Archive

Archive for the ‘Security Bulletins’ Category

Changes to Security Update Links

April 29th, 2016 No comments

Updates have historically been published on both both the Microsoft Download Center and the Microsoft Update Catalog and Security Bulletins linked directly to update packages on the Microsoft Download Center. Starting May 10, some updates will no longer be available from the Microsoft Download Center.

Security bulletins will continue to link directly to the updates, but will now point to the packages on the Microsoft Update Catalog for updates not available on the Microsoft Download Center. Customers that use tools linking to the Microsoft Download Center should follow the links provided in the Security Bulletins or search directly on the Microsoft Update Catalog.

For tips on searching the Microsoft Update Catalogue visit the frequently asked questions page.

Evolving Microsoft’s Advance Notification Service in 2015

January 8th, 2015 No comments

Our Advance Notification Service (ANS) was created more than a decade ago as part of Update Tuesday to broadly communicate in advance, about the security updates being released for Microsoft products and services each month. Over the years, technology environments and customer needs have evolved, prompting us to evaluate our existing information and distribution channels. This desire to improve is why customers may have seen us introduce myBulletins to provide bulletin reports tailored to customer preferences, discontinue the Deployment Priority matrix in favor of the Exploitability Index, modify the Exploitability Index to account for more threat scenarios, simplify security bulletin content to help customer understanding, and create a centralized glossary for bulletin definitions. The change being announced today fits within that context.

We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page. 

ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically. More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations. Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating.

For Premier customers who would still like to receive this information, Microsoft will continue to provide ANS through their Technical Account Manager support representatives. ANS will also continue to be provided to current organizations that are part of our security programs such as the Microsoft Active Protections Program.  For customers without a Premier support contract, we recommend taking advantage of myBulletins, which enables customers to tailor security bulletin information based on only those applications running in their environment.
 
As our customers’ needs change, so must our approach to security. We remain relentless in our commitment to protect customers and the ongoing delivery of secure computing experiences.

Thank you,

Chris Betz
Senior Director, MSRC

Evolving Microsoft’s Advance Notification Service in 2015

January 8th, 2015 No comments

Our Advance Notification Service (ANS) was created more than a decade ago as part of Update Tuesday to broadly communicate in advance, about the security updates being released for Microsoft products and services each month. Over the years, technology environments and customer needs have evolved, prompting us to evaluate our existing information and distribution channels. This desire to improve is why customers may have seen us introduce myBulletins to provide bulletin reports tailored to customer preferences, discontinue the Deployment Priority matrix in favor of the Exploitability Index, modify the Exploitability Index to account for more threat scenarios, simplify security bulletin content to help customer understanding, and create a centralized glossary for bulletin definitions. The change being announced today fits within that context.

We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page. 

ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically. More and more customers today are seeking to cut through the clutter and obtain security information tailored to their organizations. Rather than using ANS to help plan security update deployments, customers are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. Customers are also moving to cloud-based systems, which provide continuous updating.

For Premier customers who would still like to receive this information, Microsoft will continue to provide ANS through their Technical Account Manager support representatives. ANS will also continue to be provided to current organizations that are part of our security programs such as the Microsoft Active Protections Program.  For customers without a Premier support contract, we recommend taking advantage of myBulletins, which enables customers to tailor security bulletin information based on only those applications running in their environment.
 
As our customers’ needs change, so must our approach to security. We remain relentless in our commitment to protect customers and the ongoing delivery of secure computing experiences.

Thank you,

Chris Betz
Senior Director, MSRC

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

August 2014 Security Updates

August 12th, 2014 No comments

Today, as part of Update Tuesday, we released nine security updates – two rated Critical and seven rated Important – to address 37 Common Vulnerabilities & Exposures (CVEs) in SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize their deployment planning, we recommend focusing on the Critical updates first.

Here’s an overview slide and video of the security updates released today:

Click to enlarge

Microsoft also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.

You may notice a revision in the XI this month, which aims to better characterize the actual risk to a customer on the day the security update is released. Customers will see new wording for the rating, including a new rating of “0” for “Exploitation Detected.” More information about XI can be found here:  http://technet.microsoft.com/en-us/security/cc998259.aspx.

