Archive for the ‘Microsoft Office’ Category

Where’s the Macro? Malware authors are now using OLE embedding to deliver malicious files

June 14th, 2016

Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar manner, and this use of OLE might indicate a shift in behavior as administrators and enterprises mitigate this infection vector with better security and new options in Office.

In these new cases, we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.

The script or object is surrounded by text that encourages the user to click or interact with it (the object is usually represented with a script-like icon). When the user interacts with the object, a warning prompts the user to confirm whether to proceed. If the user chooses to proceed (by clicking Open), the malicious script runs and any form of infection can occur.

Packager warning

Figure 1: Warning message prompts the users to check whether they should open the script or not.

It’s important to note that user interaction and consent is still required to execute the malicious payload. If the user doesn’t enable the object or click on the object – then the code will not run and an infection will not occur.

Education is therefore an important part of mitigation – as with spam emails, suspicious websites, and unverified apps. Don’t click the link, enable the content, or run the program unless you absolutely trust it and can verify its source.

In late May 2016, we came across the following Word document (Figure 2) that used VB script and language similar to that used in CAPTCHA and other human-verification tools.

Screenshot of an invitation to unlock contents

Figure 2: Invitation to unlock contents

It’s relatively easy for the malware author to replace the contents of the file (the OLE or embedded object that the user is invited to double-click or activate). We can see this in Figure 3, which indicates the control or script is a JS script.

A screenshot of a possible JavaScript variant

Figure 3: Possible JavaScript variant

The icon used to indicate the object or content can be just about anything. It can be a completely different icon that has nothing to do with the scripting language being used – as the authors can use any pictures and any type

Screenshot of an embedded object variant

Figure 4: Embedded object variant

It’s helpful to be aware of what this kind of threat looks like, what it can look like, and to educate users to not enable, double-click, or activate embedded content in any file without first verifying its source.

Technical details – downloading and decrypting a binary

In the sample we investigated, the content of the social engineering document is a malicious VB script, which we detect as TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs. This sample also distinguishes itself from the typical download-and-execute routine common to this type of infection vector – it has a “decryption function”.

This malicious VB script downloads an encrypted binary (so that network-based protection designed to recognize and block malicious file formats never sees a recognizable executable on the wire), decrypts the binary, and then runs it. Figure 5 illustrates the encrypted binary we saw in this sample.

Screenshot of the encrypted binary

Figure 5: The encrypted binary

The embedded object or script downloads the encrypted file to %appdata% with a random file name, and proceeds to decrypt it using the script’s decryption function (Figure 6).

Screenshot of the decryption process, part 1

Screenshot of the decryption process, part 2

Screenshot of the decryption process, part 3

Figure 6: Decryption process

Lastly, it executes the now-decrypted binary, which in this example was Ransom:Win32/Cerber.

Screenshot of the decrypted Win32 executable

Figure 7: Decrypted Win32 executable

Prevalence

Our data shows these threats (TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs) are not particularly prevalent, with the greatest concentration in the United States.

We’ve also seen a steady decline since we first discovered them in late May 2016.

Worldwide prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 8: Worldwide prevalence

Daily prevalence of TrojanDownloader:VBS/Vibrio and TrojanDownloader:VBS/Donvibs

Figure 9: Daily prevalence

Prevention and recovery recommendations

Administrators can prevent activation of OLE packages by modifying the registry key HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt.

The Office version values should be:

  • 16.0 (Office 2016)
  • 15.0 (Office 2013)
  • 14.0 (Office 2010)
  • 12.0 (Office 2007)

Setting the value to 2 will cause Office to disable packages, so they won’t be activated if a user tries to interact with or double-click them.

The value options for the key are:

  • 0 – No prompt from Office when user clicks, object executes
  • 1 – Prompt from Office when user clicks, object executes
  • 2 – No prompt, Object does not execute

You can find details about this registry key in the Microsoft Support article https://support.microsoft.com/en-us/kb/926530.
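As an added example (not code from the original post), the following PowerShell audits the PackagerPrompt value for the Office versions listed above and sets it to 2 in the current user’s hive. The application subkey names Word, Excel and PowerPoint are an assumption, since the post does not list them.

```powershell
# Added example, not code from the original post.
# Audits and hardens the PackagerPrompt value described in the post,
# in the current user's hive (HKCU), across the listed Office versions.
# Assumption: the per-application subkeys are Word, Excel and PowerPoint;
# the post does not list them, so adjust $Applications for your estate.

$OfficeVersions = @('16.0', '15.0', '14.0', '12.0')   # Office 2016, 2013, 2010, 2007
$Applications   = @('Word', 'Excel', 'PowerPoint')     # assumption, see above

# Meaning of each PackagerPrompt value, as given in the post
$ValueMeaning = @{
    0 = 'No prompt from Office when user clicks, object executes'
    1 = 'Prompt from Office when user clicks, object executes'
    2 = 'No prompt, object does not execute'
}

function Get-PackagerPromptState {
    # Returns one record per version/application pair with the current value
    [CmdletBinding()]
    param(
        [string[]]$Versions = $OfficeVersions,
        [string[]]$Apps     = $Applications
    )
    foreach ($ver in $Versions) {
        foreach ($app in $Apps) {
            $keyPath = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            $value   = $null
            if (Test-Path -Path $keyPath) {
                $item = Get-ItemProperty -Path $keyPath -Name 'PackagerPrompt' -ErrorAction SilentlyContinue
                if ($null -ne $item) { $value = [int]$item.PackagerPrompt }
            }
            if ($null -eq $value) {
                $meaning = 'Not set (Office default applies)'
            } elseif ($ValueMeaning.ContainsKey($value)) {
                $meaning = $ValueMeaning[$value]
            } else {
                $meaning = 'Unexpected value'
            }
            [pscustomobject]@{
                Version        = $ver
                Application    = $app
                KeyPath        = $keyPath
                PackagerPrompt = $value
                Meaning        = $meaning
                Hardened       = ($value -eq 2)
            }
        }
    }
}

function Set-PackagerPromptDisabled {
    # Sets PackagerPrompt = 2 (no prompt, object does not execute) for every pair.
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Versions = $OfficeVersions,
        [string[]]$Apps     = $Applications
    )
    foreach ($ver in $Versions) {
        foreach ($app in $Apps) {
            $keyPath = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if ($PSCmdlet.ShouldProcess($keyPath, 'Set PackagerPrompt to 2')) {
                # The Security subkey may not exist until the application writes it;
                # creating it for a version that is not installed is harmless.
                if (-not (Test-Path -Path $keyPath)) {
                    New-Item -Path $keyPath -Force | Out-Null
                }
                New-ItemProperty -Path $keyPath -Name 'PackagerPrompt' `
                    -PropertyType DWord -Value 2 -Force | Out-Null
            }
        }
    }
}

# Audit first, preview the change, then apply it and list anything still not hardened
Get-PackagerPromptState | Format-Table Version, Application, PackagerPrompt, Hardened -AutoSize
Set-PackagerPromptDisabled -WhatIf
Set-PackagerPromptDisabled
Get-PackagerPromptState | Where-Object { -not $_.Hardened }
```

Because the key lives under HKCU, it must be applied in each user’s hive, for example through Group Policy Preferences or a logon script, rather than once per machine.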

See our other blogs and our ransomware help page for further guidance on preventing and recovering from these types of attacks:

Alden Pornasdoro

MMPC

February 2015 Updates

February 10th, 2015

Today, as part of Update Tuesday, we released nine security bulletins – three rated Critical and six rated Important in severity, to address 56 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software. 

We encourage you to apply all of these updates. For more information about this month’s security updates, including the detailed view of the Exploitability Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate the XI, a full description can be found here.

We re-released one Security Bulletin:

One new Security Advisory was released:

One Security Advisory was revised:

We also announced changes related to SSL 3.0 and you can read more about these on the IE blog.

For the latest information, you can follow the Microsoft Security Response Center (MSRC) team on Twitter at @MSFTSecResponse.

MSRC Team

November 2014 Updates

November 11th, 2014

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

Advance Notification Service for the November 2014 Security Bulletin Release

November 6th, 2014

Today, we provide advance notification for the release of 16 Security Bulletins. Five of these updates are rated Critical, nine are rated as Important, and two are rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

As per our monthly process, we've scheduled the Security Bulletin release for the second Tuesday of the month, November 11, 2014, at approximately 10 a.m. PST. At that time, we'll provide deployment guidance. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.

We also want to let you know about a new way we will deliver our Security Bulletins. To streamline the way customers receive our security updates, we are directing customers to resources that will be available on the MSRC blog on Update Tuesday.

Follow us on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

Security Advisory 3010060 released

October 21st, 2014

Today, we released Security Advisory 3010060 to provide additional protections regarding limited, targeted attacks directed at Microsoft Windows customers. A cyberattacker could cause remote code execution if someone is tricked into opening a maliciously-crafted PowerPoint document that contains an infected Object Linking and Embedding (OLE) file.

As part of this Security Advisory, we have included an easy, one-click Fix it solution to address the known cyberattack. Please review the "Suggested Actions" section of the Security Advisory for additional guidance. Applying the Fix it does not require a reboot. We suggest customers apply this Fix it to help protect their systems.

The Enhanced Mitigation Experience Toolkit (EMET) also helps to defend against this cyberattack when configured to work with Microsoft Office software. The necessary configuration steps for EMET, are provided in the "Suggested Actions" section of the Security Advisory.

We also encourage you to follow the "Protect Your Computer" guidance by enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. In addition, we recommend that individuals avoid clicking suspicious links, or opening email messages from unfamiliar senders. More information can be found at www.microsoft.com/protect.

We continue to work on a security update to address this cyberattack. We're monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.

Tracey Pretorius
Director, Response Communications

Get security updates for June 2014

June 10th, 2014

Microsoft releases security updates on the second Tuesday of every month.

Skip the details and check for the latest updates.

This bulletin announces the release of security updates for Windows, Microsoft Office, and other programs.

To get more information about security updates and other privacy and security issues delivered to your email inbox, sign up for our newsletter.

Theoretical Thinking and the June 2014 Bulletin Release

June 10th, 2014

As security professionals, we are trained to think in worst-case scenarios.  We run through the land of the theoretical, chasing “what if” scenarios as though they are lightning bugs to be gathered and stashed in a glass jar.  Most of the time, this type of thinking is absolutely the correct thing for security professionals to do.  We need to be prepared for when, not if, these disruptive events occur.  However, every now and then, it can be productive to draw ourselves out of this hypothetical mentality and look instead at the real impact in the here and now.

Speaking of the here and now, today we release seven security bulletins, two rated Critical and five rated Important in severity, addressing 66 Common Vulnerabilities and Exposures (CVEs) for Microsoft Windows, Internet Explorer, and Microsoft Office customers.  But before we get into the details of the updates, I want to take a moment to provide some additional insight into how we assess and recommend those severity ratings.  For every issue, we consider “what if” – what’s the severest outcome from a potential cyberattack?  We want to provide our best guidance on the risk assessment for our customers, and that requires consideration of the worst-case scenario.

If we consider the worst-case scenario analogous to a tree falling in the woods, is there a sound if no one is around to hear it?  Similarly, does a vulnerability make a sound if it never gets exploited?  When we become aware of a potential security issue, we work to fix it regardless of whether or not it is under active attack.  In other words, it doesn’t matter if that falling tree makes a noise; we still have an action to take.  Why?  Because one day in the future, it’s possible what we’re delivering today could get exploited if not addressed.  However, we’re not in the future; we’re in the land of the here and now.  And while we are in this land, we sometimes confuse theoretical thinking with the actuality of impact to real people.  Until something actually occurs it is still theory; we’re taking the theoretical and making practical updates against future “what ifs”.

Let’s look at an example from this month’s release.  The security bulletin for Internet Explorer (IE) resolves 59 items, including CVE-2014-1770.  The most serious of these could allow remote code execution if a user views a webpage specially crafted by a cybercriminal.  We still haven’t seen any active attacks attempting to exploit any of the other CVEs addressed by this bulletin.  While there are a number of things being addressed this time around, it’s important to note that, to our knowledge, none of these now-addressed CVEs have caused any customer impact to date.  

Addressing items before active attacks occur helps keep customers better protected.  The Internet Explorer update for this month includes additional security updates that will help protect our customers, which is yet another reason why it’s good to stay current with the latest updates.

If you’ve seen the recent blog from the IE team, you’ll also see another message:  Customers should update to the latest version of Internet Explorer.  For Windows 7 and Windows 8.1, that means Internet Explorer 11—the most modern, secure browser we’ve ever built.  IE11 has advanced security features like Enhanced Protection Mode (EPM) and SmartScreen Filter, support for modern web standards, and Enterprise Mode for rendering legacy web apps.  Internet Explorer 11 is much more secure than older versions, which is why we encourage customers to upgrade.

There are six other bulletins released today to improve your security as well.  For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

Here’s an overview of all the updates released today:

As always, we encourage you to apply all of the updates, but for those who prioritize, we recommend the Word and Internet Explorer updates be on the top of your list.

Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer.  The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-16.  For more information about this update, including download links, see Microsoft Knowledge Base Article 2966072.

Watch the bulletin overview video below for a brief summary of today's releases.

Andrew Gross and I will host the monthly security bulletin webcast, scheduled for Wednesday, June 11, 2014, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins.

For all the latest information, you can also follow us at @MSFTSecResponse.

I look forward to hearing any questions about this month’s release during our webcast tomorrow.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

May 2014 Security Bulletin Webcast and Q&A

May 16th, 2014

Today we published the May 2014 Security Bulletin Webcast Questions & Answers page. We answered 17 questions in total, with the majority focusing on the update for SharePoint (MS14-022), Group Policy (MS14-025) and Internet Explorer (MS14-029).

Here is the video replay:

We invite you to join us for the next scheduled webcast on Wednesday, June 11, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the June bulletin release and answer your bulletin deployment questions live on the air.

You can register to attend the webcast at the link below:

Date: Wednesday, June 11, 2014
Time: 11:00 a.m. PDT (UTC -7)
Register:
Attendee Registration

I look forward to seeing you next month.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

The May 2014 Security Updates

May 13th, 2014

Today, we released eight security bulletins – two rated Critical and six rated Important – to address 13 Common Vulnerability & Exposures (CVEs) in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. We encourage you to apply all of these updates, but for those who need to prioritize their deployment planning, we recommend focusing on MS14-024, MS14-025 and MS14-029.

We also have some new security advisories releasing today. Security Advisory 2871997 provides an update for Windows 8 and Windows Server 2012 that enhances credential protection and domain authentication controls to reduce credential theft by making specific improvements. These features are currently available in Windows 8.1 and Windows Server 2012 R2, and we are making them available for other platforms.

The .NET Framework update provided by Security Advisory 2960358 disables Rivest Cipher 4 (RC4) in Transport Layer Security (TLS). This is similar to what we did with Security Advisory 2868725 back in November, 2013. The only difference here is this month’s advisory is specific to the .NET Framework.

The last of the new advisories is Security Advisory 2962824. This update revokes the digital signature for a specific Unified Extensible Firmware Interface (UEFI) module.  Although we are not currently aware of any customer impact, we’re taking this step out of an abundance of caution as a part of our ongoing efforts to provide the best customer protections available. If you are not running a system that supports UEFI Secure Boot or you have it disabled, there is no risk, and no action for you to take.

Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-14. For more information about this update, including download links, see Microsoft Knowledge Base Article 2957151.

For those wondering, Windows XP will not be receiving any security updates today. For some time we have been recommending customers move to a modern operating system like Windows 7 or Windows 8.1 to help stay safe, and now is a great time to make that move. For more information, see the Windows Experience Blog.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploit Index (XI), a full description is found here.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, May 14, 2014, at 11 a.m. PDT. I invite you to register here and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Advance Notification Service for the May 2014 Security Bulletin Release

Today we provide Advance Notification Service (ANS) for the release of eight bulletins, two rated Critical and six rated Important in severity. These updates will address vulnerabilities for .NET Framework, Office, Internet Explorer, and Windows.

As we do every month, we’ve scheduled the security bulletin release for the second Tuesday of the month, May 13, 2014, at approximately 10:00 a.m. PDT. Revisit this blog then for deployment guidance and further analysis together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information to help you prepare for deployment priorities and security bulletin testing.

You can follow us on Twitter. The MSRC handle is @MSFTSecResponse

Thank you,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

April 2014 Security Bulletin Webcast and Q&A

April 11th, 2014

Today we published the April 2013 Security Bulletin Webcast Questions & Answers page. We answered 13 questions in total, with the majority focusing on the update for Internet Explorer (MS14-018) and the Windows 8.1 Update (KB2919355). Two questions that were not answered on air have been included on the Q&A page.

Here is the video replay.

For those of you following the ongoing investigation around the industry-wide issue known as “Heartbleed,” please refer to this post on the Microsoft Security Blog for the status of our investigation.

We invite you to join us for the next scheduled webcast on Wednesday, May 14, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer your bulletin deployment questions live on the air.

You can register to attend the webcast at the link below:

Date: Wednesday, May 14, 2014
Time: 11:00 a.m. PDT (UTC -7)
Register:
Attendee Registration

I look forward to seeing you next month.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

The April 2014 Security Updates

April 8th, 2014

T. S. Eliot once said, “What we call the beginning is often the end. And to make an end is to make a beginning. The end is where we start from.” So as we put one season to bed, let’s start another by looking at the April security updates. Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office. The update for Microsoft Word addresses the issues described in Microsoft Security Advisory 2953095. For those who prioritize, we recommend this bulletin as well as the update for Internet Explorer be on the top of your list.

We would be remiss if we did not mention another end: the end of support for Windows XP and Office 2003. The updates provided by MS14-018 and MS14-019 will be the final security updates for Windows XP; MS14-017 and MS14-020 are the final updates for Office 2003. For those who haven’t migrated yet, I recommend visiting the Microsoft Security Blog, where my colleague Tim Rains provides guidance for consumers and small businesses who may have questions about how end of support affects them. Enterprise administrators will also find this a worthwhile read.

Here’s an overview of all the updates released this month:

Our top priorities for this month are MS14-018 and MS14-017, which address issues in Internet Explorer and Microsoft Word respectively.

MS14-018 | Cumulative Update for Internet Explorer

This security update resolves six privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. While the issues addressed by this bulletin are very straightforward, I wanted to specifically call your attention to the updates for Internet Explorer 11 on Windows 8.1 and Windows Server 2012 R2. For these platforms, the update is not cumulative – it only addresses the issues described in this bulletin. You also have the option of installing KB2919355, which is a cumulative update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. In addition to previous updates for these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications, usability improvements, extended mobile device management, and improved hardware support. Additionally, for Windows Server 2012 R2, it includes support for clustering configurations for hosters. For more information about this update, see Microsoft Knowledge Base Article 2919355.

Similarly, customers running Internet Explorer 11 on Windows 7 and Windows Server 2008 R2 also can choose a cumulative update: KB2929437. In addition to previous updates for Internet Explorer 11 on these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications. If you install this cumulative update, you will not need to install the KB2936068 update offered through MS14-018. There may also be some who overlook the update for Internet Explorer 10. For this version of the browser, the update is non-security. The issues addressed by this bulletin do not impact Internet Explorer 10, but the update does include non-security related changes. For more information about the non-security-related fixes that are included in this update, see Microsoft Knowledge Base Article 2936068.

MS14-017 | Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution

This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Word. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Office software. This security update also addresses the vulnerability first described in Microsoft Security Advisory 2953095. If you have installed the Fix it provided through this advisory, you should remove it once you apply the update to ensure RTF files open correctly.

Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security Bulletin APSB14-09. For more information about this update, including download links, see Microsoft Knowledge Base Article 2942844.

Watch the bulletin overview video below for a brief summary of today's releases.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

William Peteroy and I will host the monthly bulletin webcast, scheduled for Wednesday, April 9, 2014, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow us at @MSFTSecResponse.

Please join me in wishing Windows XP and Office 2003 a fond farewell as they head towards the sunset of their lives. I look forward to hearing your questions about this month’s release in our webcast tomorrow.

Thanks,
Dustin Childs

Group Manager, Response Communications
Microsoft Trustworthy Computing

Advance Notification Service for the April 2014 Security Bulletin Release

April 3rd, 2014 No comments

Today we provide advance notification for the release of four bulletins, two rated Critical and two rated Important in severity. These updates address issues in Microsoft Windows, Office and Internet Explorer.

The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095. This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally. At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010. The update will fully address all affected versions.
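The advisory’s File Block workaround leaves a per-user Word setting behind, and both this post and the MS14-017 bulletin ask you to reverse it once the update is installed. The following PowerShell audit script is an added example, not Microsoft’s Fix it; it assumes the Fix it wrote the documented Word File Block values (RtfFiles = 2, OpenInProtectedView = 0) under the per-user HKCU Office key for Word 2007/2010/2013, and reports which installs still have RTF blocked. The optional -Restore switch clears those two values; the advisory’s own route is to uninstall the Fix it from Programs and Features.

```powershell
# Added audit example (not Microsoft's Fix it). Assumption: the workaround set
#   HKCU:\Software\Microsoft\Office\<ver>\Word\Security\FileBlock
#   RtfFiles = 2 (open/save blocked), OpenInProtectedView = 0 (do not open)
# Run in the context of the user whose Word profile you want to check.
param([switch]$Restore)

$versions = @{ '12.0' = 'Word 2007'; '14.0' = 'Word 2010'; '15.0' = 'Word 2013' }

foreach ($ver in $versions.Keys) {
    $key = "HKCU:\Software\Microsoft\Office\$ver\Word\Security\FileBlock"
    if (-not (Test-Path $key)) { continue }          # this Office version is not installed / never configured

    $props = Get-ItemProperty -Path $key
    $rtf   = $props.RtfFiles
    $pv    = $props.OpenInProtectedView

    if ($rtf -eq 2 -and $pv -eq 0) {
        Write-Output "$($versions[$ver]): RTF still blocked (RtfFiles=$rtf, OpenInProtectedView=$pv)"
        if ($Restore) {
            # Remove only the two values the workaround added; other File Block policy stays untouched.
            Remove-ItemProperty -Path $key -Name RtfFiles -ErrorAction SilentlyContinue
            Remove-ItemProperty -Path $key -Name OpenInProtectedView -ErrorAction SilentlyContinue
            Write-Output "$($versions[$ver]): RTF block removed; verify MS14-017 is installed before relying on this"
        }
    } else {
        Write-Output "$($versions[$ver]): RTF not blocked by File Block (RtfFiles=$rtf)"
    }
}
```

If Group Policy rather than the Fix it enforces File Block, the values live under HKCU:\Software\Policies\Microsoft\Office\<ver>\Word\Security\FileBlock instead and should be changed through the policy, not this script.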

This Tuesday’s release will offer the last security updates made available for Windows XP and Office 2003. Both of these products go out of support on April 8, 2014. If you are unsure about the impact this may have on your environment, I recommend you read the recent blog from Trustworthy Computing’s Tim Rains, which discusses some of the threats to Windows XP and provides guidance for small businesses and consumers.

As per our usual process, we’ve scheduled the security bulletin release for the second Tuesday of the month, April 8, 2014, at approximately 10:00 a.m. PDT. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information to help you prepare for security bulletin testing and deployment.

Finally, you can stay on top of the MSRC team’s recent activities by following us on Twitter at @MSFTSecResponse.

Thank you,
Dustin Childs

Group Manager, Response Communications
Microsoft Trustworthy Computing

Microsoft Releases Security Advisory 2953095

March 24th, 2014 No comments

Today we released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. An attacker could cause remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.

As part of the security advisory, we have included an easy, one-click Fix it to address the known attack vectors. The Fix it is available to all customers and helps prevent known attacks that leverage the vulnerability to execute code. Additionally, applying the Fix it does not require a reboot. We encourage all customers using Microsoft Word to apply this Fix it to help protect their systems.

The Enhanced Mitigation Experience Toolkit (EMET) also helps to defend against this vulnerability when configured to work with Microsoft Office software. If you are using EMET 4.1 with the recommended settings, this configuration is already enabled and no additional steps are required.

We also encourage you to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. In addition, we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. More information can be found at www.microsoft.com/protect.

We continue to work on a security update to address this issue. We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.

Thank you,
Dustin Childs
Group Manager, Response Communications
Trustworthy Computing