Today, as a part of our regular Update Tuesday process, we released four security bulletins – one rated Critical and three rated Important in severity – to address 42 Common Vulnerabilities & Exposures (CVEs) in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server. We encourage you to apply all of these updates, but for those who need to prioritize, we recommend focusing on the Critical update first.
Below is a graphical overview of this release and a brief video summarizing the updates released today:
The top deployment priority for our customers this month is the update for Internet Explorer, which addresses 37 CVEs. In case you missed it, the August update for Internet Explorer also included new functionality to block out-of-date ActiveX controls. This functionality will be enabled with today’s update. You can see what these notifications will look like by reviewing this TechNet article. Administrative Templates are also available for those who wish to manage these settings through Group Policy.
For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.
Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, September 10, 2014, at 11 a.m. PDT.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
Thanks, Dustin Childs Group Manager, Response Communications Microsoft Trustworthy Computing
As security professionals, we are trained to think in worst-case scenarios. We run through the land of the theoretical, chasing “what if” scenarios as though they are lightning bugs to be gathered and stashed in a glass jar. Most of the time, this type of thinking is absolutely the correct thing for security professionals to do. We need to be prepared for when, not if, these disruptive events occur. However, every now and then, it can be productive to draw ourselves out of this hypothetical mentality and look instead at the real impact in the here and now.
Speaking of the here and now, today we release seven security bulletins, two rated Critical and five rated Important in severity, addressing 66 Common Vulnerabilities and Exposures (CVEs) for Microsoft Windows, Internet Explorer, and Microsoft Office customers. But before we get into the details of the updates, I want to take a moment to provide some additional insight into how we assess and recommend those severity ratings. For every issue, we consider “what if”: what is the most severe outcome from a potential cyberattack? We want to provide our best guidance on the risk assessment for our customers, and that requires consideration of the worst-case scenario.
If we consider the worst-case scenario analogous to a tree falling in the woods, is there a sound if no one is around to hear it? Similarly, does a vulnerability make a sound if it never gets exploited? When we become aware of a potential security issue, we work to fix it regardless of whether or not it is under active attack. In other words, it doesn’t matter if that falling tree makes a noise; we still have an action to take. Why? Because one day in the future, it’s possible what we’re delivering today could get exploited if not addressed. However, we’re not in the future; we’re in the land of the here and now. And while we are in this land, we sometimes confuse theoretical thinking with the actuality of impact to real people. Until something actually occurs it is still theory; we’re taking the theoretical and making practical updates against future “what ifs”.
Let’s look at an example from this month’s release. The security bulletin for Internet Explorer (IE) resolves 59 items, including CVE-2014-1770. The most serious of these could allow remote code execution if a user views a webpage specially crafted by a cybercriminal. We still haven’t seen any active attacks attempting to exploit any of the other CVEs addressed by this bulletin. While there are a number of things being addressed this time around, it’s important to note that, to our knowledge, none of these now-addressed CVEs have caused any customer impact to date.
Addressing items before active attacks occur helps keep customers better protected. The Internet Explorer update for this month includes additional security updates that will help protect our customers, which is yet another reason why it’s good to stay current with the latest updates.
If you’ve seen the recent blog from the IE team, you’ll also see another message: Customers should update to the latest version of Internet Explorer. For Windows 7 and Windows 8.1, that means Internet Explorer 11—the most modern, secure browser we’ve ever built. IE11 has advanced security features like Enhanced Protection Mode (EPM) and SmartScreen Filter, support for modern web standards, and Enterprise Mode for rendering legacy web apps. Internet Explorer 11 is much more secure than older versions, which is why we encourage customers to upgrade.
There are six other bulletins released today to improve your security as well. For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.
Here’s an overview of all the updates released today:
As always, we encourage you to apply all of the updates, but for those who prioritize, we recommend the Word and Internet Explorer updates be on the top of your list.
Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-16. For more information about this update, including download links, see Microsoft Knowledge Base Article 2966072.
Watch the bulletin overview video below for a brief summary of today's releases.
Andrew Gross and I will host the monthly security bulletin webcast, scheduled for Wednesday, June 11, 2014, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins.
For all the latest information, you can also follow us at @MSFTSecResponse.
I look forward to hearing any questions about this month’s release during our webcast tomorrow.
Thanks, Dustin Childs Group Manager, Response Communications Microsoft Trustworthy Computing
Today we provide advance notification for the release of seven Bulletins, two rated Critical and five rated Important in severity. These Updates are for Microsoft Windows, Microsoft Office and Internet Explorer. The Update for Internet Explorer addresses CVE-2014-1770, which we have not seen used in any active attacks.
Also, in case you missed it, last month we released Security Advisory 2871997 to further enhance credentials management and protections on Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012. Since then, we have received some questions about the functionality changes introduced by the advisory. Over on the Security Research & Defense (SRD) blog, Joe Bialek from the MSRC Engineering team provides an overview of those changes, their impact, and some other important configuration changes that can be made in conjunction with the update to further improve system security. I recommend you take a few moments to read the SRD blog and consider implementing some or all of the changes in your environment.
As always, we’ve scheduled the Security Bulletin release for the second Tuesday of the month, June 10, 2014, at approximately 10:00 a.m. PDT. Revisit this blog then for analysis of the relative risk and impact, as well as deployment guidance, together with a brief video overview of the month’s Updates. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.
Don’t forget, you can also follow the MSRC team’s recent activity on Twitter at @MSFTSecResponse.
Thank you, Dustin Childs Group Manager, Response Communications Microsoft Trustworthy Computing
T. S. Eliot once said, “What we call the beginning is often the end. And to make an end is to make a beginning. The end is where we start from.” So as we put one season to bed, let’s start another by looking at the April security updates. Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office. The update for Microsoft Word addresses the issues described in Microsoft Security Advisory 2953095. For those who prioritize, we recommend this bulletin as well as the update for Internet Explorer be on the top of your list.
We would be remiss if we did not mention another end; the end of support for Windows XP and Office 2003. The updates provided by MS14-018 and MS14-019 will be the final security updates for Windows XP; MS14-017 and MS14-020 are the final update for Office 2003. For those who haven’t migrated yet, I recommend visiting the Microsoft Security Blog, where my colleague Tim Rains provides guidance for consumers and small businesses who may have questions about how end of support affects them. Enterprise administrators will also find this a worthwhile read.
Here’s an overview of all the updates released this month:
Our top priorities for this month are MS14-018 and MS14-017, which address issues in Internet Explorer and Microsoft Word respectively.
This security update resolves six privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. While the issues addressed by this bulletin are very straightforward, I wanted to specifically call your attention to the updates for Internet Explorer 11 on Windows 8.1 and Windows Server 2012 R2. For these platforms, the update is not cumulative; it only addresses the issues described in this bulletin. You also have the option of installing KB2919355, which is a cumulative update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. In addition to previous updates for these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications, usability improvements, extended mobile device management, and improved hardware support. Additionally, for Windows Server 2012 R2, it includes support for clustering configurations for hosters. For more information about this update, see Microsoft Knowledge Base Article 2919355.
Similarly, customers running Internet Explorer 11 on Windows 7 and Windows Server 2008 R2 also can choose a cumulative update: KB2929437. In addition to previous updates for Internet Explorer 11 on these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications. If you install this cumulative update, you will not need to install the KB2936068 update offered through MS14-018. There may also be some who overlook the update for Internet Explorer 10. For this version of the browser, the update is non-security. The issues addressed by this bulletin do not impact Internet Explorer 10, but the update does include non-security related changes. For more information about the non-security-related fixes that are included in this update, see Microsoft Knowledge Base Article 2936068.
This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Word. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Office software. This security update also addresses the vulnerability first described in Microsoft Security Advisory 2953095. If you have installed the Fix it provided through this advisory, you should remove it once you apply the update to ensure RTF files open correctly.
Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-09. For more information about this update, including download links, see Microsoft Knowledge Base Article 2942844.
Watch the bulletin overview video below for a brief summary of today's releases.
For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.
William Peteroy and I will host the monthly bulletin webcast, scheduled for Wednesday, April 9, 2014, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.
For all the latest information, you can also follow us at @MSFTSecResponse.
Please join me in wishing Windows XP and Office 2003 a fond farewell as they head towards the sunset of their lives. I look forward to hearing your questions about this month’s release in our webcast tomorrow.
Thanks, Dustin Childs Group Manager, Response Communications Microsoft Trustworthy Computing
This month we release five bulletins to address 23 unique CVEs in Microsoft Windows, Internet Explorer and Silverlight. If you need to prioritize, the update for Internet Explorer addresses the issue first described in Security Advisory 2934088, so it should be at the top of your list. While that update does warrant your attention, I want to also call out another impactful update.
MS14-014 provides an update to address a security feature bypass in Silverlight. The issue wasn’t publicly known and it isn’t under active attack, however it can impact your security in ways that aren’t always obvious. Specifically, the update removes an avenue attackers could use to bypass ASLR protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable. Picasso said, “The hidden harmony is better than the obvious” – Shutting down an ASLR bypass could be considered one of the most harmonious things to do to help increase customer security.
Let’s not forget the other updates we released today. This month we release two Critical and three Important bulletins. Here’s an overview of this month’s release:
Our top deployment priority this month is MS14-012, which addresses 18 issues in Internet Explorer.
MS14-012 | Cumulative Security Update for Internet Explorer This cumulative update addresses one public and 17 privately disclosed issues in Internet Explorer. These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in Security Advisory 2934088, which included a Fix it for the issue. We should also note that the observed attacks performed a check for the presence of the Enhanced Mitigation Experience Toolkit (EMET) and did not proceed if it was detected. This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8. Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above. The SRD blog goes into more detail about how shutting down that bypass helped. For all issues addressed by this update, successful exploitation could allow an attacker to gain the same user rights as the local user. Customers with automatic updates enabled will not need to take action, as they will be updated automatically.
We are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-08. For more information about this update, including download links, see Microsoft Knowledge Base Article 2938527. Also, for those of you who may be interested, KB864199 provides a list of the non-security updates released today. This list includes the latest update for the Malicious Software Removal Tool (MSRT), which now includes detections for the Wysotot and Spacekito malware families.
Watch the bulletin overview video below for a brief summary of today's releases.
For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Webpage.
My colleagues Andrew Gross and Pete Voss will host the monthly bulletin webcast and answer your questions about this month’s release. As usual, the webcast is scheduled for Wednesday, March 12, 2014, at 11 a.m. PDT. Please register here, and tune in to learn more about this month’s security bulletins and advisories.
For all the latest information, you can also follow us at @MSFTSecResponse.
If you happen to be at the CanSecWest conference in Vancouver, B.C, please swing by our booth (number 4) to say hello!
Thanks, Dustin Childs Group Manager, Response Communications Microsoft Trustworthy Computing
In January, there are those who like to make predictions about the upcoming year. I am not one of those people. Instead, I like to quote Niels Bohr who said, “Prediction is very difficult, especially if it’s about the future.” However, I can say without a doubt that change is afoot in 2014.
In February, usage of the MD5 hash algorithm in certificates will be restricted, as first discussed in Security Advisory 2862973, and the update goes out through Microsoft Update on the 11th. This will impact applications and services using certificates with the MD5 hashing algorithm and will apply only to certificates utilized for server authentication, code signing and time stamping. The restriction is limited to certificates issued under roots in the Microsoft root certificate program.
Support for Windows XP comes to an end in April. There has already been much written about this auspicious event, so I won’t rehash it all here. Of course, we realize that just because support is ending, it does not mean XP usage will – much to the delight of attackers around the world. I’m not sure if it’s possible to have fond memories of an operating system, but XP will always maintain a warm place in my heart – just not on my laptop.
June brings changes to the Windows Authenticode verification function. This affects developers more than consumers, but it’s an important change. Once implemented, certain programs will be considered "unsigned" if Windows identifies content that does not conform to the Authenticode specification. You can read all about this change in Security Advisory 2915720 and over on the SRD blog.
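The February change described above only bites certificates that are both MD5-signed and used for server authentication, code signing or time stamping. The following PowerShell script is an added example, not code from the MSRC post or from Microsoft: it inventories the local machine certificate stores and reports certificates that match both conditions, so an administrator can find candidates before the restriction takes effect. The store paths, the decision to treat a certificate with no EKU extension as in scope, and the output layout are my assumptions; the EKU OIDs are the standard PKIX identifiers.

```powershell
# Added example (not from the MSRC post): find MD5-signed certificates whose
# Enhanced Key Usage includes one of the usages restricted by the advisory.
# Assumptions: the LocalMachine My and CA stores are the ones worth checking;
# a certificate with no EKU extension is valid for any usage and is reported too.

$restrictedEku = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.3' = 'Code Signing'
    '1.3.6.1.5.5.7.3.8' = 'Time Stamping'
}

function Find-Md5Certificate {
    param(
        [string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            # SignatureAlgorithm.FriendlyName is e.g. 'md5RSA', 'sha1RSA', 'sha256RSA'.
            if ($cert.SignatureAlgorithm.FriendlyName -notmatch '^md5') { return }

            # The certificate provider exposes EKUs as objects with ObjectId/FriendlyName.
            $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

            if ($ekuOids.Count -eq 0) {
                # No EKU extension: usable for every purpose, so report all three (assumption).
                $hits = @($restrictedEku.Values)
            } else {
                $hits = @($ekuOids | Where-Object { $restrictedEku.ContainsKey($_) } |
                          ForEach-Object { $restrictedEku[$_] })
            }

            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Store           = $store
                    Subject         = $cert.Subject
                    Issuer          = $cert.Issuer
                    Thumbprint      = $cert.Thumbprint
                    NotAfter        = $cert.NotAfter
                    Signature       = $cert.SignatureAlgorithm.FriendlyName
                    RestrictedUsage = ($hits -join ', ')
                }
            }
        }
    }
}

# Print the candidates; an empty table means nothing in these stores matches.
Find-Md5Certificate | Format-Table -AutoSize
```

The script reports candidates only: it does not verify that each chain anchors at a root in the Microsoft root certificate program, which is the scope the advisory sets, so a hit issued under a private enterprise root is outside the restriction and can be confirmed by walking the chain with `Test-Certificate` or `certutil -verify`.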
Some things will remain the same. Sun or snow, we will still be here every second Tuesday of the month to bring you the latest security updates. This month, we’re releasing four security bulletins addressing six unique CVEs in Microsoft Windows, Office, and Dynamics AX. All updates this month are rated Important. Here’s an overview of this month’s release:
Our top deployment priority for this month is MS14-002, which addresses a publicly known issue in the Windows Kernel.
MS14-002 | Vulnerability in Windows Kernel Could Allow Elevation of Privilege This bulletin addresses the issue first described in Security Advisory 2918840, which allows an attacker to perform an elevation of privilege if they are able to log on to a system and run a specially crafted application. We are aware of targeted attacks using this vulnerability, where attackers attempt to lure someone into opening a specially crafted PDF to access the system. Even when we first saw this, the PDF portion of the attack did not affect those with a fully updated system.
We’re also re-releasing MS13-081 to provide a re-offering of KB2862330 for Windows 7 and Windows Server 2008 R2. The re-released update addresses an issue in the original offering that caused the KB2862330 update to fail or only partially install on some systems with third-party USB drivers. If you are running an affected system, you will be re-offered the new update and we encourage you to install it at the earliest opportunity.
Finally, we are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-02. For more information about this update, including download links, see Microsoft Knowledge Base Article 2916626.
Watch the bulletin overview video below for a brief summary of today's releases.
For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.
William Peteroy and I will host the monthly bulletin webcast, scheduled for Wednesday, January 15, 2013, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.
For all the latest information, you can also follow us at @MSFTSecResponse.
I look forward to hearing your questions about this month’s release in our webcast tomorrow.
Thanks, Dustin Childs Group Manager, Response Communications Microsoft Trustworthy Computing
There are times when we get too close to a topic. We familiarize ourselves with every aspect and nuance, but fail to recognize not everyone else has done the same. Whether you consider this myopia, navel-gazing, or human nature, the effect is the same. I recognized this during the recent webcast when someone asked the question – “What’s the difference between a security advisory and a security bulletin?” The answer was simple to me, as I’ve been doing this for years, but the question was valid and it reminded me that not every person on the planet knows all of the ins and outs of Update Tuesday.
Given this month’s release, the question is timely, as we have 11 bulletins and 3 new advisories releasing today. As we look through today’s release, I thought it would be helpful to step back and take a closer look at some of the terminology we use frequently. Let’s begin by taking a look at the bulletins for December.
You may notice the graphic is significantly different from past months. In the new format, where you see circles throughout the deck, that’s the deployment priority. The numbers in squares represent the exploit index and the words in color indicate bulletin severity.
As we review our top bulletin deployment priorities for this month, let’s pause to review the official definition of a security bulletin.
Any other information that IT staff needs to address the issue
But that doesn’t really explain why a security bulletin is released. Simply put, when there is a significant security-related update for something we ship, it goes in a security bulletin. If an issue in software can be corrected by applying new software, it becomes a security bulletin. Update for the Windows kernel? Security bulletin. Cumulative update for Internet Explorer? Security bulletin. Code problem with .NET Framework? Security bulletin. I think you see where I’m going with this.
This month, we have 11 security bulletins, 5 Critical and 6 Important in severity, addressing 24 unique CVEs in Microsoft Windows, Internet Explorer, Office and Exchange. For those who need to prioritize deployment planning we recommend focusing on MS13-096, MS13-097, and MS13-099.
MS13-096 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution This security update resolves a publicly disclosed vulnerability in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerability could allow remote code execution if a user views content that contains specially crafted TIFF files. As we highlighted through ANS, this update fully resolves the issue first described in Security Advisory 2896666. For those who installed the Fix it released through the advisory, you do not need to uninstall the Fix it prior to installing the update, but we do recommend disabling the Fix it after installation to ensure TIFF images are displayed correctly.
MS13-097 | Cumulative Update for Internet Explorer This security update resolves seven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.
MS13-099 | Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to visit a specially crafted website or a website that hosts specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
In addition to the security bulletins, we are also releasing three security advisories this month and revising one more. So how do security advisories differ from security bulletins? After all, sometimes we see updates included in Security Advisories as well – including advisories this month. What’s the difference?
The easiest way to think of advisories is to consider them as a call to action. With bulletins, updates are usually sent out through Windows or Microsoft Update. If you’ve enabled automatic updating, there’s no action for you – the update will be installed and if needed, your system will reboot. Even if you manually apply all updates, bulletins should require nothing more than installing a package and potentially restarting a service or system. Advisories cover topics that potentially affect your security but cannot be resolved through an update alone. Let’s look at the advisories this month as examples.
In this instance, we’re not correcting faulty code; we’re allowing administrators to enforce a default behavior that’s more secure than the non-default setting.
Security Advisory 2871690 – Update to Revoke Non-compliant UEFI Modules This advisory notifies customers that an update is available for Windows 8 and Windows Server 2012 that revokes the digital signatures for specific Unified Extensible Firmware Interface (UEFI) modules. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. This update applies to nine private, third-party UEFI modules used for test purposes only.
While this may seem like something we can address through a security bulletin, these UEFI modules are not known to be in public distribution. In all likelihood, you are not affected. Your friends aren’t affected. No one you know is affected. Still, we can’t be 100% certain that no one is affected, so we’re releasing this advisory with instructions for checking just in case.
Security Advisory 2915720 – Changes in Windows Authenticode Signature Verification This advisory informs customers of an impending change to how Windows verifies Authenticode-signed binaries. It also recommends that developers who sign binaries with Windows Authenticode ensure that their signatures conform to the change by June 10, 2014. The SRD blog covers additional technical details about the changes.
This is an interesting advisory on an interesting topic. It accompanies a security bulletin, MS13-098, which does address an issue in Windows. In addition to resolving a security issue through new code, the update also introduces new functionality. This advisory details the new functionality and provides guidelines to both administrators and developers. The advisory provides some suggested test scenarios to ensure your enterprise and executables are ready for the change. Again, since this change tightens security rather than addressing an issue, it’s more appropriate that we communicate this to you through an advisory.
Finally, we are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-28. For more information about this update, including download links, see Microsoft Knowledge Base Article 2907997.
If you’ve been intrepid enough to read this far down, watch the bulletin overview video below for a brief summary of today’s releases.
Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, December 11, 2013, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
I hope this in-depth discussion of bulletins and advisories has been worth your time. If so, let me know what other topics you would like to see covered here. I never grow weary of talking about second Tuesday.
Thanks, Dustin Childs Group Manager, Response Communications Microsoft Trustworthy Computing
MS13-099 | Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to visit a specially crafted website or a website that hosts specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
In addition to the security bulletins, we are also releasing three security advisories this month and revising one more. So how do security advisories differ from security bulletins? After all, sometimes we see updates included in Security Advisories as well – including advisories this month. What’s the difference?
The easiest way to think of advisories is to consider them as a call to action. With bulletins, updates are usually sent out through Windows or Microsoft Update. If you’ve enabled automatic updating, there’s no action for you – the update will be installed and if needed, your system will reboot. Even if you manually apply all updates, bulletins should require nothing more than installing a package and potentially restarting a service or system. Advisories cover topics that potentially affect your security but cannot be resolved through an update alone. Let’s look at the advisories this month as examples.
In this instance, we’re not correcting faulty code; we’re allowing administrators to enforce a default behavior that’s more secure than the non-default setting.
Security Advisory 2871690 – Update to Revoke Non-compliant UEFI Modules This advisory notifies customers that an update is available for Windows 8 and Windows Server 2012 that revokes the digital signatures for specific Unified Extensible Firmware Interface (UEFI) modules. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. This update applies to nine private, third-party UEFI modules used for test purposes only.
While this may seem like something we can address through a security bulletin, these UEFI modules are not known to be in public distribution. In all likelihood, you are not affected. Your friends aren’t affected. No one you know is affected. Still, we can’t be 100% certain that no one is affected, so we’re releasing this advisory with instructions for checking just in case.
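The advisory's "check just in case" comes down to two questions: is Secure Boot actually enforcing the forbidden-signature database (dbx) on this machine, and has the revocation update populated it? The following PowerShell is an added example, not code from the advisory or from Microsoft's own tooling. It assumes the SecureBoot module cmdlets that ship with Windows 8 and Windows Server 2012 (Confirm-SecureBootUEFI, Get-SecureBootUEFI), an elevated prompt on UEFI firmware, and that the update's KB number matches the advisory number (an assumption; confirm it against the advisory before relying on the UpdateInstalled field). The dbx parsing goes beyond the nine test modules in the advisory and lists every entry, hash or certificate, that the firmware currently refuses to boot.

```powershell
# Added example: enumerate UEFI dbx (forbidden signatures) on Windows 8 / Server 2012.
# Run from an elevated PowerShell on UEFI firmware; requires the SecureBoot module.

function Read-Guid([byte[]]$Bytes, [int]$Offset) {
    # EFI stores GUIDs in the same mixed-endian layout that .NET's Guid(byte[]) expects
    New-Object System.Guid -ArgumentList (,[byte[]]$Bytes[$Offset..($Offset + 15)])
}

function Get-DbxEntries {
    # dbx is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType (GUID,16) SignatureListSize (4) SignatureHeaderSize (4) SignatureSize (4)
    #   [header] then N x EFI_SIGNATURE_DATA { SignatureOwner (GUID,16), SignatureData[] }
    $sha256Type = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $x509Type   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $raw = (Get-SecureBootUEFI -Name dbx).Bytes
    $pos = 0
    while ($pos + 28 -le $raw.Length) {
        $type     = Read-Guid $raw $pos
        $listSize = [int][BitConverter]::ToUInt32($raw, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($raw, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($raw, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed EFI_SIGNATURE_LIST at offset $pos" }
        $kind = if ($type -eq $sha256Type) { 'SHA256' } elseif ($type -eq $x509Type) { 'X509' } else { $type.ToString() }
        $sigPos = $pos + 28 + $hdrSize
        while ($sigPos + $sigSize -le $pos + $listSize) {
            $owner = Read-Guid $raw $sigPos
            $data  = [byte[]]$raw[($sigPos + 16)..($sigPos + $sigSize - 1)]
            $value = if ($kind -eq 'SHA256') {
                ($data | ForEach-Object { $_.ToString('x2') }) -join ''   # Authenticode hash of the revoked image
            } else {
                "$($data.Length)-byte certificate"
            }
            [pscustomobject]@{ Type = $kind; Owner = $owner; Value = $value }
            $sigPos += $sigSize
        }
        $pos += $listSize
    }
}

function Test-UefiRevocationState {
    # $RevocationKb is assumed to match the advisory number; confirm against the advisory.
    param([string]$RevocationKb = 'KB2871690')
    $secureBoot = Confirm-SecureBootUEFI      # throws on legacy BIOS systems, which have no dbx at all
    if (-not $secureBoot) {
        Write-Warning 'Secure Boot is disabled; dbx contents are not enforced on this machine.'
    }
    $hotfix  = Get-HotFix -Id $RevocationKb -ErrorAction SilentlyContinue
    $entries = @(Get-DbxEntries)
    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        UpdateInstalled   = [bool]$hotfix
        DbxEntryCount     = $entries.Count
        Sha256Entries     = @($entries | Where-Object Type -eq 'SHA256').Count
        X509Entries       = @($entries | Where-Object Type -eq 'X509').Count
    }
}

Test-UefiRevocationState
Get-DbxEntries | Format-Table -AutoSize
```

A revoked module shows up as a SHA256 entry whose value is the Authenticode hash of the image, so a machine that boots a third-party module can be checked by comparing that module's hash against the list. Note that dbx is only consulted when Secure Boot is on; a system reporting SecureBootEnabled = False is not protected by the revocation regardless of what the database contains.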
Security Advisory 2915720 – Changes in Windows Authenticode Signature Verification This advisory informs customers of an impending change to how Windows verifies Authenticode-signed binaries. It also recommends that developers who sign binaries with Windows Authenticode ensure that their signatures conform to the change by June 10, 2014. The SRD blog covers additional technical details about the changes.
This is an interesting advisory on an interesting topic. It accompanies a security bulletin, MS13-098, which does address an issue in Windows. In addition to resolving a security issue through new code, the update also introduces new functionality. This advisory details the new functionality and provides guidelines to both administrators and developers. The advisory provides some suggested test scenarios to ensure your enterprise and executables are ready for the change. Again, since this change tightens security rather than addressing an issue, it’s more appropriate that we communicate this to you through an advisory.
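The test scenarios the advisory suggests amount to this: find any binaries you ship whose WIN_CERTIFICATE entry carries bytes beyond the PKCS#7 signature itself, and confirm they still verify once the stricter behaviour is switched on. The PowerShell below is an added example, not from the advisory, the SRD blog or MS13-098; it walks the PE headers to the certificate table, measures the DER-encoded PKCS#7 structure against the entry's dwLength, and reports the difference. Two assumptions: the opt-in registry value name (EnableCertPaddingCheck under the Wintrust\Config keys) is reproduced from memory and should be confirmed against the advisory, and the rule that up to 7 bytes of 8-byte alignment padding is harmless while anything longer is the extraneous data the new check rejects is this example's heuristic, not Microsoft's published definition. The directory path is a placeholder.

```powershell
# Added example: find Authenticode signatures that carry data beyond the PKCS#7 blob,
# and opt a test machine into the stricter verification. Run as Administrator for the
# registry change. Only the first WIN_CERTIFICATE entry is inspected.

function Get-AuthenticodePadding {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "Not a PE image: $Path" }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)                        # e_lfanew
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { throw "Bad PE signature: $Path" }
    $optOff = $peOff + 4 + 20                                          # optional header follows the COFF header
    $magic  = [BitConverter]::ToUInt16($b, $optOff)
    # data directories begin 96 bytes into a PE32 optional header, 112 bytes into PE32+
    $dirBase = if ($magic -eq 0x20B) { $optOff + 112 } else { $optOff + 96 }
    $secDir  = $dirBase + 4 * 8                                        # IMAGE_DIRECTORY_ENTRY_SECURITY = 4
    $certOff  = [int][BitConverter]::ToUInt32($b, $secDir)             # a file offset, not an RVA
    $certSize = [int][BitConverter]::ToUInt32($b, $secDir + 4)
    if ($certOff -eq 0 -or $certSize -eq 0) { return $null }           # unsigned image
    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
    $dwLength = [int][BitConverter]::ToUInt32($b, $certOff)
    $der = $certOff + 8
    if ($b[$der] -ne 0x30) { throw "bCertificate does not start with a DER SEQUENCE: $Path" }
    # decode the outer SEQUENCE length: that is the size of the real PKCS#7 structure
    $first = $b[$der + 1]
    if ($first -lt 0x80) {
        $derLen = 2 + $first
    } else {
        $n = $first -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$b[$der + 2 + $i] }
        $derLen = 2 + $n + $len
    }
    $trailing = $dwLength - 8 - $derLen
    [pscustomobject]@{
        Path          = $Path
        WinCertLength = $dwLength
        Pkcs7Length   = $derLen
        TrailingBytes = $trailing
        # heuristic: up to 7 bytes of 8-byte alignment padding is normal, more is extraneous data
        LikelyNonConforming = ($trailing -gt 7)
    }
}

function Enable-CertPaddingCheck {
    # Opt-in for testing the stricter behaviour ahead of June 10, 2014. Value name reproduced
    # from memory; confirm against the advisory. REG_SZ "1" is written under both hives.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    foreach ($k in $keys) {
        New-Item -Path $k -Force | Out-Null
        New-ItemProperty -Path $k -Name EnableCertPaddingCheck -Value '1' -PropertyType String -Force | Out-Null
    }
}

function Test-SignedBinaries {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -Recurse -File -Include *.exe, *.dll, *.sys | ForEach-Object {
        $pad = Get-AuthenticodePadding -Path $_.FullName
        if ($pad) {
            # Status reflects the stricter check only after Enable-CertPaddingCheck has been applied
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                Status        = $sig.Status
                TrailingBytes = $pad.TrailingBytes
                Flagged       = $pad.LikelyNonConforming
            }
        }
    }
}

# Enable-CertPaddingCheck   # uncomment on a test machine, then re-run the scan
Test-SignedBinaries -Directory 'C:\Release' |
    Where-Object { $_.Flagged -or $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

Running the scan twice, once before and once after Enable-CertPaddingCheck, shows which of your binaries will flip from Valid to an error under the new rules; anything flagged by the byte count but still Valid after the opt-in is a sign the heuristic is stricter than Windows, and anything that fails only after the opt-in needs re-signing with a tool that does not pad the certificate entry.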
Finally, we are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-28. For more information about this update, including download links, see Microsoft Knowledge Base Article 2907997.
If you’ve been intrepid enough to read this far down, watch the bulletin overview video below for a brief summary of today’s releases.
Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, December 11, 2013, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
I hope this in-depth discussion of bulletins and advisories has been worth your time. If so, let me know what other topics you would like to see covered here. I never grow weary of talking about second Tuesday.
Thanks, Dustin Childs Group Manager, Response Communications Microsoft Trustworthy Computing
Today we’re publishing the November 2013 Security Bulletin Webcast Questions & Answers page. The majority of questions focused on the ActiveX Kill Bits bulletin (MS13-090) and the advisories. We also answered a few general questions that were not specific to any of this month’s updates, but that may be of interest.
We’ve discussed the Microsoft Baseline Security Analyzer (MBSA) tool in this and many other webcasts, and I’m happy to report version 2.3 is now available. This new version adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. However, Windows 2000 systems will no longer be supported by MBSA. If you aren’t familiar with the tool or would just like to know more about it, we encourage you to read the FAQ found on the Security TechCenter. Thanks also go out to everyone who participated in the public preview leading up to this release.
We invite you to join us for the next scheduled webcast on Wednesday, December 11, 2013, at 11 a.m. PST (UTC -8), when we will go into detail about the December bulletin release and answer your bulletin deployment questions live on the air.
You can register to attend the webcast at the link below:
Today we’re publishing the September 2013 Security Bulletin Webcast Questions & Answers page. The majority of questions focused on Office bulletins, especially SharePoint Server (MS13-067). We received multiple Office related questions that were very similar in nature, so the questions have been merged, as applicable, with consolidated answers provided. We were able to answer six questions on air, and those we did not have time for have been included on the Q&A page.
We invite our customers to join us for the next public webcast on Wednesday, October 9, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the October bulletin release and answer questions live on the air.
Customers can register to attend the webcast at the link below:
Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063). There were 3 additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.
We invite our customers to join us for the next public webcast on Wednesday, September 11, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the September bulletin release and answer questions live on the air.
Customers can register to attend the webcast at the link below:
Today we’re providing advance notification for the release of seven bulletins, six Critical and one Important, for July 2013. The Critical bulletins address vulnerabilities in Microsoft Windows, .NET Framework, Silverlight, Internet Explorer and GDI+. Also scheduled for inclusion among these Critical bulletins is an update to address CVE-2013-3660, which is a publicly known issue in the Kernel-Mode Drivers component of Windows. The Important-rated bulletin will address an issue in Microsoft Security Software.
As usual, we’ve scheduled the bulletin release for the second Tuesday of the month, July 9, 2013, at approximately 10:00 a.m. PDT. Revisit this blog then for our analysis of the risk and impact, as well as our deployment guidance and a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information that will help you prepare for bulletin testing and deployment.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
Thank you, Dustin Childs Group Manager, Response Communications Microsoft Trustworthy Computing
Today we’re publishing the June 2013 Security Bulletin Webcast Questions & Answers page. We fielded three questions during the webcast, with specific questions focusing primarily on Windows Print Spooler (MS13-050), Microsoft Office (MS13-051), and the security advisory addressing digital certificates (SA2854544). There was one question we were unable to field on the air which we answered on the Q&A page.
We invite our customers to join us for the next public webcast on Wednesday, July 10, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the July bulletin release and answer questions live on the air.
Customers can register to attend the webcast at the link below:
We invite our customers to join us for the next public webcast on Wednesday, June 12, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the June bulletin release and answer questions live on the air.
Customers can register to attend the webcast at the link below:
Today we’re publishing the April 2013 Security Bulletin Webcast Questions & Answers page. We fielded nine questions during the webcast, with almost half of those focused on the Remote Desktop Client bulletin (MS13-024). One question that was not answered on air has been included on the Q&A page.
We invite our customers to join us for the next public webcast on Wednesday, May 15, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer questions live on the air.
Customers can register to attend the webcast at the link below:
Windows XP was originally released on August 24, 2001. Since that time, high-speed Internet connections and wireless networking have gone from being a rarity to the norm, and Internet usage has grown from 360 million to almost two-and-a-half billion users. Thanks to programs like Skype, we now make video calls with regularity, and social media has grown from a curiosity to a part of our everyday lives. But through it all, Windows XP keeps chugging along. With its longevity and wide user base, Windows XP has served its customers faithfully over the years, but all good things must come to an end, and Windows XP is no exception.
In just 52 short weeks, support for Windows XP will come to an end. I won’t go into the benefits of upgrading platforms here – you can read about these in Tim Rains’ blog “The Countdown Begins” – but I will highlight that this means there will be no more security updates for Windows XP after April 2014. Of course, Windows XP leaving support doesn’t mean bad guys will stop trying to exploit it; however, the absence of new security updates will make it easier for attacks to succeed. We talk a lot about mitigating risks through our security updates, and with Windows XP retiring, the best mitigation will be to upgrade to a modern Windows operating system.
And since we are talking about going out with the old, let’s talk about what’s new today. We are releasing nine bulletins, two Critical-class and seven Important-class, addressing 14 vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Antimalware Client, Office, and Server Software. For those who need to prioritize deployment, we recommend focusing on MS13-028 and MS13-029 first.
MS13-028 (Microsoft Internet Explorer) This security update resolves two issues in Internet Explorer, both of which could allow remote code execution if a customer views a specially crafted webpage using the browser. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current user. Both of these issues were privately disclosed and we have not detected any attacks or customer impact.
MS13-029 (Windows Remote Desktop Client) This security update resolves an issue in the Windows Remote Desktop Client ActiveX control. The vulnerability could allow remote code execution if an attacker convinces a customer to view a website containing specially crafted content that exploits the vulnerability. This issue was privately reported and we have not detected any attacks or customer impact.
Please watch the bulletin overview video below for a quick summary of today’s releases.
As always, we urge you to deploy all security updates as soon as possible. Our deployment priority guidance is below to further assist in deployment planning.
Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index.
For more information about this month’s security updates, visit the Microsoft Security Bulletin summary webpage.
Jonathan Ness and I will host the monthly technical webcast, scheduled for Wednesday, April 10, 2013, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about the April security bulletins and advisories.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
It’s been great strolling down memory lane, recalling a time when mobile phones were used for phone calls, but I look forward to hearing your questions during our future webcast via the “Internet.” Thank you,
Dustin Childs Group Manager, Response Communications Microsoft Trustworthy Computing