The official corporate security response blog
@MSFTSecResponse
How to Report a Vulnerability to the MSRC
Hey everyone,
This is Jerry Bryant. I am the Business, Operations & Communications Manager on the Security Response Communications team. I am writing to let you know about a new process we are implementing regarding the questions and answers from our monthly security bulletin webcast.
Attendee’s to the webcast ask a lot of great questions concerning the security updates we just released and we have many subject matter experts (SME’s) on hand to answer them. In order for the broader community to also benefit from the exchange, we will now be posting the questions and answers here on the MSRC blog. Our goal is to get them here within two days of the webcast.
To kick things off, we have posted the questions and answers from the June 2008 and July 2008 webcasts:
http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-june-2008.aspxhttp://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-july-2008.aspx
We will also maintain an index of the monthly postings here:
http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx
So look for a post with the August 2008 Q&A on or around August 15th!
If you would like to attend the August webcast in person, you can register here:http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374631&Culture=en-US
You can also view all of our previous webcasts on demand. Just go here to find them:http://www.microsoft.com/events/security/ondemand.mspx
Thanks and I hope you can join us in August!
Jerry Bryant
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Hi. Bill here.
Today we released Microsoft Security Advisory (956187) to warn you of public exploit code available for Microsoft Security Bulletin MS08-037 (Vulnerabilities in DNS Could Allow Spoofing (953230).
We have investigated the public exploit code and have determined that customers who have installed Microsoft Security Bulletin MS08-037 are not affected.
As you may recall, MS08-037 was released in coordination with other DNS vendors across the industry that were also impacted by this vulnerability.
We have not seen any active attacks as of yet. However, we are monitoring the situation and are working with our MSRA partners to monitor and help protect customers. We will update the Advisory and blog as new information becomes available.
Thanks,
Bill Sisk
I want to let you know that customers running Windows Server Update Services 3.0 Service Pack 1 on Windows Server 2008 may experience an issue installing the update provided in Microsoft Knowledge Base Article 954960. The update does not correctly elevate privileges, which are required for the installation to complete. In order to successfully install this update we have identified steps in Advisory 954960.
Additionally, the update does not place an entry in Add or Remove Programs, and cannot be uninstalled. Microsoft has identified the packaging inconsistencies in the current update and is investigating options to resolve them.
We will continue to monitor the situation and post updates to the advisory and the MSRC blog as we become aware of any important new information.
Bill
Hello,
This is Christopher Budd. I wanted to take a moment and let you know about a revision that we’ve made to MS08-037 today.
After the release of MS08-037, we became aware of reports of ZoneAlarm customers experiencing issues after applying the security updates. We started investigating these reports as soon as we heard about them and have been working to research this issue. We’re still working on this issue but we do have some information from our investigation so far, which we’ve put into the bulletin.
Specifically, we’ve identified that customers who are running either ZoneAlarm or Check Point Endpoint Security (previously named Check Point Integrity) who apply MS08-037 may lose network connectivity after applying these updates. Our investigation so far has shown that no other customers are affected by this issue.
We’re still investigating this issue but we encourage customers who are using ZoneAlarm to review the appropriate ZoneAlarm Web site and Check Point Endpoint customers to review the appropriate Check Point Web site for the latest guidance or software updates and factor this information into your risk assessment, testing, and deployment planning.
We will update the bulletin and the MSRC weblog with more information as we have it.
Thanks.
Christopher
I want to let you know that we updated Microsoft Security Advisory 954960, which contains information regarding deployment issues with Microsoft Windows Server Update Services (WSUS) version 3.0 and 3.0 Service Pack 1. Under specific conditions, the issue does not let clients detect any updates from a WSUS server on systems with Microsoft Office 2003 installed.
We have released an update to correct this issue under Microsoft Knowledge Base Article 954960. Microsoft encourages customers affected by this issue to review and install this update.
This issue is not related to Microsoft Security Advisory 954474 where systems were blocked from deploying security updates using System Center Configuration Manager 2007.
Hello, Bill here,
I wanted to let you know that we have just posted Microsoft Security Advisory (953635).
This advisory contains information regarding a new public report of a possible vulnerability within Microsoft Office Word which could allow for remote code execution. Our investigation thus far has shown that this vulnerability affects Microsoft Office Word 2002 Service Pack 3 only.
At this time, we are aware of limited, targeted attacks attempting to use the reported vulnerability, but we will continue to track this issue.
The advisory contains workarounds that customers can use to help protect themselves. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release.
We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.
In the meantime, we encourage customers to review the advisory and implement the workarounds.
Hi,
Simon here again – I just wanted to follow up on the SQL update detection issue I mentioned below. We’ve released updated WU/MU detection and an updated WSUS catalog to resolve this issue.
Cheers,
Simon
Release Manager, MSRC
July 2008 Monthly Bulletin Release
I'm Simon, Release Manager in the MSRC. The July 2008 release contains 4 new bulletins, all with maximum severities of "Important".
MS08-037 Vulnerabilities in DNS Could Allow Spoofing (953230)
MS08-038 Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)
MS08-039 Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)
MS08-040 Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
For a technical deep dive regarding these bulletins, please visit our Security Vulnerability Research and Defence blog.
If you have the Windows Internal Database (Microsoft Windows 2003 or Microsoft Windows 2008) installed on or enabled without SQL Server 2005 SP2 and you have are opt-into Microsoft Update, the SQL Server 2005 service pack 2 update may be offered incorrectly and fail to install. The Windows Internal Database will be updated as expected, since the Windows Internal Database update is also offered. Microsoft is working on resolving this issue and will be updating the detection logic to avoid the incorrect offering.
In addition, we’ll also be releasing an infrastructure update to the Windows Update client itself later this month, which has been standard practice for over 8 years. Windows Vista customers who select “never check for updates” (and Windows XP customers who select “turn off Automatic Update”) in their WU settings will not receive this WU infrastructure update unless they elect to install it manually by visiting Windows Update. For more information, please visit the Microsoft Update blog.
Please join us for the regular monthly security bulletin webcast, Wednesday July 9, 11:00 PDT (GMT -7). We'll have an overview of the July bulletins, and you'll have the opportunity to ask us questions around the release.
I want to let you know that we have just posted Microsoft Security Advisory 955179, which contains information regarding active, targeted attacks using a vulnerability in the Snapshot Viewer ActiveX control for Microsoft Access.
The Snapshot Viewer enables you to view a report snapshot without having the standard or run-time versions of Microsoft Office Access.
The vulnerability affects the Snapshot Viewer in Microsoft Office Access 2000, Microsoft Office Access 2002 and Microsoft Office Access 2003.
We’ve activated our Software Security Incident Response Process (SSIRP) to investigate and have identified steps customers can take to protect themselves in the workaround section.
We encourage affected customers to implement the manual workarounds included in the Advisory, which Microsoft has tested. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors.
While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our MSRA partners to help protect customers. We will update the Advisory and this blog as new information becomes available.
Hello, Bill here.
I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, July 8, 2008 around 10 a.m. Pacific Standard Time.
It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.
As part of our regularly scheduled bulletin release, we’re currently planning to release:
· Four Microsoft Security Bulletins rated as Important. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.
We are also planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification.
Finally, in late July, we’ll also be releasing KB946928 which updates the infrastructure of the Windows Update client itself. For more information on this update, please visit the Microsoft Update blog.
As always, we’ll be holding the July edition of the monthly security bulletin webcast on Wednesday, July 9, 2008 at 11 a.m., Pacific Standard Time. We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well. You can register for the webcast here: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374629&Culture=en-US