December, 2009

  • Reports of Issues with November Security Updates

    We’ve received questions about public reports that customers might be experiencing system issues with the November Security Updates (which some are referring to as “Black Screen” issues). We’ve investigated these reports and found that our November Security Updates are not making changes to the system that these reports say are responsible for these issues. While these reports weren’t brought to us directly, from our research into them, it appears they’re saying that our security updates are making...
  • New Reports of a Vulnerability in IIS

    Hi everyone, On Dec. 23 we were made aware of a new claim of a vulnerability in Internet Information Services (IIS). We are still investigating this issue and are not aware of any active attacks but wanted to let customers know that our initial assessment shows that the IIS web server must be in a non-default, unsafe configuration in order to be vulnerable. An attacker would have to be authenticated and have write access to a directory on the web server with execute permissions which does not align...
  • Results of Investigation into Holiday IIS Claim

    We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS. What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server. The key in this is the last point: for the scenario to work...
  • December 2009 Bulletin Release Advance Notification

    Advance Notification for the December 2009 Security Bulletin Release

    For December we are planning to release six new security bulletins addressing 12 vulnerabilities in Windows, Internet Explorer (IE) and Microsoft Office products. Three of the bulletins have a maximum severity rating of Critical and three have a maximum severity rating of Important. To help customers plan for their deployment of these updates, I want to specifically call out that they touch all supported versions of Windows and...
  • December 2009 Security Bulletin Release

    Summary of Microsoft’s Security Bulletin Release for December 2009

    As noted in our Advance Notification (ANS) last Thursday, for the December bulletin release we issued six security bulletins addressing 12 vulnerabilities. Affected products include Windows, Internet Explorer (IE) and Microsoft Office products. In the ANS, we also noted that the bulletin for IE (MS09-072) is at the top of our deployment priority list this month. As you can see from our Severity and Exploitability Index slide ...
  • December 2009 Security Bulletin Webcast

    Hello again. This is Jerry Bryant letting you know that the questions and answers from the December 2009 security bulletin webcast have now been posted here. There is one question that I wanted to provide a little more information on and that references reports of KB973917 causing problems with Internet Information Services (IIS) 6.0 running on Windows Server 2003 SP2. There are scenarios where the system can be in a state where the correct core IIS .dll files are not in place. This may be the case...
  • Monthly Security Bulletin Webcast Q&A - December 2009

    Hosts: Adrian Stone, Senior Security Program Manager Lead; Jerry Bryant, Senior Security Program Manager Lead
    Website: TechNet/security
    Chat Topic: December 2009 Security Bulletins
    Date: Wednesday, December 9, 2009

    Q: In reference to Windows Vista KB973565, we have machines that install this update, then reboot and uninstall the update. Is this a known problem? It downloads and installs fine when manually running the file, WSUS, or Microsoft update, but on reboot, it gets stuck...