Monthly Security Bulletin Briefing

Transcription

1 Monthly Security Bulletin Briefing (June 2013) Teresa Ghiorzoe Security PM LATAM 1

2 June 2013 Agenda Security Advisories New Rerelease 1 1 Other Security Resources Detection and Deployment Table Lifecycle Information New Security Bulletins 5 Critical 1 4 Important June 2013 Bulletin Release Summary TechNet Public Webcast Details Appendix Malicious Software Removal Tool s Public Security Bulletin Links 2013 Non-Security s 2

3 June 2013 Security Bulletins Bulletin Impact Component Severity Priority Exploit Index MS Remote Code Execution Internet Explorer Critical 1 1 No Public MS Information Disclosure Windows Kernel Important 3 3 No MS Denial of Service Kernel-Mode Drivers Important 2 3 No MS Elevation of Privilege Print Spooler Important 2 1 No MS Remote Code Execution Office Important 1 1 Yes Exploitability Index: 1 - Exploit code likely 2 - Exploit code difficult 3 - Exploit code unlikely NA - Not Affected * - Not Rated 3

4 MS Cumulative Security for Internet Explorer ( ) Affected Software: IE 6 on Windows XP and Windows Server 2003 IE 7 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 IE 8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 IE 9 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 IE 10 on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT Detection and Deployment WU MU MBSA WSUS ITMU SCCM Yes Yes Yes 1 2 Yes 2 Yes 2 Yes 2 Severity Critical Deployment Priority 1 Restart Requirement A restart is required Replacement MS MS More Information and / or Known Issues Yes 3 Uninstall Support Use Add or Remove Programs in Control Panel 1. The Microsoft Baseline Security Analyzer (MBSA) tool does not support Windows 8 or Windows Server Windows RT devices can only be serviced with Windows and Microsoft 3. Windows RT devices require update to be installed before WU will offer this security update 4

5 MS Cumulative Security for Internet Explorer ( ) Vulnerability Details: Eighteen (18) remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted that could allow an attacker to take complete control of an affected system if they can convince a user to view a specially crafted website A remote code execution vulnerability exists when Internet Explorer improperly processes scripts while debugging a webpage that could allow an attacker to take complete control of an affected system if they can convince a user to debug a specially crafted website CVE Severity Impact XI Latest XI Legacy XI DoS Public Exploited Advisory Multiple * CVE Attack Vectors Critical Moderate A maliciously crafted Web page Compromised websites and websites that accept or host user-provided content or advertisements * CVE , CVE * CVE , CVE * CVE , CVE * CVE , CVE * CVE , CVE * CVE , CVE * CVE , CVE * CVE , CVE * CVE , CVE Remote Code Execution Remote Code Execution Mitigations 1 * Users would have to be persuaded to view a malicious web page Exploitation only gains the same user rights as the logged on account By default, all supported clients open HTML messages in Restricted sites zone By default, IE on Windows 2003, Windows 2008, Windows 2008 R2, & Windows 2012 runs in a restricted mode By default, script debugging is not enabled for CVE * NA NA No No No No Workarounds None None Set IE security to High for Internet and Intranet zones Configure IE to prompt before running ActiveX and Active Scripting Do not debug script on untrusted webpages or webpages that you do not control for CVE Exploitability Index: 1 - Exploit code likely 2 - Exploit code difficult 3 - Exploit code unlikely NA - Not Affected * - Not Rated DoS Rating: T = Temporary (DoS ends when an attack ceases) P = Permanent (Administrative action required to recover) 5

6 MS Vulnerability in Windows Kernel Could Allow Information Disclosure ( ) Affected Software: Windows XP SP3 Windows Server 2003 SP2 Windows Vista SP2 Windows Server 2008 for 32-bit Systems SP2 Windows 7 for 32-bit Systems SP1 Windows 8 for 32-bit Systems Detection and Deployment Severity Important Deployment Priority 3 Restart Requirement A restart is required Replacement MS MS More Information and / or Known Issues None Uninstall Support Use Add or Remove Programs in Control Panel WU MU MBSA WSUS ITMU SCCM * The Microsoft Baseline Security Analyzer (MBSA) tool does not support Windows 8 or Windows Server 2012 Yes Yes Yes * Yes Yes Yes 6

