The official corporate security response blog
Hey everyone. Stephen Toulouse here. There has been a bit of a flurry of activity here in Redmond this morning when we noticed a couple of people releasing information about an SMB vulnerability in Windows 2000.
We just want to let everyone know that we've investigated this claim and found the vulnerability being discussed is fixed by MS05-011, a security update released almost 16 months ago. We contacted our partners on this and made sure they understood this is not new. What *is* new is that someone reportedly has found a different way to exploit the vulnerability. But if you have the update, you're protected.
Just as a long U.S. holiday reminder, we watch the secure@microsoft.com email 365 days a year, so we'll have an eye out this weekend. In addition, teams are still working on the Office Word update.
Here's wishing everyone a safe Memorial Day weekend in the U.S., and a safe weekend in general to our international customers as well.
S.
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Hi everyone, Stephen Toulouse here again. Just wanted to make you aware that we have reached the point in our investigation of the limited attacks trying to use the Word vulnerability that provided us with enough information to develop some stronger workarounds and mitigations. We've posted all that into a new security advisory:
Just to reiterate, this information is of course just a place holder while we are working on the update, which is still on track to be released in the June cycle or sooner if needed.
Hi everyone, Stephen Toulouse here again. I wanted to catch you up on where we’re at with our investigation of the Word vulnerability.
First off, on the vulnerability itself: I want to reiterate we’re hard at work on an update. The attack vector here is Word documents attached to an email or otherwise delivered to a user’s computer. The user would have to open it first for anything to happen. That information isn’t meant to say the issue isn’t serious; it’s just meant to clearly denote the scope of the threat.
Now, we’ve received singular reports of attacks and have been working directly with the couple of customers thus far affected. In analyzing the malware we’ve added detection to the Windows Live Safety Center, and we’ve passed all that information over to our antivirus partners. But in breaking down the current malware we discovered some commonality to the current attack. The attack we’ve seen is email based. The emails tend to arrive in groups, they often have fake domains that are similar to real domains of the targets, but the targets are valid email addresses.
Currently two of the subject lines we have seen are:
Notice
RE Plan for final agreement
The attack we have seen so far requires admin rights, so limitations on user accounts can help here. I want to repeat that customers who believe they are affected can contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY), and international customers by using any method found at this location:
http://support.microsoft.com/security.
So far, this is a *very* limited attack, and most of our antivirus partners are rating this as “low”. But we’re working to investigate any variants we might see to make sure detection is out there, as well as working on the update to address the vulnerability.
PS: Michael Howard recently wrote a great article for not running as admin. It can be found here: http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure01182005.asp
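As an added illustration of the pattern the post describes (lookalike sender domains aimed at valid recipient addresses, with the two reported subject lines), here is a small triage script that is not part of the original post: the gateway log lines, domains and the difflib similarity threshold are constructed assumptions, not MSRC data.

```python
import difflib
import re

# The only two subject lines the post reports, normalized for comparison.
KNOWN_SUBJECTS = {"notice", "re plan for final agreement"}

# Constructed sample mail-gateway log: "<from> <to> <subject>" per line.
SAMPLE_LOG = """\
alice@contoso-corp.example bob@contoso.example Notice
news@fabrikam.example bob@contoso.example Weekly digest
hr@c0ntoso.example carol@contoso.example RE Plan for final agreement
alice@contoso.example bob@contoso.example Notice
"""

LINE_RE = re.compile(r"^(\S+)@(\S+)\s+(\S+)@(\S+)\s+(.*)$")


def normalize_subject(subject):
    """Lowercase and strip punctuation so 'RE: Plan' and 'RE Plan' compare equal."""
    return re.sub(r"[^a-z0-9 ]", "", subject.lower()).strip()


def is_lookalike(sender_domain, target_domain, threshold=0.8):
    """True when the sender domain differs from the recipient's but closely
    resembles it (assumed heuristic: difflib ratio at or above threshold)."""
    if sender_domain == target_domain:
        return False
    ratio = difflib.SequenceMatcher(None, sender_domain, target_domain).ratio()
    return ratio >= threshold


def triage(log_text):
    """Return (line, reasons) for log lines that show BOTH reported traits:
    a lookalike sender domain and one of the reported subject lines."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than failing the whole run
        _, sender_domain, _, target_domain, subject = match.groups()
        reasons = []
        if is_lookalike(sender_domain, target_domain):
            reasons.append("lookalike sender domain")
        if normalize_subject(subject) in KNOWN_SUBJECTS:
            reasons.append("reported subject line")
        if len(reasons) == 2:
            hits.append((line, reasons))
    return hits
```

Lines matching only one trait (for example the legitimate internal "Notice" mail) are deliberately not flagged, so the two reported subjects alone do not drown analysts in false positives.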
Hi everyone, Stephen Toulouse here. We've been made aware of a new vulnerability in Microsoft Word XP and Word 2003. Customers using the Word viewer to view documents are not impacted. Yesterday we received a report that a customer had been subjected to a very targeted attack using this vulnerability.
Here's what we know: In order for this attack to be carried out, a user must first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. (Note that opening it out of email will prompt you to be careful about opening the attachment.) So remember to be very careful opening unsolicited attachments from both known and unknown sources.
So what are we doing?
Our anti-malware teams are adding detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit the vulnerability. The Windows Live Safety Center is located at the following website:
http://safety.live.com
We’re also actively sharing that information with our Virus Information Alliance partners so that their detection can be up to date to detect and remove attacks.
The Office team is hard at work on an update that addresses the vulnerability. It's in testing right now to make sure it's of the right quality for release. Right now it's on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.
As always, customers who believe they are affected can contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY), and international customers by using any method found at this location: http://support.microsoft.com/security.
Hello,
This is Christopher Budd. I wanted to take a moment and let folks know that this month's IT Pro Security newsletter has an article that I hope will be helpful for those of you who manage security updates.
It's called Ten Principles of Microsoft Patch Management, and in it I try to outline not so much the "how" of patch management but rather more of the "why" behind what we do.
Over the years, I've found many questions that customers have around bulletins and security updates are best answered by trying to help people understand the way we approach the process. In this article, I've tried to outline the ten most important points that I think will help you to better understand how we approach patch management so you can integrate better with our processes.
You can see the current newsletter here: http://www.microsoft.com/technet/security/secnews/newsletter.htm
On that page, you can sign up to have each month's newsletter e-mailed directly to you. Also, here's a link directly to the article: http://www.microsoft.com/technet/community/columns/secmgmt/sm0506.mspx
I hope you find this article helpful.
Christopher
This is Craig Gehre and there are two things I wanted to let you know about. Some of you may have been getting install errors on the Flash update, MS06-020, we released on Tuesday. You would have seen these install failure errors on Windows Update, Microsoft Update, or on your system via Automatic Update. There is nothing wrong with the update itself. What was happening is that we were offering the update to newer versions of Flash, which did not need the update, in addition to the systems that did need it. We’ve now fixed the detection error so that the update's only offered to systems that do need it. If you already applied the update or previously got the error, you do not need to take any action.
The second thing is that WSUS and SMS admins are going to notice that there is a new wsusscan.cab available. This is to include the above mentioned Flash fix and also to fix some description text errors we had with part of the Exchange release, MS06-019.
Thanks,
Craig
Say heh?
I have to be honest. I’ve been in the MSRC now for a while, seen a lot of “interesting” things happen around here, and it is a bit of a trip to look at our list of bulletins we shipped today and see the words Flash, Adobe, and Macromedia in the titles. Different, to say the least. Anyways, below are links to the bulletins we released today. Fairly light release, and the detection/deployment story is fairly smooth. Microsoft Update and WSUS will offer you everything we released this month. Yes, even the Flash fix…
MS06-018 applies to Microsoft Windows and is rated moderate.
MS06-019 applies to Microsoft Exchange and is rated critical.
MS06-020 applies to Microsoft Windows and is rated critical.
The bulletins went live this morning at approximately 10:25 a.m. Pacific Time but if you're looking for more information you can find it at: http://www.microsoft.com/security/.
Don't forget to tune into the monthly technical webcast tomorrow at 11am Pacific Time and, as an added resource this month, you can tune into TechNet Radio to hear the new monthly interview with our very own Christopher Budd discussing this month's updates as well: http://www.microsoft.com/tnradio.
Good afternoon,
This is Christopher Budd. I wanted to take a moment and let you know that we've posted our regular Monthly Advanced Notification for the upcoming bulletin release.
As a reminder, this month, our regularly scheduled monthly bulletin release is slated for Tuesday, 9 May 2006 with a target time of 10 AM Pacific Time. A quick reminder too that 10 AM is a target time and not a hard and fast deadline.
This month, we are planning 3 bulletins. One for Microsoft Exchange and two for Microsoft Windows. The maximum total severity for both Exchange and Windows is Critical. As always, we recommend you plan to test and deploy these updates as quickly as possible.
For Exchange, these updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
For Windows, these updates may require a restart and they will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scanning Tool.
One thing regarding the Exchange update we wanted to call out especially for planning purposes: this update will include the functionality change discussed in Microsoft Knowledge Base Article 912918. So, we urge administrators to go ahead and review this Knowledge Base article prior to release and take steps appropriate for their environment.
Also, we will release our regularly updated Malicious Software Removal Tool.
As always, we will have full details and information in the bulletins when they are released on Tuesday.
Finally, I encourage you to go ahead and sign up for our regularly scheduled webcast where we provide more information and, most importantly, answer your questions on the air. This webcast regularly occurs on the day following release. This month, we'll be broadcasting on Wednesday, 10 May 2006 at 11:00 AM Pacific Time (although it is also available on-demand after that). Information on how to sign up can be located here:
Thank you and I hope you can join us on Wednesday.