October 2013 Microsoft Security Bulletins. Presenters: Jonathan Ness, Security Development Manager; Dustin Childs, Group Manager, Response Communications.

To receive our video stream in Live Meeting: - Click on “Voice & Video” - Click the drop down next to the camera icon - Select “Show Main Video” Dial-in.

Dec 24, 2015

Transcript
Page 1: October 2013 Microsoft Security Bulletins

Jonathan Ness, Security Development Manager
Dustin Childs, Group Manager, Response Communications

Page 2: Live Video Stream

• To receive our video stream in Live Meeting:
  - Click on “Voice & Video”
  - Click the drop down next to the camera icon
  - Select “Show Main Video”

• Dial-in Information: 1 (877) 593-2001, PIN: 3959

Page 3: What We Will Cover

• Review of October 2013 Bulletin Release Information
  - Eight New Security Bulletins
  - One updated Security Advisory
  - Microsoft Windows Malicious Software Removal Tool

• Resources

• Questions and Answers: Please Submit Now
  - Submit Questions via Twitter #MSFTSecWebcast

Page 4: Severity & Exploitability Index

[Chart: each bulletin is plotted by aggregate Severity (Critical, Important, Moderate, Low) against Exploitability Index (1, 2, 3); DP = Deployment Priority. The plotted values are those tabulated on the next slide.]

Bulletin  Component            Severity   Exploitability Index  DP
MS13-080  Internet Explorer    Critical   1                     1
MS13-081  Kernel-Mode Drivers  Critical   1                     1
MS13-082  .NET Framework       Critical   2                     2
MS13-083  Common Controls      Critical   1                     1
MS13-084  SharePoint           Important  1                     3
MS13-085  Excel                Important  1                     2
MS13-086  Word                 Important  1                     2
MS13-087  Silverlight          Important  3                     3

Page 5: Bulletin Deployment Priority

Bulletin  Product/Component  KB #     Disclosure  Aggregate Severity  Exploit Index  Max Impact  Deployment Priority
MS13-080  IE                 2879017  Public      Critical            1              RCE         1
MS13-081  KMD                2870008  Private     Critical            1              RCE         1
MS13-083  Common Controls    2864058  Private     Critical            1              RCE         1
MS13-082  .NET               2878890  Public      Critical            2              RCE         2
MS13-085  Excel              2885080  Private     Important           1              RCE         2
MS13-086  Word               2885084  Private     Important           1              RCE         2
MS13-084  SharePoint         2885089  Private     Important           1              RCE         3
MS13-087  Silverlight        2890788  Private     Important           3              Info Disc   3
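One way to turn this table into a per-host check, as an added example that is not part of the Microsoft deck: the script below reports which of the eight bulletins are missing on a Windows host, highest deployment priority first. The KB numbers are the bulletin KBs from the slide; the function names, the use of Get-HotFix plus the Uninstall registry keys as the two sources of installed KBs, and the assumption that Office/SharePoint/Silverlight patches carry their KB in the Uninstall display name are mine. MS13-081, MS13-082, MS13-084, MS13-085 and MS13-086 ship as several packages whose own KB numbers differ from the bulletin KB, so for those the KBs list must be replaced with the package KBs from the bulletin's Affected Software table before the result is trusted.

```powershell
# Added example, not from the Microsoft deck: report which October 2013 bulletins are
# missing on this host, ordered by the deployment priority from the slide above.
#
# Assumptions (mine, verify against the bulletins): the KB numbers below are the bulletin
# KBs as listed on the slide. MS13-080, MS13-083 and MS13-087 ship under that KB;
# MS13-081, MS13-082, MS13-084, MS13-085 and MS13-086 ship several packages whose own
# KB numbers differ, so replace their KBs list with the package KBs from each
# bulletin's Affected Software table before relying on the result.

$Bulletins = @(
    @{ Id = 'MS13-080'; Component = 'Internet Explorer';   Priority = 1; KBs = @('KB2879017') },
    @{ Id = 'MS13-081'; Component = 'Kernel-Mode Drivers'; Priority = 1; KBs = @('KB2870008') },
    @{ Id = 'MS13-083'; Component = 'Common Controls';     Priority = 1; KBs = @('KB2864058') },
    @{ Id = 'MS13-082'; Component = '.NET Framework';      Priority = 2; KBs = @('KB2878890') },
    @{ Id = 'MS13-085'; Component = 'Excel';               Priority = 2; KBs = @('KB2885080') },
    @{ Id = 'MS13-086'; Component = 'Word';                Priority = 2; KBs = @('KB2885084') },
    @{ Id = 'MS13-084'; Component = 'SharePoint';          Priority = 3; KBs = @('KB2885089') },
    @{ Id = 'MS13-087'; Component = 'Silverlight';         Priority = 3; KBs = @('KB2890788') }
)

function Get-InstalledKB {
    # Windows component updates (IE, kernel-mode drivers, comctl32, .NET) are listed
    # by Get-HotFix (Win32_QuickFixEngineering).
    $fromHotFix = Get-HotFix | ForEach-Object { $_.HotFixID }

    # Office, SharePoint and Silverlight updates are MSI patches and are not listed
    # there; they are assumed here to appear under the Uninstall keys with the KB in
    # the display name, e.g. "Security Update for Microsoft Office Excel 2007 (KB2885080)".
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $fromRegistry = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        ForEach-Object { [regex]::Matches([string]$_.DisplayName, 'KB\d{6,7}') } |
        ForEach-Object { $_.Value }

    @($fromHotFix) + @($fromRegistry) | Sort-Object -Unique
}

function Test-BulletinCompliance {
    param(
        [Parameter(Mandatory = $true)] [array] $Bulletins,
        [string[]] $Installed = (Get-InstalledKB)
    )
    foreach ($b in ($Bulletins | Sort-Object { $_.Priority })) {
        $missing = @($b.KBs | Where-Object { $Installed -notcontains $_ })
        $status  = if ($missing.Count -eq 0) { 'Installed' } else { 'MISSING ' + ($missing -join ', ') }
        [pscustomobject]@{
            Priority  = $b.Priority
            Bulletin  = $b.Id
            Component = $b.Component
            Status    = $status
        }
    }
}

# A bulletin whose product is not installed at all (no SharePoint on a workstation)
# also shows as MISSING; filter $Bulletins by the products present before acting.
Test-BulletinCompliance -Bulletins $Bulletins | Format-Table -AutoSize
```

Run it on a sample of hosts from each priority tier; a priority 1 row reading MISSING on an internet-facing workstation is the finding to chase first, since all three priority 1 bulletins are rated Exploitability Index 1 with RCE as the maximum impact.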

Page 6: MS13-080: Cumulative Security Update for Internet Explorer (2879017)

CVE                                                                                                  Severity  Exploitability Index (Latest / Older versions)  Impact                 Disclosure
CVE-2013-3872, CVE-2013-3873, CVE-2013-3874, CVE-2013-3875, CVE-2013-3882, CVE-2013-3885, CVE-2013-3886  Critical  NA / 1   Remote Code Execution  Cooperatively Disclosed
CVE-2013-3893                                                                                        Critical  1 / 1    Remote Code Execution  Publicly Disclosed
CVE-2013-3897                                                                                        Critical  1 / 1    Remote Code Execution  Cooperatively Disclosed

Affected Products: IE6 – IE11 on all supported versions of Windows Client (except for IE11 on Windows 7); IE6 – IE11 on all supported versions of Windows Server (except for IE11 on Windows Server 2008 R2 x64)
Affected Components: Internet Explorer
Deployment Priority: 1
Main Target: Workstations

Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (All CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs)

Impact of Attack
• An attacker could gain the same user rights as the current user. (All CVEs)

Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. (All CVEs)
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. (All CVEs)

Additional Information
• Installations using Server Core are not affected.

Page 7: MS13-081: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)

CVE                                          Severity   Exploitability Index (Latest / Older versions)  Impact                  Disclosure
CVE-2013-3128                                Critical   NA / 1   Remote Code Execution   Cooperatively Disclosed
CVE-2013-3894                                Critical   NA / 2   Remote Code Execution   Cooperatively Disclosed
CVE-2013-3200, CVE-2013-3880, CVE-2013-3881  Important  NA / 1   Elevation of Privilege  Cooperatively Disclosed
CVE-2013-3879, CVE-2013-3888                 Important  NA / 2   Elevation of Privilege  Cooperatively Disclosed

Affected Products: All supported versions of Windows Client and Windows Server through Windows 8
Affected Components: Kernel-Mode Driver
Deployment Priority: 1
Main Target: Workstations

Possible Attack Vectors
• An attacker could exploit the vulnerability by convincing a user to view a specially crafted font. (CVE-2013-3128/3894)
• An attacker could exploit the vulnerability by inserting a malicious USB device into the system. (CVE-2013-3200)
• All other CVEs: for an attacker to exploit this vulnerability, a user would have to execute a specially crafted application. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted application to a user and convincing them to run it.

Page 8: MS13-081: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008), continued

Impact of Attack
• CVE-2013-3880: An attacker who successfully exploited this vulnerability could disclose information from a different App Container.
• All other CVEs: An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Mitigating Factors
• CVE-2013-3128/3894: An attacker would have no way to force users to visit specially crafted websites. An attacker would have to convince users to visit the website and open the specially crafted font.
• CVE-2013-3200: In a default scenario, an attacker would require physical access to exploit this vulnerability.
• All other CVEs: An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability, or convince a locally authenticated user to execute a specially crafted application.

Additional Information
• Installations using Server Core are affected.
• CVE-2013-3128/3894: Disable the Preview Pane and Details Pane in Windows Explorer.
• CVE-2013-3128 is shared with MS13-082 Vulnerabilities in .NET Framework Could Allow Remote Code Execution. Both updates are required to fully address this issue.

Page 9: MS13-082: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)

CVE                           Severity   Exploitability Index (Latest / Older versions)  Impact                 Disclosure
CVE-2013-3128                 Critical   2 / 2   Remote Code Execution  Cooperatively Disclosed
CVE-2013-3860, CVE-2013-3861  Important  3 / 3   Denial of Service      Cooperatively Disclosed

Affected Products: .NET Framework 2.0 SP2 and .NET Framework 3.5.1 on all supported versions of Windows Client and Windows Server; .NET Framework 3.0, .NET Framework 3.5, .NET Framework 3.5.1 SP1, .NET Framework 4, and .NET Framework 4.5 on all supported versions of Windows Client and Windows Server
Affected Components: .NET Framework
Deployment Priority: 2
Main Target: Workstations and Servers that run .NET and/or WCF

Possible Attack Vectors
• In a .NET application attack scenario, an attacker could host an XAML Browser Application (XBAP) containing a specially crafted OTF file on a website. (CVE-2013-3128)
• In a .NET application attack scenario, an attacker could cause an application or server to crash or become unresponsive until an administrator restarts the application or server. (CVE-2013-3860/3861)

Impact of Attack
• An attacker who successfully exploited this vulnerability could execute code in the context of the logged on user. (CVE-2013-3128)
• An attacker could cause an application or server to crash or become unresponsive until an administrator restarts the application or server. (CVE-2013-3860/3861)

Mitigating Factors
• Microsoft has not identified any mitigating factors for this vulnerability. (CVE-2013-3128)
• Affected systems do not accept and validate XML digital signatures by default. (CVE-2013-3860)
• Affected systems do not accept and validate JSON data by default. (CVE-2013-3861)

Additional Information
• .NET Framework 4 and .NET Framework 4 Client Profile are affected.
• CVE-2013-3128 is shared with MS13-081 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution. Both updates are required to fully address this issue.

Page 10: MS13-083: Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058)

CVE            Severity  Exploitability Index (Latest / Older versions)  Impact                 Disclosure
CVE-2013-3195  Critical  NA / 1   Remote Code Execution  Cooperatively Disclosed

Affected Products: All supported 64-bit versions of Windows Client and Windows Server (except Windows 8.1); all supported 32-bit versions of Windows Client and Windows Server (except Windows XP and Windows 8.1)
Affected Components: Microsoft Common Control Library
Deployment Priority: 1
Main Target: Web application servers

Possible Attack Vectors
• An attacker could exploit the vulnerability by sending a specially crafted request to an affected system.

Impact of Attack
• An attacker who successfully exploited this vulnerability could gain the same rights as the logged on user.

Mitigating Factors
• An attacker who successfully exploited this vulnerability could gain only the same user rights as the local user.

Additional Information
• Installations using Server Core are affected.
• Severity ratings do not apply to 32-bit software because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration.

Page 11: MS13-084: Vulnerabilities in SharePoint Could Allow Remote Code Execution (2885089)

CVE            Severity   Exploitability Index (Latest / Older versions)  Impact                  Disclosure
CVE-2013-3889  Important  1 / 2    Remote Code Execution   Cooperatively Disclosed
CVE-2013-3895  Important  NA / 3   Elevation of Privilege  Cooperatively Disclosed

Affected Products: Microsoft SharePoint Server 2007, 2010 and 2013; all supported versions of Excel Services, Word Automation Services, and Web Services for SharePoint Server 2007, 2010 and 2013; Office Web Apps 2010
Affected Components: SharePoint
Deployment Priority: 3
Main Target: Servers where SharePoint is installed

Possible Attack Vectors
• This vulnerability requires that a user open a specially crafted Office file with an affected version of Microsoft Excel software. (CVE-2013-3889)
• An unauthenticated attacker could create a specially crafted page and then convince an authenticated SharePoint user to visit the page. (CVE-2013-3895)

Impact of Attack
• An attacker who successfully exploited this vulnerability could cause arbitrary code to run in the security context of the current user. (CVE-2013-3889)
• An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim. (CVE-2013-3895)

Mitigating Factors
• An attacker would have no way to force users to open specially crafted Office files. (CVE-2013-3889)
• Microsoft has not identified any mitigating factors for this vulnerability. (CVE-2013-3895)

Additional Information
• CVE-2013-3889 is also addressed by MS13-085 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution. Both updates are required to fully address this issue.

Page 12: MS13-085: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)

CVE            Severity   Exploitability Index (Latest / Older versions)  Impact                 Disclosure
CVE-2013-3889  Important  1 / 2    Remote Code Execution  Cooperatively Disclosed
CVE-2013-3890  Important  NA / 3   Remote Code Execution  Cooperatively Disclosed

Affected Products: All supported versions of Microsoft Office (except 2003 SP3), Excel Viewer, and Office Compatibility Pack SP3
Affected Components: Microsoft Office
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• This vulnerability requires that a user open a specially crafted Office file with an affected version of Microsoft Excel software. (CVE-2013-3889)
• This vulnerability requires that a user open a specially crafted Office file with an affected version of Microsoft Office software. (CVE-2013-3890)

Impact of Attack
• An attacker who successfully exploited this vulnerability could cause arbitrary code to run in the security context of the current user. (All CVEs)

Mitigating Factors
• An attacker would have no way to force users to open specially crafted Office or Excel files.

Additional Information
• CVE-2013-3889 is also addressed by MS13-084 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution. Both updates are required to fully address this issue.

Page 13: MS13-086: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)

CVE            Severity   Exploitability Index (Latest / Older versions)  Impact                 Disclosure
CVE-2013-3891  Important  NA / 1   Remote Code Execution  Cooperatively Disclosed
CVE-2013-3892  Important  NA / 3   Remote Code Execution  Cooperatively Disclosed

Affected Products: Microsoft Word 2003, Microsoft Word 2007, and Microsoft Office Compatibility Pack
Affected Components: Microsoft Word
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. (All CVEs)

Impact of Attack
• An attacker who successfully exploited this vulnerability could cause arbitrary code to run in the security context of the current user. (All CVEs)

Mitigating Factors
• An attacker would have no way to force users to open specially crafted Office files.

Additional Information (workarounds)
• Install and configure MOICE to be the registered handler for .doc files.
• Use Microsoft Office File Block policy to prevent the opening of .doc and .dot binary files.
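The two workarounds named for MS13-086 (MOICE as the .doc handler, File Block for binary .doc/.dot files) are registry and file-association changes, so they can be audited and applied from PowerShell. The script below is an added example and is not part of the Microsoft deck. Its assumptions are mine and should be checked against the bulletin's workaround section before deployment: that binary-file blocking is the per-user DWORD BinaryFiles = 1 under ...\Office\<version>\Word\Security\FileOpenBlock, with 11.0 for Word 2003 and 12.0 for Word 2007; that MOICE is registered with "assoc .doc=oice.word.document" and needs the (patched) Compatibility Pack installed; and that Word.Document.8 is the default .doc ProgID to restore when reverting. Function names are mine.

```powershell
# Added example, not from the Microsoft deck: audit and apply the two MS13-086
# workarounds on a workstation with Word 2003 or Word 2007.
#
# Assumptions (mine, taken from the wording of Microsoft's Office File Block workaround;
# verify against the bulletin before deployment): binary .doc/.dot blocking is the
# per-user DWORD BinaryFiles = 1 under ...\Office\<ver>\Word\Security\FileOpenBlock,
# where 11.0 is Word 2003 and 12.0 is Word 2007; MOICE is registered with
# "assoc .doc=oice.word.document" (needs an elevated prompt and the patched
# Compatibility Pack); "Word.Document.8" is the default .doc handler to restore.

$WordVersions = @{ '11.0' = 'Word 2003'; '12.0' = 'Word 2007' }

function Get-WordFileBlockState {
    # Weak state: BinaryFiles absent or 0, so legacy binary files open in Word directly.
    foreach ($v in $WordVersions.Keys) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Word\Security\FileOpenBlock"
        $val = (Get-ItemProperty -Path $key -Name BinaryFiles -ErrorAction SilentlyContinue).BinaryFiles
        [pscustomobject]@{
            Version     = $WordVersions[$v]
            Key         = $key
            BinaryFiles = $val
            Blocked     = ($val -eq 1)
        }
    }
}

function Set-WordFileBlock {
    # Hardened state: BinaryFiles = 1 makes Word refuse .doc/.dot binary files.
    param(
        [Parameter(Mandatory = $true)] [ValidateSet('11.0', '12.0')] [string] $Version,
        [switch] $Unblock
    )
    $key = "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileOpenBlock"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $value = if ($Unblock) { 0 } else { 1 }
    Set-ItemProperty -Path $key -Name BinaryFiles -Value $value -Type DWord
}

function Register-MoiceForDoc {
    # Hand .doc to MOICE, which converts the binary file to Open XML in an isolated
    # process before Word opens it; -Revert restores the default Word association.
    param([switch] $Revert)
    $progId = if ($Revert) { 'Word.Document.8' } else { 'oice.word.document' }
    cmd /c "assoc .doc=$progId"
}

Get-WordFileBlockState | Format-Table -AutoSize            # before: Blocked = False
foreach ($v in $WordVersions.Keys) { Set-WordFileBlock -Version $v }
Register-MoiceForDoc
Get-WordFileBlockState | Format-Table -AutoSize            # after: Blocked = True
```

With BinaryFiles set, users cannot open legitimate legacy .doc files in Word until the value is reverted; routing .doc through MOICE is what keeps them readable in the meantime. The FileOpenBlock values live under HKCU, so in a fleet they are pushed per user (Group Policy preferences or the Office ADM templates), not once per machine.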

Page 14: MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788)

CVE            Severity   Exploitability Index (Latest / Older versions)  Impact                  Disclosure
CVE-2013-3896  Important  3 / 3   Information Disclosure  Cooperatively Disclosed

Affected Products: Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac and on all supported versions of Windows Client (except Windows RT) and Windows Server
Affected Components: Silverlight
Deployment Priority: 3
Main Target: Workstations

Possible Attack Vectors
• An attacker could host a website that contains a specially crafted Silverlight application designed to exploit this vulnerability and then convince a user to view the website.
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

Impact of Attack
• An attacker could disclose information on the local system.

Mitigating Factors
• An attacker cannot force users to visit specially crafted websites.
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration.

Additional Information
• Microsoft Silverlight build 5.1.20913.0, which was the current build of Microsoft Silverlight when this bulletin was first released, addresses the vulnerability and is not affected. Builds of Microsoft Silverlight prior to 5.1.20913.0 are affected.

Page 15: Microsoft Security Advisories

• Microsoft Security Advisory 2862973: Update for Deprecation of MD5 Hashing Algorithm for Microsoft Root Certificate Program
  - Microsoft is planning to release this update through Microsoft Update on February 11, 2014.
  - Part of our ongoing efforts to strengthen the ecosystem
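The practical question the advisory raises is which certificates on a host will stop validating once MD5-signed chains are rejected. The script below is an added example, not part of the Microsoft deck, that lists certificates in the local machine and current user stores whose signature algorithm is MD5 (or the older MD2/MD4). The identification rule (the PKCS#1 signature OIDs plus the friendly name) and the function name are mine; the advisory's exact scope (the Microsoft Root Certificate Program, how self-signed roots are treated, any enterprise controls) must be taken from the advisory text itself.

```powershell
# Added example, not from the Microsoft deck: find certificates signed with MD5 (or
# MD2/MD4) in the local stores, i.e. the chains Advisory 2862973 concerns.
#
# Assumption (mine): a certificate is flagged by its PKCS#1 signature-algorithm OID or
# by a friendly name starting with md2/md4/md5; the advisory's scope and exceptions are
# not modelled here and should be read from the advisory.

$WeakSignatureOids = @(
    '1.2.840.113549.1.1.2',  # md2WithRSAEncryption
    '1.2.840.113549.1.1.3',  # md4WithRSAEncryption
    '1.2.840.113549.1.1.4'   # md5WithRSAEncryption
)

function Get-WeakHashCertificate {
    param([string[]] $StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser'))

    Get-ChildItem -Path $StorePath -Recurse -ErrorAction SilentlyContinue |
        # The recursive listing yields store containers as well as certificates.
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object {
            ($WeakSignatureOids -contains $_.SignatureAlgorithm.Value) -or
            ($_.SignatureAlgorithm.FriendlyName -match '^md[245]')
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = ($_.PSParentPath -split '::')[-1]   # e.g. LocalMachine\Root
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Algorithm  = $_.SignatureAlgorithm.FriendlyName
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
}

# Self-signed rows are roots, whose own signature is not what chain building verifies;
# the rows to act on before the February 2014 update are the non-self-signed
# intermediates and leaf certificates, including any chain a server presents to clients.
Get-WeakHashCertificate | Sort-Object SelfSigned, NotAfter | Format-Table -AutoSize
```

Run it on TLS endpoints and on code-signing hosts as well as workstations: a leaf certificate that is still valid by date but chains through an MD5-signed intermediate will fail after the update even though nothing in the local store has expired.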

Page 16: Detection & Deployment

Bulletin               Windows Update  Microsoft Update  MBSA         WSUS 3.0   SMS 2003 with ITMU  Configuration Manager
MS13-080  IE           Yes             Yes               Yes (1,2)    Yes (2)    Yes (2)             Yes (2)
MS13-081  KMD          Yes             Yes (3)           Yes (1)      Yes        Yes                 Yes
MS13-082  .NET         Yes             Yes               Yes (1,2)    Yes (2)    Yes (2)             Yes (2)
MS13-083  Common Ctls  Yes             Yes               Yes (1)      Yes        Yes                 Yes
MS13-084  SharePoint   No              Yes               Yes          Yes        Yes                 Yes
MS13-085  Excel        No              Yes (3)           Yes (2,3)    Yes (2,3)  Yes (2,3)           Yes (2,3)
MS13-086  Word         No              Yes               Yes          Yes        Yes                 Yes
MS13-087  Silverlight  Yes (3)         Yes (3)           Yes (1,2,3)  Yes (2,3)  Yes (2,3)           Yes (2,3)

1. The MBSA does not support detection on Windows 8, Windows RT, and Windows Server 2012.
2. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.
3. Mac is not supported by detection tools.

Page 17: Other Update Information

Bulletin               Restart  Uninstall  Replaces
MS13-080  IE           Yes      Yes        MS13-069
MS13-081  KMD          Yes      Yes        MS13-076, MS13-046, MS12-078
MS13-082  .NET         Maybe    Yes        MS13-052, MS13-040, MS11-100
MS13-083  Common Ctls  Yes      Yes        MS10-081
MS13-084  SharePoint   Maybe    No         MS13-067
MS13-085  Excel        Maybe    Yes        MS13-073, MS11-072
MS13-086  Word         Maybe    Yes        MS13-072
MS13-087  Silverlight  No       Yes        MS13-052

Page 18: Windows Malicious Software Removal Tool (MSRT)

• During this release, Microsoft will increase/add detection capability for the following families in the MSRT:
  - Win32/Shiotob: a family of trojans that monitors network activity of the affected system to steal system information and user credentials.
  - Win32/Foidan: a family of trojans that monitors and may also change the internet traffic of an affected computer.
• Available as a priority update through Windows Update or Microsoft Update
• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove

Page 19: Resources

Blogs
• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/

Twitter
• @MSFTSecResponse

Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews

Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx

Page 20: Questions & Answers

• Submit text questions using the “Ask” button.

• Don’t forget to fill out the survey.

• A recording of this webcast will be available within 48 hours on the MSRC blog.

http://blogs.technet.com/msrc

• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx

Page 21:

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.