microsoft security bulletins · ms14-061: vulnerability in microsoft word and office web apps could...

Microsoft Security Bulletins

Andrew Gross

Security Development Manager

Pete Voss

MarComm Manager

Response Communications

October 2014

Dial-in Information

1 888-320-3585

Pin: 932342341


October 2014 Microsoft Security Bulletins

What We Will Cover

1. Review of October 2014 Bulletin Release Information

• Eight New Security Bulletins

• Two New Security Advisories

• Microsoft Windows Malicious Software Removal Tool

2. Resources

3. Questions and Answers: Please Submit Now

• Submit questions through the Social Stream


Dial-in and download information

For audio only:

• +1 425-706-3500 or +1-888-320-3585

• Conference ID: 932342341

Download the slides:

• http://aka.ms/WebcastSlides

• Provides PDF document of this presentation

Bulletin Deployment Priority, Severity and XID

| Bulletin | Product/Component | KB # | Disclosure | Active Attacks | Aggregate Severity | Max Impact |
|---|---|---|---|---|---|---|
| MS14-056 | IE | 2987107 | Private | Yes | Critical | RCE |
| MS14-057 | .NET | 3000414 | Private | None | Critical | RCE |
| MS14-058 | KMD | 3000061 | Private | Yes | Critical | RCE |
| MS14-060 | OLE | 3000869 | Private | Yes | Important | RCE |
| MS14-061 | Word | 3000434 | Private | None | Important | RCE |
| MS14-059 | ASP.NET | 2990942 | Public | None | Important | SB |
| MS14-062 | Message Queuing | 2993254 | Private | None | Important | EOP |
| MS14-063 | FAT32 | 2998579 | Private | None | Important | EOP |

MS14-056: Cumulative Update for Internet Explorer (2987107)

| CVE | Severity | Exploitability (Latest / Older versions) | Impact | Disclosure |
|---|---|---|---|---|
| CVE-2014-4126, CVE-2014-4128, CVE-2014-4141 | Critical | | Remote Code Execution | Cooperatively Disclosed |
| CVE-2014-4130, CVE-2014-4132, CVE-2014-4138 | Critical | NA / NA | Remote Code Execution | Cooperatively Disclosed |
| CVE-2014-4127, CVE-2014-4129, CVE-2014-4133, CVE-2014-4134, CVE-2014-4137 | Critical | NA / NA | Remote Code Execution | Cooperatively Disclosed |
| CVE-2014-4123 | Important | | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2014-4124, CVE-2014-4140 | Important | | Elevation of Privilege, Security Bypass | Cooperatively Disclosed |

AFFECTED PRODUCTS: IE7 – IE11 on all supported versions of Windows Client; IE6 – IE11 on all supported versions of Windows Server

AFFECTED COMPONENTS: Internet Explorer

DEPLOYMENT PRIORITY

MAIN TARGET: Workstations and terminal servers

POSSIBLE ATTACK VECTORS

CVE-2014-4123, CVE-2014-4124

• An attacker could attempt to exploit this vulnerability by running code at a higher privilege level

CVE-2014-4140

• An attacker could bypass the Address Space Layout Randomization (ASLR) security feature

All other CVEs

• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

IMPACT OF ATTACK

CVE-2014-4123, CVE-2014-4124

• An attacker who successfully exploited these vulnerabilities could elevate privileges in affected versions of Internet Explorer.

CVE-2014-4140

• An attacker who successfully exploited this vulnerability could take advantage of the ASLR bypass to run arbitrary code.

All other CVEs

• An attacker who successfully exploited these vulnerabilities could execute arbitrary code in the context of the current user.

MITIGATING FACTORS

CVE-2014-2783

• Extended Validation (EV) SSL Certificate guidelines disallow the use of wildcard certificates. EV SSL certificates issued by Certificate Authorities (CA) in compliance with these guidelines cannot be used to exploit this vulnerability.

All other CVEs

• Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• An attacker would have no way to force users to view attacker-controlled content.

ADDITIONAL INFORMATION

• Installations using Server Core are affected.

CVE-2014-4123, CVE-2014-4124

• Microsoft has not identified any workarounds for these vulnerabilities

All other CVEs

• Workarounds include configuring Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone and setting Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.

MS14-057: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (3000414)

| CVE | Severity | Exploitability (Latest / Older versions) | Impact | Disclosure |
|---|---|---|---|---|
| CVE-2014-4121 | Critical | | Remote Code Execution | Cooperatively Disclosed |
| CVE-2014-4073 | Important | | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2014-4122 | Important | NA | Security Bypass | Cooperatively Disclosed |

AFFECTED PRODUCTS: All supported editions of Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2 (excluding Itanium), Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1

AFFECTED COMPONENTS: Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected releases of Microsoft Windows

DEPLOYMENT PRIORITY

MAIN TARGET: Systems where .NET is used, including workstations and servers

POSSIBLE ATTACK VECTORS

• An attacker would send a specially crafted URI request containing international characters to a .NET web application

IMPACT OF ATTACK

• The most severe of the vulnerabilities could allow remote code execution if an attacker sends a specially crafted URI request containing international characters to a .NET web application.

MITIGATING FACTORS

• In .NET 4.0 applications, the vulnerable functionality (iriParsing) is disabled by default; for the vulnerability to be exploitable an application has to explicitly enable this functionality.

ADDITIONAL INFORMATION

• In .NET 4.5 applications, iriParsing is enabled by default and cannot be disabled.
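As an added illustration (not part of the webcast and not Microsoft tooling), this Python sketch triages web.config files against the two iriParsing statements for MS14-057, so that hosts can be ordered for patching. Treating the `targetFramework` attribute on `httpRuntime` or `compilation` as the marker of a "4.0" or "4.5" application is an assumption, and the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not taken from the bulletin).
SAMPLES = {
    "net40_default": """<configuration>
  <system.web><compilation targetFramework="4.0"/></system.web>
</configuration>""",
    "net40_iri_enabled": """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <uri><iriParsing enabled="true"/></uri>
  <system.web><compilation targetFramework="4.0"/></system.web>
</configuration>""",
    "net45_iri_false": """<configuration>
  <uri><iriParsing enabled="false"/></uri>
  <system.web>
    <compilation targetFramework="4.5"/>
    <httpRuntime targetFramework="4.5.1"/>
  </system.web>
</configuration>""",
    "undeclared": "<configuration><appSettings/></configuration>",
}


def _child(element, name):
    """First direct child called `name`, ignoring any XML namespace prefix."""
    for child in element:
        if isinstance(child.tag, str) and child.tag.rsplit("}", 1)[-1] == name:
            return child
    return None


def target_framework(root):
    """Highest targetFramework declared under <system.web>, as an int tuple, or None."""
    system_web = _child(root, "system.web")
    found = []
    for name in ("httpRuntime", "compilation"):
        node = _child(system_web, name) if system_web is not None else None
        value = (node.get("targetFramework") or "") if node is not None else ""
        try:
            found.append(tuple(int(part) for part in value.strip().split(".")))
        except ValueError:
            pass  # attribute missing or not a dotted version number
    return max(found) if found else None


def iri_parsing_enabled(root):
    """True/False when <uri><iriParsing enabled=...> is present, None when absent."""
    uri = _child(root, "uri")
    node = _child(uri, "iriParsing") if uri is not None else None
    if node is None:
        return None
    return node.get("enabled", "").strip().lower() == "true"


def triage(config_xml):
    """Return (status, reason) for one web.config, following the MS14-057 slide."""
    root = ET.fromstring(config_xml)
    framework = target_framework(root)
    iri = iri_parsing_enabled(root)
    if framework is not None and framework >= (4, 5):
        # Slide: enabled by default in 4.5 and cannot be disabled, so an
        # explicit enabled="false" does not reduce exposure.
        return ("exposed", "4.5 application: iriParsing is always on")
    if iri:
        return ("exposed", "iriParsing explicitly enabled")
    if framework is not None and framework >= (4, 0):
        return ("default-off", "4.0 application without iriParsing enabled")
    # The slide states no default for other or undeclared framework versions.
    return ("review", "target framework undeclared or older than 4.0")


if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, *triage(xml_text))
```

The result only orders hosts for deployment of the update (3000414); it does not check whether the update is already installed.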

MS14-058: Vulnerability in Kernel-Mode Driver Could Allow Remote Code Execution (3000061)

| CVE | Severity | Exploitability (Latest / Older versions) | Impact | Disclosure |
|---|---|---|---|---|
| CVE-2014-4148 | Critical | | Remote Code Execution | Cooperatively Disclosed |
| CVE-2014-4113 | Important | | Elevation of Privilege | Cooperatively Disclosed |

AFFECTED PRODUCTS: All supported editions of Windows

AFFECTED COMPONENTS: KMD

DEPLOYMENT PRIORITY

MAIN TARGET: Workstations and terminal servers are primarily at risk.

POSSIBLE ATTACK VECTORS

• The more severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts.

IMPACT OF ATTACK

• An attacker who exploited this vulnerability could cause an arbitrary program to execute at the same integrity level as the current user.

MITIGATING FACTORS

• An attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an email message or Instant Messenger message.

• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

ADDITIONAL INFORMATION

• 32-bit and 64-bit editions of Windows 8 and Windows 8.1 are less exposed to currently known exploits due to mitigations built into these operating systems.

MS14-059: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942)

| CVE | Severity | Exploitability (Latest / Older versions) | Impact | Disclosure |
|---|---|---|---|---|
| CVE-2014-4075 | Important | N/A / N/A | Security Bypass | Publicly Disclosed |

AFFECTED PRODUCTS: ASP.NET MVC 2, ASP.NET MVC 3, ASP.NET MVC 4, ASP.NET MVC 5, and ASP.NET MVC 5.1.

AFFECTED COMPONENTS: ASP.NET

DEPLOYMENT PRIORITY

MAIN TARGET: Web servers

POSSIBLE ATTACK VECTORS

• A cross-site scripting (XSS) vulnerability exists in ASP.NET MVC that could allow an attacker to inject a client-side script into the user's web browser.

IMPACT OF ATTACK

• An attacker who successfully exploited this vulnerability could spoof content, disclose information, or take any action that the user could take on the site on behalf of the targeted user.

MITIGATING FACTORS

• An attacker would have no way to force users to view the attacker-controlled content.

• The XSS Filter in Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 prevents this attack for users when browsing to websites in the Internet Zone.

ADDITIONAL INFORMATION

• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones

MS14-060: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3000869)

| CVE | Severity | Exploitability (Latest / Older versions) | Impact | Disclosure |
|---|---|---|---|---|
| CVE-2014-4114 | Important | | Remote Code Execution | Cooperatively Disclosed |

AFFECTED PRODUCTS: All supported editions of Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2 (excluding Itanium), Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

AFFECTED COMPONENTS: Microsoft Office

DEPLOYMENT PRIORITY

MAIN TARGET: Workstations and terminal servers are primarily at risk.

POSSIBLE ATTACK VECTORS

• If a user opens a Microsoft Office file that contains a specially crafted OLE object, an attacker who successfully exploited this vulnerability could run arbitrary code in the context of that user.

IMPACT OF ATTACK

• An attacker who successfully exploited this vulnerability could cause code to execute within the context of the logged on user.

MITIGATING FACTORS

• Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

• An attacker would have no way to force users to visit the attacker’s websites.

• Protected View is enabled by default.

ADDITIONAL INFORMATION

• One workaround for this vulnerability is to disable the WebClient service.

MS14-061: Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (3000434)

| CVE | Severity | Exploitability (Latest / Older versions) | Impact | Disclosure |
|---|---|---|---|---|
| CVE-2014-4117 | Important | N/A / N/A | Remote Code Execution | Cooperatively Disclosed |

AFFECTED PRODUCTS: Microsoft Word 2007, Microsoft Word 2010, affected Microsoft Office services and Web Apps on supported editions of Microsoft SharePoint Server 2010, Microsoft Web Apps Server 2010, supported versions of Microsoft Word Viewer, Microsoft Office Compatibility Pack, and Microsoft Office for Mac 2011

AFFECTED COMPONENTS: Microsoft Office

DEPLOYMENT PRIORITY

MAIN TARGET: Workstations and terminal servers are primarily at risk.

POSSIBLE ATTACK VECTORS

• An attacker could convince a user to open a specially crafted Microsoft Word file

IMPACT OF ATTACK

• The vulnerability could allow remote code execution in the context of the current user if an attacker convinces a user to open a specially crafted Microsoft Word file.

MITIGATING FACTORS

• Email: For an attack to be successful a user must open an attachment that is sent in an email message.

• Web: An attacker would have to convince users to take action, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website, and then convince them to open the specially crafted Office file.

• Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

ADDITIONAL INFORMATION

• Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.

MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254)

| CVE | Severity | Exploitability (Latest / Older versions) | Impact | Disclosure |
|---|---|---|---|---|
| CVE-2014-4971 | Important | N/A / N/A | Elevation of Privilege | Publicly Disclosed |

AFFECTED PRODUCTS: All supported editions of Windows Server 2003

AFFECTED COMPONENTS: Microsoft Windows

DEPLOYMENT PRIORITY

MAIN TARGET: Windows 2003 servers with the Message Queuing service enabled

POSSIBLE ATTACK VECTORS

• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

IMPACT OF ATTACK

• Successful exploitation of this vulnerability could lead to full access to the affected system.

MITIGATING FACTORS

• By default, the Message Queuing component is not installed on any affected operating system edition and can only be enabled by a user with administrative privileges.

• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

ADDITIONAL INFORMATION

• As a workaround, you can disable the Message Queuing service.

MS14-063: Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579)

| CVE | Severity | Exploitability (Latest / Older versions) | Impact | Disclosure |
|---|---|---|---|---|
| CVE-2014-4115 | Important | N/A / N/A | Elevation of Privilege | Cooperatively Disclosed |

AFFECTED PRODUCTS: All supported editions of Windows Server 2003, Windows Vista, and Windows Server 2008

AFFECTED COMPONENTS: FAT32 Disk partition driver

DEPLOYMENT PRIORITY

MAIN TARGET: Windows computers running the FAT32 file system

POSSIBLE ATTACK VECTORS

• An elevation of privilege vulnerability exists in the way the Windows FASTFAT system driver interacts with FAT32 disk partitions

IMPACT OF ATTACK

• An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

MITIGATING FACTORS

• An attacker must have physical access to the system to be able to exploit the vulnerability.

ADDITIONAL INFORMATION

• The Microsoft Windows FASTFAT driver is used to manage FAT32 disk partitions.

Microsoft Security Advisories

Microsoft Security Advisory 2949927: Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2

• On October 14, 2014, Microsoft announced an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality.

Microsoft Security Advisory 2977292: Update for Enabling TLS 1.1 or 1.2 in EAP

• On October 14, 2014, Microsoft revised this advisory to announce the availability of an update for supported editions of Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT for the Microsoft Extensible Authentication Protocol (EAP) implementation that enables the use of Transport Layer Security (TLS) 1.1 or 1.2 through the modification of the system registry.

Microsoft Security Advisory 2871997: Update to Improve Credentials Protection and Management

• On October 14, 2014, Microsoft revised this advisory to announce the availability of updates for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that improve credential protection and domain authentication controls to reduce credential theft.

Microsoft Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer

• On October 14, 2014, Microsoft released an update (3001237) for Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT, and for Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-22. For more information about this update, including download links, see Microsoft Knowledge Base Article 3001237.

Notes: The update for Windows RT is available via Windows Update only.

Detection and Deployment

| Bulletin | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | Configuration Manager |
|---|---|---|---|---|---|---|
| MS14-056 IE | Yes | Yes | Yes¹ | Yes¹ | Yes¹ | Yes¹ |
| MS14-057 .NET | Yes | Yes | Yes¹ | Yes¹ | Yes¹ | Yes¹ |
| MS14-058 KMD | Yes | Yes | Yes¹ | Yes¹ | Yes¹ | Yes¹ |
| MS14-059 ASP.NET | Yes | Yes | Yes¹ | Yes¹ | Yes¹ | Yes¹ |

1. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.

Detection and Deployment

| Bulletin | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | Configuration Manager |
|---|---|---|---|---|---|---|
| MS14-060 OLE | Yes | Yes | Yes | Yes¹ | Yes¹ | Yes¹ |
| MS14-061 Word | No | Yes | Yes¹ | Yes | Yes¹ | Yes¹ |
| MS14-062 Message Queuing | Yes | Yes | Yes¹ | Yes¹ | Yes¹ | Yes¹ |
| MS14-063 FAT32 | Yes | Yes | Yes | Yes | Yes | Yes |

1. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.

Other Update Information

| Bulletin | Restart | Uninstall | Replaces |
|---|---|---|---|
| MS14-056 IE | Yes | Yes | MS14-052 |
| MS14-057 .NET | Maybe | Yes | MS12-016 |
| MS14-058 KMD | Yes | Yes | MS14-045 |
| MS14-059 ASP.NET | Maybe | No | None |

Other Update Information

| Bulletin | Restart | Uninstall | Replaces |
|---|---|---|---|
| MS14-060 OLE | Maybe | Yes | None |
| MS14-061 Word | Maybe | Yes | MS14-034, MS14-017 |
| MS14-062 Message Queuing | Yes | Yes | MS09-040 |
| MS14-063 FAT32 | Yes | Yes | None |

Windows Malicious Software Removal Tool (MSRT)

During this release, Microsoft will increase/add detection capability for the following families in the MSRT:

• Win32/Hikiti - a family of malware designed to give a malicious hacker unauthorized access and control of your PC.

Available as a priority update through Windows Update or Microsoft Update

Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove

Resources

Blogs

• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc

• Security Research & Defense blog: http://blogs.technet.com/srd

• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/

Twitter

• @MSFTSecResponse

Security Centers

• Microsoft Security Home Page: www.microsoft.com/security

• TechNet Security Center: www.microsoft.com/technet/security

• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters

• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx

• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx

• Security Advisories: www.microsoft.com/technet/security/advisory/

• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx

• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews

Other Resources

• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx

• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx


Questions & Answers

Submit text questions using the Social Stream.

Don’t forget to fill out the survey.

A recording of this webcast will be available on the MSRC blog: http://blogs.technet.com/msrc

Get the calendar reminder for next month’s webcast at: http://technet.microsoft.com/en-us/security/dn756352

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows 8.1 and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Thank you