Last week, Microsoft announced some other news that relates to Update Tuesday:

  • On August 5, Windows published a Windows blog post discussing its non-security update strategy moving forward, which is now on a monthly cadence as part of Update Tuesday.
  • On August 6, IE announced in its IE Blog that it would begin blocking out-of-date ActiveX controls. This feature will be part of the August IE Cumulative Security Update, but no out-of-date ActiveX controls will be blocked for 30 days in order to give customers time to test and manage their environments.
  • On August 7, .NET and IE announced that Microsoft will support only the most recent versions of .NET and IE for each supported operating system.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, August 13, 2014, at 11 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks, 

Dustin Childs

Group Manager, Response Communications
Microsoft Trustworthy Computing

August 2014 Security Updates

August 12th, 2014 No comments

Today, as part of Update Tuesday, we released nine security updates – two rated Critical and seven rated Important – to address 37 Common Vulnerabilities & Exposures (CVEs) in SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize their deployment planning, we recommend focusing on the Critical updates first.

Here’s an overview slide and video of the security updates released today:

Click to enlarge

Microsoft also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.

You may notice a revision in the XI this month, which aims to better characterize the actual risk to a customer on the day the security update is released. Customers will see new wording for the rating, including a new rating of “0” for “Exploitation Detected.” More information about XI can be found here:  http://technet.microsoft.com/en-us/security/cc998259.aspx.

Last week, Microsoft announced some other news that relates to Update Tuesday:

  • On August 5, Windows published a Windows blog post discussing its non-security update strategy moving forward, which is now on a monthly cadence as part of Update Tuesday.
  • On August 6, IE announced in its IE Blog that it would begin blocking out-of-date ActiveX controls. This feature will be part of the August IE Cumulative Security Update, but no out-of-date ActiveX controls will be blocked for 30 days in order to give customers time to test and manage their environments.
  • On August 7, .NET and IE announced that Microsoft will support only the most recent versions of .NET and IE for each supported operating system.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, August 13, 2014, at 11 a.m. PDT.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks, 

Dustin Childs

Group Manager, Response Communications
Microsoft Trustworthy Computing

Theoretical Thinking and the June 2014 Bulletin Release

June 10th, 2014 No comments

As security professionals, we are trained to think in worst-case scenarios.  We run through the land of the theoretical, chasing “what if” scenarios as though they are lightning bugs to be gathered and stashed in a glass jar.  Most of time, this type of thinking is absolutely the correct thing for security professionals to do.  We need to be prepared for when, not if, these disruptive events occur.  However, every now and then, it can be productive to draw ourselves out of this hypothetical mentality and look instead at the real impact in the here and now.

Speaking of the here and now, today we release seven security bulletins, two rated Critical and five rated Important in severity, addressing 66 Common Vulnerabilities and Exposures (CVEs) for Microsoft Windows, Internet Explorer, and Microsoft Office customers.  But before we get into the details of the updates, I want to take a moment to provide some additional insight into how we assess and recommend those severity ratings.  For every issue, we consider ”what if” – what’s the severest outcome from a potential cyberattack?  We want to provide our best guidance on the risk assessment for our customers, and that requires consideration of the worst-case scenario.

If we consider the worst-case scenario analogous to a tree falling in the woods, is there a sound if no one is around to hear it?  Similarly, does a vulnerability make a sound if it never gets exploited?  When we become aware of a potential security issue, we work to fix it regardless of whether or not it is under active attack.  In other words, it doesn’t matter if that falling tree makes a noise; we still have an action to take.  Why?  Because one day in the future, it’s possible what we’re delivering today could get exploited if not addressed.  However, we’re not in the future; we’re in the land of the here and now.  And while we are in this land, we sometimes confuse theoretical thinking with the actuality of impact to real people.  Until something actually occurs it is still theory; we’re taking the theoretical and making practical updates against future “what ifs”.

Let’s look at an example from this month’s release.  The security bulletin for Internet Explorer (IE) resolves 59 items, including CVE-2014-1770.  The most serious of these could allow remote code execution if a user views a webpage specially crafted by a cybercriminal.  We still haven’t seen any active attacks attempting to exploit any of the other CVEs addressed by this bulletin.  While there are a number of things being addressed this time around, it’s important to note that, to our knowledge, none of these now-addressed CVEs have caused any customer impact to date.  

Addressing items before active attacks occur helps keep customers better protected.  The Internet Explorer update for this month includes additional security updates that will help protect our customers, which is yet another reason why it’s good to stay current with the latest updates.

If you’ve seen the recent blog from the IE team, you’ll also see another message:  Customers should update to the latest version of Internet Explorer.  For Windows 7 and Windows 8.1, that means Internet Explorer 11—the most modern, secure browser we’ve ever built.  IE11 has advanced security features like Enhanced Protection Mode (EPM) and SmartScreen Filter, support for modern web standards, and Enterprise Mode for rendering legacy web apps.  Internet Explorer 11 is much more secure than older versions, which is why we encourage customers to upgrade.

