The official corporate security response blog
@MSFTSecResponse
As part of the Industry Consortium for Advancement of Security on the Internet (ICASI), Microsoft is pleased to present an initial set of monthly security updates – originally released on May 8 – in the consortium’s newly established Common Vulnerability Reporting Framework (CVRF) format, for your examination and feedback. Today, ICASI released version 1.1 of its CVRF – an XML markup system designed to make security bulletins and advisories machine readable in an industry-standard fashion.
Even though many vendors have followed Microsoft’s lead in providing comprehensive security updates to customers, the formats vendors use vary. CVRF provides the entire industry with a way to share and present data in a coordinated and structured manner.
CVRF is free for anyone to examine and use. The goal is to build a data-markup framework that can be used by anyone publishing or examining security update information on the Internet.
CVRF is a work in progress. For many customers, a machine-readable markup framework for security releases might not be a pressing need. For instance, home-computer users or small businesses may choose to install security updates automatically. However, many business customers spend time manually “copying and pasting” our security bulletin content into their risk management systems, spreadsheets and corporate notification emails as part of their IT security compliance and remediation task list.
For these customers, this machine-readable format may enable more efficiency and automation. Faster and more efficient guidance for these customers means they can more quickly ensure protection, which is always our goal. For those that do not require automation, we will continue to offer our bulletins in the current format. For those customers looking to automate and streamline their security-management process, or for those who are simply curious to see what happens when vendors from around the industry roll up their sleeves and work to make the update process better, visit the Connect portal to read more about CVRF, and to examine CVRF-formatted bulletins. Visit https://connect.microsoft.com/ and click SIGN IN in the upper right-hand corner to sign in with your Windows Live ID. Once you are signed in and are looking at the home page, use the invitation code “cvrf-9BK8-6W2T” (without quotes) to join the program, or visit https://connect.microsoft.com/site1098/InvitationUse.aspx?ProgramID=7665&InvitationID=cvrf-9BK8-6W2T directly.
Your feedback will be relayed to the ICASI working group of which Microsoft is a member. Together we’ll continue to make CVRF a truly robust, collaborative standard throughout the Internet ecosystem.
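As an added example (not part of the original post, and not ICASI’s or Microsoft’s own tooling), the script below shows what the “copy and paste” step above looks like once a bulletin is machine readable: it parses a CVRF 1.1 document and flattens it into one row per vulnerability and affected product, the shape a risk-management system or spreadsheet would ingest. The sample document is constructed; its bulletin ID, CVE number and product names are placeholders. The namespace URIs and element names are assumed from the CVRF 1.1 schema and should be checked against the published schema before running this against a real feed.

```python
"""Flatten a CVRF 1.1 document into rows for a risk-management system."""
import xml.etree.ElementTree as ET

# Namespaces of the three CVRF 1.1 schema parts (assumed; verify against the
# schema files ICASI publishes).  A document in a different CVRF version will
# fail the root-element check below rather than silently parse to nothing.
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
}

# Constructed sample document.  EXAMPLE-001, CVE-0000-0001 and the product
# names are placeholders, not real bulletin data.
SAMPLE_CVRF = """<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <DocumentTitle>Example Security Bulletin</DocumentTitle>
  <DocumentType>Security Bulletin</DocumentType>
  <DocumentPublisher Type="Vendor"/>
  <DocumentTracking>
    <Identification><ID>EXAMPLE-001</ID></Identification>
    <Status>Final</Status>
    <Version>1.0</Version>
    <InitialReleaseDate>2012-05-08T10:00:00-07:00</InitialReleaseDate>
    <CurrentReleaseDate>2012-05-08T10:00:00-07:00</CurrentReleaseDate>
  </DocumentTracking>
  <prod:ProductTree>
    <prod:FullProductName ProductID="P1">Example OS 1.0</prod:FullProductName>
    <prod:FullProductName ProductID="P2">Example OS 2.0</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Example Parsing Vulnerability</vuln:Title>
    <vuln:CVE>CVE-0000-0001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>P1</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Known Not Affected"><vuln:ProductID>P2</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:Threats>
      <vuln:Threat Type="Impact"><vuln:Description>Remote Code Execution</vuln:Description></vuln:Threat>
    </vuln:Threats>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet><vuln:BaseScore>9.3</vuln:BaseScore></vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def parse_cvrf(xml_text):
    """Return a dict with document metadata and one entry per vulnerability.

    For feeds fetched from the network, parse with defusedxml instead of the
    stdlib parser to rule out entity-expansion attacks on the ingest host.
    """
    root = ET.fromstring(xml_text)
    expected_root = "{%s}cvrfdoc" % NS["cvrf"]
    if root.tag != expected_root:
        raise ValueError("not a CVRF 1.1 document: root element is %r" % root.tag)

    # ProductID -> human-readable name, resolved from the product tree so the
    # output carries names rather than opaque IDs.
    products = {
        el.get("ProductID"): (el.text or "").strip()
        for el in root.iter("{%s}FullProductName" % NS["prod"])
    }

    doc = {
        "id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS),
        "title": root.findtext("cvrf:DocumentTitle", namespaces=NS),
        "status": root.findtext("cvrf:DocumentTracking/cvrf:Status", namespaces=NS),
        "released": root.findtext("cvrf:DocumentTracking/cvrf:CurrentReleaseDate", namespaces=NS),
        "vulnerabilities": [],
    }

    for v in root.findall("vuln:Vulnerability", NS):
        affected = []
        for status in v.findall("vuln:ProductStatuses/vuln:Status", NS):
            if status.get("Type") != "Known Affected":
                continue  # skip "Known Not Affected", "Fixed", etc.
            for pid in status.findall("vuln:ProductID", NS):
                affected.append(products.get(pid.text, pid.text))
        impact = v.findtext(
            "vuln:Threats/vuln:Threat[@Type='Impact']/vuln:Description", namespaces=NS)
        score_text = v.findtext(
            "vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", namespaces=NS)
        doc["vulnerabilities"].append({
            "ordinal": int(v.get("Ordinal", "0")),
            "cve": v.findtext("vuln:CVE", namespaces=NS),
            "title": v.findtext("vuln:Title", namespaces=NS),
            "impact": impact,
            "base_score": float(score_text) if score_text else None,
            "affected": affected,
        })
    return doc


def to_rows(doc):
    """One (bulletin, CVE, impact, score, product) tuple per affected product."""
    rows = []
    for vuln in doc["vulnerabilities"]:
        for product in vuln["affected"] or [None]:
            rows.append((doc["id"], vuln["cve"], vuln["impact"], vuln["base_score"], product))
    return rows


if __name__ == "__main__":
    for row in to_rows(parse_cvrf(SAMPLE_CVRF)):
        print(",".join(str(col) for col in row))
```

The root-element check is the part worth keeping even if the rest is replaced: a feed that changes CVRF versions, or that is not CVRF at all, should fail loudly at ingest rather than produce an empty set of rows that looks like “nothing to patch”.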
Update: If you would like to find out more information about the CVRF standard, please join the CVRF working group webinar on Tuesday, 30 May at noon EDT. They will provide an overview of CVRF v1.1 and showcase the improvements in this latest revision. You can register at http://register.webcastgroup.com/L4/?wid=0557685978
Mike Reavey
Senior Director, MSRC
Hello,
Today we published the May Security Bulletin Webcast Questions & Answers page, and the May 2012 Security Bulletin Release Webcast slide deck. During the webcast, we fielded 8 questions on various topics, including bulletins released, deployment tools, and update detection tools.
We invite our customers to join us for the next public webcast on Wednesday, June 13 at 11am PDT (UTC -7), when we will go into detail about the June bulletin release and answer questions live on the air.
Customers can register to attend at the link below:
Date: Wednesday, June 13, 2012
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration
Thanks,
Yunsun Wee
Director, Microsoft Trustworthy Computing
Have you ever wondered why bulletins group particular issues together? Or one set of products and not another? Well today Jonathan Ness has posted an insightful Security Research & Defense (SRD) blog discussing some of the nuances and packaging decisions that went into MS12-034. This is a particularly interesting case to dive into and will give readers a better appreciation for the bulletin management process here at Microsoft.
For Update Tuesday we’re releasing seven security bulletins – three Critical-class and four Important – addressing 23 issues in Microsoft Windows, Office, Silverlight, and the .NET Framework. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing on the following two critical updates first:
Please watch the video below for details about this month's bulletins:
As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.
Our risk and impact graph shows an aggregate view of this month's severity and exploitability index.
You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.
Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Dustin Childs. I invite you to tune in and learn more about the May security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, May 9, at 11 A.M. PDT. Click here to register.
During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA). Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program.
Additionally, starting with our May release, we strengthened existing controls and took actions to better protect our information. We believe that these enhancements will better protect our information, while furthering customer protection by aiding partners developing active protections. For an in-depth look at how MAPP provides a critical head-start to defenders, while working to minimize risk, please read this blog by the MAPP team.
Yunsun Wee
Director, Microsoft Trustworthy Computing
Today we’re releasing our advance notification for the May security bulletin release, which is scheduled for Tuesday, May 8. This month’s release includes 7 bulletins addressing 23 vulnerabilities in Microsoft Windows, Office, Silverlight, and .NET Framework. All 7 bulletins will be released on Tuesday, May 8 at approximately 10 a.m. PDT. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.
As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.
Please join Dustin Childs and Pete Voss for a public webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. See below for registration information.
Date: Wednesday, May 9, 2012
Time: 11:00 a.m. PDT (UTC -7)
Click Here To Register
Today we published the April Security Bulletin Webcast Questions & Answers page, and the slide deck presented in the webcast. We fielded 15 questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools.
We invite our customers to join us for the next public webcast on Wednesday, May 9 at 11am PDT (UTC -7), when we will go into detail about the May bulletin release and answer questions live on the air.
Customers can register to attend at the link below:
Date: Wednesday, May 9, 2012
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration
Thanks,
Pete Voss
Senior Response Communications Manager, Microsoft Trustworthy Computing
As you know, today is Update Tuesday. Before I go into the bulletin details, however, I wanted to let you know that today we’re notifying customers that Windows XP and Office 2003 will go out of support in April 2014. We understand that preparing to deploy the latest versions of Windows and Office may take time for some organizations, and we encourage all customers to upgrade to the latest operating system to help protect your systems.
Now, on to the updates. If you’re running Automatic Updates you’re automatically protected from the issues addressed this month, and for those of you who test and deploy your updates, we’ve offered some details and guidance below.
As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing six security bulletins, four of which are rated Critical in severity, and two Important.
These bulletins will increase protection by addressing 11 CVEs. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these Critical updates:
In the video below, Yunsun Wee discusses this month's bulletins in further detail.
Jonathan Ness from the MSRC will join me Wednesday for a webcast. Please tune in and learn more about the April security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, April 11, at 11 A.M. PDT. Click here to register.
Thanks,
Pete Voss
Sr. Response Communications Manager, Microsoft Trustworthy Computing
Today we’re releasing our advance notification for the April security bulletin release, which is scheduled for Tuesday, April 10. This month’s release includes 6 bulletins addressing 11 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, Forefront UAG, and .NET Framework. All 6 bulletins will be released on Tuesday, April 10 at approximately 10 a.m. PDT. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.
Jonathan Ness will join me for a public webcast on Wednesday. During the webcast, we will go into detail about the bulletins and answer questions live on the air. See below for registration information.
Date: Wednesday, April 11, 2012
Time: 11:00 a.m. PDT (UTC -7)
Click Here To Register
The entry window for the first annual BlueHat Prize closed at 11:59pm PDT on April 1. We've been eagerly awaiting a final entry count from the contest organizers, and senior security strategist Katie Moussouris has just posted that tally on the EcoStrat blog. Congratulations to all participants and good luck to the BlueHat Prize Board, which finds itself eyebrow-deep in exciting new defensive-security ideas as the competition judging process begins.
Angela Gunn
Trustworthy Computing
Nearly nine months after we announced the first annual BlueHat Prize competition for innovations in defensive security technologies, we’re just days away from the submission deadline. On the EcoStrat blog today, Senior Security Strategist Katie Moussouris gives a glimpse into the frantic final days of the competition period. If you’re working on your own entry (deadline April 1!) or simply wondering how the race for “mad loot” is shaping up, be sure to check out her post.