Security Bulletin

Microsoft Security Bulletin MS12-034 - Critical

Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)

Published: May 08, 2012 | Updated: March 06, 2013

Version: 1.6

General Information

Executive Summary

This security update resolves three publicly disclosed vulnerabilities and seven privately reported vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework, and Microsoft Silverlight. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.

This security update is rated Critical for all supported releases of Microsoft Windows; for Microsoft .NET Framework 4, except when installed on Itanium-based editions of Microsoft Windows; and for Microsoft Silverlight 4 and Microsoft Silverlight 5. This security update is rated Important for Microsoft Office 2003, Microsoft Office 2007, and Microsoft Office 2010. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the most severe of these vulnerabilities by correcting the manner in which affected components handle specially crafted TrueType font files and by correcting the manner in which GDI+ validates specially crafted EMF record types and specially crafted EMF images embedded within Microsoft Office files. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. Microsoft Knowledge Base Article 2681578 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Microsoft Windows and Components

Operating System Component Maximum Security Impact Aggregate Severity Rating Updates Replaced
Microsoft Windows
Windows XP Service Pack 3 (KB2660649) (Tablet PC Edition 2005 Service Pack 3 only) Not applicable Remote Code Execution Important None
Windows XP Service Pack 3 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows XP Service Pack 3 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2633171 in MS11-098 replaced by KB2676562
Windows XP Service Pack 3 (KB2686509) Not applicable Elevation of Privilege Important None
Windows XP Professional x64 Edition Service Pack 2 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows XP Professional x64 Edition Service Pack 2 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB979683 in MS10-021 replaced by KB2676562
Windows XP Professional x64 Edition Service Pack 2 (KB2686509) Not applicable Elevation of Privilege Important None
Windows Server 2003 Service Pack 2 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows Server 2003 Service Pack 2 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2633171 in MS11-098 replaced by KB2676562
Windows Server 2003 Service Pack 2 (KB2686509) Not applicable Elevation of Privilege Important None
Windows Server 2003 x64 Edition Service Pack 2 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows Server 2003 x64 Edition Service Pack 2 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB979683 in MS10-021 replaced by KB2676562
Windows Server 2003 x64 Edition Service Pack 2 (KB2686509) Not applicable Elevation of Privilege Important None
Windows Server 2003 with SP2 for Itanium-based Systems (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows Server 2003 with SP2 for Itanium-based Systems (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB979683 in MS10-021 replaced by KB2676562
Windows Server 2003 with SP2 for Itanium-based Systems (KB2686509) Not applicable Elevation of Privilege Important None
Windows Vista Service Pack 2 (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows Vista Service Pack 2 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows Vista Service Pack 2 (KB2660649) Not applicable Remote Code Execution Important None
Windows Vista Service Pack 2 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2633171 in MS11-098 replaced by KB2676562
Windows Vista x64 Edition Service Pack 2 (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows Vista x64 Edition Service Pack 2 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows Vista x64 Edition Service Pack 2 (KB2660649) Not applicable Remote Code Execution Important None
Windows Vista x64 Edition Service Pack 2 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows Server 2008 for 32-bit Systems Service Pack 2 (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows Server 2008 for 32-bit Systems Service Pack 2 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows Server 2008 for 32-bit Systems Service Pack 2[3](KB2660649) Not applicable Remote Code Execution Important None
Windows Server 2008 for 32-bit Systems Service Pack 2 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2633171 in MS11-098 replaced by KB2676562
Windows Server 2008 for x64-based Systems Service Pack 2 (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows Server 2008 for x64-based Systems Service Pack 2 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows Server 2008 for x64-based Systems Service Pack 2[3](KB2660649) Not applicable Remote Code Execution Important None
Windows Server 2008 for x64-based Systems Service Pack 2 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows Server 2008 for Itanium-based Systems Service Pack 2 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows Server 2008 for Itanium-based Systems Service Pack 2 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows 7 for 32-bit Systems (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows 7 for 32-bit Systems (KB2659262) Not applicable Remote Code Execution Important None
Windows 7 for 32-bit Systems (KB2660649) Not applicable Remote Code Execution Important None
Windows 7 for 32-bit Systems (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2633171 in MS11-098 replaced by KB2676562
Windows 7 for 32-bit Systems Service Pack 1 (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows 7 for 32-bit Systems Service Pack 1 (KB2659262) Not applicable Remote Code Execution Important None
Windows 7 for 32-bit Systems Service Pack 1 (KB2660649) Not applicable Remote Code Execution Important None
Windows 7 for 32-bit Systems Service Pack 1 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2633171 in MS11-098 replaced by KB2676562
Windows 7 for x64-based Systems (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows 7 for x64-based Systems (KB2659262) Not applicable Remote Code Execution Important None
Windows 7 for x64-based Systems (KB2660649) Not applicable Remote Code Execution Important None
Windows 7 for x64-based Systems (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows 7 for x64-based Systems Service Pack 1 (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows 7 for x64-based Systems Service Pack 1 (KB2659262) Not applicable Remote Code Execution Important None
Windows 7 for x64-based Systems Service Pack 1 (KB2660649) Not applicable Remote Code Execution Important None
Windows 7 for x64-based Systems Service Pack 1 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows Server 2008 R2 for x64-based Systems (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows Server 2008 R2 for x64-based Systems (KB2659262) Not applicable Remote Code Execution Important None
Windows Server 2008 R2 for x64-based Systems[4] (KB2660649) Not applicable Remote Code Execution Important None
Windows Server 2008 R2 for x64-based Systems (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (KB2659262) Not applicable Remote Code Execution Important None
Windows Server 2008 R2 for x64-based Systems Service Pack 1[4] (KB2660649) Not applicable Remote Code Execution Important None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows Server 2008 R2 for Itanium-based Systems (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows Server 2008 R2 for Itanium-based Systems (KB2659262) Not applicable Remote Code Execution Important None
Windows Server 2008 R2 for Itanium-based Systems (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (KB2658846) Not applicable Remote Code Execution Important KB2665364 in MS12-019 replaced by KB2658846
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (KB2659262) Not applicable Remote Code Execution Important None
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (KB2676562) Not applicable Remote Code Execution Critical KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Microsoft .NET Framework 3.0 Service Pack 2
Windows XP Service Pack 3 Microsoft .NET Framework 3.0 Service Pack 2 (KB2656407) None No severity rating[2] None
Windows XP Professional x64 Edition Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (KB2656407) None No severity rating[2] None
Windows Server 2003 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (KB2656407) None No severity rating[2] None
Windows Server 2003 x64 Edition Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (KB2656407) None No severity rating[2] None
Windows Vista Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (KB2656409) None No severity rating[2] None
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (KB2656409) None No severity rating[2] None
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (KB2656409) None No severity rating[2] None
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 (KB2656409) None No severity rating[2] None
Microsoft .NET Framework 3.5.1
Windows 7 for 32-bit Systems Microsoft .NET Framework 3.5.1 (KB2656410) None No severity rating[2] None
Windows 7 for 32-bit Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (KB2656411) None No severity rating[2] None
Windows 7 for x64-based Systems Microsoft .NET Framework 3.5.1 (KB2656410) None No severity rating[2] None
Windows 7 for x64-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (KB2656411) None No severity rating[2] None
Windows Server 2008 R2 for x64-based Systems Microsoft .NET Framework 3.5.1 (KB2656410) None No severity rating[2] None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (KB2656411) None No severity rating[2] None
Microsoft .NET Framework 4
Windows XP Service Pack 3 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows XP Professional x64 Edition Service Pack 2 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows Server 2003 Service Pack 2 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows Server 2003 x64 Edition Service Pack 2 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows Vista Service Pack 2 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows 7 for 32-bit Systems Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows 7 for 32-bit Systems Service Pack 1 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows 7 for x64-based Systems Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows 7 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows Server 2008 R2 for x64-based Systems Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4[1](KB2656405) Remote Code Execution Critical None
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows Server 2008 for 32-bit Systems Service Pack 2 (KB2676562) Not applicable Elevation of Privilege Important KB2641653 in MS12-018 replaced by KB2676562 KB2633171 in MS11-098 replaced by KB2676562
Windows Server 2008 for x64-based Systems Service Pack 2 (KB2659262) Not applicable Remote Code Execution Important KB2412687 in MS11-029 replaced by KB2659262
Windows Server 2008 for x64-based Systems Service Pack 2 (KB2676562) Not applicable Elevation of Privilege Important KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows Server 2008 R2 for x64-based Systems (KB2659262) Not applicable Remote Code Execution Important None
Windows Server 2008 R2 for x64-based Systems (KB2676562) Not applicable Elevation of Privilege Important KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (KB2659262) Not applicable Remote Code Execution Important None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (KB2676562) Not applicable Elevation of Privilege Important KB2641653 in MS12-018 replaced by KB2676562 KB2556532 in MS11-068 replaced by KB2676562
Windows Server 2008 R2 for x64-based Systems Microsoft .NET Framework 3.5.1 (KB2656410) None No severity rating[2] None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (KB2656411) None No severity rating[2] None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4 (KB2656405) Remote Code Execution Critical None

[1].NET Framework 4 and .NET Framework 4 Client Profile affected. The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. .NET Framework 4 Client Profile is a subset of .NET Framework 4. The vulnerability addressed in this update affects both .NET Framework 4 and .NET Framework 4 Client Profile. For more information, see the MSDN article, Installing the .NET Framework.

[2]Severity ratings do not apply to this update for the specified software because there are no known attack vectors for the vulnerability discussed in this bulletin. However, as a defense-in-depth measure, Microsoft recommends that customers of this software apply this security update.

[3]This update is only applicable for Windows Server 2008 systems when the optional Desktop Experience feature has been installed and enabled. See the update FAQ for details.

[4]This update is only applicable for Windows Server 2008 R2 systems when the Ink Support component of the optional Ink and Handwriting Services feature has been installed and enabled. See the update FAQ for details.

Microsoft Office

Office Software Maximum Security Impact Aggregate Severity Rating Updates Replaced
Microsoft Office 2003 Service Pack 3\ (KB2598253) Remote Code Execution Important KB972580 in MS09-062 replaced by KB2598253
Microsoft Office 2007 Service Pack 2\ (KB2596672) Remote Code Execution Important KB972581 in MS09-062 replaced by KB2596672
Microsoft Office 2007 Service Pack 2\ (KB2596792) Remote Code Execution Important None
Microsoft Office 2007 Service Pack 3\ (KB2596672) Remote Code Execution Important None
Microsoft Office 2007 Service Pack 3\ (KB2596792) Remote Code Execution Important None
Microsoft Office 2010 (32-bit editions)\ (KB2589337) Remote Code Execution Important None
Microsoft Office 2010 Service Pack 1 (32-bit editions)\ (KB2589337) Remote Code Execution Important None
Microsoft Office 2010 (64-bit editions)\ (KB2589337) Remote Code Execution Important None
Microsoft Office 2010 Service Pack 1 (64-bit editions)\ (KB2589337) Remote Code Execution Important None

Microsoft Developer Tools and Software

Operating System Maximum Security Impact Aggregate Severity Rating Updates Replaced
Microsoft Silverlight 4
Microsoft Silverlight 4 when installed on Mac (KB2690729) Remote Code Execution Critical KB2668562 in MS12-016 replaced by KB2690729
Microsoft Silverlight 4 when installed on all supported releases of Microsoft Windows clients (KB2690729) Remote Code Execution Critical KB2668562 in MS12-016 replaced by KB2690729
Microsoft Silverlight 4 when installed on all supported releases of Microsoft Windows servers (KB2690729) Remote Code Execution Critical KB2668562 in MS12-016 replaced by KB2690729
Microsoft Silverlight 5
Microsoft Silverlight 5 when installed on Mac (KB2636927) Remote Code Execution Critical None
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows clients (KB2636927) Remote Code Execution Critical None
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows servers (KB2636927) Remote Code Execution Critical None

Non-Affected Software

Software
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft Office 2008 for Mac
Microsoft Office for Mac 2011
Microsoft Office Compatibility Pack Service Pack 2
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Works 9

Why was this bulletin revised on May22, 2012?
This bulletin was revised to make several additions and corrections:

  • To announce a detection change for KB2656407 for Microsoft .NET Framework 3.0 Service Pack 2 to correct an installation issue. This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
  • To announce a detection change for KB2636927 for Microsoft Silverlight 5 to correct an installation issue. This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
  • Corrected the update replacement information for Microsoft Silverlight 5.
  • Added footnotes and an update FAQ entry to explain why Windows Server 2008 customers may not be offered security update KB2660649.
  • Added footnotes and an update FAQ entry to explain why Windows Server 2008 R2 customers may not be offered security update KB2660649.
  • Added an update FAQ entry to explain why Windows Server 2008 customers may not be offered security update KB2658846.

I have a non-vulnerable version of software installed, why am I being offered security update KB2589337?
Some non-affected software, including Microsoft Visio Viewer 2010, contain the vulnerable shared component of Microsoft Office, but because they do not access the vulnerable code, they are not affected. However, since the vulnerable code is present, this update will be offered.

I am running Windows Server 2008. Why am I not being offered security update KB2660649?
Security update package KB2660649 is only applicable on Windows Server 2008 for 32-bit Systems Service Pack 2 and Windows Server 2008 for x64-based Systems Service Pack 2 systems when the optional Desktop Experience feature has been installed and enabled. Windows Server 2008 customers who have installed and enabled the Desktop Experience feature will have the vulnerable component addressed by KB2660649 and will therefore need to install this security update. Customers who have not installed the Desktop Experience feature or who have installed but not enabled the feature will not have the vulnerable component and will therefore not be offered security update package KB2660649.

I am running Windows Server 2008 R2. Why am I not being offered security update KB2660649?
Security update package KB2660649 is only applicable on Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 systems when the Ink Support component of the optional Ink and Handwriting Services feature has been installed and enabled. Windows Server 2008 R2 customers who have installed and enabled the Ink Support component of the Ink and Handwriting Services feature will have the vulnerable component addressed by KB2660649 and will therefore need to install this security update. Customers who have not installed the Ink Support component of the Ink and Handwriting Services feature or who have installed but not enabled the feature will not have the vulnerable component and will therefore not be offered security update package KB2660649.

I am running one of the operating systems that are listed in the affected software table for security update KB2658846. Why am I not being offered this update?
Security update KB2658846 will only be offered to systems on which the affected component (DirectWrite) is installed.

Note On supported editions of Windows Vista and Windows Server 2008, DirectWrite is not installed by default. On these operating systems, DirectWrite is installed as part of any of the following updates: Windows Graphics, Imaging, and XPS Library (KB971512), Platform Update Supplement (KB2117917), or the Update for DirectWrite and XPS (KB2505189). Note that these updates are offered through automatic updating.

Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files.

Why are multiple package updates available for my software?
The updates required to address the vulnerabilities described in this bulletin are offered across different package updates as indicated in the Affected Software table due to the componentized servicing model of the software. To be protected from the vulnerabilities, all updates available for any affected software are required, but they do not need to be installed in a particular order.

There is more than one update listed for the software installed on my system. Do I need to install all of the updates?
Yes. Customers should apply all updates offered for the software installed on their systems.

Do I need to install these security updates in a particular sequence?
No. Multiple updates for one version of software can be applied in any sequence.

What is defense-in-depth?
In information security, defense-in-depth refers to an approach in which multiple layers of defense are in place to help prevent attackers from compromising the security of a network or system.

Are there special requirements related to applying the security update packages that address CVE-2012-0181?
Yes. The detection logic for the security update package identified as KB2686509 performs an eligibility check of the system in order to verify whether the system meets the requirements to activate the fix applied by KB2676562, which addresses CVE-2012-0181. If the system meets the requirements, both KB2686509 and KB2676562 will be successfully installed on the system and the vulnerability described in CVE-2012-0181 will be addressed. Otherwise, KB2686509 will be re-offered until the system does meet the requirements. Successful installation of both the KB2686509 and KB2676562 update packages are necessary to be protected against CVE-2012-0181 on Windows XP and Windows Server 2003 systems. If your system does not meet the requirements to install the update, please follow the guidance documented in Microsoft Knowledge Base Article 2686509.

I have Microsoft Office 2010 installed on my system. Why might I not be offered update package KB2589337 for Microsoft Office 2010?
The vulnerabilities addressed by update package KB2589337 only affect Microsoft Office 2010 when installed on systems running Windows XP and Windows Server 2003. Therefore, the Microsoft Office 2010 update KB2589337 will not be offered to systems running Windows Vista or later versions of Microsoft Windows.

Is this security update related to MS12-035, Vulnerabilities in .NET Framework Could Allow Remote Code Execution?
No. Although both of these security updates affect the .NET Framework, the updates affect different components and are not related. These updates may be applied in any order.

Is Windows 8 Consumer Preview affected by any of the vulnerabilities addressed in this bulletin?
Yes. The KB2658846, KB2660649, and KB2676562 updates are available for the Windows 8 Consumer Preview release. Customers with Windows 8 Consumer Preview are encouraged to apply the updates to their systems. The updates are only available on Windows Update.

How do I determine which version of the Microsoft .NET Framework is installed?
You can install and run multiple versions of the .NET Framework on a system, and you can install the versions in any order. There are several ways to determine which versions of the .NET Framework are currently installed. For more information, see Microsoft Knowledge Base Article 318785.

What is the difference between .NET Framework 4 and .NET Framework 4 Client Profile?
The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. The .NET Framework 4 Client Profile is a subset of the .NET Framework 4 profile that is optimized for client applications. It provides functionality for most client applications, including Windows Presentation Foundation (WPF), Windows Forms, Windows Communication Foundation (WCF), and ClickOnce features. This enables faster deployment and a smaller install package for applications that target the .NET Framework 4 Client Profile. For more information, see the MSDN article, .NET Framework Client Profile.

How do I know which version and build of Microsoft Silverlight is currently installed?
If Microsoft Silverlight is already installed on your computer, you can visit the Get Microsoft Silverlight page, which will indicate which version and build of Microsoft Silverlight are currently installed on your system. Alternatively, you can use the Manage Add-Ons feature of current versions of Microsoft Internet Explorer to determine the version and build information that is currently installed.

You can also manually check the version number of sllauncher.exe located in the "%ProgramFiles%\Microsoft Silverlight" directory (on x86 Microsoft Windows systems) or in the "%ProgramFiles(x86)%\Microsoft Silverlight" directory (on x64 Microsoft Windows systems).

In addition, on Microsoft Windows, the version and build information of the currently installed version of Microsoft Silverlight can be found in the registry at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Silverlight]:Version on x86 Microsoft Windows systems, or [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight]:Version on x64 Microsoft Windows systems.

On Apple Mac OS, the version and build information of the currently installed version of Microsoft Silverlight can be found as follows:

  1. Open the Finder
  2. Select the system drive and go to the folder Internet Plug-ins - Library
  3. Right-click the file Silverlight.Plugin (if your mouse has only one button, press the Ctrl key while clicking on the file) to bring up the context menu, then click Show Package Contents
  4. Inside the contents folder, locate the file info.plist and open it with an editor. It will contain an entry like this, which shows you the version number: SilverlightVersion 4.1.10329 or SilverlightVersion 5.1.10411

The version installed with this security update for Microsoft Silverlight 4 is 4.1.10329. If your Microsoft Silverlight 4 version number is higher than or equal to this version number, your system is not vulnerable. The version installed with this security update for Microsoft Silverlight 5 is 5.1.10411. If your Microsoft Silverlight 5 version number is higher than or equal to this version number, your system is not vulnerable.

How do I upgrade my version of Microsoft Silverlight?
The Microsoft Silverlight auto-update feature helps makes sure that your Microsoft Silverlight installation is kept up to date with the latest version of Microsoft Silverlight, Microsoft Silverlight functionality, and security features. For more information about the Microsoft Silverlight auto-update feature, see the Microsoft Silverlight Updater. Customers who have disabled the Microsoft Silverlight auto-update feature can enroll in Microsoft Update to obtain the latest version of Microsoft Silverlight, or download the latest version of Microsoft Silverlight manually using the download link in the Affected Software table in the earlier section, Affected and Non-Affected Software. For information about deploying Microsoft Silverlight in an enterprise environment, see the Silverlight Enterprise Deployment Guide.

Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle website.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the May bulletin summary. For more information, see Microsoft Exploitability Index.

Table 1

Affected Software TrueType Font Parsing Vulnerability - CVE-2011-3402 TrueType Font Parsing Vulnerability - CVE-2012-0159 .NET Framework Buffer Allocation Vulnerability - CVE-2012-0162 .NET Framework Index Comparison Vulnerability - CVE-2012-0164 GDI+ Record Type Vulnerability - CVE-2012-0165 GDI+ Heap Overflow Vulnerability - CVE-2012-0167
Windows XP
Windows XP Service Pack 3 (Tablet PC Edition 2005 only) Important  Remote Code Execution Important  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows XP Service Pack 3 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows XP Professional x64 Edition Service Pack 2 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows Server 2003
Windows Server 2003 Service Pack 2 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows Server 2003 x64 Edition Service Pack 2 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows Server 2003 with SP2 for Itanium-based Systems Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows Vista
Windows Vista Service Pack 2 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Critical  Remote Code Execution Not applicable
Windows Vista x64 Edition Service Pack 2 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Critical  Remote Code Execution Not applicable
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Critical  Remote Code Execution Not applicable
Windows Server 2008 for x64-based Systems Service Pack 2 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Critical  Remote Code Execution Not applicable
Windows Server 2008 for Itanium-based Systems Service Pack 2 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Critical  Remote Code Execution Not applicable
Windows 7
Windows 7 for 32-bit Systems Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows 7 for 32-bit Systems Service Pack 1 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows 7 for x64-based Systems Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows 7 for x64-based Systems Service Pack 1 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows Server 2008 R2 for Itanium-based Systems Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Important Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows XP Service Pack 3 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows XP Professional x64 Edition Service Pack 2 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows Server 2003 Service Pack 2 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows Server 2003 x64 Edition Service Pack 2 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Vista Service Pack 2 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Vista x64 Edition Service Pack 2 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 4
Microsoft .NET Framework 4 when installed on Windows XP Service Pack 3[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows XP Professional x64 Edition Service Pack 2[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows Server 2003 Service Pack 2[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows Server 2003 x64 Edition Service Pack 2[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows Vista Service Pack 2[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows Vista x64 Edition Service Pack 2[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows Server 2008 for x64-based Systems Service Pack 2[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems Service Pack 1[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems Service Pack 1[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1[1] No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 Important Remote Code Execution Important Elevation of Privilege Not applicable Not applicable Important  Remote Code Execution Not applicable
Windows Server 2008 for x64-based Systems Service Pack 2 Important  Remote Code Execution Important Elevation of Privilege Not applicable Not applicable Important  Remote Code Execution Not applicable
Windows Server 2008 R2 for x64-based Systems Important  Remote Code Execution Important Elevation of Privilege Not applicable Not applicable Not applicable Not applicable
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Important  Remote Code Execution Important Elevation of Privilege Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 No severity rating[2] Not applicable Not applicable Not applicable Not applicable Not applicable
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 No severity rating[2] Not applicable Critical  Remote Code Execution Moderate  Denial of Service Not applicable Not applicable
Microsoft Office
Microsoft Office 2003 Service Pack 3 Important  Remote Code Execution Important  Remote Code Execution Not applicable Not applicable Important  Remote Code Execution Important  Remote Code Execution
Microsoft Office 2007 Service Pack 2 Important  Remote Code Execution Important  Remote Code Execution Not applicable Not applicable Important  Remote Code Execution Important  Remote Code Execution
Microsoft Office 2007 Service Pack 3 Important  Remote Code Execution Important  Remote Code Execution Not applicable Not applicable Important  Remote Code Execution Important  Remote Code Execution
Microsoft Office 2010 (32-bit editions) Important  Remote Code Execution Important  Remote Code Execution Not applicable Not applicable Important  Remote Code Execution Not applicable
Microsoft Office 2010 Service Pack 1 (32-bit editions) Important  Remote Code Execution Important  Remote Code Execution Not applicable Not applicable Important  Remote Code Execution Not applicable
Microsoft Office 2010 (64-bit editions) Important  Remote Code Execution Important  Remote Code Execution Not applicable Not applicable Important  Remote Code Execution Not applicable
Microsoft Office 2010 Service Pack 1 (64-bit editions) Important  Remote Code Execution Important  Remote Code Execution Not applicable Not applicable Important  Remote Code Execution Not applicable
Microsoft Silverlight 4
Microsoft Silverlight 4 when installed on Mac Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Microsoft Silverlight 4 when installed on all supported releases of Microsoft Windows clients Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Microsoft Silverlight 4 when installed on all supported releases of Microsoft Windows servers Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Microsoft Silverlight 5
Microsoft Silverlight 5 when installed on Mac Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows clients Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows servers Critical  Remote Code Execution Critical  Remote Code Execution Not applicable Not applicable Not applicable Not applicable

