Dial In Number Pin: 3959 Information About Microsoft January 2013 Security Bulletins Andrew Gross Senior Security Program Manager Microsoft Corporation Dustin Childs Group Manager, Response Communications Microsoft Corporation
Dial In Number Pin: 3959 Live Video Stream To receive our video stream in LiveMeeting:To receive our video stream in LiveMeeting: –Click on Voice & Video –Click the drop down next to the camera icon –Select Show Main Video
Dial In Number Pin: 3959 What We Will Cover Review of January 2013 Bulletin Release InformationReview of January 2013 Bulletin Release Information –Seven new security bulletins –Two security advisory revisions –Microsoft ® Windows ® Malicious Software Removal Tool ResourcesResources Questions and Answers: Please Submit NowQuestions and Answers: Please Submit Now –Submit Questions via Twitter #MSFTSecWebcast
Dial In Number Pin: 3959 Severity and Exploitability Index Exploitability Index 1 RISK 2 3 DP Severity Critical IMPACT Important Moderate Low MS13-001MS13-002MS13-003MS13-004MS13-005MS13-006MS Windows Print Spooler Kernel Mode Drivers SSL Systems Center Operations Manager.NET Framework Open Data Protocol XML Core Services
Dial In Number Pin: 3959 Bulletin Deployment Priority
Dial In Number Pin: 3959 MS13-001: Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE CriticalNA1 Remote Code Execution Cooperatively Disclosed Affected Products Supported versions of Windows 7 and Windows Server 2008 R2 Affected Components Print Spooler Deployment Priority 2 Main Target Workstations and servers Possible Attack Vectors A remote unauthenticated attacker could exploit the vulnerability by sending a specially crafted print job to the print server.A remote unauthenticated attacker could exploit the vulnerability by sending a specially crafted print job to the print server. Impact of Attack An attacker who successfully exploited this vulnerability could run arbitrary code on a user's system with system privileges.An attacker who successfully exploited this vulnerability could run arbitrary code on a user's system with system privileges. Mitigating Factors Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter.Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Additional Information Installations using Server Core are affected.Installations using Server Core are affected.
Dial In Number Pin: 3959 MS13-002: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Critical11 Remote Code Execution Cooperatively Disclosed CVE Critical11 Remote Code Execution Cooperatively Disclosed Affected Products XML Core Services 4 & 6 on Windows Clients; XML Core Services 3 on XP, Vista x64, Windows 7 x64, Windows 8 x64; XML Core Services 5 on Office 2003 & 2007, Word Viewer, Office Compatibility Pack, Expressio0n Web Service Pack, Expression Web 2, SharePoint Server 2007, and Groove Server Service 2007 XML Core Services 4 & 6 on all supported versions of Windows Server; XML Core Services 3 on all supported versions of Windows Server except the 32-bit versions of Windows Server 2003 and Windows Server 2008 Affected Components XML Core Services Deployment Priority 1 Main Target Workstations Possible Attack Vectors An attacker could exploit the vulnerability by hosting a specially crafted website that is designed to invoke MSXML through Internet Explorer.An attacker could exploit the vulnerability by hosting a specially crafted website that is designed to invoke MSXML through Internet Explorer. Non-Microsoft web applications and services that utilize the MSXML library for parsing XML could also be vulnerable to this attack.Non-Microsoft web applications and services that utilize the MSXML library for parsing XML could also be vulnerable to this attack. Impact of Attack An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Mitigating Factors By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML messages in the Restricted sites zone.By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML messages in the Restricted sites zone. An attacker cannot force a user to visit a malicious website.An attacker cannot force a user to visit a malicious website. Additional Information Installations using Server Core are affected except for Windows Server bit.Installations using Server Core are affected except for Windows Server bit. Depending on which version of Microsoft XML Core Services you have installed on your system, you may be offered more than one security update from this security bulletin.Depending on which version of Microsoft XML Core Services you have installed on your system, you may be offered more than one security update from this security bulletin.