7 MS Vulnerability in Windows Kernel Could Allow Information Disclosure ( ) Vulnerability Details: An information disclosure vulnerability exists when the Kernel improperly handles objects in memory. An attacker with valid logon credentials could log on locally and run a specially crafted application to disclose information from kernel addresses. CVE Severity Impact XI Latest XI Legacy XI DoS Public Exploited Advisory CVE Important Information Disclosure 3 3 P No No None Attack Vectors A maliciously crafted application Mitigations An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities Workarounds Microsoft has not identified any workarounds for any of these vulnerabilities Exploitability Index: DoS Rating: 1 - Exploit code likely 2 - Exploit code difficult 3 - Exploit code unlikely NA - Not Affected * - Not Rated T = Temporary (DoS ends when an attack ceases) P = Permanent (Administrative action required to recover) 7

8 MS Vulnerability in Kernel-Mode Driver Could Allow Denial of Service ( ) Affected Software: Windows Vista (All Supported Versions) Windows Server 2008 (All Supported Versions) Windows 7 (All Supported Versions) Windows Server 2008 R2 (All Supported Versions) Windows 8 (All Supported Versions) Windows Server 2012 Windows RT Detection and Deployment Severity Important Deployment Priority Replacement More Information and / or Known Issues 2 MS Yes 3 Restart Requirement A restart is required Uninstall Support Use Add or Remove Programs in Control Panel WU MU MBSA WSUS ITMU SCCM Yes Yes Yes 1 2 Yes 2 Yes 2 Yes 2 1. The Microsoft Baseline Security Analyzer (MBSA) tool does not support Windows 8 or Windows Server Windows RT devices can only be serviced with Windows and Microsoft 3. Windows RT devices require update to be installed before WU will offer this security update 8

9 MS Vulnerability in Kernel-Mode Driver Could Allow Denial of Service ( ) Vulnerability Details: A denial of service vulnerability exists in the way that the Windows TCP/IP driver improperly handles packets during a TCP connection. An attacker who successfully exploited this vulnerability could cause the target system to stop responding by sending maliciously crafted network packets to the target system. CVE Severity Impact XI Latest XI Legacy XI DoS Public Exploited Advisory CVE Important Denial of Service 3 3 P No No None Attack Vectors Maliciously crafted network packets Mitigations Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter Workarounds Microsoft has not identified any workarounds for any of these vulnerabilities Exploitability Index: DoS Rating: 1 - Exploit code likely 2 - Exploit code difficult 3 - Exploit code unlikely NA - Not Affected * - Not Rated T = Temporary (DoS ends when an attack ceases) P = Permanent (Administrative action required to recover) 9

10 MS Vulnerability in Windows Print Spooler Components Could Allow Elevation of Privilege ( ) Affected Software: Windows Vista (All Supported Versions) Windows Server 2008 (All Supported Versions) Windows 7 (All Supported Versions) Windows Server 2008 R2 (All Supported Versions) Windows 8 (All Supported Versions) Windows Server 2012 Windows RT Detection and Deployment WU MU MBSA WSUS ITMU SCCM Yes Yes Yes 1 2 Yes 2 Yes 2 Yes 2 Severity Important Deployment Priority Replacement More Information and / or Known Issues 2 MS Yes 3 Restart Requirement A restart is required Uninstall Support Use Add or Remove Programs in Control Panel 1. The Microsoft Baseline Security Analyzer (MBSA) tool does not support Windows 8 or Windows Server Windows RT devices can only be serviced with Windows and Microsoft 3. Windows RT devices require update to be installed before WU will offer this security update 10

11 MS Vulnerability in Windows Print Spooler Components Could Allow Elevation of Privilege ( ) Vulnerability Details: An elevation of privilege vulnerability exists in the way that Microsoft Windows Print Spooler handles memory when a printer is deleted. The vulnerability could allow an attacker with valid logon credentials to log on locally and run arbitrary code in the context of the local system and take complete control of an affected system by deleting a printer connection CVE Severity Impact XI Latest XI Legacy XI DoS Public Exploited Advisory CVE Important Elevation of Privilege 1 1 P No None None Attack Vectors A maliciously crafted application Mitigations An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities Workarounds Disable the Print Spooler service Exploitability Index: DoS Rating: 1 - Exploit code likely 2 - Exploit code difficult 3 - Exploit code unlikely NA - Not Affected * - Not Rated T = Temporary (DoS ends when an attack ceases) P = Permanent (Administrative action required to recover) 11

