Archive for the ‘Bulletins’ Category

August 2014 Security Updates

August 12th, 2014

Today, as part of Update Tuesday, we released nine security updates – two rated Critical and seven rated Important – to address 37 Common Vulnerabilities & Exposures (CVEs) in SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize their deployment planning, we recommend focusing on the Critical updates first.

Here’s an overview slide and video of the security updates released today:

Microsoft also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.

You may notice a revision in the XI this month, which aims to better characterize the actual risk to a customer on the day the security update is released. Customers will see new wording for the rating, including a new rating of “0” for “Exploitation Detected.” More information about XI can be found here: http://technet.microsoft.com/en-us/security/cc998259.aspx.

Last week, Microsoft announced some other news that relates to Update Tuesday:

  • On August 5, Windows published a Windows blog post discussing its non-security update strategy moving forward, which is now on a monthly cadence as part of Update Tuesday.
  • On August 6, IE announced in its IE Blog that it would begin blocking out-of-date ActiveX controls. This feature will be part of the August IE Cumulative Security Update, but no out-of-date ActiveX controls will be blocked for 30 days in order to give customers time to test and manage their environments.
  • On August 7, .NET and IE announced that Microsoft will support only the most recent versions of .NET and IE for each supported operating system.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, August 13, 2014, at 11 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Dustin Childs

Group Manager, Response Communications
Microsoft Trustworthy Computing

The April 2014 Security Updates

April 8th, 2014

T. S. Eliot once said, “What we call the beginning is often the end. And to make an end is to make a beginning. The end is where we start from.” So as we put one season to bed, let’s start another by looking at the April security updates. Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office. The update for Microsoft Word addresses the issues described in Microsoft Security Advisory 2953095. For those who prioritize, we recommend this bulletin as well as the update for Internet Explorer be at the top of your list.

We would be remiss if we did not mention another end: the end of support for Windows XP and Office 2003. The updates provided by MS14-018 and MS14-019 will be the final security updates for Windows XP; MS14-017 and MS14-020 are the final updates for Office 2003. For those who haven’t migrated yet, I recommend visiting the Microsoft Security Blog, where my colleague Tim Rains provides guidance for consumers and small businesses who may have questions about how end of support affects them. Enterprise administrators will also find this a worthwhile read.

Here’s an overview of all the updates released this month:

Our top priorities for this month are MS14-018 and MS14-017, which address issues in Internet Explorer and Microsoft Word respectively.

MS14-018 | Cumulative Update for Internet Explorer

This security update resolves six privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. While the issues addressed by this bulletin are very straightforward, I wanted to specifically call your attention to the updates for Internet Explorer 11 on Windows 8.1 and Windows Server 2012 R2. For these platforms, the update is not cumulative – it only addresses the issues described in this bulletin. You also have the option of installing KB2919355, which is a cumulative update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. In addition to previous updates for these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications, usability improvements, extended mobile device management, and improved hardware support. Additionally, for Windows Server 2012 R2, it includes support for clustering configurations for hosters. For more information about this update, see Microsoft Knowledge Base Article 2919355.

Similarly, customers running Internet Explorer 11 on Windows 7 and Windows Server 2008 R2 can also choose a cumulative update: KB2929437. In addition to previous updates for Internet Explorer 11 on these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications. If you install this cumulative update, you will not need to install the KB2936068 update offered through MS14-018. There may also be some who overlook the update for Internet Explorer 10. For this version of the browser, the update is non-security. The issues addressed by this bulletin do not impact Internet Explorer 10, but the update does include non-security related changes. For more information about the non-security-related fixes that are included in this update, see Microsoft Knowledge Base Article 2936068.

MS14-017 | Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution

This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Word. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Office software. This security update also addresses the vulnerability first described in Microsoft Security Advisory 2953095. If you have installed the Fix it provided through this advisory, you should remove it once you apply the update to ensure RTF files open correctly.

Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security Bulletin APSB14-09. For more information about this update, including download links, see Microsoft Knowledge Base Article 2942844.

Watch the bulletin overview video below for a brief summary of today's releases.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

William Peteroy and I will host the monthly bulletin webcast, scheduled for Wednesday, April 9, 2014, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow us at @MSFTSecResponse.

Please join me in wishing Windows XP and Office 2003 a fond farewell as they head towards the sunset of their lives. I look forward to hearing your questions about this month’s release in our webcast tomorrow.

Thanks,
Dustin Childs

Group Manager, Response Communications
Microsoft Trustworthy Computing

The March 2014 Security Updates

March 11th, 2014

This month we release five bulletins to address 23 unique CVEs in Microsoft Windows, Internet Explorer and Silverlight. If you need to prioritize, the update for Internet Explorer addresses the issue first described in Security Advisory 2934088, so it should be at the top of your list. While that update does warrant your attention, I want to also call out another impactful update.

MS14-014 provides an update to address a security feature bypass in Silverlight. The issue wasn’t publicly known and it isn’t under active attack, but it can impact your security in ways that aren’t always obvious. Specifically, the update removes an avenue attackers could use to bypass ASLR protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable. Picasso said, “The hidden harmony is better than the obvious”; shutting down an ASLR bypass could be considered one of the most harmonious things to do to help increase customer security.

Let’s not forget the other updates we released today. This month we release two Critical and three Important bulletins. Here’s an overview of this month’s release:

Our top deployment priority this month is MS14-012, which addresses 18 issues in Internet Explorer.

MS14-012 | Cumulative Security Update for Internet Explorer

This cumulative update addresses one public and 17 privately disclosed issues in Internet Explorer. These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in Security Advisory 2934088, which included a Fix it for the issue. We should also note that the observed attacks performed a check for the presence of the Enhanced Mitigation Experience Toolkit (EMET) and did not proceed if it was detected. This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8. Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above. The SRD blog goes into more detail about how shutting down that bypass helped. For all issues addressed by this update, successful exploitation could allow an attacker to gain the same user rights as the local user. Customers with automatic updates enabled will not need to take action, as they will be updated automatically.

We are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-08. For more information about this update, including download links, see Microsoft Knowledge Base Article 2938527. Also, for those of you who may be interested, KB864199 provides a list of the non-security updates released today. This list includes the latest update for the Malicious Software Removal Tool (MSRT), which now includes detections for the Wysotot and Spacekito malware families.

Watch the bulletin overview video below for a brief summary of today's releases.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Webpage.

My colleagues Andrew Gross and Pete Voss will host the monthly bulletin webcast and answer your questions about this month’s release. As usual, the webcast is scheduled for Wednesday, March 12, 2014, at 11 a.m. PDT. Please register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow us at @MSFTSecResponse.

If you happen to be at the CanSecWest conference in Vancouver, B.C., please swing by our booth (number 4) to say hello!

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

MBSA 2.3 and the November 2013 Security Bulletin Webcast, Q&A, and Slide Deck

November 15th, 2013

Today we’re publishing the November 2013 Security Bulletin Webcast Questions & Answers page. The majority of questions focused on the ActiveX Kill Bits bulletin (MS13-090) and the advisories. We also answered a few general questions that were not specific to any of this month’s updates, but that may be of interest.

We’ve discussed the Microsoft Baseline Security Analyzer (MBSA) tool in this and many other webcasts, and I’m happy to report version 2.3 is now available. This new version adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. However, Windows 2000 systems will no longer be supported by MBSA. If you aren’t familiar with the tool or would just like to know more about it, we encourage you to read the FAQ found on the Security TechCenter. Thanks also go out to everyone who participated in the public preview leading up to this release.

We invite you to join us for the next scheduled webcast on Wednesday, December 11, 2013, at 11 a.m. PST (UTC -8), when we will go into detail about the December bulletin release and answer your bulletin deployment questions live on the air.

You can register to attend the webcast at the link below:

Date: Wednesday, December 11, 2013
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

The October 2013 security updates

October 8th, 2013

This month we release eight bulletins – four Critical and four Important – which address 25* unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight. For those who need to prioritize their deployment planning, we recommend focusing on MS13-080, MS13-081, and MS13-083.

Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases (click for larger view).

MS13-080 | Cumulative Security Update for Internet Explorer
This security update resolves 9* issues in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a customer views a specially crafted webpage using Internet Explorer, as described in Microsoft Security Advisory 2887505. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current user running Internet Explorer. All but one of these issues were privately disclosed.

MS13-081 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
This security update resolves seven issues in Microsoft Windows. The most severe vulnerability could allow remote code execution if a user views a malicious webpage with specially crafted OpenType fonts. This release also addresses vulnerabilities that could allow elevation of privilege if an attacker gains access to a system; in some cases physical access to a USB port is required. These issues were privately reported and we have not detected any attacks or customer impact.

MS13-083 | Vulnerability in Windows Common Control Library Could Allow Remote Code Execution
This security update resolves one issue in Microsoft Windows. The vulnerability could allow remote code execution if an affected system is accessible via an ASP.NET web application and can receive a specifically crafted request. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. This issue was privately reported and we have not detected any attacks or customer impact.

Security Advisory 2862973 | Update for MD5 Certificates
We would like to remind customers of the Update for MD5 Certificates that was released in August 2013 and will be released through Microsoft Update in February 2014. This update affects applications and services using certificates with the MD5 hashing algorithm. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. This will apply only to certificates utilized for server authentication, code signing and time stamping. These applications and services will no longer trust certificates utilizing MD5.
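To find certificates that this restriction will affect before February 2014, an administrator needs to know the signature algorithm of each certificate in use. The following dependency-free Python check is an added example, not code from this post or from Microsoft: it reads the signatureAlgorithm OID straight out of a DER (or PEM) X.509 certificate and flags the MD5-based ones. The certificates it runs on are constructed, minimal DER structures built inline for demonstration, not real certificates.

```python
"""Flag X.509 certificates whose signature algorithm is MD5-based."""
import base64

# Dotted OIDs of MD5-based signature algorithms (PKCS#1 arc and the older OIW arc).
MD5_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.3.14.3.2.3": "md5WithRSAEncryption (OIW)",
}
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"

TAG_SEQUENCE, TAG_OID, TAG_NULL, TAG_INTEGER, TAG_BITSTRING = 0x30, 0x06, 0x05, 0x02, 0x03


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length (< 128 bytes)
        length = first
    else:                                  # long-form length: 0x80|N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Decode OID contents to dotted form; the first byte packs the first two arcs."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                    # remaining arcs are base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Strip PEM armour lines and base64-decode the certificate body."""
    body = ""
    for line in pem_text.splitlines():
        s = line.strip()
        if s and not s.startswith("-----"):
            body += s
    return base64.b64decode(body)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID from Certificate.signatureAlgorithm.algorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    if tag != TAG_SEQUENCE:
        raise ValueError("certificate is not a DER SEQUENCE")
    _tag, _tbs, pos = _read_tlv(cert, 0)   # skip tbsCertificate entirely
    tag, alg_id, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != TAG_SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def md5_signed(certs):
    """Given {name: DER bytes}, return the sorted names the MD5 restriction will untrust."""
    return sorted(n for n, der in certs.items() if signature_algorithm_oid(der) in MD5_SIGNATURE_OIDS)


# --- constructed sample input: a tiny DER encoder builds stand-in "certificates" ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _fake_cert(sig_oid):
    """Stand-in Certificate with a stub tbsCertificate (serial + signature alg only)."""
    alg = _der(TAG_SEQUENCE, _der(TAG_OID, _encode_oid(sig_oid)) + _der(TAG_NULL, b""))
    tbs = _der(TAG_SEQUENCE, _der(TAG_INTEGER, b"\x01") + alg)
    sig = _der(TAG_BITSTRING, b"\x00" * 201)   # dummy signature; forces long-form lengths
    return _der(TAG_SEQUENCE, tbs + alg + sig)


MD5_CERT_DER = _fake_cert("1.2.840.113549.1.1.4")
SHA256_CERT_DER = _fake_cert(SHA256_WITH_RSA)
MD5_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(MD5_CERT_DER).decode()
                + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    inventory = {"legacy-timestamp": MD5_CERT_DER, "web-server": SHA256_CERT_DER}
    print("MD5-signed certificates:", md5_signed(inventory))   # prints ['legacy-timestamp']
```

On a real inventory, feed `pem_to_der()` the contents of each exported .cer/.pem file; the check only reports the outer signature algorithm, so a chain must be inspected certificate by certificate.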

Our risk and impact graph shows an aggregate view of this month’s Severity and Exploitability Index (click for larger view).

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, October 9, 2013, at 11 a.m. PDT. I invite you to register here and tune in to learn more about this month’s security bulletins and advisory.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I look forward to hearing your questions in the webcast tomorrow.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

*Updated CVE count to accurately reflect the correct number, which is 25. This is a documentation error and there is no known impact to customers.

Advance Notification Service for October 2013 Security Bulletin Release

October 3rd, 2013

Today we’re providing advance notification for the release of eight bulletins, four Critical and four Important, for October 2013. The Critical updates address vulnerabilities in Internet Explorer, .NET Framework and Windows. The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505.

As always, we’ve scheduled the security bulletin release for the second Tuesday of the month, October 8, 2013, at approximately 10:00 a.m. PDT. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information that will help customers prepare for security bulletin testing and deployment.

Don’t forget, you can also follow the MSRC team’s recent activity on Twitter at @MSFTSecResponse.

Thank you,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

September 2013 Security Bulletin Webcast, Q&A, and Slide Deck

September 13th, 2013

Today we’re publishing the September 2013 Security Bulletin Webcast Questions & Answers page. The majority of questions focused on Office bulletins, especially SharePoint Server (MS13-067). We received multiple Office related questions that were very similar in nature, so the questions have been merged, as applicable, with consolidated answers provided. We were able to answer six questions on air, and those we did not have time for have been included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, October 9, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the October bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, October 11, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

August 2013 Security Bulletin Webcast, Q&A, and Slide Deck

August 19th, 2013

Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063). There were 3 additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 11, 2013, at 11 a.m. PDT (UTC -8), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, September 11, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

A new policy for store apps and the July 2013 security updates

July 9th, 2013

There are those I’ve met who think my life is something akin to the classic comedy Groundhog Day. No, I don’t wake up to the musical stylings of Sonny and Cher each morning, but month after month after month, the second Tuesday rolls around and I’m involved in releasing security updates. As you may have noticed, there’s a second Tuesday in every month.

I don’t say this to garner any sympathy. I enjoy what I do, primarily because I know it helps protect people. It’s the reason we started Update Tuesday nearly 10 years ago, and the reason we continue it still today. We want our customers to know that if there’s a problem, we’ll be working on a solution. But there are some things that can affect your computing experience that I can’t directly control. For example, we can’t directly update third-party apps that you install from the Windows Store if they have a problem. But we can influence when they get updated.

Today we are announcing a new policy for how we’ll handle vulnerabilities in apps available through the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace. As with second Tuesday, we’re doing this to help protect customers and to ensure the apps available in our stores are as secure as possible. Starting today, developers will be required to submit an updated app within 180 days of being notified of a Critical or Important severity security issue. This assumes the app is not currently being exploited in the wild. In those cases, we’ll work with the developer to have an update available as soon as possible and may remove the app from the store earlier.

We also realize there may be rare cases where a developer needs more than 180 days. Should that occur – it hasn’t so far – we’ll work with the developer to get an updated app replacement as soon as possible.

Now let’s talk about some other customer security protections: the seven bulletins we released today – six Critical and one Important – address 34 vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Silverlight, GDI+ and Windows Defender. For those who need to prioritize deployment, we recommend focusing on MS13-053 and MS13-055 first. As always, customers should deploy all security updates as soon as possible. Our Bulletin Deployment Priority guidance is below, to further assist in deployment planning.

MS13-053 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

This security update resolves two publicly disclosed and six privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. We are aware of CVE-2013-3660 being used to achieve elevation of privilege in limited, targeted attacks. 

MS13-055 | Cumulative Security Update for Internet Explorer

This security update resolves 17 issues in Internet Explorer that could allow remote code execution if a customer views a specially-crafted Web page using the browser. An attacker who successfully exploited these vulnerabilities could gain the same rights as the logged-on user. This security update is rated Critical for all versions of Internet Explorer, on all supported releases of Microsoft Windows. These issues were privately disclosed and we have not detected any attacks or customer impact.

Watch the bulletin overview video below for a brief summary of today’s releases.

Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases (click for larger view).


Our risk and impact graph shows an aggregate view of this month’s Severity and Exploitability Index (click for larger view).


For more information about this month’s security updates, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, July 10, 2013, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I look forward to hearing your questions about this month’s release in our webcast tomorrow.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Advance Notification Service for July 2013 Security Bulletin Release

July 4th, 2013 No comments

Today we’re providing advance notification for the release of seven bulletins, six Critical and one Important, for July 2013. The Critical bulletins address vulnerabilities in Microsoft Windows, .NET Framework, Silverlight, Internet Explorer and GDI+. Also scheduled for inclusion among these Critical bulletins is an update to address CVE-2013-3660, which is a publicly known issue in the Kernel-Mode Drivers component of Windows. The Important-rated bulletin will address an issue in Microsoft Security Software.

As usual, we’ve scheduled the bulletin release for the second Tuesday of the month, July 9, 2013, at approximately 10:00 a.m. PDT. Revisit this blog then for our analysis of the risk and impact, as well as our deployment guidance and a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information that will help you prepare for bulletin testing and deployment.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

June 2013 Security Bulletin Webcast, Q&A, and Slide Deck

June 14th, 2013 No comments

Today we’re publishing the June 2013 Security Bulletin Webcast Questions & Answers page.  We fielded three questions during the webcast, with specific questions focusing primarily on Windows Print Spooler (MS13-050), Microsoft Office (MS13-051), and the security advisory addressing digital certificates (SA2854544). There was one question we were unable to field on the air which we answered on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, July 10, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the July bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, July 10, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

May 2013 Security Bulletin Webcast, Q&A, and Slide Deck

May 17th, 2013 No comments

For those who couldn’t attend the live webcast, today we’re publishing the May 2013 Security Bulletin Webcast Questions & Answers page.  We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS13-037 and MS13-038) and Visio (MS13-044). 

We invite our customers to join us for the next public webcast on Wednesday, June 12, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the June bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, June 12, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

April 2013 Security Bulletin Webcast, Q&A, and Slide Deck

April 16th, 2013 No comments

Today we’re publishing the April 2013 Security Bulletin Webcast Questions & Answers page.  We fielded nine questions during the webcast, with almost half of those focused on the Remote Desktop Client bulletin (MS13-024).  One question that was not answered on air has been included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, May 15, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, May 15, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

KB2839011 Released to Address Security Bulletin Update Issue

April 12th, 2013 No comments


We are aware that some of our customers may be experiencing difficulties after applying security update 2823324, which we provided in security bulletin MS13-036 on Tuesday, April 9. We’ve determined that the update, when paired with certain third-party software, can cause system errors. As a precaution, we stopped pushing 2823324 as an update when we began investigating the error reports, and have since removed it from the download center.

Contrary to some reports, the system errors do not result in any data loss nor affect all Windows customers. However, all customers who have installed security update 2823324 should follow the guidance that we have provided in KB2839011 to uninstall it.

Update 2823324 addresses a Moderate-level vulnerability that requires an attacker to have physical computer access to exploit. The other security update provided in security bulletin MS13-036, 2808735, continues to be available for download for all affected platforms and is being pushed via updates to help protect customers against other issues – the bulletin no longer contains the affected update.
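As an added example, not part of the original post or of KB2839011 itself, the following PowerShell checks whether update 2823324 is present on a machine and, if it is, removes it with wusa.exe. It assumes Get-HotFix and wusa.exe /uninstall /kb: are available (Windows 7 / Windows Server 2008 R2 and later) and that the administrator will handle any required reboot; where KB2839011 gives different steps for a particular platform, follow the KB.

```powershell
# Added example: detect and remove security update 2823324 (MS13-036).
# Assumes Get-HotFix and wusa.exe are available on the target machine.
$Kb = '2823324'

function Test-KbInstalled {
    param([string]$KbNumber)
    # Get-HotFix reads the same inventory shown under "Installed Updates".
    $hotfix = Get-HotFix -Id "KB$KbNumber" -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

if (-not (Test-KbInstalled -KbNumber $Kb)) {
    Write-Output "KB$Kb is not installed; nothing to do."
    return
}

Write-Output "KB$Kb is installed; removing it as directed by KB2839011."
# /quiet suppresses the wizard UI; /norestart leaves the reboot to the admin.
$proc = Start-Process -FilePath 'wusa.exe' `
    -ArgumentList "/uninstall /kb:$Kb /quiet /norestart" `
    -Wait -PassThru

# wusa exit codes: 0 = removed, 3010 = removed but a reboot is required.
switch ($proc.ExitCode) {
    0       { Write-Output "Removed KB$Kb." }
    3010    { Write-Output "Removed KB$Kb; reboot required to complete removal." }
    default { Write-Warning "wusa.exe exited with code $($proc.ExitCode); check the Windows Update log." }
}

# The companion MS13-036 update, 2808735, is not affected and should stay installed.
if (Test-KbInstalled -KbNumber '2808735') {
    Write-Output "KB2808735 remains installed, as expected."
}
```

Run it from an elevated PowerShell session; on a fleet, the same check and removal can be pushed through whatever remote execution or management tooling is already in place, with a reboot scheduled for machines that return 3010.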

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing