September, 2010

  • Security Advisory 2416728 Released

    Hi everyone, Today we released Security Advisory 2416728 describing a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework. At this time we are not aware of any attacks using this vulnerability and we encourage customers to review the advisory for mitigations and workarounds. Our Security Research & Defense team has written a blog post to explain how the workarounds work and has provided a script to help administrators determine if they have ASP.NET...
  • September 2010 Security Bulletin Release

    Hi everyone, With this month's bulletin release, I want to highlight the great work done through our partnerships in the Microsoft Active Protections Program (MAPP). MAPP represents our commitment to community based defense and a shared sense of responsibility to help protect the computing ecosystem. In July of this year, the Stuxnet malware emerged onto the threat landscape and resulted in the release of an out-of-band security update, MS10-046, to address a zero-day vulnerability the malware...
  • Out of Band Release to Address Microsoft Security Advisory 2416728

    Hello - Today we provided advance notification to customers that we will release an out-of-band security update to address the vulnerability discussed in Security Advisory 2416728. The update is scheduled for release tomorrow, Tuesday, September 28, 2010 at approximately 10:00 AM PDT. The bulletin has a severity rating of Important and addresses a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework when used on Windows Server operating systems. Windows...
  • MS10-070 Released Out-of-Band Today

    Hello, As we announced yesterday, today we released Security Bulletin MS10-070 out-of-band to address a vulnerability in ASP.NET. The bulletin and the blog by Scott Guthrie, corporate vice president of Microsoft's .NET Developer Platform are available for more information. This security update addresses a vulnerability affecting all versions of the .NET Framework when used on Windows Server operating system. While desktop systems are listed as affected, consumers are not vulnerable unless they...
  • Update to Security Advisory 2416728

    Hi everyone - We've just updated Microsoft Security Advisory 2416728 as we've begun to see limited attacks with the ASP.NET vulnerability. We have added questions and answers and encourage customers to review this information and evaluate it for their environment. We have also added additional technical questions and answers to the Security and Defense blog, which has previously discussed the issue. Additional and expanded questions will also be added to Scott Guthrie's blog shortly. As...
  • Security Advisory 2416728 - Workaround Update

    Hi everyone - We've updated Microsoft Security Advisory 2416728 to include a step in the workaround requiring the blocking of requests that specify the application error path on the querystring. This can be done using URLScan, a free tool for Internet Information Services (IIS) that can selectively block requests based on rules defined by the administrator. If your system is running Internet Information Services (IIS) on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows...
  • September 2010 Bulletin Release Advance Notification

    Hello - Today we're releasing our Advance Notification Service (ANS) for the September Security Bulletins, which are scheduled for release Tuesday, September 14, 2010. This is a service we provide to help enterprises plan and prepare for the upcoming security bulletin release. This month we will be releasing 9 bulletins addressing 13 11 vulnerabilities affecting Windows, Internet Information Services (IIS), and Microsoft Office. Four of those bulletins carry a Critical rating, with the rest rated...
  • Microsoft Releases MS10-070 to all distribution channels

    Hi everyone - Today we released out-of-band Security Update MS10-070 through the remainder of our standard distribution channels, including Windows Update and Windows Server Update Services. We have completed our testing of these channels and confirmed the update can be successfully downloaded. Customers are strongly encouraged to download the Security Update, test it in their environments and deploy it as quickly as possible. For customers using Automatic Update, this update will automatically...
  • Q&A from the September 2010 Out-of-Band Security Release webcast

    Hello, Below you will find the webcast we conducted earlier this week as part of the MS10-070 Security Update which was released Out-of-Band. We have also published the questions and answers from that webcast and linked them here. The response for this webcast was amazing; however, due to time constraints, we were unable to answer all of the questions that were asked during the live webcast. We have included those questions and the answers in this document. Please join us on October 13...
  • Q&A from the September 2010 Security Release Bulletin Webcast

    Hello, Today we published the Questions & Answers from the September 2010 Security Bulletin webcast. During the webcast, we answered 10 questions concerning the September bulletins, including inquiries about bulletin, MS10-061, involving the Stuxnet vulnerability. We also were asked about the Enhanced Mitigation Experience Toolkit 2.0 (EMET) as well as questions regarding the bulletin MS10-065 affecting IIS and its FastCGI vulnerability. In addition, we also announced during this month’s...