Archive for the ‘Microsoft Exchange’ Category

November 2014 Updates

November 11th, 2014

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

Advance Notification Service for the November 2014 Security Bulletin Release

November 6th, 2014

Today, we provide advance notification for the release of 16 Security Bulletins. Five of these updates are rated Critical, nine are rated as Important, and two are rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

As per our monthly process, we've scheduled the Security Bulletin release for the second Tuesday of the month, November 11, 2014, at approximately 10 a.m. PST. At that time, we'll provide deployment guidance. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.

We also want to let you know about a new way we will deliver our Security Bulletins. To streamline the way customers receive our security updates, we are directing customers to resources that will be available on the MSRC blog on Update Tuesday.

Follow us on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

Safer Internet Day 2014 and Our February 2014 Security Updates

February 11th, 2014

In addition to today being the security update release, February 11 is officially Safer Internet Day for 2014. This year, we’re asking folks to Do 1 Thing to stay safer online. While you may expect my “Do 1 Thing” recommendation would be to apply security updates, I’m guessing that for readers of this blog, that request would be redundant. Instead, I’ll ask that you also install the latest version of the Enhanced Mitigation Experience Toolkit (EMET). If you aren’t familiar with EMET, the utility helps prevent vulnerabilities from being successfully exploited by using security mitigation technologies built into the operating system. EMET doesn’t guarantee that vulnerabilities cannot be exploited, but it works to make exploitation as difficult as possible and is a great addition to any layered defense.

If you choose to install EMET as part of Safer Internet Day, you won’t just be making a difference on your own systems, you can also help a great non-profit organization. Starting today, when you share your promise to create a better Internet or participate in selected social media activities, Microsoft will make a donation to TechSoup Global – a nonprofit organization using technology to solve global problems and foster social change.

Now let’s get back to that other “One Thing” – This month, we’re releasing seven updates, four rated Critical and three rated Important, addressing 31 unique CVEs in Microsoft Windows, Internet Explorer, .NET Framework and Forefront Protection for Exchange. Here’s an overview of this month’s release:

Our top deployment priorities for this month are MS14-007, MS14-010 and MS14-011, which address issues in Microsoft Windows Direct2D, Internet Explorer, and the VBScript Scripting Engine.

MS14-007 | Vulnerability in Direct2D Could Allow Remote Code Execution  
This update addresses a privately reported vulnerability in the Microsoft Windows Direct2D component. The vulnerability could allow remote code execution if a customer views a specially crafted webpage using Internet Explorer.

MS14-010 | Cumulative Security Update for Internet Explorer   
This cumulative update addresses one public and 23 privately disclosed issues in Internet Explorer. It’s important to remember that this is still just one update. Our guidance to customers does not change based on the number of CVEs contained in a single Internet Explorer update. An attacker who successfully exploited the most severe of these issues could execute code at the level of the logged on user. Customers who deploy this update will be protected from that scenario.

MS14-011 | Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution  
This update addresses a privately reported vulnerability in the VBScript scripting engine within Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Although this update and MS14-007 have similar exploit vectors to the update for Internet Explorer, these issues actually reside in Windows components – not Internet Explorer. This update also shares a CVE with the MS14-010 update for Internet Explorer as the VBScript scripting engine was included in Internet Explorer 9.

We’ve mentioned it several times before, but in case you missed it, we revised Security Advisory 2862973 today to provide the update through automatic updates. We originally released this update last August to allow for testing, as the update will impact applications and services using certificates with the MD5 hashing algorithm. If you have already applied the update, you won’t need to take any additional action. If you haven’t applied this update yet, you can do so through automatic updates.

Watch the bulletin overview video below for a brief summary of today's releases.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, February 12, 2014, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow us at @MSFTSecResponse.

I encourage you to consider what “one thing” you can do to improve your internet safety, and I look forward to hearing your questions about this month’s release in our webcast tomorrow.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Omphaloskepsis and the December 2013 Security Update Release

December 10th, 2013

There are times when we get too close to a topic. We familiarize ourselves with every aspect and nuance, but fail to recognize not everyone else has done the same. Whether you consider this myopia, navel-gazing, or human nature, the effect is the same. I recognized this during the recent webcast when someone asked the question – “What’s the difference between a security advisory and a security bulletin?” The answer was simple to me, as I’ve been doing this for years, but the question was valid and it reminded me that not every person on the planet knows all of the ins and outs of Update Tuesday.

Given this month’s release, the question is timely, as we have 11 bulletins and 3 new advisories releasing today. As we look through today’s release, I thought it would be helpful to step back and take a closer look at some of the terminology we use frequently. Let’s begin by taking a look at the bulletins for December.

You may notice the graphic is significantly different from past months. In the new format, where you see circles throughout the deck, that’s the deployment priority. The numbers in squares represent the exploit index and the words in color indicate bulletin severity.

As we review our top bulletin deployment priorities for this month, let’s pause to review the official definition of a security bulletin.

