Hi, In conjunction with the Microsoft July 2009 Out-of-Band Bulletin release, we conducted two public webcasts to assist customers. During these webcasts, we were able to address 60 questions in the time allotted. The questions centered primarily on MS09-034 : the Internet Explorer Cumulative Update Bulletin and MS09-035 : the Visual Studio Bulletin. We also addressed questions regarding the Microsoft Security Advisory 973882 and the ATL issues as a whole. Here is the link to the full Q&A...

Today, we’re releasing guidance and security updates to help better protect customers from responsibly reported security vulnerabilities discovered in the Microsoft Active Template Library ( ATL ). Because libraries function as building blocks that can be used to build software, vulnerabilities in software libraries can be complex issues and benefit from what we call community based defense – broad collaboration and action from Microsoft, the security community and industry. Because of this...

We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009. While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins: 1. One Security Bulletin for Visual Studio 2. One Security Bulletin for Internet Explorer While we can’t go into specifics about the issue prior to release...

Today Adrian Stone and I conducted the security bulletin webcast for June covering the six bulletins we released yesterday and Security Advisory 973472 (vulnerability in Office Web Components). There were several questions about MS09-028 and MS09-032 . These security updates addressed two open security advisories ( 971778 and 972890 respectively). One common question was “if I installed the Fix it workaround in the advisory, do I need to uninstall it before installing the update in the bulletin?...

Summary of Microsoft’s monthly security bulletin release for July 2009. This month we are releasing six bulletins. Three of those affect Windows and are rated Critical. All three of those also have an Exploitability Index rating of “1” which means that we believe that consistent exploit code in the wild is highly likely within the first 30 days. In fact, as we discussed in the advance notification blog post last week, two of those are under active attack and were discussed in security advisories...

Hi Everyone, This is Dave Forstrom, group manager for our security response communications team. We have just posted Microsoft Security Advisory 973472, which highlights a vulnerability in Microsoft Office Web Components. Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we’ve only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user. Products affected are Microsoft Office XP Service Pack 3, Microsoft...

Hi everyone, Mike Reavey here. You’ve probably seen in Jerry’s Advance Notification posting today announcing that we’re on track to release an update to address the issue discussed in Microsoft Security Advisory 972890 . We’ve gotten some questions from customers about when we got the first report of this vulnerability and how long the investigation has taken relative to the outbreak of attacks against this vulnerability. Before I go into the details, the key thing I want customers...

Advance Notification for the July 2009 Security Bulletin Release Our Advance Notification was published today and indicates that next Tuesday, July 14 at 10:00 a.m. PDT (UTC -8), we will be releasing a total of 6 security bulletins consisting of: · Three Critical updates affecting Windows. · One Important update affecting Publisher. · One Important update affecting Internet Security and Acceleration (ISA) Server. · One Important update affecting Virtual PC and Virtual Server. I...

I wanted to let you know that we have just posted Microsoft Security Advisory 972890 that discusses new, limited attacks against a Microsoft Video ActiveX Control affecting Windows XP and Windows Server 2003. Specifically, we’re aware of a code execution vulnerability within this control that can enable an attacker to run code as the logged-on user if they browse to a malicious site. We have an investigation into this issue under way as part of our Software Security Incident Response...