Monthly Security Bulletin Briefing
May 2014
Customer Version
CSS Security Worldwide Programs
• Teresa Ghiorzoe, Security Program Manager - GBS LATAM
• Daniel Mauser, Senior Technical Lead - LATAM CTS
Security Blog: http://blogs.technet.com/b/risco/
Twitter: LATAMSRC
MS14-022: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)
Affected Software
• Microsoft SharePoint Server 2007
• Microsoft SharePoint Server 2010
• Microsoft SharePoint Server 2013
• Microsoft Project Server 2010
• Microsoft Project Server 2013 and Microsoft Office Web Apps 2010
• Microsoft Office Services and Microsoft Office Web Apps Server 2013
• Microsoft SharePoint Services 3.0
• Microsoft SharePoint Foundation 2010
• Microsoft SharePoint Foundation 2013
• Microsoft SharePoint Designer 2007
• Microsoft SharePoint Designer 2010
• Microsoft SharePoint Designer 2013
• Microsoft Project Server 2010
• Microsoft Project Server 2013
• SharePoint Server 2013 Client Components SDK
Severity | Critical
Deployment Priority | 2
Update Replacement | MS13-067, MS13-100, MS14-017
More Information and/or Known Issues | None
Restart Requirement
• A restart may be required
Uninstall Support
This security update cannot be uninstalled.
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
After you install this security update on all SharePoint servers, you have to run the PSconfig tool to complete the installation process.
Exploitability Index (XI): 1 - Exploit code likely | 2 - Exploit code difficult | 3 - Exploit code unlikely | NA - Not Affected
DoS Rating: T - Temporary (DoS ends when attack ceases) | P - Permanent (Administrative action required to recover) | * - Not Applicable
Vulnerability Details
• Related remote code execution vulnerabilities (CVE-2014-0251) exist in Microsoft SharePoint Server. An authenticated attacker who successfully exploited any of these related vulnerabilities could run arbitrary code in the security context of the W3WP service account.
• An elevation of privilege vulnerability (CVE-2014-1754) exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user.
• A remote code execution vulnerability (CVE-2014-1813) exists in Microsoft Web Applications. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the W3WP service account.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-0251 | Critical | Remote Code Execution | 1 | 1 | * | No | No | None
CVE-2014-1754 | Important | Elevation of Privilege | 1 | NA | * | No | No | None
CVE-2014-1813 | Important | Remote Code Execution | 1 | 1 | * | No | No | None
Attack Vectors
An authenticated attacker could attempt to exploit any of these related vulnerabilities by sending specially crafted page content to a SharePoint server.
Mitigations
• To exploit this vulnerability, an attacker must be able to authenticate on the target SharePoint site. Note that this is not a mitigating factor if the SharePoint site is configured to allow anonymous users to access the site. By default, anonymous access is not enabled.
• CVE-2014-1754: Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
MS14-023: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2961037)
Affected Software:
• Microsoft Office 2007 (Grammar Checker for Chinese)
• Windows Office 2010 (Grammar Checker for Chinese)
• Microsoft Office 2013
• Microsoft Office 2013 RT
Severity | Important
Deployment Priority | 2
Update Replacement | MS13-104 or None
More Information and/or Known Issues | None
Restart Requirement
• A restart may be required.
Uninstall Support
• Use the Add or Remove Programs Control Panel applet.
• Office 2010: update cannot be removed
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
Note: Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store
Vulnerability Details:
• A remote code execution vulnerability (CVE-2014-1756) exists in the way that affected Microsoft Office software handles the loading of dynamic-link library (.dll) files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
• An information disclosure vulnerability (CVE-2014-1808) exists when affected Microsoft Office software does not properly handle a specially crafted response while attempting to open an Office file hosted on the malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted Microsoft online service.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-1756 | Important | Remote Code Execution | 1 | 1 | * | No | No | 2269637
CVE-2014-1808 | Important | Information Disclosure | 3 | 3 | * | No | No | None
Attack Vectors
• Attacker convinces user to open an Office file located in same network directory as a specially crafted .dll file
• Email vector: attacker sends Office attachment, then convinces user to place attachment in same directory as specially crafted .dll file.
CVE-2014-1808: Attacker hosts a malicious website utilizing the vulnerability, then convinces users to visit the site.
• Attacker takes advantage of compromised websites and/or sites hosting ads from other providers.
Mitigations
CVE-2014-1756: user must visit an untrusted network location or WebDAV share and open Office related file.
• Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CVE-2014-1808: vulnerability can’t be exploited automatically through email.
• User has to be persuaded to visit malicious site, typically via URL in IM or email leading to attacker’s website.
Workarounds
CVE-2014-1756
• Disable loading of libraries from WebDAV and remote network shares. Details are listed in MS14-023
• Disable the WebClient service
• Block TCP ports 139 and 445 at the firewall
CVE-2014-1808: no workaround
MS14-024: Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033)
Affected Software
• Office 2007
• Office 2010
• Office 2013
• Office 2013 RT
Severity | Important
Deployment Priority | 1
Update Replacement | MS12-060
More Information and/or Known Issues | None
Restart Requirement
• A restart may be required
Uninstall Support
• Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
Note: Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store
Vulnerability Details
• A security feature bypass vulnerability exists because the MSCOMCTL common controls library used by Microsoft Office software does not properly implement Address Space Layout Randomization (ASLR). The vulnerability could allow an attacker to bypass the ASLR security feature, which helps protect users from a broad class of vulnerabilities.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-1809 | Important | Security Feature Bypass | NA | NA | * | No | Yes | None
Attack Vector
• Attacker hosts a malicious website utilizing the vulnerability, then convinces users to visit the site. Also could embed an ActiveX control marked "safe for initialization" in an application or Office file that hosts the IE rendering engine.
• Attacker takes advantage of compromised websites and/or sites hosting ads from other providers or that accept user provided content.
Mitigations
• Can’t be exploited automatically via email, opening an attachment is necessary.
• An attacker would have to convince users to take action, typically by getting them to click a link in an email message or instant message that takes users to the attacker’s website, and then convince them to open the specially crafted Office file.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
MS14-025: Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)
Affected Software
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8 and 8.1
• Windows Server 2012 and 2012 R2
Severity | Important
Deployment Priority | 1
Update Replacement | None
More Information and/or Known Issues | Existing GPOs using these GP preferences should be removed
Restart Requirement
• A restart may be required
Uninstall Support
• Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | No | Yes | Yes | Yes | Yes
Note: This update is available on Microsoft Download Center and Windows Update Catalog
Vulnerability Details
• An elevation of privilege vulnerability exists in the way that Active Directory distributes passwords that are configured using Group Policy preferences. An authenticated attacker who successfully exploited the vulnerability could decrypt the passwords and use them to elevate privileges on the domain.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-1812 | Important | Elevation of Privilege | 1 | 1 | * | Yes | Yes | No
Attack Vectors
• To exploit the vulnerability, an attacker would first need to gain access to an authenticated user account on the domain. If a GPO is configured using Group Policy preferences to set a local administrative password or define credentials to map a network drive, schedule a task, or configure the running context of a service, an attacker could then retrieve and decrypt the password stored with Group Policy preferences.
Mitigations
• An attacker must be authenticated within a domain to execute this attack.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
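The MS14-025 slide says existing GPOs that use these Group Policy preferences should be removed; the first step is knowing which preference items still hold a stored password. The following is an added example, not part of the briefing or of Microsoft's tooling: the function name Find-GppStoredPassword, the scan root, and the account attribute names (userName, runAs, accountName) are assumptions, the sample Groups.xml is constructed, and it needs PowerShell 3.0 or later.

```powershell
# Added example: report Group Policy preference items under a SYSVOL
# Policies tree that still carry a stored password (cpassword attribute).
# The stored value itself is never printed or decoded.

function Find-GppStoredPassword {
    [CmdletBinding()]
    param(
        # Root to scan, e.g. \\<domain>\SYSVOL\<domain>\Policies (placeholder)
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    Get-ChildItem -LiteralPath $Path -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            $doc  = New-Object System.Xml.XmlDocument
            try { $doc.Load($file.FullName) }
            catch {
                Write-Warning "Skipping unreadable XML: $($file.FullName)"
                return   # move on to the next file
            }

            # The GPO GUID is the {...} folder name in the path, when present.
            $gpo = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '(unknown)' }

            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                # An empty attribute means no password is stored; skip it.
                if ([string]::IsNullOrEmpty($node.GetAttribute('cpassword'))) { continue }

                # Assumption: the account name sits in one of these attributes.
                $account = 'userName', 'runAs', 'accountName' |
                    ForEach-Object { $node.GetAttribute($_) } |
                    Where-Object { $_ } |
                    Select-Object -First 1

                $parent = $node.ParentNode -as [System.Xml.XmlElement]
                [pscustomobject]@{
                    Gpo     = $gpo
                    File    = $file.Name
                    Item    = if ($null -ne $parent) { $parent.GetAttribute('name') } else { $node.LocalName }
                    Account = $account
                    Changed = if ($null -ne $parent) { $parent.GetAttribute('changed') } else { $null }
                }
            }
        }
}

# --- Constructed sample so the function can be tried offline ---
$root = Join-Path ([System.IO.Path]::GetTempPath()) ('gpp-audit-' + [guid]::NewGuid())
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000001}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <User name="NoPassword" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="NoPassword" cpassword=""/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Encoding UTF8

# Only the LocalAdmin item is reported; the empty cpassword is ignored.
Find-GppStoredPassword -Path $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Run against the real Policies share, each row is a preference item to remove from its GPO, and the account it names should have its password changed because the stored copy was readable by any authenticated domain user.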
MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732)
Affected Software
• Microsoft .NET Framework 1.1 SP1
• Microsoft .NET Framework 2.0 SP2
• Microsoft .NET Framework 3.5
• Microsoft .NET Framework 3.5.1
• Microsoft .NET Framework 4
• Microsoft .NET Framework 4.5
• Microsoft .NET Framework 4.5.1
On all supported editions of:
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8 and 8.1
• Windows Server 2012 and 2012 R2
• Windows RT and RT 8.1
Severity | Important
Deployment Priority | 3
Update Replacement | MS14-009
More Information and/or Known Issues | None
Restart Requirement
• A restart may be required
Uninstall Support
• Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
Note: Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
Vulnerability Details
• An elevation of privilege vulnerability exists in the way that .NET Framework handles TypeFilterLevel checks for some malformed objects.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-1806 | Important | Elevation of Privilege | 1 | 1 | * | No | No | No
Attack Vectors
• An unauthenticated attacker could send specially crafted data to an affected workstation or server that uses .NET Remoting, allowing the attacker to execute arbitrary code on the targeted system
Mitigations
• .NET Remoting endpoints are not accessible to anonymous clients by default.
Workarounds
Enable security when registering a channel.
For more information see Authentication with the TCP channel: http://msdn.microsoft.com/library/59hafwyt
MS14-027: Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488)
Affected Software
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8 and 8.1
• Windows Server 2012 and 2012 R2
• Windows RT and RT 8.1
Severity | Important
Deployment Priority | 2
Update Replacement | MS10-007, MS12-048
More Information and/or Known Issues | None
Restart Requirement
• A restart is required
Uninstall Support
• Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
Note: Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store
Vulnerability Details
• An elevation of privilege vulnerability exists when the Windows Shell improperly handles file associations. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Local System account. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-1807 | Important | Elevation of Privilege | 1 | 1 | * | No | Yes | No
Attack Vectors
• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to elevate privileges.
Mitigations
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
MS14-028: Vulnerabilities in iSCSI Could Allow Denial of Service (2962485)
Affected Software
• Windows Server 2008 x86, x64
• Windows Server 2008 R2 x64
• Windows Server 2012 and 2012 R2
Severity | Important
Deployment Priority | 3
Update Replacement | None
More Information and/or Known Issues | No security update available for Server 2008
Restart Requirement
• A restart may be required
Uninstall Support
• Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
The architecture to properly support the fix provided in the update does not exist on Windows Storage Server 2008 systems, making it infeasible to build the fix for Windows Storage Server 2008.
Vulnerability Details
• Two denial of service vulnerabilities exist in the way that affected operating systems handle iSCSI packets or connections. An attacker who successfully exploited the vulnerability could cause the affected service or services to stop responding.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-0255 | Important | Denial of Service | 3 | 3 | T | No | No | No
CVE-2014-0256 | Important | Denial of Service | 3 | 3 | T | No | No | No
Attack Vectors
• An attacker could exploit the vulnerability by creating a large number of specially crafted iSCSI packets and sending the packets to affected systems over a network.
Mitigations
• This vulnerability only affects servers for which the iSCSI target role has been enabled. By default the iSCSI target role is not enabled on any of these OS.
Workarounds
• Limit the attack surface from untrusted networks by placing iSCSI on its own isolated network, separate from any network on which internet traffic flows.
• Configure your firewall to restrict access to TCP port 3260 to authorized iSCSI client IP addresses
MS14-029: Security Update for Internet Explorer (2962482)
Affected Software
• Internet Explorer 6 on Windows Server 2003
• Internet Explorer 7 on Windows Server 2003, Windows Vista, and Windows Server 2008
• Internet Explorer 8 on Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
• Internet Explorer 9 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
• Internet Explorer 10 on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT
• Internet Explorer 11 on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
Severity | Critical
Deployment Priority | 1
Update Replacement | MS14-021
More Information and/or Known Issues | Not a cumulative update. Requires MS14-018 on most platforms
Restart Requirement
• A restart is required
Uninstall Support
• Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
This update includes the fix for CVE-2014-1776, first addressed by the MS14-021 out-of-band security update on May 1.
Vulnerability Details
• Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-0310 | Critical | Remote Code Execution | 1 | 1 | * | No | No | No
CVE-2014-1815 | Critical | Remote Code Execution | 1 | 1 | * | No | Yes | No
Attack Vectors
• Attacker hosts a malicious website utilizing the vulnerability, then convinces users to visit the site.
• Attacker takes advantage of compromised websites and/or sites hosting ads from other providers.
Mitigations
• Attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email. No way for attacker to force user to view malicious content.
• Exploitation only gains the same user rights as the logged-on account.
• By default, all Microsoft email clients open HTML email messages in the Restricted Sites zone.
• By default, Internet Explorer runs in a restricted mode for all Windows Servers.
Workarounds
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
• Add sites that you trust to the Internet Explorer Trusted sites zone.
Security Advisory (2960358): Update for Disabling RC4 in .NET TLS
Executive Summary
Microsoft is announcing the availability of an update for Microsoft .NET Framework that
disables RC4 in Transport Layer Security (TLS) through the modification of the system registry.
Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover
plaintext from encrypted sessions.
Recommendations
Microsoft recommends that customers download and test the update before deploying it in
their environments as soon as possible. The update is available from the Microsoft Download
Center. For information on how to manually apply the update, see Microsoft Knowledge Base
Rereleased Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
What Has Changed?
Microsoft updated this advisory to announce the availability of a new update for Adobe Flash
Player. On May 13, 2014, Microsoft released an update (KB2957151) for Internet Explorer 10
on Windows 8, Windows Server 2012, and Windows RT, and for Internet Explorer 11 on
Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the
vulnerabilities described in Adobe Security bulletin APSB14-14. For more information about
this update, including download links, see Microsoft Knowledge Base Article 2957151.
Executive Summary
Microsoft is announcing the availability of an update for Adobe Flash Player in Internet
Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT,
Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the
vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained
within Internet Explorer 10 and Internet Explorer 11.
Recommendations
Microsoft recommends that customers apply the current update immediately using update
management software, or by checking for updates using the Microsoft Update service. Since
the update is cumulative, only the current update will be offered. Customers do not need to install previous updates as a prerequisite for installing the current update.