Microsoft Security Bulletins
Andrew Gross
Security Development Manager
Pete Voss
MarComm Manager
Response Communications
October 2014
Dial-in Information
1 888-320-3585
Pin: 932342341
October 2014 Microsoft Security Bulletins
What We Will Cover
1. Review of October 2014 Bulletin Release Information
• Eight New Security Bulletins
• Two New Security Advisories
• Microsoft Windows Malicious Software Removal Tool
2. Resources
3. Questions and Answers: Please Submit Now
• Submit questions through the Social Stream
Dial-in and download information
For audio only:
• +1 425-706-3500 or +1-888-320-3585
• Conference ID: 932342341
Download the slides:
• http://aka.ms/WebcastSlides
• Provides PDF document of this presentation
October 2014 Microsoft Security Bulletins (severity colour key on the slides: moderate / important / critical)
Bulletin  | Product/Component | KB #    | Disclosure | Active attacks | Aggregate severity | Max impact
MS14-056  | IE                | 2987107 | Private    | Yes            | Critical           | RCE
MS14-057  | .NET              | 3000414 | Private    | None           | Critical           | RCE
MS14-058  | KMD               | 3000061 | Private    | Yes            | Critical           | RCE
MS14-060  | OLE               | 3000869 | Private    | Yes            | Important          | RCE
MS14-061  | Word              | 3000434 | Private    | None           | Important          | RCE
MS14-059  | ASP.NET           | 2990942 | Public     | None           | Important          | SB
MS14-062  | Message Queuing   | 2993254 | Private    | None           | Important          | EOP
MS14-063  | FAT32             | 2998579 | Private    | None           | Important          | EOP
(The Exploit Index and Deployment Priority columns were colour-coded chips on the slide; their values are not present in the text.)
Bulletin Deployment Priority, Severity and XID
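An added example, not part of the webcast deck: a PowerShell check that maps each bulletin in the table above to its KB number and asks a Windows host whether that hotfix is installed. The KB numbers are the ones in the table; the function name and the assumption of Windows PowerShell 3.0 or later are mine.

```powershell
# Added example, not from the Microsoft deck: bulletin-to-KB map taken from the summary table.
$October2014Bulletins = [ordered]@{
    'MS14-056' = 'KB2987107'   # Internet Explorer
    'MS14-057' = 'KB3000414'   # .NET Framework
    'MS14-058' = 'KB3000061'   # Kernel-mode driver
    'MS14-059' = 'KB2990942'   # ASP.NET MVC
    'MS14-060' = 'KB3000869'   # Windows OLE
    'MS14-061' = 'KB3000434'   # Word / Office Web Apps
    'MS14-062' = 'KB2993254'   # Message Queuing (Windows Server 2003)
    'MS14-063' = 'KB2998579'   # FAT32 driver
}

function Test-October2014Bulletins {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Get-HotFix reads Win32_QuickFixEngineering, which lists Windows updates only.
    # Office updates (MS14-061) never appear there, MS14-059 may have been applied as a
    # NuGet package inside a project rather than as a Windows update, and one bulletin
    # KB can be shipped as several package KBs (the .NET bulletin has one package per
    # framework version). Treat Installed = $false as "verify another way", not "missing".
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                 Select-Object -ExpandProperty HotFixID

    foreach ($bulletin in $October2014Bulletins.Keys) {
        $kb = $October2014Bulletins[$bulletin]
        [pscustomobject]@{
            Computer  = $ComputerName
            Bulletin  = $bulletin
            KB        = $kb
            Installed = [bool]($installed -contains $kb)
        }
    }
}

# Usage: check the local host, or pipe a list of host names to check a fleet.
Test-October2014Bulletins | Format-Table -AutoSize
# 'host1', 'host2' | ForEach-Object { Test-October2014Bulletins -ComputerName $_ }
```

Run it from a management workstation with rights on the remote hosts; hosts that report a missing KB should be cross-checked against WSUS or Configuration Manager compliance data before being treated as unpatched.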
MS14-056: Cumulative Update for Internet Explorer (2987107)
CVE | Severity | Exploitability (latest / older versions; blank where the slide used a colour chip) | Impact | Disclosure
CVE-2014-4126, CVE-2014-4128, CVE-2014-4141 | Critical | | Remote Code Execution | Cooperatively Disclosed
CVE-2014-4130, CVE-2014-4132, CVE-2014-4138 | Critical | NA / NA | Remote Code Execution | Cooperatively Disclosed
CVE-2014-4127, CVE-2014-4129, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137 | Critical | NA / NA | Remote Code Execution | Cooperatively Disclosed
CVE-2014-4123 | Important | | Elevation of Privilege | Cooperatively Disclosed
CVE-2014-4124, CVE-2014-4140 | Important | | Elevation of Privilege, Security Bypass | Cooperatively Disclosed
AFFECTED PRODUCTS: IE7 – IE11 on all supported versions of Windows Client; IE6 – IE11 on all supported versions of Windows Server
AFFECTED COMPONENTS: Internet Explorer
DEPLOYMENT PRIORITY: (shown only as a colour chip on the slide)
MAIN TARGET: Workstations and terminal servers
POSSIBLE ATTACK VECTORS
CVE-2014-4123, CVE-2014-4124
• An attacker could attempt to exploit this vulnerability by running code at a higher privilege level
CVE-2014-4140
• An attacker could bypass the Address Space Layout Randomization (ASLR) security feature
All other CVEs
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then
convince a user to view the website.
IMPACT OF ATTACK
CVE-2014-4123, CVE-2014-4124
• An attacker who successfully exploited these vulnerabilities could elevate privileges in affected versions of Internet Explorer.
CVE-2014-4140
• An attacker who successfully exploited this vulnerability could take advantage of the ASLR bypass to run arbitrary code.
All other CVEs
• An attacker who successfully exploited these vulnerabilities could execute arbitrary code in the context of the current user.
MITIGATING FACTORS
CVE-2014-2783
• Extended Validation (EV) SSL Certificate guidelines disallow the use of wildcard certificates. EV SSL certificates issued by Certificate
Authorities (CA) in compliance with these guidelines cannot be used to exploit this vulnerability.
All other CVEs
• Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with
administrative user rights.
• An attacker would have no way to force users to view attacker controlled content.
ADDITIONAL
INFORMATION
• Installations using Server Core are affected.
CVE-2014-4123, CVE-2014-4124
• Microsoft has not identified any workarounds for these vulnerabilities
All other CVEs
• Workarounds include configuring Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the
Internet and Local intranet security zones, and setting the Internet and Local intranet security zone settings to "High" to block ActiveX
Controls and Active Scripting in these zones.
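An added example, not from the Microsoft deck: PowerShell that reads, and can apply, the per-user Internet Explorer zone settings the workaround above refers to (Active Scripting and ActiveX controls in the Internet and Local intranet zones), keeping a backup so the change can be reverted once the update is installed. The zone numbers and value names come from Internet Explorer's documented zone registry layout rather than from the slide; the function names and backup path are mine.

```powershell
# Added example, not from the Microsoft deck. Zone numbers and value names follow IE's
# documented zone registry layout: zone 1 = Local intranet, zone 3 = Internet;
# value 1400 = Active scripting, value 1200 = Run ActiveX controls and plug-ins;
# data 0 = enable, 1 = prompt, 3 = disable.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ '1' = 'Local intranet'; '3' = 'Internet' }
$Settings = @{ '1400' = 'Active scripting'; '1200' = 'Run ActiveX controls and plug-ins' }

function Get-IEZoneScripting {
    # Current per-user values. A zone managed by Group Policy (HKLM or the Policies keys)
    # overrides these, so on managed desktops apply the change through policy instead.
    foreach ($zone in $Zones.Keys) {
        foreach ($name in $Settings.Keys) {
            $item = Get-ItemProperty -Path "$ZoneRoot\$zone" -Name $name -ErrorAction SilentlyContinue
            $val  = if ($item) { $item.$name } else { $null }
            $meaning = switch ($val) { 0 { 'enable' } 1 { 'prompt' } 3 { 'disable' } default { 'not set / other' } }
            [pscustomobject]@{
                Zone    = $Zones[$zone]
                Setting = $Settings[$name]
                Value   = $val
                Meaning = $meaning
            }
        }
    }
}

function Set-IEZoneScripting {
    # Mode 1 = prompt before running, Mode 3 = disable: the two workaround states the bulletin lists.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet(1, 3)][int]$Mode = 1,
        [string]$BackupPath = (Join-Path $env:TEMP 'ie-zone-settings-before.csv')   # assumed location
    )
    # Keep the previous values so the workaround can be reverted after patching.
    Get-IEZoneScripting | Export-Csv -Path $BackupPath -NoTypeInformation
    foreach ($zone in $Zones.Keys) {
        foreach ($name in $Settings.Keys) {
            $target = "$($Zones[$zone]) zone: $($Settings[$name])"
            if ($PSCmdlet.ShouldProcess($target, "set to $Mode")) {
                Set-ItemProperty -Path "$ZoneRoot\$zone" -Name $name -Value $Mode -Type DWord
            }
        }
    }
}

Get-IEZoneScripting | Format-Table -AutoSize
# Preview first, then apply:
# Set-IEZoneScripting -Mode 1 -WhatIf
# Set-IEZoneScripting -Mode 1
```

This changes only the two settings the bulletin names, not the whole "High" zone template; prompting for Active Scripting will interrupt intranet web applications that rely on script, which is why the bulletin presents it as an interim workaround rather than a permanent configuration.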
MS14-057: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414)
CVE | Severity | Exploitability (latest / older versions; blank where the slide used a colour chip) | Impact | Disclosure
CVE-2014-4121 | Critical | | Remote Code Execution | Cooperatively Disclosed
CVE-2014-4073 | Important | | Elevation of Privilege | Cooperatively Disclosed
CVE-2014-4122 | Important | NA | Security Bypass | Cooperatively Disclosed
AFFECTED PRODUCTS: All supported editions of Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2
(excluding Itanium), Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
AFFECTED COMPONENTS: Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET
Framework 4, and Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected releases of Microsoft Windows
DEPLOYMENT PRIORITY: (shown only as a colour chip on the slide)
MAIN TARGET: Systems where .NET is used, including workstations and servers
POSSIBLE ATTACK VECTORS
• An attacker would send a specially crafted URI request containing international characters to a .NET web application
IMPACT OF ATTACK
• The most severe of the vulnerabilities could allow remote code execution if an attacker sends a specially crafted URI request
containing international characters to a .NET web application.
MITIGATING FACTORS
• In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an
application has to explicitly enable this functionality.
ADDITIONAL INFORMATION
• In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.
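An added example, not part of the deck: a PowerShell scan that lists the .NET configuration files under a directory tree that explicitly turn iriParsing on, which the bulletin identifies as the precondition for exploiting a .NET 4.0 application. The configuration element checked is the standard `<configuration><uri><iriParsing enabled="..."/></uri></configuration>` section; the function name, file patterns and the example root path are mine.

```powershell
# Added example, not from the Microsoft deck. Reports config files that declare
#   <configuration><uri><iriParsing enabled="true" /></uri></configuration>
# A file that does not declare the setting gets the framework default (off in 4.0).
function Find-IriParsingSetting {
    param(
        [Parameter(Mandatory = $true)][string]$Root,                           # e.g. an IIS web root
        [string[]]$Include = @('web.config', 'app.config', '*.exe.config')    # assumed patterns
    )

    Get-ChildItem -Path $Root -Recurse -Include $Include -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { [xml]$cfg = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
            catch { Write-Warning "Skipping $($file.FullName): not well-formed XML"; return }

            $node = $cfg.SelectSingleNode('/configuration/uri/iriParsing')
            if ($null -eq $node) { return }   # not declared: default applies

            [pscustomobject]@{
                File    = $file.FullName
                Enabled = ($node.GetAttribute('enabled') -eq 'true')
            }
        }
}

# Usage (assumed path): show every config that explicitly enables iriParsing.
Find-IriParsingSetting -Root 'C:\inetpub\wwwroot' | Where-Object Enabled | Format-Table -AutoSize
```

Two caveats follow directly from the bulletin text: the setting can also be declared machine-wide in machine.config, so a clean scan of application folders is not by itself proof that parsing is off, and on .NET 4.5 the feature cannot be disabled at all, so there the update is the only remediation and this scan only tells you which 4.0 applications had opted in.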
MS14-058: Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)
CVE | Severity | Exploitability (latest / older versions; blank where the slide used a colour chip) | Impact | Disclosure
CVE-2014-4148 | Critical | | Remote Code Execution | Cooperatively Disclosed
CVE-2014-4113 | Important | | Elevation of Privilege | Cooperatively Disclosed
AFFECTED PRODUCTS: All supported editions of Windows
AFFECTED COMPONENTS: KMD
DEPLOYMENT PRIORITY: (shown only as a colour chip on the slide)
MAIN TARGET: Workstations and terminal servers are primarily at risk.
POSSIBLE ATTACK VECTORS
• The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially
crafted document or to visit an untrusted website that contains embedded TrueType fonts.
IMPACT OF ATTACK
• An attacker who exploited this vulnerability could cause an arbitrary program to execute at the same integrity level as the
current user.
MITIGATING FACTORS
• An attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to
do so, typically by getting them to click a link in an email message or Instant Messenger message.
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
ADDITIONAL INFORMATION
• 32-bit and 64-bit editions of Windows 8 and Windows 8.1 are less exposed to currently known exploits due to mitigations built
into these operating systems.
MS14-059: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942)
CVE | Severity | Exploitability (latest / older versions) | Impact | Disclosure
CVE-2014-4075 | Important | N/A / N/A | Security Bypass | Publicly Disclosed
AFFECTED PRODUCTS: ASP.NET MVC 2, ASP.NET MVC 3, ASP.NET MVC 4, ASP.NET MVC 5, and ASP.NET MVC 5.1
AFFECTED COMPONENTS: ASP.NET
DEPLOYMENT PRIORITY: (shown only as a colour chip on the slide)
MAIN TARGET: Web servers
POSSIBLE ATTACK VECTORS
• A cross-site scripting (XSS) vulnerability exists in ASP.NET MVC that could allow an attacker to inject a client-side script into the
user's web browser.
IMPACT OF ATTACK
• An attacker who successfully exploited this vulnerability could spoof content, disclose information, or take any action that the
user could take on the site on behalf of the targeted user.
MITIGATING FACTORS
• An attacker would have no way to force users to view the attacker-controlled content.
• The XSS Filter in Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 prevents this attack for
users when browsing to websites in the Internet Zone.
ADDITIONAL INFORMATION
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
MS14-060: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3000869)
CVE | Severity | Exploitability (latest / older versions; blank where the slide used a colour chip) | Impact | Disclosure
CVE-2014-4114 | Important | | Remote Code Execution | Cooperatively Disclosed
AFFECTED PRODUCTS: All supported editions of Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2
(excluding Itanium), Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
AFFECTED COMPONENTS: Microsoft Office
DEPLOYMENT PRIORITY: (shown only as a colour chip on the slide)
MAIN TARGET: Workstations and terminal servers are primarily at risk.
POSSIBLE ATTACK VECTORS
• If a user opens a Microsoft Office file that contains a specially crafted OLE object, an attacker who successfully exploited this
vulnerability could run arbitrary code in the context of that user.
IMPACT OF ATTACK
• An attacker who successfully exploited this vulnerability could cause code to execute within the context of the logged on user.
MITIGATING FACTORS
• Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who
operate with administrative user rights.
• An attacker would have no way to force users to visit the attacker’s websites.
• Protected View is enabled by default.
ADDITIONAL INFORMATION
• One workaround for this vulnerability is to disable the WebClient service.
MS14-061: Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434)
CVE | Severity | Exploitability (latest / older versions) | Impact | Disclosure
CVE-2014-4117 | Important | N/A / N/A | Remote Code Execution | Cooperatively Disclosed
AFFECTED PRODUCTS: Microsoft Word 2007, Microsoft Word 2010, affected Microsoft Office services and Web Apps on supported editions of Microsoft
SharePoint Server 2010, Microsoft Web Apps Server 2010, supported versions of Microsoft Word Viewer, Microsoft Office
Compatibility Pack, and Microsoft Office for Mac 2011
AFFECTED COMPONENTS: Microsoft Office
DEPLOYMENT PRIORITY: (shown only as a colour chip on the slide)
MAIN TARGET: Workstations and terminal servers are primarily at risk.
POSSIBLE ATTACK VECTORS
• An attacker could convince a user to open a specially crafted Microsoft Word file
IMPACT OF ATTACK
• The vulnerability could allow remote code execution in the context of the current user if an attacker convinces a user to open a
specially crafted Microsoft Word file.
MITIGATING FACTORS
• Email: For an attack to be successful a user must open an attachment that is sent in an email message.
• Web: An attacker would have to convince users to take action, typically by getting them to click a link in an email message or
Instant Messenger message that takes users to the attacker’s website, and then convince them to open the specially crafted
Office file.
• Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who
operate with administrative user rights.
ADDITIONAL INFORMATION
• Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.
MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254)
CVE | Severity | Exploitability (latest / older versions) | Impact | Disclosure
CVE-2014-4971 | Important | N/A / N/A | Elevation of Privilege | Publicly Disclosed
AFFECTED PRODUCTS: All supported editions of Windows Server 2003
AFFECTED COMPONENTS: Microsoft Windows
DEPLOYMENT PRIORITY: (shown only as a colour chip on the slide)
MAIN TARGET: Windows 2003 servers with the Message Queuing service enabled
POSSIBLE ATTACK VECTORS
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
IMPACT OF ATTACK
• Successful exploitation of this vulnerability could lead to full access to the affected system.
MITIGATING FACTORS
• By default, the Message Queuing component is not installed on any affected operating system edition and can only be enabled
by a user with administrative privileges.
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could
not be exploited remotely or by anonymous users.
ADDITIONAL INFORMATION
• As a workaround, you can disable the Message Queuing service.
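An added example, not from the Microsoft deck, covering the two service-based workarounds in this release: disabling the WebClient service (MS14-060) and the Message Queuing service (MS14-062). It reports each service's current state and offers an opt-in disable that supports -WhatIf. The Windows service name MSMQ for Message Queuing and the use of Get-WmiObject (so the check also runs on the Windows Server 2003 / PowerShell 2.0 hosts MS14-062 applies to) are my choices; the function names are mine.

```powershell
# Added example, not from the Microsoft deck. Service names: WebClient (WebDAV redirector),
# MSMQ (Message Queuing).
$WorkaroundServices = @(
    @{ Bulletin = 'MS14-060'; Service = 'WebClient' }
    @{ Bulletin = 'MS14-062'; Service = 'MSMQ' }
)

function Get-WorkaroundServiceState {
    foreach ($entry in $WorkaroundServices) {
        $svc = Get-Service -Name $entry.Service -ErrorAction SilentlyContinue
        # Get-Service exposes no start type before PowerShell 5, so read it from WMI.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($entry.Service)'"
        $status    = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
        $startMode = if ($wmi) { $wmi.StartMode } else { 'n/a' }
        New-Object PSObject -Property @{
            Bulletin  = $entry.Bulletin
            Service   = $entry.Service
            Installed = ($null -ne $svc)
            Status    = $status
            StartMode = $startMode
        }
    }
}

function Disable-WorkaroundService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)
    if (-not (Get-Service -Name $Name -ErrorAction SilentlyContinue)) {
        Write-Verbose "$Name is not installed; nothing to do"
        return
    }
    if ($PSCmdlet.ShouldProcess($Name, 'Stop service and set startup type to Disabled')) {
        Stop-Service -Name $Name -Force
        Set-Service  -Name $Name -StartupType Disabled
    }
}

Get-WorkaroundServiceState | Format-Table Bulletin, Service, Installed, Status, StartMode -AutoSize
# Preview, then apply once the change is approved:
# Disable-WorkaroundService -Name WebClient -WhatIf
# Disable-WorkaroundService -Name WebClient
```

Stopping WebClient removes WebDAV access (mapped SharePoint libraries, for example), and stopping MSMQ halts any application that reads or writes its queues, so record the previous StartMode and restore it after the corresponding update is installed.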
MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579)
CVE | Severity | Exploitability (latest / older versions) | Impact | Disclosure
CVE-2014-4115 | Important | N/A / N/A | Elevation of Privilege | Cooperatively Disclosed
AFFECTED PRODUCTS: All supported editions of Windows Server 2003, Windows Vista, and Windows Server 2008
AFFECTED COMPONENTS: FAT32 Disk partition driver
DEPLOYMENT PRIORITY: (shown only as a colour chip on the slide)
MAIN TARGET: Windows computers running the FAT32 file system
POSSIBLE ATTACK VECTORS
• An elevation of privilege vulnerability exists in the way the Windows FASTFAT system driver interacts with FAT32 disk partitions
IMPACT OF ATTACK
• An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
MITIGATING FACTORS
• An attacker must have physical access to the system to be able to exploit the vulnerability.
ADDITIONAL INFORMATION
• The Microsoft Windows FASTFAT driver is used to manage FAT32 disk partitions.
October 2014 Microsoft Security Bulletins
Microsoft Security Advisories
Microsoft Security Advisory 2949927:
Availability of SHA-2 Hashing Algorithm for Windows 7 and
Windows Server 2008R2
• On October 14, 2014, Microsoft announced an update for all supported editions
of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing
and verification functionality.
Microsoft Security Advisory 2977292:
Update for Enabling TLS 1.1 or 1.2 in EAP
• On October 14, 2014, Microsoft revised this advisory to announce the availability
of an update for supported editions of Windows Server 2008, Windows 7,
Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and
Windows RT for the Microsoft Extensible Authentication Protocol (EAP)
implementation that enables the use of Transport Layer Security (TLS) 1.1 or 1.2
through the modification of the system registry.
Microsoft Security Advisory 2871997:
Update to Improve Credentials Protection and Management
• On October 14, 2014, Microsoft revised this advisory to announce the availability
of updates for supported editions of Windows 7, Windows Server 2008 R2,
Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server
2012 R2, and Windows RT 8.1 that improve credential protection and domain
authentication controls to reduce credential theft.
Microsoft Security Advisory 2755801:
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
• On October 14, 2014, Microsoft released an update (3001237) for Internet
Explorer 10 on Windows 8, Windows Server 2012, and Windows RT, and for
Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, and Windows RT
8.1. The update addresses the vulnerabilities described in Adobe Security bulletin
APSB14-22. For more information about this update, including download links,
see Microsoft Knowledge Base Article 3001237.
Note: The update for Windows RT is available via Windows Update only.
Detection and Deployment
Bulletin                    | Windows Update | Microsoft Update | MBSA  | WSUS 3.0 | SMS 2003 with ITMU | Configuration Manager
MS14-056 IE                 | Yes            | Yes              | Yes1  | Yes1     | Yes1               | Yes1
MS14-057 .NET               | Yes            | Yes              | Yes1  | Yes1     | Yes1               | Yes1
MS14-058 KMD                | Yes            | Yes              | Yes1  | Yes1     | Yes1               | Yes1
MS14-059 ASP.NET            | Yes            | Yes              | Yes1  | Yes1     | Yes1               | Yes1
MS14-060 OLE                | Yes            | Yes              | Yes   | Yes1     | Yes1               | Yes1
MS14-061 Word               | No             | Yes              | Yes1  | Yes      | Yes1               | Yes1
MS14-062 Message Queuing    | Yes            | Yes              | Yes1  | Yes1     | Yes1               | Yes1
MS14-063 FAT32              | Yes            | Yes              | Yes   | Yes      | Yes                | Yes
1. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.
Other Update Information
Bulletin                    | Restart | Uninstall | Replaces
MS14-056 IE                 | Yes     | Yes       | MS14-052
MS14-057 .NET               | Maybe   | Yes       | MS12-016
MS14-058 KMD                | Yes     | Yes       | MS14-045
MS14-059 ASP.NET            | Maybe   | No        | None
MS14-060 OLE                | Maybe   | Yes       | None
MS14-061 Word               | Maybe   | Yes       | MS14-034, MS14-017
MS14-062 Message Queuing    | Yes     | Yes       | MS09-040
MS14-063 FAT32              | Yes     | Yes       | None
Windows Malicious Software Removal Tool (MSRT)
During this release, Microsoft will increase/add detection capability for the following
families in the MSRT:
• Win32/Hikiti - a family of malware designed to give a malicious hacker unauthorized access and control of your PC.
Available as a priority update through Windows Update or Microsoft Update
Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove
Resources
Blogs
• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/
Twitter
• @MSFTSecResponse
Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx
Bulletins, Advisories, Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews
Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Questions & Answers
Submit text questions using the Social Stream.
Don’t forget to fill out the survey.
A recording of this webcast will be available on the MSRC blog
http://blogs.technet.com/msrc
Get the calendar reminder for next month’s webcast at:
http://technet.microsoft.com/en-us/security/dn756352
July 2014 Microsoft Security Bulletins
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows 8.1 and other product names are or may be
registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of
this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Thank you