Archive

Archive for the ‘IIS’ Category

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

Advance Notification Service for the November 2014 Security Bulletin Release

November 6th, 2014 No comments

Today, we provide advance notification for the release of 16 Security Bulletins. Five of these updates are rated Critical, nine are rated as Important, and two are rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

As per our monthly process, we've scheduled the Security Bulletin release for the second Tuesday of the month, November 11, 2014, at approximately 10 a.m. PST. At that time, we'll provide deployment guidance. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.

We also want to let you know about a new way we will deliver our Security Bulletins. To streamline the way customers receive our security updates, we are directing customers to resources that will be available on the MSRC blog on Update Tuesday.

Follow us on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

Advance Notification Service for the November 2014 Security Bulletin Release

November 6th, 2014 No comments

Today, we provide advance notification for the release of 16 Security Bulletins. Five of these updates are rated Critical, nine are rated as Important, and two are rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

As per our monthly process, we've scheduled the Security Bulletin release for the second Tuesday of the month, November 11, 2014, at approximately 10 a.m. PST. At that time, we'll provide deployment guidance. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.

We also want to let you know about a new way we will deliver our Security Bulletins. To streamline the way customers receive our security updates, we are directing customers to resources that will be available on the MSRC blog on Update Tuesday.

Follow us on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

November 2012 Bulletin Release

November 13th, 2012 No comments

Security Updates
Today we released six security bulletins to help protect our customers – four Critical, one Important, and one Moderate – addressing 19 vulnerabilities in Microsoft Windows Shell, Windows Kernel, Internet Explorer, Internet Information Services (IIS), .NET Framework, and Excel. For those who need to prioritize deployment, we recommend focusing on these two Critical updates first:

MS12-071 (Internet Explorer): This bulletin addresses three privately disclosed issues, none of which are currently known to be under active attack. Successful exploitation of these issues could result in code execution with the current user’s privileges. As such, we recommend the best practice of running applications with the least privileges possible in order to help mitigate potential risks. These issues do not affect Internet Explorer 10.

MS12-075 (Windows Kernel): This security update addresses three privately reported issues, none of which are currently known to be under active attack. This bulletin affects all supported versions of Microsoft Windows. The most severe issue could result in remote code execution if an attacker is able to lure a user to a website with a maliciously crafted TrueType font file embedded.

Security Update Re-release
In October we released Security Advisory 2749655 that addresses potential compatibility issues due to signature timestamps expiring before they should and noted we would be providing updates as they become available. Today we are providing one such update for MS12-046 (Visual Basic), which is now listed as available in the advisory. We have also released MS12-062 (System Center Configuration Manager 2007) to address an issue in the localization of resource files. Users who have already successfully installed the English versions of this update do not need to take any action.

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page. For an overview of the bulletins please watch the video below.

 

 

 

We recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in deployment planning (click for larger view).

 

Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index (click for larger view).

 

Thanks for reading and join us tomorrow (Wednesday, Nov. 14, 2012) at 11 a.m. PST for a live webcast with Jeremy Tinder and myself, as we share greater details about these bulletins. As always, we will answer bulletin-related questions live during the webcast. You may register for that one-hour event here.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

February 2011 Security Bulletin Release

February 8th, 2011 Comments off

Hello all —

Today, as part of our monthly security
bulletin release, we have 12 bulletins addressing 22 vulnerabilities in
Microsoft Windows, Office, Internet Explorer, and IIS (Internet Information
Services). Three bulletins are rated Critical, and these are the bulletins we
recommend for priority deployment:  

o   
MS11-003. This bulletin resolves three
critical-level and moderate-level vulnerabilities affecting all versions of
Internet Explorer. Due to existing mitigations, this bulletin is only rated at
Moderate severity for all versions of Windows Server, has an Exploitability
Index rating of 1, and will deprecate Security
Advisory 2488013
.

o   
MS11-006. This bulletin addresses one Critical-level
vulnerability affecting Windows XP, Vista, Server 2003, and Server 2008. Newer
versions of our operating system are unaffected. The vulnerability involves
Windows Shell Graphics and could if exploited lead to remote code execution.
This has an Exploitability Index rating of 1 and will deprecate Security
Advisory 2490606
which we released on January 4th. Since that
time, we have not seen any attacks against this issue.

o   
MS11-007. This bulletin addresses one privately
reported vulnerability affecting all supported versions of Windows and
involving the OpenType Compact Font Driver. It’s rated Critical for Windows
Vista, Windows 7, Server 2008 and Server 2008 R2; it’s rated Important for
Windows XP and Server 2003.  This issue has
an Exploitability Index rating of 2.

In this video, Jerry Bryant discusses this
month’s bulletins in further detail:

As always, we recommend that customers
deploy all security updates as soon as possible. Below is our deployment
priority guidance to further assist customers in their deployment planning
(click for larger view).

Our risk and impact graph shows an aggregate
view of this month’s severity and exploitability index (click for larger view).

More information about this month’s
security updates can be found on the Microsoft Security Bulletin summary web page

As mentioned, we are addressing Security Advisory 2488013 as part of the regularly scheduled
Internet Explorer cumulative update. This Security Advisory and the zero-day
disclosure on which it was predicated caused discussion in the security
community, and some observers thought that we might be forced to release an
out-of-band bulletin to protect customers. However, out-of-band releases are
disruptive to customers and we try to avoid them where possible. Based on our
capabilities to closely monitor the threat landscape, we were able to determine
that attempts to attack this vulnerability were very low. With that
information, we were able to extensively test a bulletin to be released as part
of our regular bulletin cadence. The MMPC (Microsoft Malware Protection Center)
blog has
details
about the telemetry we used to guide us. There we
contrast this issue with telemetry from an out-of-band release last year to
demonstrate why one was not needed here.

Also this month, we’re updating Security Advisory 967940, “Update for Windows Autorun,” to change
how earlier versions of Windows handle security when reading “non-shiny”
storage media. (“Shiny” storage media would include CD-ROMs and DVDs.) Windows
7 already disables Autorun for devices such as USB thumb drives, which prevents
malware lurking on such drives from loading itself onto computers without user
interaction. With the change to the Advisory, earlier versions of Windows that
receive their updates automatically via Windows Update “AutoUpdate” will now
gain that security-conscious functionality as well. We believe this is a huge
step towards combating one of the most prevalent infection vectors used by
malware such as Conficker.

Finally, we’re excited to announce that
changes are coming to the system we use for publishing our bulletins and
security advisories – changes that will bring better integration with the
wealth of other content on Technet and a richer experience for customers. We
are expecting the changes to go live in the June 2011 timeframe. The main
impact to customers will be a URL change from microsoft.com/technet/security to
technet.microsoft.com/security. We are planning to have both the old and new
sites available simultaneously for a period of time and will be providing more
details in March.

Please join the monthly technical webcast
with your hosts, Jerry Bryant and Jonathan Ness, to learn more about all the February
2011 security bulletins. The webcast is scheduled for Wednesday, February 9,
2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

For all the latest information, you can
follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Trustworthy Computing.