Dial In Number Pin: 0336 Information About Microsoft February 2012 Security Bulletins Jonathan Ness Security Development Manager Microsoft Corporation Pete Voss Sr. Response Communications Manager Microsoft Corporation
Dial In Number Pin: 0336 Live Video Stream To receive our video stream in LiveMeeting:To receive our video stream in LiveMeeting: –Click on Voice & Video –Click the drop down next to the camera icon –Select Show Main Video
Dial In Number Pin: 0336 What We Will Cover Review of February 2012 Bulletin release information:Review of February 2012 Bulletin release information: –New Security Bulletins –Microsoft ® Windows ® Malicious Software Removal Tool –Information About Microsoft Windows Vista ResourcesResources Questions and Answers: Please Submit NowQuestions and Answers: Please Submit Now
Dial In Number Pin: 0336 Severity and Exploitability Index Exploitability Index 1 RISK 2 3 DP Severity Critical IMPACT Important Moderate Low MS12-008MS12-009MS12-010MS12-011MS12-012MS12-013MS12-014MS12-015MS Windows Internet Explorer Windows.NET & Silverlight Windows Windows Windows Office Office
Dial In Number Pin: 0336 Bulletin Deployment Priority
Dial In Number Pin: 0336 MS12-008: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Critical22 Remote Code Execution Publicly Disclosed CVE Important11 Elevation of Privilege Cooperatively Disclosed Affected Products All supported versions of Windows and Windows Server (except those installed using Server Core) Windows Server 2008 x64 and Windows Server 2008 R2 when installed using Server Core Affected Components Kernel Mode Drivers Deployment Priority 2 Main Target Workstations and Servers Possible Attack Vectors CVE :CVE : Web-based: An attacker could host a specially crafted website that is designed to exploit this vulnerability.Web-based: An attacker could host a specially crafted website that is designed to exploit this vulnerability. based: an attacker could exploit the vulnerability by sending a specially crafted message to the user and convincing the user to preview or open the . based: an attacker could exploit the vulnerability by sending a specially crafted message to the user and convincing the user to preview or open the . Local: An attacker could also exploit this vulnerability by running a specially crafted application.Local: An attacker could also exploit this vulnerability by running a specially crafted application. CVE : To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability.CVE : To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability. Impact of Attack An attacker could run arbitrary code in kernel mode and take complete control of an affected system.An attacker could run arbitrary code in kernel mode and take complete control of an affected system. Mitigating Factors An attacker would have no way to force a user to visit a malicious website. (CVE )An attacker would have no way to force a user to visit a malicious website. (CVE ) An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. (CVE ) (CVE for a local attack only)An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. (CVE ) (CVE for a local attack only) Additional Information Installations using Server Core are affected, excluding Server 2008 and Server 2008 R2 as noted above.Installations using Server Core are affected, excluding Server 2008 and Server 2008 R2 as noted above.
Dial In Number Pin: 0336 MS12-009: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important13 Elevation of Privilege Cooperatively Disclosed CVE ImportantNA1 Elevation of Privilege Cooperatively Disclosed Affected Products Windows XP x64, Windows Server 2003 (32bit, X64, Itanium), Vista x64, Windows Server 2008 (x64 and Itanium), Windows 7 x64, Windows Server 2008 R2 (x64 and Itanium) Affected Components Ancillary Function Driver Deployment Priority 3 Main Target Workstations Possible Attack Vectors An attacker who is able to log onto the targeted system could then run a specially crafted application that could exploit the vulnerability.An attacker who is able to log onto the targeted system could then run a specially crafted application that could exploit the vulnerability. Impact of Attack An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system.An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system. Mitigating Factors An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. For CVE , this vulnerability is not exploitable on 32-bit editions of Microsoft Windows.For CVE , this vulnerability is not exploitable on 32-bit editions of Microsoft Windows. Additional Information Installations using Server Core are affected.Installations using Server Core are affected. CVE only affects versions of Windows Server 2003.CVE only affects versions of Windows Server 2003.
