The official corporate security response blog

  • MSRC

    Coordinated Vulnerability Disclosure: From Philosophy to Practice

    Last summer at the Black Hat security conference, we announced a philosophical shift in how we refer to vulnerability disclosure, called "Coordinated Vulnerability Disclosure" (CVD). Our intent was to focus on how coordination and collaboration are required to resolve security issues in a way that minimizes risk and disruption for customers.  Since then, feedback from the broader security community has been generally supportive.

    Today, we're providing more transparency and insight into our disclosure philosophy by announcing three updates to our disclosure practices - a CVD at Microsoft document, MSVR Advisories, and our internal corporate Disclosure of Vulnerabilities policy. 

    The Coordinated Vulnerability Disclosure (CVD) at Microsoft document clarifies how Microsoft responds not only as a vendor impacted by vulnerabilities in its products and services, but as a finder of vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors. Drawing upon our years of experience, we have seen that disclosing vulnerability details and/or exploits before a vendor has a chance to address the issue amplifies the risk of attacks.

    As part of the Microsoft Vulnerability Research (MSVR) program, we are releasing the first MSVR Advisories for issues discovered by Microsoft in third party vendors' products.  These issues were privately reported to the companies who have since provided remediation. Since it began operating in August 2008, MSVR has privately reported many vulnerabilities to other vendors to help improve the broader security ecosystem.  MSVR Advisories further document our commitment to handling vulnerability disclosure in a coordinated way.  Read more about our CVD philosophy and commitment to the security research community on Katie Moussouris' post on the EcoStrat Blog.

    To help affirm Microsoft's commitment to the security of the computing ecosystem, Microsoft adopted an internal corporate Disclosure of Vulnerabilities policy that establishes protocols for employees to follow when a vulnerability is discovered in a third party product or service.

    We believe the most effective approach to security is a comprehensive Security Development Lifecycle that reduces or mitigates vulnerabilities before a product is released.  After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem.  By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed.   We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone. 

    Thank you,

    Matt Thomlinson
    General Manager, Trustworthy Computing Security

  • MSRC

    Q&A from April 2011 Security Bulletin Webcast

    Hello,

    Today we published the April Security Bulletin Webcast Questions & Answers page. We fielded 14 questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools. There were two questions during the webcast that we were unable to answer and we have included those questions and answers on the QA page.

    I also want to provide some clarity regarding our announcement that SMS 2003 with SUIT is retiring this month. SMS 2.0 and the SUIT add-on that can be installed on either SMS 2.0 or SMS 2003 are going out of support this month. SMS 2003 is not scheduled to go out of support until 2015. Customers who currently use SMS 2003 with SUIT should plan to use SCCM 2007 or SMS 2003 with ITMU starting next month. 

We invite our customers to join us for the next public webcast on Wednesday, May 11th at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer questions live on the air.

    Customers can register to attend at the link below:

Date: Wednesday, May 11, 2011
Time: 11:00 a.m. PDT (UTC -7)

    Register:
    Attendee Registration


    Thanks -

    Jerry Bryant

    Group Manager, Response Communications
    Trustworthy Computing Group

  • MSRC

    April 2011 Security Bulletin Release

    Hello again everyone,

Pete Voss here, and as I previously mentioned in the Advance Notification blog on Thursday, today we are releasing 17 security bulletins, nine of which are rated Critical and eight rated Important.

These bulletins will increase protection by addressing 64 unique vulnerabilities in the following Microsoft products and components: Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, SMB, .NET Framework and GDI+. I did want to point out that 30 of these vulnerabilities are addressed by a single bulletin, MS11-034, and they all share a small number of common root causes. That bulletin is rated Important.

    This month, there are three top priority bulletins, all rated Critical: MS11-020 (SMB Server), MS11-019 (SMB Client) and MS11-018 (Internet Explorer). As always, Microsoft recommends that customers test and deploy all bulletins as soon as possible.

MS11-018 (Internet Explorer). This security bulletin resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. This bulletin is rated Critical for IE 6, IE 7 and IE 8 on Windows clients, and Moderate for IE 6, IE 7 and IE 8 on Windows servers. Internet Explorer 9 is not affected by these vulnerabilities. Microsoft is aware of limited attacks leveraging vulnerabilities addressed by this bulletin, including the vulnerability used at the CanSecWest 2011 conference, which we tweeted about yesterday.

We encourage all customers to apply this bulletin first among our April bulletins.

MS11-019 (SMB Client). This bulletin resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. The publicly disclosed vulnerability was posted to the Full-Disclosure mailing list on February 15. Microsoft investigated the issue and found that remote code execution was extremely unlikely. As Microsoft has not seen any active attacks, we opted not to disrupt customers with an out-of-band bulletin.

    MS11-020 (SMB Server). This bulletin resolves an internally discovered vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system.

    In this video, Jerry Bryant discusses this month's bulletins in further detail, focusing on these three bulletins:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index.

    More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.

This was a great month for industry collaboration. As we've said time and time again, it truly takes a community to keep customers and the overall ecosystem free from threats, and Microsoft appreciates the coordination with industry experts working together to keep customers protected. In total, 21 finders coordinated with Microsoft for the April release. Microsoft actively partners with the security community to assess threats and better protect customers, and April is an example of Coordinated Vulnerability Disclosure (CVD) at work.

    I also wanted to shed some light on some interesting security enhancements our engineers have been working on. As you know, we're always looking to find new ways we can help protect people from current and future potential threats, and today, we're announcing two new tools:

Office File Validation: blocks malware disguised as Office documents. Originally announced in December 2010, Microsoft Office File Validation is now available to Office 2003 and Office 2007 users via Security Advisory 2501584. According to Modesto Estrada, Office program manager:

"This feature, which is included in Word, Excel, PowerPoint and Publisher (.doc, .xls, .ppt and .pub file formats), will validate the file structure as it is being opened by the user. The validation will check the file to make sure it conforms to expected Office specifications. If this process fails the user will be notified of potential issues." For further information visit the Microsoft Office blog.
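To make the quoted description concrete, here is an added example, written for this page and not Microsoft's Office File Validation code, of the kind of pre-parse structure check it describes: a strict validator for the 512-byte header of the OLE2 Compound File Binary (CFB) container that .doc, .xls, .ppt and .pub files use. It checks the header fields against the constraints in the published MS-CFB specification and against the real file size before a single byte of content is read. The helper build_cfb, the sample files it produces (zero-filled sector bodies, since only the header is inspected) and the message strings are all constructed here; the ZIP-based Office Open XML formats (.docx and friends) are out of scope.

```python
"""Constructed example: strict header validation for OLE2 / Compound File Binary
(CFB) files. Not Microsoft's Office File Validation; field layout per MS-CFB."""
import struct

CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HEADER_SIZE = 512
END_OF_CHAIN = 0xFFFFFFFE                 # ENDOFCHAIN sector marker
FREE_SECTOR = 0xFFFFFFFF                  # FREESECT sector marker
SECTOR_SHIFT_FOR_VERSION = {3: 9, 4: 12}  # 512-byte vs 4096-byte sectors


def validate_cfb_header(data: bytes) -> list[str]:
    """Return the list of header problems found; an empty list means the header passes."""
    if len(data) < HEADER_SIZE:
        return ["file shorter than the 512-byte CFB header"]
    if data[:8] != CFB_SIGNATURE:
        return ["missing CFB signature"]

    problems = []
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    (n_dir_sectors, n_fat_sectors, first_dir, _txn, mini_cutoff,
     first_minifat, n_minifat, first_difat, n_difat) = struct.unpack_from("<9I", data, 40)
    difat = struct.unpack_from("<109I", data, 76)   # the 109 in-header DIFAT entries

    # Fixed-value fields: the specification allows exactly these values.
    if byte_order != 0xFFFE:
        problems.append(f"byte order marker 0x{byte_order:04X} is not little-endian 0xFFFE")
    if major not in SECTOR_SHIFT_FOR_VERSION:
        problems.append(f"unknown major version {major}")
    elif sector_shift != SECTOR_SHIFT_FOR_VERSION[major]:
        problems.append(f"sector shift {sector_shift} does not match major version {major}")
    if mini_shift != 6:
        problems.append(f"mini sector shift {mini_shift} is not 6")
    if mini_cutoff != 0x1000:
        problems.append(f"mini stream cutoff 0x{mini_cutoff:X} is not 0x1000")
    if major == 3 and n_dir_sectors != 0:
        problems.append("version 3 files must report 0 directory sectors")

    # Every sector reference must fit inside the actual file. A shift we do not
    # trust would make the arithmetic below meaningless, so stop at that point.
    if sector_shift not in (9, 12):
        return problems
    sector_size = 1 << sector_shift
    if len(data) % sector_size:
        problems.append("file length is not a whole number of sectors")
    total_sectors = len(data) // sector_size - 1   # the header occupies sector -1
    if first_dir >= total_sectors:
        problems.append(f"first directory sector {first_dir} is beyond the {total_sectors} sectors in the file")
    if n_fat_sectors == 0 or n_fat_sectors > total_sectors:
        problems.append(f"FAT sector count {n_fat_sectors} is impossible for a {total_sectors}-sector file")
    for name, first, count in (("mini FAT", first_minifat, n_minifat), ("DIFAT", first_difat, n_difat)):
        if count and first >= total_sectors:
            problems.append(f"first {name} sector {first} is beyond the end of the file")
    for i, sect in enumerate(difat[:min(n_fat_sectors, 109)]):
        if sect >= total_sectors:
            problems.append(f"DIFAT entry {i} points to sector {sect}, past the end of the file")
    return problems


def build_cfb(body_sectors: int = 2, **overrides: int) -> bytes:
    """Constructed sample file: a valid header followed by zero-filled sectors.

    Sector 0 is declared as the single FAT sector and sector 1 as the directory.
    Keyword overrides replace individual header fields so malformed variants can
    be produced without hand-editing byte offsets (hypothetical helper, for tests).
    """
    f = dict(minor=0x3E, major=3, byte_order=0xFFFE, sector_shift=9, mini_shift=6,
             n_dir_sectors=0, n_fat_sectors=1, first_dir=1, txn=0, mini_cutoff=0x1000,
             first_minifat=END_OF_CHAIN, n_minifat=0, first_difat=END_OF_CHAIN, n_difat=0)
    f.update(overrides)
    header = bytearray(HEADER_SIZE)
    header[:8] = CFB_SIGNATURE
    struct.pack_into("<HHHHH", header, 24, f["minor"], f["major"], f["byte_order"],
                     f["sector_shift"], f["mini_shift"])
    struct.pack_into("<9I", header, 40, f["n_dir_sectors"], f["n_fat_sectors"], f["first_dir"],
                     f["txn"], f["mini_cutoff"], f["first_minifat"], f["n_minifat"],
                     f["first_difat"], f["n_difat"])
    # DIFAT: entry 0 names the FAT sector (sector 0); the other 108 entries are free.
    struct.pack_into("<109I", header, 76, 0, *([FREE_SECTOR] * 108))
    sector_size = 1 << f["sector_shift"]
    # For 4096-byte sectors the header block is padded to a full sector, as MS-CFB requires.
    return bytes(header).ljust(max(HEADER_SIZE, sector_size), b"\0") + bytes(sector_size * body_sectors)


if __name__ == "__main__":
    for label, blob in (("well-formed v3", build_cfb()),
                        ("bad sector shift", build_cfb(sector_shift=15)),
                        ("directory past EOF", build_cfb(first_dir=50)),
                        ("zip container", b"PK\x03\x04" + bytes(600))):
        print(f"{label}: {validate_cfb_header(blob) or 'OK'}")
```

The point of running a check like this before the real parser is that the header fields a parser trusts for allocation and offset arithmetic (sector shift, sector counts, first-sector pointers) are exactly the ones a crafted document manipulates; a non-empty result is where a validation feature would warn the user, and it is also a cheap triage signal for a mail gateway or sandbox pipeline.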

Update for the Windows Operating System Loader to help prevent rootkit evasion. In the words of Dustin Childs, senior security program manager, MSRC:

    "For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe. While the update itself won't remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit."

These security features, combined with today's bulletins, are reminders that Microsoft remains committed to protecting customers. We encourage you to apply these updates and features right away. Additionally, please feel free to visit the SRD blog, where Microsoft engineers have offered technical insight into some of these security enhancements.

    Per our usual process, we'll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the April security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, April 13, 2011 at 11 a.m. PDT, and the registration can be found here.

    For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

    Thank you,

    Pete Voss
    Sr. Response Communications Manager
    Microsoft Trustworthy Computing


  • MSRC

    Advance Notification Service for the April 2011 Bulletin Release

    Hello everyone,

    My name is Pete Voss, and I'm a senior response communications manager with Microsoft Trustworthy Computing. I'll be joining the rest of the team on the MSRC blog and @MSFTSecResponse Twitter handle to help provide you with the latest information and guidance for Microsoft security.

Today, we're providing advance notification on the release of 17 security bulletins, nine rated Critical and eight rated Important. This month's bulletin release will address 64 vulnerabilities across Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework and GDI+.

    This month we'll be closing some issues that Microsoft has already previously spoken to, including the SMB Browser (Critical) issue publicly disclosed Feb. 15. Microsoft assessed the situation and reported that although the vulnerability could theoretically allow Remote Code Execution, that was extremely unlikely.  To this day, we have seen no evidence of attacks.

We are also planning a fix for the MHTML vulnerability in Windows, rated Important. We alerted people to this issue with Security Advisory 2501696 (including a Fix it that fully protected customers once applied) back in late January. In March, we updated the advisory to let people know we were aware of limited, targeted attacks.

The bulletin release is scheduled for the second Tuesday of the month, April 12, at approximately 10 a.m. PDT. Come back to this blog then for our official risk and impact analysis, as well as deployment guidance and a brief video overview of the month's highlights. Meanwhile, customers are encouraged to review Microsoft's advance notification and assess it for their particular environment. Additionally, we recommend that administrators reference our Security Update Guide for help preparing for the bulletin release.

    The monthly technical webcast is scheduled for Wednesday, April 13, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the security bulletins. The webcast is scheduled for Wednesday, April 13, 2011 at 11 a.m. PDT, and the registration can be found here.

    For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

    Thanks,
    Pete Voss
    Sr. Response Communications Manager
    Microsoft Trustworthy Computing

  • MSRC

    Announcing the Microsoft Security Update Guide, Second Edition

    Hi all --

    We're pleased to announce the release of the new Microsoft Security Update Guide, Second Edition. Fully revised and updated from the first edition, which was released in 2009, this edition focuses on best practices for prioritizing and testing security updates before deployment within your organization's IT environment.

Feedback from our enterprise customers tells us that more and more IT professionals are deploying Microsoft security updates quickly, based on their confidence in the quality and thoroughness of the testing performed. For the latest version of the Guide, we have detailed the extensive testing processes and procedures that we follow before releasing those updates, and we've pulled together our best guidance for assisting IT professionals with all aspects of deployment.

    The latest edition of the Guide includes:

    • Insight into how Microsoft tests security updates (including application-compatibility testing, rootkit detection, internal testing including live pre-release deployment on over 24,000 devices inside Microsoft);
    • A guide to which update approach - Microsoft Update and Automatic Updates, Windows Server Update Service (WSUS), or Microsoft System Center Configuration Manager 2007 - is right for your enterprise;
    • Information on our Security Update Validation Program, which allows selected partners and customers to test update functionality before release;
    • Fully revised customer pre-deployment testing guidance, including guidance for Windows 7;
    • Greater insight into our Severity Rating System and Exploitability Index;
    • Refreshed and revised resources appendices.

    The Microsoft Security Update Guide, Second Edition can be downloaded free from www.microsoft.com/securityupdateguide.

    Thank you,

    Angela Gunn
    Trustworthy Computing.
