Future-proofing principles against technological change

March 29th, 2017

In recent years, governments’ concerns about cybersecurity, data protection, and other information and communications technology (ICT) related issues have led to new policies, legislation, and regulation. In response, the ICT industry has consistently called for laws and rules that focus on outcomes and on principles, rather than on processes and prescriptions. This call has become so ubiquitous, however, that there is a danger it has become a hollow form of words. A truly outcome-oriented approach would be revolutionary and perhaps government or even industry will shy away from it, having forgotten why we need this approach in the first place.

So, I’d like to take a moment to re-examine the why and the how of outcomes- and principles-led legislation and regulation.

Technology moves fast; in 2007 we had the first iPhone and now we’re rolling out cloud computing. As a result, laws designed for telephony or paper files are increasingly difficult to apply, if not wholly irrelevant. Governments are acting on this realization, but as they do so they are inevitably looking to enshrine certain unchangeable points of principle into their new laws – from European privacy to American freedom of speech. And this is where the essential rationale for principles-led approaches is most obvious. Immovable principles could be laid down as particular behaviors within particular technologies but then they would live and die with that technology. Allowing unchangeable points of principle to become contingent on something we know will change, i.e. technology, won’t work for governments or societies. A different approach is needed, one that future-proofs our principles against technological change.

So how would that actually work? On the surface it seems simple enough: governments state the outcomes they expect or principles they demand, give whatever limited controls/incentives they think necessary, and allow ICT providers and regulators to get on with it. The reality is necessarily more complex. For one thing, even within a single nation there may be varied societal perspectives on what is wanted in principle. For another, the outcomes of today’s solutions can form tomorrow’s problems. In light of this, an effective “future-proofing” process may require new policy or regulatory bodies that are more flexible and more broad-based, because they can take account of divergent priorities and can also look more clearly at future consequences.

In the ferment of technological change, we can forget that society changes too, sometimes profoundly. Once concrete principles can shift over time and what was once acceptable or helpful can cease to be so. Amusingly, I know someone who is a Freeman of the City of London, with a right to drive sheep across a bridge over the Thames. This might have been very useful at one point but today most people would rather have free parking. More seriously, in the past women and minorities have been unfairly treated (and in places still are, even today). Applying this insight to the heart of law- and rule-making might seem odd, especially to the lawyers and technocrats that currently dominate the process. But if a principles-led approach is to have true meaning and longevity then the inclusiveness of the process must be genuine.

Equally, what seems like a good solution today can have unintended consequences. In the 1890s motorized vehicles solved horse-drawn vehicles’ endless manure and carcasses but eventually led to pollution and transport crises. In the 1920s lead in petrol solved “knocking” in automobile motors but paved the way for “a catastrophe for public health”. In the 1990s and 2000s diesel and biofuels answered petrol’s CO2-emissions but caused particulate air pollution and food supply problems. The chance of unintended consequences from government interventions in ICT is even more significant. Technology has spread throughout our lives, businesses, and governments. As a result, unexpectedly problematic outcomes are more likely and are potentially more damaging. Any structure or process pushing an outcomes-led approach needs to have the breadth of insights and expertise to minimize this risk. This means, once again, expanding the participants in the new approach beyond the current roster of legal and regulatory experts.

In conclusion, in order to help formulate lasting policies, law and regulations with a genuine focus on outcomes and principles, governments will need advice from new bodies with diverse legal, technical, social, and even philosophical membership. The new, non-traditional membership of these bodies will likely have to go beyond current “public private partnerships” if they are to deal with the operational differences, varying priorities, and distinct needs of those affected by new rules – now and in the foreseeable future. This will be a revolution in policy-making, equal in its own way to the technological revolution that has sparked it.

 

 

Categories: Uncategorized Tags:

Germany steps up leadership in cybersecurity

March 28th, 2017

Cyberattacks are on the rise worldwide, but many countries are making strides in promoting and developing cybersecurity by developing policy frameworks, encouraging investment in research and development, and by driving awareness of cybersecurity best practices. Germany is one of the countries that has been trying to increase the cybersecurity of its broader online ecosystem for a number of years and is today more committed to that goal than ever. And what Germany does matters not just because it is one of the top five global economies, but because it is one of the leading European Union (EU) member states. What German policy-makers think and feel can have a major effect on the EU, a trading bloc of 500 million people with a GDP on a par with the USA.

Microsoft’s Security Intelligence Report (SIR) shows Germany performs well compared to the global average when it comes to encounters with malware and the scale of infected computers (see the regional breakdown specific to Germany). Overall, the SIR shows the ongoing nature of the conflict between those delivering cybersecurity and those trying to break through, and even in the Germany of 2016 there was an uneven but upwards trend in encounters and infections.

A fundamental part of responding to these threats and the potentially significant economic damage they pose is, in my view, cooperation between government and the private sector. The new cybersecurity strategy seems to indicate that this is also the view of German policy-makers. Germany’s recognition of the importance of developing and implementing effective cyber security norms – along with the necessary means of verification/attribution – is very encouraging. And German support and leadership in the pertinent multi-lateral discussions will be crucial. In this context, it is worth noting that German leadership, during its 2016 Chairmanship of the Organization for Security and Co-operation in Europe, yielded concrete positive results in the related field of developing cybersecurity related confidence-building measures – which critically rely on different segments of society working together.

The strategy builds on Germany’s IT Security Law (IT-SiG), passed in 2015, which promoted cooperation between the German Federal Office for Information Security (BSI) and the industry in protecting critical infrastructure. Infrastructure protection is, of course, only one aspect of cybersecurity, and cooperation between governments and the private sector is only one part of the overall solution (for example, my Microsoft colleagues have also been arguing strongly for risk-based approaches to cybersecurity). Nonetheless, both the IT-SiG and the proposed strategy seem to be steps in the right direction. Cooperation between states and the private sector, including those who create information and communication technology (ICT) products and those who use them, seems like a very good way to develop effective cybersecurity policies and practices. What is true for Germany should be equally true for other EU member states.

The challenge is that, currently, not all companies may be happy about information exchange with the authorities (only 13 percent of companies in Germany are). It would be a terrible irony that just as governments realize the need for public-private partnerships in cybersecurity, companies start to step back from the opportunity. To prevent such a development, IT regulators will have to demonstrate the added value of receiving this information. They can do this by anonymizing it, and then sharing it with those private sector entities that need to know about it, and then acting on it to protect their systems and their customers.

Looking ahead, in order to enhance IT security in general and increase the protection of critical infrastructure in particular, public-private partnerships are essential, but they require commitment and buy-in from both sides. Microsoft is ready to play its part.

 


Giving CISOs assurance in the cloud

This post is authored by Mark McIntyre, Chief Security Advisor, Enterprise Cybersecurity Group.

Recently, I hosted a Chief Information Security Officer roundtable in Washington, DC. Executives from several US government agencies and systems integrators attended to share cloud security concerns and challenges, such as balancing collaboration and productivity against data protection needs, cyber threat detection, and compliance. Toward the end of the day, one CISO reminded me he needed assurance. He asked, “How can we trust Microsoft to protect our data? And, how can I believe what you say?”

This post provides an opportunity to share important updates and assurances about practices and resources that Microsoft uses to protect data and user privacy in the Cloud. It also offers information on resources available to CISOs and others that demonstrate our continuing investments in transparency.

Security at scale

Increasingly, government officials as well as industry analysts and executives are recognizing and evangelizing the security benefits of moving to hyper-scale cloud service providers. Microsoft works at this scale, investing $15B in the public cloud. The internet user maps below provide useful insight into why and where we are making these investments. Figure 1 represents internet usage in 2015. The size of the boxes reflects numbers of users. The colors indicate the percentage of people with access to the internet.

Figure 1, source: “Cyberspace 2025: Today’s Decisions, Tomorrow’s Terrain”

Now look at Figure 2, showing expected internet usage in 2025.  As you can see, global internet use and accompanying economic activity will continue to grow.

Figure 2

In addition to serving millions of people around the world, we are also moving Microsoft’s 100,000+ employees and our corporate infrastructure and data to the Cloud. We must therefore be confident that we can protect our resources as well as our users’.

How do we do it?  Microsoft invests over $1B per year in cybersecurity and data protection.  We start by ensuring that the software powering our data centers is designed, built and maintained as securely as possible. This video illustrates the world-class security Microsoft applies to data center protection.  We also continue to improve on years of development investments in the Security Development Lifecycle (SDL), to ensure that security is addressed at the very beginning stages of any product or service.  In the Cloud, the Operational Security Assurance framework capitalizes on the SDL and on Microsoft’s deep insights into the cybersecurity threat landscape.

One way that Microsoft detects cybersecurity activity in our data centers is the Intelligent Security Graph. Microsoft has incredible breadth and depth of signal and information we analyze from 450B authentications per month across our cloud services, 400B emails scanned for spam and malware, over a billion enterprise and consumer devices updated monthly, and 18B+ Bing scans per month. This intelligence, enhanced by rich expertise of Microsoft’s world class talent of security researchers, analysts, hunters, and engineers, is built into our products and our platform – enabling customers, and Microsoft, to detect and respond to threats more quickly. (Figures 3 & 4).  Microsoft security teams use the graph to correlate large-scale critical security events, using innovative cloud-first machine learning and behavior and anomaly-based search queries, to surface actionable intelligence.  The graph enables teams to collaborate internally and apply preventive measures or mitigations in near real-time to counter cyber threats.  This supports protection for users around the world, and assures CISOs that Microsoft has the breadth and scale to monitor and protect users’ identities, devices, apps and data, and infrastructure.

Figure 3

Figure 4

Access to data

Technology is critical for advancing security at hyper-scale, so Microsoft continues to evolve the ways in which administrators access corporate assets. The role of network administrators is significant. In our cloud services, we employ Just-in-Time and Just Enough Administration access, under which admins are provided the bare minimum window of time and physical and logical access to carry out a validated task. No admin may create or approve their own ticket, either. Further, Windows Server 2016 clients can implement these policies internally. Security and managing data centers at scale is an ever-evolving process based on the needs of our customers, the changing threat landscape, regulatory environments and more.

Compliance

Microsoft works with auditors and regulators around the world to ensure that we operate data centers at the highest levels of security and operational excellence.  We maintain the largest compliance portfolio in the industry, for example against the ISO 22301 privacy standard. In addition, Microsoft maintains certifications such as CSA STAR Certification, HITRUST, FACT and CDSA which many of our cloud competitors do not.  For more about Microsoft certifications, visit the Microsoft Trust Center Compliance page.

Transparency

Being compliant with local, industry, and international standards establishes that Microsoft is trustworthy, but our goal is to be trusted. Toward that end, and to ensure we address the needs of CISOs, Microsoft provides a wealth of information about cloud services, designed to provide direct and customer self-service opportunities to answer three key questions:

  • How is my data secured and protected?
  • How does Microsoft Cloud help me be compliant with my regulatory needs?
  • How does Microsoft manage privacy around my data?

The comments at our roundtable that prompted this blog show that our cloud security and compliance resources can be difficult to find, so while we double down on our efforts to raise awareness, bookmark this update and read below.  We operate the following portals, designed to facilitate self-service access to security and compliance information, FAQs and white papers, in convenient formats, and tailored to an organization’s geography, industry and subscription(s):

  • The Microsoft Trust Center, a centralized resource for enterprise customers to find answers about what Microsoft is doing to protect data, comply with regulatory requirements, and verify that we are doing what we say.
  • The Service Trust Portal (STP) is available for organizations under nondisclosure to current and potential Microsoft customers. It includes hundreds of important third-party audit reports, information on certifications, and internal security documents, for Azure, O365, Dynamics CRM Online, and Yammer. Examples include SOC and ISO audit reports.
  • The Service Assurance Portal, available to current O365 users, offers the same level of access but directly through the O365 subscription. This is a unique “transparency window” to provide customers with in-depth understanding in how we implement and test controls to manage confidentiality, integrity, availability, reliability, and privacy around customer data. Not only do we share the “what” about controls, but also the “how” about testing and implementation.

Government Security Program

Microsoft also participates in the Government Security Program as another key transparency initiative. Through the GSP, national governments (including regulators) may access deep architecture details about our products and services, up to and including source code. The GSP also provides participants with opportunities to visit Microsoft headquarters in Redmond to meet face to face with the teams that operate, monitor, and defend our company and products and services—including data centers—from cyber threats. They can also visit any of our Transparency Centers in Redmond, Brussels, Brasilia, and Singapore. Several dozen governments around the world use the GSP to obtain greater insight into how Microsoft builds, operates and defends its data centers, and by extension, how we protect users.

Microsoft stands ready to work with CISOs to raise awareness and ensure access to the resources discussed above. Visit the following sites to learn more. Microsoft has also created a dedicated team of cybersecurity professionals to help move you securely to the Cloud and protect your data. Learn more about the Enterprise Cybersecurity Group, or contact your local Microsoft representative.

Blogs: Microsoft Secure Blog and Microsoft On the Issues
Learn more about the Microsoft Enterprise Cloud
Read the Microsoft Security Intelligence Report
Follow us on Twitter: @MSFTSecurity


What you need to know about CASBs

Per Frost & Sullivan, more than 80 percent of employees admit to using non-approved SaaS apps in their jobs. The number of cloud services used by corporate employees is also quickly outpacing internal IT estimates. While IT groups typically estimate that employees are using 51 different services, the actual number is 15 times greater.

And it’s not just individual employees that are turning to shadow IT. Increasingly, non-approved SaaS applications are being adopted by entire work groups or departments, without IT’s knowledge, and with little consideration for the security risks they bring.

As employees continue to reach for tools and services that may not be IT-approved, IT professionals know they need to balance security risk tolerance while empowering departments and teams to achieve higher productivity.

How can you secure critical data without compromising productivity?

While the urge to block shadow IT is understandable, it’s, at best, a short-term solution. Not only does it reduce an organization’s ability to innovate, it inevitably results in employees finding ways around the restrictions.

Rather than blocking users from accessing the services they need to do their jobs efficiently, IT administrators need to find ways to monitor these services, analyze their risk profile, and offer alternatives for apps that fail to meet security or compliance needs.

Cloud Access Security Brokers: Flexibility meets control

According to Gartner, Cloud Access Security Brokers (CASBs) are “on-premises or cloud-based security policy enforcement points that are placed between cloud service consumers and cloud service providers.”

They give organizations a detailed picture of how their employees are using the cloud.

  • Which apps are they using?
  • Are these apps risky for my organization?
  • Who are the top users?
  • What does the upload/download traffic look like?
  • Are there any anomalies in user behavior such as: impossible travel, failed logon attempts, suspicious IPs?

Such behaviors can indicate whether their account has been compromised or whether the worker is taking unauthorized actions.

Along with better threat protection, CASBs offer IT professionals better visibility and control over the apps used in their environment. Once you have discovered the full extent of the apps used in your environment, you can then set policies that control the data stored in these apps for data loss prevention.

Exploring a CASB solution can be a great step to enhancing your security environment. With better visibility, protection, and management over your shadow IT, you can give employees the choice to use the apps they need, without sacrificing the security and compliance your organization demands.

To learn more about shadow IT and how CASBs can help your organization, download the e-book.


MS17-013 – Critical: Security Update for Microsoft Graphics Component (4013075) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 24, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


A new best practice to protect technology supply chain integrity

This post is authored by Mark Estberg, Senior Director, Trustworthy Computing. 

The success of digital transformation ultimately relies on trust in the security and integrity of information and communications technology (ICT). As ICT systems become more critical to economic prosperity, governments and organizations around the world are increasingly concerned about threats to the technology supply chain. These concerns stem from fear that an adversary might tamper with or manipulate products during development, manufacture, or delivery. This poses a challenge to the technology industry: If our products are to be fully trusted, we must be able to provide assurance to our customers that the technology they reviewed and approved before deployment is the same software that is running on their computers.

To increase confidence, organizations have increasingly turned to source code analysis through direct inspection of the supply chain by a human expert or an automated tool. Source code is a set of computer instructions written in a programming language that humans can read. This code is converted (or compiled) into an executable: a binary file of instructions in a language of zeroes and ones that machines can process and execute. This conversion of human-readable code to machine-readable code, however, raises the unsettling question of whether the machine code, and ultimately the software program running on computers, was built from the same source code files that the expert or tool analyzed. There has been no efficient and reliable method to answer this, even for open source software. Until now.

At Microsoft, we have developed a way to definitively demonstrate that a compiled machine-readable executable was generated from the same human-readable source code that was reviewed. It’s based on the concept of a “birth certificate” for binary files, which consists of unique numbers (or hash values) that are cryptographically strong enough to identify individual source code files.

As source code is compiled in Visual Studio, the compiler assigns the source code a hash value generated in such a way that it is virtually impossible that any other code will produce the same hash value. By matching hash values from the compiler to those generated from the examined source code files, we can verify that the executable code did indeed result from the original source code files.

This method is described in more detail in Hashing Source Code Files with Visual Studio to Assure File Integrity. The paper gives a full description of the new Visual Studio switch for choosing a hashing algorithm, suggested scenarios where such hashes might prove useful, and how to use Visual Studio to generate these source code hashes.

Microsoft believes that the technology industry must do more to assure its stakeholders of the integrity of software and the digital supply chain. Our work on hashing is both a way to help our customers and a way to further how the industry is addressing this growing problem:

  • This source file hashing can be employed when building C, C++, and C# executable programs in Visual Studio.
  • Technology providers can use unique hash value identifiers in their own software development for tracking, processing, and controlling source code files that definitively demonstrate a strong linkage to the specific executable files.
  • Standards organizations can include in their best practices the requirement to take this very specific and powerful step toward authenticity.

We believe that capabilities such as binary source file hashing are necessary to establish adequate trust to fulfill the potential of digital transformation. Microsoft is committed to building trust in the technology supply chain and will continue to innovate with our customers, partners and other industry stakeholders.

Practical applications of digital birth certificates

There are many practical applications for our binary source file hashing capability, including these:

  • Greater assurance through automated scanning. As an automated analysis tool scans the source code files, it can also generate a hash value for each of the files being scanned. Matching hash values from the compiler with hash values generated by the analysis not only definitively demonstrates that they were compiled into the executable code, but that the source code files were scanned with the approved tool.
  • Improved efficiency in identifying vulnerabilities. If a vulnerability is identified in a source file, the hash value of the source file can be used to search among the birth certificates of all the executable programs to identify programs likely to include the same vulnerability.
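
The two uses listed above, sketched as an added example (this is not Microsoft's tooling and not code from the paper). It assumes each binary's birth certificate has already been extracted into a mapping of source path to SHA-256 digest; the function names, file names and certificates are hypothetical and constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Hash the raw bytes of one source file. Any byte-level change,
    including a line-ending conversion, yields a different digest."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root, suffixes=(".c", ".cpp", ".h", ".cs")):
    """Hash every reviewed source file under root, keyed by relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def verify(certificate, reviewed):
    """Compare hashes recorded at build time with hashes of the reviewed files."""
    report = {"matched": [], "mismatched": [], "not_reviewed": []}
    for name, recorded in sorted(certificate.items()):
        actual = reviewed.get(name)
        if actual is None:
            report["not_reviewed"].append(name)   # compiled in, never examined
        elif actual.lower() == recorded.lower():
            report["matched"].append(name)
        else:
            report["mismatched"].append(name)     # built from different bytes
    # Reviewed files that the binary was not built from.
    report["not_compiled"] = sorted(set(reviewed) - set(certificate))
    return report


def binaries_containing(certificates, source_hash):
    """Find every binary whose certificate lists the given source hash."""
    wanted = source_hash.lower()
    return sorted(
        binary
        for binary, cert in certificates.items()
        if wanted in (h.lower() for h in cert.values())
    )


def demo():
    # Constructed sample: two reviewed files written to a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "parser.c").write_bytes(b"int parse(void) { return 0; }\n")
        (src / "net.c").write_bytes(b"int send_all(void) { return 1; }\n")
        reviewed = hash_tree(tmp)

    parser_hash = reviewed["src/parser.c"]
    # Constructed certificates: app.exe was built from a net.c that differs
    # from the reviewed copy; tool.exe shares parser.c with app.exe.
    altered = hashlib.sha256(b"int send_all(void) { return 2; }\n").hexdigest()
    certificates = {
        "app.exe": {"src/parser.c": parser_hash, "src/net.c": altered},
        "tool.exe": {"src/parser.c": parser_hash},
        "other.exe": {"src/main.c": hashlib.sha256(b"int main(void){}\n").hexdigest()},
    }
    report = verify(certificates["app.exe"], reviewed)
    # If parser.c is later found vulnerable, list the binaries built from it.
    affected = binaries_containing(certificates, parser_hash)
    return report, affected


if __name__ == "__main__":
    print(demo())
```
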

To learn more about evolving threats to the ICT supply chain, best practices, and Microsoft’s strategy, check out our webinar, Supply Chain Security: A Framework for Managing Risk.


3 ways to outsmart attackers by using their own playbook

This blog post was authored by Andrej Budja, Frank Brinkmann, Heath Aubin, Jon Sabberton and Jörg Finkeisen from the Cybersecurity Protection Team, part of the Enterprise Cybersecurity Group.

The security landscape has changed.

Attackers often know more about the target network and all the ways they can compromise an organization than the targeted organization itself. As John Lambert writes in his blog, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win”.

Attackers do think in graphs. Unfortunately, most organizations still think in lists and apply defenses based on asset value, rather than the security relationships between the assets.

So, what can you do to level the playing field? Use the attackers’ playbook against them!

Get ahead by creating your own graph

Start by reading John Lambert’s blog post, then do what attackers do – graph your network. At Microsoft, we are using graphs to identify potential attack paths on our assets by visualizing key assets and security relationships.

While we have not published our internal tools (you can find some similar open source tools on the Internet), we have created a special cybersecurity engagement delivered by our global Microsoft Services team, called Active Directory Hardening (ADH).

The ADH offer uses our tools to help discover and analyze privileged account exposure and provide transition assistance for deviations from the privileged administration recommendations used at Microsoft. The ADH provides assistance by reducing the number of highly privileged Active Directory (AD) administrative accounts and transitioning them into a recommended AD administration model.

Break connections in your graph

Once you have the graph for your AD accounts, you will notice clusters as well as the different paths attackers can use to move laterally on your network. You will want to implement security controls to close those paths. One of the most effective ways to reduce the number of paths is by reducing the number of administrators (this includes users that are local administrators on their workstations) and by using dedicated, hardened workstations for all privileged users – we call these Privileged Access Workstations (PAWs).

These PAWs are deployed from a clean source and make use of modern security controls available in Windows 10. Because PAWs are not used as general purpose workstations (no email and Internet browsing allowed), they provide high security assurances for sensitive accounts and block popular attack techniques. PAWs are recommended for administration of identity systems, cloud services, and private cloud fabric as well as sensitive business functions.
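
To make the list-versus-graph point concrete, here is an added example (not Microsoft's internal tooling and not part of the original post) that models security relationships as a directed graph, lists the exposure paths to a privileged group, and re-checks them after privileged logons are restricted to PAWs. All host, account and edge names are constructed, and the three edge kinds are a simplifying assumption.

```python
from collections import deque

# Constructed sample data, not a real environment. An edge (a, b, kind)
# means "control of a leads to control of b":
#   AdminTo    - the account is an administrator on the machine
#   HasSession - the account logs on to the machine, exposing its credentials
#   MemberOf   - the account belongs to the group
EDGES = [
    ("alice", "WKS-01", "AdminTo"),
    ("alice", "WKS-02", "AdminTo"),
    ("WKS-01", "hd-bob", "HasSession"),
    ("hd-bob", "SRV-FILE", "AdminTo"),
    ("SRV-FILE", "da-carol", "HasSession"),
    ("WKS-02", "da-carol", "HasSession"),
    ("PAW-01", "da-carol", "HasSession"),
    ("da-carol", "Domain Admins", "MemberOf"),
]
PRIVILEGED = {"da-carol"}   # accounts that must only log on to PAWs
PAWS = {"PAW-01"}


def build(edges):
    """Adjacency list: node -> [(neighbour, edge kind), ...]."""
    graph = {}
    for src, dst, kind in edges:
        graph.setdefault(src, []).append((dst, kind))
        graph.setdefault(dst, [])
    return graph


def simple_paths(graph, start, target, max_nodes=10):
    """All loop-free paths from start to target, each a list of nodes."""
    found, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            found.append(path)
            continue
        if len(path) >= max_nodes:
            continue
        for nxt, _kind in graph.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return sorted(found)


def can_reach(graph, target):
    """Every node from which the target is reachable (reverse BFS)."""
    reverse = {}
    for src, outs in graph.items():
        for dst, _kind in outs:
            reverse.setdefault(dst, set()).add(src)
    seen, queue = {target}, deque([target])
    while queue:
        node = queue.popleft()
        for prev in reverse.get(node, ()):
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    return seen - {target}


def enforce_paws(edges, privileged, paws):
    """Drop privileged-account sessions on any machine that is not a PAW."""
    return [
        (src, dst, kind)
        for src, dst, kind in edges
        if not (kind == "HasSession" and dst in privileged and src not in paws)
    ]


def demo():
    before = build(EDGES)
    after = build(enforce_paws(EDGES, PRIVILEGED, PAWS))
    return {
        "paths_before": simple_paths(before, "alice", "Domain Admins"),
        "paths_after": simple_paths(after, "alice", "Domain Admins"),
        "exposed_before": can_reach(before, "Domain Admins"),
        "exposed_after": can_reach(after, "Domain Admins"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a list view, `alice` is just a standard user with local administrator rights on two workstations; only the graph shows that those rights connect to Domain Admins, and that removing two logon edges disconnects them.
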

You can develop and deploy PAWs on your own by following our online guide, or you can engage Microsoft Services to help accelerate your adoption of PAWs using our standard PAW offering.

Bolster your defenses

PAWs provide excellent protection for your privileged users. However, they are less effective when your highest privileged accounts (Domain Administrators and Enterprise Administrators) have already been compromised. In this situation, you need to provide Domain Administrators a new, clean, and trusted environment from which they can regain control of the compromised network.

Enhanced Security Administrative Environment (ESAE) builds upon guidance and security controls from PAWs and adds additional controls by hosting highly-privileged accounts and workstations in a dedicated administrative forest. This new, minimal AD forest provides stronger security controls that are not possible in the production environment with PAWs. These controls are used to protect your most privileged production domain accounts. For more information about the ESAE administrative forest and security concepts, please read ESAE Administrative Forest Design Approach.

Conclusion

“If you know your enemy and know yourself you need not fear the results of hundreds of battles”, Sun Tzu, Chinese general, military strategist, 6th Century BCE.

Protecting your valuable assets against sophisticated adversaries is challenging, but it can be made easier by learning from attackers and using their playbook. Our teams are working daily on the latest cybersecurity challenges and sharing our knowledge and experience. Discover more information in the following resources:

About the Cybersecurity Protection Team

Microsoft invests more than a billion dollars each year to build security into our products and services. One of the investments is the global Enterprise Cybersecurity Group (ECG) which consists of cybersecurity experts helping organizations to confidently move to the cloud and modernize their enterprises.

The Cybersecurity Protection Team (CPT) is part of ECG, and is a global team of Cybersecurity Architects that develops, pilots, and maintains cybersecurity offerings that protect your critical assets. The team works closely with other Microsoft teams, product groups, and customers to develop guidance and services that help protect your assets.


MS16-JUL – Microsoft Security Bulletin Summary for July 2016 – Version: 1.2

Revision Note: V1.2 (March 17, 2017): For MS16-087, added a Known Issues reference to the Executive Summaries table. If you are using network printing in your environment, after you apply the 3170005 security update you may receive a warning about installing a printer driver, or the driver may fail to install without notification. For more information about the update and the known issue, see Microsoft Knowledge Base Article 3170005.
Summary: This bulletin summary lists security bulletins released for July 2016.


MS16-084 – Critical: Cumulative Security Update for Internet Explorer (3169991) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (March 17, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.



MS17-017 – Important: Security Update for Windows Kernel (4013081) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application.


MS17-MAR – Microsoft Security Bulletin Summary for March 2017 – Version: 1.0


MS17-013 – Critical: Security Update for Microsoft Graphics Component (4013075) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


MS17-020 – Important: Security Update for Windows DVD Maker (3208223) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves an information disclosure vulnerability in Windows DVD Maker. The vulnerability could allow an attacker to obtain information to further compromise a target system.


3123479 – SHA-1 Hashing Algorithm for Microsoft Root Certificate Program – Version: 2.0

Revision Note: V2.0 (March 14, 2017): Advisory rereleased to announce that the changes described in this advisory have been reverted as of November 2016. This is an informational change only.
Summary: Microsoft is announcing a policy change to the Microsoft Root Certificate Program.


MS17-022 – Important: Security Update for Microsoft XML Core Services (4010321) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a user visits a malicious website. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.


MS17-012 – Critical: Security Update for Microsoft Windows (4013078) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker running inside a virtual machine runs a specially crafted application.


MS17-018 – Important: Security Update for Windows Kernel-Mode Drivers (4013083) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (March 14, 2017): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
