Dial In Number PIN: 1056 Information About Microsoft December 2011 Security Bulletins Jonathan Ness Security Development Manager Microsoft Corporation Jerry Bryant Group Manager, Response Communications Microsoft Corporation

Dial In Number PIN: 1056 What We Will Cover Review of December 2011 bulletin release information:Review of December 2011 bulletin release information: –New Security Bulletins –Announcements –Microsoft ® Windows ® Malicious Software Removal Tool ResourcesResources Questions and answers: Please Submit NowQuestions and answers: Please Submit Now

Dial In Number PIN: 1056 Severity and Exploitability Index Exploitability Index 1 RISK 2 3 DP Severity Critical IMPACT Important Moderate Low MS11-087MS11-088MS11-089MS11-090MS11-091MS11-092MS11-093MS11-094MS11-095MS11-096MS11-097MS11-098MS Windows Windows WindowsWindowsOffice WindowsOffice Windows WindowsOffice Internet Explorer Office Office

Dial In Number PIN: 1056 Bulletin Deployment Priority

Dial In Number PIN: 1056 MS11-087: MS11-087: Vulnerability In Windows Kernel-Mode Drivers Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Critical11 Remote Code Execution Publicly Disclosed Affected Products All supported releases of Microsoft Windows, including XP, Server 2003, Vista, Server 2008, Windows 7, and Server 2008 R2 Server 2008, Server 2008 R2 under certain circumstances. See “Additional Information” for details. Affected Components Windows Kernel Deployment Priority 1 Main Target Workstations and Servers Possible Attack Vectors An attacker could exploit this vulnerability if a user opens a specially crafted document or visits a malicious web page that embeds TrueType font files.An attacker could exploit this vulnerability if a user opens a specially crafted document or visits a malicious web page that embeds TrueType font files. Impact of Attack An attacker who successfully exploited this vulnerability could take complete control of the affected system.An attacker who successfully exploited this vulnerability could take complete control of the affected system. Mitigating Factors An attacker would have to convince users to open a specially-crafted document or visit a web site, typically by getting them to click a link in an or IM message.An attacker would have to convince users to open a specially-crafted document or visit a web site, typically by getting them to click a link in an or IM message. Additional Information This addresses the vulnerability first described in Microsoft Security Advisory This addresses the vulnerability first described in Microsoft Security Advisory This update applies with a lower severity rating to supported editions of Server 2008 or Server 2008 R2, when installed using the Server Core installation option.This update applies with a lower severity rating to supported editions of Server 2008 or Server 2008 R2, when installed using the Server Core installation option.

Dial In Number PIN: 1056 MS11-088: Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important1N/A Elevation of Privilege Cooperatively Disclosed Affected Products All supported editions of Microsoft Office 2010 where Microsoft Pinyin IME 2010 is installed, Microsoft Office Pinyin SimpleFast Style 2010, and Microsoft Office Pinyin New Experience Style Affected Components Microsoft Pinyin Input Method Editor for Simplified Chinese Deployment Priority 3 Main Target Workstations Possible Attack Vectors An attacker who exposes configuration options in Microsoft Office IME (Chinese) can exploit this vulnerability, and perform specific actions utilizing the MSPY IME toolbar to launch Internet Explorer with system-level privileges.An attacker who exposes configuration options in Microsoft Office IME (Chinese) can exploit this vulnerability, and perform specific actions utilizing the MSPY IME toolbar to launch Internet Explorer with system-level privileges. Impact of Attack An attacker who exploits this vulnerability could run arbitrary code in kernel mode, and then install programs, view, change or delete data, or create new accounts with full user rights.An attacker who exploits this vulnerability could run arbitrary code in kernel mode, and then install programs, view, change or delete data, or create new accounts with full user rights. Mitigating Factors An attacker must have valid logon credentials to log on locally to exploit this vulnerability. The vulnerability cannot be exploited remotely or by anonymous users.An attacker must have valid logon credentials to log on locally to exploit this vulnerability. The vulnerability cannot be exploited remotely or by anonymous users. Additional Information Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected. This will only be available through the Microsoft Download Center.This will only be available through the Microsoft Download Center.

