Archive for the ‘Security Update’ Category

June 2016 security update release

June 14th, 2016

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.

MSRC team

May 2016 security update release

May 10th, 2016

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.

MSRC team

April 2016 Security Update Release

April 12th, 2016

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.

MSRC Team

February 2016 Security Update Release Summary

February 9th, 2016

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.

More information about this month’s security updates and advisories can be found in the Security TechNet Library.

MSRC Team

December 2014 Updates

December 9th, 2014

Today, as part of Update Tuesday, we released seven security updates – three rated Critical and four rated Important in severity, to address 24 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office and Exchange.

We encourage you to apply all of these updates. For more information about this month’s security updates, including the detailed view of the Exploitability Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released two Security Bulletins:

One Security Advisory was revised:

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

The September 2014 Security Updates

September 9th, 2014

Today, as a part of our regular Update Tuesday process, we released four security bulletins – one rated Critical and three rated Important in severity – to address 42 Common Vulnerabilities & Exposures (CVEs) in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server. We encourage you to apply all of these updates, but for those who need to prioritize, we recommend focusing on the Critical update first.

Below is a graphical overview of this release and a brief video summarizing the updates released today:

The top deployment priority for our customers this month is the update for Internet Explorer, which addresses 37 CVEs. In case you missed it, the August update for Internet Explorer also included new functionality to block out-of-date ActiveX controls. This functionality will be enabled with today’s update. You can see what these notifications will look like by reviewing this TechNet article. Administrative Templates are also available for those who wish to manage these settings through Group Policy.

In addition to this month’s security bulletins, we have revised three Security Advisories. Security Advisory 2871997 – Update to Improve Credentials Protection and Management was revised to announce an update for supported editions of Windows 7 and Windows Server 2008 R2. The update adds additional protection for users’ credentials when logging into a Windows 7 or Windows Server 2008 R2 system by ensuring that credentials are cleaned up immediately instead of waiting until a Kerberos TGT (Ticket Granting Ticket) has been obtained. Security Advisory 2905247 – Insecure ASP.NET Site Configuration Could Allow Remote Code Execution was revised to offer the update via Microsoft Update, in addition to the Download-Center-only option, which was provided when this advisory was originally released. If you have already installed this update, you do not need to take any action. Finally, we also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

For more information about this month’s security updates, including the detailed view of the Exploitability Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, September 10, 2014, at 11 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks, 
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

August 2014 Security Updates

August 12th, 2014

Today, as part of Update Tuesday, we released nine security updates – two rated Critical and seven rated Important – to address 37 Common Vulnerabilities & Exposures (CVEs) in SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize their deployment planning, we recommend focusing on the Critical updates first.

Here’s an overview slide and video of the security updates released today:


Microsoft also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

For more information about this month’s security updates, including the detailed view of the Exploitability Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.

You may notice a revision in the XI this month, which aims to better characterize the actual risk to a customer on the day the security update is released. Customers will see new wording for the rating, including a new rating of “0” for “Exploitation Detected.” More information about XI can be found here: http://technet.microsoft.com/en-us/security/cc998259.aspx.

Last week, Microsoft announced some other news that relates to Update Tuesday:

  • On August 5, Windows published a Windows blog post discussing its non-security update strategy moving forward, which is now on a monthly cadence as part of Update Tuesday.
  • On August 6, IE announced in its IE Blog that it would begin blocking out-of-date ActiveX controls. This feature will be part of the August IE Cumulative Security Update, but no out-of-date ActiveX controls will be blocked for 30 days in order to give customers time to test and manage their environments.
  • On August 7, .NET and IE announced that Microsoft will support only the most recent versions of .NET and IE for each supported operating system.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, August 13, 2014, at 11 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks, 

Dustin Childs

Group Manager, Response Communications
Microsoft Trustworthy Computing

Theoretical Thinking and the June 2014 Bulletin Release

June 10th, 2014

As security professionals, we are trained to think in worst-case scenarios. We run through the land of the theoretical, chasing “what if” scenarios as though they are lightning bugs to be gathered and stashed in a glass jar. Most of the time, this type of thinking is absolutely the correct thing for security professionals to do. We need to be prepared for when, not if, these disruptive events occur. However, every now and then, it can be productive to draw ourselves out of this hypothetical mentality and look instead at the real impact in the here and now.

Speaking of the here and now, today we release seven security bulletins, two rated Critical and five rated Important in severity, addressing 66 Common Vulnerabilities and Exposures (CVEs) for Microsoft Windows, Internet Explorer, and Microsoft Office customers. But before we get into the details of the updates, I want to take a moment to provide some additional insight into how we assess and recommend those severity ratings. For every issue, we consider “what if” – what’s the severest outcome from a potential cyberattack? We want to provide our best guidance on the risk assessment for our customers, and that requires consideration of the worst-case scenario.

If we consider the worst-case scenario analogous to a tree falling in the woods, is there a sound if no one is around to hear it?  Similarly, does a vulnerability make a sound if it never gets exploited?  When we become aware of a potential security issue, we work to fix it regardless of whether or not it is under active attack.  In other words, it doesn’t matter if that falling tree makes a noise; we still have an action to take.  Why?  Because one day in the future, it’s possible what we’re delivering today could get exploited if not addressed.  However, we’re not in the future; we’re in the land of the here and now.  And while we are in this land, we sometimes confuse theoretical thinking with the actuality of impact to real people.  Until something actually occurs it is still theory; we’re taking the theoretical and making practical updates against future “what ifs”.

Let’s look at an example from this month’s release.  The security bulletin for Internet Explorer (IE) resolves 59 items, including CVE-2014-1770.  The most serious of these could allow remote code execution if a user views a webpage specially crafted by a cybercriminal.  We still haven’t seen any active attacks attempting to exploit any of the other CVEs addressed by this bulletin.  While there are a number of things being addressed this time around, it’s important to note that, to our knowledge, none of these now-addressed CVEs have caused any customer impact to date.  

Addressing items before active attacks occur helps keep customers better protected.  The Internet Explorer update for this month includes additional security updates that will help protect our customers, which is yet another reason why it’s good to stay current with the latest updates.

If you’ve seen the recent blog from the IE team, you’ll also see another message:  Customers should update to the latest version of Internet Explorer.  For Windows 7 and Windows 8.1, that means Internet Explorer 11—the most modern, secure browser we’ve ever built.  IE11 has advanced security features like Enhanced Protection Mode (EPM) and SmartScreen Filter, support for modern web standards, and Enterprise Mode for rendering legacy web apps.  Internet Explorer 11 is much more secure than older versions, which is why we encourage customers to upgrade.

There are six other bulletins released today to improve your security as well. For more information about this month’s security updates, including the detailed view of the Exploitability Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

Here’s an overview of all the updates released today:


As always, we encourage you to apply all of the updates, but for those who prioritize, we recommend the Word and Internet Explorer updates be on the top of your list.

Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-16. For more information about this update, including download links, see Microsoft Knowledge Base Article 2966072.

Watch the bulletin overview video below for a brief summary of today's releases.

Andrew Gross and I will host the monthly security bulletin webcast, scheduled for Wednesday, June 11, 2014, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins.

For all the latest information, you can also follow us at @MSFTSecResponse.

I look forward to hearing any questions about this month’s release during our webcast tomorrow.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Omphaloskepsis and the December 2013 Security Update Release

December 10th, 2013

There are times when we get too close to a topic. We familiarize ourselves with every aspect and nuance, but fail to recognize not everyone else has done the same. Whether you consider this myopia, navel-gazing, or human nature, the effect is the same. I recognized this during the recent webcast when someone asked the question – “What’s the difference between a security advisory and a security bulletin?” The answer was simple to me, as I’ve been doing this for years, but the question was valid and it reminded me that not every person on the planet knows all of the ins and outs of Update Tuesday.

Given this month’s release, the question is timely, as we have 11 bulletins and 3 new advisories releasing today. As we look through today’s release, I thought it would be helpful to step back and take a closer look at some of the terminology we use frequently. Let’s begin by taking a look at the bulletins for December.

You may notice the graphic is significantly different from past months. In the new format, where you see circles throughout the deck, that’s the deployment priority. The numbers in squares represent the exploit index and the words in color indicate bulletin severity.

As we review our top bulletin deployment priorities for this month, let’s pause to review the official definition of a security bulletin.

Security bulletins include the following:

  • Details of all affected products
  • A list of frequently asked questions
  • Information about workarounds and mitigations
  • Any other information that IT staff needs to address the issue

But that doesn’t really explain why a security bulletin is released. Simply put, when there is a significant security-related update for something we ship, it goes in a security bulletin. If an issue in software can be corrected by applying new software, it becomes a security bulletin. Update for the Windows kernel? Security bulletin. Cumulative update for Internet Explorer? Security bulletin. Code problem with .NET Framework? Security bulletin. I think you see where I’m going with this.

This month, we have 11 security bulletins, 5 Critical and 6 Important in severity, addressing 24 unique CVEs in Microsoft Windows, Internet Explorer, Office and Exchange. For those who need to prioritize deployment planning we recommend focusing on MS13-096, MS13-097, and MS13-099.

MS13-096 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
This security update resolves a publicly disclosed vulnerability in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerability could allow remote code execution if a user views content that contains specially crafted TIFF files. As we highlighted through ANS, this update fully resolves the issue first described in Security Advisory 2896666. For those who installed the Fix it released through the advisory, you do not need to uninstall the Fix it prior to installing the update, but we do recommend disabling the Fix it after installation to ensure TIFF images are displayed correctly.

MS13-097 | Cumulative Update for Internet Explorer
This security update resolves seven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.

MS13-099 | Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to visit a specially crafted website or a website that hosts specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

In addition to the security bulletins, we are also releasing three security advisories this month and revising one more. So how do security advisories differ from security bulletins? After all, sometimes we see updates included in Security Advisories as well – including advisories this month. What’s the difference?

The easiest way to think of advisories is to consider them as a call to action. With bulletins, updates are usually sent out through Windows or Microsoft Update. If you’ve enabled automatic updating, there’s no action for you – the update will be installed and if needed, your system will reboot. Even if you manually apply all updates, bulletins should require nothing more than installing a package and potentially restarting a service or system. Advisories cover topics that potentially affect your security but cannot be resolved through an update alone. Let’s look at the advisories this month as examples.

Security Advisory 2905247 – Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege
This update enables administrators to configure their ASP.NET servers to ensure that view state MAC remains enabled at all times, as well as to provide general guidance on how to enable view state MAC on IIS servers.

In this instance, we’re not correcting faulty code; we’re allowing administrators to enforce a default behavior that’s more secure than the non-default setting.
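As an added illustration (not taken from the advisory or from the original post), the two web.config fragments below show the insecure setting beside the one the advisory wants enforced; the key values are placeholders and the comments describe the assumed effect of each setting.

```xml
<!-- Added example, not part of the advisory: ASP.NET view state MAC in web.config -->

<!-- Weak: MAC validation disabled, so view state posted back by a browser is
     deserialized without any integrity check. This is the configuration the
     advisory warns against. -->
<system.web>
  <pages enableViewStateMac="false" />
</system.web>

<!-- Hardened: MAC validation enabled (the secure default), with an explicit
     machineKey so validation keeps working across app restarts and web farm
     nodes. Replace the placeholder hex strings with locally generated keys. -->
<system.web>
  <pages enableViewStateMac="true" />
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
              validation="HMACSHA256"
              decryption="AES" />
</system.web>
```

Searching deployed web.config files for enableViewStateMac="false" is a quick way to find sites that still rely on the insecure non-default setting.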

Security Advisory 2871690 – Update to Revoke Non-compliant UEFI Modules
This advisory notifies customers that an update is available for Windows 8 and Windows Server 2012 that revokes the digital signatures for specific Unified Extensible Firmware Interface (UEFI) modules. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. This update applies to nine private, third-party UEFI modules used for test purposes only.

While this may seem like something we can address through a security bulletin, these UEFI modules are not known to be in public distribution. In all likelihood, you are not affected. Your friends aren’t affected. No one you know is affected. Still, we can’t be 100% certain that no one is affected, so we’re releasing this advisory with instructions for checking just in case.

Security Advisory 2915720 – Changes in Windows Authenticode Signature Verification
This advisory informs customers of an impending change to how Windows verifies Authenticode-signed binaries. It also recommends that developers who sign binaries with Windows Authenticode ensure that their signatures conform to the change by June 10, 2014. The SRD blog covers additional technical details about the changes.

This is an interesting advisory on an interesting topic. It accompanies a security bulletin, MS13-098, which does address an issue in Windows. In addition to resolving a security issue through new code, the update also introduces new functionality. This advisory details the new functionality and provides guidelines to both administrators and developers. The advisory provides some suggested test scenarios to ensure your enterprise and executables are ready for the change. Again, since this change tightens security rather than addressing an issue, it’s more appropriate that we communicate this to you through an advisory.

Finally, we are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-28. For more information about this update, including download links, see Microsoft Knowledge Base Article 2907997.

If you’ve been intrepid enough to read this far down, watch the bulletin overview video below for a brief summary of today’s releases.

For more information about this month’s security updates, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, December 11, 2013, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I hope this in-depth discussion of bulletins and advisories has been worth your time. If so, let me know what other topics you would like to see covered here. I never grow weary of talking about second Tuesday.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Omphaloskepsis and the December 2013 Security Update Release

December 10th, 2013 No comments

There are times when we get too close to a topic. We familiarize ourselves with every aspect and nuance, but fail to recognize not everyone else has done the same. Whether you consider this myopia, navel-gazing, or human nature, the effect is the same. I recognized this during the recent webcast when someone asked the question – “What’s the difference between a security advisory and a security bulletin?” The answer was simple to me, as I’ve been doing this for years, but the question was valid and it reminded me that not every person on the planet knows all of the ins and outs of Update Tuesday.

Given this month’s release, the question is timely, as we have 11 bulletins and 3 new advisories releasing today. As we look through today’s release, I thought it would be helpful to step back and take a closer look at some of the terminology we use frequently. Let’s begin by taking a look at the bulletins for December.

You may notice the graphic is significantly different from past months. In the new format, where you see circles throughout the deck, that’s the deployment priority. The numbers in squares represent the exploit index and the words in color indicate bulletin severity.

As we review our top bulletin deployment priorities for this month, let’s pause to review the official definition of a security bulletin.

Security bulletins include the following:

  • Details of all affected products
  • A list of frequently asked questions
  • Information about workarounds and mitigations
  • Any other information that IT staff needs to address the issue

But that doesn’t really explain why a security bulletin is released. Simply put, when there is a significant security-related update for something we ship, it goes in a security bulletin. If an issue in software can be corrected by applying new software, it becomes a security bulletin. Update for the Windows kernel? Security bulletin. Cumulative update for Internet Explorer? Security bulletin. Code problem with .NET Framework? Security bulletin. I think you see where I’m going with this.

This month, we have 11 security bulletins, 5 Critical and 6 Important in severity, addressing 24 unique CVEs in Microsoft Windows, Internet Explorer, Office and Exchange. For those who need to prioritize deployment planning we recommend focusing on MS13-096, MS13-097, and MS13-099.

MS13-096 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
This security update resolves a publicly disclosed vulnerability in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerability could allow remote code execution if a user views content that contains specially crafted TIFF files. As we highlighted through ANS, this update fully resolves the issue first described in Security Advisory 2896666. For those who installed the Fix it released through the advisory, you do not need to uninstall the Fix it prior to installing the update, but we do recommend disabling the Fix it after installation to ensure TIFF images are displayed correctly.

MS13-097 | Cumulative Update for Internet Explorer
This security update resolves seven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.

MS13-099 | Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to visit a specially crafted website or a website that hosts specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

In addition to the security bulletins, we are also releasing three security advisories this month and revising one more. So how do security advisories differ from security bulletins? After all, sometimes we see updates included in Security Advisories as well – including advisories this month. What’s the difference?

The easiest way to think of advisories is to consider them a call to action. With bulletins, updates are usually sent out through Windows Update or Microsoft Update. If you’ve enabled automatic updating, there’s no action for you: the update will be installed and, if needed, your system will reboot. Even if you apply all updates manually, bulletins should require nothing more than installing a package and potentially restarting a service or system. Advisories cover topics that potentially affect your security but cannot be resolved through an update alone. Let’s look at this month’s advisories as examples.

Security Advisory 2905247 – Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege
This update enables administrators to configure their ASP.NET servers to ensure that view state MAC remains enabled at all times, as well as to provide general guidance on how to enable view state MAC on IIS servers.

In this instance, we’re not correcting faulty code; we’re allowing administrators to enforce a default behavior that’s more secure than the non-default setting.

Security Advisory 2871690 – Update to Revoke Non-compliant UEFI Modules
This advisory notifies customers that an update is available for Windows 8 and Windows Server 2012 that revokes the digital signatures for specific Unified Extensible Firmware Interface (UEFI) modules. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. This update applies to nine private, third-party UEFI modules used for test purposes only.

While this may seem like something we can address through a security bulletin, these UEFI modules are not known to be in public distribution. In all likelihood, you are not affected. Your friends aren’t affected. No one you know is affected. Still, we can’t be 100% certain that no one is affected, so we’re releasing this advisory with instructions for checking just in case.

Security Advisory 2915720 – Changes in Windows Authenticode Signature Verification
This advisory informs customers of an impending change to how Windows verifies Authenticode-signed binaries. It also recommends that developers who sign binaries with Windows Authenticode ensure that their signatures conform to the change by June 10, 2014. The SRD blog covers additional technical details about the changes.

This is an interesting advisory on an interesting topic. It accompanies a security bulletin, MS13-098, which does address an issue in Windows. In addition to resolving a security issue through new code, the update also introduces new functionality. This advisory details the new functionality and provides guidelines to both administrators and developers. The advisory provides some suggested test scenarios to ensure your enterprise and executables are ready for the change. Again, since this change tightens security rather than addressing an issue, it’s more appropriate that we communicate it to you through an advisory.

Finally, we are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-28. For more information about this update, including download links, see Microsoft Knowledge Base Article 2907997.

If you’ve been intrepid enough to read this far down, watch the bulletin overview video below for a brief summary of today’s releases.

For more information about this month’s security updates, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, December 11, 2013, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I hope this in-depth discussion of bulletins and advisories has been worth your time. If so, let me know what other topics you would like to see covered here. I never grow weary of talking about second Tuesday.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

MBSA 2.3 and the November 2013 Security Bulletin Webcast, Q&A, and Slide Deck

November 15th, 2013 No comments

Today we’re publishing the November 2013 Security Bulletin Webcast Questions & Answers page. The majority of questions focused on the ActiveX Kill Bits bulletin (MS13-090) and the advisories. We also answered a few general questions that were not specific to any of this month’s updates, but that may be of interest.

We’ve discussed the Microsoft Baseline Security Analyzer (MBSA) tool in this and many other webcasts, and I’m happy to report version 2.3 is now available. This new version adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. However, Windows 2000 systems will no longer be supported by MBSA. If you aren’t familiar with the tool or would just like to know more about it, we encourage you to read the FAQ found on the Security TechCenter. Thanks also go out to everyone who participated in the public preview leading up to this release.

We invite you to join us for the next scheduled webcast on Wednesday, December 11, 2013, at 11 a.m. PST (UTC -8), when we will go into detail about the December bulletin release and answer your bulletin deployment questions live on the air.

You can register to attend the webcast at the link below:

Date: Wednesday, December 11, 2013
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

The October 2013 security updates

October 8th, 2013 No comments

This month we release eight bulletins – four Critical and four Important – which address 25* unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight. For those who need to prioritize their deployment planning, we recommend focusing on MS13-080, MS13-081, and MS13-083.

Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases.

 MS13-080 | Cumulative Security Update for Internet Explorer
This security update resolves 9* issues in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a customer views a specially crafted webpage using Internet Explorer, as described in Microsoft Security Advisory 2887505. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current user running Internet Explorer. All but one of these issues were privately disclosed.

MS13-081 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
This security update resolves seven issues in Microsoft Windows. The most severe vulnerability could allow remote code execution if a user views a malicious webpage with specially crafted OpenType fonts. This release also addresses vulnerabilities that could allow elevation of privilege if an attacker gains access to a system; in some cases physical access to a USB port is required. These issues were privately reported and we have not detected any attacks or customer impact.

MS13-083 | Vulnerability in Windows Common Control Library Could Allow Remote Code Execution
This security update resolves one issue in Microsoft Windows. The vulnerability could allow remote code execution if an affected system is accessible via an ASP.NET web application and can receive a specifically crafted request. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. This issue was privately reported and we have not detected any attacks or customer impact.

Security Advisory 2862973 – Update for MD5 Certificates
We would like to remind customers of the Update for MD5 Certificates that was released in August 2013 and will be released through Microsoft Update in February 2014. This update affects applications and services using certificates with the MD5 hashing algorithm. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. This will apply only to certificates utilized for server authentication, code signing and time stamping. These applications and services will no longer trust certificates utilizing MD5. 
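
The advisory above affects MD5-signed certificates used for server authentication, code signing and time stamping. The following PowerShell script is an added example, not part of the original post or of Microsoft's tooling: it lists certificates in the local machine stores that carry an MD5 signature and one of those three EKU purposes, so an administrator can find what will stop being trusted. It assumes the store names and EKU OIDs shown, and it does not check whether a chain ends in a Microsoft Root Certificate Program root, which the advisory's scope also requires.

```powershell
# Added example (not from the original post): find MD5-signed certificates in the
# local machine stores whose EKU includes one of the purposes named in the advisory.
# Assumption: only chain membership under a Microsoft Root Program root is NOT checked.
$AffectedEku = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.3' = 'Code Signing'
    '1.3.6.1.5.5.7.3.8' = 'Time Stamping'
}

function Get-Md5Certificate {
    param([string[]]$Store = @('My', 'CA', 'Root', 'TrustedPublisher'))
    foreach ($s in $Store) {
        foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$s") {
            # Signature algorithm friendly names look like "md5RSA"; skip everything else.
            if ($cert.SignatureAlgorithm.FriendlyName -notmatch 'md5') { continue }
            # Self-signed roots are trusted by identity, not by their own signature,
            # and the advisory concerns certificates issued under a root.
            if ($cert.Subject -eq $cert.Issuer) { continue }
            $ekuExt = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            # A certificate without an EKU extension is valid for all purposes.
            $purposes = if ($null -eq $ekuExt) { @($AffectedEku.Values) } else {
                @($ekuExt.EnhancedKeyUsages | ForEach-Object { $AffectedEku[$_.Value] } | Where-Object { $_ })
            }
            if ($purposes.Count -eq 0) { continue }
            [pscustomobject]@{
                Store     = $s
                Subject   = $cert.Subject
                Issuer    = $cert.Issuer
                NotAfter  = $cert.NotAfter
                Signature = $cert.SignatureAlgorithm.FriendlyName
                Purposes  = ($purposes -join ', ')
            }
        }
    }
}

Get-Md5Certificate | Format-Table -AutoSize
```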

Our risk and impact graph shows an aggregate view of this month’s Severity and Exploitability Index.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, October 9, 2013, at 11 a.m. PDT. I invite you to register here and tune in to learn more about this month’s security bulletins and advisory.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I look forward to hearing your questions in the webcast tomorrow.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

*Updated CVE count to accurately reflect the correct number which is 25. This is a documentation error and there is no known impact to customers.

ISA 2006 / TMG 2010: DISABLE CLIENT-INITIATED SSL RENEGOTIATION, PROTECTING AGAINST DOS ATTACKS AND MALICIOUS DATA INJECTION

September 18th, 2013 No comments

Recently we have received a considerable number of support requests asking for more information about SSL/TLS renegotiation and the risk it introduces of exposure to DoS attacks and malicious data injection.

The requests in question focused on the ISA/TMG products, since they are used as reverse proxies for web publishing, but the considerations below apply to every kind of Windows server or client that supports SSL/TLS connections.

First, what exactly is SSL/TLS renegotiation?

"TLS [as defined in RFC 5246] allows either the client or the server to initiate a renegotiation — a new handshake that establishes new cryptographic parameters. Unfortunately, although the new handshake is carried out using the cryptographic parameters established by the original handshake, there is no cryptographic binding between the two. This creates the opportunity for an attack in which the attacker who can intercept a client’s transport layer connection can inject traffic of his own as a prefix to the client’s interaction with the server"

The above definition is taken from RFC 5746.

The following is a graphic representation of a basic SSL/TLS Handshake:

[Figure: basic SSL/TLS handshake]

Under certain circumstances, the client may ask the server to renegotiate the SSL/TLS parameters over the same TCP socket:

[Figure: client-initiated SSL/TLS renegotiation over the same TCP connection]

If the renegotiation is not secure (as per the RFC 5746 recommendations), a MITM could use it to send the server malicious data while pretending to be a legitimate user.

[Figure: MITM injecting data into the connection through insecure renegotiation]

What can we do to mitigate this issue?

First, make sure that the following security hotfix is installed:

http://support.microsoft.com/kb/980436

This fix makes the system compliant with RFC 5746, which mitigates the risk of malicious data injection.

To preserve backward compatibility, this security update can operate in two modes: STRICT and COMPATIBLE.

Compatible mode

o If this security update is applied to the server, and the server is in compatible mode, the server allows all clients to set up and renegotiate Transport Layer Security (TLS) sessions. This occurs whether the clients are updated or are not updated by using this security update.

o Similarly, if this security update is applied to the client, and the client is in compatible mode, the client can set up and renegotiate TLS sessions with all the servers for which this security update is applied or is not applied.

Strict mode

o If this security update is applied to the server, and the server is in strict mode, the server allows only those clients to which this security update is applied to set up and renegotiate TLS sessions. The server does not allow the clients to which this security update is not applied to set up the TLS session. In this case, the server terminates such requests from the clients.

o Similarly, if this security update is applied to the client, and the client is in strict mode, the client can set up and renegotiate TLS sessions with all the servers for which this security update is applied. The clients cannot set up TLS sessions at all with servers for which this security update is not applied. The client cannot move ahead with a TLS negotiation attempt with such servers.

By default, this security update leaves the TLS or Secure Sockets Layer (SSL) client or server in compatible mode. An administrator can use the AllowInsecureRenegoClients and AllowInsecureRenegoServers DWORD values in the following registry path to enable strict mode on the client or on the server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

The following table shows how these DWORD values can be used:

DWORD                        Value = zero     Value = nonzero
AllowInsecureRenegoClients   Strict Server    Compatible Server
AllowInsecureRenegoServers   Strict Client    Compatible Client

Malicious data injection is not the only problem related to renegotiation: it can also be used to perform DoS attacks against a server.

When a new SSL/TLS connection is negotiated, the server typically spends significantly more CPU resources than the client. A malicious client can therefore use renegotiation to drive up the server’s CPU usage and cause a DoS.

To mitigate both malicious data injection and DoS attacks more effectively, the best option is to reject client-initiated SSL/TLS renegotiation entirely.

The following Microsoft Security Advisory explains how:

http://support.microsoft.com/kb/977377/en-us

As reported in the article, the behavior can be modified by changing the value of the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnServer

Notes

· If the DisableRenegoOnClient subkey is present and has any nonzero value:

o The client will not initiate renegotiation.

o The client will not respond to renegotiation.

· If the DisableRenegoOnClient subkey is missing or is present and has a zero value:

o The client will initiate renegotiation.

o The client will respond to renegotiation.

· If the DisableRenegoOnServer subkey is present and has any nonzero value:

o Server initiated renegotiation is not allowed.

o The server will not respond to renegotiation requests from the client.

· If the DisableRenegoOnServer subkey is missing or is present and has a zero value:

o Server initiated renegotiation is allowed.

o The server will respond to renegotiation requests from the client.
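
The strict/compatible table and the DisableRenegoOnServer/DisableRenegoOnClient notes above describe four DWORD values with "missing or zero" semantics that are easy to misread. The following PowerShell script is an added example, not part of the original post or of Microsoft's tooling: it reads the values from the SCHANNEL key named above, reports the effective posture using exactly the rules given in the post, warns when the server is in compatible mode and still accepts renegotiation, and optionally sets DisableRenegoOnServer=1 (the mitigation the post recommends). It assumes an elevated session and the registry path from the KB articles.

```powershell
# Added example (not from the original post): audit the SCHANNEL renegotiation
# settings discussed above and optionally apply the recommended server-side setting.
# Assumes an elevated PowerShell session; use -Enforce -WhatIf to preview the change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce
)

$SchannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelDword {
    # Returns $null when the value is absent, so the "missing or zero" rules can be applied.
    param([string]$Name)
    $props = Get-ItemProperty -Path $SchannelPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$Name
}

# RFC 5746 mode (KB 980436): value 0 -> strict; missing or nonzero -> compatible (the default).
function Get-RenegoMode {
    param([object]$Value)
    if ($null -ne $Value -and $Value -eq 0) { return 'Strict' }
    return 'Compatible'
}

# Renegotiation switch (KB 977377): missing or 0 -> allowed; nonzero -> disabled.
function Get-RenegoState {
    param([object]$Value)
    if ($null -ne $Value -and $Value -ne 0) { return 'Disabled' }
    return 'Allowed'
}

$serverMode  = Get-RenegoMode  (Get-SchannelDword 'AllowInsecureRenegoClients')
$clientMode  = Get-RenegoMode  (Get-SchannelDword 'AllowInsecureRenegoServers')
$serverRenego = Get-RenegoState (Get-SchannelDword 'DisableRenegoOnServer')
$clientRenego = Get-RenegoState (Get-SchannelDword 'DisableRenegoOnClient')

'{0,-46} {1}' -f 'Server mode (AllowInsecureRenegoClients):', $serverMode
'{0,-46} {1}' -f 'Client mode (AllowInsecureRenegoServers):', $clientMode
'{0,-46} {1}' -f 'Server renegotiation (DisableRenegoOnServer):', $serverRenego
'{0,-46} {1}' -f 'Client renegotiation (DisableRenegoOnClient):', $clientRenego

# The exposure the post describes: the server still honours renegotiation requests
# from clients that do not implement the RFC 5746 extension.
if ($serverMode -eq 'Compatible' -and $serverRenego -eq 'Allowed') {
    Write-Warning 'Server is in compatible mode and accepts client-initiated renegotiation.'
}

if ($Enforce -and $PSCmdlet.ShouldProcess($SchannelPath, 'Set DisableRenegoOnServer = 1')) {
    # The KB lists client-certificate scenarios that break with this setting
    # (IIS per-URL client certs, Exchange ActiveSync, DirectAccess IP-HTTPS): test first.
    New-ItemProperty -Path $SchannelPath -Name 'DisableRenegoOnServer' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'DisableRenegoOnServer set to 1; restart the computer for the change to take effect.'
}
```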

Of course, this may affect specific applications that require the SSL/TLS renegotiation feature.

The KB article underlines the following:

o After you install this security update, you cannot use the legacy provisioning service parameter (-UseLegacyProvisioningService) when you create a federation trust with the Microsoft Federation Gateway. The security update will prevent the federation trust from working correctly. This problem will occur if you install this security update on a computer that is running Exchange Server 2010 or Exchange Server 2010 Service Pack 1 before you have created a federation trust. To avoid this problem, you must create the federation trust before you install this security update.
For more information about how to create a federation trust by using the -UseLegacyProvisioningService parameter, visit the following Microsoft webpage:
Create a Federation Trust

o When you install this update on a computer that has the Microsoft Online Single Sign-In services client installed, you may experience the following issues:

· The Sign In client cannot obtain user configuration information. This only affects new users who are running the Sign In client for the first time. The Sign In client cannot obtain information to configure Outlook. If the Sign In client has already run and configured the applications, there are no additional issues with the Sign In client.

· Outlook users cannot see free/busy information. Therefore, this update also affects existing Outlook users.
To resolve this problem, set the DisableRenegoOnClient registry entry to a value of 0 (zero), and then restart the computer.

o This update disables TLS/SSL renegotiation, common protocol functionality that is required for specific applications. This may cause this software to no longer function as expected. If any side effects are experienced, customers should uninstall the workaround to resolve the issue.
The following software has been tested by Microsoft and has been found to experience problems when you install this update:

· Windows 7 DirectAccess: The IP HTTPS interface will not function.

· Exchange ActiveSync: Does not function when it uses certificate client authentication.

· Internet Information Services (IIS): In certain configurations, IIS using certificate client authentication, including certificate mapping scenarios, will be affected. Site-wide client certificate authentication will not be affected and will continue to function.

· Internet Explorer: When you browse Web sites that require client certificate authentication, but not site-wide client certificate authentication, you may not successfully be able to connect.

Of course, it’s not possible to predict the implications of disabling client-initiated renegotiation for every application: this solution should be tested appropriately in each specific environment.

From a security point of view, though, this is the recommended way to mitigate all the above described problems.

Hope this can help!

 

Author: 

Daniele Gaiulli

Support Engineer – Microsoft Forefront Edge Security Team

Reviewer:

Philipp Sand

Sr. Support Escalation Engineer – Microsoft Forefront Edge Security Team
