十二月份资讯安全公告Dec

十二月份資訊安全公告

Dec14,2023RichardChen陳政鋒

(Net+,Sec+,MCSE2023+Security,CISSP)

資深技術增援工程師

台灣微軟技術增援處QuestionsandAnswersSubmittextquestionsusingthe

“AskaQuestion”buttonWhatWeWillCoverRecapNov.releasesknownissuesReviewDec.

releasesOthersecurityresourcesPreparefornewWSUSSCAN.CABarchitectureIE7overAULifecycleInformationWindowsMaliciousSoftwareRemovalToolResourcesQuestionsandanswersRecapNov.KnownissuesandMS06-066NetwareGetofferingevennoCSNWisinstalled:NormalproactivepatchingMS06-067IEpatch3rdpartyAPcompatibilityissue,seeKB922760MS06-069AdobeFlashPlayerRe-offering,installthelatestFlashPlayertosolvetheissueMS06-070WorkstationserviceWormvulnerability,installthepatchimmediatelyMS06-071MSXMLWSUScategory/descriptionerror,fixingnow.MSXML4installfailure,seeKB927978Dec2023SecurityBulletins

SummaryOnDec13:7NewSecurityBulletins5Windows(1critical,4important)1VisualStudio(critical)1MediaPlayer(critical)1re-releaseMS06-059(critical)5High-prioritynon-securityupdatesNovember2023SecurityBulletinsOverviewBulletinNumberTitleMaximumSeverityRatingProductsAffectedMS06-072CumulativeSecurityUpdateforInternetExplorer(925454)CriticalInternetExplorer5.01&6MS06-073VulnerabilityVisualStudio2023CouldAllowRemoteCodeExecution(925674)CriticalVisualStudio2023MS06-074VulnerabilityinSNMPCouldAllowRemoteCodeExecution(926247)ImportantWindows2023,XP,2023MS06-075VulnerabilityinWindowsCouldAllowElevationofPrivilege(926255)ImportantWindowsXP,2023MS06-076CumulativeSecurityUpdateforOutlookExpress(923694)ImportantOutlookExpressonWindows2023,XP,2023MS06-077VulnerabilityinRemoteInstallationServiceCouldAllowRemoteCodeExecution(926121)ImportantWindows2023MS06-078VulnerabilityinWindowsMediaFormatCouldAllowRemoteCodeExecution(923689)CriticalWindowsMediaFormat7.1–9.5andWindowsMediaPlayer6.4onWindows2023,XP,2023December

2023SecurityBulletins

SeveritySummaryBulletinNumberWindows2023SP4WindowsXPSP2WindowsServer2023WindowsServer2023SP1MS06-072CriticalCriticalModerateCriticalWindows2023SP4WindowsXPSP2WindowsServer2023WindowsServer2023SP1MS06-074ImportantImportantImportantImportantMS06-075NotAffectedImportantImportantNotAffectedMS06-077ImportantNotAffectedNotAffectedNotAffectedVisualStudio2023MS06-073CriticalWindowsMediaPlayer6.4Windows2023SP4WindowsXPSP2WindowsServer2023&SP1MS06-078CriticalCriticalCriticalCriticalOutlookExpress5.5OutlookExpress6WindowsVistaMS06-076ImportantImportantNotAffectedMS06-072:InternetExplorer–

CriticalTitle&KBArticle:CumulativeSecurityUpdateforInternetExplorer(925454)AffectedSoftware:IE5.01SP4onWindows2023SP4IE6SP1onWindows2023SP4IE6forWindowsXPSP2IE6forWindowsServer2023RTMandSP1IE6forWindowsServer2023RTMia64andSP1ia64IE6forWindowsServer2023x64IE6forWindowsXPProx64ReplacedUpdates:

MS06-067andallpreviousCumulativeSecurityUpdatesforInternetExplorerVulnerabilities:CVE-2023-5577-TIFFolderInformationDisclosureVulnCVE-2023-5578-TIFFolderInformationDisclosureVulnCVE-2023-5579-ScriptErrorHandlingMemoryCorruptionVulnCVE-2023-5581-DHTMLScriptFunctionMemoryCorruptionVulnPubliclyDisclosed:NoKnownExploits:NoMS06-072:InternetExplorer–

CriticalIssueSummary:Two“RemoteCodeExploit”vulnerabilitiesandtwo“InformationDisclosure”vulnerabilitiesexistinIEthatcouldallowanattackertorunarbitrarycodeFixDescription:ThefixmodifiesthehandlingofDHTMLscriptfunctioncallsandscripterrorexceptions.ItalsorestrictsOBJECTtagsfromexposingsensitivepathstoscriptsandaccesstocachedcontentintheTIFfolderAttackVectors:

MaliciousWebPageMaliciousEmailMitigations:AuserwouldhavetobepersuadedtovisitamaliciousWebsiteExploitationonlyallowstheprivilegeleveloftheloggedonuserBydefault,IEonWindows2023runsinarestrictedmodeOutlookExpress6,Outlook2023,andOutlook2023openHTMLe-mailmessagesintheRestrictedsiteszoneInternetExplorer7isnotaffectedWorkaround:Disable“DragandDroporcopyandpastefiles”DisableActiveScriptingorsetto“Prompt”SetIEsecuritytoHighforInternetandIntranetzonesOpenHTMLe-mailmessagesintheRestrictedsiteszone,applyupdate235309forOutlook2023RestartRequirement:NOInstallationandRemoval:

Add/RemoveProgramsCommandlineuninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-072.mspxMS06-073:WMIObjectBroker-

Critical

Title&KBArticle:VulnerabilityVisualStudio2023CouldAllowRemoteCodeExecution(925674)AffectedSoftware:MicrosoftVisualStudio2023ReplacedUpdates:NONEVulnerabilities:WMIObjectBrokerVulnerability-CVE-2023-4704:AremotecodeexecutionvulnerabilityexistsintheWMIObjectBrokercontrolthattheWMIWizardusesinVisualStudio2023.AnattackercouldexploitthevulnerabilitybyconstructingaspeciallycraftedWebpagethatcouldpotentiallyallowremotecodeexecutionifauserviewedtheWebpage.Anattackerwhosuccessfullyexploitedthisvulnerabilitycouldtakecompletecontrolofanaffectedsystem.PubliclyDisclosed:YesKnownExploits?:Yes.CVE-2023-4704.MS06-073:WMIObjectBroker-

CriticalIssueSummary:Thisupdateresolvesapublicvulnerability.Anattackerwhohassuccessfullyexploitedthisvulnerabilitycouldtakecompletecontrolofanaffectedsystem.Anattackercouldtheninstallprograms;view,change,ordeletedata;orcreatenewaccountswithfulluserrights.Ifauserisloggedonwithadministrativeuserrights,anattackerwhohassuccessfullyexploitedthisvulnerabilitycouldtakecompletecontrolofanaffectedsystem.Userswhoseaccountsareconfiguredtohavefeweruserrightsonthesystemcouldbelessimpactedthanuserswhooperatewithadministrativeuserrights.FixDescription:TheupdateremovesthevulnerabilitybymodifyingthewaythattheWMIObjectBrokerinstantiatesothercontrols.AttackVectors:

MaliciousWebPageEmailswithMaliciousComponentsMS06-073:WMIObjectBroker-

Critical

Mitigations:AuserwouldhavetobepersuadedtovisitamaliciousWebsiteThisActiveXcontrolisnotinthedefaultallow-listforActiveXcontrolsinInternetExplorer7.OnlycustomerswhohaveexplicitlyapprovedthiscontrolbyusingtheActiveXOpt-inFeatureareatrisktoattemptstoexploitthisvulnerability.ExploitationonlyallowsthesameprivilegesastheloggedonuserTheRestrictedsiteszonehelpsreduceattacksthatcouldtrytoexploitthisvulnerabilitybypreventingActiveScripting/ActiveXcontrolsfrombeingusedwhenreadingHTMLe-mail.Thevulnerabilitycouldnotbeexploitedautomaticallythroughe-mail.Foranattacktobesuccessfulausermustopenanattachmentthatissentinane-mailmessageormustclickonalinkwithinane-mail.Bydefault,InternetExploreronWindowsServer2023runsinarestrictedmodethatisknownasEnhancedSecurityConfiguration.Workaround:DisableattemptstoinstantiatetheWMIObjectBrokercontrolwithinInternetExplorer(seeMicrosoftKnowledgeBaseArticle240797.)ConfigureInternetExplorertopromptbeforerunningActiveXControlsordisableActiveXControlsintheInternetandLocalintranetsecurityzoneSetInternetandLocalintranetsecurityzonesettingsto“High”topromptbeforerunningActiveXControlsandActiveScriptinginthesezonesForOutlook2023,installOutlookE-mailSecurityUpdatesothatOutlook2023opensHTMLe-mailmessagesintheRestrictedsiteszone.ForOutlookExpress5.5ServicePack2,installMicrosoftSecurityBulletinMS04-018sothatOutlookExpress5.5opensHTMLe-mailmessagesintheRestrictedsiteszone.MS06-073:WMIObjectBroker-

Critical

RestartRequirement:Thisupdatedoesnotrequirearestartunlesstherequiredservicescannotbestoppedbytheinstaller.InstallationandRemoval:

Add/RemoveProgramsCommandlineinstall/uninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-073.mspxMS06-074:SNMP-ImportantTitle&KBArticle:VulnerabilityinSNMPCouldAllowRemoteCodeExecution(926247)AffectedSoftware:Windows2023SP4WindowsXPSP2WindowsXPProx64WindowsServer2023WindowsServer2023&WindowsServer2023SP1WindowsServer2023ia64&WindowsServer2023SP1ia64WindowsServer2023x64ReplacedUpdates:NoneVulnerabilities:CVE-2023-5583PubliclyDisclosed:NoKnownExploits?:NoMS06-074:SNMP-ImportantIssueSummary:AremotecodeexecutionvulnerabilityexistsinSNMPServicethatcouldallowanattackerwhosuccessfullyexploitedthisvulnerabilitytotakecompletecontroloftheaffectedsystem.FixDescription:TheupdateremovesthevulnerabilitybymodifyingthewaythatSNMPServicevalidatesthelengthofamessagebeforeitpassesthemessagetotheallocatedbuffer.AttackVectors:

MaliciouspackettransmissionoverthenetworkMitigations:

SNMPserviceisnotinstalledbydefault.Forcustomerswhorequiretheaffectedcomponent,firewallbestpracticesandstandarddefaultfirewallconfigurationscanhelpprotectnetworksfromattacksthatoriginateoutsidetheenterpriseperimeter.Workaround:RestricttheIPaddressesthatareallowedtomanagethecomputer.

BlockUDPport161atthefirewall.Tohelpprotectfromnetwork-basedattemptstoexploitthisvulnerability,useapersonalfirewall,suchastheWindowsFirewall,whichisincludedwithWindowsXP.RestartRequirement:YesInstallationandRemoval:Add/RemoveProgramsCommandlineuninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-074.mspxMS06-075:FileManifest-ImportantTitle&KBArticle:VulnerabilityinWindowsCouldAllowElevationofPrivilege(926255)AffectedSoftware:WindowsXPSP2WindowsServer2023•WindowsServer2023ia64ReplacedUpdates:

NoneVulnerabilities:FileManifestCorruptionVulnerability-CVE-2023-5585PubliclyDisclosed:NoKnownExploits?:NoMS06-075:FileManifest-ImportantIssueSummary:AprivilegeelevationvulnerabilityexistsinthewaythatMicrosoftWindowsstartsapplicationswithspeciallycraftedfilemanifests.Thisvulnerabilitycouldallowaloggedonusertotakecompletecontrolofthesystem.FixDescription:TheupdateremovesthevulnerabilitybymodifyingthewaythatClientServerRun-timeSubsystemvalidatesembeddedfilemanifestsbeforeitpassesdatatotheallocatedbuffer.Thissecurityupdatecorrectsanintegeroverflowinsxs.dll.Anyapplicationthatusesside-by-sideassemblieswithRequestedPrivilegessectionmayBSODthemachine.Compctl32.dllandGDIplus.dllaretwoside-by-sideassembliescommonlyusedbyMicrosoft.IntheworstcasealocalauthenticatedusercanrunexecutecodebeforethemachineBSOD;thereforelocalEoP(fromlocaltosystemispossible).AttackVectors:LoggedonuserMitigations:

Anattackermusthavevalidlogoncredentialsandbeabletologonlocallytoexploitthisvulnerability.Thevulnerabilitycouldnotbeexploitedremotelyorbyanonymoususers.Workaround:NoneRestartRequirement:YesInstallationandRemoval:Add/RemoveProgramsCommandlineuninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-075.mspxMS06-076:OutlookExpress-ImportantTitle&KBArticle:CumulativeSecurityUpdateforOutlookExpress(923694)AffectedSoftware:Win2KSP4WinXPSP2,x64EditionWin2K3andWin2K3SP1,2K3Itanium&Sp1forItanium,Win2K3x64OE5.5SP2onWin2KSP4OE6SP1onWinXPSP2OE6onWinXPSP2,x64EditionOE6onWin2K3andWin2K3SP1,x64Edition,Itanium&ItaniumSP1ReplacedUpdates:MS06-016&MS06-043withOE6onWinXPSP2&x64andOE6onWin2K3Sp1&x64Vulnerabilities:CVE-2023-2386:WindowsAddressBookContactRecordPubliclyDisclosed:CVE-2023-2386–NoKnownExploits?:NoIssueSummary:CVE-2023-2386:AnuncheckedbufferintheWindowsAddressBook(WAB)functionswithinOutlookExpressleadsaremotecodeexecutionattacksFixDescription:CVE-2023-2386:RemovesthevulnerabilitybymodifyingthewaythatOutlookExpress,whenusinga.wabfile,validatesthelengthofafieldbeforeitpassesittotheallocatedbufferAttackVectors:MaliciousEmailMaliciousWebPageMitigations:AuserwouldhavetobepersuadedtovisitamaliciousWebsiteExploitationonlyallowsthesameprivilegesastheloggedonuserAusermustopenanattachmentthatissentinane-mailWorkaround:Backupandremovethe.wabfileassociationImpactofWorkaround:Userswillnotbeabletoopenaddressbooksbydoubleclickingthem.TheywillhavetomanuallystarttheWindowsAddressBookapplicationandpasstheaddressbooktobeusedasacommandlineparameterortheycanimporttheaddressbookfromtheFilemenu.ThisdoesnotaffecttheuseofaddressbooksinOutlookExpressRestartRequirement

NoInstallationandRemoval:Add/RemovePrograms,CommandlineuninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-076.mspxMS06-076:OutlookExpress-ImportantMS06-077:RIS-ImportantTitle&KBArticle:VulnerabilityinRemoteInstallationServiceCouldAllowRemoteCodeExecution(926121)AffectedSoftware:Windows2023SP4ONLYReplacedUpdates:NoneVulnerabilities:CVE-2023-5584-RISWritablePathVulnerabilityPubliclyDisclosed:NoKnownExploits?:NoMS06-077:RIS-ImportantIssueSummary:RISallowsanonymousaccesstothefilestructureofahostedoperatingsystembuildthroughtheTFTPservice.FixDescription:TheupdatepreventsanonymousTFTPuserstheabilitytowritetotheRIShostedoperatingsystembuild’sfilestructurebyaddingtheregistrykeyidentifiedintheWorkaroundssectionofthebulletin.AttackVectors:MaliciouspackettransmissionoverthenetworkMitigations:AnattackerwouldneedTFTPaccesstoexploitthisvulnerabilityRISisnotinstalledbydefaultStandardFirewallconfigurationsshouldblockthisfromthewebWorkaround:ConfiguretheTFTPserviceasreadonlyDisabletheTFTPServiceBlockUDPport69atthefirewallRestartRequirement:NoInstallationandRemoval:Add/RemoveProgramsCommandlineuninstalloptionScriptableDeploymentMoreInformation:/taiwan/technet/security/bulletin/ms06-077.mspxMS06-078:WindowsMediaPlayer-Critical

Title&KBArticle:VulnerabilityinWindowsMediaPlayerCouldAllowRemoteCodeExecutionKB925398addressesWindowsMediaPlayer6.4KB923689addressesWindowsMediaFormatRuntimesAffectedSoftware:MicrosoftWindowsMediaFormat7.1through9.5SeriesRuntimeonthefollowingoperatingsystemversionsMicrosoftWindows2023ServicePack4-(KB923689)MicrosoftWindowsXPServicePack2-(KB923689)MicrosoftWindowsXPProfessionalx64Edition-(KB923689)MicrosoftWindowsServer2023orMicrosoftWindowsServer2023ServicePack1-(KB923689)MicrosoftWindowsServer2023x64Edition-(KB923689)AffectedSoftware:MicrosoftWindowsMediaFormat9.5SeriesRuntimex64Editiononthefollowingoperatingsystemversions:MicrosoftWindowsXPProfessionalx64Edition-(KB923689)MicrosoftWindowsServer2023x64Edition-(KB923689)MicrosoftWindowsMediaPlayer6.4onthefollowingoperatingsystemversions:Windows2023ServicePack4-(KB925398)MicrosoftWindowsXPServicePack2-(KB925398)MicrosoftWindowsXPProfessionalx64Edition–(KB925398)MicrosoftWindowsServer2023oronMicrosoftWindowsServer2023ServicePack1–(KB925398)MicrosoftWindowsServer2023x64Edition–(KB925398)ReplacedUpdates:NoneVulnerabilities:CVE-2023-4702WindowsMediaFormatVulnerabilityCVE-2023-6134WindowsMediaFormatWMVCOREASXVulnerabilityPubliclyDisclosed:NoKnownExploits?:NoMS06-078:WindowsMediaPlayer-CriticalIssueSummary:BufferoverflowRemoteCodeExecutionWMVCoreASFexploitedASXexploitedFixDescription:

UpdatemodifiesWMVCOREvalidationprocess.AttackVectors:MaliciousWebPageMaliciousEmailMitigations:RequiresaccessingmaliciousWebsite/openingmaliciousemailExploitationonlyallowsthesameprivilegesastheloggedonuserBydefault,IEonWindows2023runsinarestrictedmodeWindowsMediaFormat11runtimeisnotaffectedbythisvulnerabilityandcouldbeusedtopreventanattempttoexploitthisvulnerability.Workaround:DisabletheWindowsMediaPlayerActiveXcontrolsfromrunninginInternetExplorerModifytheAccessControlListonStrmdll.dlltopreventshellbasedattacksonplayersonWindows2023UnregisterShmedia.dlltopreventshellbasedattacksonplayersWindowsXPandWindows2023MS06-078:WindowsMediaPlayer-CriticalRestartRequirement:None,ifrequiredservicesareterminable.InstallationandRemoval:Add/RemoveProgramsCommandlineuninstalloptionScriptableDeploymentMoreInformation:

/taiwan/technet/security/bulletin/ms06-078.mspxMS06-078:WindowsMediaPlayer-CriticalRe-ReleaseofMS06-059-ExcelCriticalInstallMS06-059mightfailifALLconditionsaretrue:RunningExcel2023MSI2.0PreviouslyinstalledMS06-037Details:Basically,becausethe059patchdoesnotcontaintheMSI2.0patchcodefor037,installingExcel2023’s059ontopof037willtriggeraWindowsInstaller2.0buginsomecases&resultinexcel.exenotgettingupdatedtoversion6816.Resolution:InstallMS06-059v2DetectionandDeploymentBulletinComponentOfficeUpdateWU/MUMBSA1.2+ODTMBSA2.0/

2.0.1SUSWSUSESTSMSSUITSMSITMUDetectanddeployDetectanddeployDetectonlyDetectonlyDetectanddeployDetectanddeployDetectonlyDetectanddeployDetectanddeployMS06-072MicrosoftInternetExplorerNotapplicableYesYesYesYesYesNotapplicableYesYesMS06-073MicrosoftVisualStudioNotapplicableYesNoYesNoYesYesYes,withESUITYesMS06-074SNMPNotapplicableYesYesYesYesYesNotapplicableYesYesMS06-075FileManifestNotapplicableYesYesYesYesYesNotapplicableYesYesMS06-076MicrosoftOutlookExpressNotapplicableYesNoYesYesYesYesYes,withESUITYesMS06-077RemoteInstallationServices(RIS)NotapplicableYesNoYesYesYesYesYesYesMS06-078WindowsMediaPlayerNotapplicableYesPartialYesYesYesYesYes,withESUITPartialOtherUpdateInformationBulletinRestartUninstallReplacesOnproductsMS06-072YesYesMS06-067andallpreviousCumulativeSecurityUpdatesforIEIE5.01SP4,IE6,IE6SP1MS06-073MaybeYesN/AVisualStudio2023MS06-074YesYesN/AWindows2023SP4,XPSP2,W2K3,W2K3SP1MS06-075YesYesN/AXPSP2andW2K3MS06-076NoYesMS06-016&MS06-043withOE6onWinXPSP2&x64andOE6onW2K3SP1&x64OE5.5SP2andOE6MS06-077NoYesN/AW2KOnlyMS06-078MaybeYesN/A

MicrosoftWindowsMediaFormat7.1through9.5SeriesRuntimeonthefollowingoperatingsystemversions

MicrosoftWindowsMediaPlayer6.4December2023Non-SecurityUpdatesNUMBERTITLEDistribution911897UpdateforWindowsServerWU,MU926251UpdateforWindowsXPMediaCenterEditionfor2023WU,MU928388UpdateforWindowsWU,MU929120UpdateforWindowsWU,MU924886UpdateforOffice2023MUNewWSUSSCAN.CABarchitectureNewarchitectureforwsusscan.cabbeginssinceNovember2023Supportforexistingwsusscan.cabarchitectureendsonMarch2023SMSITMUcustomers:downloadanddeployupdatedversion