Dial In Number PIN: 1056 MS11-089: Vulnerabilities In Microsoft Office Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important11 Remote Code Execution Cooperatively Disclosed Affected Products All supported editions of Office 2007, Office 2010, and Office For Mac 2011 Affected Components Microsoft Word Deployment Priority 2 Main Target Workstations Possible Attack Vectors An attacker could exploit this vulnerability if a user opens a specially crafted Word file.An attacker could exploit this vulnerability if a user opens a specially crafted Word file. Impact of Attack An attacker could gain the same user rights as the exploited logged-on user, which could include installing programs, viewing, changing or deleting data, or create new accounts with full user rights.An attacker could gain the same user rights as the exploited logged-on user, which could include installing programs, viewing, changing or deleting data, or create new accounts with full user rights. Mitigating Factors An attacker could not force a user to visit a specially crafted site.An attacker could not force a user to visit a specially crafted site. An attacker cannot exploit this vulnerability automatically through ; instead, the user would have to click on an attachment in an message.An attacker cannot exploit this vulnerability automatically through ; instead, the user would have to click on an attachment in an message. Additional Information NoneNone

Dial In Number PIN: 1056 MS11-090: Cumulative Security Update of ActiveX Kill Bits ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE CriticalN/A1 Remote Code Execution Cooperatively Disclosed Affected Products All supported editions of Windows XP and Windows Server 2003 Affected Components ActiveX Deployment Priority 2 Main Target Servers and Workstations Possible Attack Vectors An attacker could exploit this vulnerability if a user views a specially crafted web page that uses a specific binary behavior in Internet Explorer.An attacker could exploit this vulnerability if a user views a specially crafted web page that uses a specific binary behavior in Internet Explorer. Impact of Attack An attacker who exploits this vulnerability could gain the same user rights as the logged on user.An attacker who exploits this vulnerability could gain the same user rights as the logged on user. Mitigating Factors An attacker would have to convince users to visit a website, typically by getting them to click a link in an or IM message.An attacker would have to convince users to visit a website, typically by getting them to click a link in an or IM message. Additional Information Installations using Server Core are not affected.Installations using Server Core are not affected.

Dial In Number PIN: 1056 MS11-091: Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE ModerateN/AN/A Remote Code Execution Publicly Disclosed CVE ImportantN/A1 Remote Code Execution Cooperatively Disclosed CVE ImportantN/A1 Remote Code Execution Cooperatively Disclosed CVE ImportantN/A2 Remote Code Execution Cooperatively Disclosed Affected Products All supported editions of Microsoft Office 2003 and 2007 Affected Components Microsoft Publisher Deployment Priority 2 Main Target Workstations Possible Attack Vectors An attacker can exploit this vulnerability by creating a specially crafted Publisher file that could be included as an attachment, or hosted on a specially crafted/compromised web site, and then convince the user to open the specially crafted Publisher file.An attacker can exploit this vulnerability by creating a specially crafted Publisher file that could be included as an attachment, or hosted on a specially crafted/compromised web site, and then convince the user to open the specially crafted Publisher file. Impact of Attack An attacker who exploits this vulnerability could take complete control of an affected system, including installing programs, view, change or delete data, or create new accounts with full user rights.An attacker who exploits this vulnerability could take complete control of an affected system, including installing programs, view, change or delete data, or create new accounts with full user rights. Mitigating Factors An attacker has to convince the user to visit a web site or open an attachment.An attacker has to convince the user to visit a web site or open an attachment. Additional Information NoneNone

Dial In Number PIN: 1056 MS11-092: Vulnerability In Windows Media Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Critical11 Remote Code Execution Cooperatively Disclosed Affected Products All supported versions of Windows Affected Components Windows Media Center, Windows Media Player Deployment Priority 1 Main Target Workstations Possible Attack Vectors An attacker can exploit this vulnerability if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.An attacker can exploit this vulnerability if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. Impact of Attack An attacker who exploits this vulnerability could take complete control of an affected system, including installing programs, view, change or delete data, or create new accounts with full user rights.An attacker who exploits this vulnerability could take complete control of an affected system, including installing programs, view, change or delete data, or create new accounts with full user rights. Mitigating Factors An attacker has to convince the user to open the specially crafted media file.An attacker has to convince the user to open the specially crafted media file. Additional Information NoneNone

Dial In Number PIN: 1056 MS11-093: Vulnerability in OLE Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE ImportantN/A1 Remote Code Execution Cooperatively Disclosed Affected Products All supported editions of Windows XP and Windows Server 2003 Affected Components OLE Deployment Priority 3 Main Target Workstations and Servers Possible Attack Vectors An attacker could exploit this vulnerability if a user opens a file that contains a specially crafted OLE object.An attacker could exploit this vulnerability if a user opens a file that contains a specially crafted OLE object. Impact of Attack An attacker who successfully exploits this vulnerability could take complete control of an affected system, including the ability to install programs; view, change or delete data; or create new accounts with full user rights.An attacker who successfully exploits this vulnerability could take complete control of an affected system, including the ability to install programs; view, change or delete data; or create new accounts with full user rights. Mitigating Factors An attacker has to convince the user to open a malicious attachment contained in an message.An attacker has to convince the user to open a malicious attachment contained in an message. Additional Information Windows Vista, Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by this vulnerability.Windows Vista, Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by this vulnerability.

Dial In Number PIN: 1056 MS11-094: Vulnerabilities In Microsoft PowerPoint Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important11 Remote Code Execution Cooperatively Disclosed CVE ImportantN/A2 Remote Code Execution Cooperatively Disclosed Affected Products Office 2007, Office 2010, Office 2008 for Mac, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, PowerPoint Viewer 2007 Affected Components PowerPoint Deployment Priority 2 Main Target Workstations Possible Attack Vectors CVE :CVE : In a network attack scenario, an attacker could place a legitimate file and a specially crafted DLL file in a network share, a UNC, or WebDAV location and then convince the user to open the file.In a network attack scenario, an attacker could place a legitimate file and a specially crafted DLL file in a network share, a UNC, or WebDAV location and then convince the user to open the file. In an attack scenario, an attacker could exploit the vulnerability by sending a legitimate file attachment to a user, and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file.In an attack scenario, an attacker could exploit the vulnerability by sending a legitimate file attachment to a user, and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file. CVE :CVE : In a Web-based attack scenario, an attacker would have to convince users to visit the Web site and open the specially crafted PowerPoint fileIn a Web-based attack scenario, an attacker would have to convince users to visit the Web site and open the specially crafted PowerPoint file In an attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted PowerPoint file to the user and convincing the user to open the file.In an attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted PowerPoint file to the user and convincing the user to open the file. Impact of Attack An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. Mitigating Factors The file sharing protocol, Server Message Block (SMB), is often disabled on the perimeter firewall. This limits the potential attack vectors for this vulnerability.The file sharing protocol, Server Message Block (SMB), is often disabled on the perimeter firewall. This limits the potential attack vectors for this vulnerability. An attacker cannot force a user to open a malicious file or to place files in a specific directory.An attacker cannot force a user to open a malicious file or to place files in a specific directory. Additional Information This bulletin is related to Security Advisory This bulletin is related to Security Advisory

Dial In Number PIN: 1056 MS11-095: Vulnerability In Active Directory Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important11 Remote Code Execution Cooperatively Disclosed Affected Products Windows XP, Windows Server 2003 (Standard, Itanium, x64), Vista, Windows Server 2008 Standard and x64), Windows 7, Windows Server 2008 R2 x64 Affected Components ADAM, Active Directory, AD LDS Deployment Priority 2 Main Target Servers Possible Attack Vectors An attacker could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.An attacker could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system. Impact of Attack An attacker who successfully exploited this vulnerability could take complete control of the affected system.An attacker who successfully exploited this vulnerability could take complete control of the affected system. Mitigating Factors In order to successfully exploit this vulnerability, an attacker must have member account credentials within the target Active Directory domain.In order to successfully exploit this vulnerability, an attacker must have member account credentials within the target Active Directory domain. Additional Information Installations using Server Core are affected.Installations using Server Core are affected.

Dial In Number PIN: 1056 MS11-096: Vulnerability in Microsoft Excel Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE ImportantN/A1 Remote Code Execution Cooperatively Disclosed Affected Products Microsoft Office 2003 SP3, Office 2004 for Mac Affected Components Excel Deployment Priority 2 Main Target Workstations Possible Attack Vectors In an attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Excel file to the user and by convincing the user to open the file.In an attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Excel file to the user and by convincing the user to open the file. In a Web-based attack scenario, an attacker would have to host a Web site that contains an Excel file that is used to attempt to exploit this vulnerability.In a Web-based attack scenario, an attacker would have to host a Web site that contains an Excel file that is used to attempt to exploit this vulnerability. Impact of Attack An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. Mitigating Factors An attacker would have no way to force users to visit these Web sites or to open malicious files.An attacker would have no way to force users to visit these Web sites or to open malicious files. Additional Information When the Office File Validation feature is enabled in Microsoft Excel 2003, malicious files attempting to exploit this issue are not opened automatically.When the Office File Validation feature is enabled in Microsoft Excel 2003, malicious files attempting to exploit this issue are not opened automatically.

Dial In Number PIN: 1056 MS11-097: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important11 Elevation of Privilege Cooperatively Disclosed Affected Products All supported versions of Windows and Windows Server Affected Components Windows Client/Server Run-time Subsystem (CSRSS) Deployment Priority 3 Main Target Workstations and Servers Possible Attack Vectors To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to send a device event message to a higher-integrity process.To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to send a device event message to a higher-integrity process. Impact of Attack An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process.An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process. Mitigating Factors An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. Additional Information Installations using Server Core are affected.Installations using Server Core are affected.

Dial In Number PIN: 1056 MS11-098: Vulnerability In Windows Kernel Could Allow Elevation of Privilege ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important11 Elevation of Privilege Cooperatively Disclosed Affected Products Windows XP, Windows Server 2003, Vista, Windows 7 Affected Components Kernel Deployment Priority 3 Main Target Workstations Possible Attack Vectors To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over an affected system.To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over an affected system. Impact of Attack An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. Mitigating Factors An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.The vulnerability could not be exploited remotely or by anonymous users. Additional Information Installations using Server Core are affected.Installations using Server Core are affected.

Dial In Number PIN: 1056 MS11-099: Cumulative Security Update For Internet Explorer ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important33 Information Disclosure Cooperatively Disclosed CVE Important1N/A Remote Code Execution Cooperatively Disclosed CVE ModerateN/AN/A Information Disclosure Cooperatively Disclosed Affected Products IE6, IE7, IE 8 and IE 9 on all supported versions of Windows clients. IE6, IE7, IE 8 and IE 9 on all supported versions of Windows servers. Affected Components Internet Explorer Deployment Priority 2 Main Target Workstations Possible Attack Vectors CVE & CVE :CVE & CVE : Browse and Own: An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site.Browse and Own: An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. CVE :CVE : An attacker could exploit a vulnerability that exists in the way Internet Explorer loads libraries.An attacker could exploit a vulnerability that exists in the way Internet Explorer loads libraries. Impact of Attack CVE & CVE :CVE & CVE : An attacker could view content from another domain or Internet Explorer zone.An attacker could view content from another domain or Internet Explorer zone. CVE :CVE : An attacker could take complete control of an affected system, including installing programs, view, change or delete data, or create new accounts with full user rights.An attacker could take complete control of an affected system, including installing programs, view, change or delete data, or create new accounts with full user rights. Mitigating Factors The Server Message Block (SMB) is often disabled on the perimeter firewall. This limits the potential attack vectors for this vulnerability.The Server Message Block (SMB) is often disabled on the perimeter firewall. This limits the potential attack vectors for this vulnerability. An attacker could not force a user to visit a specially crafted site.An attacker could not force a user to visit a specially crafted site. Additional Information Installations using Server Core are not affected.Installations using Server Core are not affected.

Dial In Number PIN: 1056 Detection & Deployment # Microsoft Office Pinyin SimpleFast Style Available Through Download Center * Except For Windows XP Media Center Edition 2005 SP3 ** Except For Office 2008 For Mac *** Except For Office 2004 For Mac

Dial In Number PIN: 1056 Other Update Information

Dial In Number PIN: 1056 Windows Malicious Software Removal Tool (MSRT) During this release Microsoft will increase detection capability for the following families in the MSRT:During this release Microsoft will increase detection capability for the following families in the MSRT: –Win32/Helompy: This is an AutoIt worm that propagates via removable drives, network share, , and IM. It aims to steal Web credentials for various services, including Facebook, eBay, and Gmail. The worm contacts a remote host in order to download arbitrary files and to upload stolen personal information. Win32/Helompy: Available as a priority update through Windows Update or Microsoft Update.Available as a priority update through Windows Update or Microsoft Update. Is offered through WSUS 3.0 or as a download at: offered through WSUS 3.0 or as a download at:

Dial In Number PIN: 1056 Resources Blogs Microsoft Security Response Center (MSRC) blog: Security Response Center (MSRC) blog: Security Research & Defense blog: Research & Defense blog: Microsoft Malware Protection Center Blog: Malware Protection Center Blog: Twitter Security Centers Microsoft Security Home Page: Security Home Page: TechNet Security Center: Security Center: MSDN Security Developer Center: Security Developer Center: Bulletins, Advisories, Notifications & Newsletters Security Bulletins Summary: mspxSecurity Bulletins Summary: mspx mspx mspx Security Bulletins Search: Bulletins Search: Security Advisories: Advisories: Microsoft Technical Security Notifications: Technical Security Notifications: Microsoft Security Newsletter: Security Newsletter: Other Resources Update Management Process chmanagement/secmod193.mspxUpdate Management Process chmanagement/secmod193.mspx chmanagement/secmod193.mspx chmanagement/secmod193.mspx Microsoft Active Protection Program Partners: mspxMicrosoft Active Protection Program Partners: mspx mspx mspx

Dial In Number PIN: 1056 Questions and Answers Submit text questions using the “Ask” button.Submit text questions using the “Ask” button. Don’t forget to fill out the survey.Don’t forget to fill out the survey. A recording of this webcast will be available within 48 hours on the MSRC Blog: recording of this webcast will be available within 48 hours on the MSRC Blog: Register for next month’s webcast at: for next month’s webcast at:

Dial In Number PIN: 1056