Microsoft November 2012 Black Tuesday Update – Overview, (Tue, Nov 13th)

SANS Internet Storm Center, Security Alerts, Nov 13, 2012

NOTE: Several of these patches apply to Windows 8 and Windows RT that were just released last month.

Overview of the November 2012 Microsoft patches and their status.

| # | Affected | Contra Indications – KB | Known Exploits | Microsoft rating(**) | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS12-071 | Cumulative Security Update for Internet Explorer (Replaces MS12-063); Internet Explorer 9; CVE-2012-1538, CVE-2012-1539, CVE-2012-4775 | KB 2761451 | no known exploit. | Severity: Critical; Exploitability: 1,1,1 | Critical | Important |
| MS12-072 | Vulnerabilities in Windows Shell Could Allow Remote Code Execution (Replaces ); Remote Code Execution; CVE-2012-1527, CVE-2012-1528 | KB 2727528 | no known exploit. | Severity: Critical; Exploitability: 1,1 | Critical | Critical |
| MS12-073 | Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure (Replaces MS11-004); IIS; CVE-2012-2531, CVE-2012-2532 | KB 2733829 | PoC code may exist. | Severity: Moderate; Exploitability: ?,? | Less urgent | Important |
| MS12-074 | Vulnerabilities in .NET Framework Could Allow Remote Code Execution (Replaces MS11-078 MS11-100 MS12-016 MS12-034); .NET Framework 1.0 SP3, .NET Framework 1.1 SP1, .NET Framework 2.0 SP2, .NET Framework 3.5, .NET Framework 3.5.1, .NET Framework 4, .NET Framework 4.5; CVE-2012-1895, CVE-2012-1896, CVE-2012-2519, CVE-2012-4776, CVE-2012-4777 | KB 2745030 | no known exploit | Severity: Critical; Exploitability: 1,3,1,1,1 | Critical | Critical |
| MS12-075 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (Replaces MS12-055); Windows Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, Windows Server 2008, Windows Server 2012; CVE-2012-2530, CVE-2012-2553, CVE-2012-2897 | KB 2761226 | no known exploit | Severity: Critical; Exploitability: 1,1,2 | Critical | Critical |
| MS12-076 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS12-030 MS12-051); Excel 2003, Excel 2007, Excel 2010, Excel 2008 on Mac; CVE-2012-1885, CVE-2012-1886, CVE-2012-1887, CVE-2012-2543 | KB 2720184 | no known exploit | Severity: Important; Exploitability: 1,1,1,1 | Critical | Important |

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.

Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.

Important: Things where more testing and other measures can help.

Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.

The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.

Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

——

Post suggestions or comments in the section below or send us any questions or comments in the contact form

—————

Jim Clausing, GIAC GSE #26

jclausing –at– isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

MS12-076 – Important : Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2720184) – Version: 1.0

Microsoft Security Bulletins, Nov 13, 2012

Severity Rating: Important
Revision Note: V1.0 (November 13, 2012): Bulletin published.
Summary: This security update resolves four privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file with an affected version of Microsoft Excel. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft May 2012 Black Tuesday Update – Overview, (Tue, May 8th)

SANS Internet Storm Center, Security Alerts, May 8, 2012

Overview of the May 2012 Microsoft patches and their status.

| # | Affected | Contra Indications – KB | Known Exploits | Microsoft rating(**) | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS12-029 | Microsoft Word RTF Import (Replaces MS10-079, MS11-089, MS11-094); Microsoft Word 2003 and 2007; CVE-2012-0183 | KB 2680352 | No publicly known exploits | Severity: Critical; Exploitability: 1 | CRITICAL | N/A |
| MS12-030 | Microsoft Office Remote Code Execution Vulnerabilities (Replaces MS11-072, MS11-089, MS11-094, MS11-096); Microsoft Excel 2003/2007/2010; CVE-2012-0141, CVE-2012-0142, CVE-2012-0143, CVE-2012-0184, CVE-2012-0185, CVE-2012-1847 | KB 2663830 | Yes (CVE-2012-0143) | Severity: Critical; Exploitability: 3,3,1,1,2,1 | CRITICAL | N/A |
| MS12-031 | Visio Viewer 2010 Remote Code Execution Vulnerability (Replaces MS12-015); Microsoft Visio Viewer 2010; CVE-2012-0018 | KB 2597981 | No publicly known exploits | Severity: Important; Exploitability: 1 | CRITICAL | N/A |
| MS12-032 | TCP/IP Elevation of Privilege and Firewall Bypass Vulnerability (Replaces MS11-083); TCP/IP, Windows Firewall; CVE-2012-0174, CVE-2012-0179 | KB 2597981 | No publicly known exploits | Severity: Important; Exploitability: 1 | important | important |
| MS12-033 | Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege; Plug and Play (PnP) Configuration Manager Vulnerability; CVE-2012-0178 | KB 2690533 | Elevation of Privilege | Severity: Important; Exploitability: Likely | Important | Important |
| MS12-034 | Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (Replaces MS11-029, MS12-018); Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight, Microsoft Office; CVE-2011-3402, CVE-2012-0159, CVE-2012-0162, CVE-2012-0164, CVE-2012-0165, CVE-2012-0167, CVE-2012-0176, CVE-2012-0180, CVE-2012-0181, CVE-2012-0184 | KB 2681578 | Yes | Severity: Critical; Exploitability: 1,1,1,1,2,1,1,1,1,1 | CRITICAL | CRITICAL |
| MS12-035 | .Net Framework Remote Code Execution (Replaces MS11-044, MS11-078, MS12-016); .NET Framework; CVE-2012-0160, CVE-2012-0161 | KB 2693777 | No publicly known exploits | Severity: Critical; Exploitability: 1 | CRITICAL | CRITICAL |

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center – https://isc.sans.edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft Excel ‘MergeCells’ Record Heap Overflow Remote Code Execution Vulnerability

Security Alerts, May 7, 2012

Type: Vulnerability. Microsoft Excel is prone to a remote code-execution vulnerability; fixes are available.
