The official corporate security response blog
@MSFTSecResponse
How to Report a Vulnerability to the MSRC
This Thursday, many people in the United States will celebrate Thanksgiving. As you probably all know, this is traditionally seen as a time to express gratitude. Well, yesterday, we updated our “Security Researcher Acknowledgments for Microsoft Online Services” page to publicly say “thank-you” to researchers that reported issues in our online services to us for the month of October.
This page doesn’t get a whole lot of attention, at least not as much as our security bulletins, but a quick look shows there’s a large, valuable and active community working with us to help secure our online services.
We launched this page in July of 2007. Since then, we’ve provided over 150 public acknowledgments of our appreciation. We’ve linked to sites researchers have provided so folks could learn more about them and their services. And we update this page each month as new researchers are discovered and new issues are fixed.
We’ve got a full archive of all the researchers listed on Security TechCenter’s “Community” Web page as well as a Frequently Asked Questions page about how we acknowledge researchers who find issues in online services. Here are a couple key questions that are answered on this page:
Q: Why are you acknowledging online services security researchers?
We want online services security researchers to know that we respect and appreciate their contribution to the security of Microsoft’s Web properties. We appreciate any researcher who responsibly submits vulnerabilities, which helps protect customers from security threats.
Q: Why do you not recognize online services security researchers via bulletins?
Security bulletins are a "call-to-action" from the Microsoft Security Response Center and generally include mitigations, workarounds, and vulnerability details that customers can use to help protect themselves. They also include security update information that will help customers verify their status. Because Microsoft fixes online services vulnerabilities on our side, there is generally no call-to-action for customers and generally no security bulletin.
Q: Will Microsoft take legal action against those who submit online services security vulnerabilities?
Microsoft will not pursue legal action against security researchers that responsibly submit potential online services security vulnerabilities.
That last one is particularly important, as a few weeks ago an individual found an issue with Bing Cashback that prompted a letter from our legal services team. This was due to the fact that an actual fraudulent transaction occurred. However, as demonstrated above, letters from our legal team are not the experience most researchers have when reporting vulnerabilities to us in our products (online or otherwise), even when reporting them publicly. Reporting vulnerabilities to vendors, especially for new researchers, can be intimidating. So the easiest way to avoid any confusion is to submit potential vulnerabilities to secure@microsoft.com directly, and we’ll start a dialogue to work on the issue together.
The main reason we created this page is we wanted to let online services security researchers know that we respect and appreciate their contribution to the security of Microsoft’s Web properties. We appreciate any researcher who responsibly submits vulnerabilities, which helps protect customers from security threats. There’s likely a lot more that folks think we should do to credit the researcher community for their work. This is an area that results in a lot of discussion within the community, within our halls, and on the blogosphere. Hopefully, our track record shows we understand the importance of saying “thank you” to folks who responsibly report vulnerabilities —both with the Security Researcher Acknowledgments for Microsoft Online Services site above and in our Security Bulletins themselves.
Thanks,
Mike Reavey
*This posting is provided "AS IS" with no warranties, and confers no rights.*
We just released Security Advisory 977981 concerning an issue affecting Internet Explorer 6 and Internet Explorer 7 that could lead to remote code execution. At this time, we are not aware of any active attacks seeking to use this vulnerability. Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.
I want to point out that Internet Explorer 8 is not affected on any platform and that running Protected Mode in Internet Explorer 7 on Windows Vista mitigates this issue. We provide more guidance and workarounds in the advisory so I encourage customers to review it right away.
We are also working with our Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.
The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.
Thanks!
Jerry Bryant
Today we released Security Advisory 977544 to provide information, including customer guidance, on a publicly reported Denial-of-Service (DoS) vulnerability affecting the Server Message Block (SMB) Protocol. This vulnerability, in SMBv1 and SMBv2, affects Windows 7 and Windows Server 2008 R2. Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003 and Windows 2000 are not affected.
I want to be clear that this is a DoS vulnerability that is unrelated to Microsoft Security Bulletin MS09-050 which addressed a remote code execution vulnerability in the SMBv2 protocol. This vulnerability would not allow an attacker to take control or install malware on a user’s system, but could cause the affected system to stop responding until manually restarted.
We are actively monitoring this situation to keep customers informed and will provide additional guidance as necessary. While we are not currently aware of active attacks, we continue to recommend customers review the mitigations and workarounds detailed in the Security Advisory to protect themselves as we work to develop a comprehensive security update.
As always, we are working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers and as we become aware of new information, we’ll provide additional updates as appropriate through the Security Advisory and the MSRC blog.
As always, we continue to encourage the responsible disclosure of vulnerabilities to help ensure customers receive high-quality security updates without exposure to malicious attacks.
Hello. This is Jerry Bryant letting you know that the questions and answers from our November Security Bulletin webcast have been posted and the video from the webcast is below.
We did not get very many questions this month, and the ones we did get covered various topics and were not focused in one particular area. One very good question we received had to do with the Microsoft Word bulletin, MS09-068. The user asked if an attack could execute via the Outlook 2007 preview function. This function allows a user to preview certain document types from within Outlook, as demonstrated in these screenshots:
Above: what the user sees when clicking on the attached file.
Above: what the user sees after clicking the “Preview file” button.
The answer to the question is no. The preview option does not offer an attack vector for this vulnerability.
Here is the video from the webcast where Adrian Stone and I cover the bulletins in detail:
Please plan to join us next month for our regularly scheduled Security Bulletin webcast which will be held on December 9 at 11:00 a.m. PDT (UTC -8). You can register now for that webcast at this link.
Summary of Microsoft’s Security Bulletin Release for November 2009
Today, we released six security bulletins addressing a total of 15 vulnerabilities. Four affect Windows and Windows Server and two affect Microsoft Office products (Excel and Word).
As we do every month, we have prepared our Risk & Impact and our Deployment Priority guidance to help customers assess risk to their environments and prioritize the deployment of this month’s updates. Risk & Impact is a snapshot of the cumulative severity and exploitability index ratings for each bulletin. This month, MS09-065 is the only bulletin with a critical severity rating and an Exploitability Index rating of 1 (“Consistent Exploit Code Likely”). This bulletin provides updates for three vulnerabilities in Windows Kernel-Mode Drivers. We recommend customers prioritize and deploy this update immediately.
To better demonstrate the affected products and important aspects of MS09-065, I am including a more detailed overview slide (below). As you can see, only one of the three vulnerabilities (CVE-2009-2514) is critical. That vulnerability only affects Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 (it does not affect Windows Vista or Windows Server 2008, so if you are using either of these platforms, you can lower the deployment priority to a two). The vulnerability was publicly disclosed and could be used to create a malicious web page which could potentially exploit vulnerable systems just by visiting the website. The other two vulnerabilities are Elevation of Privilege (EoP) issues, which would require the attacker to have valid logon credentials in order to exploit them.
The following deployment priority guidance is based on a combination of severity rating, exploitability index rating, available mitigations and workarounds and range of affected products. All customers should perform their own prioritization assessment as each environment is different and other factors may apply. Microsoft recommends that all security updates be deployed as soon as possible.
· MS09-063 affects Windows Vista and Windows Server 2008. There is a potential for unauthenticated remote code execution (RCE) but only from the local subnet. Attacks cannot originate from outside of the network. This mitigation along with the exploitability index rating of 2 lowers the deployment priority. Obviously, this is still a critical bulletin so customers should deploy as soon as possible.
· MS09-064 affects only Windows 2000 Server SP4. This one also has the potential for unauthenticated RCE between systems running the License Logging Service. This service is enabled by default on Windows 2000 Server so this deployment priority should be moved up for customers who have Windows 2000 servers on public-facing networks.
· MS09-067 and MS09-068 both have similar attack vectors. A user would have to open a maliciously crafted Excel or Word file developed to exploit these vulnerabilities. Users of Office XP or later will be prompted to Open, Save, or Cancel before opening a document. These mitigations lower the severity and deployment priority. However, users should never open file attachments they receive in emails from unknown sources and should always question attachments from known sources if they are unexpected.
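The deployment-priority guidance above combines severity, Exploitability Index, named mitigations and the range of affected products, and then adjusts for the customer's own environment (for example, lowering MS09-065 to a two on Vista or Server 2008, or moving MS09-064 up for public-facing Windows 2000 servers). The following is an added example of how an administrator might encode that reasoning as a triage script for their own inventory; it is not a Microsoft tool. The bulletin attributes are transcribed from the post; the numeric priority rules, the platform labels, and the severity values marked as assumed in the comments are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Bulletin:
    id: str
    severity: str                    # "Critical" or "Important"
    exploitability: Optional[int]    # Exploitability Index (1 = consistent exploit code likely); None if not stated in the post
    affected: frozenset              # platforms the bulletin applies to
    critical_on: frozenset = frozenset()  # platforms on which the Critical CVE applies; empty means all of `affected`
    subnet_only: bool = False        # attack possible only from the local subnet (MS09-063)
    user_prompt: bool = False        # Office Open/Save/Cancel prompt mitigates the vector (MS09-067/068)
    raise_if_exposed: bool = False   # move up on public-facing networks (MS09-064)

# Platform labels used by this example (assumed naming, not an official taxonomy).
W2K, XP, W2K3, VISTA, W2K8, OFFICE = (
    "Windows 2000", "Windows XP", "Windows Server 2003",
    "Windows Vista", "Windows Server 2008", "Microsoft Office")

# Attributes transcribed from the post. Where the post does not state an
# Exploitability Index it is left as None; the severity of MS09-064 and of the
# two Office bulletins is not spelled out in the post and is assumed here.
BULLETINS = [
    Bulletin("MS09-063", "Critical", 2, frozenset({VISTA, W2K8}), subnet_only=True),
    Bulletin("MS09-064", "Critical", None, frozenset({W2K}), raise_if_exposed=True),  # severity assumed
    Bulletin("MS09-065", "Critical", 1, frozenset({W2K, XP, W2K3, VISTA, W2K8}),
             critical_on=frozenset({W2K, XP, W2K3})),
    Bulletin("MS09-067", "Important", None, frozenset({OFFICE}), user_prompt=True),  # severity assumed
    Bulletin("MS09-068", "Important", None, frozenset({OFFICE}), user_prompt=True),  # severity assumed
]

def priority(b: Bulletin, installed: set, public_facing: bool = False) -> Optional[int]:
    """Return 1 (deploy first), 2 or 3 for this environment, or None if nothing installed is affected."""
    if not (b.affected & installed):
        return None
    if b.severity == "Critical":
        # Critical plus Exploitability Index 1 goes first; otherwise start at two.
        p = 1 if b.exploitability == 1 else 2
        # Only the EoP CVEs apply on these platforms: lower to two, as the post does for Vista/2008.
        if b.critical_on and not (b.critical_on & installed):
            p = 2
        # Local-subnet-only vector together with an index of 2 lowers the priority.
        if b.subnet_only and b.exploitability == 2:
            p = 2
        # Public-facing servers running the affected service move back up.
        if b.raise_if_exposed and public_facing:
            p = 1
        return p
    # Important bulletins: the Open/Save/Cancel prompt lowers the priority one more step.
    return 3 if b.user_prompt else 2

def triage(installed: set, public_facing: bool = False, bulletins=BULLETINS) -> dict:
    """Map applicable bulletin ids to their priority for this environment, ordered for deployment."""
    plan = {}
    for b in bulletins:
        p = priority(b, installed, public_facing)
        if p is not None:
            plan[b.id] = p
    return dict(sorted(plan.items(), key=lambda kv: (kv[1], kv[0])))

if __name__ == "__main__":
    # Constructed inventories: an XP desktop fleet with Office, and a Windows 2000 server on the perimeter.
    print(triage({XP, OFFICE}))
    print(triage({W2K}, public_facing=True))
```

The point of keeping the environment as an input rather than a constant is the one the post makes: the published ratings are a starting point, and the same bulletin can legitimately sit at a different priority in two customers' plans.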
Adrian Stone from the Microsoft Security Response Center (MSRC) and I give a brief overview of this month’s bulletin release in the video below.
For more in-depth technical detail on MS09-063, MS09-064 and MS09-065, please visit our Security Research & Defense team blog at this link.
We also re-released MS09-045 and MS09-051. The former was re-released to add detection for users who may be running JScript 5.7 on Windows 2000 Service Pack 4 machines and the latter is a re-release of the update for Audio Compression Manager on Microsoft Windows 2000 Service Pack 4 to fix a detection issue.
As always, we encourage all customers to join us for our live security bulletin webcast, which we conduct every month after release. Adrian and I will go into detail on each bulletin and, along with a room full of subject matter experts, answer all of your questions live. So if you can, please join us tomorrow, Nov 11 at 11:00 a.m. PDT (UTC -8). You can register for the webcast at this link.
The last item I want to mention this month is that the Microsoft Malware Protection Center (MMPC) team has added Win32/FakeVimes and Win32/PrivacyCenter to the Windows Malicious Software Removal Tool (MSRT) this month. Please check their blog post for more information.
Advance Notification for the November 2009 Security Bulletin Release
To help customers plan and prioritize for this month’s security updates, we wanted to let you know that we will be releasing 6 bulletins (three critical and three important) addressing 15 vulnerabilities, affecting Windows and Microsoft Office products. Customers should plan a restart for the Windows bulletins. The Office bulletins may not require a restart if the components being updated are not in use. More information about the upcoming security updates can be found on the TechNet Web site.
The target release day is next Tuesday Nov. 10 at 10:00 a.m. PST (UTC -8). At that time we will post more detailed information about the bulletins here and on our Security Research & Defense (SRD) blog. We will also include our Risk and Impact guidance, our Deployment Priority guidance, and an overview video discussing these materials. For more detailed information concerning the upcoming bulletins, please review the ANS page here.
As always, Adrian Stone and I will be hosting a webcast to cover the bulletins in greater detail the day after bulletins release. So please join us on Wednesday Nov. 11 at 11:00 a.m. PST (UTC -8) and bring any questions you have about the bulletins. We will have a room full of subject matter experts on hand to answer them. To register for the webcast, please follow this link.
Today we released an update, 976749, that addresses two issues with MS09-054 that a limited number of customers reported to us through our Customer Service and Support (CSS) group. These two issues can affect the proper display of web pages. For additional details, please refer to Microsoft Knowledge Base article 976749.
Security update MS09-054 was released as part of the October Security Bulletin Release cycle and protects against the vulnerabilities outlined in the bulletin. Also, we’re not currently aware of any attempts to attack the vulnerabilities.
While the number of customers affected by these two issues is limited, after working both with affected customers and our CSS group, we feel the best thing for all customers is to proactively provide this update as widely as possible to help prevent other customers from encountering the issues outlined in the KB.
Because of this, we plan to release this update through the same broad release channels as the original security update, MS09-054. Customers will see 976749 offered by default through Windows Update, Microsoft Update, and Automatic Updates.
Customers who have applied MS09-054 should go ahead and apply 976749. Customers who have not yet applied MS09-054 should apply both MS09-054 and 976749.
There’s more information on the update and the issues it addresses in Microsoft Knowledge Base article 976749.
Thanks.
Christopher