MS Security Bulletin Summary - December 2012
FYI...
- http://technet.microsoft.com/en-us/s...letin/ms12-dec
December 11, 2012 - "This bulletin summary lists security bulletins released for December 2012...
(Total of 7)
Microsoft Security Bulletin MS12-077 - Critical
Cumulative Security Update for Internet Explorer (2761465)
- http://technet.microsoft.com/en-us/s...letin/ms12-077
Critical - Remote Code Execution - Requires restart - Microsoft Windows, Internet Explorer
Microsoft Security Bulletin MS12-078 - Critical
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2783534)
- http://technet.microsoft.com/en-us/s...letin/ms12-078
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-079 - Critical
Vulnerability in Microsoft Word Could Allow Remote Code Execution (2780642)
- http://technet.microsoft.com/en-us/s...letin/ms12-079
Critical - Remote Code Execution - May require restart - Microsoft Office
Microsoft Security Bulletin MS12-080 - Critical
Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2784126)
- http://technet.microsoft.com/en-us/s...letin/ms12-080
Critical - Remote Code Execution - May require restart - Microsoft Server Software
Microsoft Security Bulletin MS12-081 - Critical
Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2758857)
- http://technet.microsoft.com/en-us/s...letin/ms12-081
Critical - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-082 - Important
Vulnerability in DirectPlay Could Allow Remote Code Execution (2770660)
- http://technet.microsoft.com/en-us/s...letin/ms12-082
Important - Remote Code Execution - Requires restart - Microsoft Windows
Microsoft Security Bulletin MS12-083 - Important
Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass (2765809)
- http://technet.microsoft.com/en-us/s...letin/ms12-083
Important - Security Feature Bypass - Requires restart - Microsoft Windows
___
- http://blogs.technet.com/b/msrc/arch...edirected=true
Bulletin Deployment Priority:
- https://blogs.technet.com/cfs-filesy...355.Slide2.PNG
Severity and Exploitability Index:
- https://blogs.technet.com/cfs-filesy...550.Slide1.PNG
- http://blogs.technet.com/b/security/...edirected=true
___
ISC Analysis
- https://isc.sans.edu/diary.html?storyid=14683
Last Updated: 2012-12-12 01:54:45 UTC
___
- https://secunia.com/advisories/51411/ - MS12-077
- https://secunia.com/advisories/51459/ - MS12-078
- https://secunia.com/advisories/51467/ - MS12-079
- https://secunia.com/advisories/51474/ - MS12-080
- https://secunia.com/advisories/51493/ - MS12-081
- https://secunia.com/advisories/51497/ - MS12-082
- https://secunia.com/advisories/51500/ - MS12-083
___
MSRT
- http://support.microsoft.com/?kbid=890830
December 11, 2012 - Revision: 117.0
- http://www.microsoft.com/security/pc...-families.aspx
"... added in this release...
• Phdet ..."
- https://blogs.technet.com/b/mmpc/arc...edirected=true
Download:
- https://www.microsoft.com/download/e...ylang=en&id=16
File Name: Windows-KB890830-V4.15.exe - 16.8 MB
- https://www.microsoft.com/download/e...s.aspx?id=9905
x64 version of MSRT:
File Name: Windows-KB890830-x64-V4.15.exe - 17.4 MB
MS Security Advisory update - 2012.12.11 ...
FYI...
Microsoft Security Advisory (2749655)
Compatibility Issues Affecting Signed Microsoft Binaries
- http://technet.microsoft.com/en-us/s...visory/2749655
V2.0 (December 11, 2012): Added the KB2687627 and KB2687497 updates described in MS12-043, the KB2687501 and KB2687510 updates described in MS12-057, the KB2687508 update described in MS12-059, and the KB2726929 update described in MS12-060* to the list of available rereleases.
* http://technet.microsoft.com/en-us/s...letin/ms12-060
V2.0 (December 11, 2012): Re-released bulletin to replace the KB2687323 update with the KB2726929 update for Windows common controls on all affected variants of Microsoft Office 2003, Microsoft Office 2003 Web Components, and Microsoft SQL Server 2005.
Microsoft Security Advisory (2755801)
Update for Vulnerabilities in Adobe Flash Player in IE 10
- http://technet.microsoft.com/en-us/s...visory/2755801
V5.0 (December 11, 2012): Added KB2785605* to the Current update section.
* http://support.microsoft.com/kb/2785605
Dec 11, 2012 - Revision: 1.0
___
The following bulletins have undergone a major revision increment. Please see the appropriate bulletin for more details.
- http://technet.microsoft.com/security/bulletin/MS12-043
- http://technet.microsoft.com/security/bulletin/MS12-050
V2.1 (December 12, 2012): Clarified that the update for Microsoft SharePoint Services 2.0 is available from the Microsoft Download Center only.
- http://technet.microsoft.com/security/bulletin/MS12-057
- http://technet.microsoft.com/security/bulletin/MS12-059
- http://technet.microsoft.com/security/bulletin/MS12-060
MS12-078 - "Known issues" ...
FYI...
- http://support.microsoft.com/kb/2753842
Last Review: December 14, 2012 - Revision: 2.0
"Known issues with this security update: We are aware of issues related to OpenType Font (OTF) rendering in applications such as PowerPoint on affected versions of Windows that occur after this security update is applied. We are currently investigating these issues and will take appropriate action to address the known issues..."
- http://h-online.com/-1771419
18 Dec 2012 - "... this patch seems to prevent the correct display of PostScript Type 1 fonts and OpenType fonts. They disappear completely in a variety of applications – CorelDraw, QuarkExpress and PowerPoint – and currently the only way to make them visible again is to remove the patch..."
IE 0-day attack in-the-wild...
FYI...
- https://krebsonsecurity.com/2012/12/...zero-day-flaw/
Dec 28th, 2012 - "Attackers are breaking into Microsoft Windows computers using a newly discovered vulnerability in Internet Explorer, security experts warn. While the flaw appears to have been used mainly in targeted attacks so far, this vulnerability could become more widely exploited if incorporated into commercial crimeware kits sold in the underground. In a blog posting* Friday evening, Milpitas, Calif. based security vendor FireEye said it found that the Web site for the Council on Foreign Relations was compromised and rigged to exploit a previously undocumented flaw in IE8 to install malicious software on vulnerable PCs used to browse the site. According to FireEye, the attack uses Adobe Flash to exploit a vulnerability in the latest (fully-patched) version of IE8..."
* http://blog.fireeye.com/research/201...k-details.html
2012.12.28 - "... we received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on or around 2:00 PM EST on Wednesday, December 26. Through our Malware Protection Cloud, we can confirm that the website was compromised at that time, but we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21... We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability. We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time... the JavaScript proceeded to load a flash file today.swf, which ultimately triggered a heap spray in Internet Explorer in order to complete the compromise of the endpoint..."
Update: "... We have seen multiple variations of this attack, as it looks like the attackers changed tactics multiple times during this campaign... Here is the decrypted payload.
- https://www.virustotal.com/file/af57...80b9/analysis/
File name: base
Detection ratio: 21/45
Analysis date: 2012-12-31
- https://krebsonsecurity.com/2012/12/...flaw/#comments
Dec 29, 2012 - "... worth noting that IE9 is not supported on Windows XP, so this vulnerability is probably most dangerous for XP users who browse with IE."
___
- https://secunia.com/advisories/51695/
Release Date: 2012-12-30
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: IE 6.x, 7.x, 8.x
... currently being actively exploited in targeted attacks.
Original Advisory: http://technet.microsoft.com/en-us/s...visory/2794220
- http://h-online.com/-1775071
30 Dec 2012
- http://www.kb.cert.org/vuls/id/154201
29 Dec 2012
___
MS Security Advisory (2794220)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://technet.microsoft.com/en-us/s...visory/2794220
Dec 29, 2012 - "Microsoft is investigating public reports of a vulnerability in IE6, IE7, and IE8. Internet Explorer 9 and Internet Explorer 10 are -not- affected by the vulnerability. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8. The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs..."
CVE Reference:
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-4792
"... exploited in the wild in December 2012."
- https://blogs.technet.com/b/msrc/arc...edirected=true
Dec 29, 2012 - "... we are actively working to develop a security update to address this issue..."
- https://blogs.technet.com/b/srd/arch...edirected=true
29 Dec 2012 - "... We’re also working on an appcompat shim-based Fix It protection tool that can be used to protect systems until the comprehensive update is available. The shim does not address the vulnerability but does prevent the vulnerability from being exploited for code execution... we’re working around the clock on the full security update. You should next expect to see an update from us announcing the availability of a Fix It tool to block the vulnerable code paths..."
Targeted 0-day attack - IE 6, 7, and 8
FYI...
- https://isc.sans.edu/diary.html?storyid=14776
Last Updated: 2012-12-30 22:06:53 UTC... Version: 2 - "... Update:
There is now a Metasploit module (ie_cdwnbindinfo_uaf) that emulates this attack, meaning this will move in to mainstream exploitation rapidly, thus mitigation steps should be taken so soon as possible. Home users running XP should be looking to use another browser as their primary method of browsing the web, and corporate security staff should review Microsoft’s recommendations to build a layered defence to protect staff..."
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-4792 - 9.3 (HIGH)
Last revised: 12/31/2012 - "Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8... exploited in the wild in December 2012..."
- https://secunia.com/advisories/51695/
Release Date: 2012-12-30
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: IE 6.x, 7.x, 8.x
... currently being actively exploited in targeted attacks.
Original Advisory: http://technet.microsoft.com/en-us/s...visory/2794220
MS FixIt released for IE 0-day...
FYI...
MS Security Advisory (2794220)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
- http://technet.microsoft.com/en-us/s...visory/2794220
V1.1 (December 31, 2012): Added link to Microsoft Fix it* solution, "MSHTML Shim Workaround," that prevents exploitation of this issue.
* http://support.microsoft.com/kb/2794220#FixItForMe
Last Review: Dec 31, 2012 - Rev 1.0
Applies to: IE8, IE7, IE6...
- https://blogs.technet.com/b/srd/arch...edirected=true
31 Dec 2012
- https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-4792 - 9.3 (HIGH)
___
- https://windowssecrets.com/windows-s...r-to-remember/
Jan 2, 2013
> http://www.microsoft.com/security/pc...ns/201212.aspx
>> http://forums.spybot.info/showpost.p...3&postcount=51
7 Jan 2013
MS Security Advisory 2798897 - Fraudulent Digital Certificates...
FYI...
MS Security Advisory (2798897)
Fraudulent Digital Certificates Could Allow Spoofing
- http://technet.microsoft.com/en-us/s...visory/2798897
Jan 03, 2013 - "Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows. TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. To help protect customers from the fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) and is providing an update for all supported releases of Microsoft Windows that removes the trust of certificates that are causing this issue... see Microsoft Knowledge Base Article 2677070 for details..."
* http://support.microsoft.com/kb/2677070
___
- http://h-online.com/-1777291
4 Jan 2013 - "... Mozilla will be adding the two SubCA certificates to its certificate blacklist during its next update, which is due on 8 January... Chrome has also been updated and no longer trusts the SubCA certificates; the company says that when it updates Chrome later in the month it will no longer show Extended Validation status for TURKTRUST issued certificates."
IE FixIt negated with bypass
FYI...
- http://www.securitytracker.com/id/1027930
CVE Reference: https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-4792 - 9.3 (HIGH)
Updated: Jan 4 2013
Original Entry Date: Dec 30 2012
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Version(s): IE6,7,8
... the vendor has provided the Microsoft Fix it solution, "MSHTML Shim Workaround"... the Microsoft Fix it solution can be bypassed using a variation of the original exploit http://blog.exodusintel.com/2013/01/...cve-2012-4792/
The vendor's advisory is available at:
http://technet.microsoft.com/en-us/s...visory/2794220
Mitigation: Use an alternative browser until a full patch is released for this issue.