Microsoft Security Bulletin Advance Notification for July 2013

This advance notification provides a number as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier.
The following table summarizes the security bulletins for this month in order of severity.
For details on affected software, see the next section, Affected Software.

Bulletin ID	Maximum Severity Rating and Vulnerability Impact	Restart Requirement	Affected Software
Bulletin 1	Critical Remote Code Execution	May require restart	Microsoft .NET Framework, Microsoft Silverlight
Bulletin 2	Critical Remote Code Execution	Requires restart	Microsoft Windows
Bulletin 3	Critical Remote Code Execution	May require restart	Microsoft Windows, Microsoft Office, Microsoft Visual Studio, Microsoft Lync
Bulletin 4	Critical Remote Code Execution	Requires restart	Microsoft Windows, Internet Explorer
Bulletin 5	Critical Remote Code Execution	May require restart	Microsoft Windows
Bulletin 6	Critical Remote Code Execution	May require restart	Microsoft Windows
Bulletin 7	Important Elevation of Privilege	Does not require restart	Microsoft Security Software

Retirement of Red Hat Enterprise Linux 6.1 Extended Update Support (EUS).

1. Summary:

This is the final notification for the retirement of Red Hat Enterprise
Linux 6.1 Extended Update Support (EUS).

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server EUS (v. 6.1) - i386, ppc64, s390x, x86_64

3. Description:

In accordance with the Red Hat Enterprise Linux Errata Support Policy,
Extended Update Support for Red Hat Enterprise Linux 6.1 was retired on
May 31, 2013, and support is no longer provided. Accordingly, Red Hat will
no longer provide updated packages, including critical impact security
patches or urgent priority bug fixes, for Red Hat Enterprise Linux 6.1 EUS.
In addition, technical support through Red Hat's Global Support Services is
no longer provided.

Note: This notification applies only to those customers with subscriptions
to the Extended Update Support (EUS) channels for Red Hat Enterprise Linux
6.1.

We encourage customers to plan their migration from Red Hat Enterprise
Linux 6.1 to a more recent version of Red Hat Enterprise Linux 6. As a
benefit of the Red Hat subscription model, customers can use their active
subscriptions to entitle any system on a currently supported Red Hat
Enterprise Linux 6 release (6.2, 6.3, or 6.4, for which EUS is available).

Ubuntu to halve support length for non-LTS releases

The reduction in support for non-LTS releases from 18 to nine months should give the developers more time to concentrate on testing the packages to which users will be able to upgrade between major releases. No decisions have been taken, apparently, on how the up-to-date packages will be delivered to users; the Technical Board only decided to "enable users to continuously track the development focus of Ubuntu without having to explicitly upgrade".

Red Hat Announces General Availability of Next Minor Release of Red Hat Enterprise Linux 6

Red Hat Enterprise Linux 6.4 has been optimized for performance, stability and flexibility, and designed to help organizations manage their workloads across physical, virtual and cloud environments. Red Hat Enterprise Linux introduces several new components that help enterprises meet these core business objectives.

Scale-out Data Access Through Parallel NFS (pNFS)
Red Hat has collaborated with its partners and the upstream community on the parallel Network File System (pNFS) industry standard. This helps to solve the problems associated with NFS sprawl, characterized by the explosive growth of data and the increased burden of managing file system complexity. Capabilities have also been added that result in performance gains for I/O intensive workloads like database access. Using the first-to-market, fully supported pNFS client -- delivered in Red Hat Enterprise Linux 6.4 -- customers can begin to plan and design next-generation, scalable file system solutions based on pNFS.

“NetApp and Red Hat are seeing considerable demand for pNFS capabilities from customers looking to modernize their data center environment to address the extreme requirements around scale, performance and manageability,” said Patrick Rogers, vice president, solutions and integrations, NetApp. “With Red Hat Enterprise Linux 6.4, Red Hat has achieved a significant milestone advancing pNFS client support, which reflects their continued leadership and innovation in enterprise-class open source solutions.”

Focus On Security Through Enhanced Identity Management
Red Hat Enterprise Linux 6.4 continues to expand security through enhanced identity and host-based access management. This release also provides easier interoperability in heterogeneous environments, whether identities are Linux- based or managed by Microsoft Active Directory.

Improved Virtual Guest Experience on VMware and Hyper-V
Red Hat Enterprise Linux 6 .4 now includes the Microsoft Hyper-V Linux drivers, improving the overall performance of the operating system when running as a guest on Microsoft Hyper-V. The latest release also offers installation support for the VMware and Microsoft Hyper-V para-virtualized drivers, improving the deployment experience for users working in these environments.

Updated Management Capabilities
Red Hat Enterprise Linux 6.4 provides enhancement to control groups (cgroups), allowing multi-threaded applications to migrate smoothly between them. In addition, this release includes updated performance monitoring tools that support new counters (performance monitoring units, or PMUs) from Intel.

New Tools and Improved Productivity Support
Red Hat Enterprise Linux 6.4 includes several key productivity-focused improvements, including enhanced interoperability with Microsoft Exchange, calendar support in Evolution, and new functions, such as alarm notifications and the ability to schedule meetings. This update also includes support for newer Wacom tablets, which benefits professional animators and design artists.

"Red Hat Enterprise Linux has long been considered the premier open source operating system for enterprises, and this latest iteration further cements the platform as a compelling foundation for mission-critical solutions across physical, virtual and cloud environments," said Jim Totton, vice president and general manager, Red Hat's Platform Business Unit. "The features found within Red Hat Enterprise Linux 6.4 — from support for pNFS to expanded security features and much more — exemplify our commitment to innovation and providing our customers with the advanced tools they need to attain their business goals."

Adobe Releases Security Update for Adobe Reader and Acrobat

Adobe has released a security update for Adobe Reader and Acrobat to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition or take control of the affected system. Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick users into clicking on malicious PDF files delivered in an email message.

Adobe has released updates for the following versions:

 * Adobe Reader XI 11.0.01 and earlier for Windows and Macintosh

 * Adobe Reader X 10.1.5 and earlier for Windows and Macintosh

 * Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux

 * Adobe Acrobat XI 11.0.01 and earlier for Windows and Macintosh

 * Adobe Acrobat X 10.1.5 and earlier for Windows and Macintosh

 * Adobe Acrobat 9.5.3. and earlier 9.x versions for Windows and Macintosh

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB13-02 and follow best-practice security polices to determine which updates should be applied.

Relevant URL(s):

<http://www.adobe.com/support/security/advisories/apsa13-02.html>

Microsoft : MS12-043 - Critical

* MS12-043 - Critical

  - http://technet.microsoft.com/security/bulletin/ms12-043

  - Reason for Revision: V4.1 (January 30, 2013): Clarified that

    customers with the KB2687324 and KB2596679 updates will be

    offered the KB2687627 and KB2687497 updates respectively for

    Microsoft XML Core Services 5.0. See the update FAQ for

    details.

  - Originally posted: July 10, 2012

  - Updated: January 30, 2013

  - Bulletin Severity Rating: Critical

  - Version: 4.1

Security update KB2756920 for Windows 7 and Windows Server 2008 R2

* MS13-004 - Important

 - http://technet.microsoft.com/security/bulletin/MS13-004

 - Reason for Revision: V2.0 (January 22, 2013): Bulletin

   rereleased to reoffer security update KB2756920 for Windows 7

   and Windows Server 2008 R2 to systems that are running in

   specific configurations known to have potential compatibility

   issues. Customers who are reoffered the update should

   reinstall this update. See the update FAQ for more

   information.

 - Originally posted: January 8, 2013

 - Updated: January 22, 2013

 - Bulletin Severity Rating: Important

 - Version: 2.0

Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: January 10, 2013

Last revised: --

Systems Affected

     Any system using Oracle Java 7 (1.7, 1.7.0) including

     * Java Platform Standard Edition 7 (Java SE 7)

     * Java SE Development Kit (JDK 7)

     * Java SE Runtime Environment (JRE 7)

     All versions of Java 7 through update 10 are affected.  Web

     browsers using the Java 7 plug-in are at high risk.

Overview

   A vulnerability in the way Java 7 restricts the permissions of Java

   applets could allow an attacker to execute arbitrary commands on a

   vulnerable system.

Description

   A vulnerability in the Java Security Manager allows a Java applet

   to grant itself permission to execute arbitrary code. An attacker

   could use social engineering techniques to entice a user to visit a

   link to a website hosting a malicious Java applet. An attacker

   could also compromise a legitimate web site and upload a malicious

   Java applet (a "drive-by download" attack).

   Any web browser using the Java 7 plug-in is affected. The Java

   Deployment Toolkit plug-in and Java Web Start can also be used as

   attack vectors.

   Reports indicate this vulnerability is being actively exploited,

   and exploit code is publicly available.

   Further technical details are available in Vulnerability Note

   VU#625617.

Impact

   By convincing a user to load a malicious Java applet or Java

   Network Launching Protocol (JNLP) file, an attacker could execute

   arbitrary code on a vulnerable system with the privileges of the

   Java plug-in process.

Solution

   Disable Java in web browsers

   This and previous Java vulnerabilities have been widely targeted by

   attackers, and new Java vulnerabilities are likely to be

   discovered. To defend against this and future Java vulnerabilities,

   disable Java in web browsers.

   Starting with Java 7 Update 10, it is possible to disable Java

   content in web browsers through the Java control panel applet. From

   Setting the Security Level of the Java Client:

   For installations where the highest level of security is required,

   it is possible to entirely prevent any Java apps (signed or

   unsigned) from running in a browser by de-selecting Enable Java

   content in the browser in the Java Control Panel under the Security

   tab.

   If you are unable to update to Java 7 Update 10 please see the

   solution section of Vulnerability Note VU#636312 for instructions

   on how to disable Java on a per browser basis.

Red Hat Enterprise Linux 5.9 introduced

Customers with a Red Hat Enterprise Linux (RHEL) support contract are now able to download version 5.9 of the company's Linux distribution. The new release updates RHEL 5 to include Microsoft's Hyper V driver, OpenJDK 7 and Samba 3.6. This minor version update of RHEL 5 also marks the completion of the first support phase of the revised Red Hat support life cycle; it has taken five years to get to this point – RHEL 5 was introduced in 2007.

The integrated Hyper V driver is designed to make the Linux distribution work better under Microsoft's hypervisor – for example in clouds with Windows hosts. The drivers that have been developed by Microsoft have been part of the official Linux kernel for some time, but didn't meet the kernel developers' quality requirements up until a few months ago; this was probably the reason why Red Hat previously disregarded these drivers. The developers have also updated the more recent of the two included Samba variants to version 3.6; this version is part of the Samba3x packages and supports the second generation Server Message Block network protocol (SMB2), which is said to produce less overhead during data exchanges and works faster as a result. Red Hat has also updated the SystemTap system diagnostics software to version 1.8, introducing various minor improvements. Further new additions are OpenJDK 7 and version 5 of the rsyslog system logging service. However, both are optional, which means that systems will continue to use OpenJDK 6 and the older version of rsyslog unless users manually switch to the newer versions.
As usual, Red Hat has improved the distribution's support for new processors and has updated a whole range of drivers – including the bfa driver, which supports the Brocade Fibre Channel host adapter and is no longer classified as a technology preview. A new RHEL 5 component is the ib_qib driver that is intended for Qlogic InfiniBand host channel adapters and supersedes the ib_ipath driver, though that driver continues to be usable. Further details of the new features can be found in the product announcement and in the RHEL 5.9 release and technical notes.
                                                                         The RHEL life cycle
                                                                            Source: Red Hat


The completion of the first support phase has marked the beginning of the Production 2 Phase in the life cycle of RHEL 5. In this phase, Red Hat will no longer integrate any major new features such as those introduced in RHEL 5.9. Even driver updates and other new hardware support improvements will only be made if they don't require much effort. Red Hat will, however, continue to issue minor releases and make new installation images available that include all changes made up to that point. This second maintenance phase will end in the first quarter of 2014. After that time, Red Hat will reduce the distribution's maintenance even further in the Production 3 Phase, which will still provide security patches and bug fixes, but no further minor releases or updated drivers.

                                                            Support phases of RHEL 5 and 6
                                                                       Source: Red Hat

The third maintenance phase of RHEL 5 will end in the first quarter of 2017, but customers will be able to purchase three further years of support and extend the overall maintenance period of RHEL 5 to a total of thirteen years. If Red Hat keeps to its current release rhythm, RHEL 9 should already be available when this phase is complete. A first beta of RHEL 7 has been scheduled for the first half of 2013, and version 6.4 is already in beta testing. The fourth minor release of RHEL 6 should become available in a few weeks; in addition, Oracle Linux, CentOS, Scientific Linux and others will probably release their usual free-of-charge RHEL 5.9 clones over the coming weeks.