CSS Security Worldwide Programs
Monthly Security Bulletin Briefing - January 2014
• Teresa Ghiorzoe
Security Program Manager - GBS LATAM
• Daniel Mauser
Senior Technical Lead - LATAM CTS
Security Blog: http://blogs.technet.com/b/risco/
Twitter: LATAMSRC
Email: [email protected]
Agenda
New Security Bulletins: 4 (Critical: 0 | Important: 4)
1 Security Bulletin re-release
1 Security Advisory re-release
Other Security Resources
• Detection and Deployment Table
• Product Support Lifecycle Information
• Post Release Issue Tracking, Escalations, and Contacts
• Slide Decks and the Public Webcast
January 2014 Security Bulletins
Bulletin | Impact | Component | Severity | Priority | Exploit Index | Public
MS14-001 | Remote Code Execution | Word | Important | 2 | 1 | No
MS14-002 | Elevation of Privilege | Kernel | Important | 1 | 1 | Yes
MS14-003 | Elevation of Privilege | KMD | Important | 2 | 1 | No
MS14-004 | Denial of Service | Dynamics AX | Important | 3 | 1 | No
Exploitability Index: 1 - Exploit code likely | 2 - Exploit code difficult | 3 - Exploit code unlikely | NA - Not Affected | * - Not Rated
MS14-001: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)
Affected Software
• Microsoft Word 2003
• Microsoft Word 2007
• Microsoft Word 2010
• Microsoft Word 2013
• Microsoft Word 2013 RT
• Office Compatibility Pack
• Word Viewer
• SharePoint Server 2010 (Word Automation Services)
• SharePoint Server 2013 (Word Automation Services)
• Office Web Apps 2010
• Office Web Apps Server 2013
Severity | Important
Deployment Priority | 2
Update Replacement | MS13-072, MS13-084, MS13-086, MS13-100
More Information and/or Known Issues | No
Restart Requirement | A restart may be required
Uninstall Support | In Control Panel go to Add or Remove Programs (Windows XP or Windows 2003) or System and Security (newer systems).
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
• Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
• After you install this security update on all SharePoint servers, you must run the PSconfig tool to complete the installation.
MS14-001 (2916605): Vulnerability Details
• Multiple memory corruption vulnerabilities exist in the way that affected Microsoft Office software parses specially crafted files that could lead to remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-0258 | Important | Remote Code Execution | NA | 1 | * | No | No | None
CVE-2014-0259 | Important | Remote Code Execution | NA | 1 | * | No | No | None
CVE-2014-0260 | Important | Remote Code Execution | 1 | 1 | * | No | No | None
Exploitability Index: 1 - Exploit code likely | 2 - Exploit code difficult | 3 - Exploit code unlikely | NA - Not Affected | * - Not Rated
DoS Rating: T = Temporary (DoS ends when an attack ceases) | P = Permanent (Administrative action required to recover)
Attack Vectors
• A specially crafted Office file
Common delivery mechanisms: a maliciously crafted webpage, an email attachment, an instant message, a peer-to-peer file share, a network share, and/or a USB thumb drive.
Mitigations
• The vulnerability cannot be exploited automatically through email because a user must open an attachment that is sent in an email message.
• Users would have to be persuaded to take some sort of action, e.g. clicking URL sent in email, IM sending user to malicious site, and user opens Office file.
• Exploitation only gains the same user rights as the logged-on account.
Workarounds
• Install and configure MOICE to be the registered handler for .doc files.
• Use Microsoft Office File Block policy to prevent the opening of .doc and .dot binary files.
• Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.
MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)
Affected Software
• Windows XP
• Windows Server 2003
Severity | Important
Deployment Priority | 1
Update Replacement | MS10-099
More Information and/or Known Issues | SA2914486
Restart Requirement | A restart is required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
Security Advisory addressed by this update: Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege
http://technet.microsoft.com/en-us/security/advisory/2914486
MS14-002 (2914368): Vulnerability Details
• An elevation of privilege vulnerability exists in the NDProxy component of the Windows kernel due to improper validation of input passed from user mode to the kernel that could allow an attacker to run code in kernel mode.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-5065 | Important | Elevation of Privilege | NA | 1 | * | Yes | Yes | 2914486
Attack Vectors
• An attacker could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.
Mitigations
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Workarounds
• Reroute the NDProxy service to Null.sys.
MS14-003: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)
Affected Software
• Windows 7
• Windows Server 2008 R2
Severity | Important
Deployment Priority | 2
Update Replacement | MS13-101
More Information and/or Known Issues | No
Restart Requirement | This update requires a restart
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
MS14-003 (2913602): Vulnerability Details
• An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly uses window handle thread objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-0262 | Important | Elevation of Privilege | NA | 1 | P | No | No | None
Attack Vectors
• An attacker could run a specially crafted application designed to increase privileges.
Mitigations
• To exploit this vulnerability, an attacker would first have to log on locally to the system.
* Local logon in this case also refers to an RDP session.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
MS14-004: Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826)
Affected Software
• Microsoft Dynamics AX 4.0 SP2
• Microsoft Dynamics AX 2009 SP1
• Microsoft Dynamics AX 2012
• Microsoft Dynamics AX 2012 R2
Severity | Important
Deployment Priority | 3
Update Replacement | None
More Information and/or Known Issues | No
Restart Requirement | May require restart
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | No | No | No | No | No
Update is available on the Microsoft Download Center and PartnerSource.
MS14-004 (2880826): Vulnerability Details
• A denial of service vulnerability exists in Microsoft Dynamics AX that could allow an attacker to cause a Dynamics AX server to become unresponsive.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-0261 | Important | Denial of Service | 3 | 3 | P | No | No | None
Attack Vectors
• An authenticated attacker could submit specially crafted data to an affected Dynamics AX server.
Mitigations
• To exploit this vulnerability, an attacker must be able to authenticate on the Dynamics AX client.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
Re-released Security Bulletin
Security Bulletin (2870008): Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
Microsoft is re-releasing one of the updates associated with this bulletin (2862330) to address stability issues caused by applying this update under certain circumstances on Windows 7 and Windows Server 2008 R2.
Re-released Security Advisories
Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
Microsoft updated this advisory to announce the availability of a new update for Adobe Flash Player. On January 14, 2013, Microsoft released an update (KB2916626) for all supported editions of Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-02. For more information about this update, including download links, see Microsoft Knowledge Base Article 2916626.
Microsoft Support Lifecycle
Lifecycle Changes
The following product families and service pack levels are scheduled to have their support lifecycle expire on January 14, 2014:
Product Family
• Live Communications Server 2003
Remember that support for the entire Windows XP product family will expire on 4/8/2014.
http://support.microsoft.com/lifecycle
January 2014 Security Bulletins
Bulletin | Description | Severity | Priority
MS14-001 | Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution | Important | 2
MS14-002 | Vulnerability in Windows Kernel Could Allow Elevation of Privilege | Important | 1
MS14-003 | Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege | Important | 2
MS14-004 | Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service | Important | 3
Appendix
Malicious Software Removal Tool (MSRT) Updates
MSRT Changes
New malware families added to the January 2014 MSRT
• MSIL/Bladabindi: A family of malware that can be used to take control of PCs and steal sensitive information
Additional Tools
Microsoft Safety Scanner
• Same basic engine as the MSRT, but with a full set of A/V signatures
Windows Defender Offline
• An offline bootable A/V tool with a full set of signatures
• Designed to remove rootkits and other advanced malware that can't always be detected by antimalware programs
• Requires you to download an ISO file and burn a CD, DVD, or USB flash drive
TechNet Security is Changing!
In 2014 Q1, security bulletins will be moving to the TechNet Library
• Bulletins, bulletin summaries, and advisories will join the existing IT Pro content at http://technet.microsoft.com/library
• TechNet Security portal at http://technet.microsoft.com/security/ will be updated to point to bulletins in the TechNet Library.
Details
• URLs will change from http://technet.microsoft.com/security/bulletin/MSNN-NNN to http://technet.microsoft.com/library/security/MSNN-NNN
• Navigational landing pages will guide gentle readers to the latest bulletins grouped by product family (Windows, IE, .NET, Office, etc.)
• All bulletin content going back to 1998 will be present.
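The URL change announced on this slide can be applied to runbooks and internal documentation with a small rewrite script. This is an added example, not part of the original briefing; keeping a locale segment such as /en-us in place, accepting https links, and the function names are assumptions.

```python
import re

# Old and new patterns as given on the slide:
#   http://technet.microsoft.com/security/bulletin/MSNN-NNN
#   http://technet.microsoft.com/library/security/MSNN-NNN
# Assumptions (not on the slide): a locale segment such as /en-us is kept in
# place, https links are handled the same way, matching is case-insensitive.
HOST = r"(?P<scheme>https?)://technet\.microsoft\.com(?P<locale>/[a-z]{2}-[a-z]{2})?"
OLD_BULLETIN = re.compile(
    HOST + r"/security/bulletin/(?P<id>ms\d{2}-\d{3})(?![\w-])", re.IGNORECASE)
# Anything still under /security/bulletin/ or /security/advisory/ afterwards
# (summaries such as ms14-jan, advisories) has no new pattern on the slide.
LEGACY_LEFTOVER = re.compile(
    r"https?://technet\.microsoft\.com(?:/[a-z]{2}-[a-z]{2})?"
    r"/security/(?:bulletin|advisory)/[\w-]+", re.IGNORECASE)


def migrate_bulletin_links(text):
    """Rewrite MSNN-NNN bulletin links; return (new_text, [(old, new), ...])."""
    changes = []

    def swap(match):
        new = "{}://technet.microsoft.com{}/library/security/{}".format(
            match.group("scheme"), match.group("locale") or "", match.group("id"))
        changes.append((match.group(0), new))
        return new

    return OLD_BULLETIN.sub(swap, text), changes


def needs_manual_review(text):
    """Return old-style security links that the rewrite did not cover."""
    return LEGACY_LEFTOVER.findall(text)


# Constructed sample: a runbook excerpt using URL forms shown on this page.
SAMPLE_RUNBOOK = (
    "Deploy first: http://technet.microsoft.com/security/bulletin/MS14-002\n"
    "Office: http://technet.microsoft.com/en-us/security/bulletin/ms14-001.\n"
    "Summary: http://technet.microsoft.com/en-us/security/bulletin/ms14-jan\n"
    "Advisory: http://technet.microsoft.com/security/advisory/2914486\n"
)

if __name__ == "__main__":
    migrated, changed = migrate_bulletin_links(SAMPLE_RUNBOOK)
    for old, new in changed:
        print(old, "->", new)
    print("Review by hand:", needs_manual_review(migrated))
```

Summary and advisory links are reported rather than rewritten because the slide gives a new URL pattern only for individual bulletins.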
Public Security Bulletin Links
Monthly Bulletin Links
• Microsoft Security Bulletin Summary for January 2014
http://technet.microsoft.com/en-us/security/bulletin/ms14-jan
• Security Bulletin Search
http://technet.microsoft.com/security/bulletin
• Security Advisories
http://technet.microsoft.com/security/advisory
• Microsoft Technical Security Notifications
http://technet.microsoft.com/en-us/security/dd252948.aspx
Blogs
• MSRC Blog
http://blogs.technet.com/msrc
• SRD Team Blog
http://blogs.technet.com/srd
• MMPC Team Blog
http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
http://blogs.technet.com/ecostrat
Supplemental Security Reference Articles
• Detailed Bulletin Information Spreadsheet
http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
http://technet.microsoft.com/en-us/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
http://support.microsoft.com/kb/890830
January 2014 Manageability Tools Reference
Bulletin | Windows Update (1) | Microsoft Update (1) | MBSA (2) | WSUS | SMS ITMU | SCCM
MS14-001 | No | Yes | Yes | Yes | Yes | Yes
MS14-002 | Yes | Yes | Yes | Yes | Yes | Yes
MS14-003 | Yes | Yes | Yes | Yes | Yes | Yes
MS14-004 | No | No | No | No | No | No
1. Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
2. Microsoft Baseline Security Analyzer (MBSA) v2.3 now supports Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
January 2014 Non-Security Content
Description | Classification | Deployment
Update for Windows 8.1 (KB2904440) | Critical Update | Site, AU, SUS, Catalog
Dynamic Update for Windows 8.1 (KB2914220) | Critical Update | Site, AU, SUS, Catalog
Update for Microsoft Outlook 2013 (KB2850061) 32-Bit Edition | Critical Update | Site, AU, SUS, Catalog
MBSA 2.3 Now Available
The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA 2.3 release now provides support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
Tool Information
• Available at the Download Center at http://www.microsoft.com/download/details.aspx?id=7558
• Windows 2000 will no longer be supported with this release.
Public Security Bulletin Links in Portuguese (LATAM)
Bulletin Links in Portuguese
• Microsoft Security Bulletin Summary for January 2014
http://technet.microsoft.com/pt-br/security/bulletin/ms14-jan
• Security Bulletin Search
http://technet.microsoft.com/pt-br/security/bulletin
• Security Advisories
http://technet.microsoft.com/pt-br/security/advisory
• Microsoft Technical Security Notifications
http://technet.microsoft.com/pt-br/security/dd252948.aspx
Blogs
• Negócios de Risco
http://blogs.technet.com/b/risco/
• MSRC Blog
http://blogs.technet.com/msrc
• SRD Team Blog
http://blogs.technet.com/srd
• MMPC Team Blog
http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
http://blogs.technet.com/ecostrat
Supplemental Security Reference Articles
• Detailed Bulletin Information Spreadsheet
http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
http://technet.microsoft.com/pt-br/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
http://support.microsoft.com/kb/890830
Portuguese Webcast - February
Portuguese Webcast (External)
WEBCAST - CUSTOMERS
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032575576&Culture=pt-BR&community=1
13 February 2014
15:30 Brasília time
See our blog to register:
Negócios de Risco
• http://blogs.technet.com/b/risco/