-
Microsoft announced four security bulletins that address 11 vulnerabilities as part of the monthly security bulletin release on April 8, 2014. A summary of these bulletins is on the Microsoft website at http://technet.microsoft.com/en-us/security/bulletin/ms14-apr. This document provides identification and mitigation techniques that administrators can deploy on Cisco network devices.
The vulnerabilities that have a client software attack vector, can be exploited locally on the vulnerable device, require user interaction, or can be exploited through web-based attacks (including but not limited to cross-site scripting, phishing, and web-based email threats), email attachments, or files stored on network shares are in the following list:
The vulnerabilities that have a network mitigation are in the following list. Cisco devices provide several countermeasures for the vulnerabilities that have a network attack vector, which will be discussed in detail later in this document.
Information about affected and unaffected products is available in the respective Microsoft advisories and the Cisco Alerts that are referenced in Cisco Event Response: Microsoft Security Bulletin Release for April 2014.
In addition, multiple Cisco products use Microsoft operating systems as their base operating system. Cisco products that may be affected by the vulnerabilities described in the referenced Microsoft advisories are detailed in the "Associated Products" table in the "Product Sets" section.
-
MS14-017, Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660): These vulnerabilities have been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2014-4252, CVE-2014-4253, and CVE-2014-3704. These vulnerabilities can be exploited remotely without authentication and require user interaction. Successful exploitation of these vulnerabilities may allow arbitrary code execution. The attack vector for exploitation of these vulnerabilities is through HTTP and HTTPS packets that typically use TCP ports 80 and 443 but may also use TCP ports 3128, 8000, 8010, 8080, 8888, and 24326.
MS14-019, Cumulative Security Update for Internet Explorer (2950467): These vulnerabilities have been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2014-0235, CVE-2014-1751, CVE-2014-1752, CVE-2014-1753, CVE-2014-1755, and CVE-2014-1760. These vulnerabilities can be exploited remotely without authentication and require user interaction. Successful exploitation of these vulnerabilities may allow arbitrary code execution. The attack vector for exploitation of these vulnerabilities is through HTTP and HTTPS packets that typically use TCP ports 80 and 443 but may also use TCP ports 3128, 8000, 8010, 8080, 8888, and 24326.
MS14-020, Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145): This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2014-1759. This vulnerability can be exploited remotely without authentication and requires user interaction. Successful exploitation of this vulnerability may allow arbitrary code execution. The attack vector for exploitation of this vulnerability is through HTTP and HTTPS packets that typically use TCP ports 80 and 443 but may also use TCP ports 3128, 8000, 8010, 8080, 8888, and 24326.
The Cisco ASA 5500 and 5500-X Series Adaptive Security Appliance, the Cisco Catalyst 6500 Series ASA Services Module (ASASM), the Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, the Cisco ACE Application Control Engine Appliance and Module, the Cisco Web and Email Security Appliances, and Cisco Cloud Web Security provide protection for potential attempts to exploit these vulnerabilities (a topic that is included in this document).
-
Information about vulnerable, unaffected, and fixed software is available in the Microsoft Security Bulletin Summary for April 2014, which is available at the following link: http://technet.microsoft.com/en-us/security/bulletin/ms14-apr
-
The vulnerabilities that have a client software attack vector, can be exploited locally on the vulnerable device, require user interaction, or can be exploited through web-based attacks (including but not limited to cross-site scripting, phishing, and web-based email threats), email attachments, or files stored on network shares are in the following list:
These vulnerabilities are mitigated most successfully at the endpoint through software updates, user education, desktop administration best practices, and endpoint protection software such as Host Intrusion Prevention Systems (HIPS) or antivirus products.
The vulnerabilities that have a network mitigation are in the following list. Cisco devices provide several countermeasures for these vulnerabilities. This section of the document provides an overview of these techniques.
Effective means of exploit prevention can also be provided by Cisco ASA 5500 and 5500-X Series Adaptive Security Appliance, Cisco Catalyst 6500 Series ASA Services Module (ASASM), and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers using the following methods:
- Application layer protocol inspection
- URL filtering
- Next-Generation Firewall Services
These protection mechanisms filter and drop packets that are attempting to exploit the vulnerabilities that have a network attack vector.
Effective exploit prevention can also be provided by the Cisco ACE Application Control Engine Appliance and Module using application protocol inspection.
Effective use of Cisco Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit these vulnerabilities.
Effective use of Sourcefire Intrusion Prevention System (IPS) event actions provides visibility into and protection against attacks that attempt to exploit these vulnerabilities.
Effective use of Cisco Web Security Appliance can protect against the vulnerabilities that have an attack vector over the web.
Effective use of Cisco Email Security Appliance can protect against the vulnerabilities that have an email attack vector.
Effective use of Cisco Cloud Web Security can protect against the vulnerabilities that have an attack vector over the web.
-
Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of these vulnerabilities. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.
-
Caution: The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.
Specific information about mitigation and identification is available for these devices:
- Cisco ASA, Cisco ASASM, and Cisco FWSM Firewalls
- Cisco ACE
- Cisco Intrusion Prevention System
- Cisco Sourcefire Snort Signatures
- Cisco Web and Email Security
- Cisco Cloud Web Security
Cisco ASA, Cisco ASASM, and Cisco FWSM Firewalls
Mitigation: Application Layer Protocol Inspection
Application layer protocol inspection is available beginning in Cisco IOS Software Release 7.2(1) for the Cisco ASA 5500 and 5500-X Series Adaptive Security Appliance, IOS Software Release 8.5 for the Cisco Catalyst 6500 Series ASA Services Module, and in IOS Software Release 4.0(1) for the Cisco Firewall Services Module. This advanced security feature performs deep packet inspection of traffic that transits the firewall. Administrators may construct an inspection policy for applications that require special handling through the configuration of inspection class maps and inspection policy maps, which are applied via a global or interface service policy. Application inspection will inspect both IPv4 and IPv6 packets matched in the class-map of the policy.
Additional information about application layer protocol inspection and the Modular Policy Framework (MPF) is in the Getting Started with Application Layer Protocol Inspection section of Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1.
Caution: Application layer protocol inspection will decrease firewall performance. Administrators are advised to test performance impact in a lab environment before this feature is deployed in production environments.
HTTP Application Inspection
For MS14-017 and MS14-020, by using the HTTP inspection engine on the Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances, Cisco 6500 Series ASA Services Modules, and the Cisco Firewall Services Module, administrators can configure regular expressions (regexes) for pattern matching and construct inspection class maps and inspection policy maps. These methods can help protect against specific vulnerabilities, such as the one described in this document, and other threats that may be associated with HTTP traffic. The following HTTP application inspection configuration uses the Cisco Modular Policy Framework (MPF) to create a policy for inspection of traffic on TCP ports 80, 3128, 8000, 8010, 8080, 8888, and 24326, which are the default ports for the Cisco IPS #WEBPORTS variable. The HTTP application inspection policy will drop connections where the HTTP response body contains any of the regexes that are configured to match the ActiveX control that is associated with these vulnerabilities.
Caution: The configured regexes can match text strings at any location in the body of an HTML response. Care should be taken to ensure that legitimate business applications that use matching text strings without calling the ActiveX control are not affected. Additional information about regex syntax is in Creating a Regular Expression.
Additional information about ActiveX exploits and mitigations that leverage Cisco firewall technologies is available in the Preventing ActiveX Exploits with Cisco Firewall Application Layer Protocol Inspection Cisco Security Intelligence Operations white paper.
!
!-- Configure regexes that look for either the
!-- .rtf or the .pub file extensions that are
!-- typically used to exploit the vulnerability
!-- associated with MS14-017 and MS14-020
!
regex MS14-017 ".+\x2e[Rr][Tt][Ff]"
regex MS14-020 ".+\x2e[Pp][Uu][Bb]"
!
!-- The "?" in the above regexes must be escaped with
!-- [CTRL-v]. See Creating a Regular Expression for
!-- details
!
!-- Configure a regex class to match on the regular
!-- expressions that are configured above
!
class-map type regex match-any MS14-regex_class
 match regex MS14-017
 match regex MS14-020
!
!-- Configure an object group for the default ports that
!-- are used by the Cisco IPS #WEBPORTS variable, which
!-- are TCP ports 80 (www), 3128, 8000, 8010, 8080, 8888,
!-- and 24326
!
object-group service WEBPORTS tcp
 port-object eq www
 port-object eq 3128
 port-object eq 8000
 port-object eq 8010
 port-object eq 8080
 port-object eq 8888
 port-object eq 24326
!
!-- Configure an access list that uses the WEBPORTS object
!-- group, which will be used to match TCP packets that
!-- are destined to the #WEBPORTS variable that is used
!-- by a Cisco IPS device
!
access-list Webports_ACL extended permit tcp any any object-group WEBPORTS
!
!-- Configure a class that uses the above-configured
!-- access list to match TCP packets that are destined
!-- to the ports that are used by the Cisco IPS #WEBPORTS
!-- variable
!
class-map Webports_Class
 match access-list Webports_ACL
!
!-- Configure an HTTP application inspection policy that
!-- identifies, drops, and logs connections that contain
!-- the regexes that are configured above
!
policy-map type inspect http MS_Apr_2014_policy
 parameters
!
!-- "body-match-maximum" indicates the maximum number of
!-- characters in the body of an HTTP message that
!-- should be searched in a body match. The default value is
!-- 200 bytes. A large number such as shown here may have an
!-- impact on system performance. Administrators are advised
!-- to test performance impact in a lab environment before
!-- this command is deployed in production environments.
!
  body-match-maximum 1380
 match response body regex class MS14-regex_class
  drop-connection log
!
!-- Add the above-configured "Webports_Class" that matches
!-- TCP packets that are destined to the default ports
!-- that are used by the Cisco IPS #WEBPORTS variable to
!-- the default policy "global_policy" and use it to
!-- inspect HTTP traffic that transits the firewall
!
policy-map global_policy
 class Webports_Class
  inspect http MS_Apr_2014_policy
!
!-- By default, the policy "global_policy" is applied
!-- globally, which results in the inspection of
!-- traffic that enters the firewall from all interfaces
!
service-policy global_policy global
For additional information about the configuration and use of object groups, reference the Adding Global Objects section of Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1.
Additional information about HTTP application inspection and the MPF is in the HTTP Inspection section of Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1.
For information on using the Cisco Firewall command line interface (CLI) to gauge the effectiveness of application inspection, please refer to the Cisco Security Intelligence Operations white paper Identification of Security Exploits with Cisco ASA, Cisco ASASM, and Cisco FWSM Firewalls.
Mitigation: URL Filtering
URL filtering can be applied on the ASA by leveraging Websense Enterprise or Secure Computing SmartFilter Server (formerly N2H2) Internet filtering products. When URL filtering is enabled, the ASA only enforces the filtering policy decisions that are made for HTTP, HTTPS, and FTP by the Internet filtering product configurations.
Specifically, for HTTPS content the ASA sends the URL lookup without directory and filename information. When the filtering server approves an HTTPS connection request, the ASA allows the completion of SSL connection negotiation and allows the reply from the web server to reach the originating client. If the filtering server denies the request, the ASA prevents the completion of SSL connection negotiation. The browser displays an error message such as "The Page or the content cannot be displayed."
URL filtering is configured using url-server and filter global CLI commands.
URL filtering can be used to mitigate the vulnerabilities described in this document by filtering HTTP or HTTPS requests that contain .rtf or .pub in their URI field.
For more information, see the Filtering HTTPS URLs section of the Cisco ASA configuration guide and How to configure URL filtering in the Cisco Support Community.
Mitigation: Next-Generation Firewall Services
Starting in Cisco ASA Software Release 8.4(5) for Cisco ASA 5585-X with ASA CX SSP-10 and -20; Cisco ASA Software Release 9.1 for Cisco ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X; and Cisco ASA Software Release 9.1(3) for Cisco ASA 5585-X with ASA CX SSP-40 and -60, the Cisco ASA Next-Generation Firewall (NGFW) services allow an administrator to monitor or enforce policies based on the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how).
The NGFW services run in a separate hardware module (SSP for ASA5585-X) or software module (ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X). The ASA forwards traffic (using MPF policies) to the NGFW module, which monitors and/or enforces policies as configured. NGFW policies can be configured using the Cisco Prime Security Manager (PRSM) GUI in single or multiple device mode. A variety of applications can be recognized and acted on as part of the Application Visibility and Control (AVC) service on NGFW. Application recognition is continually updated using signature and engine updates. Similarly, the Web Security Essentials (WSE) service can inspect and act upon web features and requests. Also, web reputation policies can be used to filter traffic based on reputation of the destinations visited.
Cisco NGFW can be used to mitigate MS14-017, MS14-019, and MS14-020 by filtering the following:
- low-reputation URL destinations
- files with .rtf or .pub file types
Monitoring and filtering policies (AVC and WSE) can also be applied to encrypted TLS traffic.
For more information about supported applications, see ASA NGFW Services Applications Portal. For more information about configuring the ASA, see the Configuring the ASA CX Module section in the Cisco ASA configuration guide. For more information on configuring the ASA CX, see User Guide for ASA CX and Cisco Prime Security Manager.
Cisco ACE
Mitigation: Application Protocol Inspection
Application protocol inspection is available for the Cisco ACE Application Control Engine Appliance and Module. This advanced security feature performs deep packet inspection of traffic that transits the Cisco ACE device. Administrators can construct an inspection policy for applications that require special handling through the configuration of inspection class maps and inspection policy maps, which are applied via a global or interface service policy.
Additional information about application protocol inspection is in the Configuring Application Protocol Inspection section of Security Guide vA5(1.0), Cisco ACE Application Control Engine.
HTTP Deep Packet Inspection
To conduct HTTP deep packet inspection for MS14-017 and MS14-020, administrators can configure regular expressions (regexes) for pattern matching and construct inspection class maps and inspection policy maps. These methods can help protect against specific vulnerabilities, such as the one described in this document, and other threats that may be associated with HTTP traffic. The following HTTP application protocol inspection configuration inspects traffic on TCP ports 80, 3128, 8000, 8010, 8080, 8888, and 24326, which are the default ports for the Cisco IPS #WEBPORTS variable.
Caution: The configured regexes can match text strings at any location in the content of an HTML packet. Care should be taken to ensure that legitimate business applications that use matching text strings are not affected.
!
!-- Configure an HTTP application inspection class that looks
!-- for HTTP packets that contain either of the .rtf or
!-- .pub file extensions that are typically used to exploit
!-- the vulnerabilities associated with MS14-017 and MS14-020
!
class-map type http inspect match-any MS14_class
  2 match content ".*.+\x2e[Rr][Tt][Ff].*"
  3 match content ".*.+\x2e[Pp][Uu][Bb].*"
!
!-- The "?" in the above regexes must be escaped with
!-- [CTRL-v].
!
!-- Configure an HTTP application inspection policy that
!-- identifies, resets, and logs connections that contain
!-- the regexes that are configured above
!
policy-map type inspect http all-match MS_Apr_2014
  class MS14_class
    reset log
!
!-- Configure an access list that matches TCP packets
!-- that are destined to the #WEBPORTS variable that is
!-- used by a Cisco IPS device
!
access-list WEBPORTS line 8 extended permit tcp any any eq www
access-list WEBPORTS line 16 extended permit tcp any any eq 3128
access-list WEBPORTS line 24 extended permit tcp any any eq 8000
access-list WEBPORTS line 32 extended permit tcp any any eq 8010
access-list WEBPORTS line 40 extended permit tcp any any eq 8080
access-list WEBPORTS line 48 extended permit tcp any any eq 8888
access-list WEBPORTS line 56 extended permit tcp any any eq 24326
!
!-- Configure a Layer 4 class that uses the above-configured
!-- access list to match TCP packets that are destined
!-- to the ports that are used by the Cisco IPS #WEBPORTS
!-- variable
!
class-map match-all L4_http_class
  match access-list WEBPORTS
!
!-- Configure a Layer 4 policy that applies the HTTP application
!-- inspection policy configured above to TCP packets that
!-- are destined to the ports that are used by the Cisco IPS
!-- #WEBPORTS variable
!
policy-map multi-match L4_MS_Apr_2014
  class L4_http_class
    inspect http policy MS_Apr_2014
!
!-- Apply the configuration globally across all interfaces,
!-- which results in the inspection of all traffic that enters
!-- the ACE
!
service-policy input L4_MS_Apr_2014
For information about how to use the ACE CLI to gauge the effectiveness of application inspection, refer to the Cisco Security Intelligence Operations white paper Identification of Malicious Traffic Using Cisco ACE.
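The following Python script is an added example, not part of the Cisco bulletin or any Cisco tool. It applies the two regexes and the body-match-maximum value from the ASA configuration above (the ACE patterns are the same expressions wrapped in ".*") to constructed HTTP responses, so that the Cautions about matches at any location in the body can be checked against representative traffic before the policy is deployed. It assumes that Python's re module approximates the firewall regex matching; the function names and sample responses are illustrative.

```python
import re

# Regexes and search limit copied from the ASA configuration on this page.
ASA_REGEXES = {
    "MS14-017": rb".+\x2e[Rr][Tt][Ff]",
    "MS14-020": rb".+\x2e[Pp][Uu][Bb]",
}
BODY_MATCH_MAXIMUM = 1380  # "body-match-maximum 1380" in the policy map

# Assumption: "." matches any byte on the firewall; re.DOTALL approximates that.
_COMPILED = {name: re.compile(rx, re.DOTALL) for name, rx in ASA_REGEXES.items()}


def response_body(raw: bytes) -> bytes:
    """Return the bytes after the header/body separator of a raw HTTP response."""
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else b""


def matched_rules(raw: bytes, limit: int = BODY_MATCH_MAXIMUM) -> list:
    """Names of the regexes that hit within the first `limit` bytes of the body."""
    window = response_body(raw)[:limit]
    return sorted(name for name, rx in _COMPILED.items() if rx.search(window))


def match_context(raw: bytes, rule: str, limit: int = BODY_MATCH_MAXIMUM, span: int = 24):
    """Bytes around the end of the hit, for triage of a dropped connection."""
    window = response_body(raw)[:limit]
    m = _COMPILED[rule].search(window)
    if m is None:
        return None
    return window[max(0, m.end() - span): m.end() + span // 2]


def _http(body: bytes, ctype: bytes = b"text/html") -> bytes:
    """Build a minimal HTTP/1.1 response around a body (constructed test data)."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype +
            b"\r\nContent-Length: " + str(len(body)).encode() +
            b"\r\n\r\n" + body)


# Constructed sample responses; none of them is captured traffic.
SAMPLES = {
    # HTML that references a file with an .rtf extension (upper case).
    "link_to_rtf": _http(b'<html><a href="/docs/Q1-report.RTF">report</a></html>'),
    # Benign text in which ".pub" is only part of a host name.
    "benign_hostname": _http(b"<html>Contact press@news.publishing.example</html>"),
    # Benign text with no matching string.
    "benign_plain": _http(b"<html><p>Quarterly numbers attached as PDF.</p></html>"),
    # The matching string sits after the first 1380 body bytes.
    "ref_past_limit": _http(b"<html>" + b"<!-- pad -->" * 120 +
                            b'<a href="/a/flyer.pub">x</a></html>'),
    # The body is RTF content itself; it carries no ".rtf" string.
    "rtf_file_content": _http(rb"{\rtf1\ansi\deff0 Hello}", b"application/rtf"),
}


def evaluate(samples=SAMPLES, limit: int = BODY_MATCH_MAXIMUM) -> dict:
    """Map each sample label to the rules that would drop the connection."""
    return {label: matched_rules(raw, limit) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, rules in evaluate().items():
        print(f"{label:18} -> {rules or 'no match'}")
    print(match_context(SAMPLES["benign_hostname"], "MS14-020"))
```

Running the same functions over bodies exported from a proxy log or packet capture of normal business traffic gives an estimate of how many legitimate connections the drop-connection action would affect.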
Cisco Intrusion Prevention System
Mitigation: Cisco IPS Signature Event Actions
Administrators can use the Cisco IPS appliances and services modules to provide threat detection and help prevent attempts to exploit several of the vulnerabilities described in this document. The following table provides an overview of CVE identifiers and the respective Cisco IPS signatures that will trigger events on potential attempts to exploit these vulnerabilities.
| CVE ID | Signature Release | Signature ID | Signature Name | Enabled | Severity | Fidelity* |
|---|---|---|---|---|---|---|
| CVE-2014-1761 | S780 | 1709/0 | Microsoft Office Word RTF Document Processing Arbitrary Code Execution Vulnerability | Yes | High | 85 |
| CVE-2014-1751 | S784 | 4109/0 | Microsoft Internet Explorer Remote Code Execution | Yes | High | 85 |
| CVE-2014-1752 | S784 | 4108/0 | Microsoft Internet Explorer Use After Free | Yes | High | 85 |
| CVE-2014-1753 | S784 | 4136/0 | Microsoft Internet Explorer Use After Free | Yes | High | 85 |
| CVE-2014-1755 | S784 | 4137/0 | Microsoft Internet Explorer Memory Corruption Vulnerability | Yes | High | 85 |

* Fidelity is also referred to as Signature Fidelity Rating (SFR) and is the relative measure of the accuracy of the signature (predefined). The value ranges from 0 through 100 and is set by Cisco Systems, Inc.
Administrators can configure Cisco IPS sensors to perform an event action when an attack is detected. The configured event action performs preventive or deterrent controls to help protect against an attack that is attempting to exploit the vulnerabilities listed in the preceding table.
Cisco IPS sensors are most effective when deployed in inline protection mode combined with the use of an event action. Automatic Threat Prevention for Cisco IPS 7.x and 6.x sensors that are deployed in inline protection mode provides threat prevention against an attack that is attempting to exploit the vulnerabilities that are described in this document. Threat prevention is achieved through a default override that performs an event action for triggered signatures with a riskRatingValue greater than 90.
For additional information about the risk rating and threat rating calculation, reference Risk Rating and Threat Rating: Simplify IPS Policy Management.
For information on using Cisco Security Manager to view the activity from a Cisco IPS sensor, see the Identification of Malicious Traffic Using Cisco Security Manager white paper.
Sourcefire Signature Information
The following Sourcefire Snort signatures are available for the Microsoft April 2014 Security Update.
| Microsoft Bulletin ID | Applicable Rules |
|---|---|
| MS14-017 | 1:24974 |
| MS14-017 | 1:24975 |
| MS14-018 | 1:30497 |
| MS14-018 | 1:30498 |
| MS14-018 | 1:30499 |
| MS14-018 | 1:30500 |
| MS14-018 | 1:30501 |
| MS14-018 | 1:30502 |
| MS14-020 | 1:30508 |
| MS14-020 | 1:30509 |

Cisco Web and Email Security
Mitigation: Web Security
Cisco Web Security Appliances (WSA) can filter and protect corporate networks against web-based malware and spyware programs that can compromise corporate security and expose intellectual property. They operate as a proxy and can provide user- and group-based policies that filter certain URL categories, web content, web application visibility and control (AVC), websites based on web reputation, and malware. The WSA can also detect infected clients and stop malicious activity from going outside the corporate network using the L4 Traffic Monitor (L4TM). Policies can be configured using a web GUI. A CLI can also be used. The WSA includes protection for standard communication protocols, such as HTTP, HTTPS, FTP, and SOCKS.
To operate with network devices such as routers and firewalls, the WSA uses the Web Cache Communication Protocol (WCCP). With WCCP, content requests are transparently redirected to the WSA, which acts based on its configuration. Users do not need to configure a web-proxy in their browsers. In Cisco IOS, WCCP is enabled using the ip wccp commands and in the Cisco ASA using the wccp commands.
Cisco WSA can be used to mitigate MS14-017, MS14-019, and MS14-020 by filtering web traffic based on the following:
- low-reputation URL destinations
- .rtf or .pub file types
- .rtf or .pub malicious files
For more information, see the ASA: WCCP Step-by-Step Configuration document in the Cisco Support Community and the Cisco AsyncOS Web User Guide (PDF).
Mitigation: Email Security
Cisco Email Security Appliances (ESA) eliminate email spam and viruses, enforce corporate policy, and secure the network perimeter. They operate as an SMTP gateway, also known as a mail exchanger or MX. They can filter virus, spam, and phishing outbreaks. They also provide email encryption, message filtering, anti-spam services, antivirus services and more.
Cisco ESA can be used to mitigate MS14-017 and MS14-020 by filtering messages based on an attachment type of .rtf or .pub.
Filter actions allow messages to be dropped, bounced, archived, blind carbon copied, or altered.
Filters can also generate notifications.
For more information, see the Cisco AsyncOS Email Configuration Guide (PDF).
Cisco Cloud Web Security
Mitigation: Cloud Web Security
Cisco Cloud Web Security (CWS) analyzes every web request and response to determine whether content is malicious, inappropriate, or acceptable based on the defined security policy. This offers effective protection against threats, including zero-day threats that would otherwise be successful. Cisco CWS can provide user and group-based policies that filter certain URL categories, web content, files and file types, web applications (AVC), websites based on web reputation and malware. It can inspect both HTTP and HTTPS traffic.
Starting in Cisco IOS 15.2MT on ISR-G2 routers and Cisco ASA Software Release 9.0, Cisco CWS can integrate transparently with Cisco IOS and Cisco ASA. In addition, starting with AnyConnect 3.0, CWS can be deployed with the AnyConnect client. CWS can also be deployed on end hosts as a Cisco Cloud Connector application.
Cisco CWS can be used to mitigate MS14-017, MS14-019, and MS14-020 by filtering web traffic based on the following:
- low-reputation URL destinations
- .rtf and .pub file types
- .rtf or .pub malicious files
For configuration examples, see the ASA: ScanSafe Step-by-Step Configuration and IOS: ScanSafe Step-by-Step Configuration documents in the Cisco Support Community. For more information about Cisco IOS and ASA configuration, see Cisco Cloud Web Security and the Configuring Cisco Cloud Web Security section of the Cisco ASA configuration guide. For more information about the CWS portal, see Cisco ScanCenter Administrator Guide.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
-
| Version | Description | Section | Date |
|---|---|---|---|
| 1 | Initial Release | | 2014-April-08 17:17 GMT |
-
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
-
The security vulnerability applies to the following combinations of products.
Primary Products
Microsoft, Inc.
- Internet Explorer 6.0 (Base) | 7.0 (Base) | 8.0 (Base) | 9.0 (Base) | 11.0 (Base)
- Microsoft Office Publisher 2003 (SP3) | 2007 (SP3)
- Office 2007 (SP3) | 2010 (SP1, SP2)
- Office Compatibility Pack SP3 (Base)
- Office for Mac 2011 (Base)
- Windows 7 for 32-bit systems (SP1) | for x64-based systems (SP1)
- Windows 8 for 32-bit systems (Base) | for x64-based systems (Base)
- Windows 8.1 for 32-bit Systems (Base) | for x64-based Systems (Base)
- Windows RT Original Release (Base) | 8.1 (Base)
- Windows Server 2003 Datacenter Edition (SP2) | Datacenter Edition, 64-bit (Itanium) (SP2) | Datacenter Edition x64 (AMD/EM64T) (SP2) | Enterprise Edition (SP2) | Enterprise Edition, 64-bit (Itanium) (SP2) | Enterprise Edition x64 (AMD/EM64T) (SP2) | Standard Edition (SP2) | Standard Edition, 64-bit (Itanium) (SP2) | Standard Edition x64 (AMD/EM64T) (SP2) | Web Edition (SP2)
- Windows Server 2008 Datacenter Edition (SP2) | Datacenter Edition, 64-bit (SP2) | Itanium-Based Systems Edition (SP2) | Enterprise Edition (SP2) | Enterprise Edition, 64-bit (SP2) | Essential Business Server Standard (SP2) | Essential Business Server Premium (SP2) | Essential Business Server Premium, 64-bit (SP2) | Standard Edition (SP2) | Standard Edition, 64-bit (SP2) | Web Server (SP2) | Web Server, 64-bit (SP2)
- Windows Server 2008 R2 x64-Based Systems Edition (SP1) | Itanium-Based Systems Edition (SP1)
- Windows Server 2012 Original Release (Base)
- Windows Server 2012 R2 Original Release (Base)
- Windows Vista Home Basic (SP2) | Home Premium (SP2) | Business (SP2) | Enterprise (SP2) | Ultimate (SP2) | Home Basic x64 Edition (SP2) | Home Premium x64 Edition (SP2) | Business x64 Edition (SP2) | Enterprise x64 Edition (SP2) | Ultimate x64 Edition (SP2)
- Word 2003 (Base, SP1, SP2, SP3) | 2007 (Base, SP1, SP2, SP3) | 2010 (32-bit Edition, 64-bit Edition, SP1, SP2) | 2013 (Base, RT, 32-bit editions, 64-bit editions)
- Word Viewer Original Release (Base)
- Office Web Apps 2010 (Base, SP1, SP2) | 2013 (Base)
Associated Products
Microsoft, Inc.
- Office 2003 (Base, SP1, SP2, SP3) | 2007 (Base, SP1, SP2) | 2010 (Base) | 2013 (32-bit editions, 64-bit editions) | 2013 RT (Base)
- Windows 7 for 32-bit systems | for x64-based systems
- Windows 8.1 for 32-bit Systems | for x64-based Systems
- Windows RT 8.1
- Windows Server 2003 Datacenter Edition | Datacenter Edition, 64-bit (Itanium) | Datacenter Edition x64 (AMD/EM64T) | Enterprise Edition | Enterprise Edition, 64-bit (Itanium) | Enterprise Edition x64 (AMD/EM64T) | Standard Edition | Standard Edition, 64-bit (Itanium) | Standard Edition x64 (AMD/EM64T) | Web Edition
- Windows Server 2008 Datacenter Edition | Datacenter Edition, 64-bit | Itanium-Based Systems Edition | Enterprise Edition | Enterprise Edition, 64-bit | Essential Business Server Standard | Essential Business Server Premium | Essential Business Server Premium, 64-bit | Standard Edition | Standard Edition, 64-bit | Web Server | Web Server, 64-bit
- Windows Server 2008 R2 x64-Based Systems Edition | Itanium-Based Systems Edition
- Windows Server 2012 R2 Original Release
- Windows Vista Home Basic | Home Premium | Business | Enterprise | Ultimate | Home Basic x64 Edition | Home Premium x64 Edition | Business x64 Edition | Enterprise x64 Edition | Ultimate x64 Edition
-
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.