The official corporate security response blog

  • MSRC

    New Security Advisory Posted

    Hi everyone, Debby Fry Wilson here.  Just wanted to talk a little bit about a security advisory we have released today just as a precaution.   

    There's been a lot of concern about MS05-039 because of the recent attacks against unpatched Windows 2000 systems.  On operating systems like Windows XP Service Pack 2 and Windows Server 2003, any attack trying to exploit MS05-039 would have to be local to the computer, and could not travel automatically across a network unless the attacker was already at the system.  On Windows XP Service Pack 1, we detailed in the bulletin that the attack could travel across a network but would require authentication.  We have seen no attacks that target Windows XP or Windows Server 2003. 

    However, we are now aware of a very narrow and limited case on Windows XP SP1 whereby an unauthenticated attack might be possible.  It's pretty specific (and to reiterate, if you are on Windows XP SP2 or have applied MS05-039, you are not impacted by this).  But in the interests of making sure people have the right information to assess their risk we are providing an advisory as a precaution. 

    The new scenario only impacts computers that have not been upgraded to SP2, are not part of a domain, are not protected by a firewall, have not applied MS05-039, and have enabled "Simple File and Print Sharing" in a home environment or in a workgroup.  Under this circumstance, the "Guest" account on the computer would then be available to remote users.   

    Domain users of Windows XP SP1 aren't impacted by this scenario at all.  This is very specific to the “Guest” account when “Simple File and Print Sharing” has been enabled on Windows XP SP1 in a home or workgroup environment. 

    There is no known attack that is seeking to exploit this scenario.  Of course, if you are concerned about this, simply apply MS05-039, as we continue to urge everyone to do.  Oh, and upgrade to SP2! 

    The technical details are provided in the security advisory located here: 

    http://www.microsoft.com/technet/security/advisory/906574.mspx

    - Debby

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    New security advisory

    Hey folks – Mike Reavey here, live from the situation room. (BTW- “live from the situation room” is a new favorite term ever since our big television debut this week!)  I wanted to let you know that we published an advisory on a security issue in a COM object, MSDDS.DLL, that when loaded in Internet Explorer could potentially run malicious code on a system.  The advisory is here. Some quick excerpts that are important for customers to know:

    · The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in the .NET Framework.

    · Microsoft Office 2003 is not affected by this vulnerability.

    · Microsoft Access 2003 is not affected by this vulnerability.

    · Microsoft Visual Studio 2003 is not affected by this vulnerability.

    · Microsoft Visual Studio 2002 Service Pack 1 is not affected by this vulnerability.

    As far as where the control does ship:

    · Microsoft Visual Studio 2002 with no service packs ships the control, but customers that have applied Service Pack 1 for Visual Studio 2002 will be protected.

    · Microsoft Office XP Service Pack 3 is not by default affected by this vulnerability. However, it's only in a vulnerable configuration if the C runtime library files are in the search path for Internet Explorer. These files are Msvcr70.dll and Msvcp70.dll. For instance, placing them in the same directory as Msdds.dll or in the %windir%/system32 directory could expose Office XP customers to this issue.

    Of course, there are more suggested actions in the advisory that can help protect customers and we’ll keep investigating this issue. Finally, you’ve heard us say it before, but I’ll say it again; publicly posting details and exploit code for a vulnerability puts customers at risk. We really want to encourage security researchers to work with us by sending information to secure@microsoft.com. You can read more about how to work with us here.

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    The View from the Situation Room

    Hi everyone, Mike Reavey here.  I wanted to take a moment and blog live from our MSRC Situation Room.  (Those of you watching CNN this morning got a glimpse of it!)  The Situation Room is a dedicated room inside the Microsoft campus.  When there is a problem or an attack impacting customers, we bring all of the right people into that room to work on the problem.  That means at any given time during an incident there’s a lot of people, a lot of empty coke cans, and a lot of pizza boxes.  Sometimes there’s a sleeping bag in the corner, or it might be a pile of stuff someone fashioned into a spot to nap in the middle of the night.  The room allows us to bring together our experts and develop our guidance, and we're here as long as it takes.

     

    So I wanted to provide you all with some more information on Zotob. We've published a statement on our PressPass site regarding this issue and want to reiterate that customers running any version other than Windows 2000 are still thus far not impacted by the Zotob attack itself.  And if you have applied the MS05-039 update to Windows 2000 you likewise are not impacted.  We're still not seeing an internet-wide event here, and infection rates remain low.  But we're working to continue our investigations and provide the guidance you need to be protected and recover from the impact of an attack.  There will probably be more variants of the attack, and we are working to break down each one and make sure our guidance is still accurate.

     

    That includes helping people get MS05-039 on their systems. A firewall can of course provide some interim protection, however for Windows 2000 users really the best remediation is to make sure the update is applied to the system.  In fact, it's important to keep in mind that no matter what operating system you are on, all of the most current updates should be applied!

     

    Right now, the MS05-039 update is deployable through SUS 1.0, WSUS, and SMS.  It's also fully supported by MBSA 2.0 as well as the previous version of MBSA.  Individual machines can obtain the update either from Microsoft Update or Windows Update.  Customers have also asked us "how do I enable automatic updates on Windows 2000?"  Check out this knowledge base article.  It has all the steps needed to help make sure your Windows 2000 computers are automatically kept up to date.

     

    If you are having difficulty applying this update, I want to remind everyone we're here to help.  Our Product Support Services team can be contacted at 1-866-PCSAFETY in the United States and Canada for no charge help if you have been impacted by Zotob or are having trouble applying the updates.  Our goal is to get you up and running and help you be protected, so please contact us.

     

    Meanwhile we'll be here in the situation room, investigating any new variations or attacks that might impact you.

     

    -Mike

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Guidance pages and information on Worm:Win32/Zotob.A

    Ok, earlier this morning we activated our Software Security Incident Response Process to respond to a malicious attack known as Worm:Win32/Zotob.A. Our investigation has determined that only a small number of customers have been affected and we're working directly with them.  We have seen no indication of widespread impact to the Internet, but we have posted a guidance page as well as an encyclopedia entry on this attack.  We will remain watchful for any variants or any further customer impact.

    As always, customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country. Customers in the U.S. and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses. International customers can receive support by using any of the methods that are listed at the Security Help and Support for Home Users Web site.

    S.

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Reports of an attack on MS05-039

    Hi everyone, Stephen Toulouse here.

    We now have reports of an attack against the MS05-039 vulnerability.  We have updated our security advisory located at:

    http://www.microsoft.com/technet/security/advisory/899588.mspx

    to provide our initial information and guidance.

    More information shortly.

    S.

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    New security advisory

    Hi everyone,  Unfortunately it looks like someone has posted exploit code for MS05-039 publicly.  Please be sure that you are deploying this update; Windows 2000 users are particularly at risk.  We have posted a security advisory on this at the following link:

    http://www.microsoft.com/technet/security/advisory/899588.mspx

    S.

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    MS05-038 Download Center Updates re-issued.

    What a crazy 24 hours.  We have now re-released MS05-038, the IE bulletin, as version 2.0.  We have pushed out the updates to the Download Center with the digital signature issue resolved.  If you got your updates from Windows Update, Microsoft Update, WSUS, or SUS yesterday you have nothing to worry about.  For you admins out there, the binaries and install are all the same, so no need to change any detection you may have worked up.

    Here’s what happened:

    During the publication of the MS05-038 updates to the download center yesterday, a corruption occurred in one of the final stages of publication that affected the updates. Again, the packages on Windows Update, Microsoft Update, and the Windows catalog were unaffected by this issue. But if you got the update from the download center in the first few hours after the 10am release, then the update you downloaded would not install.  We immediately pulled the ability to get the updates from the Download Center, investigated the cause of the problem, and re-published the updates. The updates are now available on the Download center and we have re-released the bulletin to notify customers.

    There was some serious dedication from the IE team and some folks in the Download Center world working through the night to get this resolved.  So big props to them for putting up with Mike Reavey and me driving them to fix the issue all night long.

    Total side note: something I learned during this process that I thought was kind of cool is that SMS will throw back an error if (when downloading the bits you want) it sees that a signature is bad.  Maybe, since I don’t believe we’ve ever had this particular problem, I was never made aware of this feature.  Maybe that is my personal silver lining in all of this.  Now it is time for some super quad nitro almond mocha action.

    -Craig

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

     

  • MSRC

    Today's Security Updates and a bit of a glitch.

    Much delayed post, but I’m sure some of you probably know or can take a good guess at what is causing my delay today. Not long after we released this morning, we found out that many of the digital signatures on some of the IE updates for MS05-038 were corrupted and were preventing install. This only impacts those downloading from the Download Center, not Windows Update, Microsoft Update, SUS, or WSUS. At least now we know what the problem is and it should be fixed soon.

    So here is what we cranked out today. You can find all the details on the bulletins here:

    MS05-038 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Critical."

    MS05-039 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Critical."

    MS05-040 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Important."

    MS05-041 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Moderate."

    MS05-042 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Moderate."

    MS05-043 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Critical."

    Also we re-released two other bulletins MS05-023 and MS05-032.

    We’ve also updated the Malicious Software Removal available here and as always we encourage folks to join the monthly technical webcast tomorrow to learn more about the bulletins. You can sign up here.

    -Craig

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Slashdot article incorrect.

    An article on Slashdot is saying that Monad was pulled from Windows Vista due to the virus story.  This is 100% incorrect.  One had nothing to do with the other.  Monad is probably going to be a longer term project than Windows Vista, and we didn't just decide to remove it today or yesterday.  Just wanted to clarify that.

    S. 

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    A virus for Windows Vista? Wrong.

    Hi everyone, Stephen Toulouse here.  There’s been some commentary the past couple of days regarding a potential Windows Vista virus and we wanted to weigh in with some details.  First of all, in examining the details of the reports, there is no Windows Vista virus described in them. Instead, the reports are regarding potential proof of concept viruses in the form of malicious scripts that are developed to affect a new interactive shell codenamed "Monad", which is currently in an early phase of beta testing.

    Now to be clear, these reports pose no risk for Microsoft customers. The viruses do not attempt to exploit a software vulnerability and do not encompass a new method of attack.  Furthermore, “Monad” is not widely available for general use. It’s a beta, and we do not recommend or support the use of beta software in a production environment. Microsoft continues to analyze the feedback from testers as Monad continues to be developed.

    But most important, “Monad” is not included in the beta release of Windows Vista or in Windows Server 2003 R2.

    Monad will not be included in the final version of Windows Vista and there is no relation between Monad and Windows Vista Beta 1. Monad is being considered for the Windows Operating System platform for the next three to five years.  So these potential viruses do not affect Windows Vista or any other version of Windows if “Monad” has not been installed on the system.

    It’s hard to predict what type of malicious software criminals might develop to attack future versions of operating systems.  But rest assured we’re on the case!  The MSRC will be here to investigate and provide the guidance to help protect customers no matter what attacks may impact customers.

    S.

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

     

             
