The official corporate security response blog

  • MSRC

    Microsoft releases Security Advisory 2501696

    Hello. Today we're releasing Security Advisory 2501696, which describes a publicly disclosed scripting vulnerability affecting all versions of Microsoft Windows. The main impact of the vulnerability is unintended information disclosure. We're aware of published information and proof-of-concept code that attempts to exploit this vulnerability, but we haven't seen any indications of active exploitation.

    The vulnerability lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used by applications to render certain kinds of documents. The impact of an attack on the vulnerability would be similar to that of server-side cross-site scripting (XSS) vulnerabilities. For instance, an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session. Such a script might collect user information (e.g., email), spoof content displayed in the browser, or otherwise interfere with the user's experience.

    The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists. We are providing a Microsoft Fix-it package to further automate installation.

    In our collaboration with other service providers, we are looking for possible ways that they can take steps to provide protection on the server side. Our Security Research & Defense team has written a blog post that discusses some possible options. However, due to the nature of the issue, the only workaround Microsoft can officially recommend is what we have identified in the advisory. We will continue to work closely with others in the industry and appreciate the collaboration we have had to date.

    We have initiated our Software Security Incident Response Process (SSIRP) to manage this issue. We're also in communication with other service providers to explain how the issue might affect third-party Web sites and to collaborate on developing a variety of further solutions that address the varied needs of all parts of the Internet ecosystem - large sites, small sites, and all those who visit them.

    Meanwhile, we are working on a security update to address this vulnerability and we are monitoring the threat landscape very closely. If the situation changes, we'll post updates here on the MSRC blog.

    Thanks -

    Angela Gunn
    Trustworthy Computing

  • MSRC

    Q&A from the January 2011 Security Bulletin Webcast

    Hello,

    Today we published the January Security Bulletin Webcast Questions & Answers page. We fielded five questions on various topics during the webcast.

    We invite our customers to join us for the next public webcast on Wednesday, February 9th at 11:00 a.m. PST (UTC -8), when we will go into detail about the February bulletin release and answer questions live on the air.

    Customers can register to attend at the link below:

    Date: Wednesday, February 9, 2011
    Time: 11:00 a.m. PST (UTC -8)

    Register:
    Attendee Registration


    Thanks -

    Jerry Bryant

    Group Manager, Response Communications
    Trustworthy Computing Group


  • MSRC

    January 2011 Security Bulletin Release

    Hello -

    Today, as part of our monthly security bulletin release, we have two bulletins addressing three vulnerabilities in Microsoft Windows and Windows Server. The first bulletin is rated Important, while the second is rated Critical.

    • MS11-001. This bulletin resolves one reported issue rated Important and affecting Windows Vista. This security bulletin addresses a vulnerability in Windows Backup Manager. This has an Exploitability Index rating of 1, and gets a 2 on our deployment priority list.
    • MS11-002. This bulletin addresses two vulnerabilities affecting all supported versions of Windows. The first vulnerability is rated Critical for Windows XP, Vista and Windows 7, and the second is rated Important for all supported versions of Windows Server. It involves the Microsoft Data Access Components (MDAC). This has an Exploitability Index rating of 1, and because there is a web-based attack vector, this is at the top of our deployment priority list.

    We are not aware of Proof of Concept code or of any active attacks seeking to exploit the vulnerabilities addressed in this month's release.

    In the video below, Jerry Bryant discusses this month's bulletins in further detail:


    As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

    Our risk and impact slide shows an aggregate view of the severity and exploitability index:

    More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.

    This month we are revising Security Advisory 2488013 to include an additional workaround in the form of a FixIt package that uses the Windows Application Compatibility Toolkit to protect customers from this vulnerability. This workaround only applies to systems that have the MS10-090 update for Internet Explorer installed. The vulnerability discussed in the advisory occurs when an attacker creates a malicious CSS file that points to itself and provides it to Internet Explorer. This action corrupts memory and could be exploited. Customers are encouraged to review the new workaround and assess it for their particular environment. Please see the Security Research and Defense blog for more technical information and you can download the FixIt package here.

    Last month we published a blog talking about the plan to back port Office File Validation to Office 2003 and 2007. We have still not announced the official launch date but the Office team made a post showing the user experience when a file does not pass Office File Validation.

    Finally, please join the monthly technical webcast with your hosts, Jerry Bryant and Dustin Childs, to learn more about the January 2011 security bulletin release. The webcast is scheduled for Wednesday, January 12, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

    For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

    Thanks,

    Carlene Chmaj
    Sr. Security Response Communications Manager

  • MSRC

    Advance Notification Service for the January 2011 Security Bulletin Release

    Hello everyone -

    It's a new year and the Microsoft Security Response Center is ready to provide the Advance Notice for January's security bulletins. We have two bulletins addressing three vulnerabilities in Windows.

    The first bulletin is rated Important and affects Windows Vista. The second bulletin has an aggregate severity rating of Critical, and all supported versions of Windows are affected. As always, we recommend that customers deploy these updates as soon as possible.

    This month we will not be releasing updates to address Security Advisory 2490606 (public vulnerability affecting Windows Graphics Rendering Engine) and Security Advisory 2488013 (public vulnerability affecting Internet Explorer). We continue to actively monitor both vulnerabilities and for Advisory 2488013 we have started to see targeted attacks. If customers have not already, we recommend they consult the Advisory for the mitigation recommendations. We continue to watch the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.

    As always, the bulletin release is slated for the second Tuesday of the month, January 11th, at 10:00 a.m. PST. Come back to this blog at that time for our official risk & impact analysis and deployment guidance.

    We invite everyone to join the monthly technical webcast next week with your hosts, Jerry Bryant and Dustin Childs, to learn more about the January 2011 security bulletin release. The webcast is scheduled for Wednesday, January 12, 2011 at 11:00 a.m. PST (UTC -8). Registration for the webcast can be found here.

    Thank you,

    Carlene Chmaj

    Microsoft Trustworthy Computing, Senior Response Communications Manager

  • MSRC

    Microsoft releases Security Advisory 2490606

    Hello - Today we released Security Advisory 2490606, which addresses a publicly disclosed vulnerability affecting Microsoft Windows Graphics Rendering Engine on Vista, Server 2003, and Windows XP. We are not aware of any affected customers, nor of any active attacks targeting customers. The vulnerability does not affect Windows 7 or Windows Server 2008 R2, the newest versions of our operating system.

    To target this vulnerability, an attacker must convince a user to visit a specially crafted malicious Web page, or to open a malicious Word or PowerPoint file. Furthermore, users whose accounts are configured to have fewer user rights on the system would be less affected by an attack than those running with administrative rights. The Advisory includes further mitigations and workarounds to protect our customers.

    We have initiated our Software Security Incident Response Process (SSIRP) to manage this issue, and we are sharing detailed information through the Microsoft Active Protections Program (MAPP). Our 70 global MAPP partners, including leading providers of anti-virus and anti-malware products, provide protections for an estimated one billion customers worldwide. With our partners, Microsoft is actively working to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability. If your protection provider is in our MAPP program, you can contact them concerning the status of providing protections for this issue as it is likely that updated malware signatures in these products will offer further protection.

    Meanwhile, we are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release; however, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.

    As always, we encourage Internet users to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at Home.

    Happy New Year -

    Angela Gunn

    Sr. Marketing Communications Manager, Trustworthy Computing