Dial In Number Pin: 3959 MS13-003: Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE ImportantNA1 Elevation of Privilege Cooperatively Disclosed CVE ImportantNA1 Elevation of Privilege Cooperatively Disclosed Affected Products Microsoft System Center Operations Manager 2007, Microsoft System Center Operations Manager 2007 R2 Affected Components Systems Center Operations Manager Deployment Priority 3 Main Target Systems Center Operations Manager Servers Possible Attack Vectors An attacker could exploit this vulnerability by having a user visit an affected website by way of a specially crafted URL. This can be done through any medium that can contain web links that are controlled by the attacker, such as a link in an , a link on a website, or a redirect on a website.An attacker could exploit this vulnerability by having a user visit an affected website by way of a specially crafted URL. This can be done through any medium that can contain web links that are controlled by the attacker, such as a link in an , a link on a website, or a redirect on a website. Impact of Attack An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser.An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser. Mitigating Factors An attacker would have no way to force users to visit a specially crafted website.An attacker would have no way to force users to visit a specially crafted website. Additional Information Microsoft System Center Operations Manager 2007 R2: Only available via the DLC and is cumulative.Microsoft System Center Operations Manager 2007 R2: Only available via the DLC and is cumulative. The update for Microsoft System Center Operations Manager 2007 is not available at this time; see the FAQ in the bulletin for more information.The update for Microsoft System Center Operations Manager 2007 is not available at this time; see the FAQ in the bulletin for more information.
Dial In Number Pin: 3959 MS13-004: Vulnerability in.NET Framework Could Allow Elevation of Privilege ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE ModerateNANA Information Disclosure Cooperatively Disclosed CVE Important11 Elevation of Privilege Cooperatively Disclosed CVE Important11 Elevation of Privilege Cooperatively Disclosed CVE Important11 Elevation of Privilege Cooperatively Disclosed Affected Products.NET Framework 1.1, 2.0, 3.5.1, 4.0, & 4.5 on all supported versions of Microsoft Windows Client and Microsoft Windows Server and 3.5 on Windows 8 and Windows Server 2012 only DiD:.NET Framework 3.0 on all supported versions of Microsoft Windows Client and Microsoft Windows Server Affected Components.NET Framework Deployment Priority 2 Main Target Exchange Server Systems Possible Attack Vector Web based: An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability and then convince a user to view the website.Web based: An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability and then convince a user to view the website..NET applications: This vulnerability could also be used by Windows.NET Framework applications to bypass Code Access Security (CAS) restrictions..NET applications: This vulnerability could also be used by Windows.NET Framework applications to bypass Code Access Security (CAS) restrictions. Impact of Attack An attacker could obtain data that is stored in unmanaged memory locations.An attacker could obtain data that is stored in unmanaged memory locations. An attacker who successfully exploited this vulnerability could take complete control of the affected system.An attacker who successfully exploited this vulnerability could take complete control of the affected system. Mitigating Factors Microsoft has not identified any mitigations to these vulnerabilities.Microsoft has not identified any mitigations to these vulnerabilities. Additional Information.NET Framework 4 and.NET Framework 4 Client Profile affected..NET Framework 4 and.NET Framework 4 Client Profile affected. Windows RT security updates are provided via Windows Update.Windows RT security updates are provided via Windows Update.Windows UpdateWindows Update
Dial In Number Pin: 3959 MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important1NA Elevation of Privilege Cooperatively Disclosed Affected Products All supported versions of Windows Client and Windows Server except for all editions of Windows XP and Windows Server 2003 Affected Components Kernel-Mode Drivers Deployment Priority 2 Main Target Workstations Possible Attack Vectors This vulnerability requires that an attacker convince a user to run a specially crafted application.This vulnerability requires that an attacker convince a user to run a specially crafted application. Impact of Attack An attacker who successfully exploited this vulnerability could run arbitrary code in the context of a higher Integrity Level (IL) process.An attacker who successfully exploited this vulnerability could run arbitrary code in the context of a higher Integrity Level (IL) process. Mitigating Factors An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. Additional Information Installations using Server Core are affected.Installations using Server Core are affected.
Dial In Number Pin: 3959 MS13-006: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE ImportantNANA Security Feature Bypass Cooperatively Disclosed Affected Products All supported versions of Windows Client and Windows Server except for all editions of Windows XP and Windows Server 2003 Affected Components SSL and TLS Deployment Priority 2 Main Target Workstations and servers that send and receive SSL/TLS encrypted traffic Possible Attack Vectors In a man-in-the-middle attack, an attacker could inject malformed traffic into an SSL version 3 or TLS browsing session between Internet Explorer and a third-party server or a third-party client and a Microsoft server, silently downgrading the connection to SSL version 2.In a man-in-the-middle attack, an attacker could inject malformed traffic into an SSL version 3 or TLS browsing session between Internet Explorer and a third-party server or a third-party client and a Microsoft server, silently downgrading the connection to SSL version 2. Impact of Attack Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user. Mitigating Factors Microsoft has not identified any mitigations for this vulnerability.Microsoft has not identified any mitigations for this vulnerability. Additional Information Installations using Server Core are affected.Installations using Server Core are affected.