Dial In Number Pin: 0336 MS12-010: Cumulative Security Update For Internet Explorer ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Moderate Information Disclosure Cooperatively Disclosed CVE Critical11 Remote Code Execution Cooperatively Disclosed CVE Important3NA Information Disclosure Cooperatively Disclosed CVE Critical1NA Remote Code Execution Cooperatively Disclosed Affected Products Internet Explorer 6, 7, 8, 9 on all supported versions of Windows (except IE 6 on Windows XP) Internet Explorer 7, 8, 9 on all supported versions of Windows Server; IE 6 on Windows XP (Pro, x64) IE 6 on Windows Server 2003 (Standard, x64, Itanium) Affected Components Internet Explorer Deployment Priority 1 Main Target Workstations Possible Attack Vectors Copy and Paste: An attacker could convince a user to perform a copy operation on some content displayed on this website, and then convince the user to paste this content into a target website. (CVE )Copy and Paste: An attacker could convince a user to perform a copy operation on some content displayed on this website, and then convince the user to paste this content into a target website. (CVE ) Browse and Own: An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (CVE , CVE )Browse and Own: An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (CVE , CVE ) Information Disclosure: An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (CVE )Information Disclosure: An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (CVE ) Impact of Attack An attacker successfully exploiting this issue could view content from another domain or Internet Explorer zone. (CVE )An attacker successfully exploiting this issue could view content from another domain or Internet Explorer zone. (CVE ) An attacker successfully exploiting this issue could gain the same user rights as a logged-on user. (CVE , CVE )An attacker successfully exploiting this issue could gain the same user rights as a logged-on user. (CVE , CVE ) An attacker successfully exploiting this issue could view content from the Internet Explorer process memory. (CVE )An attacker successfully exploiting this issue could view content from the Internet Explorer process memory. (CVE ) Mitigating Factors By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML messages in the Restricted sites zone.By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML messages in the Restricted sites zone. By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.Enhanced Security ConfigurationEnhanced Security Configuration Additional Information Installations using Server Core are not affected.Installations using Server Core are not affected.
Dial In Number Pin: 0336 MS12-011: Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important1NA Elevation of Privilege Cooperatively Disclosed CVE Important1NA Elevation of Privilege Cooperatively Disclosed CVE Important1NA Elevation of Privilege Cooperatively Disclosed Affected Products Office SharePoint Server 2010, Office SharePoint Foundation 2010 Affected Components SharePoint Server Deployment Priority 3 Main Target Workstations connected to SharePoint Servers. Possible Attack Vectors based: An attacker could exploit the vulnerability by sending an message containing the specially crafted URL to the user of the targeted SharePoint site and by convincing the user to click on the specially crafted URL. based: An attacker could exploit the vulnerability by sending an message containing the specially crafted URL to the user of the targeted SharePoint site and by convincing the user to click on the specially crafted URL. Web based: An attacker would have to host a Web site that contains a specially crafted URL to the targeted SharePoint site that is used to attempt to exploit this vulnerability.Web based: An attacker would have to host a Web site that contains a specially crafted URL to the targeted SharePoint site that is used to attempt to exploit this vulnerability. Impact of Attack An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read or use the victim's identity to take actions on the SharePoint site on behalf of the victim.An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read or use the victim's identity to take actions on the SharePoint site on behalf of the victim. Mitigating Factors Internet Explorer 8 and Internet Explorer 9 users browsing to a SharePoint site in the Internet Zone are at a reduced risk because, by default, the XSS Filter in Internet Explorer 8 and Internet Explorer 9 prevents this attack in the Internet Zone.Internet Explorer 8 and Internet Explorer 9 users browsing to a SharePoint site in the Internet Zone are at a reduced risk because, by default, the XSS Filter in Internet Explorer 8 and Internet Explorer 9 prevents this attack in the Internet Zone. the attacker would not be able to steal the logged-on user's authentication credentials due to the way that SharePoint Server handles the HttpOnly authentication cookie.the attacker would not be able to steal the logged-on user's authentication credentials due to the way that SharePoint Server handles the HttpOnly authentication cookie. Additional Information This update includes a defense-in-depth update to help improve Microsoft SharePoint's handling of web services access controls.This update includes a defense-in-depth update to help improve Microsoft SharePoint's handling of web services access controls.
Dial In Number Pin: 0336 MS12-012: Vulnerability in Color Control Panel Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important11 Remote Code Execution Publicly Disclosed Affected Products All supported versions of Windows Server 2008 and Windows Server 2008 R2 Affected Components Color Control Panel Deployment Priority 2 Main Target Servers Possible Attack Vectors An attacker could exploit the vulnerability by sending a legitimate file to a user (such as a.icm or.icc file), and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file.An attacker could exploit the vulnerability by sending a legitimate file to a user (such as a.icm or.icc file), and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file. An attacker could place a legitimate file (such as a.icm or.icc file) and a specially crafted DLL file in a network share, a UNC, or WebDAV location and then convince the user to open the file.An attacker could place a legitimate file (such as a.icm or.icc file) and a specially crafted DLL file in a network share, a UNC, or WebDAV location and then convince the user to open the file. Impact of Attack An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. Mitigating Factors The file sharing protocol, Server Message Block (SMB), is often disabled on the perimeter firewall.The file sharing protocol, Server Message Block (SMB), is often disabled on the perimeter firewall. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as a.icm or.icc file).For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as a.icm or.icc file). Additional Information Installations using Server Core are not affected.Installations using Server Core are not affected. This vulnerability is related to the class of vulnerabilities, described in Microsoft Security Advisory This vulnerability is related to the class of vulnerabilities, described in Microsoft Security Advisory Microsoft Security Advisory Microsoft Security Advisory
Dial In Number Pin: 0336 MS12-013: Vulnerability in C Run-Time Library Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Critical11 Remote Code Execution Cooperatively Disclosed Affected Products All supported versions of Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 Affected Components C Run-Time Library Deployment Priority 1 Main Target Workstations and Servers Possible Attack Vectors -based: An unauthenticated attacker could exploit the vulnerability by sending a user an message containing a specially crafted media file and convincing the user to open the media file. -based: An unauthenticated attacker could exploit the vulnerability by sending a user an message containing a specially crafted media file and convincing the user to open the media file. Web-based attack scenario, an attacker would have to host a website that contains a specially crafted media file.Web-based attack scenario, an attacker would have to host a website that contains a specially crafted media file. Impact of Attack An unauthenticated attacker could take complete control of the affected system.An unauthenticated attacker could take complete control of the affected system. Mitigating Factors An attacker would have no way to force users to visit a malicious website.An attacker would have no way to force users to visit a malicious website. Additional Information Installations using Server Core are affected.Installations using Server Core are affected.
