The official corporate security response blog

  • MSRC

    MS06-007 update, and one year of blogging.

Hey folks, Stephen Toulouse here blogging live from San Jose, at the RSA 2006 security conference.  First a quick update on the MS06-007 update issue Craig mentioned earlier.  This situation is now resolved and customers should be able to get the update. I want to reiterate that the problem had nothing to do with the update itself: if you applied it manually from the download center or got it through SUS 1.0, it should install correctly and protect against the vulnerability.  But it's available now for everyone.

It's hard to believe, but it's been one year now that we've been using blogging to communicate late-breaking security update and incident information to you. From our humble beginnings on MSN Spaces, to the current version of the blog, the feedback has been tremendous and we're glad you find it useful.  As we always do when we have a deployment glitch in the system, let me explain just a bit about what happened in our process that caused MS06-007 to fail to install in certain situations.

The short story is that we had an error in the way that we handle delta patching in our publishing infrastructure.  It resulted in the client end not downloading the binaries and reporting a download error.  This only affected Windows Update, Microsoft Update and WSUS (SUS was not affected).  This did not impact SMS or updates obtained from the download center.  So we've corrected that error today and the update is available from all sources.  Moving forward we're taking a short-term fix in the checking processes prior to release to help us catch this, and in the longer term we're going to be changing our internal publishing process to completely eliminate the problem.

Moving on to the RSA Security Conference!  Bill Gates gave the opening keynote this morning, sharing Microsoft's vision for a more secure future.  If you missed it, there's a lot of great stuff on our PressPass site; here are some links:

    * Main site for the content

    * Transcript of the keynote

    * Video Q&A between Bill Gates and Mike Nash, our Corporate Vice President of the Security Technology Unit

Last year's readers will remember the MSRC wheel of fortune, where customers filled out our feedback survey and got a chance to win an Xbox game or a PC game.  Well the wheel is back!  And this time it's a chance to win an Xbox 360 game (Project Gotham Racing 3), or an Xbox1 game (Halo2) or Fable for the PC, or a 12 month Xbox Live subscription!  Why are we doing this?  Well, we're always looking for feedback on how we can make things better for customers, and this year we're taking a close look at our security bulletin format.  So if you're at RSA come by the Microsoft booth, look at our proposed mock-up for changes to the online experience of the Microsoft Security Bulletins, fill out the survey and have a chance to spin the wheel!

What's that?  Don't have an Xbox 360?  Oh I should mention our main prize drawing for our booth if you get all the stamps is...you got it, an Xbox 360.

    We'll have more blogging soon.

    S.

    *This posting is provided "AS IS" with no warranties, and confers no rights.*

  • MSRC

    Information about Today's Bulletin Release and MS06-007 on Microsoft Update/Windows Update

    Hey folks Craig here taking a step away from the Tuesday release.

    So, we've released seven Security Bulletins today. Real quick, I wanted to give you an overview of them.

    * MS06-004 only applies to IE5.01 SP4 and is rated as Critical.

    * MS06-005 is rated critical and applies to Windows Media Player on Microsoft Windows.

    * MS06-006 is rated Important and affects the Windows Media Player plug-in when used with Non-Microsoft Internet Browsers.

* MS06-007 is rated Important and addresses a Denial of Service vulnerability in IGMP v3 in TCP/IP.

    * MS06-008 is rated Important and addresses a vulnerability in Webclient.

    * MS06-009 is rated Important and affects Korean Language Input Method Editor (IME). Note that this only affects Korean Language systems and systems with East Asian Language Support installed.

    * MS06-010 is rated Important and affects PowerPoint 2000 only.

    I also wanted to give you some information on an issue we're working on that is affecting the installation of MS06-007. First, I want to be clear that the update itself is fine and protects against the IGMP vulnerability: the issue only affects the installation of the update through some distribution channels. Also, the issue only affects MS06-007; no other updates are affected by this.

Our folks are investigating this and have determined that MS06-007 isn't successfully installing when users try to install it through Automatic Updates, Windows Update, and Windows Server Update Services and through Systems Management Server 2003 when using the ITMU. The other updates are successfully installing through these channels and, again, this is only impacting MS06-007.

    The issue does not affect manually installing the update from the Download Center. It also does not affect installations through Software Update Services or through Systems Management Server when not using ITMU. Also, because this is an installation issue, it doesn't impact MBSA at all.

    We're working hard on a solution for this and we'll post more information on this as we have it. When we resolve this issue a new version of the ITMU will be made available to customers that includes updated logic for MS06-007.

    For now, customers who encounter this issue can download and deploy the update available on the Download Center by following the links in the Security Bulletin MS06-007 or from the Windows Update Catalog.



  • MSRC

    Information on IE Drag and Drop Issue

Hey, Brian here. As we're gearing up for release tomorrow I wanted to take a second to discuss a recent posting of a security issue to some mailing lists. Matt Murphy, a well known security researcher, posted an alert today regarding a "drag and drop" issue affecting Windows. I actually handled this case and worked with Matt. We've been working with Matt for quite some time on this issue, and I want to thank him for working with us.  We've had some long Instant Messenger sessions and E-mail threads while we worked together to understand the issue.

    To provide some insight on this issue, it is different from past drag-and-drop issues like MS05-008. For example, the issue fixed by MS05-008 could be exploited by taking a “drag-and-drop” action within IE, like using the scrollbar.  This issue is different. In working with Matt and our internal teams we found this issue has very exact and specific requirements. It is only problematic in specific circumstances that require the user to take a specific action timed very precisely.


    The specific configuration consists of having two windows open: one an IE window, and the other a folder to a resource. The specific user action is the user clicking and dragging an object from the IE window over to the folder window. The timing is very exact: when this is happening the windows would flip back and forth visibly at a set interval. The user would have to time it such that they catch the windows as they’re flipping back and forth.


We will update the behavior, but in looking at the severity of the issue and balancing the risk inherent in any fix, we believe a future service pack is the best way to address this issue. Some thoughts on fixing issues in service packs: service packs allow for additional testing, including beta testing, to reduce the risk of quality issues impacting 3rd party applications.  This extra testing is especially important for complicated fixes that require extensive behavior changes.  That said, we work hard to make sure that when we resolve issues found in service packs (as opposed to security updates) these are only for issues that are of a reduced severity, and we continually monitor those issues for a change in status.

    I hope this provides some additional insight to this issue, and answers some questions. We’ll continue to work with Matt and others that have questions on this as we continue the investigation.


  • MSRC

    Good morning, good afternoon or good evening, depending on where you are.

    Many of you may recognize my standard introduction from each month’s Security Bulletin Webcast. My name is Christopher Budd and I’ve been the primary technical presenter for the Monthly Security Bulletin webcast since January 2004.

    I’ve recently changed roles a bit and wanted to take a few minutes to introduce myself as you’ll be seeing me on this space more moving forward.

I'm a Security Program Manager working on communications here in the MSRC.  Specifically I'm focusing on technical communications around Incident Response, Vulnerability Handling and Forensics.  I've been working with security and incident response at Microsoft for about 5 years now, so I'm one of the old timers. My colleagues can tell you that I can rattle off information about security bulletins going back to 2000 off the top of my head!

    One thing I can say first-hand is that our response process has made huge strides over the years: I’m constantly impressed by how far we’ve come and am proud of that work and to be a part of that. To be sure, there’s always room for improvement and work to do. And I’m looking forward to helping everyone here continue to push forward with improvements, especially in the more technical arenas.

    I’ve had some folks ask about the letters after my name that they see on the title slide each month.  Each of these is a different security industry certification focusing on areas of forensics, security auditing, and security management:

For those of you who aren't familiar with our Monthly Webcast or haven't yet signed up for the February webcast, I'd encourage you to go ahead and sign up here:

    http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032288940&EventCategory=4&culture=en-US&CountryCode=US

    Each month, we try to review the bulletins we’ve released, cover information to help with your risk assessment and deployment, cover security information and announcements we think are valuable and, most importantly, answer your questions live during the broadcast.  This is a great resource for folks and one we’re constantly working to improve based on your feedback.

    So, please join us, help us make it a better, more valuable resource for you.


    Thanks very much and I’m looking forward to talking and working with everyone out there more.


    Christopher


  • MSRC

    February 2006 Advance Notification

Hey folks, Mike Reavey here. I wanted to take a quick second to make sure everyone saw the Advance Notification for the Security Bulletin release for February. This coming Tuesday, we're planning to release seven security bulletins, and they are being released for Windows, one for Windows and Office and one for Office. The maximum total severity rating for this month is Critical, so please update systems as soon as possible when they are available on Tuesday. The updates can be deployed and detected with MBSA, Microsoft Update, WSUS and the Enterprise Scanning Tool. Also, we're going to release an updated version of the Malicious Software Removal Tool.

    -Mike Reavey


  • MSRC

    Two new security advisories posted

    Hi folks, Mike Reavey here.  Just wanted to point out two new security advisories that we posted late last night.

The first is related to a WMF vulnerability in older versions of Internet Explorer.  This is different from the issue addressed by MS06-001 and only impacts older versions of Internet Explorer: if you're using IE6 SP1 or later, you're protected from this issue.  The second is related to a research paper regarding default services behavior that has already been addressed in Windows XP SP2 and Windows Server 2003 SP1.  For more information, check out the advisories located here:

    http://www.microsoft.com/technet/security/advisory/913333.mspx

    http://www.microsoft.com/technet/security/advisory/914457.mspx

     -Mike