There are six other bulletins released today to improve your security as well.  For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

Here’s an overview of all the updates released today:

Click to enlarge

As always, we encourage you to apply all of the updates, but for those who prioritize, we recommend the Word and Internet Explorer updates be on the top of your list.

Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player. in Internet Explorer.  The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-16.  For more information about this update, including download links, see Microsoft Knowledge Base Article 2966072.

Watch the bulletin overview video below for a brief summary of today's releases.

Andrew Gross and I will host the monthly security bulletin webcast, scheduled for Wednesday, June 11, 2014, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins.

For all the latest information, you can also follow us at @MSFTSecResponse.

I look forward to hearing any questions about this month’s release during our webcast tomorrow.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Security Update Released to Address Recent Internet Explorer Vulnerability

Today, we released a security update to address the Internet Explorer (IE) vulnerability first described in Security Advisory 2963983. This security update addresses every version of Internet Explorer.

While we’ve seen only a limited number of targeted attacks, customers are advised to install this update promptly. The majority of our customers have automatic updates enabled and so will not need to take any action as protections will be downloaded and installed automatically. If you’re unsure if you have automatic updates, or you haven’t enabled Automatic Update, now is the time. 

For those manually updating, we strongly encourage you to apply this update as quickly as possible, following the directions in the released security bulletin.

We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11. You can find more information on the Microsoft Security Bulletin summary webpage.

We invite you to join Jonathan Ness and myself for a live webcast at 11 a.m. PDT tomorrow, where we’ll provide a detailed review of the bulletin. You can register here.

*Updated 5/2/2014 – The 11 a.m. webcast has reached capacity, so a second webcast has been scheduled for 2 p.m. on Friday, May 2. Details on registration can be found here.

For more information, please see the Microsoft News blog.

Dustin Childs
Group Manager, Response Communications
Trustworthy Computing

The March 2014 Security Updates

March 11th, 2014 No comments

This month we release five bulletins to address 23 unique CVEs in Microsoft Windows, Internet Explorer and Silverlight. If you need to prioritize, the update for Internet Explorer addresses the issue first described in Security Advisory 2934088, so it should be at the top of your list. While that update does warrant your attention, I want to also call out another impactful update.

MS14-014 provides an update to address a security feature bypass in Silverlight. The issue wasn’t publicly known and it isn’t under active attack, however it can impact your security in ways that aren’t always obvious. Specifically, the update removes an avenue attackers could use to bypass ASLR protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable. Picasso said, “The hidden harmony is better than the obvious” – Shutting down an ASLR bypass could be considered one of the most harmonious things to do to help increase customer security.

Let’s not forget the other updates we released today. This month we release two Critical and three Important bulletins. Here’s an overview of this month’s release:

Click to enlarge


Our top deployment priority this month is MS14-012, which address 18 issues in Internet Explorer.

MS14-012 | Cumulative Security Update for Internet Explorer   
This cumulative update addresses one public and 17 privately disclosed issues in Internet Explorer. These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in
Security Advisory 2934088, which included a Fix it for the issue. We should also note that the observed attacks performed a check for the presence of the Enhanced Mitigation Experience Toolkit (EMET) and did not proceed if it was detected. This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8. Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above. The SRD blog goes into more detail about how shutting down that bypass helped. For all issues addressed by this update, successful exploitation could allow an attacker to gain the same user rights as the local user. Customers with automatic updates enabled will not need to take action, as they will be updated automatically.

We are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-08. For more information about this update, including download links, see Microsoft Knowledge Base Article 2938527. Also, for those of you who may be interested, KB864199 provides a list of the non-security updates released today. This list includes the latest update for the Malicious Software Removal Tool (MSRT), which now includes detections for the Wysotot and Spacekito malware families.

Watch the bulletin overview video below for a brief summary of today's releases.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Webpage.

My colleagues Andrew Gross and Pete Voss will host the monthly bulletin webcast and answer your questions about this month’s release. As usual, the webcast is scheduled for Wednesday, March 12, 2014, at 11 a.m. PDT. Please register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow us at @MSFTSecResponse.

If you happen to be at the CanSecWest conference in Vancouver, B.C, please swing by our booth (number 4) to say hello!

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Safer Internet Day 2014 and Our February 2014 Security Updates

February 11th, 2014 No comments

In addition to today being the security update release, February 11 is officially Safer Internet Day for 2014. This year, we’re asking folks to Do 1 Thing to stay safer online. While you may expect my “Do 1 Thing” recommendation would be to apply security updates, I’m guessing that for readers of this blog, that request would be redundant. Instead, I’ll ask that you also install the latest version of the Enhanced Mitigation Experience Toolkit (EMET). If you aren’t familiar with EMET, the utility helps prevent vulnerabilities from being successfully exploited by using security mitigation technologies built into the operating system. EMET doesn’t guarantee that vulnerabilities cannot be exploited, but it works to make exploitation as difficult as possible and is a great addition to any layered defense.