Dial In Number Pin: 0336 MS12-014: Vulnerability in Indeo Codec Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE ImportantNA1 Remote Code Execution Publicly Disclosed Affected Products Windows XP Affected Components Indeo Codec Deployment Priority 2 Main Target Workstations Possible Attack Vectors -based: An attacker could exploit the vulnerability by sending a legitimate file to a user (such as an.avi file), and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file. -based: An attacker could exploit the vulnerability by sending a legitimate file to a user (such as an.avi file), and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file. Network-based: An attacker could place a legitimate file (such as an.avi file) and a specially crafted DLL file in a network share, a UNC, or WebDAV location and then convince the user to open the file.Network-based: An attacker could place a legitimate file (such as an.avi file) and a specially crafted DLL file in a network share, a UNC, or WebDAV location and then convince the user to open the file. Impact of Attack An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. Mitigating Factors The file sharing protocol, Server Message Block (SMB), is often disabled on the perimeter firewall.The file sharing protocol, Server Message Block (SMB), is often disabled on the perimeter firewall. A user must visit an untrusted remote file system location or WebDAV share and open a media file.A user must visit an untrusted remote file system location or WebDAV share and open a media file. Additional Information The Indeo Codec Insecure Library Loading Vulnerability (CVE ) addressed by this update is related to the class of vulnerabilities described in Microsoft Security Advisory The Indeo Codec Insecure Library Loading Vulnerability (CVE ) addressed by this update is related to the class of vulnerabilities described in Microsoft Security Advisory Microsoft Security Advisory Microsoft Security Advisory
Dial In Number Pin: 0336 MS12-015: Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Important1NA Remote Code Execution Cooperatively Disclosed CVE Important1NA Remote Code Execution Cooperatively Disclosed CVE Important3NA Remote Code Execution Cooperatively Disclosed CVE Important3NA Remote Code Execution Cooperatively Disclosed CVE Important3NA Remote Code Execution Cooperatively Disclosed Affected Products Visio Viewer 2010 Affected Components Visio Viewer Deployment Priority 2 Main Target Workstations Possible Attack Vectors -based: An attacker could exploit the vulnerability by sending a specially crafted Visio file to the user and by convincing the user to open the file. -based: An attacker could exploit the vulnerability by sending a specially crafted Visio file to the user and by convincing the user to open the file. Web-based: An attacker would have to host a website that contains a specially crafted Visio file that is used to attempt to exploit this vulnerability.Web-based: An attacker would have to host a website that contains a specially crafted Visio file that is used to attempt to exploit this vulnerability. Impact of Attack An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. Mitigating Factors By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML messages in the Restricted sites zone.By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML messages in the Restricted sites zone. By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode known as Enhanced Security Configuration.By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode known as Enhanced Security Configuration.Enhanced Security ConfigurationEnhanced Security Configuration
Dial In Number Pin: 0336 MS12-016: Vulnerabilities in.NET Framework and Microsoft Silverlight Could Allow Remote Code Execution ( ) CVESeverity Exploitability CommentNote Latest Software Older Versions CVE Critical11 Remote Code Execution Cooperatively Disclosed CVE CriticalNA1 Remote Code Execution Publicly Disclosed Affected Products Silverlight 4 on Windows Clients, Servers, and on Mac; all supported versions of.Net Framework on all supported versions of Windows and Windows Server (except for.Net Framework 1.1 and 3.5) Affected Components.NET Framework and Silverlight Deployment Priority 2 Main Target Workstations, Servers, and Web Hosting sites Possible Attack Vectors An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability and then convince a user to view the website.An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability and then convince a user to view the website. If a web hosting environment allows users to upload custom ASP.NET applications, an attacker could upload a malicious ASP.NET application that uses this vulnerability.If a web hosting environment allows users to upload custom ASP.NET applications, an attacker could upload a malicious ASP.NET application that uses this vulnerability. This vulnerability could also be used by Windows.NET applications to bypass Code Access Security (CAS) restrictions.This vulnerability could also be used by Windows.NET applications to bypass Code Access Security (CAS) restrictions. Impact of Attack Web browsing: An attacker could obtain the same permissions as the currently logged-on user.Web browsing: An attacker could obtain the same permissions as the currently logged-on user. Web hosting: An attacker could obtain the same permissions as the service account associated with the application pool identity of the application pool in which a Microsoft.NET application is running.Web hosting: An attacker could obtain the same permissions as the service account associated with the application pool identity of the application pool in which a Microsoft.NET application is running. Mitigating Factors By default, partial trust ASP.NET applications are not granted SocketPermission.By default, partial trust ASP.NET applications are not granted SocketPermission. An attacker must have permission to upload arbitrary ASP.NET pages to a website and ASP.NET must be installed on that web server.An attacker must have permission to upload arbitrary ASP.NET pages to a website and ASP.NET must be installed on that web server. Additional Information NET Framework 4 and.NET Framework 4 Client Profile affected.NET Framework 4 and.NET Framework 4 Client Profile affected. Installations using Server Core are affected for.Net but not affected for Silverlight.Installations using Server Core are affected for.Net but not affected for Silverlight.
