April, 2010

  • Guidance on Internet Explorer XSS Filter

    The XSS Filter related Blackhat EU presentation discussed a vulnerability that was previously disclosed and addressed in the January security update to Internet Explorer ( MS10-002 ). This attack scenario involved modified HTTP responses, enabling XSS on sites that would not otherwise be vulnerable. An additional update to the IE XSS Filter is currently scheduled for release in June. This change will address a SCRIPT tag attack scenario described in the Blackhat EU presentation. This issue...
  • April 2010 Security Bulletin Release

    Hi everyone, Today, as part of our monthly security update cycle, we are releasing 11 security bulletins to address 25 vulnerabilities: five rated Critical, five rated Important and one rated Moderate. This month’s release affects Windows, Microsoft Office, and Microsoft Exchange. Additionally, the Malicious Software Removal Tool (MSRT) was updated to include Win32/Magania . Our guidance on deployment priority is that customers should consider MS10-019 , MS10-026 , and MS10-027 as the top priority...
  • New email address for Microsoft security email notifications

    4/13/2010 Update: The migration to the new mail system has not gone fully as planned but the good news in our update today is that we "will" be using a microsoft.com email address to send the security notifications to customers. The bad news is that PGP signing is not working correctly in the new system so the mailers going out today announcing our security bulletin release will not be signed. We will keep you posted. Over the last several months we have been working with internal teams to migrate...
  • MS10-025 Security Update to be Re-released

    Hi, MS10-025 is a security update that only affects Windows 2000 Server customers who have installed Windows Media Services (this is a non-default configuration). Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week. Customers should review the bulletin for mitigations and workarounds and those with internet facing systems...
  • MS10-025 Re-Release Ready

    Hi everyone – I’m Carlene Chmaj, new to the Security Response team and here to tell you that the re-release of MS10-025 is available. Again, this only affects those with Windows 2000 Servers in a non-default configuration with Windows Media Services installed . All customers with this configurartion are advised to install this re-released update. Thanks, Carlene Chmaj (that’s pronounced ‘Shmay’ for you non-Polish speaking folk) *This posting is provided "AS IS" with no warranties...
  • Security Advisory 983438 Released

    Hello. Today we released Security Advisory 983438 , addressing a cross-site scripting (XSS) vulnerability in SharePoint Server 2007 and SharePoint Services 3.0 that could allow Elevation of Privilege (EoP) within the SharePoint site itself. Servers are at reduced risk from Internet Explorer 8 clients, as the Internet Explorer 8 XSS filter helps to mitigate the issue in the internet zone. We are not aware of any active attacks at this time. Customers running SharePoint Server 2007 or SharePoint...
  • Update on MS10-025

    I wanted to give customers an update on the status of MS10-025 . First, I want to reiterate that this issue affects only Windows 2000 Servers in a non-default configuration: Windows Media Services needs to be installed. Customers who do not have Windows Media Services installed are not affected and were not offered this update. Shortly after we released the update we received several reports that it did not protect against the vulnerability reported to us. At that time, we pulled the update and...
  • April 2010 Bulletin Release Advance Notification

    Hi everyone, Our ANS (Advance Notification Service) went out today informing customers that next Tuesday we will release 11 bulletins addressing 25 vulnerabilities in Windows, Microsoft Office, and Microsoft Exchange. We recommend that customers review the ANS summary page and prepare to test and deploy the bulletins as quickly as possible. I also want to point out to customers that we will be closing the following open Security Advisories with next week’s updates: · Microsoft Security Advisory...
  • New Twitter Account: @MSFTSecResponse

    Hi everyone, I am just writing to formally announce that we have launched a Twitter account: @MSFTSecResponse We will use this account to augment the content here on the blog. For example, we will use the account to rapidly respond to emerging issues while we are gathering information for a more complete blog post. In addition, we will also use the account as a way to push content to our followers quickly. You probably will not see us responding to each reply or request that we get but we will be...
  • March Out-of-Band Security Bulletin Webcast

    Hi everyone, Last week Adrian Stone and I conducted a webcast to cover the Internet Explorer out-of-band security bulletin release. We only spent a short period of timing on the presentation and then spent the rest of the time answering customer questions which you can read here . There were some interesting questions and hopefully those who attended came away with a better understanding about how to better protect themselves from emerging threats. One resource we referred customers to several times...