If you choose to install EMET as part of Safer Internet Day, you won’t just be making a difference on your own systems, you can also help a great non-profit organization. Starting today, when you share your promise to create a better Internet or participate in selected social media activities, Microsoft will make a donation to TechSoup Global – a nonprofit organization using technology to solve global problems and foster social change.

Now let’s get back to that other “One Thing” – This month, we’re releasing seven updates, four rated Critical and three rated Important, addressing 31 unique CVEs in Microsoft Windows, Internet Explorer, .NET Framework and Forefront Protection for Exchange. Here’s an overview of this month’s release:

Click to enlarge

Our top deployment priorities for this month are MS14-007, MS14-010 and MS14-011, which address issues in Microsoft Windows Direct2D, Internet Explorer, and the VBScript Scripting Engine.

MS14-007 | Vulnerability in Direct2D Could Allow Remote Code Execution  
This update addresses a privately reported vulnerability in the Microsoft Windows Direct2D component. The vulnerability could allow remote code execution if a customer views a specially crafted webpage using Internet Explorer.

MS14-010 | Cumulative Security Update for Internet Explorer   
This cumulative update addresses one public and 23 privately disclosed issues in Internet Explorer. It’s important to remember that this is still just one update. Our guidance to customers does not change based on the number of CVEs contained in a single Internet Explorer update. An attacker who successfully exploited the most severe of these issues could execute code at the level of the logged on user. Customers who deploy this update will be protected from that scenario.

MS14-011 | Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution  
This update addresses a privately reported vulnerability in the VBScript scripting engine within Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Although this update and MS14-007 have similar exploit vectors to the update for Internet Explorer, these issues actually reside in Windows components – not Internet Explorer. This update also shares a CVE with the MS14-010 update for Internet Explorer as the VBScript scripting engine was included in Internet Explorer 9.

We’ve mentioned it several times before, but in case you missed it, we revised Security Advisory 2862973 today to provide the update through automatic updates. We originally released this update last August to allow for testing, as the update will impact applications and services using certificates with the MD5 hashing algorithm. If you have already applied the update, you won’t need to take any additional action. If you haven’t applied this update yet, you can do so through automatic updates.

Watch the bulletin overview video below for a brief summary of today's releases.

For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, February 12, 2014, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow us at @MSFTSecResponse.

I encourage you to consider what “one thing” you can do to improve your internet safety, and I look forward to hearing your questions about this month’s release in our webcast tomorrow.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Update (2/10) – Advance Notification Service for February 2014 Security Bulletin Release

February 10th, 2014 No comments

Update as of February 10, 2014

We are adding two updates to the February release. There will be Critical-rated updates for Internet Explorer and VBScript in addition to the previously announced updates scheduled for release on February 11, 2014. These updates have completed testing and will be included in tomorrow’s release.

This brings the total for Tuesday’s release to seven bulletins, four Critical. Please review the ANS summary page for updated information to help customers prepare for security bulletin testing and deployment.

Thanks,
Dustin

——

Today we are providing advance notification for the release of five bulletins, two rated Critical and three rated Important, for February 2014. The Critical updates address vulnerabilities in Microsoft Windows and Security Software while the Important-rated updates address issues in Windows and the .NET Framework.

As per usual, we’ve scheduled the security bulletin release for the second Tuesday of the month, February 11, 2014, at approximately 10:00 a.m. PST. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information that will help customers prepare for security bulletin testing and deployment.

Don’t forget, you can also follow the MSRC team’s recent activity on Twitter at @MSFTSecResponse

Thank you,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Advance Notification Service for the January 2014 Security Bulletin Release

January 9th, 2014 No comments

Today we provide advance notification for the release of four bulletins for January 2014. All bulletins this month are rated Important in severity and address vulnerabilities in Microsoft Windows, Office, and Dynamics AX. The update provided in MS14-002 fully addresses the issue first described in Security Advisory 2914486. We have only seen this issue used in conjunction with a PDF exploit in targeted attacks and not on its own. This only impacts customers using Windows XP or Server 2003 as more recent Windows versions are not affected.

As always, we’ve scheduled the security bulletin release for the second Tuesday of the month, January 14, 2014, at approximately 10:00 a.m. PST. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information to help you prepare for security bulletin testing and deployment.

