1 Monthly Security Bulletin Briefing September 2014 CSS Security Worldwide Programs • Teresa Ghiorzoe Security Program Manager- GBS LATAM • Daniel Mauser Senior Technical Lead - LATAM CTS Blog de Segurança: http://blogs.technet.com/b/risco/ Twitter: LATAMSRC Email: [email protected]
21
Embed
Monthly Security Bulletin Briefing - Microsoft€¦ · privilege and affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
Monthly Security
Bulletin Briefing
September 2014
CSS Security Worldwide Programs
• Teresa GhiorzoeSecurity Program Manager- GBS LATAM
• Daniel Mauser
Senior Technical Lead - LATAM CTS
Blog de Segurança: http://blogs.technet.com/b/risco/
Vulnerabilities in Microsoft Lync Server Could Allow Denial of
Service (2990928)MS14-055
Vulnerability Details
• Two denial of service vulnerabilities exist in Lync Server. An attacker who successfully exploited these vulnerabilities could cause the
affected system to stop responding.
• A reflected cross-site scripting (XSS) vulnerability which could result in information disclosure exists when Lync Server fails to
properly sanitize specially crafted content. An attacker who successfully exploited this vulnerability could potentially execute scripts
in the user’s browser to obtain information from web sessions.
CVE Severity Impact XI Latest XI Legacy XI DoS Public Exploited Advisory
CVE-2014-4068 Important Denial of Service 3 3 T No No None
CVE-2014-4071 Important Denial of Service 3 NA T No No None
CVE-2014-4070 Important Information Disclosure 3 NA * No No None
Attack Vectors
• CVE-2014-4068 & 4071: Attacker executes a
specially crafted request to a Lync server.
• CVE-2014-4070: Attacker hosts a malicious
website utilizing the vulnerability, then
convinces users to visit the site.
• Attacker takes advantage of compromised
websites and/or sites hosting ads from other
providers.
• Email: Attacker sends an email containing a
URL linking to the malicious web site and
convinces user to click the link.
Mitigations
• Microsoft has not identified any
mitigating factors for these
vulnerabilities.
Workarounds
• CVE-2014-4070: Read email messages in plain
text.
• Set Internet and Local intranet security zone
settings to "High" to block ActiveX Controls
and Active Scripting in these zones.
• Add sites that you trust to the Internet
Explorer Trusted sites zone.
• CVE-2014-4068 & 4071: no workarounds
Exploitability Index (XI): 0 – Exploitation Detected | 1 – Exploitation more likely | 2 – Exploitation less likely | 3 - Exploitation unlikely | NA - Not Affected
DoS Rating: T - Temporary (DoS ends when attack ceases) | P - Permanent (Administrative action required to recover) | * - Not Applicable
CSS Security Worldwide ProgramsSlide 12
(2905247) Insecure ASP.NET Site Configuration Could Allow
Elevation of Privilege
Rereleased
Security
Advisory
What Has Changed?
This advisory was rereleased to offer the security update via Microsoft Update, in addition to
the download-center-only option that was provided when this advisory was originally
released.
Furthermore, the updates for some of the affected .NET Framework versions were rereleased
to address an issue that occasionally caused Page.IsPostBack to return an incorrect value.
Executive Summary
Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a
vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC)
validation is disabled through configuration settings. The vulnerability could allow elevation of
privilege and affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework
2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft
.NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1
Recommendations
Most customers have automatic updating enabled and will not need to take any action
because this security update will be downloaded and installed automatically. For information
about specific configuration options in automatic updating, see Microsoft Knowledge Base
Article 294871. For customers who do not have automatic updating enabled, the steps in Turn automatic updating on or off can be used to enable automatic updating.
More Information http://technet.microsoft.com/library/2905247
(2755801) Update for Vulnerabilities in Adobe Flash Player in
Internet Explorer
Rereleased
Security
Advisory
What Has Changed?
Microsoft updated this advisory to announce the availability of a new update for Adobe Flash
Player. On September 9, 2014, Microsoft released an update (2987114) for Internet Explorer 10
on Windows 8, Windows Server 2012, and Windows RT, and for Internet Explorer 11 on
Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the
vulnerabilities described in Adobe Security bulletin APSB14-21. For more information about
this update, including download links, see Microsoft Knowledge Base Article 2987114.
Executive Summary
Microsoft is announcing the availability of an update for Adobe Flash Player in Internet
Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT,
Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the
vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained
within Internet Explorer 10 and Internet Explorer 11.
Recommendations
Microsoft recommends that customers apply the current update immediately using update
management software, or by checking for updates using the Microsoft Update service. Since
the update is cumulative, only the current update will be offered. Customers do not need to install previous updates as a prerequisite for installing the current update.
More Information http://technet.microsoft.com/library/2755801