Table 2

Affected Software Silverlight Double-Free Vulnerability - CVE-2012-0176 Windows and Messages Vulnerability - CVE-2012-0180 Keyboard Layout File Vulnerability - CVE-2012-0181 Scrollbar Calculation Vulnerability - CVE-2012-1848 Aggregate Severity Rating
Windows XP
Windows XP Service Pack 3 (Tablet PC Edition 2005 only) Not applicable Not applicable Not applicable Not applicable Important
Windows XP Service Pack 3 Not applicable Important  Elevation of Privilege Important  Elevation of Privilege Important  Elevation of Privilege Critical
Windows XP Professional x64 Edition Service Pack 2 Not applicable Important  Elevation of Privilege Important  Elevation of Privilege Important  Elevation of Privilege Critical
Windows Server 2003
Windows Server 2003 Service Pack 2 Not applicable Important  Elevation of Privilege Important  Elevation of Privilege Important  Elevation of Privilege Critical
Windows Server 2003 x64 Edition Service Pack 2 Not applicable Important  Elevation of Privilege Important  Elevation of Privilege Important  Elevation of Privilege Critical
Windows Server 2003 with SP2 for Itanium-based Systems Not applicable Important  Elevation of Privilege Important  Elevation of Privilege Important  Elevation of Privilege Critical
Windows Vista
Windows Vista Service Pack 2 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows Vista x64 Edition Service Pack 2 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows Server 2008 for x64-based Systems Service Pack 2 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows Server 2008 for Itanium-based Systems Service Pack 2 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows 7
Windows 7 for 32-bit Systems Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows 7 for 32-bit Systems Service Pack 1 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows 7 for x64-based Systems Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows 7 for x64-based Systems Service Pack 1 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows Server 2008 R2 for Itanium-based Systems Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Critical
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows XP Service Pack 3 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows XP Professional x64 Edition Service Pack 2 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows Server 2003 Service Pack 2 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows Server 2003 x64 Edition Service Pack 2 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Vista Service Pack 2 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Vista x64 Edition Service Pack 2 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 4
Microsoft .NET Framework 4 when installed on Windows XP Service Pack 3[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows XP Professional x64 Edition Service Pack 2[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows Server 2003 Service Pack 2[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows Server 2003 x64 Edition Service Pack 2[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows Vista Service Pack 2[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows Vista x64 Edition Service Pack 2[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows Server 2008 for x64-based Systems Service Pack 2[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems Service Pack 1[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems Service Pack 1[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems[1] Not applicable Not applicable Not applicable Not applicable Critical
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1[1] Not applicable Not applicable Not applicable Not applicable Critical
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Important
Windows Server 2008 for x64-based Systems Service Pack 2 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Important
Windows Server 2008 R2 for x64-based Systems Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Important
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Not applicable Important  Elevation of Privilege Moderate  Denial of Service Important  Elevation of Privilege Important
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 Not applicable Not applicable Not applicable Not applicable No severity rating
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 Not applicable Not applicable Not applicable Not applicable Critical
Microsoft Office
Microsoft Office 2003 Service Pack 3 Not applicable Not applicable Not applicable Not applicable Important
Microsoft Office 2007 Service Pack 2 Not applicable Not applicable Not applicable Not applicable Important
Microsoft Office 2007 Service Pack 3 Not applicable Not applicable Not applicable Not applicable Important
Microsoft Office 2010 (32-bit editions) Not applicable Not applicable Not applicable Not applicable Important
Microsoft Office 2010 Service Pack 1 (32-bit editions) Not applicable Not applicable Not applicable Not applicable Important
Microsoft Office 2010 (64-bit editions) Not applicable Not applicable Not applicable Not applicable Important
Microsoft Office 2010 Service Pack 1 (64-bit editions) Not applicable Not applicable Not applicable Not applicable Important
Microsoft Silverlight 4
Microsoft Silverlight 4 when installed on Mac Not applicable Not applicable Not applicable Not applicable Critical
Microsoft Silverlight 4 when installed on all supported releases of Microsoft Windows clients Critical  Remote Code Execution Not applicable Not applicable Not applicable Critical
Microsoft Silverlight 4 when installed on all supported releases of Microsoft Windows servers Critical  Remote Code Execution Not applicable Not applicable Not applicable Critical
Microsoft Silverlight 5
Microsoft Silverlight 5 when installed on Mac Not applicable Not applicable Not applicable Not applicable Critical
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows clients Not applicable Not applicable Not applicable Not applicable Critical
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows servers Not applicable Not applicable Not applicable Not applicable Critical

[1].NET Framework 4 and .NET Framework 4 Client Profile affected. The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. .NET Framework 4 Client Profile is a subset of .NET Framework 4. The vulnerability addressed in this update affects both .NET Framework 4 and .NET Framework 4 Client Profile. For more information, see the MSDN article, Installing the .NET Framework.

[2]Severity ratings do not apply to this update for the specified software because there are no known attack vectors for the vulnerability discussed in this bulletin. However, as a defense-in-depth measure, Microsoft recommends that customers of this software apply this security update.

TrueType Font Parsing Vulnerability - CVE-2011-3402

A remote code execution vulnerability exists in the way that affected components handle a specially crafted TrueType font file. The vulnerability could allow remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2011-3402.

Mitigating Factors for TrueType Font Parsing Vulnerability - CVE-2011-3402

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, which disables font download by default. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario. The vulnerability could also be exploited if a user opens an attachment that is sent in an email message.

Workarounds for TrueType Font Parsing Vulnerability - CVE-2011-3402

Microsoft has not identified any workarounds for this vulnerability.

FAQ for TrueType Font Parsing Vulnerability - CVE-2011-3402

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
The vulnerability is caused by the incorrect handling of specially crafted TTF files.

What is TrueType?
TrueType is a digital font technology used in Microsoft operating systems.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
There are multiple means that could allow an attacker to exploit this vulnerability.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file.

What systems are primarily at risk from the vulnerability?
Workstations and servers are at risk for this vulnerability.

What does the update do?
The update addresses the vulnerability by correcting the manner in which specially crafted TTF files are handled.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2011-3402.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Although this vulnerability has previously been exploited through limited, targeted attacks, the exploited attack vectors were addressed in MS11-087, Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417). Microsoft had not received any information to indicate that the attack vectors addressed in this bulletin had been publicly used to attack customers when this security bulletin was originally issued.

TrueType Font Parsing Vulnerability - CVE-2012-0159

A remote code execution vulnerability exists in the way that affected components handle a specially crafted TrueType font file. The vulnerability could allow remote code execution if a user opens a specially crafted TrueType font file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-0159.

Mitigating Factors for TrueType Font Parsing Vulnerability - CVE-2012-0159

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • In a web browsing attack scenario, an attacker could host a website that contains a web page that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, which disables font download by default. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario. The vulnerability could also be exploited if a user opens an attachment that is sent in an email message.

Workarounds for TrueType Font Parsing Vulnerability - CVE-2012-0159

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

  • Deny access to T2EMBED.DLL

    Note Before applying this workaround, users should apply the latest Microsoft security updates. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you.

    Note For this workaround, commands for Windows XP and Windows Server 2003 may only work in English language versions of these operating systems.

    Note This workaround only mitigates the web-based and file sharing attack scenarios related to the Windows Kernel-Mode Drivers. The local Kernel-Mode Drivers attack scenario, and all other attack scenarios that leverage code in other affected Windows components, Microsoft Office and Microsoft Silverlight will not be mitigated by this workaround.

    Note See Microsoft Knowledge Base Article 2639417 to use the automated Microsoft Fix it solution to enable or disable this workaround to deny access to t2embed.dll.

    On Windows XP and Windows Server 2003:

    • For 32-bit systems, enter the following command at an administrative command prompt:

      Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

    • For 64-bit systems, enter the following commands from an administrative command prompt:

      Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

      Echo y| cacls "%windir%\syswow64\t2embed.dll" /E /P everyone:N

    On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

    • For 32-bit systems, enter the following commands at an administrative command prompt:

      Takeown.exe /f "%windir%\system32\t2embed.dll"

      Icacls.exe "%windir%\system32\t2embed.dll" /deny *S-1-1-0:(F)

    • For 64-bit systems, enter the following commands at an administrative command prompt:

      Takeown.exe /f "%windir%\system32\t2embed.dll"

      Icacls.exe "%windir%\system32\t2embed.dll" /deny *S-1-1-0:(F)

      Takeown.exe /f "%windir%\syswow64\t2embed.dll"

      Icacls.exe "%windir%\syswow64\t2embed.dll" /deny *S-1-1-0:(F)

    Impact of Workaround. 

    • Applications that rely on embedded font technology will fail to display properly.
    • After applying this workaround, users of Windows XP and Windows Server 2003 may be reoffered the KB982132 and KB972270 security updates. These reoffered updates will fail to install. The reoffering is a detection logic issue and users who have successfully applied both the KB982132 and KB972270 security updates previously can ignore the reoffer.
    • Applications with functionality that relies on T2EMBED.DLL, such as generating PDF files, may fail to work as expected. For example, Microsoft Office software will fail to generate PDF files.
    • Microsoft Office 2003 software with the Microsoft Office Compatibility Pack may fail to open PowerPoint 2007 (.pptx) files; instead, generating the message, "This file was created by a newer version of Microsoft PowerPoint. Do you want to download a compatibility pack so that you can work with this file?", even though the Microsoft Office Compatibility Pack is already installed.

    How to undo the workaround.

    On Windows XP and Windows Server 2003:

    • For 32-bit systems, enter the following command at an administrative command prompt:

      cacls "%windir%\system32\t2embed.dll" /E /R everyone

    • For 64-bit systems, enter the following commands at an administrative command prompt:

      cacls "%windir%\system32\t2embed.dll" /E /R everyone

      cacls "%windir%\syswow64\t2embed.dll" /E /R everyone

    On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

    • For 32-bit systems, enter the following command at an administrative command prompt:

      Icacls.exe "%windir%\system32\t2embed.DLL" /remove:d *S-1-1-0

    • For 64-bit systems, enter the following commands at an administrative command prompt:

      Icacls.exe "%windir%\system32\t2embed.DLL" /remove:d *S-1-1-0

      Icacls.exe "%windir%\syswow64\t2embed.DLL" /remove:d *S-1-1-0

FAQ for TrueType Font Parsing Vulnerability - CVE-2012-0159

What is the scope of the vulnerability?
This is a remote code execution vulnerability.

What causes the vulnerability?
The vulnerability is caused by the incorrect handling of specially crafted TTF files.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability through the Windows Kernel-Mode Drivers could run arbitrary code in kernel mode and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

An attacker who successfully exploited the vulnerability through Microsoft Silverlight, Microsoft Office or other affected Windows components could gain the same user rights as the current user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
There are multiple means that could allow an attacker to exploit this vulnerability.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file.

In a local attack scenario, an attacker could also exploit this vulnerability by running a specially crafted application to take complete control over the affected system. However, the attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability in this scenario.

What systems are primarily at risk from the vulnerability?
Workstations and Servers are at risk for this vulnerability.

What does the update do?
The update addresses the vulnerability by correcting the manner in which specially crafted TTF files are handled.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

.NET Framework Buffer Allocation Vulnerability - CVE-2012-0162

A remote code execution vulnerability exists in Microsoft .NET Framework that can allow a specially crafted Microsoft .NET Framework application to access memory in an unsafe manner. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-0162.

Mitigating Factors for .NET Framework Buffer Allocation Vulnerability - CVE-2012-0162

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability only on Windows Server 2008 and Windows Server 2008 R2, and only in a web browsing attack scenario. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.
  • On systems where MS11-044 has been applied, users will be prompted before XBAP applications will execute when in the Internet Zone of Internet Explorer. A user must click through this prompt in order to run the XBAP application on their system.

Workarounds for .NET Framework Buffer Allocation Vulnerability - CVE-2012-0162

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

  • Disable XAML browser applications in Internet Explorer

    To help protect against this vulnerability, change your settings to prompt before running XAML browser applications (XBAPs) or to disable XBAPs in the Internet and Local intranet security zones as follows:

    1. In Internet Explorer, click the Tools menu and then select Internet Options.
    2. Click the Security tab, click Internet, and then click Custom level. Under Settings, for Loose XAML, click Prompt or Disable, and then click OK.
    3. Click the Security tab, click Internet, and then click Custom level. Under Settings, for XAML browser applications, click Prompt or Disable, and then click OK.
    4. Click the Security tab, click Internet, and then click Custom level. Under Settings, for XPS documents, click Prompt or Disable, and then click OK.
    5. On the Security tab, click Custom level. Under .NET Framework-reliant components, set Run components not signed with Authenticode to either Prompt or Disable, and then click OK. Repeat this step for Run components signed with Authenticode, and then click OK.
    6. Click Local intranet, and then click Custom Level. Repeat steps 3 and 4. If you are prompted to confirm that you want to change these settings, click Yes. Click OK to return to Internet Explorer.

    Impact of workaround. Microsoft .NET code will not run in Internet Explorer or will not run without prompting. Disabling Microsoft .NET applications and components in the Internet and Local intranet security zones may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

    Add sites that you trust to the Internet Explorer Trusted sites zone

    After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted websites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

    To do this, perform the following steps:

    1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
    2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
    3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
    4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
    5. Repeat these steps for each site that you want to add to the zone.
    6. Click OK two times to accept the changes and return to Internet Explorer.

    Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

    How to undo the workaround. Perform the following steps:

    1. In Internet Explorer, click the Tools menu, and then select Internet Options.
    2. Click the Security tab, click Reset all zones to default level, and then click OK.

FAQ for .NET Framework Buffer Allocation Vulnerability - CVE-2012-0162

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
The vulnerability is caused when the Microsoft .NET Framework improperly allocates a buffer in memory.

What might an attacker use the vulnerability to do?
In the web browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
There are two attack scenarios possible for exploiting this vulnerability: a web browsing scenario and a Windows .NET application bypass of Code Access Security (CAS) restrictions. These scenarios are described as follows:

  • Web browsing attack scenario
    An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems.
  • Windows .NET applications attack scenario
    This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

What is an XAML Browser Application (XBAP)?
An XAML browser application (XBAP) combines features of both a web application and a rich-client application. Like web applications, XBAPs can be published to a web server and launched from Internet Explorer. Like rich-client applications, XBAPs can take advantage of the capabilities of Windows Presentation Foundation (WPF). For more information about XBAPs, see MSDN article, Windows Presentation Foundation XAML Browser Applications Overview.

What are .NET Framework Code Access Security (CAS) Restrictions?
The .NET Framework provides a security mechanism called code access security to help protect computer systems from malicious mobile code, to allow code from unknown origins to run with protection, and to help prevent trusted code from intentionally or accidentally compromising security. Code access security (CAS) enables code to be trusted to varying degrees depending on where the code originates and on other aspects of the code's identity. Code access security also enforces the varying levels of trust on code, which minimizes the amount of code that must be fully trusted in order to run. Using code access security can reduce the likelihood that your code will be misused by malicious or error-filled code. For more information on CAS, see the MSDN article, Code Access Security.

What systems are primarily at risk from the vulnerability?
There are two types of systems at risk from this vulnerability, described as follows: systems that are using the web browsing scenario and systems that are using the Windows .NET applications scenario.

  • Web browsing scenario
    Successful exploitation of this vulnerability requires that a user is logged on and is visiting websites using a web browser capable of instantiating XBAPs. Therefore, any systems where a web browser is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to browse and read email on servers. However, best practices strongly discourage allowing this.
  • Windows .NET applications
    Workstations and server that run untrusted Windows .NET applications are also at risk from this vulnerability.

I am running Internet Explorer for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Does this mitigate this vulnerability?
Yes. By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server. This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.

What does the update do?
The update addresses the vulnerability by correcting the manner in which the Microsoft .NET Framework allocates buffer space in memory.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

.NET Framework Index Comparison Vulnerability - CVE-2012-0164

A denial of service vulnerability exists in the way that .NET Framework compares the value of an index. An attacker who successfully exploited this vulnerability could cause applications created using WPF APIs to stop responding until manually restarted. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights in any fashion.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-0164.

Mitigating Factors for .NET Framework Index Comparison Vulnerability - CVE-2012-0164

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds for .NET Framework Index Comparison Vulnerability - CVE-2012-0164

Microsoft has not identified any workarounds for this vulnerability.

FAQ for .NET Framework Index Comparison Vulnerability - CVE-2012-0164

What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected application to stop responding until it is manually restarted. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights in any fashion.

What causes the vulnerability?
The vulnerability is caused when the .NET Framework improperly compares the value of an index within a WPF application.

What is the Windows Presentation Foundation (WPF)?
Windows Presentation Foundation (WPF) is a next-generation presentation system for building Windows client applications with rich user experiences. With WPF, you can create a wide range of both standalone and browser-hosted applications. For more information about WPF, see the MSDN article, Introduction to WPF.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause applications created using WPF APIs that are running on a user's system to stop responding until manually restarted.

How could an attacker exploit the vulnerability?
An unauthenticated attacker could send a small number of specially crafted requests to an affected site, causing a denial of service condition.

What systems are primarily at risk from the vulnerability?
Workstations and servers running WPF APIs are primarily at risk from this issue.

What does the update do?
The update addresses the vulnerability by correcting the manner in which the .NET Framework compares index values within a WPF application.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2012-0164.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

GDI+ Record Type Vulnerability - CVE-2012-0165

A remote code execution vulnerability exists in the way that GDI+ handles validation of specially crafted EMF images. The vulnerability could allow remote code execution if a user opens a specially crafted EMF image file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-0165.

Mitigating Factors for GDI+ Record Type Vulnerability - CVE-2012-0165

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • In a web browsing attack scenario, an attacker could host a website that contains a web page that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Workarounds for GDI+ Record Type Vulnerability - CVE-2012-0165

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

  • Disable metafile processing

    Customers who have applied MS07-017 or customers using Windows Vista or Windows Server 2008 can disable metafile processing by modifying the registry. This setting will help protect the affected system from attempts to exploit this vulnerability.

    To modify the key, perform the following steps:

    Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Change Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    1. Click Start, click Run, type Regedit, and then click OK.
    2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
    3. On the Edit menu, select New, and then click DWORD.
    4. Type DisableMetaFiles, and then press ENTER.
    5. On the Edit menu, click Modify to modify the DisableMetaFiles registry entry.
    6. In the Value data box, type 1, and then click OK.
    7. Exit Registry Editor.
    8. Restart the computer.

    To disable metafile processing using a managed deployment script, perform the following steps:

    1. Save the following to a file with a .REG extension (e.g. Disable_MetaFiles.reg):
      Windows Registry Editor Version 5.00
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize]
      "DisableMetaFiles"=dword:00000001
    2. Run the above registry script on the target machine with the following command from an administrator command prompt:
      Regedit.exe /s Disable_MetaFiles.reg
    3. Restart the computer.

    Impact of workaround. Turning off processing of metafiles may cause the performance of software or system components to decrease in functionality. Turning off processing of metafiles may also cause the software or system components to fail completely. Evaluate the applicability of this workaround. Examples of adverse results include the following:

    • You cannot print on the computer.
    • Some applications on the computer may be unable to display Clipart.
    • Some applications that involve OLE rendering may break, especially when the object server is not active.

    For more information on this setting, read Microsoft Knowledge Base Article 941835.

    How to undo the workaround. Perform the following steps:

    1. Click Start, click Run, type Regedit, and then click OK.
    2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
    3. On the Edit menu, click Modify on the DisableMetaFiles registry entry.
    4. In the Value data box, type 0, and then click OK.
    5. Exit Registry Editor.
    6. Restart the computer.

FAQ for GDI+ Record Type Vulnerability - CVE-2012-0165

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
The vulnerability is caused by GDI+ improperly handling the validation of specially crafted EMF images.

What is GDI+?
GDI+ is a graphics device interface that provides two-dimensional vector graphics, imaging, and typography to applications and programmers.

What is the Enhanced Metafile (EMF) image format?
EMF is a 32-bit format that can contain both vector information and bitmap information. This format is an improvement over the Windows Metafile Format (WMF) and contains extended features.

For more information about image types and formats, see Microsoft Knowledge Base Article 320314. For additional information about graphics file formats, see MSDN article, Metafiles.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. This can also include compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems.

In an email attack scenario, an attacker could exploit the vulnerability by sending Outlook users a specially crafted email, or by sending a specially crafted Office Document to the user and by convincing the user to open the file or read the message.

Attackers could also exploit this vulnerability by hosting a malicious image on a network share and then convincing a user to browse to the folder in Windows Explorer.

What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user is logged on and reading email messages, visiting websites, or opening files from a network share for any malicious action to occur. Therefore, any systems where email messages are read, where Internet Explorer is used frequently, or where users have network share access, such as workstations or terminal servers, are at the most risk from this vulnerability. Systems that are not typically used to visit websites, such as most server systems, are at a reduced risk.

What does the update do?
The update addresses the vulnerability by correcting the manner in which GDI+ validates specially crafted EMF record types.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

GDI+ Heap Overflow Vulnerability - CVE-2012-0167

A remote code execution vulnerability exists in the way that the Office GDI+ library handles validation of specially crafted EMF images embedded within an Office document. The vulnerability could allow remote code execution if a user opens a specially crafted Office document. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-0167.

Mitigating Factors for GDI+ Heap Overflow Vulnerability - CVE-2012-0167

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Workarounds for GDI+ Heap Overflow Vulnerability - CVE-2012-0167

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

  • Disable metafile processing

    Customers who have applied MS07-017 or customers using Windows Vista or Windows Server 2008 can disable metafile processing by modifying the registry. This setting will help protect the affected system from attempts to exploit this vulnerability.

    To modify the key, perform the following steps:

    Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    1. Click Start, click Run, type Regedit, and then click OK.
    2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
    3. On the Edit menu, select New, and then click DWORD.
    4. Type DisableMetaFiles, and then press ENTER.
    5. On the Edit menu, click Modify to modify the DisableMetaFiles registry entry.
    6. In the Value data box, type 1, and then click OK.
    7. Exit Registry Editor.
    8. Restart the computer.

    To disable metafile processing using a managed deployment script, perform the following steps:

    1. Save the following to a file with a .REG extension (e.g. Disable_MetaFiles.reg):
      Windows Registry Editor Version 5.00
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize]
      "DisableMetaFiles"=dword:00000001
    2. Run the above registry script on the target machine with the following command from an administrator command prompt:
      Regedit.exe /s Disable_MetaFiles.reg
    3. Restart the computer.

    Impact of workaround. Turning off processing of metafiles may cause the performance of software or system components to decrease in functionality. Turning off processing of metafiles may also cause the software or system components to fail completely. Evaluate the applicability of this workaround. Examples of adverse results include the following:

    • You cannot print on the computer.
    • Some applications on the computer may be unable to display Clipart.
    • Some applications that involve OLE rendering may break, especially when the object server is not active.

    For more information on this setting, read Microsoft Knowledge Base Article 941835.

    How to undo the workaround. Perform the following steps:

    1. Click Start, click Run, type Regedit, and then click OK.
    2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
    3. On the Edit menu, click Modify on the DisableMetaFiles registry entry.
    4. In the Value data box, type 0, and then click OK.
    5. Exit Registry Editor.
    6. Restart the computer.

FAQ for GDI+ Heap Overflow Vulnerability - CVE-2012-0167

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
The vulnerability is caused by GDI+ improperly handling the validation of specially crafted EMF images within a Microsoft Office file.

What is GDI+?
GDI+ is a graphics device interface that provides two-dimensional vector graphics, imaging, and typography to applications and programmers.

What is the Enhanced Metafile (EMF) image format?
EMF is a 32-bit format that can contain both vector information and bitmap information. This format is an improvement over the Windows Metafile Format (WMF) and contains extended features.

For more information about image types and formats, see Microsoft Knowledge Base Article 320314. For additional information about graphics file formats, see MSDN article, Metafiles.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
This vulnerability requires that a user open a specially crafted Office document with an affected version of Microsoft Office.

In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Office file to the user and by convincing the user to open the file.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Office document that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link that takes them to the attacker's website, and then convinced them to open a specially crafted Office document.

What systems are primarily at risk from the vulnerability?
Systems where Microsoft Office is used, including workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update addresses the vulnerability by correcting the manner in which GDI+ validates specially crafted EMF images embedded within a Microsoft Office file.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Silverlight Double-Free Vulnerability - CVE-2012-0176

A remote code execution vulnerability exists in Microsoft Silverlight that can allow a specially crafted Silverlight application to access memory in an unsafe manner. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-0176.

Mitigating Factors for Silverlight Double-Free Vulnerability - CVE-2012-0176

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability only on Windows Server 2008 and Windows Server 2008 R2, and only in a web browsing attack scenario. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Workarounds for Silverlight Double-Free Vulnerability - CVE-2012-0176

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

  • Temporarily prevent the Microsoft Silverlight ActiveX control from running in Internet Explorer (Method 1)

    You can help protect against these vulnerabilities by temporarily preventing attempts to instantiate the Silverlight ActiveX control in Internet Explorer by setting the kill bit for the control.

    Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    We recommend that you back up the registry before you edit it.

    Use the following text to create a .reg file that temporarily prevents attempts to instantiate the Silverlight ActiveX control in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DFEAF541-F3E1-4C24-ACAC-99C30715084A}]
    "Compatibility Flags"=dword:00000400
    

    Close Internet Explorer and reopen it for the changes to take effect.

    For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Silverlight ActiveX control from running in Internet Explorer.

    Impact of workaround. Applications and websites that require the Microsoft Silverlight ActiveX control may no longer function correctly. If you implement this workaround it would affect any Silverlight ActiveX control you have installed on your system.

    How to undo the workaround. Remove the registry keys added to temporarily prevent attempts to instantiate the Silverlight ActiveX control in Internet Explorer.

  • Temporarily prevent the Microsoft Silverlight ActiveX control from running in Firefox or Chrome

    To modify the registry key to disable Microsoft Silverlight, follow these steps:

    Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    • Using the Interactive Method

      1. Click Start, click Run, type Regedit in the Open box, and then click OK.

      2. Locate and then click the following registry subkey:

        HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0

      3. Right click on @Microsoft.com/NpCtrl,version=1.0 and select Export. Save the file to disk.

      4. Delete the entire @Microsoft.com/NpCtrl,version=1.0 key.

      5. Quit the registry editor.

    • Using a registry file

      1. Create a backup copy of the registry keys. A backup copy can be made using a managed deployment script with the following command:

        Regedit.exe /e SL_backup.reg HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0
        
      2. Save the following to a file with a .REG extension (e.g. Disable_Silverlight.reg):

        Windows Registry Editor Version 5.00
        [-HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0]
        
      3. Run the above registry script created in step 2 on the target system with the following command:

        Regedit /s Disable_Silverlight.reg

    How to undo the workaround.

    • Using the Interactive Method

      1. Click Start, click Run, type Regedit in the Open box, and then click OK.
      2. On the File menu, click Import.
      3. In Look in, select the drive, folder, or network computer and folder where the file you previously exported is located.
      4. Select the correct file name and then click Open.
    • Using a Managed Deployment Script

      Restore the file backed up in Using a registry file Step 1, above, with the following command:

      Regedit /s SL_backup.reg

FAQ for Silverlight Double-Free Vulnerability - CVE-2012-0176

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
The vulnerability is caused by Microsoft Silverlight incorrectly freeing memory while rendering specially crafted XAML glyphs.

What is Microsoft Silverlight?
Microsoft Silverlight is a cross-browser, cross-platform implementation of the Microsoft .NET Framework for building media experiences and rich interactive applications for the web. For more information, see the official site of Microsoft Silverlight.

What are XAML Glyphs?
Windows Presentation Foundation (WPF) provides advanced text support including glyph-level markup with direct access to Glyphs for customers who want to intercept and persist text after formatting. These features provide critical support for the different text rendering requirements in each of the following scenarios: screen display of fixed-format documents, print scenarios, and fixed-format document representation, including clients for previous versions of Windows and other computing devices. For more information, see the MSDN article, Introduction to the GlyphRun Object and Glyphs Element.

What is a "double free" condition?
A double free condition is a condition in which a program is caused to release or free allocated memory more than once. Releasing memory that has already been freed could lead to memory corruption. An attacker could add arbitrary code to memory that is then executed when the corruption occurs. This code could then be executed at a system level of privilege.

Typically, this vulnerability causes a denial of service to occur. However, in some circumstances, it could cause code execution to occur. Because of the unique layout of the memory on each affected system, exploiting this vulnerability on a mass scale could be difficult.

What might an attacker use the vulnerability to do?
In the web browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems.

What systems are primarily at risk from the vulnerability?
Successful exploitation of this vulnerability requires that a user is logged on and is visiting websites using a web browser capable of instantiating Silverlight applications. Therefore, any systems where a web browser is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to browse and read email on servers. However, best practices strongly discourage allowing this.

I am running Internet Explorer for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Does this mitigate this vulnerability?
Yes. By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server. This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.

What does the update do?
The update addresses this issue by correcting the manner in which Microsoft Silverlight resets pointers when freeing memory.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Windows and Messages Vulnerability - CVE-2012-0180

An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver manages the functions related to Windows and Messages handling. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-0180.

Mitigating Factors for Windows and Messages Vulnerability - CVE-2012-0180

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Workarounds for Windows and Messages Vulnerability - CVE-2012-0180

Microsoft has not identified any workarounds for this vulnerability.

FAQ for Windows and Messages Vulnerability - CVE-2012-0180

What is the scope of the vulnerability?
This is an elevation of privilege vulnerability.

What is the component affected by the vulnerability?
The component affected by this vulnerability is the Windows kernel-mode driver (win32k.sys).

What causes the vulnerability?
The vulnerability is caused when the Windows kernel-mode driver improperly handles input passed from user-mode functions.

What is the Windows kernel-mode driver (win32k.sys)?
Win32k.sys is a kernel-mode device driver and is the kernel part of the Windows subsystem. It contains the window manager, which controls window displays; manages screen output; collects input from the keyboard, mouse, and other devices; and passes user messages to applications. It also contains the Graphics Device Interface (GDI), which is a library of functions for graphics output devices. Finally, it serves as a wrapper for DirectX support that is implemented in another driver (dxgkrnl.sys).

What is the Windows kernel?
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process. If this process runs with administrator privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update addresses the vulnerability by correcting the way that the Windows kernel-mode driver handles data passed from user-mode functions.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Keyboard Layout File Vulnerability - CVE-2012-0181

An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver manages Keyboard Layout files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-0181.

Mitigating Factors for Keyboard Layout File Vulnerability - CVE-2012-0181

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Workarounds for Keyboard Layout File Vulnerability - CVE-2012-0181

Microsoft has not identified any workarounds for this vulnerability.

FAQ for Keyboard Layout File Vulnerability - CVE-2012-0181

What is the scope of the vulnerability?
This is an elevation of privilege vulnerability.

What is the component affected by the vulnerability?
The component affected by this vulnerability is the Windows kernel-mode driver (win32k.sys).

What causes the vulnerability?
The vulnerability is caused when the Windows kernel-mode driver improperly handles Keyboard Layout files.

What is the Windows kernel-mode driver (win32k.sys)?
Win32k.sys is a kernel-mode device driver and is the kernel part of the Windows subsystem. It contains the window manager, which controls window displays; manages screen output; collects input from the keyboard, mouse, and other devices; and passes user messages to applications. It also contains the Graphics Device Interface (GDI), which is a library of functions for graphics output devices. Finally, it serves as a wrapper for DirectX support that is implemented in another driver (dxgkrnl.sys).

What is the Windows kernel?
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process. If this process runs with administrator privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update addresses the vulnerability by correcting the way that the Windows kernel-mode driver handles Keyboard Layout files.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2012-0181.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Scrollbar Calculation Vulnerability - CVE-2012-1848

An elevation of privilege vulnerability exists in the Windows kernel-mode driver. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-1848.

Mitigating Factors for Scrollbar Calculation Vulnerability - CVE-2012-1848

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Workarounds for Scrollbar Calculation Vulnerability - CVE-2012-1848

Microsoft has not identified any workarounds for this vulnerability.

FAQ for Scrollbar Calculation Vulnerability - CVE-2012-1848

What is the scope of the vulnerability?
This is an elevation of privilege vulnerability.

What is the component affected by the vulnerability?
The component affected by this vulnerability is the Windows kernel-mode driver (win32k.sys).

What causes the vulnerability?
The vulnerability is caused when the Windows kernel-mode driver improperly handles input passed from user-mode functions.

What is the Windows kernel-mode driver (win32k.sys)?
Win32k.sys is a kernel-mode device driver and is the kernel part of the Windows subsystem. It contains the window manager, which controls window displays; manages screen output; collects input from the keyboard, mouse, and other devices; and passes user messages to applications. It also contains the Graphics Device Interface (GDI), which is a library of functions for graphics output devices. Finally, it serves as a wrapper for DirectX support that is implemented in another driver (dxgkrnl.sys).

What is the Windows kernel?
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process. If this process runs with administrator privileges, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update addresses the vulnerability by correcting the way that the Windows kernel-mode driver handles data passed from user-mode functions.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Update Information

Detection and Deployment Tools and Guidance

Security Central

Manage the software and security updates you need to deploy to the servers, desktop, and mobile systems in your organization. For more information see the TechNet Update Management Center. The Microsoft TechNet Security website provides additional information about security in Microsoft products.

Security updates are available from Microsoft Update and Windows Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update."

Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as, "MS07-036"), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

Detection and Deployment Guidance

Microsoft provides detection and deployment guidance for security updates. This guidance contains recommendations and information that can help IT professionals understand how to use various tools for detection and deployment of security updates. For more information, see Microsoft Knowledge Base Article 961747.

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

The following table provides the MBSA detection summary for this security update.

Software MBSA
Windows XP Service Pack 3 Yes
Windows XP Professional x64 Edition Service Pack 2 Yes
Windows Server 2003 Service Pack 2 Yes
Windows Server 2003 x64 Edition Service Pack 2 Yes
Windows Server 2003 with SP2 for Itanium-based Systems Yes
Windows Vista Service Pack 2 Yes
Windows Vista x64 Edition Service Pack 2 Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 Yes
Windows Server 2008 for x64-based Systems Service Pack 2 Yes
Windows Server 2008 for Itanium-based Systems Service Pack 2 Yes
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 Yes
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 Yes
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 Yes
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Yes
Microsoft Office 2003 Service Pack 3 Yes
Microsoft Office 2007 Service Pack 2 Yes
Microsoft Office 2007 Service Pack 3 Yes
Microsoft Office 2010 (32-bit editions) Yes
Microsoft Office 2010 Service Pack 1 (32-bit editions) Yes
Microsoft Office 2010 (64-bit editions) Yes
Microsoft Office 2010 Service Pack 1 (64-bit editions) Yes
Microsoft Silverlight 4 when installed on Mac No
Microsoft Silverlight 4 when installed on all supported releases of Microsoft Windows clients Yes
Microsoft Silverlight 4 when installed on all supported releases of Microsoft Windows servers Yes
Microsoft Silverlight 5 when installed on Mac No
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows clients Yes
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows servers Yes

Note For customers using legacy software not supported by the latest release of MBSA, Microsoft Update, and Windows Server Update Services, please visit Microsoft Baseline Security Analyzer and reference the Legacy Product Support section on how to create comprehensive security update detection with legacy tools.

Windows Server Update Services

Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. For more information about how to deploy security updates using Windows Server Update Services, see the TechNet article, Windows Server Update Services.

Systems Management Server

The following table provides the SMS detection and deployment summary for this security update.

Software SMS 2003 with ITMU Configuration Manager 2007
Windows XP Service Pack 3 Yes Yes
Windows XP Professional x64 Edition Service Pack 2 Yes Yes
Windows Server 2003 Service Pack 2 Yes Yes
Windows Server 2003 x64 Edition Service Pack 2 Yes Yes
Windows Server 2003 with SP2 for Itanium-based Systems Yes Yes
Windows Vista Service Pack 2 Yes Yes
Windows Vista x64 Edition Service Pack 2 Yes Yes
Windows Server 2008 for 32-bit Systems Service Pack 2 Yes Yes
Windows Server 2008 for x64-based Systems Service Pack 2 Yes Yes
Windows Server 2008 for Itanium-based Systems Service Pack 2 Yes Yes
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1 Yes Yes
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1 Yes Yes
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1 Yes Yes
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Yes Yes
Microsoft Office 2003 Service Pack 3 Yes Yes
Microsoft Office 2007 Service Pack 2 Yes Yes
Microsoft Office 2007 Service Pack 3 Yes Yes
Microsoft Office 2010 (32-bit editions) Yes Yes
Microsoft Office 2010 Service Pack 1 (32-bit editions) Yes Yes
Microsoft Office 2010 (64-bit editions) Yes Yes
Microsoft Office 2010 Service Pack 1 (64-bit editions) Yes Yes
Microsoft Silverlight 4 when installed on Mac No No
Microsoft Silverlight 4 when installed on all supported releases of Microsoft Windows clients Yes Yes
Microsoft Silverlight 4 when installed on all supported releases of Microsoft Windows servers Yes Yes
Microsoft Silverlight 5 when installed on Mac No No
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows clients Yes Yes
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows servers Yes Yes

Note Microsoft discontinued support for SMS 2.0 on April 12, 2011. For SMS 2003, Microsoft also discontinued support for the Security Update Inventory Tool (SUIT) on April 12, 2011. Customers are encouraged to upgrade to System Center Configuration Manager 2007. For customers remaining on SMS 2003 Service Pack 3, the Inventory Tool for Microsoft Updates (ITMU) is also an option.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, see SMS 2003 Inventory Tool for Microsoft Updates. For more information about SMS scanning tools, see SMS 2003 Software Update Scanning Tools. See also Downloads for Systems Management Server 2003.

System Center Configuration Manager 2007 uses WSUS 3.0 for detection of updates. For more information about Configuration Manager 2007 Software Update Management, visit System Center Configuration Manager 2007.

For more information about SMS, visit the SMS website.

For more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.

Note If you have used an Administrative Installation Point (AIP) for deploying Office XP or Office 2003, you may not be able to deploy the update using SMS if you have updated the AIP from the original baseline. For more information, see the Office Administrative Installation Point heading in this section.

Office Administrative Installation Point

If you installed your application from a server location, the server administrator must update the server location with the administrative update and deploy that update to your system.

Update Compatibility Evaluator and Application Compatibility Toolkit

Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit.

The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment.

Security Update Deployment

Affected Software

For information about the specific security update for your affected software, click the appropriate link:

Windows XP (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Deployment  
Installing without user intervention For Windows XP Tablet PC Edition 2005 Service Pack 3:\ WindowsXP-KB2660649-x86-enu.exe /quiet
For Windows XP Service Pack 3:\ WindowsXP-KB2659262-x86-enu.exe /quiet\ WindowsXP-KB2676562-x86-enu.exe /quiet\ WindowsXP-KB2686509-x86-enu.exe /quiet
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows XP Service Pack 3:\ NDP30SP2-KB2656407-x86.exe /quiet
For Microsoft .NET Framework 4 when installed on Windows XP Service Pack 3:\ NDP40-KB2656405-x86.exe /quiet
For Windows XP Professional x64 Edition Service Pack 2:\ WindowsServer2003.WindowsXP-KB2659262-x64-enu.exe /quiet\ WindowsServer2003.WindowsXP-KB2676562-x64-enu.exe /quiet\ WindowsServer2003.WindowsXP-KB2686509-x64-enu.exe /quiet
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows XP Professional x64 Edition Service Pack 2:\ NDP30SP2-KB2656407-x64.exe /quiet
For Microsoft .NET Framework 4 when installed on Windows XP Professional x64 Edition Service Pack 2:\ NDP40-KB2656405-x64.exe /quiet
Installing without restarting For Windows XP Tablet PC Edition 2005 Service Pack 3:\ WindowsXP-KB2660649-x86-enu.exe /norestart
For Windows XP Service Pack 3:\ WindowsXP-KB2659262-x86-enu.exe /norestart\ WindowsXP-KB2676562-x86-enu.exe /norestart\ WindowsXP-KB2686509-x86-enu.exe /norestart
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows XP Service Pack 3:\ NDP30SP2-KB2656407-x86.exe /quiet /norestart
For Microsoft .NET Framework 4 when installed on Windows XP Service Pack 3:\ NDP40-KB2656405-x86.exe /quiet /norestart
For Windows XP Professional x64 Edition Service Pack 2:\ WindowsServer2003.WindowsXP-KB2659262-x64-enu.exe /norestart\ WindowsServer2003.WindowsXP-KB2676562-x64-enu.exe /norestart\ WindowsServer2003.WindowsXP-KB2686509-x64-enu.exe /norestart
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on Windows XP Professional x64 Edition Service Pack 2:\ NDP30SP2-KB2656407-x64.exe /quiet /norestart
For Microsoft .NET Framework 4 when installed on Windows XP Professional x64 Edition Service Pack 2:\ NDP40-KB2656405-x64.exe /quiet /norestart
Update log file For Windows XP Tablet PC Edition 2005 Service Pack 3:\ KB2660649.log
For Windows XP Service Pack 3 and Windows XP Professional x64 Edition Service Pack 2:\ KB2659262.log\ KB2676562.log\ KB2686509.log
For Microsoft .NET Framework 3.0 Service Pack 2:\ Microsoft .NET Framework 3.0-KB2656407_*-msi0.txt\ Microsoft .NET Framework 3.0-KB2656407_*.html
For Microsoft .NET Framework 4:\ KB2656405__-Microsoft .NET Framework 4 Client Profile-MSP0.txt\ KB2656405__.html
Further information See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement  
Restart required? For Windows XP Tablet PC Edition 2005 Service Pack 3, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2:\ Yes, you must restart your system after you apply this security update.
For Microsoft .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 4:\ In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching Not applicable
Removal Information For Windows XP Tablet PC Edition 2005 Service Pack 3:\ Use Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%$NTUninstallKB2660649$\Spuninst folder
For Windows XP Service Pack 3 and Windows XP Professional x64 Edition Service Pack 2:\ Use Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%$NTUninstallKB2659262$\Spuninst folder\ Use Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%$NTUninstallKB2676562$\Spuninst folder\ Use Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%$NTUninstallKB2686509$\Spuninst folder
For all supported versions of Microsoft .NET Framework, use the Add or Remove Programs item in Control Panel.
File Information See Microsoft Knowledge Base Article 2681578
Registry Key Verification For Windows XP Tablet PC Edition 2005 Service Pack 3:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB2660649\Filelist
For all supported 32-bit editions of Windows XP:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB2659262\Filelist\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB2676562\Filelist\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB2686509\Filelist
For all supported x64-based editions of Windows XP:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP3\KB2659262\Filelist\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP3\KB2676562\Filelist\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP3\KB2686509\Filelist
For Microsoft .NET Framework 3.0 Service Pack 2:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 3.0 Service Pack 2\SP2\KB2656407\ "ThisVersionInstalled" = "Y
For Microsoft .NET Framework 4 when installed on Windows XP Service Pack 3:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4 when installed on Windows XP Professional x64 Edition Service Pack 2:\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"

Note The update for supported versions of Windows XP Professional x64 Edition also applies to supported versions of Windows Server 2003 x64 Edition.

Deployment Information

Installing the Update

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE, SP1QFE, or SP2QFE files to your system. Otherwise, the installer copies the RTMGDR, SP1GDR, or SP2GDR files to your system. Security updates may not contain all variations of these files. For more information about this behavior, see Microsoft Knowledge Base Article 824994.

For more information about the installer, see Microsoft Knowledge Base Article 832475.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update for Windows XP supports the following setup switches.

Switch Description
/help Displays the command-line options.
Setup Modes
/passive Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Restarts the computer after installation and force other applications to close at shutdown without saving open files first.
/warnrestart[:x] Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart Displays a dialog box prompting the local user to allow a restart.
Special Options
/overwriteoem Overwrites OEM files without prompting.
/nobackup Does not back up files needed for uninstall.
/forceappsclose Forces other programs to close when the computer shuts down.
/log:path Allows the redirection of installation log files.
/integrate:path Integrates the update into the Windows source files. These files are located at the path that is specified in the switch.
/extract[:path] Extracts files without starting the Setup program.
/ER Enables extended error reporting.
/verbose Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.

This security update for Microsoft .NET Framework supports the following setup switches.

Supported Security Update Installation Switches

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.

Removing the Update

This security update for Windows XP supports the following setup switches.

Switch Description
/help Displays the command-line options.
Setup Modes
/passive Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart Does not restart when installation has completed
/forcerestart Restarts the computer after installation and force other applications to close at shutdown without saving open files first.
/warnrestart[:x] Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart Displays a dialog box prompting the local user to allow a restart.
Special Options
/forceappsclose Forces other programs to close when the computer shuts down.
/log:path Allows the redirection of installation log files.

This security update for Microsoft .NET Framework supports the following setup switches.

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.

Verifying That the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start, and then click Search.
    2. In the Search Results pane, click All files and folders under Search Companion.
    3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
    4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
      Note Depending on the edition of the operating system, or the programs that are installed on your system, some of the files that are listed in the file information table may not be installed.
    5. On the Version tab, determine the version of the file that is installed on your system by comparing it to the version that is documented in the appropriate file information table.
      Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
  • Registry Key Verification

    You may also be able to verify the files that this security update has installed by reviewing the registry keys listed in the Reference Table in this section.

    These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.

Windows Server 2003 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Deployment
Installing without user intervention For all supported 32-bit editions of Windows Server 2003:\ WindowsServer2003-KB2659262-x86-enu.exe /quiet\ WindowsServer2003-KB2676562-x86-enu.exe /quiet\ WindowsServer2003-KB2686509-x86-enu.exe /quiet
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Server 2003:\ NDP30SP2-KB2656407-x86.exe /quiet
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2003:\ NDP40-KB2656405-x86.exe /quiet
  For all supported x64-based editions of Windows Server 2003:\ WindowsServer2003.WindowsXP-KB2659262-x64-enu.exe /quiet\ WindowsServer2003.WindowsXP-KB2676562-x64-enu.exe /quiet\ WindowsServer2003.WindowsXP-KB2686509-x64-enu.exe /quiet
  For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported x64-based editions of Windows Server 2003:\ NDP30SP2-KB2656407-x64.exe /quiet
  For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Server 2003:\ NDP40-KB2656405-x64.exe /quiet
For all supported Itanium-based editions of Windows Server 2003:\ WindowsServer2003-KB2659262-ia64-enu.exe /quiet\ WindowsServer2003-KB2676562-ia64-enu.exe /quiet\ WindowsServer2003-KB2686509-ia64-enu.exe /quiet
Installing without restarting For all supported 32-bit editions of Windows Server 2003:\ WindowsServer2003-KB2659262-x86-enu.exe /norestart\ WindowsServer2003-KB2676562-x86-enu.exe /norestart\ WindowsServer2003-KB2686509-x86-enu.exe /norestart
  For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Server 2003:\ NDP30SP2-KB2656407-x86.exe /quiet /norestart
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2003:\ NDP40-KB2656405-x86.exe /quiet /norestart
For all supported x64-based editions of Windows Server 2003:\ WindowsServer2003.WindowsXP-KB2659262-x64-enu.exe /norestart\ WindowsServer2003.WindowsXP-KB2676562-x64-enu.exe /norestart\ WindowsServer2003.WindowsXP-KB2686509-x64-enu.exe /norestart
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported x64-based editions of Windows Server 2003:\ NDP30SP2-KB2656407-x64.exe /quiet /norestart
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Server 2003:\ NDP40-KB2656405-x64.exe /quiet /norestart
For all supported Itanium-based editions of Windows Server 2003:\ WindowsServer2003-KB2659262-ia64-enu.exe /norestart\ WindowsServer2003-KB2676562-ia64-enu.exe /norestart\ WindowsServer2003-KB2686509-ia64-enu.exe /norestart
Update log file For all supported 32-bit editions of Windows Server 2003:\ KB2659262.log\ KB2676562.log\ KB2686509.log
For Microsoft .NET Framework 3.0 Service Pack 2:\ Microsoft .NET Framework 3.0-KB2656407_*-msi0.txt\ Microsoft .NET Framework 3.0-KB2656407_*.html
For Microsoft .NET Framework 4:\ KB2656405_**-Microsoft .NET Framework 4 Client Profile-MSP0.txt\ KB2656405*_*.html
Further information See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement  
Restart required? For all supported editions of Windows Server 2003:\ Yes, you must restart your system after you apply this security update.
For Microsoft .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 4:\ In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching This security update does not support HotPatching. For more information about HotPatching, see Microsoft Knowledge Base Article 897341.
Removal Information For all supported editions of Windows Server 2003:\ Use Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%$NTUninstallKB2659262$\Spuninst folder\ Use Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%$NTUninstallKB2676562$\Spuninst folder\ Use Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%$NTUninstallKB2686509$\Spuninst folder
For all supported versions of Microsoft .NET Framework, use the Add or Remove Programs item in Control Panel.
File Information See Microsoft Knowledge Base Article 2681578
Registry Key Verification For all supported editions of Windows Server 2003:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2659262\Filelist\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2676562\Filelist\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2686509\Filelist
For Microsoft .NET Framework 3.0 Service Pack 2:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 3.0 Service Pack 2\SP2\KB2656407\ "ThisVersionInstalled" = "Y
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2003:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Server 2003:\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"

Note The update for supported versions of Windows Server 2003 x64 Edition also applies to supported versions of Windows XP Professional x64 Edition.

Deployment Information

Installing the Update

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE, SP1QFE, or SP2QFE files to your system. Otherwise, the installer copies the RTMGDR, SP1GDR, or SP2GDR files to your system. Security updates may not contain all variations of these files. For more information about this behavior, see Microsoft Knowledge Base Article 824994.

For more information about the installer, see Microsoft Knowledge Base Article 832475.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches for Microsoft Windows Server 2003.

Switch Description
/help Displays the command-line options.
Setup Modes
/passive Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Restarts the computer after installation and force other applications to close at shutdown without saving open files first.
/warnrestart[:x] Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart Displays a dialog box prompting the local user to allow a restart.
Special Options
/overwriteoem Overwrites OEM files without prompting.
/nobackup Does not back up files needed for uninstall.
/forceappsclose Forces other programs to close when the computer shuts down.
/log:path Allows the redirection of installation log files.
/integrate:path Integrates the update into the Windows source files. These files are located at the path that is specified in the switch.
/extract[:path] Extracts files without starting the Setup program.
/ER Enables extended error reporting.
/verbose Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.

Note You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.

This security update for Microsoft .NET Framework 3.0 supports the following setup switches.

Supported Security Update Installation Switches

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.

Removing the Update

This security update supports the following setup switches.

Switch Description
/help Displays the command-line options.
Setup Modes
/passive Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart Does not restart when installation has completed.
/forcerestart Restarts the computer after installation and force other applications to close at shutdown without saving open files first.
/warnrestart[:x] Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart Displays a dialog box prompting the local user to allow a restart.
Special Options
/forceappsclose Forces other programs to close when the computer shuts down.
/log:path Allows the redirection of installation log files.

Verifying that the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start, and then click Search.
    2. In the Search Results pane, click All files and folders under Search Companion.
    3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
    4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
      Note Depending on the edition of the operating system, or the programs that are installed on your system, some of the files that are listed in the file information table may not be installed.
    5. On the Version tab, determine the version of the file that is installed on your system by comparing it to the version that is documented in the appropriate file information table.
      Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
  • Registry Key Verification

    You may also be able to verify the files that this security update has installed by reviewing the registry keys listed in the Reference Table in this section.

    These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.

Windows Vista (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Deployment  
Installing without user intervention For all supported 32-bit editions of Windows Vista:\ Windows6.0-KB2658846-x86.msu /quiet\ Windows6.0-KB2659262-x86.msu /quiet\ Windows6.0-KB2660649-x86.msu /quiet\ Windows6.0-KB2676562-x86.msu /quiet
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Vista:\ Windows6.0-KB2656409-x86.msu /quiet
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Vista:\ NDP40-KB2656405-x86.exe /quiet
For all supported x64-based editions of Windows Vista:\ Windows6.0-KB2658846-x64.msu /quiet\ Windows6.0-KB2659262-x64.msu /quiet\ Windows6.0-KB2660649-x64.msu /quiet\ Windows6.0-KB2676562-x64.msu /quiet
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported x64-based editions of Windows Vista:\ Windows6.0-KB2656409-x64.msu /quiet
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Vista:\ NDP40-KB2656405-x64.exe /quiet
Installing without restarting For all supported 32-bit editions of Windows Vista:\ Windows6.0-KB2658846-x86.msu /norestart\ Windows6.0-KB2659262-x86.msu /norestart\ Windows6.0-KB2660649-x86.msu /norestart\ Windows6.0-KB2676562-x86.msu /norestart
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Vista:\ Windows6.0-KB2656409-x86.msu /quiet /norestart
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Vista:\ NDP40-KB2656405-x86.exe /quiet /norestart
For all supported x64-based editions of Windows Vista:\ Windows6.0-KB2658846-x64.msu /norestart\ Windows6.0-KB2659262-x64.msu /norestart\ Windows6.0-KB2660649-x64.msu /norestart\ Windows6.0-KB2676562-x64.msu /norestart
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported x64-based editions of Windows Vista:\ Windows6.0-KB2656409-x64.msu /quiet /norestart
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Vista:\ NDP40-KB2656405-x64.exe /quiet /norestart
Further information See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement  
Restart required? For all supported editions of Windows Vista:\ Yes, you must restart your system after you apply this security update.
For Microsoft .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 4:\ In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching Not applicable.
Removal Information For all supported editions of Windows Vista:\ WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
For all supported versions of Microsoft .NET Framework, use the Add or Remove Programs item in Control Panel.
File Information See Microsoft Knowledge Base Article 2681578
Registry Key Verification For all supported editions of Windows Vista:\ Note A registry key does not exist to validate the presence of this update.
For Microsoft .NET Framework 3.0 Service Pack 2:\ Note A registry key does not exist to validate the presence of this update.
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Vista:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Vista:\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"

Deployment Information

Installing the Update

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Supported Security Update Installation Switches

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.

Note For more information about the wusa.exe installer, see Microsoft Knowledge Base Article 934307.

Verifying That the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in the Start Search box.
    2. When the file appears under Programs, right-click the file name and click Properties.
    3. On the General tab, compare the file size with the file information tables provided in the bulletin KB article.
      Note Depending on the edition of the operating system, or the programs that are installed on your system, some of the files that are listed in the file information table may not be installed.
    4. You can also click the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
      Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
    5. Finally, you can also click the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.

Windows Server 2008 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Deployment  
Installing without user intervention For all supported 32-bit editions of Windows Server 2008:\ Windows6.0-KB2658846-x86.msu /quiet\ Windows6.0-KB2659262-x86.msu /quiet\ Windows6.0-KB2660649-x86.msu /quiet\ Windows6.0-KB2676562-x86.msu /quiet
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Server 2008:\ Windows6.0-KB2656409-x86.msu /quiet
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2008:\ NDP40-KB2656405-x86.exe /quiet
For all supported x64-based editions of Windows Server 2008:\ Windows6.0-KB2658846-x64.msu /quiet\ Windows6.0-KB2659262-x64.msu /quiet\ Windows6.0-KB2660649-x64.msu /quiet\ Windows6.0-KB2676562-x64.msu /quiet
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported x64-based editions of Windows Server 2008:\ Windows6.0-KB2656409-x64.msu /quiet
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Server 2008:\ NDP40-KB2656405-x64.exe /quiet
For all supported Itanium-based editions of Windows Server 2008:\ Windows6.0-KB2659262-ia64.msu /quiet\ Windows6.0-KB2676562-ia64.msu /quiet
Installing without restarting For all supported 32-bit editions of Windows Server 2008:\ Windows6.0-KB2658846-x86.msu /norestart\ Windows6.0-KB2659262-x86.msu /norestart\ Windows6.0-KB2660649-x86.msu /norestart\ Windows6.0-KB2676562-x86.msu /norestart
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Server 2008:\ Windows6.0-KB2656409-x86.msu /quiet /norestart
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2008:\ NDP40-KB2656405-x86.exe /quiet /norestart
For all supported x64-based editions of Windows Server 2008:\ Windows6.0-KB2658846-x64.msu /norestart\ Windows6.0-KB2659262-x64.msu /norestart\ Windows6.0-KB2660649-x64.msu /norestart\ Windows6.0-KB2676562-x64.msu /norestart
For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported x64-based editions of Windows Server 2008:\ Windows6.0-KB2656409-x64.msu /quiet /norestart
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Server 2008:\ NDP40-KB2656405-x64.exe /quiet /norestart
For all supported Itanium-based editions of Windows Server 2008:\ Windows6.0-KB2659262-ia64.msu /norestart\ Windows6.0-KB2676562-ia64.msu /norestart
Further information See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement  
Restart required? For all supported editions of Windows Server 2008:\ Yes, you must restart your system after you apply this security update.
For Microsoft .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 4:\ In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching Not applicable.
Removal Information For all supported editions of Windows Server 2008:\ WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
For all supported versions of Microsoft .NET Framework, use the Add or Remove Programs item in Control Panel.
File Information See Microsoft Knowledge Base Article 2681578
Registry Key Verification For all supported editions of Windows Server 2008:\ Note A registry key does not exist to validate the presence of this update.
For Microsoft .NET Framework 3.0 Service Pack 2:\ Note A registry key does not exist to validate the presence of this update.
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows Server 2008:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows Server 2008:\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"

Deployment Information

Installing the Update

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Supported Security Update Installation Switches

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.

Note For more information about the wusa.exe installer, see Microsoft Knowledge Base Article 934307.

Verifying That the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in the Start Search box.
    2. When the file appears under Programs, right-click the file name and click Properties.
    3. On the General tab, compare the file size with the file information tables provided in the bulletin KB article.
      Note Depending on the edition of the operating system, or the programs that are installed on your system, some of the files that are listed in the file information table may not be installed.
    4. You can also click the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
      Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
    5. Finally, you can also click the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.

Windows 7 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Deployment  
Installing without user intervention For all supported 32-bit editions of Windows 7:\ Windows6.1-KB2658846-x86.msu /quiet\ Windows6.1-KB2659262-x86.msu /quiet\ Windows6.1-KB2660649-x86.msu /quiet\ Windows6.1-KB2676562-x86.msu /quiet
For Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems:\ Windows6.1-KB2656410-x86.msu /quiet
For Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1:\ Windows6.1-KB2656411-x86.msu /quiet
For Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1:\ NDP40-KB2656405-x86.exe /quiet
For all supported x64-based editions of Windows 7:\ Windows6.1-KB2658846-x64.msu /quiet\ Windows6.1-KB2659262-x64.msu /quiet\ Windows6.1-KB2660649-x64.msu /quiet\ Windows6.1-KB2676562-x64.msu /quiet
For Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems:\ Windows6.1-KB2656410-x64.msu /quiet
For Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1:\ Windows6.1-KB2656411-x64.msu /quiet
Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1:\ NDP40-KB2656405-x64.exe /quiet
Installing without restarting For all supported 32-bit editions of Windows 7:\ Windows6.1-KB2658846-x86.msu /norestart\ Windows6.1-KB2659262-x86.msu /norestart\ Windows6.1-KB2660649-x86.msu /norestart\ Windows6.1-KB2676562-x86.msu /norestart
For Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems:\ Windows6.1-KB2656410-x86.msu /quiet /norestart
For Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1:\ Windows6.1-KB2656411-x86.msu /quiet /norestart
For Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1:\ NDP40-KB2656405-x86.exe /quiet /norestart
For all supported x64-based editions of Windows 7:\ Windows6.1-KB2658846-x64.msu /norestart\ Windows6.1-KB2659262-x64.msu /norestart\ Windows6.1-KB2660649-x64.msu /norestart\ Windows6.1-KB2676562-x64.msu /norestart
For Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems:\ Windows6.1-KB2656410-x64.msu /quiet /norestart
For Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1:\ Windows6.1-KB2656411-x64.msu /quiet /norestart
Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1:\ NDP40-KB2656405-x64.exe /quiet /norestart
Further information See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement  
Restart required? For all supported editions of Windows 7:\ Yes, you must restart your system after you apply this security update.
For Microsoft .NET Framework 3.5.1 and Microsoft .NET Framework 4:\ In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching Not applicable.
Removal Information For all supported editions of Windows 7:\ WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
For all supported versions of Microsoft .NET Framework, use the Add or Remove Programs item in Control Panel.
File Information See Microsoft Knowledge Base Article 2681578
Registry Key Verification For all supported editions of Windows 7:\ Note A registry key does not exist to validate the presence of this update.
For Microsoft .NET Framework 3.5.1:\ Note A registry key does not exist to validate the presence of this update.
For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows 7:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"
For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows 7:\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"

Deployment Information

Installing the Update

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Supported Security Update Installation Switches

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.
/warnrestart:<seconds> When combined with /quiet, the installer will warn the user before initiating restart.
/promptrestart When combined with /quiet, the installer will prompt before initiating restart.
/forcerestart When combined with /quiet, the installer will forcefully close applications and initiate restart.
/log:<file name> Enables logging to specified file.
/extract:<destination> Extracts the package contents to the destination folder.
/uninstall /kb:<KB Number> Uninstalls the security update.

Note For more information about the wusa.exe installer, see "Windows Update Stand-alone Installer" in the TechNet article, Miscellaneous Changes in Windows 7.

Verifying That the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in the Search box.
    2. When the file appears under Programs, right-click the file name and click Properties.
    3. On the General tab, compare the file size with the file information tables provided in the bulletin KB article.
      Note Depending on the edition of the operating system, or the programs that are installed on your system, some of the files that are listed in the file information table may not be installed.
    4. You can also click the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
      Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
    5. Finally, you can also click the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.

Windows Server 2008 R2 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Deployment  
Installing without user intervention For all supported x64-based editions of Windows Server 2008 R2:\ Windows6.1-KB2658846-x64.msu /quiet\ Windows6.1-KB2659262-x64.msu /quiet\ Windows6.1-KB2660649-x64.msu /quiet\ Windows6.1-KB2676562-x64.msu /quiet
For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems:\ Windows6.1-KB2656410-x64.msu /quiet
For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1:\ Windows6.1-KB2656411-x64.msu /quiet
For Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1:\ NDP40-KB2656405-x64.exe /quiet
For all supported Itanium-based editions of Windows Server 2008 R2:\ Windows6.1-KB2658846-ia64.msu /quiet\ Windows6.1-KB2659262-ia64.msu /quiet\ Windows6.1-KB2676562-ia64.msu /quiet
Installing without restarting For all supported x64-based editions of Windows Server 2008 R2:\ Windows6.1-KB2658846-x64.msu /norestart\ Windows6.1-KB2659262-x64.msu /norestart\ Windows6.1-KB2660649-x64.msu /norestart\ Windows6.1-KB2676562-x64.msu /norestart
For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems:\ Windows6.1-KB2656410-x64.msu /quiet /norestart
For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1:\ Windows6.1-KB2656411-x64.msu /quiet /norestart
For Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1:\ NDP40-KB2656405-x64.exe /quiet /norestart
For all supported Itanium-based editions of Windows Server 2008 R2:\ Windows6.1-KB2658846-ia64.msu /norestart\ Windows6.1-KB2659262-ia64.msu /norestart\ Windows6.1-KB2676562-ia64.msu /norestart
Further information See the subsection, Detection and Deployment Tools and Guidance
Restart Requirement  
Restart required? For all supported editions of Windows Server 2008 R2:\ Yes, you must restart your system after you apply this security update.
For Microsoft .NET Framework 3.5.1 and Microsoft .NET Framework 4:\ In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching Not applicable.
Removal Information For all supported editions of Windows Server 2008 R2:\ WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
For all supported versions of Microsoft .NET Framework, use the Add or Remove Programs item in Control Panel.
File Information See Microsoft Knowledge Base Article 2681578
Registry Key Verification For all supported editions of Windows Server 2008 R2:\ Note A registry key does not exist to validate the presence of this update.
For Microsoft .NET Framework 3.5.1:\ Note A registry key does not exist to validate the presence of this update.
For Microsoft .NET Framework 4 when installed on all supported editions of Windows Server 2008 R2:\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Microsoft .NET Framework 4 Client Profile\KB2656405\ "ThisVersionInstalled" = "Y"

Deployment Information

Installing the Update

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Supported Security Update Installation Switches

Switch Description
/?, /h, /help Displays help on supported switches.
/quiet Suppresses the display of status or error messages.
/norestart When combined with /quiet, the system will not be restarted after installation even if a restart is required to complete installation.
/warnrestart:<seconds> When combined with /quiet, the installer will warn the user before initiating restart.
/promptrestart When combined with /quiet, the installer will prompt before initiating restart.
/forcerestart When combined with /quiet, the installer will forcefully close applications and initiate restart.
/log:<file name> Enables logging to specified file.
/extract:<destination> Extracts the package contents to the destination folder.
/uninstall /kb:<KB Number> Uninstalls the security update.

Note For more information about the wusa.exe installer, see "Windows Update Stand-alone Installer" in the TechNet article, Miscellaneous Changes in Windows 7.

Verifying That the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in the Start Search box.
    2. When the file appears under Programs, right-click the file name and click Properties.
    3. On the General tab, compare the file size with the file information tables provided in the bulletin KB article.
      Note Depending on the edition of the operating system, or the programs that are installed on your system, some of the files that are listed in the file information table may not be installed.
    4. You can also click the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
      Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
    5. Finally, you can also click the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.

Office 2003 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the Deployment Information subsection below.

Inclusion in Future Service Packs There are no more service packs planned for this software. The update for this issue may be included in a future update rollup.
Deployment
Installing without user intervention office2003-kb2598253-fullfile-enu.exe /q:a
Installing without restarting office2003-kb2598253-fullfile-enu.exe /r:n
Update log file Not applicable
Further information For detection and deployment, see the earlier section, Detection and Deployment Tools and Guidance. \ \ For features you can selectively install, see the Office Features for Administrative Installations subsection in this section.
Restart Requirement
Restart required? In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching Not applicable
Removal Information Use Add or Remove Programs item in Control Panel.\ \ Note When you remove this update, you may be prompted to insert the Microsoft Office 2003 CD in the CD drive. Additionally, you may not have the option to uninstall the update from the Add or Remove Programs item in Control Panel. There are several possible causes for this issue. For more information about the removal, see Microsoft Knowledge Base Article 903771.
File Information See Microsoft Knowledge Base Article 2681578
Registry Key Verification Not applicable

Office Features

The following table contains the list of feature names (case sensitive) that must be reinstalled for the update. To install all features, you can use REINSTALL=ALL or you can install the following features:

Product Feature
VISVEA, PPT11, RMS, STD11, ACCESSRT, ACC11, BASIC11, FP11, ONOTE11, OUTLS11, OUTL11, OUTLSM11, PERS11, PRO11SB, PROI11, PRO11, PUB11, STDP11, WORD11, INF11, EXCEL11, PRJPROE, PRJPRO, PRJSTDE, PRJSTD, VISPRO, VISPROR, VISSTD, VISSTDR ProductNonBootFiles

Note Administrators working in managed environments can find complete resources for deploying Office updates in an organization at the Office Admin Update Center. At that site, scroll down and look under the Update Resources section for the software version you are updating. The Windows Installer Documentation also provides more information about the parameters supported by Windows Installer.

Deployment Information

Installing the Update

You can install the update from the appropriate download link in the Affected and Non-Affected Software section. If you installed your application from a server location, the server administrator must instead update the server location with the administrative update and deploy that update to your system. For more information about Administrative Installation Points, refer to the Office Administrative Installation Point information in the Detection and deployment Tools and Guidance subsection.

This security update requires that Windows Installer 2.0 or later version be installed on the system. All supported versions of Windows include Windows Installer 2.0 or a later version.

To install the 2.0 or later version of Windows Installer, visit one of the following Microsoft websites:

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Supported Security Update Installation Switches

Switch Description
/q Specifies quiet mode, or suppresses prompts, when files are being extracted.
/q:u Specifies user-quiet mode, which presents some dialog boxes to the user.
/q:a Specifies administrator-quiet mode, which does not present any dialog boxes to the user.
/t:path Specifies the target folder for extracting files.
/c Extracts the files without installing them. If /t:path is not specified, you are prompted for a target folder.
/c:path Overrides the install command that is defined by author. Specifies the path and name of the Setup.inf or .exe file.
/r:n Never restarts the system after installation.
/r:I Prompts the user to restart the system if a restart is required, except when used with /q:a.
/r:a Always restarts the system after installation.
/r:s Restarts the system after installation without prompting the user.
/n:v No version checking - Install the program over any earlier version.

Note You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.

Removing the Update

To remove this security update, use the Add or Remove Programs item in Control Panel.

Note When you remove this update, you may be prompted to insert the Microsoft Office 2003 CD in the CD drive. Additionally, you may not have the option to uninstall the update from the Add or Remove Programs item in Control Panel. There are several possible causes for this issue. For more information about the removal, see Microsoft Knowledge Base Article 903771.

Verifying that the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in the Start Search box.
    2. When the file appears under Programs, right-click the file name and click Properties.
    3. On the General tab, compare the file size with the file information tables provided in the bulletin KB article.
    4. You can also click the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
    5. Finally, you can also click the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.

Microsoft Office 2007 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Deployment
Installing without user intervention Microsoft Office 2007 Service Pack 2\ mdivwctl2007-kb2596792-fullfile-x86-glb.exe /passive\ ogl2007-kb2596672-fullfile-x86-glb.exe /passive
Microsoft Office 2007 Service Pack 3\ mdivwctl2007-kb2596792-fullfile-x86-glb.exe /passive\ ogl2007-kb2596672-fullfile-x86-glb.exe /passive
Installing without restarting Microsoft Office 2007 Service Pack 2\ mdivwctl2007-kb2596792-fullfile-x86-glb.exe /norestart\ ogl2007-kb2596672-fullfile-x86-glb.exe /norestart
Microsoft Office 2007 Service Pack 3\ mdivwctl2007-kb2596792-fullfile-x86-glb.exe /norestart\ ogl2007-kb2596672-fullfile-x86-glb.exe /norestart
Update log file Not applicable
Further information For detection and deployment, see the earlier section, Detection and Deployment Tools and Guidance.
Restart Requirement
Restart required? In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching Not applicable
Removal Information Use Add or Remove Programs item in Control Panel.
File Information See Microsoft Knowledge Base Article 2681578
Registry Key Verification Not applicable

Deployment Information

Installing the Update

You can install the update from the appropriate download link in the Affected and Non-Affected Software section. If you installed your application from a server location, the server administrator must instead update the server location with the administrative update and deploy that update to your system. For more information about Administrative Installation Points, refer to the Office Administrative Installation Point information in the Detection and deployment Tools and Guidance subsection.

This security update requires that Windows Installer 3.1 or later version be installed on the system.

To install the 3.1 or later version of Windows Installer, visit one of the following Microsoft websites:

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Supported Security Update Installation Switches

Switch Description
/? or /help Displays usage dialog.
/passive Specifies passive mode. Requires no user interaction; users see basic progress dialogs but cannot cancel.
/quiet Specifies quiet mode, or suppresses prompts, when files are being extracted.
/norestart Suppresses restarting the system if the update requires a restart.
/forcerestart Automatically restarts the system after applying the update, regardless of whether the update requires the restart.
/extract Extracts the files without installing them. You are prompted for a target folder.
/extract:<path> Overrides the install command that is defined by author. Specifies the path and name of the Setup.inf or .exe file.
/lang:<LCID> Forces the use of a specific language, when the update package supports that language.
/log:<log file> Enables logging, by both Vnox and Installer, during the update installation.

Note You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.

Removing the Update

To remove this security update, use the Add or Remove Programs item in Control Panel.

Note When you remove this update, you may be prompted to insert the 2007 Microsoft Office CD in the CD drive. Additionally, you may not have the option to uninstall the update from the Add or Remove Programs item in Control Panel. There are several possible causes for this issue. For more information about the removal, see Microsoft Knowledge Base Article 903771.

Verifying that the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in the Start Search box.
    2. When the file appears under Programs, right-click the file name and click Properties.
    3. On the General tab, compare the file size with the file information tables provided in the bulletin KB article.
      Note Depending on the edition of the operating system, or the programs that are installed on your system, some files that are listed in the file information table may not be installed.
    4. You can also click the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
      Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
    5. Finally, you can also click the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.

Microsoft Office 2010 (all editions)

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Inclusion in Future Service Packs The update for this issue will be included in a future service pack or update rollup
Deployment
Installing without user intervention For all supported editions of Microsoft Office 2010 (32-bit editions):\ ogl2010-kb2589337-fullfile-x86-glb.exe /passive
For all supported editions of Microsoft Office 2010 (64-bit editions):\ ogl2010-kb2589337-fullfile-x64-glb.exe /passive
Installing without restarting For all supported editions of Microsoft Office 2010 (32-bit editions):\ ogl2010-kb2589337-fullfile-x86-glb.exe /norestart
For all supported editions of Microsoft Office 2010 (64-bit editions):\ ogl2010-kb2589337-fullfile-x64-glb.exe /norestart
Update log file Not applicable
Further information For detection and deployment, see the earlier section, Detection and Deployment Tools and Guidance.
Restart Requirement
Restart required? In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
HotPatching Not applicable
Removal Information Use Add or Remove Programs item in Control Panel.
File Information See Microsoft Knowledge Base Article 2681578
Registry Key Verification Not applicable

Deployment Information

Installing the Update

You can install the update from the appropriate download link in the Affected and Non-Affected Software section. If you installed your application from a server location, the server administrator must instead update the server location with the administrative update and deploy that update to your system. For more information about Administrative Installation Points, refer to the Office Administrative Installation Point information in the Detection and deployment Tools and Guidance subsection.

This security update requires that Windows Installer 3.1 or later version be installed on the system.

To install the 3.1 or later version of Windows Installer, visit one of the following Microsoft websites:

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Supported Security Update Installation Switches

Switch Description
/? or /help Displays usage dialog.
/passive Specifies passive mode. Requires no user interaction; users see basic progress dialogs but cannot cancel.
/quiet Specifies quiet mode, or suppresses prompts, when files are being extracted.
/norestart Suppresses restarting the system if the update requires a restart.
/forcerestart Automatically restarts the system after applying the update, regardless of whether the update requires the restart.
/extract Extracts the files without installing them. You are prompted for a target folder.
/extract:<path> Overrides the install command that is defined by author. Specifies the path and name of the Setup.inf or .exe file.
/lang:<LCID> Forces the use of a specific language, when the update package supports that language.
/log:<log file> Enables logging, by both Vnox and Installer, during the update installation.

Note You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.

Removing the Update

To remove this security update, use the Add or Remove Programs item in Control Panel.

Note When you remove this update, you may be prompted to insert the 2007 Microsoft Office CD in the CD drive. Additionally, you may not have the option to uninstall the update from the Add or Remove Programs item in Control Panel. There are several possible causes for this issue. For more information about the removal, see Microsoft Knowledge Base Article 903771.

Verifying that the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

  • File Version Verification

    Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

    1. Click Start and then enter an update file name in the Start Search box.
    2. When the file appears under Programs, right-click the file name and click Properties.
    3. On the General tab, compare the file size with the file information tables provided in the bulletin KB article.
      Note Depending on the edition of the operating system, or the programs that are installed on your system, some files that are listed in the file information table may not be installed.
    4. You can also click the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
      Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
    5. Finally, you can also click the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Alin Rad Pop, working with Tipping Point'sZero Day Initiative, for reporting the TrueType Font Parsing Vulnerability (CVE-2012-0159)
  • Vitaliy Toropov, working with Tipping Point'sZero Day Initiative, for reporting the .NET Framework Buffer Allocation Vulnerability (CVE-2012-0162)
  • Omair for reporting the GDI+ Record Type Vulnerability (CVE-2012-0165)
  • An anonymous researcher, working with Verisign iDefense Labs, for reporting the GDI+ Record Type Vulnerability (CVE-2012-0165)
  • An anonymous researcher, working with Verisign iDefense Labs, for reporting the GDI+ Heap Overflow Vulnerability (CVE-2012-0167)
  • Alex Plaskett of MWR InfoSecurity for reporting the Silverlight Double-Free Vulnerability (CVE-2012-0176)
  • Tarjei Mandt of Azimuth Security for reporting the Keyboard Layout File Vulnerability (CVE-2012-0181)
  • Nicolas Economou of Core Security Technologies for reporting the Keyboard Layout File Vulnerability (CVE-2012-0181)
  • Geoff McDonald of Symantec for reporting the Keyboard Layout File Vulnerability (CVE-2012-0181)
  • h4ckmp for reporting the Scrollbar Calculation Vulnerability (CVE-2012-1848)

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Support

How to obtain help and support for this security update

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (May 8, 2012): Bulletin published.
  • V1.1 (May 16, 2012): Added a link to Microsoft Knowledge Base Article 2681578 under Known Issues in the Executive Summary. Also added Microsoft .NET Framework 1.1 Service Pack 1 to the Non-Affected Software table and corrected the update replacement information for Microsoft Office. These were informational changes only. There were no changes to the security update files or detection logic.
  • V1.2 (May 22, 2012): Added an entry to the Frequently Asked Questions (FAQ) Related to This Security Update section to explain this revision.
  • V1.3 (June 6, 2012): Added an entry to the update FAQ to explain why systems with non-affected versions of Microsoft Visio Viewer 2010 will be offered security update KB2589337.
  • V1.4 (July 31, 2012): Bulletin revised to announce a detection change in the Windows Vista packages for KB2676562 to correct a Windows Update reoffering issue. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
  • V1.5 (October 31, 2012): Corrected update replacement information for the KB2676562 update.
  • V1.6 (March 6, 2013): Corrected update replacement information for the KB2676562 update.

Built at 2014-04-18T13:49:36Z-07:00