Archive for the ‘bulletin’ Category

August 2013 Security Bulletin Webcast, Q&A, and Slide Deck

August 19th, 2013

Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063). There were 3 additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 11, 2013, at 11 a.m. PDT (UTC -8), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, September 11, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

New update available for MS13-036

April 23rd, 2013

Today we released a new update to replace KB2823324, which was originally made available through MS13-036. As we previously discussed, we stopped distributing this update when we learned some customers were having issues. The new update, KB2840149, still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won’t need to take any actions. For those manually updating, we encourage you to apply this update at your earliest convenience.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Out with the old, in with the April 2013 security updates

April 9th, 2013

Windows XP was originally released on August 24, 2001. Since that time, high-speed Internet connections and wireless networking have gone from being a rarity to the norm, and Internet usage has grown from 360 million to almost two-and-a-half billion users. Thanks to programs like Skype, we now make video calls with regularity, and social media has grown from a curiosity to a part of our everyday lives. But through it all, Windows XP keeps chugging along. With its longevity and wide user base, Windows XP has served its customers faithfully over the years, but all good things must come to an end, and Windows XP is no exception.

In just 52 short weeks, support for Windows XP will come to an end. I won’t go into the benefits of upgrading platforms here – you can read about these in Tim Rains’ blog “The Countdown Begins” – but I will highlight that this means there will be no more security updates for Windows XP after April 2014. Of course, Windows XP leaving support doesn’t mean bad guys will stop trying to exploit it; however, the absence of new security updates will make it easier for attacks to succeed. We talk a lot about mitigating risks through our security updates, and with Windows XP retiring, the best mitigation will be to upgrade to a modern Windows operating system.

And since we are talking about going out with the old, let’s talk about what’s new today. We are releasing nine bulletins, two Critical-class and seven Important-class, addressing 14 vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Antimalware Client, Office, and Server Software. For those who need to prioritize deployment, we recommend focusing on MS13-028 and MS13-029 first.

MS13-028 (Microsoft Internet Explorer)
This security update resolves two issues in Internet Explorer, both of which could allow remote code execution if a customer views a specially crafted webpage using the browser. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current user. Both of these issues were privately disclosed and we have not detected any attacks or customer impact.

MS13-029 (Windows Remote Desktop Client)
This security update resolves an issue in the Windows Remote Desktop Client ActiveX control. The vulnerability could allow remote code execution if an attacker convinces a customer to view a website containing specially crafted content that exploits the vulnerability. This issue was privately reported and we have not detected any attacks or customer impact.

Please watch the bulletin overview video below for a quick summary of today’s releases.

As always, we urge you to deploy all security updates as soon as possible. Our deployment priority guidance is below to further assist in deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).

For more information about this month’s security updates, visit the Microsoft Security Bulletin summary webpage.

Jonathan Ness and I will host the monthly technical webcast, scheduled for Wednesday, April 9, 2013, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about the April security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

It’s been great strolling down memory lane, recalling a time when mobile phones were used for phone calls, but I look forward to hearing your questions during our future webcast via the “Internet.”
Thank you,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Advance Notification Service for the April 2013 Security Bulletin Release

April 4th, 2013

In celebration of spring’s onset, today we’re providing advance notification for the April 2013 release of nine bulletins: two Critical and seven Important. The Critical bulletins address vulnerabilities in Microsoft Windows and Internet Explorer, and the seven Important-rated bulletins will address issues in Microsoft Windows, Office, Antimalware Software, and Server Software.

As always, we’ll publish the bulletins on the second Tuesday of the month, April 9, 2013 at approximately 10 a.m. PDT. We encourage you to revisit this blog at that time for our risk and impact analysis, as well as deployment guidance and a brief video overview of the month’s updates. Until then, we recommend you review the ANS summary page for more information to help you prepare for bulletin testing and deployment.

For all the latest information, follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,
Dustin Childs
Group Manager
Microsoft Trustworthy Computing

January 2013 Out-of-Band Security Bulletin Webcast, Q&A, and Slide Deck

January 15th, 2013

Today we’re publishing the January 2013 Out-of-Band Security Bulletin Webcast Questions & Answers page. During the webcast, we fielded 17 questions focusing on Security Update MS13-088, and Security Advisory 2794220, which was deprecated by this update release. All questions and answers are included in the transcript.

We invite our customers to join us for the next scheduled webcast on Wednesday, February 13th at 11 a.m. PST (UTC-8), when we will go into detail about the February bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, February 13, 2013
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Trustworthy Computing

December 2012 Security Bulletin Webcast, Q&A, and Slide Deck

December 17th, 2012

Hello,

Today we’re publishing the December 2012 Security Bulletin Webcast Questions & Answers page. During the webcast, we fielded five questions focusing primarily on Microsoft Word and the Office compatibility pack in MS12-079. All questions are included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, January 9th at 11 a.m. PST (UTC -8), when we will go into detail about the January bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, January 9, 2013
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Trustworthy Computing

It’s That Time of Year, For the December 2012 Bulletin Release

December 11th, 2012

Happy holidays! I hope everyone is enjoying the festive season. I like to get my holiday shopping done early, and this year was no exception. In the middle of my holiday shopping last week, as I passed my cash from one store to the next, I was reminded of “Pass-the-Hash.” (My mind does tend to wander a bit as I shop.) For those not familiar, Pass-the-Hash (PtH) is a technique in which an attacker captures account logon credentials on one computer and then uses those captured credentials to authenticate to other computers over the network. Various folks have discussed this technique in the past, and we have seen it used in attacks as well. Today, TwC released a whitepaper that lays out ways to help prevent these types of attacks. Please take a few minutes to read about the Pass-the-Hash technique on the TwC team blog or download the whitepaper to read on the way over the river and through the woods to Grandma’s house. You won’t be disappointed.

Now, on to the news of the day: today we’re releasing seven bulletins, five Critical-class and two Important-class, addressing 12 vulnerabilities in Microsoft Windows, Internet Explorer (IE), Word and Windows Server. For those who need to prioritize deployment, we recommend focusing on the following two critical updates first:

MS12-077 (Internet Explorer)

This security update addresses three Critical-class Internet Explorer issues that could result in remote code execution. These issues exist in all versions of IE, but there is no evidence that they are known publicly or under exploit in the wild. You’ll notice there is no severity rating for IE versions prior to IE 9. On these versions, the update is a defense-in-depth change only. Although there are no known attack vectors for these versions, we still recommend that our customers using these versions apply the update.

MS12-079 (Microsoft Word)

This security update resolves one issue in Microsoft Word. This bulletin has a Critical severity rating and can result in remote code execution. An attacker could run code in the context of the logged-on user if they were to open a specially crafted Rich Text Format (RTF) file, or preview or open a specially-crafted RTF email message in Outlook while using Microsoft Word as the email viewer. This issue was privately disclosed and we’re not aware of any attacks or customer impact.

Security Advisory 2755801

With this month’s release, we are also revising Security Advisory 2755801 to address issues in Adobe Flash Player in IE 10. This is a cumulative update, which means customers do not need to install previous updates as a prerequisite for installing the current update. We remain committed to working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.

Please watch the bulletin overview video below for more information.

As always, we recommend that our customers deploy all security updates as soon as possible. Our deployment priority guidance is below to further assist in deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).

For more information about this month’s security updates, visit the Microsoft Security Bulletin summary web page.

Per our usual process, Jonathan Ness and I will host the monthly technical webcast on Wednesday. I invite you to tune in and learn more about the December security bulletins and advisories. We’ve scheduled the webcast for Wednesday, Dec. 12, 2012 at 11 a.m. PST, and you can register here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I hope everyone has a wonderful holiday season, safe travels and I look forward to hearing your questions during the webcast.

Dustin Childs
Group Manager
Trustworthy Computing

November 2012 Bulletin Release

November 13th, 2012

Security Updates
Today we released six security bulletins to help protect our customers – four Critical, one Important, and one Moderate – addressing 19 vulnerabilities in Microsoft Windows Shell, Windows Kernel, Internet Explorer, Internet Information Services (IIS), .NET Framework, and Excel. For those who need to prioritize deployment, we recommend focusing on these two Critical updates first:

MS12-071 (Internet Explorer): This bulletin addresses three privately disclosed issues, none of which are currently known to be under active attack. Successful exploitation of these issues could result in code execution with the current user’s privileges. As such, we recommend the best practice of running applications with the least privileges possible in order to help mitigate potential risks. These issues do not affect Internet Explorer 10.

MS12-075 (Windows Kernel): This security update addresses three privately reported issues, none of which are currently known to be under active attack. This bulletin affects all supported versions of Microsoft Windows. The most severe issue could result in remote code execution if an attacker is able to lure a user to a website with a maliciously crafted TrueType font file embedded.

Security Update Re-release
In October we released Security Advisory 2749655 that addresses potential compatibility issues due to signature timestamps expiring before they should and noted we would be providing updates as they become available. Today we are providing one such update for MS12-046 (Visual Basic), which is now listed as available in the advisory. We have also released MS12-062 (System Center Configuration Manager 2007) to address an issue in the localization of resource files. Users who have already successfully installed the English versions of this update do not need to take any action.

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page. For an overview of the bulletins please watch the video below.

We recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in deployment planning (click for larger view).

Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index (click for larger view).

Thanks for reading and join us tomorrow (Wednesday, Nov. 14, 2012) at 11 a.m. PST for a live webcast with Jeremy Tinder and me, as we share greater details about these bulletins. As always, we will answer bulletin-related questions live during the webcast. You may register for that one-hour event here.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

Advance Notification Service for November 2012 Security Bulletin Release

November 8th, 2012

Today, we’re providing advance notification for six bulletins to help protect customers against 19 CVEs. The four Critical-rated updates will address 13 vulnerabilities in Microsoft Windows, Internet Explorer and the .NET Framework. One bulletin rated Important will address four vulnerabilities in Microsoft Office and finally, one Moderate update will address two issues in Microsoft Windows.

As usual, the bulletin release is scheduled for the second Tuesday of the month, November 13, 2012, at approximately 10 a.m. PST. We recommend that customers review the ANS summary page for more information and prepare for bulletin testing and deployment as soon as possible to help ensure a smooth update process. For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

Update Tuesday overview for September 2012

September 11th, 2012

As I previously mentioned in the Advance Notification blog on Thursday, today we are releasing two security bulletins, both of which are rated Important.

These bulletins will increase protection by addressing two unique vulnerabilities in the following Microsoft products:

  • MS12-061 (Visual Studio Team Foundation Server): This security update resolves a privately reported vulnerability in Visual Studio Team Foundation Server. This bulletin is rated Important for Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1.
  • MS12-062 (System Center Configuration Manager): This security update resolves a privately reported vulnerability in Microsoft System Center Configuration Manager. The bulletin is rated Important for Microsoft Systems Management Server 2003 Service Pack 3 and Microsoft System Center Configuration Manager 2007 Service Pack 2.

Neither of the issues addressed is known to be under active exploit in the wild – and, on another positive note, neither bulletin requires customers to restart their machines.

In this video, Yunsun Wee discusses this month’s bulletins in further detail, focusing on these two bulletins as well as on an important announcement concerning a certificate-related advisory to be released in October:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).

More information about this month’s security updates can be found on the Microsoft Security Bulletin summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Dustin Childs and Andrew Gross. I invite you to tune in and learn more about the September security bulletins. The webcast is scheduled for Wednesday, September 12, 2012 at 11 a.m. PDT, and the registration can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Angela Gunn
Trustworthy Computing.

August 2012 Security Bulletin Webcast, Q&A, and Slide Deck

August 18th, 2012

Hello.

Today we’re publishing the August 2012 Security Bulletin Webcast Questions & Answers page. During the webcast, we fielded twelve questions focusing primarily on MS12-060 covering Windows Common Controls, MS12-052 regarding Internet Explorer, and Security Advisory 2661254 addressing trusted certificates with RSA keys shorter than 1024 bits. Three additional questions were answered after the webcast. All questions are included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 12th at 11 a.m. PDT (UTC -7), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, September 12, 2012
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Yunsun Wee

Director, Trustworthy Computing.

August 2012 Bulletin Release

August 14th, 2012

Security Advisory 2661254 – Update For Minimum Certificate Key Length
Before we get into the details of this month’s bulletin release, let’s take a look at an important change in how Windows deals with certificates that have RSA keys of less than 1024 bits in length.

We’ve been talking about this subject since June, and today we are announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length with Security Advisory 2661254. As noted in the advisory, this update will be available in the Download Center as well as the Microsoft Update Catalog. This allows enterprise administrators to download and import the update into WSUS for testing before widely deploying the update throughout their enterprise. The security advisory includes instructions on how to configure the update and provides general guidance on what steps customers should take to become more secure. This update is planned to be released via Windows Update starting in October 2012.

For additional details on these defense-in-depth changes to how Windows deals with certificates, please visit the Public Key Infrastructure (PKI) blog.
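An added check, not code from this post or from the advisory it refers to, that inventories the certificates this update affects before it is imported into WSUS: every RSA certificate in the local stores whose key is shorter than 1024 bits. It assumes Windows PowerShell on a Windows host with read access to the LocalMachine and CurrentUser stores; the CSV path is a placeholder.

```powershell
# Added example (not from the MSRC post): list RSA certificates shorter than 1024 bits,
# the class of certificate that the update in Security Advisory 2661254 restricts.
# Read-only: it enumerates the stores and writes a report, it does not modify anything.
$RsaOid      = '1.2.840.113549.1.1.1'   # rsaEncryption OID from the SubjectPublicKeyInfo
$MinimumBits = 1024                     # minimum RSA key length the update enforces

$weak = foreach ($root in 'Cert:\LocalMachine', 'Cert:\CurrentUser') {
    Get-ChildItem -Path $root -Recurse |
        # skip store containers and keep only RSA-keyed certificates
        Where-Object { -not $_.PSIsContainer -and $_.PublicKey.Oid.Value -eq $RsaOid } |
        ForEach-Object {
            $bits = $_.PublicKey.Key.KeySize   # modulus length in bits
            if ($bits -lt $MinimumBits) {
                [PSCustomObject]@{
                    Store      = $_.PSParentPath -replace '^.*::', ''   # e.g. LocalMachine\Root
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
        }
}

if ($weak) {
    $weak | Sort-Object Store, Subject | Format-Table -AutoSize
    # keep a record to compare against after the update has been rolled out
    $weak | Export-Csv -Path (Join-Path $env:TEMP 'weak-rsa-certs.csv') -NoTypeInformation
} else {
    "No RSA certificates shorter than $MinimumBits bits found in the local stores."
}
```

Certificates found in the Root or CA stores matter most, because the update affects chain validation for everything issued beneath them, not just the listed certificate.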

Security Updates
For this Update Tuesday we are releasing nine security bulletins – five Critical-class and four Important – addressing 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office. For those who need to prioritize deployment, we recommend focusing on these three critical updates first:

MS12-060 (Windows Common Controls)
Multiple software products utilize Windows Common Controls, and the issues addressed in this bulletin affect Office, SQL Server, Server Software, and Developer Tools. We’re aware of limited, targeted attacks attempting to exploit this vulnerability, but we haven’t seen public proof-of-concept code published. These are important factors to consider when determining deployment priority and Microsoft recommends that customers test and deploy this update as soon as possible.

MS12-052 (Internet Explorer)
This security update addresses four privately disclosed issues, none of which are currently known to be under active attack. Successful exploitation of these issues could result in the execution of code with the privileges of the current user. You may notice that one of the issues addressed in the Cumulative Security Update for Internet Explorer is also listed in MS12-056 for the JScript and VBScript Engines. Since this issue affects both IE and Windows components, you will need to apply both updates to ensure the issue has been addressed on your system.

MS12-054 (Windows Networking Components)
This security update addresses three issues related to the Remote Administration Protocol (RAP) and one issue affecting the Print Spooler. The impact from these issues ranges from Denial of Service (DoS) to Remote Code Execution (RCE). All of these issues were reported to us through coordinated disclosure and we have no reports of these issues being exploited. As with our other top-priority bulletins, we encourage customers to test and deploy this update as soon as possible.

Of the remaining six bulletins, two are also rated as critical: one addressing issues affecting the Remote Desktop Protocol and the other affecting Exchange Server. The remaining four bulletins are all Important-class issues touching on Windows and Office.

Security Update Re-release
Last month, we published MS12-043 to address issues affecting Microsoft XML Core Services. The July release provided updates for Microsoft XML Core Services 3.0, 4.0, and 6.0. This month, we are re-releasing MS12-043 with additional updates for Microsoft XML Core Services 5.0. This re-release does not affect the previous updates for versions 3.0, 4.0, and 6.0.

Please watch the video below for an overview of this month’s bulletins and you can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index (click for larger view). For insightful details about the Exploitability Index and additional bulletin nuances, please see the Security Research & Defense (SRD) blog.

Thanks for reading and join us tomorrow (Wednesday, August 15, 2012) at 11 a.m. PDT for a live webcast with Jonathan Ness and Dustin Childs, who will be sharing greater details about these bulletins and our other announcements this month. As always, they will be answering bulletin-related questions live during the webcast. You may register for that one-hour event here.

Yunsun Wee
Microsoft
Trustworthy Computing

June 2012 Security Bulletin Webcast, Q&A, and Slide Deck

June 15th, 2012

Hello,

Today we published the June Security Bulletin Webcast Questions & Answers page, and the June 2012 Security Bulletin Release Webcast slide deck. We fielded 23 questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools.

Our webcast from Wednesday is now available for on-demand viewing. See below:

We invite our customers to join us for the next public webcast on Wednesday, July 11 at 11 a.m. PDT (UTC -7), when we will go into detail about the July bulletin release and answer questions live on the air. Customers can register to attend at the link below:

Date: Wednesday, July 11, 2012
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing
