The official corporate security response blog
Hi there. Mike Nash from the STU. Earlier this year, during our response to the WMF zero-day exploit with an out-of-band security update, I wrote a blog entry explaining the details of how we got to the decision to release that update early. I received a lot of feedback from customers around the world that the blog entry and the internal insights into our decision-making process in that situation were very helpful and that we should make it a consistent practice for issues that have widespread impact on customers and need more clarity.
Based on the feedback I received from several customers on the upcoming change to the ActiveX capabilities in Internet Explorer in the next cumulative IE security update, I decided that this was a topic worthy of a blog entry.
So what’s going on? Three things really: The first relates to Microsoft’s involvement with the Eolas Technologies and the Regents of the University of California v. Microsoft patent case (Eolas v. Microsoft), which requires that Microsoft change the way that IE handles ActiveX controls.
So when we release the next cumulative IE security update, customers will only be able to interact with Microsoft ActiveX controls loaded in certain web pages after manually activating their user interfaces by clicking on it or using the TAB key and ENTER key.
To help developers verify that their applications work well with the ActiveX change, Microsoft made it available to developers on MSDN on February 9, 2006. Microsoft also made the change available as an optional update on Windows Update and the Microsoft Download Center on February 28th. At the same time, the ActiveX change was made available to OEMs to include on all new systems shipping with Windows.
The second issue is that we have a number of security vulnerabilities in IE that are scheduled to be addressed in our next release of security bulletins on Tuesday April 11, 2006. As you know, in order to reduce the complexity of updates and to improve quality, we ship all IE updates as cumulative updates. As a result, the April security updates will include the non-security ActiveX change to respond to the Eolas case.
The third issue is that Microsoft is responding to a zero-day vulnerability in IE. The good news here is that we are on a path to include the fix for the zero-day vulnerability as part of the April IE cumulative security update and possibly sooner if our ongoing monitoring and analysis of attempts to exploit the vulnerability shows customers are being impacted seriously.
While the functionality that we changed as part of the response to the lawsuit is a small part of the functionality of IE, we did get feedback from some ISV partners and from some enterprise customers that they need a little more time to test and update their applications.
So I met with the team over the last few days and we decided to make the following changes:
So, the real question you are asking is “Mike, what should I do?” Here is what I would do:
· For Enterprise Customers:
    o Test the ActiveX change that we shipped on February 28th.
    o Deploy the cumulative IE security update when it ships.
    o If you have concerns about application compatibility with the ActiveX change, then deploy the compatibility patch to temporarily revert to the old behavior for ActiveX. I STRONGLY advise that you NOT use this patch if you can avoid it, but if you do use the patch, as soon as you fix your application, remove the patch so that you can be sure that your applications work with the new ActiveX functionality.
    o Know that starting in June we really will not be supporting the old ActiveX behavior.
· For ISVs:
    o Test your applications with the new IE ActiveX change.
    o If you have a problem, let your Microsoft representative know.
    o Make sure that you have updated versions of your applications available and in the hands of your customers as soon as possible, since starting in June the old ActiveX control behavior won’t be supported.
· For End-Users:
    o Use Windows Update (and ideally Microsoft Update) to keep your systems up to date.
If you have any questions, I want your feedback. My email is mikenash@microsoft.com.
-Mike
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Hi everyone, Mike Reavey here. I wanted to make everyone aware of some recent developments regarding the “Create TextRange” IE vulnerability. First off, we're still not seeing increased spread of attacks, and in fact have been very active in taking down sites as they come up with law enforcement. But attacks are still occurring, so we certainly still recommend up-to-date AV software and our safe browsing guidance while we work on the update, and have updated the security advisory with a list of VIA partners that are currently providing protection. As always we’ll keep an eye out and we continue our work with law enforcement to take down any new attacks we see.
We’ve also been made aware of some third-party solutions being made available for this vulnerability. Some of these solutions make modifications to Windows itself to bypass the attack vector of the vulnerability. Of course, while the IE team is working on an update to address the problem, we certainly recommend a defense-in-depth strategy that involves third-party tools such as antivirus or IDS/IPS solutions. However, we cannot recommend third-party solutions that modify the way the product itself operates. The reason is really around the fact that we carefully review and test our security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. And for IE it’s not only application compatibility, but web compatibility also. Our updates are offered in 23 languages simultaneously for all affected versions of the software. Microsoft cannot provide similar assurance for independent third-party security updates or mitigation tools.
Customers of course can weigh the risk of deploying a third party “patch” but it's unclear what impact this will have on the system. Addressing the vulnerability, as well as working with partners to address attacks, are a few of the main things that we’re working on and we’ll keep you up to date as progress is made.
-Mike Reavey
Hi gang, Stepto here again.
The MSRC, in combination with our internal and external partner teams, has been working through the weekend looking at the recent attacks involving the IE vulnerability I mentioned previously. So far we’re still seeing only limited attacks. But our anti-malware team, as always, is on the case and has uploaded removal information for the attacks to date to Windows Live Safety Center. I want to reiterate that the IE team has the update in process right now and if warranted we’ll release that as soon as it’s ready to protect customers (right now our testing plan has it ready in time for the April update release cycle). But if you’re concerned you may be impacted, now you can visit http://safety.live.com to scan your machine and remove current attacks using this vulnerability.
As always we will keep you up to date with the latest information as we get it.
S.
Hi everyone, Stepto here. Today the MSRC became aware of public reports of attacks on some PC users utilizing the vulnerability that Lennart posted about in Internet Explorer.
Here's what we know. The attacks are limited in scope for now and are being carried out by malicious Web sites exploiting a vulnerability in the method by which Internet Explorer handles HTML rendering. To be clear, and as our advisory states, the vulnerability affects currently supported versions of Windows 2000, Windows XP and Windows Server 2003.
So. What are the IE team and the MSRC doing right now? Well, first off, we're working day and night on development of a cumulative security update for Internet Explorer that addresses the vulnerability. As we've been told many times, the focus should be on quality, but with a clear eye towards time. The security update is currently being finalized through testing to ensure the level of interoperability and application and web compatibility needed. Right now, the update is on schedule testing-wise to be released (meeting the quality goals customers have asked for) as part of the April security updates on April 11, 2006. But as I said, we're actively keeping an eye on any attempts to utilize this in an attack. We'll release it sooner if warranted.
Right now we're monitoring the attempts to exploit this vulnerability and we're working with our industry partners and law enforcement to remove the malicious Web sites using the vulnerability as they pop up. That's a key point because it's important that we work to limit the ability of attackers to utilize this vulnerability in criminal attacks.
I want to caution everyone that they should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code. If you are concerned about exploitation of the vulnerability by websites you frequently visit though, you should follow the guidance on safe browsing at:
http://www.microsoft.com/athome/security/online/browsing_safety.mspx.
Enterprise customers should review our recent Security Advisory (917077) for up-to-date guidance on how to prevent attacks through exploitation of this vulnerability while we work on the update.
One other thing to note. Everyone should know that the security update addressing this vulnerability is a cumulative update that contains all previous security updates for Internet Explorer, new security updates for issues unrelated to the current attacks, as well as minor non-security related changes to how Internet Explorer handles some Web pages that use ActiveX controls.
For more information on these changes, you should check out security advisory 912945.
The MSRC and your Internet Explorer team are working on this issue day and night. This is an ongoing issue and we will post more guidance as it becomes available.
Hi, It’s Lennart again. Wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted Web page. We’re still investigating, but we have confirmed this vulnerability and I am writing a Microsoft Security Advisory on this. But we wanted to make sure customers knew we were aware of this and we will address it in a security update.
(If you're using the new refresh of the IE7 Beta 2 Preview announced at Mix06, then you are not affected by the public report. You can download the preview at http://www.microsoft.com/windows/ie/ie7/default.mspx)
Our initial investigation has revealed that if you turn off Active Scripting, that will prevent the attack, as this requires script. Customers who use supported versions of Outlook or Outlook Express aren’t at risk from the email vector since script doesn’t render in mail (being read in the Restricted sites zone).
We’re going to continue to look into this but remind you also that safe browsing practices can help here, like only visiting trusted websites, etc. As I noted the other day, if you think you might be impacted, remember you can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.
Kind regards,
/Lennart
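The workaround Lennart describes above (turning off Active Scripting so the createTextRange() page cannot run script) is applied through the per-zone IE security settings. The following is an added example, not code from the post or from Microsoft: it audits the Active Scripting setting for the Internet and Restricted sites zones of the current user and can set it to Disable. It assumes the documented registry layout where the per-zone value named "1400" holds the Active Scripting setting (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not from the MSRC post): audit the Active Scripting setting
# for the Internet (zone 3) and Restricted sites (zone 4) zones in the current
# user's IE security-zone settings, and optionally set it to Disable.
# Assumed registry layout: the per-zone DWORD value named "1400" controls
# Active Scripting; 0 = Enable, 1 = Prompt, 3 = Disable.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    param([int]$Zone)
    $key  = Join-Path $ZoneRoot $Zone
    $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }   # value absent: IE's built-in default applies
    return [int]$prop.'1400'
}

function Set-ActiveScriptingDisabled {
    param([int]$Zone)
    $key = Join-Path $ZoneRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
}

# Report the current state of both zones.
foreach ($z in $Zones.Keys) {
    $state = Get-ActiveScriptingState -Zone $z
    $label = if ($null -eq $state) { 'not set (default)' } else { $Meaning[$state] }
    Write-Output ('{0,-16} Active Scripting: {1}' -f $Zones[$z], $label)
}

# Uncomment to apply the workaround from the post (disable Active Scripting in
# the Internet zone); revert to 0 once the cumulative IE security update is installed.
# Set-ActiveScriptingDisabled -Zone 3
```

Group Policy-managed machines store these values under HKLM instead, so on such systems the HKCU values shown here may be overridden.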
Hi everyone, Lennart Wistrand here. You may have heard about an IE crashing vulnerability that was unfortunately publicly posted before the weekend. We just wanted to make a quick note here that, as always, we’re investigating it. So far we’ve determined that visiting a page that exploits it could cause IE to fail. We’re going to continue to look into this but remind you that safe browsing practices can help here, like only visiting trusted websites, etc. If you think you might be impacted though, remember you can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.
Cheers,
‘I want my two… bulletins’. For some reason an unrelenting paperboy’s quest for two dollars seems to echo in my mind today. It seems so small yet it is so important. Well today the MSRC released two new bulletins. One for Office and the other for Windows, more info below. The Windows one addresses an issue you may have been following via our advisories, 914457. BTW, this is Craig Gehre, the Release Manager for the MSRC (Don’t you get sick of team blogs saying "Jane here, blah blah blah…"?). We also released an Advisory in conjunction with an Adobe bulletin. Say heh? Adobe fixed some vulnerabilities in their Flash Player. Well, for Microsoft Windows XP Service Pack 1, Windows XP Service Pack 2, Windows 98, Windows 98 SE, and Windows Millennium Edition we redistributed an older version of the Flash Player. So have a read through the
The bulletins went live this morning at approximately 10:00 a.m. Pacific Time.
The monthly installment of the technology to remove malicious software from users' systems is available today as well. This month’s update removes Win32/Atak, Win32/Torvil and Win32/Zlob. Customers can download the tool at
Hey folks, Mike Reavey here, I wanted to take a quick second to make sure everyone saw the Advance Notification for the Security Bulletin release for March.
This coming Tuesday, the 14th, we’re planning to release two security bulletins, and they are being released for Windows and for Office. The maximum total severity rating for this month is Critical, so please update systems as soon as possible when they are available on Tuesday. The updates can be deployed and detected with MBSA, Microsoft Update, and WSUS.
Also, like we do each month we'll release an updated version of the Malicious Software Removal Tool.
Hi everyone, Stepto here. (I'm giving up on the "Stephen Toulouse here" after many people I met at RSA greeted me as "Stepto", but as a side note since I created the blog under "Stepto" please remember that posts made by individuals on the MSRC are made by themselves and not me.)
I wanted to check in real quick and make everyone aware of a security advisory that we have posted for a recent update to Internet Explorer that is not security related, but we still wanted to make sure people were aware of. The update itself may be non-security (relating to a change in the way Internet Explorer handles ActiveX controls), but it's important to note that it contains the most recent security updates as well for the most recent platforms. We've published more detail here:
http://www.microsoft.com/technet/security/advisory/912945.mspx
I'd also like to take a moment and sum up some thoughts related to our presence at the recent RSA 2006 security conference in San Jose. I'll sum that up with: "wow". We showed up with the intent to gather feedback on the MSRC bulletins in general, but it's always a pleasure to meet with customers and discuss just about anything related to security response. We had quite a few people drop by the booth and fill out our new security bulletin survey, and the Xbox 360 games were in high demand. But the opportunity to speak with people face to face on our communication efforts was fantastic and people had some great feedback. In short: we're doing a lot of the right things but there are opportunities to improve and we've heard you! We were especially pleased to entertain other bloggers who cover security at a lunch outside the event that gave us the opportunity to gather even more viewpoints on the blog and how we can make it better.
Thanks again to everyone that dropped by the RSA 2006 booth and provided your perspective into our new security bulletin redesign, and we're looking forward to implementing all the great feedback we got from you.