Dial In Number Pin: 0336 Detection & Deployment 1. Except for Silverlight when installed on Mac
Dial In Number Pin: 0336 Other Update Information
Dial In Number Pin: 0336 Windows Malicious Software Removal Tool (MSRT) During this release Microsoft will increase detection capability for the following families in the MSRT:During this release Microsoft will increase detection capability for the following families in the MSRT: – –Win32/Pramro: A prevalent trojan that is often used by attackers to create a proxy to hide the origin of a bigger attack scheme; it also sends spam . Win32/Pramro – –Win32/Fareit: A prevalent trojan that steals password, computer and user credentials, and has been observed dropping rogues and bots.Win32/Fareit Available as a priority update through Windows Update or Microsoft Update.Available as a priority update through Windows Update or Microsoft Update. Is offered through WSUS 3.0 or as a download at: offered through WSUS 3.0 or as a download at:
Dial In Number Pin: 0336 TechNet is changing! Soon: In late February,In late February, will be streamlined for easier usehttp://technet.microsoft.com/en-us/security/bulletin Product and service pack dropdown controls will be merged Affected Software lists will be removed from search results New lifecycle information for the Windows, Windows Server, and IE TechCentersLater: This spring, the Product Search and Search by KB tabs will be merged Customers will be able to search by bulletin, CVE, or KB number Information on all bulletins released since 2000 will be downloadable in spreadsheet form The Date control will be modified to allow specific start / end dates The Severity filter will be removed to simplify searches
Dial In Number Pin: 0336 We support Microsoft Windows Vista We have received inquiries about the date for the end of Mainstream support for some editions of Windows Vista. We can confirm that all editions of Vista will exit Mainstream support in April 2012, entering the Extended support phase. In Extended support, users of currently supported editions of Vista Business, Vista Enterprise, Vista Home and Vista Ultimate will continue to receive security updates for five years. Vista SP1 has been out of support since July 2011 and remains out of support. Halo 2 for Windows Vista is nearing the end of its lifecycle and will be taken out of support on October 9, 2012.
Dial In Number Pin: 0336 Resources Blogs Microsoft Security Response Center (MSRC) blog: Security Response Center (MSRC) blog: Security Research & Defense blog: Research & Defense blog: Microsoft Malware Protection Center Blog: Malware Protection Center Blog: Twitter Security Centers Microsoft Security Home Page: Security Home Page: TechNet Security Center: Security Center: MSDN Security Developer Center: Security Developer Center: Bulletins, Advisories, Notifications & Newsletters Security Bulletins Summary: mspxSecurity Bulletins Summary: mspx mspx mspx Security Bulletins Search: Bulletins Search: Security Advisories: Advisories: Microsoft Technical Security Notifications: Technical Security Notifications: Microsoft Security Newsletter: Security Newsletter: Other Resources Update Management Process chmanagement/secmod193.mspxUpdate Management Process chmanagement/secmod193.mspx chmanagement/secmod193.mspx chmanagement/secmod193.mspx Microsoft Active Protection Program Partners: mspxMicrosoft Active Protection Program Partners: mspx mspx mspx
Dial In Number Pin: 0336 Questions and Answers Submit text questions using the “Ask” button.Submit text questions using the “Ask” button. Don’t forget to fill out the survey.Don’t forget to fill out the survey. A recording of this webcast will be available within 48 hours on the MSRC Blog: recording of this webcast will be available within 48 hours on the MSRC Blog: Register for next month’s webcast at: for next month’s webcast at:
Dial In Number Pin: 0336