12 MS Vulnerability in Microsoft Office Could Allow Remote Code Execution ( ) Affected Software: Office 2003 SP3 Office for Mac 2011 Detection and Deployment Severity Important Deployment Priority 1 Restart Requirement A restart is not required Replacement MS MS More Information and / or Known Issues None Uninstall Support Use Add or Remove Programs in Control Panel WU No MU Yes * MBSA Yes * WSUS Yes * ITMU Yes * SCCM Yes * * Microsoft does not offer any detection and deployment tools for applications designed to run on Macintosh, but the applications feature a built in automatic updating component 12

13 MS Vulnerability in Microsoft Office Could Allow Remote Code Execution ( ) Vulnerability Details: A remote code execution vulnerability exists in the way that Microsoft Office parses specially crafted Office files. This vulnerability could allow an attacker to take complete control of an affected system if they can convince a user to open a specially crafted office file. CVE Severity Impact XI Latest XI Legacy XI DoS Public Exploited Advisory CVE Important Remote Code Execution NA 1 NA No Yes * None Attack Vectors A maliciously crafted Office file Common delivery mechanisms: a maliciously crafted Web page, an attachment, an instant message, a peer-to-peer file share, a network share, and/or a USB thumb drive * Microsoft is aware of limited targeted attacks against this vulnerability Mitigations Users would have to be persuaded to visit a malicious web site Exploitation only gains the same user rights as the logged on account Workarounds Do not open or save Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources For Office for Mac 2011, disassociate binary Office file formats from Office for Mac in OS X's LaunchServices database Exploitability Index: DoS Rating: 1 - Exploit code likely 2 - Exploit code difficult 3 - Exploit code unlikely NA - Not Affected * - Not Rated T = Temporary (DoS ends when an attack ceases) P = Permanent (Administrative action required to recover) 13

14 Security Advisory ( ) to Improve Cryptography and Digital Certificate Handling in Windows Affected Software: Windows Vista (All Supported Versions) Windows Server 2008 (All Supported Versions) Windows 7 (All Supported Versions) Windows Server 2008 R2 (All Supported Versions) Windows 8 (All Supported Versions) Windows Server 2012 Windows RT This update as part of ongoing efforts to improve cryptography and digital certificate handling in Windows. s will bolster the Windows cryptography and certificate handling infrastructure in response to an evolving threat environment. Microsoft will announce additional updates via this advisory. Executive Summary: Microsoft is releasing an update ( ) that builds on the expanded Certificate Trust List (CTL) functionality provided in update ( ), which gave enterprises more options for managing their private PKI environments. This update allows admins to: Configure domain-joined computers to use the auto update mechanism (for both trusted and disallowed CTLs) without having access to WU. Configure domain-joined computers to opt in (for both trusted and disallowed CTLs) to auto update independently. Examine the set of roots in Microsoft root programs and to choose a subset of them for distribution via Group Policy. 14

15 Security Advisory Rerelease Security Advisory ( ) for Vulnerabilities in Adobe Flash Player in Internet Explorer 10 Windows 8 for 32-bit and 64-bit Systems Windows Server 2012 Windows RT Reason for rerelease: The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-16 For more information about this update, including download links, see KB Article

16 June 2013 Manageability Tools Reference Bulletin Windows Microsoft MBSA WSUS SMS ITMU SCCM MS Yes Yes Yes 1 2 Yes 2 Yes 2 Yes 2 MS Yes Yes Yes 1 Yes Yes Yes MS Yes Yes Yes 1 2 Yes 2 Yes 2 Yes 2 MS Yes Yes Yes 1 2 Yes 2 Yes 2 Yes 2 MS No Yes 3 Yes 3 Yes 3 Yes 3 Yes 3 1. The MBSA does not support detection on systems running Windows 8 or Windows Server Windows RT devices can only be serviced with Windows and Microsoft and the Microsoft Store 3. Microsoft does not offer any detection and/or deployment tools for products that run on Mac

17 Microsoft Support Lifecycle Lifecycle Changes There are no product families and/or service pack levels that scheduled to have their support lifecycle expire on June 11 th 2013 Remember that support for the entire Windows XP product family will expire on 4/8/

18 June 2013 Security Bulletin Summary Bulletin Description Severity Priority MS Cumulative Security for Internet Explorer Critical 1 MS Vulnerability in Windows Kernel Could Allow Information Disclosure Important 3 MS Vulnerability in Kernel-Mode Driver Could Allow Denial of Service Important 2 MS Vulnerability in Windows Print Spooler Components Could Allow Elevation of Privilege Important 2 MS Vulnerability in Microsoft Office Could Allow Remote Code Execution Important 1

19 TechNet Public Webcast TechNet Webcast Microsoft will host a public webcast to address customer questions on these bulletins: Information About Microsoft's Security Bulletins Wednesday, June 12, :00 AM Pacific Time (US & Canada) You can register for the webcast here: 19

20 Appendix 20

21 Malicious Software Removal Tool s New malware families added to the June 2013 MSRT Win32/Tupym Additional Tools Microsoft Safety Scanner Same basic engine as the MSRT, but with a full set of A/V signatures Windows Defender Offline An offline bootable A/V tool with a full set of signatures Designed to remove rootkits and other advanced malware that can't always be detected by antimalware programs Requires you to download an ISO file and burn a CD, DVD, or USB flash drive 21

22 Public Security Bulletin Links Monthly Bulletin Links Microsoft Security Bulletin Summary for June Security Bulletin Search Security Advisories Microsoft Technical Security Notifications Blogs MSRC Blog SRD Team Blog MMPC Team Blog MSRC Ecosystem Team Blog Supplemental Security Reference Articles Detailed Bulletin Information Spreadsheet Security Tools for IT Pros KB Description of Software Services and Windows Server Services changes in content The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software 6/13/

23 June 2013 Non- Security Content (Windows) Description Classification Deployment for Microsoft.NET Framework 4 on XP, Server 2003, Vista, Windows 7, Server 2008 x86 (KB ) for Microsoft.NET Framework 3.5 SP1 on Windows XP, Server 2003, Vista and Server 2008 x86 (KB ) for Microsoft.NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB ) for Microsoft.NET Framework on Windows 7 SP1 x86 (KB ) for Microsoft.NET Framework on Windows 7 SP1 x86 (KB for Microsoft.NET Framework 2.0 SP2 on Windows Server 2008 SP2 x86 (KB ) for Microsoft.NET Framework 3.5 on Windows 8 x86 (KB ) for Windows 8 (KB ) (Recommended) (Recommended) (Recommended) (Recommended) (Recommended) (Recommended) (Recommended) (Recommended) Site, AU, SUS, Catalog Site, AU, SUS, Catalog Site, AU, SUS, Catalog Site, AU, SUS, Catalog Site, AU, SUS, Catalog Site, AU, SUS, Catalog Site, AU, SUS, Catalog Site, AU, SUS, Catalog for Windows 8 (KB ) Critical Site, AU, SUS, Catalog for Windows 7 (KB ) for Windows 7 (KB ) for Windows 8 (KB ) for Windows 8 (KB ) (Recommended) (Recommended) (Recommended) (Recommended) Site, AU, SUS, Catalog Site, AU, SUS, Catalog Site, AU, SUS, Catalog Site, AU, SUS, Catalog for Windows 8 (KB ) Critical Site, AU, SUS, Catalog for Windows 7 (KB ) (Optional) Site, SUS, Catalog Windows Malicious Software Removal Tool - June 2013 (KB890830) Rollup Site, AU, SUS, Catalog

24 June 2013 Non- Security Content (Office) Description Classification Deployment for Microsoft Office 2013 (KB ) Critical Site, AU, SUS, Catalog for Microsoft Office 2013 (KB ) Critical Site, Catalog for Microsoft Office 2013 (KB ) Critical Site, AU, SUS, Catalog for Microsoft Office 2013 (KB ) Critical Site, AU for Microsoft Office 2013 (KB ) Critical Site, AU, SUS, Catalog for Microsoft Office 2013 (KB Critical Site, AU, SUS, Catalog for Microsoft Office Outlook 2007 Junk Filter (KB ) Critical Site, AU, SUS, Catalog for Microsoft Outlook 2013 (KB ) Critical Site, AU, SUS, Catalog for Microsoft SkyDrive Pro (KB ) Critical Site, AU, SUS, Catalog for Microsoft Word 2013 (KB ) Critical Site, AU, SUS, Catalog for Microsoft Word 2013 (KB ) Critical Site, AU, SUS, Catalog for Outlook 2003 Junk Filter (KB ) Critical Site, AU, SUS, Catalog for Microsoft Security Essentials Prerelease (KB ) Critical Site, AU Rollup for Lync 2010 Attendee - Administrator level installation (KB ) Rollup Site, AU, SUS, Catalog