Don’t forget, you can also follow the MSRC team’s recent activity on Twitter at @MSFTSecResponse

Thank you,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Advance Notification Service for December 2013 Security Bulletin Release

December 5th, 2013 No comments

Today we’re providing advance notification for the release of 11 bulletins, five Critical and six Important, for December 2013. The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The Critical update for GDI+ fully addresses the publicly disclosed issue described in Security Advisory 2896666.  

This release won’t include an update for the issue described in Security Advisory 2914486. We’re still working to develop a security update and we’ll release it when ready. Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.

As always, we’ve scheduled the security bulletin release for the second Tuesday of the month, December 10, 2013, at approximately 10:00 a.m. PST. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information that will help customers prepare for security bulletin testing and deployment.

Don’t forget, you can also follow the MSRC team’s recent activity on Twitter at @MSFTSecResponse

Thank you,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Advance Notification Service for December 2013 Security Bulletin Release

December 5th, 2013 No comments

Today we’re providing advance notification for the release of 11 bulletins, five Critical and six Important, for December 2013. The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The Critical update for GDI+ fully addresses the publicly disclosed issue described in Security Advisory 2896666.  

This release won’t include an update for the issue described in Security Advisory 2914486. We’re still working to develop a security update and we’ll release it when ready. Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.

As always, we’ve scheduled the security bulletin release for the second Tuesday of the month, December 10, 2013, at approximately 10:00 a.m. PST. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information that will help customers prepare for security bulletin testing and deployment.

Don’t forget, you can also follow the MSRC team’s recent activity on Twitter at @MSFTSecResponse

Thank you,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

MBSA 2.3 and the November 2013 Security Bulletin Webcast, Q&A, and Slide Deck

November 15th, 2013 No comments

Today we’re publishing the November 2013 Security Bulletin Webcast Questions & Answers page.  The majority of questions focused on the ActiveX Kill Bits bulletin (MS13-090) and the advisories. We also answered a few general questions that were not specific to any of this month’s updates, but that may be of interest.

We’ve discussed the Microsoft Baseline Security Analyzer (MBSA) tool in this and many other webcasts, and I’m happy to report version 2.3 is now available. This new version adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. However, Windows 2000 systems will no longer be supported by MBSA. If you aren’t familiar with the tool or would just like to know more about it, we encourage you to read the FAQ found on the Security TechCenter. Thanks also go out to everyone who participated in the public preview leading up to this release.

We invite you to join us for the next scheduled webcast on Wednesday, December 11, 2013, at 11 a.m. PST (UTC -8), when we will go into detail about the December bulletin release and answer your bulletin deployment questions live on the air.

You can register to attend the webcast at the link below:

Date: Wednesday, December 11, 2013
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

 

 

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

MBSA 2.3 and the November 2013 Security Bulletin Webcast, Q&A, and Slide Deck

November 15th, 2013 No comments

Today we’re publishing the November 2013 Security Bulletin Webcast Questions & Answers page.  The majority of questions focused on the ActiveX Kill Bits bulletin (MS13-090) and the advisories. We also answered a few general questions that were not specific to any of this month’s updates, but that may be of interest.

We’ve discussed the Microsoft Baseline Security Analyzer (MBSA) tool in this and many other webcasts, and I’m happy to report version 2.3 is now available. This new version adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. However, Windows 2000 systems will no longer be supported by MBSA. If you aren’t familiar with the tool or would just like to know more about it, we encourage you to read the FAQ found on the Security TechCenter. Thanks also go out to everyone who participated in the public preview leading up to this release.

We invite you to join us for the next scheduled webcast on Wednesday, December 11, 2013, at 11 a.m. PST (UTC -8), when we will go into detail about the December bulletin release and answer your bulletin deployment questions live on the air.

You can register to attend the webcast at the link below:

Date: Wednesday, December 11, 2013
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

 

 

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

10 years of Update Tuesdays

October 14th, 2013 No comments

On October 1, 2003, Microsoft announced it would move to a monthly security bulletin cadence. Today, marks 10 years since that first monthly security update. We looked at many ways to improve our security preparedness and patch timing was the number one customer request. Your feedback was clear and we delivered a predictable schedule.

Since then, we have seen others in the industry follow our move to monthly updates. As we continue to act on feedback, one thing stays the same: our ongoing commitment to help protect our 1 billion global customers.

If, like me, you are active on Twitter, you may have seen some others notice this milestone too:

This last decade has been a journey of discovery, key learnings and providing customer protections. Our business continues to evolve and adapt in an ever changing security response landscape.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Categories: Security Bulletins, Update Tuesday Tags: