Archive

Archive for the ‘Exploitability Index’ Category

August 2013 Security Bulletin Webcast, Q&A, and Slide Deck

August 19th, 2013 No comments

Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page.  We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063).  There were 3 additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 11, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, September 11, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register:
Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing


Out with the old, in with the April 2013 security updates

April 9th, 2013 No comments

Windows XP was originally released on August 24, 2001. Since that time, high-speed Internet connections and wireless networking have gone from being a rarity to the norm, and Internet usage has grown from 360 million to almost two-and-a-half billion users. Thanks to programs like Skype, we now make video calls with regularity, and social media has grown from a curiosity to a part of our everyday lives. But through it all, Windows XP keeps chugging along. With its longevity and wide user base, Windows XP has served its customers faithfully over the years, but all good things must come to an end, and Windows XP is no exception.

In just 52 short weeks, support for Windows XP will come to an end. I won’t go into the benefits of upgrading platforms here – you can read about these in Tim Rains’ blog “The Countdown Begins” – but I will highlight that this means there will be no more security updates for Windows XP after April 2014. Of course, Windows XP leaving support doesn’t mean bad guys will stop trying to exploit it; however, the absence of new security updates will make it easier for attacks to succeed. We talk a lot about mitigating risks through our security updates, and with Windows XP retiring, the best mitigation will be to upgrade to a modern Windows operating system.

And since we are talking about going out with the old, let’s talk about what’s new today. We are releasing nine bulletins, two Critical-class and seven Important-class, addressing 14 vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Antimalware Client, Office, and Server Software. For those who need to prioritize deployment, we recommend focusing on MS13-028 and MS13-029 first.

MS13-028 (Microsoft Internet Explorer)
This security update resolves two issues in Internet Explorer, both of which could allow remote code execution if a customer views a specially crafted webpage using the browser. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current user. Both of these issues were privately disclosed and we have not detected any attacks or customer impact.

MS13-029 (Windows Remote Desktop Client)
This security update resolves an issue in the Windows Remote Desktop Client ActiveX control. The vulnerability could allow remote code execution if an attacker convinces a customer to view a website containing specially crafted content that exploits the vulnerability. This issue was privately reported and we have not detected any attacks or customer impact.

Please watch the bulletin overview video below for a quick summary of today’s releases.

As always, we urge you deploy all security updates as soon as possible. Our deployment priority guidance is below to further assist in deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).

For more information about this month’s security updates, visit the Microsoft Security Bulletin summary webpage.

Jonathan Ness and I will host the monthly technical webcast, scheduled for Wednesday, April 10, 2013, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about the April security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

It’s been great strolling down memory lane, recalling a time when mobile phones were used for phone calls, but I look forward to hearing your questions during our future webcast via the “Internet.”
Thank you,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

It’s That Time of Year, For the December 2012 Bulletin Release

December 11th, 2012 No comments

Happy holidays! I hope everyone is enjoying the festive season. I like to get my holiday shopping done early, and this year was no exception. In the middle of my holiday shopping last week, as I passed my cash from one store to the next, I was reminded of “Pass-the-Hash.” (My mind does tend to wander a bit as I shop.) For those not familiar, Pass-the-Hash (PtH) is a technique in which an attacker captures account logon credentials on one computer and then uses those captured credentials to authenticate to other computers over the network. Various folks have discussed this technique in the past, and we have seen it used in attacks as well. Today, TwC released a whitepaper that lays out ways to help prevent these types of attacks. Please take a few minutes to read about the Pass-the-Hash technique on the TwC team blog or download the whitepaper to read on the way over the river and through the woods to Grandma’s house. You won’t be disappointed.

Now, on to the news of the day; today we’re releasing seven bulletins, five Critical-class and two Important-class, addressing 12 vulnerabilities in Microsoft Windows, Internet Explorer (IE), Word and Windows Server. For those who need to prioritize deployment, we recommend focusing on the following two critical updates first:

MS12-077 (Internet Explorer)

This security update addresses three Critical-class Internet Explorer issues that could result in remote code execution. These issues exist in all versions of IE, but there is no evidence that they are known publicly or under exploit in the wild. You’ll notice there is no severity rating for IE versions prior to IE 9. On these versions, the update is a defense-in-depth change only. Although there are no known attack vectors for these versions, we still recommend that our customers using these versions apply the update.

MS12-079 (Microsoft Word)

This security update resolves one issue in Microsoft Word. This bulletin has a Critical severity rating and can result in remote code execution. An attacker could run code in the context of the logged-on user if they were to open a specially crafted Rich Text Format (RTF) file, or preview or open a specially-crafted RTF email message in Outlook while using Microsoft Word as the email viewer. This issue was privately disclosed and we’re not aware of any attacks or customer impact.

Security Advisory 2755801

With this month’s release, we are also revising Security Advisory 2755801 to address issues in Adobe Flash Player in IE 10. This is a cumulative update, which means customers do not need to install previous updates as a prerequisite for installing the current update. We remain committed to working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.

Please watch the bulletin overview video below for more information.

As always, we recommend that our customers deploy all security updates as soon as possible. Our deployment priority guidance is below to further assist in deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).

For more information about this month’s security updates, visit the Microsoft Security Bulletin summary web page.

Per our usual process, Jonathan Ness and I will host the monthly technical webcast on Wednesday. I invite you to tune in and learn more about the December security bulletins and advisories. We’ve scheduled the webcast for Wednesday, Dec. 12, 2012 at 11 a.m. PST, and you can register here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I hope everyone has a wonderful holiday season, safe travels and I look forward to hearing your questions during the webcast.

Dustin Childs
Group Manager
Trustworthy Computing

November 2012 Bulletin Release

November 13th, 2012 No comments

Security Updates
Today we released six security bulletins to help protect our customers – four Critical, one Important, and one Moderate – addressing 19 vulnerabilities in Microsoft Windows Shell, Windows Kernel, Internet Explorer, Internet Information Services (IIS), .NET Framework, and Excel. For those who need to prioritize deployment, we recommend focusing on these two Critical updates first:

MS12-071 (Internet Explorer): This bulletin addresses three privately disclosed issues, none of which are currently known to be under active attack. Successful exploitation of these issues could result in code execution with the current user’s privileges. As such, we recommend the best practice of running applications with the least privileges possible in order to help mitigate potential risks. These issues do not affect Internet Explorer 10.

MS12-075 (Windows Kernel): This security update addresses three privately reported issues, none of which are currently known to be under active attack. This bulletin affects all supported versions of Microsoft Windows. The most severe issue could result in remote code execution if an attacker is able to lure a user to a website with a maliciously crafted TrueType font file embedded.

Security Update Re-release
In October we released Security Advisory 2749655 that addresses potential compatibility issues due to signature timestamps expiring before they should and noted we would be providing updates as they become available. Today we are providing one such update for MS12-046 (Visual Basic), which is now listed as available in the advisory. We have also released MS12-062 (System Center Configuration Manager 2007) to address an issue in the localization of resource files. Users who have already successfully installed the English versions of this update do not need to take any action.

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page. For an overview of the bulletins please watch the video below.

We recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in deployment planning (click for larger view).

Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index (click for larger view).

Thanks for reading and join us tomorrow (Wednesday, Nov. 14, 2012) at 11 a.m. PST for a live webcast with Jeremy Tinder and me, as we share greater details about these bulletins. As always, we will answer bulletin-related questions live during the webcast. You may register for that one-hour event here.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

August 2012 Bulletin Release

August 14th, 2012 No comments

Security Advisory 2661254 – Update For Minimum Certificate Key Length
Before we get into the details of this month’s bulletin release, let’s take a look at an important change on how Windows deals with certificates that have RSA keys of less than 1024 bits in length.

We’ve been talking about this subject since June, and today, with Security Advisory 2661254, we are announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. As noted in the advisory, this update will be available in the Download Center as well as the Microsoft Update Catalog. This allows enterprise administrators to download and import the update into WSUS for testing before widely deploying the update throughout their enterprise. The security advisory includes instructions on how to configure the update and provides general guidance on what steps customers should take to become more secure. This update is planned to be released via Windows Update starting in October 2012.

For additional details on these defense-in-depth changes to how Windows deals with certificates please visit Public Key Infrastructure (PKI) blog.
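Before deploying the update, an administrator will want to know which certificates in the environment would stop validating. The script below is an added example, not part of the advisory or of any Microsoft tool: it walks the certificate stores you name, builds each certificate’s chain, and reports every RSA public key shorter than the threshold, because a short key anywhere in the chain breaks validation just as a short leaf key does. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with .NET 4.6 or later (for RSACertificateExtensions); the store paths and the 1024-bit threshold are parameters.

```powershell
# Added example; not part of Security Advisory 2661254 or of any Microsoft tool.
# Reports every RSA public key shorter than the minimum the update enforces
# (1024 bits by default) in the given stores, checking the whole chain of each
# certificate. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

param(
    [int]$MinimumRsaBits = 1024,   # the update's default; match it to your configured value
    [string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
)

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Only RSA keys (OID 1.2.840.113549.1.1.1) are subject to the minimum; ECC/DSA return $null.
    if ($Certificate.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') { return $null }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) { return $null }
    try { return $rsa.KeySize } finally { $rsa.Dispose() }
}

function Test-CertificateChainKeyLength {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$MinimumBits
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # We want the chain's shape, not a trust verdict, so expiry or revocation
    # problems must not prevent the chain from being built.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllFlags
    [void]$chain.Build($Certificate)

    $findings = @()
    $position = 0   # 0 is the leaf itself; higher numbers walk toward the root
    foreach ($element in $chain.ChainElements) {
        $bits = Get-RsaKeySize -Certificate $element.Certificate
        if ($null -ne $bits -and $bits -lt $MinimumBits) {
            $findings += [pscustomobject]@{
                LeafThumbprint = $Certificate.Thumbprint
                LeafSubject    = $Certificate.Subject
                ChainPosition  = $position
                WeakSubject    = $element.Certificate.Subject
                KeyBits        = $bits
            }
        }
        $position++
    }
    $chain.Reset()
    return $findings
}

$results = foreach ($path in $StorePaths) {
    foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
        Test-CertificateChainKeyLength -Certificate $cert -MinimumBits $MinimumRsaBits
    }
}

if ($results) {
    $results | Sort-Object LeafSubject, ChainPosition | Format-Table -AutoSize
} else {
    "No RSA keys shorter than $MinimumRsaBits bits found in: $($StorePaths -join ', ')"
}
```

Run it with -StorePaths covering the stores your applications actually use (for IIS and SChannel that is usually Cert:\LocalMachine\My); a finding with ChainPosition greater than 0 means the weak key belongs to an issuing CA, which is the case the advisory’s guidance on reissuing CA certificates addresses. The KB article behind the advisory documents a certutil -setreg chain\minRSAPubKeyBitLength registry switch for adjusting the threshold; if you change it, pass the same value as -MinimumRsaBits.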

Security Updates
For this Update Tuesday we are releasing nine security bulletins – five Critical-class and four Important – addressing 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office. For those who need to prioritize deployment, we recommend focusing on these three critical updates first:

MS12-060 (Windows Common Controls)
Multiple software products utilize Windows Common Controls, and the issues addressed in this bulletin affect Office, SQL Server, Server Software, and Developer Tools. We’re aware of limited, targeted attacks attempting to exploit this vulnerability, but we haven’t seen public proof-of-concept code published. These are important factors to consider when determining deployment priority, and Microsoft recommends that customers test and deploy this update as soon as possible.

MS12-052 (Internet Explorer)
This security update addresses four privately disclosed issues, none of which are currently known to be under active attack. Successful exploitation of these issues could result in the execution of code with the privileges of the current user. You may notice that one of the issues addressed in the Cumulative Security Update for Internet Explorer is also listed in MS12-056 for the JScript and VBScript Engines. Since this issue affects both IE and Windows components, you will need to apply both updates to ensure the issue has been addressed on your system.

MS12-054 (Windows Networking Components)
This security update addresses three issues related to the Remote Administration Protocol (RAP) and one issue affecting the Print Spooler. The impact from these issues ranges from Denial of Service (DoS) to Remote Code Execution (RCE). All of these issues were reported to us through coordinated disclosure and we have no reports of these issues being exploited. As with our other top-priority bulletins, we encourage customers to test and deploy this update as soon as possible.

Of the remaining six bulletins, two are also rated as critical: one addressing issues affecting the Remote Desktop Protocol and the other affecting Exchange Server. The remaining four bulletins are all Important-class issues touching on Windows and Office.

Security Update Re-release
Last month, we published MS12-043 to address issues affecting Microsoft XML Core Services. The July release provided updates for Microsoft XML Core Services 3.0, 4.0, and 6.0. This month, we are re-releasing MS12-043 with additional updates for Microsoft XML Core Services 5.0. This re-release does not affect the previous updates for versions 3.0, 4.0, and 6.0.

Please watch the video below for an overview of this month’s bulletins and you can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view)

Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index (click for larger view). For insightful details about the Exploitability Index and additional bulletin nuances, please see the Security Research & Defense (SRD) blog.

Thanks for reading and join us tomorrow (Wednesday, August 15, 2012) at 11 a.m. PDT for a live webcast with Jonathan Ness and Dustin Childs, who will share greater details about these bulletins and our other announcements this month. As always, they will answer bulletin-related questions live during the webcast. You may register for that one-hour event here.

Yunsun Wee
Microsoft
Trustworthy Computing

A live BlueHat Prize webcast and the August 2011 security updates

August 9th, 2011 No comments

Hello all. It has been very nearly a week since our BlueHat Prize contest announcement at Black Hat. Now that everyone’s had some time to digest the basics, we’ve asked Senior Security Strategist and chief BlueHat Prize architect Katie Moussouris to stop by the Trustworthy Computing studio today at 11 a.m. PDT to answer a few more questions about the contest.  She’ll discuss how it works and what she expects will happen next, and she’ll answer some common questions such as who owns the intellectual property. We’ll be taking your questions, too! Register for the webcast at this link.

As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, two of which are rated Critical in severity, nine Important and two Moderate.

These bulletins will increase protection by addressing 22 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the two critical updates:

  • MS11-057 (Internet Explorer). This security update resolves five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Microsoft is not aware of any attacks leveraging the vulnerabilities addressed in this bulletin.
  • MS11-058 (DNS Server). This security update resolves two privately reported vulnerabilities in Windows DNS server. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted Naming Authority Pointer (NAPTR) query to a DNS server. Servers that do not have the DNS role enabled are not at risk.

In this video, Jerry Bryant discusses this month’s bulletins in further detail, focusing on these two bulletins:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page. In addition, the SRD blog today has more information on MS11-058’s Exploitability Index rating and on the month’s deployment priorities.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the August security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, August 10, 2011 at 11 a.m. PDT, and you can register here.

For all the latest information, please also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Angela Gunn
Trustworthy Computing.

Exploitability Index Improvements & Advance Notification Service for May 2011 Bulletin Release

May 5th, 2011 No comments

Hello everyone,

Today we are announcing changes to Microsoft’s Exploitability Index.

Since October 2008, we have used the Exploitability Index to provide customers with valuable exploitability analysis for our security bulletins, and starting Tuesday this information will become even more comprehensive for those who use Microsoft’s latest platforms.

The Exploitability Index assesses the likelihood of functional exploit code being developed for a particular vulnerability. By providing the index information month over month, we’re helping customers prioritize the security updates that matter to them. The Exploitability Index will continue to provide an aggregate exploitability rating across all affected products, and the improvements made to Exploitability Index will now offer additional information to help customers prioritize bulletins, specifically for the most recent platforms, e.g. Windows 7 Service Pack 1 and Office 2010.

For example, the Exploitability Index for CVE-2011-0097, a security issue addressed by MS11-021 in the April 2011 release, originally rated a “1 – Consistent Exploit Code Likely”. However, under the previous system, the Exploitability Index did not specifically illustrate that customers using Excel 2010 were at less risk; with Excel 2010, CVE-2011-0097 would rate a “2 – Inconsistent Exploit Code Likely”. In fact, our research has shown that 37 percent of the vulnerabilities addressed since July 2010 have had similar results: the latest platform was either entirely unaffected, or significantly more difficult to exploit.

Maarten Van Horenbeeck, senior security program manager, goes into more depth around the background of the Exploitability Index and the value of these improvements in the MSRC blog post “Exploitability Index Improvements Now Offer Additional Guidance”.

Additionally, we’re providing advance notification on the release of a Critical security bulletin addressing a vulnerability in Windows, and an Important bulletin addressing two vulnerabilities in Microsoft Office. As usual, the bulletin release is scheduled for the second Tuesday of the month, May 10, at approximately 10 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

Exploitability Index Improvements Now Offer Additional Guidance

May 5th, 2011 No comments

Exploitability Index Improvements Now Offer Additional Guidance

In October of 2008, Microsoft published its first Exploitability Index: a rating system that helps customers identify the likelihood that a specific vulnerability would be exploited within the first 30 days after bulletin release.

As of this month, we are making some changes to the rating system to make vulnerability assessment more clear and digestible for customers. Specifically, we will be publishing two Exploitability Index ratings per vulnerability: one for the most recent platform, the other an aggregate rating for all older versions of the software. This change makes it easier for customers on recent platforms to determine their risk given the extra security mitigations and features built in to Microsoft’s newest products; under the previous system, vulnerabilities were given a single aggregate rating across all product versions.

How do we build an Exploitability Index?

Each vulnerability rating is based on a thorough review by the MSRC Engineering team, as well as close cooperation with a number of key partners. The ratings are qualitative: our team does an in-depth technical analysis of the vulnerability in question, and identifies the likelihood that an experienced exploit developer would be able to exploit the vulnerability. Some great examples of these types of reviews can be found on the SRD blog here and here.

We have received feedback in the past that the Exploitability Index did not take into account more recent mitigations implemented in our operating systems. For instance, Windows 7 hosts Address Space Layout Randomization (ASLR), a mitigation technique which randomizes where executable images, stacks and heaps are placed in memory, so an exploit cannot rely on fixed addresses; this makes it much harder for an attacker to write a reliable exploit. This functionality is not available by default on older operating systems such as Windows XP.

If consistent exploit code was considered likely for any supported version, despite being made significantly more difficult with ASLR, the Exploitability Index rating of that vulnerability would receive Microsoft’s highest rating of “1,” indicating that a reliable exploit within 30 days is likely. While this is accurate for the older version, it does not correctly reflect risk for users with Windows 7.

Rating the Latest Platform Separately from Older Platforms

As of this month, we will split out the Exploitability Index into a rating for the most recent version of the software, and an aggregate rating for all older versions. In the scenario above, the rating for Windows 7 could be “2” whereas the rating for all other platforms would be “1”. This more accurately reflects risk to customers that keep their environment updated with the latest product releases.

Assessing Denial of Service Risk

An additional item we are now providing with the Exploitability Index is an assessment of the Denial of Service risk a vulnerability poses. In the case of remote code execution vulnerabilities, an issue that is difficult to exploit may still be used to crash a computer. Even when an attacker cannot control memory addresses sufficiently to execute code, he may still be able to corrupt memory sufficiently to stop the computer from responding.

For IT administrators, it is important to understand whether the denial of service will be “permanent,” in which case the program or operating system exits unexpectedly, such that the system will need to be restarted; or “temporary,” in which case the program or operating system merely becomes unresponsive during the attack, but eventually recovers. In the example table below, for CVE-2011-0673, the table indicates that an attacker who attempts to exploit the service, even when the attempt fails, may render the system entirely unavailable. For administrators of internet-facing services, this can often be the difference between a highly important and an insignificant vulnerability.

An Example of Our New Exploitability Index Rating System

To help you prepare for these changes in the May release, we are providing an example of these changes applied to three different CVEs from the April Bulletin Release:

In the table, Latest Release (1) and Older Releases (2) give the Code Execution Exploitability Assessment for the latest and for older software releases; DoS (3) is the Denial of Service Exploitability Assessment.

Bulletin  CVE            CVE Title                                       Latest Release (1)                    Older Releases (2)                  DoS (3)    Key Notes
MS11-021  CVE-2011-0097  Excel Integer Overrun Vulnerability             2 - Inconsistent exploit code likely  1 - Consistent exploit code likely  Temporary  (None)
MS11-029  CVE-2011-0041  GDI+ Integer Overflow Vulnerability             Not affected                          1 - Consistent exploit code likely  Temporary  (None)
MS11-034  CVE-2011-0673  Win32k Null Pointer De-reference Vulnerability  Not affected                          1 - Consistent exploit code likely  Permanent  (None)

1 The Latest Software Release refers to the latest supported release of the software as listed in both the “Affected Software” and “Non-Affected Software” tables in the bulletin.

2 The Older Software Release refers to any other version of the software as listed in both the “Affected Software” and “Non-Affected Software” tables in the bulletin.

In the case of CVE-2011-0097, the most recent version of Microsoft Office has additional mitigations in place that make exploitation less reliable. For CVE-2011-0041, the latest version of the product, Windows 7, was not affected at all.

CVE-2011-0673 is a local elevation of privilege vulnerability which could lead to a permanent Denial of Service, and may require the machine to be restarted in order to restore functionality. Again, the latest version of the product was not affected by this issue.

In the table, the “Latest Software Release” is always the very latest version listed across both the “Affected Software” and “Non-Affected Software” tables in the security bulletin. The Exploitability Index Assessment for the “Older Software Release” is always the highest rating across any other platform listed in either of these tables. In the case of a complex security bulletin, where for instance both Microsoft Office and Microsoft Windows are affected, the Exploitability Index Assessment for the “Latest Software Release” will be the highest across both software products.

For instance, if the exploitability index assessment for Windows 7 Service Pack 1 is “1,” and for Office 2010 is “2,” the rating in the “Latest Software Release” column will be “1”.
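The aggregation rules above are easy to apply by hand for one bulletin and tedious for a whole release, so here is an added example (not Microsoft’s process or code) that derives the two published columns and the DoS column from per-platform assessments and then orders the rows for deployment. The sample input is the three April 2011 CVEs from the table; the per-platform breakdown behind each published rating is assumed for illustration, as is the fourth, hypothetical multi-product row that exercises the highest-across-products rule.

```powershell
# Added example; not Microsoft's tooling. Derives the published Exploitability
# Index columns from per-platform assessments using the rules in the text, then
# orders bulletins for deployment. Per-platform breakdowns are assumed for illustration.

# Lower number = more exploitable; "Not affected" ranks below every numeric rating.
$RatingOrder = @{ '1' = 1; '2' = 2; '3' = 3; 'Not affected' = 9 }
$RatingText  = @{
    '1' = '1 - Consistent exploit code likely'
    '2' = '2 - Inconsistent exploit code likely'
    '3' = '3 - Functioning exploit code unlikely'
    'Not affected' = 'Not affected'
}

function Select-HighestRating {
    # The "highest" rating is the most exploitable one present in the list.
    param([string[]]$Ratings)
    if (-not $Ratings) { return $null }
    return ($Ratings | Sort-Object { $RatingOrder[$_] } | Select-Object -First 1)
}

function ConvertTo-ExploitabilityIndexRow {
    param(
        [string]$Bulletin,
        [string]$Cve,
        [string]$Title,
        # One entry per affected product: Latest = its latest release,
        # Ratings = platform -> '1' | '2' | '3' | 'Not affected'
        [hashtable]$Assessments,
        [ValidateSet('Temporary', 'Permanent')][string]$DenialOfService
    )
    $latest = @(); $older = @()
    foreach ($product in $Assessments.Keys) {
        $entry = $Assessments[$product]
        foreach ($platform in $entry.Ratings.Keys) {
            if ($platform -eq $entry.Latest) { $latest += $entry.Ratings[$platform] }
            else                              { $older  += $entry.Ratings[$platform] }
        }
    }
    $latestRating = Select-HighestRating $latest   # highest across products, per the text
    $olderRating  = Select-HighestRating $older    # highest across every other platform
    [pscustomobject]@{
        Bulletin      = $Bulletin
        CVE           = $Cve
        Title         = $Title
        LatestRelease = $RatingText[$latestRating]
        OlderReleases = $RatingText[$olderRating]
        DoS           = $DenialOfService
        LatestKey     = $RatingOrder[$latestRating]   # numeric keys kept for sorting
        OlderKey      = $RatingOrder[$olderRating]
    }
}

function Get-DeploymentOrder {
    # Rank by the column that matches the environment; at equal exploitability a
    # permanent DoS (restart required) goes ahead of a temporary one.
    param([object[]]$Rows, [switch]$LatestPlatformOnly)
    $key = if ($LatestPlatformOnly) { 'LatestKey' } else { 'OlderKey' }
    $Rows | Sort-Object @{ Expression = { $_.$key } },
                        @{ Expression = { if ($_.DoS -eq 'Permanent') { 0 } else { 1 } } }
}

# Sample input: the April 2011 CVEs from the table with assumed per-platform detail,
# plus one hypothetical multi-product row for the highest-across-products rule.
$rows = @(
    ConvertTo-ExploitabilityIndexRow -Bulletin 'MS11-021' -Cve 'CVE-2011-0097' -Title 'Excel Integer Overrun Vulnerability' -DenialOfService Temporary -Assessments @{
        Office = @{ Latest = 'Office 2010'; Ratings = @{ 'Office 2010' = '2'; 'Office 2007' = '1'; 'Office 2003' = '1' } }
    }
    ConvertTo-ExploitabilityIndexRow -Bulletin 'MS11-029' -Cve 'CVE-2011-0041' -Title 'GDI+ Integer Overflow Vulnerability' -DenialOfService Temporary -Assessments @{
        Windows = @{ Latest = 'Windows 7 SP1'; Ratings = @{ 'Windows 7 SP1' = 'Not affected'; 'Windows Vista SP2' = '1'; 'Windows XP SP3' = '1' } }
    }
    ConvertTo-ExploitabilityIndexRow -Bulletin 'MS11-034' -Cve 'CVE-2011-0673' -Title 'Win32k Null Pointer De-reference Vulnerability' -DenialOfService Permanent -Assessments @{
        Windows = @{ Latest = 'Windows 7 SP1'; Ratings = @{ 'Windows 7 SP1' = 'Not affected'; 'Windows Vista SP2' = '1'; 'Windows XP SP3' = '1' } }
    }
    ConvertTo-ExploitabilityIndexRow -Bulletin '(hypothetical)' -Cve '(hypothetical)' -Title 'Multi-product bulletin' -DenialOfService Temporary -Assessments @{
        Windows = @{ Latest = 'Windows 7 SP1'; Ratings = @{ 'Windows 7 SP1' = '1'; 'Windows Vista SP2' = '1' } }
        Office  = @{ Latest = 'Office 2010';   Ratings = @{ 'Office 2010' = '2'; 'Office 2007' = '1' } }
    }
)

"Published ratings:"
$rows | Format-Table Bulletin, CVE, LatestRelease, OlderReleases, DoS -AutoSize
"Deployment order for an estate running only the latest platforms:"
Get-DeploymentOrder -Rows $rows -LatestPlatformOnly | Format-Table Bulletin, LatestRelease, DoS -AutoSize
"Deployment order for a mixed estate:"
Get-DeploymentOrder -Rows $rows | Format-Table Bulletin, OlderReleases, DoS -AutoSize
```

The first three rows reproduce the table’s published values (2/1, Not affected/1, Not affected/1); the hypothetical row comes out as “1” in the latest-release column because Windows 7 SP1 rates “1” even though Office 2010 rates “2”, which is exactly the case described in the preceding paragraph. The two deployment orders differ: an estate on the latest platforms can push MS11-029 and MS11-034 to the end of the queue, while a mixed estate cannot.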

A historical perspective

At Microsoft, we have been collecting ratings internally in this way for the last eight months. Out of a total of 256 ratings, we found that 97 issues were less serious, or not applicable on the latest version of the product. In contrast, only seven cases affected the most recent product version and not the older platforms.

Some changes, but the same goal

Our goal in publishing Exploitability Index ratings is to make it easier for enterprises to prioritize which updates to install first. We understand that some customers may not be able to install all updates at the same time. By giving an assessment of the exploitability and impact of an issue, we hope to support IT administrators in making rational decisions on which security updates to install first. We hope these changes prove useful in your monthly assessment of our security updates!

Maarten Van Horenbeeck
Senior Security Program Manager
EcoStrat

Q&A from April 2011 Security Bulletin Webcast

April 14th, 2011 Comments off

Hello,

Today we published the April Security Bulletin Webcast Questions & Answers page. We fielded 14 questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools. There were two questions during the webcast that we were unable to answer and we have included those questions and answers on the QA page.

I also want to provide some clarity regarding our announcement that SMS 2003 with SUIT is retiring this month. SMS 2.0 and the SUIT add-on that can be installed on either SMS 2.0 or SMS 2003 are going out of support this month. SMS 2003 is not scheduled to go out of support until 2015. Customers who currently use SMS 2003 with SUIT should plan to use SCCM 2007 or SMS 2003 with ITMU starting next month. 

We invite our customers to join us for the next public webcast on Wednesday, May 11th at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, May 11, 2011
Time: 11:00 a.m. PDT (UTC -7)

Register:
Attendee Registration

Thanks –

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

February 2011 Security Bulletin Release

February 8th, 2011

Hello all —

Today, as part of our monthly security bulletin release, we have 12 bulletins addressing 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and IIS (Internet Information Services). Three bulletins are rated Critical, and these are the bulletins we recommend for priority deployment:

  • MS11-003. This bulletin resolves three critical-level and moderate-level vulnerabilities affecting all versions of Internet Explorer. Due to existing mitigations, this bulletin is only rated at Moderate severity for all versions of Windows Server. It has an Exploitability Index rating of 1 and will deprecate Security Advisory 2488013.
  • MS11-006. This bulletin addresses one Critical-level vulnerability affecting Windows XP, Vista, Server 2003, and Server 2008. Newer versions of our operating system are unaffected. The vulnerability involves Windows Shell Graphics and could, if exploited, lead to remote code execution. This has an Exploitability Index rating of 1 and will deprecate Security Advisory 2490606, which we released on January 4th. Since that time, we have not seen any attacks against this issue.
  • MS11-007. This bulletin addresses one privately reported vulnerability affecting all supported versions of Windows and involving the OpenType Compact Font Driver. It’s rated Critical for Windows Vista, Windows 7, Server 2008 and Server 2008 R2; it’s rated Important for Windows XP and Server 2003. This issue has an Exploitability Index rating of 2.
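As an added illustration (not code from the original post or from Microsoft), the following Python sketch ranks the three Critical bulletins above for a given platform, using severity on that platform as the primary key and the Exploitability Index as the tie-breaker, which is the prioritization the Exploitability Index is meant to support. The severity and Exploitability Index values are those stated in the post; the platform names, the exact per-platform coverage, and the ordering rule are assumptions.

```python
"""Rank security bulletins for deployment by severity, then Exploitability Index.

Added example, not code from the original post. Severities and Exploitability
Index values for MS11-003/006/007 are those stated in the February 2011 post;
platform names, per-platform coverage and the ordering rule are assumptions.
"""
from dataclasses import dataclass

# Lower rank = deploy sooner.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass
class Bulletin:
    bulletin_id: str
    severity: dict          # platform -> severity; "*" is the default for unlisted platforms
    exploitability: int     # Exploitability Index: 1 = exploit code likely, 3 = unlikely

    def severity_for(self, platform):
        """Severity on `platform`, or None when the bulletin does not apply there."""
        return self.severity.get(platform, self.severity.get("*"))


# Constructed from the post: MS11-006 does not affect Windows 7 / Server 2008 R2,
# MS11-003 drops to Moderate on servers, MS11-007 is Important on XP / Server 2003.
FEBRUARY_2011 = [
    Bulletin("MS11-003", {"*": "Critical", "Windows Server 2003": "Moderate",
                          "Windows Server 2008": "Moderate",
                          "Windows Server 2008 R2": "Moderate"}, 1),
    Bulletin("MS11-006", {"Windows XP": "Critical", "Windows Vista": "Critical",
                          "Windows Server 2003": "Critical",
                          "Windows Server 2008": "Critical"}, 1),
    Bulletin("MS11-007", {"*": "Critical", "Windows XP": "Important",
                          "Windows Server 2003": "Important"}, 2),
]


def deployment_order(bulletins, platform):
    """Return bulletin IDs that apply to `platform`, most urgent first.

    Severity on that platform is the primary key and the Exploitability Index
    the tie-breaker, so an EI-1 Moderate issue still sorts below an EI-2 Critical
    one. Ties keep the input order (sort is stable).
    """
    applicable = [b for b in bulletins if b.severity_for(platform) is not None]
    applicable.sort(key=lambda b: (SEVERITY_RANK[b.severity_for(platform)], b.exploitability))
    return [b.bulletin_id for b in applicable]


if __name__ == "__main__":
    for platform in ("Windows 7", "Windows XP", "Windows Server 2008 R2"):
        print(platform, "->", deployment_order(FEBRUARY_2011, platform))
```

On Windows Server 2008 R2 the Critical EI-2 font driver issue outranks the Moderate EI-1 Internet Explorer issue, which shows why severity on the platform you actually run, not the Exploitability Index alone, should drive the order.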

In this video, Jerry Bryant discusses this month’s bulletins in further detail:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.

Our risk and impact graph shows an aggregate view of this month’s severity and Exploitability Index ratings.

More information about this month’s security updates can be found on the Microsoft Security Bulletin summary web page.

As mentioned, we are addressing Security Advisory 2488013 as part of the regularly scheduled Internet Explorer cumulative update. This Security Advisory and the zero-day disclosure on which it was predicated caused discussion in the security community, and some observers thought that we might be forced to release an out-of-band bulletin to protect customers. However, out-of-band releases are disruptive to customers and we try to avoid them where possible. Based on our capabilities to closely monitor the threat landscape, we were able to determine that attempts to attack this vulnerability were very low. With that information, we were able to extensively test a bulletin to be released as part of our regular bulletin cadence. The MMPC (Microsoft Malware Protection Center) blog has details about the telemetry we used to guide us. There we contrast this issue with telemetry from an out-of-band release last year to demonstrate why one was not needed here.

Also this month, we’re updating Security Advisory 967940, “Update for Windows Autorun,” to change how earlier versions of Windows handle security when reading “non-shiny” storage media. (“Shiny” storage media would include CD-ROMs and DVDs.) Windows 7 already disables Autorun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction. With the change to the Advisory, earlier versions of Windows that receive their updates automatically via Windows Update “AutoUpdate” will now gain that security-conscious functionality as well. We believe this is a huge step towards combating one of the most prevalent infection vectors used by malware such as Conficker.

Finally, we’re excited to announce that changes are coming to the system we use for publishing our bulletins and security advisories – changes that will bring better integration with the wealth of other content on Technet and a richer experience for customers. We are expecting the changes to go live in the June 2011 timeframe. The main impact to customers will be a URL change from microsoft.com/technet/security to technet.microsoft.com/security. We are planning to have both the old and new sites available simultaneously for a period of time and will be providing more details in March.

Please join the monthly technical webcast with your hosts, Jerry Bryant and Jonathan Ness, to learn more about all the February 2011 security bulletins. The webcast is scheduled for Wednesday, February 9, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Trustworthy Computing

December 2010 Security Bulletin Release

December 14th, 2010

Hi everyone. As part of our usual cycle of monthly security updates, today Microsoft is releasing 17 bulletins addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint Server and Exchange. Two of those bulletins carry a Critical rating, while 14 are rated Important and one is rated Moderate.

We’ve assigned our highest deployment priority to the two Critical bulletins, though we recommend that customers deploy all updates as soon as possible.

  • MS10-090 This bulletin resolves seven issues — five Critical, two Moderate —
    affecting all supported versions of Internet Explorer, on both Windows clients
    and Windows servers. Among its other updates, it addresses a vulnerability
    previously described in Security Advisory 2458511.
  • MS10-091 This bulletin is Critical and addresses three vulnerabilities in Windows’
    OpenType Font driver. All three issues were privately reported and we are not
    aware of any active attacks using them.

As mentioned, the other 15 bulletins this month carry lower severity ratings – including MS10-092, the bulletin that closes out the last known vulnerability exploited by the Stuxnet malware. To assist in your planning and implementation of the bulletins, please consult this month’s Deployment Priority chart.

Jerry Bryant, group manager for response communications, gives more information about the December bulletins in this overview video:


More information about this month’s security updates can be found on the Microsoft Security Bulletin summary web page. Our Exploitability Index provides additional information to help customers plan for deployment of these monthly security bulletins.

We are also releasing updated Malicious Software Removal Tool signatures this month. The MMPC blog goes into detail on QakBot, the subject of this month’s update.

Finally, we invite everyone to join the monthly technical webcast to learn more about the December 2010 security bulletin release. The webcast is scheduled for Wednesday, December 15, 2010 at 11:00 a.m. PST (UTC -8). Registration is available here.

Remember, you can follow the MSRC team for late-breaking news and updates on the threat landscape on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Senior Marketing Communications Manager