Microsoft Security Advisory 2962393

Update for Vulnerability in Juniper Networks Windows In-Box Junos Pulse Client

Published: May 5, 2014 | Updated: June 9, 2015

Version: 2.0

Executive Summary

Microsoft is announcing the availability of an update for the Juniper Networks Windows In-Box Junos Pulse Client for Windows 8.1 and Windows RT 8.1. The update addresses a vulnerability in the Juniper VPN client by updating the affected Juniper VPN client libraries contained in affected versions of Microsoft Windows.

Juniper VPN Client Update

Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

  • On June 9, 2015, Microsoft released an update (3062760) for the Juniper Networks Windows In-Box Junos Pulse VPN client. The update addresses the vulnerability described in Juniper Security Advisory JSA29833. Customers who are not using a Juniper VPN solution are not vulnerable; however, Microsoft recommends applying the update on all affected operating systems since the affected component is present in-box. For more information about this update, including download links, see Microsoft Knowledge Base Article 3062760.

    Note: Updates for Windows RT 8.1, Windows Technical Preview, and Windows Server Technical Preview are available via Windows Update.
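
One way to check an endpoint for the update and for Junos Pulse VPN profiles, as an added example that is not Microsoft's or Juniper's code. It assumes Get-HotFix reports the update under its KB number and that the in-box client's plug-in ID contains "Juniper"; neither is stated in the advisory.

```powershell
# Added example: exposure and patch check for Microsoft Security Advisory 2962393.
# KB numbers come from the advisory; the plug-in name pattern is an assumption.
$CurrentKb     = 'KB3062760'   # June 9, 2015 update (JSA29833)
$PreviousKb    = 'KB2962393'   # May 5, 2014 update (JSA10623)
$PluginPattern = '*Juniper*'   # assumed to match the in-box client's PlugInApplicationID

function Test-AffectedOs {
    # Windows 8.1 and Windows RT 8.1 report version 6.3 with ProductType 1 (client).
    # Windows Server 2012 R2 is also 6.3 but the advisory lists it as non-affected.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return ($os.Version -like '6.3.*' -and $os.ProductType -eq 1)
}

function Get-PluginVpnConnection {
    # Per-user and all-user phone books are queried separately.
    $found = @()
    $found += @(Get-VpnConnection -ErrorAction SilentlyContinue)
    $found += @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    $found | Where-Object { $_.PlugInApplicationID -like $PluginPattern }
}

function Test-Kb([string]$Id) {
    # Get-HotFix emits a non-terminating error when the KB is absent.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

$affected    = Test-AffectedOs
$vpnProfiles = if ($affected) { @(Get-PluginVpnConnection) } else { @() }

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    AffectedOs         = $affected
    Has3062760         = Test-Kb $CurrentKb
    Has2962393         = Test-Kb $PreviousKb
    JuniperVpnProfiles = ($vpnProfiles | ForEach-Object { $_.Name }) -join ', '
    # The advisory recommends the update on every affected OS, VPN in use or not.
    NeedsUpdate        = ($affected -and -not (Test-Kb $CurrentKb))
}
```

An empty JuniperVpnProfiles value with NeedsUpdate set to True still calls for the update, since the affected libraries ship in-box.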

Affected Software

This advisory discusses the following software.

Operating System | Component
Windows 8.1 for 32-bit Systems | Juniper Networks Windows In-Box Junos Pulse Client
Windows 8.1 for x64-based Systems | Juniper Networks Windows In-Box Junos Pulse Client
Windows RT 8.1 | Juniper Networks Windows In-Box Junos Pulse Client

Non-Affected Software
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows Server 2012
Windows RT
Windows Server 2012 R2
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)

Frequently Asked Questions


What is the scope of the advisory?
The purpose of this advisory is to announce the availability of an update for Juniper Networks Windows In-Box Junos Pulse VPN client for Windows 8.1 and Windows RT 8.1.

What is Juniper Networks Windows In-Box Junos Pulse Client?
Juniper Networks Windows In-Box Junos Pulse Client is a third-party VPN product that is shipped in-box as part of the Windows operating system. Windows In-Box Pulse Client appears as a VPN Provider network option within Windows 8.1 and later endpoints, including Windows RT 8.1 endpoints. It allows the user to establish a Layer 3 VPN connection to Junos Pulse Secure Access Service and to create, manage, and remove Pulse VPN connections on the Windows endpoint through Windows PowerShell scripts. The user can also create connections manually on the endpoint. Windows In-Box Junos Pulse Client provides a subset of the features that are available through the Junos Pulse for Windows client.

What is VPN?
Virtual private networks (VPNs) are point-to-point connections over a private or public intermediate network, such as the Internet, allowing users to remotely access private networks that otherwise would not be accessible from the Internet, or administrators to connect remote sites together. For more information about VPN technologies as well as how to configure them on Windows, please see What Is VPN?.

What does the update do?
The update addresses the vulnerability by updating the Juniper Networks VPN client libraries contained in Windows 8.1 and Windows RT 8.1.

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • To successfully exploit the vulnerability, an attacker would have to host a specially crafted VPN server and then convince users to connect to that server directly (or by way of a redirect to the specially crafted VPN server). In all cases, an attacker would have no way to force users to connect to the specially crafted VPN server.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Previous Updates

  • On May 5, 2014, Microsoft released an update for the Juniper Networks Windows In-Box Junos Pulse VPN client. The update addresses the vulnerability described in Juniper Security Advisory JSA10623. For more information about this update, including download links, see Microsoft Knowledge Base Article 2962393.

    Note: Updates for Windows RT 8.1 are available via Windows Update.

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Support

  • Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
  • Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (May 5, 2014): Advisory published.
  • V2.0 (June 9, 2015): Added the 3062760 update to the Juniper VPN Client Update section.
