Dial In Number 1-800-227-8104 Pin: 9049
Information About Microsoft April 2012 Security Bulletins
Jonathan Ness, Security Development Manager, Microsoft Corporation
Pete Voss, Sr. Response Communications Manager, Microsoft Corporation
Live Video Stream
• To receive our video stream in LiveMeeting:
– Click on Voice & Video
– Click the drop down next to the camera icon
– Select Show Main Video
What We Will Cover
• Review of April 2012 Bulletin release information:
– New Security Bulletins
– Microsoft® Windows® Malicious Software Removal Tool
– Information About Microsoft Windows XP
• Resources
• Questions and Answers: Please Submit Now
– Submit Questions via Twitter #MSFTSecWebcast
Severity and Exploitability Index
[Chart: Severity (Critical, Important, Moderate, Low) on the impact axis against Exploitability Index (1, 2, 3) on the risk axis for the six April bulletins, with the Deployment Priority (DP) row underneath.]
Bulletin: MS12-023 (Internet Explorer), MS12-024 (Windows), MS12-025 (.NET), MS12-026 (Forefront UAG), MS12-027 (Windows), MS12-028 (Office)
DP: 1, 2, 2, 3, 1, 2
Bulletin Deployment Priority
Bulletin  Component     KB       Disclosure  Aggregate Severity  Exploit Index  Max Impact  Deployment Priority  Notes
MS12-027  MSComCtl      2664258  Private     Critical            1              RCE         1                    Microsoft is aware of limited, targeted attacks.
MS12-023  IE            2675157  Private     Critical            1              RCE         1                    Provides a defense-in-depth to help address an industry-wide issue.
MS12-024  Authenticode  2653956  Private     Critical            1              RCE         2                    Users should not open untrusted files.
MS12-025  .NET          2671605  Private     Critical            1              RCE         2                    Microsoft's Enhanced Security Configuration helps mitigate risk.
MS12-028  Office        2639185  Private     Important           1              RCE         2                    Users should not open attachments from untrusted sources.
MS12-026  Forefront     2663860  Private     Important           3              ID          3                    This update is available from the Download Center only.
MS12-023: Cumulative Security Update For Internet Explorer (2675157)
CVE            Severity  Exploitability: Latest Software  Exploitability: Older Versions  Comment                Note
CVE-2012-0168  Moderate  N/A                              N/A                             Remote Code Execution  Cooperatively Disclosed
CVE-2012-0169  Critical  3                                3                               Remote Code Execution  Cooperatively Disclosed
CVE-2012-0170  Critical  N/A                              1                               Remote Code Execution  Cooperatively Disclosed
CVE-2012-0171  Critical  1                                1                               Remote Code Execution  Cooperatively Disclosed
CVE-2012-0172  Critical  N/A                              1                               Remote Code Execution  Cooperatively Disclosed
Affected Products: IE 6, 7, 8, 9 on all supported versions of Windows; IE 6, 7, 8, 9 on all supported versions of Windows Server
Affected Components: Internet Explorer
Deployment Priority: 1
Main Target: Workstations
Possible Attack Vectors
• CVE-2012-0168:
– Printer Based: an attacker could exploit the vulnerability by convincing the user to print a specially crafted HTML page.
• CVE-2012-0169, CVE-2012-0170, CVE-2012-0171, CVE-2012-0172:
– Web-based: An attacker could exploit the vulnerability by convincing a user to visit a specially crafted website.
Impact of Attack
• An attacker successfully exploiting this issue could gain the same user rights as the logged-on user.
Mitigating Factors
• CVE-2012-0168:
– An attacker would have no way to force a user to print an HTML page.
– The "Print table of links" option is not enabled by default when printing from Internet Explorer. Only customers who manually select this feature when they print a webpage are likely to be vulnerable to this issue.
• CVE-2012-0169, CVE-2012-0170, CVE-2012-0171, CVE-2012-0172:
– An attacker would have no way to force a user to visit a malicious website.
Additional Information
• Installations using Server Core are not affected.
MS12-024: Vulnerability In Windows Could Allow Remote Code Execution (2653956)
CVE            Severity  Exploitability: Latest Software  Exploitability: Older Versions  Comment                Note
CVE-2012-0151  Critical  1                                1                               Remote Code Execution  Cooperatively Disclosed
Affected Products: All supported versions of Windows and Windows Server
Affected Components: Authenticode Signature Verification
Deployment Priority: 2
Main Target: Workstations and Servers
Possible Attack Vectors
• Email Attack Scenario: An attacker could exploit this vulnerability by sending a user an email message containing the specially crafted PE file and convincing the user to open the file.
• Web-Based Scenario: An attacker would have to host a website that contains a specially crafted PE file. Compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit this vulnerability.
Impact of Attack
• An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors
• Microsoft has not identified any mitigating factors for this vulnerability.
Additional Information
• Installations using Server Core are affected.
MS12-025: Vulnerability in .NET Framework Could Allow Remote Code Execution (2671605)
CVE            Severity  Exploitability: Latest Software  Exploitability: Older Versions  Comment                Note
CVE-2012-0163  Critical  1                                1                               Remote Code Execution  Cooperatively Disclosed
Affected Products: .NET Framework 1.0 SP3, .NET Framework 1.1 SP1, .NET Framework 2.0 SP2, .NET Framework 3.5.1, and .NET Framework 4
Affected Components: .NET Framework
Deployment Priority: 2
Main Target: Workstations and Servers
Possible Attack Vectors
• Web-Browsing Scenario: An attacker could host a website that contains a webpage that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.
• Web-Hosting Scenario: An attacker must have permission to upload arbitrary ASP.NET pages to a website and ASP.NET must be installed on that web server.
• This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user or the user account of ASP.NET.
Mitigating Factors
• An attacker would have no way to force users to visit a website hosting the specially crafted media file.
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.
• In default configuration, an anonymous user cannot upload and run Microsoft .NET code on an Internet Information Server (IIS).
• Standard .NET Framework applications are not affected by this vulnerability. Only specially crafted .NET Framework applications could exploit this vulnerability.
Additional Information
• Installations using Server Core are affected.
• .NET Framework 4 and .NET Framework 4 Client Profile are affected.
MS12-026: Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (2663860)
CVE            Severity   Exploitability: Latest Software  Exploitability: Older Versions  Comment                 Note
CVE-2012-0146  Moderate   N/A                              N/A                             Spoofing                Cooperatively Disclosed
CVE-2012-0147  Important  3                                3                               Information Disclosure  Cooperatively Disclosed
Affected Products: Forefront Unified Access Gateway 2010 SP1, and Forefront Unified Access Gateway 2010 SP1 Update 1
Affected Components: Unified Access Gateway Web Interface
Deployment Priority: 3
Main Target: Servers
Possible Attack Vectors
• CVE-2012-0146:
– Email Attack Scenario: An attacker would have to convince users to click a link that has a specially crafted URL that redirects the user to the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
• CVE-2012-0147:
– Web Attack Scenario: An attacker would send a specially crafted HTTPS query to the UAG server. This specially crafted request could allow the attacker to access restricted resources via the UAG default website.
Impact of Attack
• CVE-2012-0146:
– The authenticated user's browser session could be redirected to a malicious site that is designed to impersonate a legitimate UAG web interface. The attacker could trick the user and potentially acquire sensitive information, such as the user's credentials.
• CVE-2012-0147:
– An attacker who successfully exploited this vulnerability could view secured resources on the server.
Mitigating Factors
• CVE-2012-0146:
– An attacker would have no way to force users to visit a malicious website.
• CVE-2012-0147:
– Microsoft has not identified any mitigating factors for this vulnerability.
Additional Information
• This update is available through the Download Center only.
MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)
CVE            Severity  Exploitability: Latest Software  Exploitability: Older Versions  Comment                Note
CVE-2012-0158  Critical  1                                1                               Remote Code Execution  Cooperatively Disclosed
Affected Products:
– All Supported Versions of Office (except x64 editions)
– All Supported Editions of SQL Server (except 2000 Itanium SP4, 2000 Reporting Service SP2, 2000 MSDE, 2000 MSDE SP4, 2005 Express Edition SP4, and SQL Server 2008 Management Studio)
– BizTalk Server 2002 SP1
– Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009, Commerce Server 2009 R2
– Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2
– Visual Basic 6.0 Runtime
Affected Components: Windows Common Controls
Deployment Priority: 1
Main Target: Workstations and Servers
Possible Attack Vectors
• Web Attack Scenario: An attacker could host a website that contains a web page that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit this vulnerability.
• Email Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an email attachment, and convince the user to open the attachment.
Impact of Attack
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Mitigating Factors
• An attacker would have no way to force users to visit a website or open an email attachment.
Additional Information
• By default, supported versions of Microsoft SQL Server 2005 and Microsoft SQL Server 2008 default installations include the Windows common controls. Microsoft Update will automatically detect and deploy the Windows common controls packages to these supported versions of Microsoft SQL Server 2005 and Microsoft SQL Server 2008.
• Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability.
MS12-028: Vulnerability In Microsoft Office Could Allow Remote Code Execution (2639185)
CVE            Severity   Exploitability: Latest Software  Exploitability: Older Versions  Comment                Note
CVE-2012-0177  Important  3                                1                               Remote Code Execution  Cooperatively Disclosed
Affected Products: Office 2007 SP2, Microsoft Works 9, and Microsoft Works 6-9 File Converter
Affected Components: Microsoft Office Works File Converter
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors
• Web Attack Scenario: An attacker could host a website that contains a web page that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit this vulnerability.
• Email Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an email attachment, and convince the user to open the attachment.
Impact of Attack
• An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.
Mitigating Factors
• An attacker would have no way to force users to visit a website or open an email attachment.
Detection & Deployment
Bulletin               Windows Update         Microsoft Update       MBSA                   WSUS 3.0  SMS 2003 with ITMU     SCCM 2007
MS12-023 IE            Yes                    Yes                    Yes                    Yes       Yes                    Yes
MS12-024 Authenticode  Yes                    Yes                    Yes                    Yes       Yes                    Yes
MS12-025 .NET          Yes                    Yes                    Yes                    Yes       Yes                    Yes
MS12-026 Forefront     No*                    No*                    No*                    No*       No*                    No*
MS12-027 MSComCtl      Yes with exceptions**  Yes with exceptions**  Yes with exceptions**  Yes       Yes with exceptions**  Yes with exceptions**
MS12-028 Office        No                     Yes                    Yes                    Yes       Yes                    Yes
* Available in Download Center Only
** Except for MS Commerce Server 2002 SP4, 2007 SP2, 2009, and 2009 R2; plus Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2 and Visual Basic 6.0 Runtime
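The detection tools in the table tell you which channels can offer each update; a quick post-deployment check on a host is a separate step. The following PowerShell snippet is an added example for this deck, not Microsoft tooling or anything shown in the webcast. It lists which of the April KB numbers that ship through Windows servicing are present on the local machine. It assumes Get-HotFix (which reads Win32_QuickFixEngineering) is available and that the bulletin KB number is also the installed package id; that holds for the IE and Authenticode updates, but the .NET bulletin KB is a summary number whose per-version packages carry their own KB ids, and the Office, Windows Common Controls and Forefront UAG updates are not recorded in Win32_QuickFixEngineering at all, so those three need a product-specific inventory.

```powershell
# Added example (not part of the webcast deck): report which April 2012
# Windows-servicing updates from the tables above are installed locally.
# Assumption: Get-HotFix / Win32_QuickFixEngineering lists only updates
# applied through Windows servicing. KB2639185 (Office), KB2664258 (Common
# Controls) and KB2663860 (Forefront UAG) do not appear there.
$aprilKBs = @(
    @{ KB = 'KB2675157'; Bulletin = 'MS12-023 Internet Explorer (cumulative)' },
    @{ KB = 'KB2653956'; Bulletin = 'MS12-024 Authenticode signature verification' },
    # The .NET bulletin KB is a summary number; add the per-version package
    # KBs listed in the bulletin for the frameworks installed on this host.
    @{ KB = 'KB2671605'; Bulletin = 'MS12-025 .NET Framework (summary KB)' }
)

function Get-April2012PatchState {
    # Read the installed hotfix ids once rather than calling Get-HotFix per KB.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    foreach ($entry in $aprilKBs) {
        New-Object PSObject -Property @{
            KB        = $entry.KB
            Bulletin  = $entry.Bulletin
            # $false here means "not applied through Windows servicing",
            # which is a reason to check the update history, not proof of absence.
            Installed = ($installed -contains $entry.KB)
        }
    }
}

Get-April2012PatchState | Format-Table KB, Bulletin, Installed -AutoSize
```

Run it in an elevated PowerShell session on the host being audited; the Installed column is the only field worth feeding into a reporting pipeline, and a missing .NET entry should be resolved against the bulletin's package list before it is counted as a gap.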
Other Update Information
Bulletin               Restart  Uninstall  Replaces
MS12-023 IE            Yes      Maybe      MS12-010
MS12-024 Authenticode  Yes      Maybe      MS10-019
MS12-025 .NET          Maybe    Yes        None
MS12-026 Forefront     Maybe    Yes        None
MS12-027 MSComCtl      Maybe    No         MS09-004
MS12-028 Office        Maybe    Yes        MS09-024, MS10-105
Windows Malicious Software Removal Tool (MSRT)
• During this release Microsoft will increase detection capability for the following families in the MSRT:
– Win32/Gamarue: A bot-controlled worm that spreads via removable drives. It gathers information about the infected computer and sends it back to a pre-defined remote web server, where it may accept further instruction and may lead to the installation of other malware.
– Win32/BOCINEX: A bundled installer that executes Program:Win32/CoinMiner.
– Win32/Claretore: A Trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL.
• Available as a priority update through Windows Update or Microsoft Update.
• Is offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.
TechNet Has Changed: Snapshot of Recent Improvements
• Streamlining of http://technet.microsoft.com/en-us/security/bulletin
– Merged Product and service pack dropdown controls
– Simplified search results by removing redundant Affected Software
– Added new lifecycle information for the Windows, Windows Server, and IE TechCenters
• New Features For Bulletin Search
– Search by bulletin, CVE, or KB number
– Download information on all bulletins released since 1998 in spreadsheet form
– Merged "Product Search" and "Search By KB" tabs
– Upgraded the Date control to allow specific start / end dates when searching
– Simplified search filters by removing the Severity filter
– Added localized TechNet Security bulletin sites and bulletin search FAQs
– Demonstration video coming soon
Windows XP: Heading Into The Sunset
• Windows XP goes out of support in April 2014.
• We are notifying customers now so they can update to the latest operating system.
• Windows XP represented great technologies when they were first introduced nearly a decade ago, but a lot has changed and we’re encouraging customers to upgrade to Windows 7.
Resources
Blogs
• Microsoft Security Response Center (MSRC) blog: www.blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/
Twitter
• @MSFTSecResponse
Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx
Bulletins, Advisories, Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews
Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Questions and Answers
• Submit text questions using the "Ask" button.
• Don't forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC Blog: http://blogs.technet.com/msrc
• Register for next month's webcast at: http://microsoft.com/technet/security/current.aspx
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.