Archive for the ‘Malicious Software Removal Tool (MSRT)’ Category

The March 2014 Security Updates

March 11th, 2014 No comments

This month we release five bulletins to address 23 unique CVEs in Microsoft Windows, Internet Explorer and Silverlight. If you need to prioritize, the update for Internet Explorer addresses the issue first described in Security Advisory 2934088, so it should be at the top of your list. While that update does warrant your attention, I want to also call out another impactful update.

MS14-014 provides an update to address a security feature bypass in Silverlight. The issue wasn’t publicly known and it isn’t under active attack, however it can impact your security in ways that aren’t always obvious. Specifically, the update removes an avenue attackers could use to bypass ASLR protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable. Picasso said, “The hidden harmony is better than the obvious” – Shutting down an ASLR bypass could be considered one of the most harmonious things to do to help increase customer security.

Let’s not forget the other updates we released today. This month we release two Critical and three Important bulletins. Here’s an overview of this month’s release:

Our top deployment priority this month is MS14-012, which addresses 18 issues in Internet Explorer.

MS14-012 | Cumulative Security Update for Internet Explorer
This cumulative update addresses one public and 17 privately disclosed issues in Internet Explorer. These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in Security Advisory 2934088, which included a Fix it for the issue. We should also note that the observed attacks performed a check for the presence of the Enhanced Mitigation Experience Toolkit (EMET) and did not proceed if it was detected. This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8. Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above. The SRD blog goes into more detail about how shutting down that bypass helped. For all issues addressed by this update, successful exploitation could allow an attacker to gain the same user rights as the local user. Customers with automatic updates enabled will not need to take action, as they will be updated automatically.

We are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-08. For more information about this update, including download links, see Microsoft Knowledge Base Article 2938527. Also, for those of you who may be interested, KB864199 provides a list of the non-security updates released today. This list includes the latest update for the Malicious Software Removal Tool (MSRT), which now includes detections for the Wysotot and Spacekito malware families.

Watch the bulletin overview video below for a brief summary of today's releases.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Webpage.

My colleagues Andrew Gross and Pete Voss will host the monthly bulletin webcast and answer your questions about this month’s release. As usual, the webcast is scheduled for Wednesday, March 12, 2014, at 11 a.m. PDT. Please register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow us at @MSFTSecResponse.

If you happen to be at the CanSecWest conference in Vancouver, B.C, please swing by our booth (number 4) to say hello!

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Authenticity and the November 2013 Security Updates

November 12th, 2013 No comments

If you haven’t had a chance to see the movie Gravity, I highly recommend you take the time to check it out. The plot moves a bit slowly at times, but director Alfonso Cuaron’s portrayal of zero gravity is worth the ticket price alone. Add in stellar acting and you end up with an epic movie that really makes you miss the shuttle program. Still, the movie has its detractors. Specifically, astrophysicist and geek icon Neil deGrasse Tyson has been critical about the movie’s authenticity. To deGrasse Tyson, a lack of authenticity disrupts the movie-going experience.

Similarly, a lack of authenticity can disrupt your computing experience, which leads me to a couple of interesting items in this month’s release. Two advisories this month deal with authenticity by focusing on certificates and cryptography. The first is Security Advisory 286725, which disables the use of the RC4 stream cipher. As computing power increases, cryptographic attacks that were once only theoretical become practical – this is the case with RC4, which was originally designed in 1987. That’s the same year The Simpsons first appeared as shorts on The Tracey Ullman Show. Computing has changed somewhat in that time.

We’ve already taken this step in Windows 8.1 and Internet Explorer 11, and now we’re providing an update to disable its use in other operating systems as well.  Rather than automatically disable the cipher, the update provides a registry key that allows developers to eliminate RC4 as an available cipher in their applications.  The SRD blog provides a deep dive into RC4 and the implications of disabling it.

Security Advisory 2880823 also impacts cryptography and authenticity but addresses SHA1. We aren’t going to surprise the world by saying we’re turning off support for SHA1 today, but we are announcing a new policy for Certificate Authorities (CAs) that deprecates the use of the SHA1 algorithm in SSL and code signing certificates in favor of the SHA2 algorithm. After January 2016, only SHA2 certificates can be issued. The good folks over on the PKI blog go into more detail about the change.

We have an update regarding a cryptographic function as well: MS13-095 addresses an issue in Digital Signatures that could cause a web service to stop responding if it receives a specially crafted X.509 certificate. Since these certificates are used to ensure authenticity, having the web service go down during negotiation is suboptimal.

Of course, another way to help ensure authenticity throughout your computing experience is to use EMET. An updated version of the program is available today. Among the many improvements, the default settings now include two new application protection profiles, and the Certificate Trust profile has been updated to protect more applications. Full details about this release can be found on the SRD blog. It may not patch any holes, but it can make it harder to reach any issue that may exist on a system and, if your family is like mine, it will significantly reduce calls from relatives looking for tech support.

Of course it takes more than just authenticity to make a secure computing experience, which leads us to the other updates for November. Today, we released eight bulletins, three Critical and five Important, addressing 19 unique CVEs in Microsoft Windows, Internet Explorer, and Office. For those who need to prioritize their deployment planning we recommend focusing on MS13-090, MS13-088, and MS13-089.

Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases (click to enlarge).

MS13-090 | Cumulative Security Update of ActiveX Kill Bits
This update addresses a remote code execution issue in an ActiveX control by providing a kill bit for associated ActiveX controls. We are aware of limited attacks that exploit this issue. The code execution occurs at the level of the logged-on user, so non-admin users would face less of an impact. The remote code execution vulnerability with the higher severity rating is fixed in today’s release, and we advise customers to prioritize the deployment of MS13-090 for their monthly release. As usual, customers with Automatic Updates enabled will not need to take any action to receive the update. Additional information about this vulnerability is available on the Security Research & Defense blog.

MS13-088 | Cumulative Update for Internet Explorer
This security update resolves ten privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.

MS13-089 | Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution
This update addresses one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views or opens a specially crafted Windows Write file in WordPad. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

Last but not least, we are also providing an update for users of DirectAccess (DA) through Security Advisory 2862152. This security feature bypass issue would require a man-in-the-middle attacker to be successful, but if someone can snoop on your DA connection, it’s possible they could impersonate a legitimate DA server in order to establish connections with legitimate DA clients.  The attacker-controlled system could then intercept the target user’s network traffic and potentially determine the encrypted domain credentials. This update, along with the new configuration guidelines available in KB2862152, helps ensure the authenticity of DA connections.

Watch the bulletin overview video below for a brief summary of today’s releases.

Our risk and impact graph shows an aggregate view of this month’s Security and Exploitability Index (click to enlarge).

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Webpage.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, November 13, 2013, at 11 a.m. PST. I invite you to register here and tune in to learn more about this month’s security bulletins and advisories. We’ll provide authentic answers to your update deployment questions, but no zero gravity effects will be employed.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I look forward to hearing your questions in the webcast tomorrow.

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

August 2013 Security Bulletin Webcast, Q&A, and Slide Deck

August 19th, 2013 No comments

Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page.  We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063).  There were 3 additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 11, 2013, at 11 a.m. PDT (UTC -8), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, September 11, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

June 2013 Security Bulletin Webcast, Q&A, and Slide Deck

June 14th, 2013 No comments

Today we’re publishing the June 2013 Security Bulletin Webcast Questions & Answers page.  We fielded three questions during the webcast, with specific questions focusing primarily on Windows Print Spooler (MS13-050), Microsoft Office (MS13-051), and the security advisory addressing digital certificates (SA2854544). There was one question we were unable to field on the air which we answered on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, July 10, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the July bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, July 10, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

May 2013 Security Bulletin Webcast, Q&A, and Slide Deck

May 17th, 2013 No comments

For those who couldn’t attend the live webcast, today we’re publishing the May 2013 Security Bulletin Webcast Questions & Answers page.  We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS13-037 and MS13-038) and Visio (MS13-044). 

We invite our customers to join us for the next public webcast on Wednesday, June 12, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the June bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, June 12, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

March 2013 Security Bulletin Webcast, Q&A, and Slide Deck

March 15th, 2013 No comments

Today we’re publishing the March 2013 Security Bulletin Webcast Questions & Answers page.  We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS13-021), SharePoint (MS13-024) and the update for Kernel-Mode Drivers in MS13-027.  There were six additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, April 10, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the April bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, April 10, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

August 2012 Security Bulletin Webcast, Q&A, and Slide Deck

August 18th, 2012 No comments

Hello.

Today we’re publishing the August 2012 Security Bulletin Webcast Questions & Answers page. During the webcast, we fielded twelve questions focusing primarily on MS12-060 covering Windows Common Controls, MS12-052 regarding Internet Explorer, and Security Advisory 2661254 addressing trust certificates with RSA keys shorter than 1024 bits. Three additional questions were answered after the webcast. All questions are included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 12th at 11 a.m. PDT (-7 UTC), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, September 12, 2012
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Yunsun Wee

Director, Trustworthy Computing.

August 2012 Bulletin Release

August 14th, 2012 No comments

Security Advisory 2661254 – Update For Minimum Certificate Key Length
Before we get into the details of this month’s bulletin release, let’s take a look at an important change on how Windows deals with certificates that have RSA keys of less than 1024 bits in length.

We’ve been talking about this subject since June, and today we are announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length with Security Advisory 2661254. As noted in the advisory, this update will be available in the Download Center as well as the Microsoft Update Catalog. This allows enterprise administrators to download and import the update into WSUS for testing before widely deploying the update throughout their enterprise. The security advisory includes instructions on how to configure the update and provides general guidance on what steps customers should take to become more secure. This update is planned to be released via Windows Update starting in October 2012.

For additional details on these defense-in-depth changes to how Windows deals with certificates, please visit the Public Key Infrastructure (PKI) blog.
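An added example, not code from the post or from Microsoft: a pure-Python check that applies both certificate conditions discussed in this archive to a DER-encoded certificate, the 1024-bit RSA key length floor from Security Advisory 2661254 here and the SHA1 signature deprecation from Security Advisory 2880823 in the November 2013 post above. The DER walker reads only the fields the check needs, and the test certificates are constructed in the block and carry no real signature.

```python
"""Audit a DER-encoded X.509 certificate for the two conditions the advisories
target: an RSA public key shorter than 1024 bits and a SHA-1 signature.
Minimal DER walker, no third-party dependencies. Test certificates are
constructed below (synthetic, unsigned)."""

# DER object identifiers (bodies only, without the 0x06 tag and length)
OID_RSA_ENCRYPTION = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1
OID_SHA1_WITH_RSA = bytes.fromhex("2A864886F70D010105")    # 1.2.840.113549.1.1.5
OID_SHA256_WITH_RSA = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11
SIGNATURE_NAMES = {
    OID_SHA1_WITH_RSA: "sha1WithRSAEncryption",
    OID_SHA256_WITH_RSA: "sha256WithRSAEncryption",
}
MIN_RSA_BITS = 1024  # threshold enforced by the Security Advisory 2661254 update


def der_read(buf, pos):
    """Parse one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Return the (tag, value) children of a SEQUENCE or SET body."""
    children, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        children.append((tag, value))
    return children


def audit_certificate(der):
    """Return (RSA modulus bits or None, signature algorithm name, list of findings)."""
    _, cert, _ = der_read(der, 0)
    (_, tbs), (_, sig_alg), _ = der_children(cert)  # tbsCertificate, signatureAlgorithm, signatureValue
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    key_alg, key_bits = der_children(fields[5][1])
    findings, modulus_bits = [], None
    if der_children(key_alg[1])[0][1] == OID_RSA_ENCRYPTION:
        rsa_key = der_read(key_bits[1], 1)[1]  # skip the BIT STRING unused-bits byte
        modulus = int.from_bytes(der_children(rsa_key)[0][1], "big")
        modulus_bits = modulus.bit_length()
        if modulus_bits < MIN_RSA_BITS:
            findings.append(f"RSA key is {modulus_bits} bits; keys under {MIN_RSA_BITS} bits are "
                            "blocked once the Security Advisory 2661254 update is applied")
    sig_oid = der_children(sig_alg)[0][1]
    sig_name = SIGNATURE_NAMES.get(sig_oid, sig_oid.hex())
    if sig_oid == OID_SHA1_WITH_RSA:
        findings.append("signature uses SHA-1; Security Advisory 2880823 deprecates SHA1 "
                        "certificates in favor of SHA2")
    return modulus_bits, sig_name, findings


# --- constructed test input (synthetic, unsigned; not a real certificate) ---
def der_encode(tag, body):
    """Encode one DER TLV with definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_integer(value):
    """Minimal two's-complement INTEGER for a non-negative value."""
    return der_encode(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_test_certificate(modulus_bits, sig_oid):
    """Build a structurally valid certificate with an RSA key of modulus_bits and the given signature OID."""
    alg_id = der_encode(0x30, der_encode(0x06, sig_oid) + der_encode(0x05, b""))
    modulus = (1 << (modulus_bits - 1)) | 1  # odd value exactly modulus_bits long
    rsa_key = der_encode(0x30, der_integer(modulus) + der_integer(65537))
    spki = der_encode(0x30,
                      der_encode(0x30, der_encode(0x06, OID_RSA_ENCRYPTION) + der_encode(0x05, b""))
                      + der_encode(0x03, b"\x00" + rsa_key))
    empty_name = der_encode(0x30, b"")
    validity = der_encode(0x30, der_encode(0x17, b"130101000000Z") + der_encode(0x17, b"160101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_integer(2)) + der_integer(1) + alg_id
                     + empty_name + validity + empty_name + spki)
    signature = der_encode(0x03, b"\x00" * (modulus_bits // 8 + 1))  # placeholder, not a real signature
    return der_encode(0x30, tbs + alg_id + signature)


if __name__ == "__main__":
    for bits, oid in ((512, OID_SHA1_WITH_RSA), (2048, OID_SHA256_WITH_RSA)):
        key_bits, sig, issues = audit_certificate(build_test_certificate(bits, oid))
        print(f"RSA-{key_bits} / {sig}: {issues or ['no findings']}")
```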

Security Updates
For this Update Tuesday we are releasing nine security bulletins – five Critical-class and four Important – addressing 26 vulnerabilities in Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Server Software, Developer Tools, and Office. For those who need to prioritize deployment, we recommend focusing on these three critical updates first:

MS12-060 (Windows Common Controls)
Multiple software products utilize Windows Common Controls, and the issues addressed in this bulletin affect Office, SQL Server, Server Software, and Developer Tools. We’re aware of limited, targeted attacks attempting to exploit this vulnerability, but we haven’t seen public proof-of-concept code published. These are important factors to consider when determining deployment priority and Microsoft recommends that customers test and deploy this update as soon as possible.

MS12-052 (Internet Explorer)
This security update addresses four privately disclosed issues, none of which are currently known to be under active attack. Successful exploitation of these issues could result in the execution of code with the privileges of the current user. You may notice that one of the issues addressed in the Cumulative Security Update for Internet Explorer is also listed in MS12-056 for the JScript and VBScript Engines. Since this issue affects both IE and Windows components, you will need to apply both updates to ensure the issue has been addressed on your system.

MS12-054 (Windows Networking Components)
This security update addresses three issues related to the Remote Administration Protocol (RAP) and one issue affecting the Print Spooler. The impact from these issues ranges from Denial of Service (DoS) to Remote Code Execution (RCE). All of these issues were reported to us through coordinated disclosure and we have no reports of these issues being exploited. As with our other top-priority bulletins, we encourage customers to test and deploy this update as soon as possible.

Of the remaining six bulletins, two are also rated as critical: one addressing issues affecting the Remote Desktop Protocol and the other affecting Exchange Server. The remaining four bulletins are all Important-class issues touching on Windows and Office.

Security Update Re-release
Last month, we published MS12-043 to address issues affecting Microsoft XML Core Services. The July release provided updates for Microsoft XML Core Services 3.0, 4.0, and 6.0. This month, we are re-releasing MS12-043 with additional updates for Microsoft XML Core Services 5.0. This re-release does not affect the previous updates for versions 3.0, 4.0, and 6.0.

Please watch the video below for an overview of this month’s bulletins and you can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index (click for larger view). For insightful details about the Exploitability Index and additional bulletin nuances, please see the Security Research & Defense (SRD) blog.

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page. Thanks for reading and join us tomorrow (Wednesday, August 15, 2012) at 11 a.m. PDT for a live webcast with Jonathan Ness and Dustin Childs, who will be sharing greater details about these bulletins and our other announcements this month. As always, they will be answering bulletin-related questions live during the webcast. You may register for that one-hour event here.

Yunsun Wee
Microsoft
Trustworthy Computing

The December bulletins are released

December 13th, 2011 No comments

Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, three of which are rated Critical in severity, and 10 Important.

These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates:

  • MS11-092 – Windows Media: Vulnerability In Windows Media Could Allow Remote Code Execution
  • MS11-087 – Windows: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Why 13 bulletins and not 14, as we stated in the ANS announcement on Thursday? After that announcement, we discovered an application-compatibility issue between one bulletin candidate and a major third-party vendor. We’re currently working with that vendor to address the issue on their platform, after which we’ll issue the bulletin as appropriate. As ever, we’d much rather withdraw a potential bulletin than ship something that might inconvenience customers, however limited that inconvenience in scope. The issue addressed in that bulletin, which we have been monitoring and against which we have seen no active attacks in the wild, was discussed in Security Advisory 2588513.

In the video below, Jerry Bryant discusses this month’s bulletins in further detail.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Deployment Priority

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).

Exploitability Index

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the December security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, December 14, 2011 at 11 A.M. PST. Click here to register.

Thanks,
Angela Gunn
Trustworthy Computing.

Q&A From the August 2011 Security Bulletin Webcast

August 11th, 2011 No comments

Hello,

Today we published the August Security Bulletin Webcast Questions & Answers page. We fielded six questions on various topics during the webcast, including bulletins released and the Malicious Software Removal Tool. There was one question that we were unable to answer during the webcast due to time constraints, and we have included all questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 14th at 11 a.m. PDT (-8 UTC), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, September 14, 2011
Time: 11:00 a.m. PDT (UTC -8)

Register: Attendee Registration

Thanks,

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

Autorun-Related Malware Declines and the June 2011 Security Bulletin Release

June 14th, 2011 No comments

Hello there. First off, I’d like to share some news regarding the updates we made to the Autorun feature in Security Advisory 967940, which we released in February 2011. The advisory made changes to how Autorun handles “non-shiny” media (e.g., USB thumb drives). The change was expected to make a significant difference to infection rates by malware that uses Autorun to propagate, and we’ve been monitoring those rates ever since.

The initial results are encouraging. As of May 2011, the number of infections found by the Malicious Software Removal Tool (MSRT) per scanned computer declined by 59 percent on Windows XP machines and by 74 percent on Windows Vista machines in comparison to the 2010 infection rates on those platforms. (Windows 7 had the updated Autorun settings built in by default.) For more details and statistics regarding the drop in Autorun-abusing malware infections, please see the Microsoft Malware Protection Center (MMPC) blog.
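For readers who want to confirm the Autorun posture on their own machines, here is a small PowerShell check. It is an added example, not code from the MSRC post or from Microsoft. It assumes (this is my assumption, not something the post states) that the AutoRun policy is expressed in the NoDriveTypeAutoRun value under the Explorer policy keys, with one bit per Win32 drive type, so that a set Removable bit means AutoRun is disabled for USB thumb drives and 0xFF disables it for every drive type.

```powershell
# Added example (not from the MSRC post): report the AutoRun policy on this host.
# Assumption (mine, not stated in the post): the policy is the NoDriveTypeAutoRun
# DWORD under the Explorer policy keys, and each bit corresponds to a drive type
# numbered as GetDriveType() numbers them (bit = 1 shl DRIVE_*), so 0xFF disables
# AutoRun for all drive types.
function Get-AutoRunPosture {
    [CmdletBinding()]
    param()

    # Machine policy takes precedence over user policy; report both.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )

    # Bit layout follows the drive-type numbering used by GetDriveType().
    $driveBits = [ordered]@{
        Unknown   = 0x01
        NoRootDir = 0x02
        Removable = 0x04   # USB thumb drives: the "non-shiny" media in the post
        Fixed     = 0x08
        Network   = 0x10
        CDROM     = 0x20   # optical ("shiny") media
        RamDisk   = 0x40
        Reserved  = 0x80
    }

    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $value) {
            [pscustomobject]@{
                Scope            = $key
                Value            = $null
                RemovableBlocked = $null
                Note             = 'value not set (OS default applies)'
            }
            continue
        }

        # Collect the drive types whose AutoRun bit is set (i.e. disabled).
        $blocked = @($driveBits.Keys | Where-Object { ($value -band $driveBits[$_]) -ne 0 })

        [pscustomobject]@{
            Scope            = $key
            Value            = ('0x{0:X2}' -f $value)
            RemovableBlocked = (($value -band $driveBits.Removable) -ne 0)
            Note             = $(if ($blocked.Count -gt 0) {
                                   'AutoRun disabled for: ' + ($blocked -join ', ')
                               } else {
                                   'AutoRun not disabled for any drive type'
                               })
        }
    }
}

Get-AutoRunPosture | Format-Table -AutoSize
```

A missing value is not by itself a finding; the February 2011 update changed the built-in behaviour, and the value only records an explicit policy override. What the check makes visible is whether an administrator has deliberately relaxed or tightened that behaviour on a given machine or user profile.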

As we previously mentioned in the Advance Notification blog on Thursday, today we are releasing 16 security bulletins, nine of which are rated Critical, and seven of which are rated Important. There are four Critical-level updates that we want to call out as top priorities for our customers in June:

  • MS11-042 (DFS). This bulletin resolves two privately reported issues affecting all versions of Windows.
  • MS11-043 (SMB Client). This bulletin resolves one privately reported issue affecting all versions of SMB Client on Windows.
  • MS11-050 (Internet Explorer). This security bulletin resolves 11 privately reported issues in Internet Explorer.
  • MS11-052 (Windows). This bulletin resolves one privately reported issue in Windows and is also Critical.

We recommend that customers apply these and all other updates as soon as possible.

In this video, Jerry Bryant discusses this month’s bulletins in further detail, focusing on these four bulletins:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view):

The Security Research & Defense team has further information on deployment priorities for today’s bulletins on their blog.

Meanwhile, our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view):

Since we’ve started specifying separate Exploitability Index ratings for the current and the earlier versions of products affected by each vulnerability, it’s easier to see how individual vulnerabilities affect newer products versus older ones. We assign Exploitability Index ratings solely to Critical- and Important-severity vulnerabilities, and there are 32 of those this month (the others are Moderate-level issues in MS11-050). Of those, 14 vulnerabilities have a lower Exploitability Index rating for the latest-and-greatest version of the software than for the older version, or the latest version isn’t affected at all. The remaining CVEs have no difference in severity between the versions.

More information about this month’s security updates can be found on the Microsoft Security Bulletin Summary web page. Also this month, Microsoft is increasing MSRT detection capabilities for three worm families — Win32/Rorpian, Win32/Yimfoca and Win32/Nugel. Please see today’s MMPC blog for more information.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, June 15, hosted by Jerry Bryant and Jonathan Ness. We invite you to tune in and learn more about the June security bulletins, as well as other announcements made today. The webcast is scheduled at 11 a.m. PDT, and the registration can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse. Also feel free to tweet the hash tag #MSFTSecWebcast and ask any questions you may have regarding the bulletins before Wednesday at 11am PDT. We’ll answer as many questions as possible live during the webcast.

Thanks,

Angela Gunn
Trustworthy Computing.

Q&A from May 2011 Security Bulletin Webcast

May 12th, 2011 No comments

Hello,

Today we published the May Security Bulletin Webcast Questions & Answers page. We fielded twelve questions on various topics during the webcast, including bulletins released and the Malicious Software Removal Tool. There were two questions during the webcast that we were unable to answer, and we have included those questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, June 15th at 11am PDT (-8 UTC), when we will go into detail about the June bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, June 15, 2011
Time: 11:00 a.m. PDT (UTC -8)

Register: Attendee Registration

Thanks –

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

March 2011 Security Bulletin Release

March 8th, 2011 Comments off

Hello all —

Today, as part of our monthly security bulletin release, we have three bulletins addressing four vulnerabilities in Microsoft Windows and Microsoft Office. One bulletin is rated Critical, and this is the bulletin we recommend for priority deployment:

  • MS11-015. This bulletin resolves one Critical-level and one Important-level vulnerability affecting certain media files in all versions of Microsoft Windows. It has an Exploitability Index rating of 1. Due to the nature of the affected software, this bulletin carries a Critical-level severity rating for all affected client systems, but only an Important-level rating for Windows Server 2008 R2 for x64. Other versions of Windows Server – 2003, 2008 and 2008 R2 – are unaffected. For both the Critical- and Important-level vulnerabilities, an attacker would have to convince a user to open a maliciously crafted file for an attack to work.

Our other two bulletins are somewhat similar in nature, both addressing the DLL-preloading issue described in Security Advisory 2269637, and both carrying an Important-level severity rating and an Exploitability Index rating of 1.

  • MS11-016 is a DLL-preloading issue affecting Microsoft Groove 2007 Service Pack 2, which makes this an Office bulletin. Versions 2007 and 2010 of Groove are unaffected, as is Microsoft SharePoint Workspace 2010.
  • MS11-017 is also a DLL-preloading issue, in this instance in the Microsoft Windows Remote Desktop Client. This security update is rated Important for Remote Desktop Connection 5.2 Client, Remote Desktop Connection 6.0 Client, Remote Desktop Connection 6.1 Client, and Remote Desktop Connection 7.0 Client.

We continue to address DLL-preloading issues as they are discovered; however, it’s important to note that we have not seen exploitation of these issues in the wild.
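Security Advisory 2269637 also describes a system-wide hardening that limits where the DLL loader will look, independent of the per-application fixes above. The following PowerShell check, which is an added example and not code from the MSRC post or from Microsoft, reports whether that hardening is in place. It assumes (my assumption, not stated in the post) that the setting is the CWDIllegalInDllSearch DWORD under the Session Manager key, where 0xFFFFFFFF removes the current working directory from the DLL search order entirely, 2 blocks loading from a WebDAV current directory, and 1 blocks loading from any remote (UNC or WebDAV) current directory.

```powershell
# Added example (not from the MSRC post): report the system-wide DLL search
# path hardening associated with Security Advisory 2269637.
# Assumption (mine, not stated in the post): the setting is the
# CWDIllegalInDllSearch DWORD under the Session Manager key, with the
# meanings listed in the $meanings table below.
function Get-DllSearchPosture {
    [CmdletBinding()]
    param()

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $raw = (Get-ItemProperty -Path $key -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch

    # A REG_DWORD of 0xFFFFFFFF is surfaced as the Int32 value -1; normalise it
    # to an unsigned value so the comparisons below are unambiguous.
    $value = $null
    if ($null -ne $raw) {
        $value = [uint32]($raw -band 0xFFFFFFFF)
    }

    $meanings = @{
        4294967295 = 'current working directory removed from the DLL search path'
        2          = 'current working directory blocked only when it is a WebDAV location'
        1          = 'current working directory blocked when it is a remote (UNC or WebDAV) location'
    }

    if ($null -eq $value) {
        $meaning = 'not set: the current working directory is still searched for DLLs'
    } elseif ($meanings.ContainsKey([int64]$value)) {
        $meaning = $meanings[[int64]$value]
    } else {
        $meaning = "unrecognised value $value"
    }

    [pscustomobject]@{
        Key      = $key
        Value    = $(if ($null -eq $value) { $null } else { '0x{0:X8}' -f $value })
        Hardened = ($null -ne $value -and $value -eq [uint32]::MaxValue)
        Meaning  = $meaning
    }
}

Get-DllSearchPosture | Format-List
```

The strictest setting is the one that removes the current directory from the search path altogether; it is also the one most likely to break legacy applications that rely on loading helper DLLs from the directory they were launched from, so test before deploying it broadly.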

In this video, Jerry Bryant discusses this month’s bulletins in further detail, focusing on MS11-015:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).

More information about this month’s security updates can be found on the Microsoft Security Bulletin summary web page.

As we often do in the wake of a Service Pack release, we’ve gotten deployment questions about Windows 7 SP1. To assist customers in that process, our TechNet site has posted an SP1 deployment guide to aid you in testing and deployment. You’ll also find release notes and links to handy information — for example, a spreadsheet that contains a list of all the hotfixes and security updates that are included in the Service Pack — as well as information on new features and functionality.

We’d also like to update you on Security Advisory 2501696, which describes an MHTML-related vulnerability in Microsoft Windows. Microsoft is actively monitoring the threat landscape in conjunction with our Microsoft Active Protections Program (MAPP) partners. We are currently working to provide a solution through our monthly security update release process and will continue to monitor the issue as we prepare that.

Finally, we mentioned previously that changes are coming to the system we use for publishing our bulletins and security advisories. We still expect those changes to go live in June of this year. The main impact to customers will be a URL change from microsoft.com/technet/security to technet.microsoft.com/security. We are planning to have both the old and new sites available simultaneously for a period of time.

Please join the monthly technical webcast with your hosts, Jerry Bryant and Dustin Childs, to learn more about the March 2011 security bulletins. The webcast is scheduled for Wednesday, March 9, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Trustworthy Computing.

December 2010 Advance Notification Service is released

December 9th, 2010 Comments off

Hi everyone. Mike Reavey from the MSRC here. Today we’re releasing our Advance Notification Service for the December 2010 security bulletin release. As we do every month, we’ve given information about the coming December release and provided links to detailed information so you can plan your deployment by product, service pack level, and severity. However, since this is the last release for the year, I thought it would also be a good time to take a look back at the security releases we’ve had over the last 12 months.

First, for December we’re releasing 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Looking back over 2010, that brings the total bulletin count to 106, which is more bulletins than we have released in previous years. This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report. This isn’t really surprising when you think about product life cycles and the nature of vulnerability research. Microsoft supports products for up to ten years. (One of our most popular operating systems from the turn of the century, XP SP2, reached its end-of-support life in mid-2010, in fact.) Vulnerability research methodologies, on the other hand, change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we’re able to release a comprehensive security update before the issue is broadly known.

At the end of the day, Microsoft’s primary focus is to release reliable, high-quality updates to our customers. Feedback from customers indicates that this is the most important factor in minimizing disruption and allowing them to deploy our updates quickly – even more important than the overall number of security updates.

Back to this month’s bulletins. We’re addressing two issues this month that have attracted interest recently. First, we will be closing the last Stuxnet-related issue this month. This is a local Elevation of Privilege vulnerability and we’ve seen no evidence of its use in active exploits aside from the Stuxnet malware. We’re also addressing the Internet Explorer vulnerability described in Security Advisory 2458511. Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low. Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP). On that note, I want to point you to a new post on the Security Research & Defense team blog describing the effectiveness of DEP and ASLR against the types of exploits we see in the wild today.

We encourage customers to review this month’s bulletins and to prioritize their installation according to the needs of their environment. (And, of course, for most home users these updates will be installed automatically.) If you have questions, join us next Wednesday (December 15) when Jonathan Ness and Jerry Bryant will host a live webcast covering the December bulletins. They’ll go into detail about the release and answer your bulletin-related questions live on the air. Register at the link below:

Date: Wednesday, December 15
Time: 11:00 a.m. PST (UTC -8)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454441

Thanks,

Mike Reavey
Director, MSRC