- Threat Outbreak Alert: Malicious Personal Pictures Attachment E-mail Messages on July 18, 2012
- Threat Outbreak Alert: Fake Hotel Reservation Confirmation Details E-mail Messages on July 18, 2012
- Threat Outbreak Alert: Fake German Account Statement Notification E-mail Messages on July 18, 2012
- Threat Outbreak Alert: Fake UPS Payment Document Attachment E-mail Messages on July 18, 2012
- Threat Outbreak Alert: Fake Xerox Scan Attachment E-mail Messages on July 18, 2012
- MS12-044 – Critical : Cumulative Security Update for Internet Explorer (2719177) – Version: 1.1
Severity Rating: Critical
Revision Note: V1.1 (July 18, 2012): Removed erroneous update FAQ pertaining to the applicability for this update on systems running Windows 8 Release Preview and Windows Server 2012 Release Candidate. Windows 8 Release Preview and Windows Server 2012 Release Candidate are not affected by the vulnerabilities described in this bulletin.
Summary: This security update resolves two privately reported vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- MS12-036 – Critical : Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939) – Version: 1.2
Severity Rating: Critical
Revision Note: V1.2 (July 10, 2012): Removed MS11-065 as a bulletin replaced by the KB2685939 update for Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2, and Windows Server 2003 with SP2 for Itanium-based Systems. This is an informational change only. There were no changes to the detection logic or the update files.
Summary: This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
- MS12-051 – Important : Vulnerability in Microsoft Office for Mac Could Allow Elevation of Privilege (2721015) – Version: 1.0
Severity Rating: Important
Revision Note: V1.0 (July 10, 2012): Bulletin published.
Summary: This security update resolves one publicly disclosed vulnerability in Microsoft Office for Mac. The vulnerability could allow elevation of privilege if a malicious executable is placed on an affected system by an attacker, and then another user logs on later and runs the malicious executable. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
- MS11-044 – Critical : Vulnerability in .NET Framework Could Allow Remote Code Execution (2538814) – Version: 1.3
Severity Rating: Critical
Revision Note: V1.3 (July 10, 2012): Microsoft revised this bulletin to communicate a minor detection change for KB2518864 for Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 to correct an offering issue. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a publicly disclosed vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
- MS12-016 – Critical : Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026) – Version: 1.3
Severity Rating: Critical
Revision Note: V1.3 (July 10, 2012): Microsoft revised this bulletin to communicate a minor detection change for KB2633880 for Microsoft .NET Framework 2.0 Service Pack 2 to correct an offering issue. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted web page using a web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- TA12-192A: Microsoft Updates for Multiple Vulnerabilities
Original release date: July 10, 2012 | Last revised: —
Systems Affected
- Microsoft Windows
- Microsoft Internet Explorer
- Microsoft Office
- Microsoft Developer Tools
- Microsoft Server Software
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for July 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for July 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
- Microsoft Security Bulletin Summary for July 2012
- Microsoft Windows Server Update Services
- Microsoft Update
- Microsoft Update Overview
- Turn Automatic Updating On or Off
Revision History
- July 10, 2012: Initial release
This product is provided subject to this Notification and this Privacy & Use policy.
- TA12-174A: Microsoft XML Core Services Attack Activity
Original release date: June 22, 2012 | Last revised: —
Systems Affected
Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 are affected. Microsoft Internet Explorer, Microsoft Office 2003, and Microsoft Office 2007 are affected due to their use of XML Core Services.
Overview
Microsoft Security Advisory (2719615) warns of active attacks using a vulnerability in Microsoft XML Core Services. Microsoft Internet Explorer and Microsoft Office can be used as attack vectors.
Description
Microsoft Security Advisory (2719615), a Google Online Security blog post, Sophos, and other sources report active attacks exploiting a vulnerability in Microsoft XML Core Services (CVE-2012-1889). Attack scenarios involve exploits served by compromised web sites and delivered in Office documents. Reliable public exploit code is available, and attacks may become more widespread.
Impact
By convincing a victim to view a specially crafted web page or Office document, an attacker could execute arbitrary code and take any action as the victim.
Solution
As of June 22, 2012, a comprehensive update is not available. Consider the following workarounds.
Apply Fix it
Apply the Fix it solution described in Microsoft Knowledge Base Article 2719615. This solution uses the Application Compatibility Database feature to make runtime modifications to XML Core Services to patch the vulnerability.
Disable scripting
Configure Internet Explorer to disable Active Scripting in the Internet and Local intranet zones as described in Microsoft Security Advisory (2719615). See also Securing Your Web Browser.
Use the Enhanced Mitigation Experience Toolkit (EMET)
EMET is a utility to configure Windows runtime mitigation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP). These features, particularly the combination of system-wide DEP and ASLR, make it more difficult for an attacker to successfully exploit a vulnerability. Configure EMET for Internet Explorer as described in Microsoft Security Advisory (2719615).
References
- Microsoft Security Advisory (2719615)
- Microsoft Security Advisory: Vulnerability in Microsoft XML Core Services could allow remote code execution
- NVD Vulnerability Summary for CVE-2012-1889
- Microsoft XML vulnerability under active exploitation
- European aeronautical supplier's website infected with "state-sponsored" zero-day exploit
- Securing Your Web Browser
- Application Compatibility Database
Revision History
- June 22, 2012: Initial release
- TA12-164A: Microsoft Updates for Multiple Vulnerabilities
Original release date: June 12, 2012 | Last revised: —
Systems Affected
- Microsoft Windows
- Microsoft Internet Explorer
- Microsoft .NET Framework
- Microsoft Office
- Microsoft Visual Basic for Applications
- Microsoft Dynamics AX
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for June 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities. Additional details for MS12-042 can be found in US-CERT vulnerability note VU#649219.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for June 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
- Microsoft Security Bulletin Summary for June 2012 – <http://technet.microsoft.com/en-us/security/bulletin/ms12-jun>
- US-CERT Vulnerability Note VU#649219 – <http://www.kb.cert.org/vuls/id/649219>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
Revision History
- June 12, 2012: Initial release
- TA12-156A: Microsoft Windows Unauthorized Digital Certificates
Original release date: June 04, 2012 | Last revised: —
Systems Affected
All supported versions of Microsoft Windows, including:
- Windows XP and Server 2003
- Windows Vista and Server 2008
- Windows 7 and Server 2008 R2
- Windows 8 Consumer Preview
- Windows Mobile and Phone
Overview
X.509 digital certificates published by the Microsoft Terminal Services licensing certificate authority (CA) can be illegitimately used to sign code. This problem was discovered in the Flame malware. Microsoft has released updates to revoke trust in the affected certificates.
Description
Microsoft Security Advisory (2718704) warns of active attacks using illegitimate certificates published by the Microsoft Terminal Services licensing certificate authority (CA). There appear to be problems with some combination of weak cryptography and certificate usage configuration. From an MSRC blog post:
We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.
From another MSRC blog post:
What we found is that certificates published by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate published by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.
The following details about the affected certificates were provided in Microsoft Security Advisory (2718704):
Certificate: Microsoft Enforced Licensing Intermediate PCA
Issued by: Microsoft Root Authority
Thumbprint: 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
Certificate: Microsoft Enforced Licensing Intermediate PCA
Issued by: Microsoft Root Authority
Thumbprint: 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
Certificate: Microsoft Enforced Licensing Registration Authority CA (SHA1)
Issued by: Microsoft Root Certificate Authority
Thumbprint: fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97
Impact
An attacker could obtain a certificate that could be used to illegitimately sign code as Microsoft. The signed code could then be used in a variety of attacks in which the code would appear to be trusted by Windows.
An attacker could offer software that appeared to be signed by a valid and trusted Microsoft certificate chain. As noted in an MSRC blog post, "…some components of the [Flame] malware have been signed by certificates that allow software to appear as if it was produced by Microsoft."
Solution
It is important to act quickly to revoke trust in the affected certificates. Any certificates published by the Microsoft Terminal Services licensing certificate authority (CA) could be used for illegitimate purposes and should not be trusted.
Apply updates
Apply the appropriate versions of KB2718704 to add the affected certificates to the Untrusted Certificate Store. Updates will reach most users via automatic updates and Windows Server Update Services (WSUS).
Revoke trust in affected certificates
Manually add the affected certificates to the Untrusted Certificate Store. The Certificates MMC snap-in and Certutil command can be used on Windows systems.
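To confirm that the revocation took effect on a given host, the following read-only PowerShell check (an added example, not part of the US-CERT advisory or of Microsoft's tooling) looks for the three thumbprints listed above in the machine-wide Untrusted Certificates store and reports any copy still sitting in a store that extends trust. It assumes PowerShell 3.0 or later; the variable names and the choice of trust stores to scan are this example's own.

```powershell
# Thumbprints exactly as listed in Microsoft Security Advisory (2718704) above,
# normalized to the form the Cert: provider reports (upper-case hex, no spaces).
$affected = @(
    '2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70',
    '3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08',
    'fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97'
) | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

# Thumbprints currently in the machine-wide Untrusted Certificates store.
$disallowed = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Select-Object -ExpandProperty Thumbprint)

# Stores in which a leftover copy would still be treated as a trusted CA
# (the selection of stores is an assumption of this example).
$trustStores = 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root',
               'Cert:\CurrentUser\CA',  'Cert:\CurrentUser\Root'

$report = foreach ($tp in $affected) {
    $foundIn = foreach ($store in $trustStores) {
        if (Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $tp }) {
            $store
        }
    }
    [pscustomobject]@{
        Thumbprint   = $tp
        InDisallowed = $disallowed -contains $tp
        AlsoFoundIn  = ($foundIn -join ', ')
    }
}

$report | Format-Table -AutoSize

# Flag hosts where the update or the manual step has not been applied.
$missing = @($report | Where-Object { -not $_.InDisallowed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} affected certificate(s) are not in the Untrusted Certificate Store." -f $missing.Count)
}
```

A host that received KB2718704 should show `InDisallowed` as `True` for all three rows; an entry in `AlsoFoundIn` is informational, since the Untrusted store takes precedence during chain validation.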
References
- US-CERT Current Activity: Unauthorized Microsoft Digital Certificates – <https://www.us-cert.gov/current/#microsoft_unauthorized_digital_certificates>
- Microsoft Security Advisory (2718704) – <https://technet.microsoft.com/en-us/security/advisory/2718704>
- Unauthorized digital certificates could allow spoofing – <http://support.microsoft.com/kb/2718704>
- Microsoft certification authority signing certificates added to the Untrusted Certificate Store – <https://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx?Redirected=true>
- Microsoft releases Security Advisory 2718704 – <https://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx>
- Windows Server Update Services – <http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx>
- Certutil – <http://technet.microsoft.com/en-us/library/cc732443%28v=ws.10%29.aspx>
- How to: View Certificates with the MMC Snap-in – <http://msdn.microsoft.com/en-us/library/ms788967.aspx>
Revision History
- June 04, 2012: Initial release
- TA12-129A: Microsoft Updates for Multiple Vulnerabilities
Original release date: May 08, 2012 | Last revised: —
Systems Affected
- Microsoft Windows
- Microsoft .NET Framework
- Microsoft Office
- Microsoft Silverlight
Overview
Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.
Description
The Microsoft Security Bulletin Summary for May 2012 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address the vulnerabilities.
Impact
A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.
Solution
Apply updates
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for May 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.
References
- Microsoft Security Bulletin Summary for May 2012 – <http://technet.microsoft.com/en-us/security/bulletin/ms12-may>
- Microsoft Windows Server Update Services – <http://technet.microsoft.com/en-us/wsus/default.aspx>
- Microsoft Update – <https://www.update.microsoft.com/>
- Microsoft Update Overview – <http://www.microsoft.com/security/updates/mu.aspx>
- Turn Automatic Updating On or Off – <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>
Revision History
- May 08, 2012: Initial release