Dial In Number Pin: 3959 MS13-007: Vulnerability in Open Data Protocol Could Allow Denial of Service ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important33 Denial of Service Cooperatively Disclosed Affected Products.NET Framework 3.5, 3.5.1, 4.0 on all supported versions of Microsoft Windows Client (except Windows RT) and Microsoft Windows Server ; Management OData Extension on Windows 8 and Windows Server 2012 Affected Components Open Data Protocol Deployment Priority 3 Main Target Workstations Possible Attack Vectors An unauthenticated attacker could send a small number of specially crafted HTTP requests to an affected site, causing a denial of service conditionAn unauthenticated attacker could send a small number of specially crafted HTTP requests to an affected site, causing a denial of service condition Impact of Attack An attacker could use this vulnerability to cause a denial of service attack and disrupt the availability of sites that use.NET WCF Services.An attacker could use this vulnerability to cause a denial of service attack and disrupt the availability of sites that use.NET WCF Services. Mitigating Factors Microsoft has not identified any mitigations for this vulnerability.Microsoft has not identified any mitigations for this vulnerability. Additional Information Installations using Server Core are affected.Installations using Server Core are affected.
Dial In Number Pin: 3959 Microsoft Security Advisory ( ): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10Microsoft Security Advisory ( ): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10 –On January 8, 2013, Microsoft revised a security advisory to announce the availability of a new Adobe Flash update. (KB ) Microsoft Security Advisory (973811): Extended Protection for AuthenticationMicrosoft Security Advisory (973811): Extended Protection for Authentication –Microsoft is centralizing recommendations and best practices in KB These are not new recommendations, but are being consolidated into a single KB article. –This revision also includes a Fix it that automatically sets Windows XP and Windows Server 2003 systems to allow NTLMv2 only as recommended. Microsoft Security Advisories
Dial In Number Pin: 3959 Detection & Deployment 1.MBSA does not support detection on Windows 8, Windows RT, and Windows Server Yes, except for Windows Server Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store 4.Updates for this bulletin are only available via the Microsoft Download Center
Dial In Number Pin: 3959 Other Update Information
Dial In Number Pin: 3959 Windows Malicious Software Removal Tool (MSRT) During this release Microsoft will increase/add detection capability for the following families in the MSRT: Win32/Ganelp: A worm that can spread itself from one computer to anotherWin32/Ganelp: A worm that can spread itself from one computer to anotherWin32/Ganelp: Win32/Lefgroo: A worm that spreads by dropping copies of itself to all writeable fixed and removable drives in the systemWin32/Lefgroo: A worm that spreads by dropping copies of itself to all writeable fixed and removable drives in the systemWin32/Lefgroo January MSRT will be distributed to Windows 8, x86 and x64. Available as a priority update through Windows Update or Microsoft Update. Offered through WSUS 3.0 or as a download at:
Dial In Number Pin: 3959 Resources Blogs Microsoft Security Response Center (MSRC) blog: Security Response Center (MSRC) blog: Security Research & Defense blog: Research & Defense blog: Microsoft Malware Protection Center Blog: Malware Protection Center Blog: Twitter Security Centers Microsoft Security Home Page: Security Home Page: TechNet Security Center: Security Center: MSDN Security Developer Center: us/security/default.aspxMSDN Security Developer Center: us/security/default.aspx us/security/default.aspx us/security/default.aspx Bulletins, Advisories, Notifications & Newsletters Security Bulletins Summary: ary.mspxSecurity Bulletins Summary: ary.mspx ary.mspx ary.mspx Security Bulletins Search: Bulletins Search: Security Advisories: Advisories: Microsoft Technical Security Notifications: mspxMicrosoft Technical Security Notifications: mspx mspx mspx Microsoft Security Newsletter: Security Newsletter: Other Resources Update Management Process e/patchmanagement/secmod193.mspxUpdate Management Process e/patchmanagement/secmod193.mspx e/patchmanagement/secmod193.mspx e/patchmanagement/secmod193.mspx Microsoft Active Protection Program Partners: ners.mspxMicrosoft Active Protection Program Partners: ners.mspx ners.mspx ners.mspx
Dial In Number Pin: 3959 Questions and Answers Submit text questions using the “Ask” button.Submit text questions using the “Ask” button. Don’t forget to fill out the survey.Don’t forget to fill out the survey. A recording of this webcast will be available within 48 hours on the MSRC Blog: recording of this webcast will be available within 48 hours on the MSRC Blog: Register for next month’s webcast at: for next month’s webcast at:
Dial In Number Pin: 3959