Hello, Bill here,
I wanted to let you know that we have just posted Microsoft Security Advisory (968272).
This advisory contains information regarding public reports of a vulnerability in Microsoft Office Excel that could allow for remote code execution if a user opens a specially crafted Excel file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. We are developing a security update for Microsoft Office that addresses this vulnerability.
Products affected are Microsoft Office 2000, Microsoft Office 2002, Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac.
The advisory contains workarounds that customers can use to help protect themselves. We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.
Lastly, I want to let you know that we activated our Software Security Incident Response Process (SSIRP) and are working with our Microsoft Security Response Alliance (MSRA) and Microsoft Active Protections Program (MAPP) partners to help protect customers. We will update the advisory and this blog as new information becomes available.
Bill Sisk
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Hey everyone,
This is Jerry Bryant, senior program manager on the security response communications team. We are already posting the Q&A from our monthly security bulletin webcasts here on the blog, but if you attended our live webcast on Wednesday 2/11/2009, you may have heard Christopher Budd mention that we were recording the session and would be posting video as well. Our goal will be to post the recordings here each month. And, starting in March 2009, we will be streaming live video in the webcasts, so be sure to attend in person and ask any questions you have about the bulletins we are releasing.
Because the webcasts last about an hour, we decided to break the video into two parts. In part one, Adrian Stone and Christopher Budd present information on the month's security updates. In part two, Adrian and Christopher answer questions submitted live during the webcast.
Here is part one:
[Video: February 2009 Security Bulletin Webcast Part 1]
And, here is part two:
[Video: February 2009 Security Bulletin Webcast Part 2]
If you would like to register to attend the live webcast, you can always find that information on the webcast registration page. If you have ever attended one of our webcasts, you know that in addition to our presenters, we have a room full of subject matter experts ready to answer as many questions as we can during the event. It is a great opportunity to get answers directly from the people who were involved in producing the updates.
To see more security & privacy related videos from the Trustworthy Computing team, please visit http://edge.technet.com/twc.
Thanks!
Jerry Bryant
Hi,
During this month's webcast we were able to address 37 questions in the time allotted. Most of the questions asked involved MS09-002 (Internet Explorer), MS09-003 (Exchange Server) and MS09-004 (SQL Server). We only received a few questions regarding MS09-005 (Visio). A couple of questions regarding update deployment and attack vectors were also addressed.
Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:
http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-February-2009.aspx
Also, here is the link to the Q&A index page in case you want to view previous months:
http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx
As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:
Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Al Brown
There’s been a lot of activity today around the Conficker worm here at Microsoft and across the industry. I wanted to give everyone a quick, high-level overview on what’s been going on today.
First, today we're making public the work we and many other industry and academic partners have been doing behind the scenes to help combat the Conficker worm.
Second, we’ve provided additional information from our research to our Microsoft Active Protections Program (MAPP) partners and our Microsoft Security Response Alliance (MSRA) partners and posted it to the MSRC weblog in an effort to help customers and other researchers.
Finally, we have announced a US$250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker worm. Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, 1-425-706-1111, and an Antivirus Reward Mailbox, avreward@microsoft.com, where tips can be shared.
The work that we’ve done with industry and academic partners and the additional information that we’ve provided all relate to the same thing: disrupting the Conficker worm’s attempts to connect to domains on the Internet after successfully attacking a system. By understanding the algorithm that the Conficker worm uses to generate the domain names that infected systems attempt to connect to, we can take steps to disrupt the Conficker worm by blocking access to those domains by infected systems.
We have worked with ICANN and operators within the domain name system to proactively disable a significant number of domains that systems infected by the Conficker worm would try to connect to.
We have also made information about the algorithm and the list of domain names available so that security researchers and customers can review logs to identify infected systems connecting to these domains and proactively block access to these domains.
As someone involved in security response for a number of years, it’s exciting for me to see the industry come together to take an innovative, new approach to combating malware. It helps prove again that while threats may be evolving, so too is our response as an industry to these threats.
Thanks.
Christopher
Updated 2/14/2009 with contact information regarding Antivirus Reward
I wanted to follow up our recent Conficker post from last Friday where we posted new pages to consolidate our information on Conficker for enterprises and consumers. We’ve also made the easy-to-remember URL www.microsoft.com/conficker available that will take you directly to the Conficker page for enterprises.
We've shared some additional information today with our Microsoft Active Protections Program (MAPP) partners and our Microsoft Security Response Alliance (MSRA) partners. We believe that this information can be helpful for some of you too, so we're posting it here on the MSRC weblog as well.
We've seen that the Conficker worm will try every three hours to connect to specific domains over HTTP, a behavior sometimes referred to as "phoning home." Conficker doesn't carry a static list of domains; instead, the domains that it connects to are generated by the malware through a specific algorithm. Because our Microsoft Malware Protection Center (MMPC) colleagues and others in the security community have successfully reverse-engineered this algorithm, we can share what we've learned from that with you and others in the industry more broadly.
Most importantly, understanding this behavior and the algorithm gives us (and you) some additional options in combating Conficker.
First, it may be possible to identify infected hosts on your network if you’re able to log outbound traffic and then analyze those logs. If you see an entry in your logs for one of your systems connecting to one of these domains, that system may be infected by Conficker.
Second, you can also use this information to block access to those domains at your network perimeter by adding these domains to any "block lists" you might have.
To help make it easier to use this domain information, we've gone ahead and made a list of domains available as a zipped text file at the bottom of this post.
The text file is a list of domains that a system infected with Worm:Win32/Conficker.A or Worm:Win32/Conficker.B may try to contact. It is a list of comma-separated values (CSV) and lists out the specific Conficker variant that will try to use that domain, the date it will attempt to contact the domain, an arbitrary index number, and finally the domain itself.
As an example, here is an excerpt from the list of domains that Conficker may try to contact today, Feb. 12, 2009:
Variant, Date, Index, Hostname
A, 02/12/2009, 0, puxqy.net
A, 02/12/2009, 1, elvyodjjtao.net
A, 02/12/2009, 2, ltxbshpv.net
A, 02/12/2009, 3, ykjzaluthux.net
A, 02/12/2009, 4, lpiishmjlb.net
A, 02/12/2009, 5, arpsyp.com
A, 02/12/2009, 6, txkjngucnth.org
A, 02/12/2009, 7, vhslzulwn.org
A, 02/12/2009, 8, jcqavkkhg.net
A, 02/12/2009, 9, dmszsyfp.info
. . .
B, 02/12/2009, 0, tvxwoajfwad.info
B, 02/12/2009, 1, blojvbcbrwx.biz
B, 02/12/2009, 2, wimmugmq.biz
B, 02/12/2009, 3, fwnvlja.org
B, 02/12/2009, 4, umgrzaybbf.ws
B, 02/12/2009, 5, btgoyr.cc
B, 02/12/2009, 6, zboycplmkhc.cc
B, 02/12/2009, 7, qsqzphbn.biz
B, 02/12/2009, 8, xqdvmavs.cn
B, 02/12/2009, 9, wgrrrr.biz
So, if you have logging that includes the domain names being resolved externally, you can scan those logs for entries with these domain names in them.
Additionally, you can also look for log entries that match the following patterns. An example of an entry from a system infected by Worm:Win32/Conficker.A where the domain ykjzaluthux.net resolves to 192.168.1.34 might look like:
http://192.168.1.34/search?q=1003&aq=7
and an example of an entry from a system infected by Worm:Win32/Conficker.B where the domain qsqzphbn.biz resolves to 192.168.1.35 might look like:
http://192.168.1.35/search?q=328924
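A small log-scanning example, added here and not part of the original post, that loads the CSV domain list in the layout described above and flags log lines that either resolve a listed domain or match the two phone-home URL shapes quoted above (Conficker.A uses q and aq, Conficker.B uses q only). The log line format (timestamp, client IP, then a URL or a DNS query) and all sample lines are constructed assumptions, not Microsoft's data.

```python
import csv
import io
from urllib.parse import parse_qs, urlparse

# Constructed excerpt in the CSV layout the post describes: Variant, Date, Index, Hostname.
DOMAIN_LIST_CSV = """Variant, Date, Index, Hostname
A, 02/12/2009, 3, ykjzaluthux.net
A, 02/12/2009, 9, dmszsyfp.info
B, 02/12/2009, 7, qsqzphbn.biz
"""
# Constructed log lines; assumed format: timestamp, client IP, then a URL or "DNS-QUERY name".
SAMPLE_LOG = """2009-02-12T08:01:10 10.0.0.21 http://ykjzaluthux.net/search?q=1003&aq=7
2009-02-12T08:02:44 10.0.0.22 http://qsqzphbn.biz/search?q=328924
2009-02-12T08:03:12 10.0.0.23 http://www.microsoft.com/conficker
2009-02-12T08:04:55 10.0.0.24 http://192.168.1.34/search?q=1003&aq=7
2009-02-12T08:05:30 10.0.0.25 DNS-QUERY dmszsyfp.info
"""

def load_domains(text):
    """Map each listed hostname to its (variant, date); the index column is not needed."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    next(reader)  # skip the header row
    return {host.lower(): (variant, date) for variant, date, _index, host in reader}

def phone_home_variant(url):
    """Classify a URL by the query shapes quoted above: A uses q and aq, B uses q only."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    if parsed.path == "/search" and params and all(v[0].isdigit() for v in params.values()):
        return {("aq", "q"): "A", ("q",): "B"}.get(tuple(sorted(params)))
    return None

def scan_log(log_text, domains):
    """Return (client, host, reasons) for every line that hits the list or the URL pattern."""
    findings = []
    for line in log_text.splitlines():
        _timestamp, client, target = line.split(maxsplit=2)
        if target.startswith("DNS-QUERY "):
            host, url = target.split()[1].lower(), None  # DNS log: only the queried name
        else:
            host, url = urlparse(target).hostname, target  # proxy log: full URL
        reasons = []
        if host in domains:
            reasons.append("domain list: Conficker.%s domain for %s" % domains[host])
        pattern = phone_home_variant(url) if url else None
        if pattern:
            reasons.append("URL pattern: Conficker.%s phone-home" % pattern)
        if reasons:
            findings.append((client, host, reasons))
    return findings
```

A hit on the URL pattern alone (as with the 192.168.1.34 line, where the name was already resolved) is worth checking even when the host is not on the list, since the list only covers the dates it was generated for.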
We hope you find this information helpful.
Updated 3/2/2009 to clarify how the domain list can be used to scan logs and the format for log entries for infected systems
Today we’re releasing four new security bulletins as part of our regular monthly release process.
· MS09-002, rated Critical, addresses two code execution vulnerabilities in Internet Explorer.
· MS09-003, rated Critical, addresses one code execution vulnerability and one denial of service vulnerability in Exchange Server.
· MS09-004, rated Important, addresses one code execution vulnerability in SQL Server.
· MS09-005, rated Important, addresses three code execution vulnerabilities in Visio.
We’re also releasing Microsoft Security Advisory 960715 that announces the release of a new cumulative update for killbits on third-party ActiveX controls.
This month’s edition of the Microsoft Windows Malicious Software Removal Tool (MSRT) adds the ability to remove the Win32/Srizbi family of trojans. Again this month, our colleagues over at the Microsoft Malware Protection Center (MMPC) have information on this month’s MSRT addition on their weblog.
As always, I want to encourage you to register for our regular, monthly TechNet Webcast for this month’s bulletin release. We’ll be broadcasting live on Wednesday February 11, 2009 at 11:00 AM Pacific Time. If you can’t join us then, remember you can always view the webcast later, on-demand. You can register for the webcast here.
Thanks
Very briefly, I wanted to let everyone know that based on customer request, we’ve posted two new pages that provide information you can use to protect against and remove Conficker. These pages consolidate information that we have related to the Conficker incident and provide links to the other, more detailed resources like the Microsoft Malware Protection Center weblog and encyclopedia.
The page located here is intended to help consumers and home users.
The page located here is intended to help IT Professionals and those focused on security in the enterprise.
We hope you find these helpful.
Hello, Bill here.
I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, Feb. 10, 2009 around 10 a.m. Pacific Standard Time.
It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.
As part of this month’s security bulletin release process, we will issue four security bulletins – two rated ‘Critical’ and two rated ‘Important’ – to address vulnerabilities in Internet Explorer, Microsoft Exchange Server, Microsoft SQL Server and Microsoft Office. Depending on the bulletin, a restart may be required. The updates will be detectable using the Microsoft Baseline Security Analyzer.
As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.
We are also planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advance Notification.
As always, we’ll be holding the February edition of the monthly security bulletin webcast on Wednesday, Feb. 11, 2009 at 11 a.m., Pacific Standard Time. We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well at the same URL. In addition, we’ll also be posting the text of the questions and answers from each month’s webcast. You can see a full listing of the posted questions and answers on this page.
You can register for the webcast here: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032395122&Culture=en-US