Security bulletins include the following:

  • Details of all affected products
  • A list of frequently asked questions
  • Information about workarounds and mitigations
  • Any other information that IT staff needs to address the issue

But that doesn’t really explain why a security bulletin is released. Simply put, when there is a significant security-related update for something we ship, it goes in a security bulletin. If an issue in software can be corrected by applying new software, it becomes a security bulletin. Update for the Windows kernel? Security bulletin. Cumulative update for Internet Explorer? Security bulletin. Code problem with .NET Framework? Security bulletin. I think you see where I’m going with this.

This month, we have 11 security bulletins, 5 Critical and 6 Important in severity, addressing 24 unique CVEs in Microsoft Windows, Internet Explorer, Office and Exchange. For those who need to prioritize deployment planning we recommend focusing on MS13-096, MS13-097, and MS13-099.

MS13-096 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
This security update resolves a publicly disclosed vulnerability in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerability could allow remote code execution if a user views content that contains specially crafted TIFF files. As we highlighted through ANS, this update fully resolves the issue first described in Security Advisory 2896666. For those who installed the Fix it released through the advisory, you do not need to uninstall the Fix it prior to installing the update, but we do recommend disabling the Fix it after installation to ensure TIFF images are displayed correctly.

MS13-097 | Cumulative Update for Internet Explorer
This security update resolves seven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.

MS13-099 | Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to visit a specially crafted website or a website that hosts specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

In addition to the security bulletins, we are also releasing three security advisories this month and revising one more. So how do security advisories differ from security bulletins? After all, sometimes we see updates included in Security Advisories as well – including advisories this month. What’s the difference?

The easiest way to think of advisories is to consider them as a call to action. With bulletins, updates are usually sent out through Windows or Microsoft Update. If you’ve enabled automatic updating, there’s no action for you – the update will be installed and if needed, your system will reboot. Even if you manually apply all updates, bulletins should require nothing more than installing a package and potentially restarting a service or system. Advisories cover topics that potentially affect your security but cannot be resolved through an update alone. Let’s look at the advisories this month as examples.

Security Advisory 2905247 – Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege
This update enables administrators to configure their ASP.NET servers to ensure that view state MAC remains enabled at all times, as well as to provide general guidance on how to enable view state MAC on IIS servers.

In this instance, we’re not correcting faulty code; we’re allowing administrators to enforce a default behavior that’s more secure than the non-default setting.

Security Advisory 2871690 – Update to Revoke Non-compliant UEFI Modules
This advisory notifies customers that an update is available for Windows 8 and Windows Server 2012 that revokes the digital signatures for specific Unified Extensible Firmware Interface (UEFI) modules. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. This update applies to nine private, third-party UEFI modules used for test purposes only.

While this may seem like something we can address through a security bulletin, these UEFI modules are not known to be in public distribution. In all likelihood, you are not affected. Your friends aren’t affected. No one you know is affected. Still, we can’t be 100% certain that no one is affected, so we’re releasing this advisory with instructions for checking just in case.

Security Advisory 2915720 – Changes in Windows Authenticode Signature Verification
This advisory informs customers of an impending change to how Windows verifies Authenticode-signed binaries. It also recommends that developers who sign binaries with Windows Authenticode ensure that their signatures conform to the change by June 10, 2014. The SRD blog covers additional technical details about the changes.

This is an interesting advisory on an interesting topic. It accompanies a security bulletin, MS13-098, which does address an issue in Windows. In addition to resolving a security issue through new code, the update also introduces new functionality. This advisory details the new functionality and provides guidelines to both administrators and developers. The advisory provides some suggested test scenarios to ensure your enterprise and executables are ready for the change. Again, since this change tightens security rather than addressing an issue, it’s more appropriate that we communicate this to you through an advisory.

Finally, we are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-28. For more information about this update, including download links, see Microsoft Knowledge Base Article 2907997.

If you’ve been intrepid enough to read this far down, watch the bulletin overview video below for a brief summary of today’s releases.

For more information about this month’s security updates, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, December 11, 2013, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I hope this in-depth discussion of bulletins and advisories has been worth your time. If so, let me know what other topics you would like to see covered here. I never grow weary of talking about second Tuesday.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Advance Notification Service for December 2013 Security Bulletin Release

December 5th, 2013

Today we’re providing advance notification for the release of 11 bulletins, five Critical and six Important, for December 2013. The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The Critical update for GDI+ fully addresses the publicly disclosed issue described in Security Advisory 2896666.  

This release won’t include an update for the issue described in Security Advisory 2914486. We’re still working to develop a security update and we’ll release it when ready. Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.

As always, we’ve scheduled the security bulletin release for the second Tuesday of the month, December 10, 2013, at approximately 10:00 a.m. PST. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information that will help customers prepare for security bulletin testing and deployment.

Don’t forget, you can also follow the MSRC team’s recent activity on Twitter at @MSFTSecResponse

Thank you,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing
