The official corporate security response blog
Today we’re releasing Security Advisory 2607712, to address at least one fraudulent digital certificate issued by DigiNotar, a root certificate authority. DigiNotar has since revoked the digital certificate. This is not a Microsoft security vulnerability; however, the certificate potentially affects Internet users attempting to access websites belonging to Google. A fraudulent certificate may be used to spoof Web content, perform phishing attacks or perform man-in-the-middle attacks against end users.
We continue to work with the certificate authority to understand the scope of this issue, and have taken steps to further help protect customers by removing the DigiNotar root certificate from the list of trusted root certificates on Windows. Web sites with certificates issued by DigiNotar will no longer be trusted by Windows Vista and above. This protection is automatic and no customer action is required.
Click here for more information about the Windows Root Certificate Program and automatic updates. Customers should continue to utilize Internet Explorer’s Security Status bar located on the right side of the address bar to verify that the site being visited is valid and secure.
If you have not done so already, we highly recommend registering for our comprehensive security alerts. Sign up here: Microsoft Technical Security Notifications.
Thanks,
Dave Forstrom
Director, Trustworthy Computing
Hello,
Today we published the August Security Bulletin Webcast Questions & Answers page. We fielded six questions on various topics during the webcast, including bulletins released and the Malicious Software Removal Tool. There was one question that we were unable to answer during the webcast due to time constraints, and we have included all questions and answers on the Q&A page.
We invite our customers to join us for the next public webcast on Wednesday, September 14th at 11 a.m. PDT (-8 UTC), when we will go into detail about the September bulletin release and answer questions live on the air.
Customers can register to attend at the link below:
Date: Wednesday, September 14, 2011
Time: 11:00 a.m. PDT (UTC -8)
Register: Attendee Registration
Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group
Hi everyone,
Black Hat this year was really great. We spent a lot of time talking to people and getting new perspectives on the security landscape and of course, we announced the BlueHat Prize contest. The reaction to the contest was outstanding. In fact, within the first 24 hours, we had already received a few submissions and a bunch of questions indicating a lot of interest in winning the $200,000 grand prize.
Based on the questions, it was clear there were a couple of areas where we needed to provide more clarity. For example, who owns the technology, Microsoft or the inventor? The answer is the inventor. You can find answers to most of your questions in the official rules at www.bluehatprize.com but we also held a webcast today to go over some of the common questions. In the video below, Katie Moussouris sat down with me to address questions like “Can I make more than one submission?” and “What if my idea requires a compiler change?”
The deadline to enter the contest is 12 a.m. PDT April 1, 2012 at which time our internal panel of judges will pick the top three entries. We’ll fly all three to Black Hat USA 2012, where we will announce the grand prize winner. We will provide periodic updates along the way both on this blog and via our Twitter handle, @MSFTSecResponse.
Thanks!
Group Manager, Response Communications
Trustworthy Computing Group
Hello all. It has been very nearly a week since our BlueHat Prize contest announcement at Black Hat. Now that everyone’s had some time to digest the basics, we’ve asked Senior Security Strategist and chief BlueHat Prize architect Katie Moussouris to stop by the Trustworthy Computing studio today at 11 a.m. PDT to answer a few more questions about the contest. She’ll discuss how it works and what she expects will happen next, and she’ll answer some common questions such as who owns the intellectual property. We’ll be taking your questions, too! Register for the webcast at this link.
As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, two of which are rated Critical in severity, nine Important and two Moderate.
These bulletins will increase protection by addressing 22 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the two critical updates:
In this video, Jerry Bryant discusses this month's bulletins in further detail, focusing on these two bulletins:
As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.
Our risk and impact graph shows an aggregate view of this month's severity and exploitability index.
You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page. In addition, the SRD blog today has more information on MS11-058’s Exploitability Index rating and on the month’s deployment priorities.
Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the June security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, August 10, 2011 at 11 a.m. PDT, and you can register here.
For all the latest information, please also follow the MSRC team on Twitter at @MSFTSecResponse.
Thank you,
Angela Gunn
Trustworthy Computing
Hello all. Before we look at next week’s bulletin release, we’d like to recommend – for those of you who missed it in the run-up to this year’s Black Hat conference – the third annual Microsoft Security Response Center Progress Report. Every year around this time, we look back at the progress our key security programs have made. This year’s report, which recaps (among other things) the expansion of our Microsoft Active Protections Program and the launch of our Microsoft Vulnerability Research (MSVR) third-party security advisory program in April, makes for excellent reading.
Today we’re releasing our advance notification for the August security bulletin release, which is scheduled for Tuesday, August 9. This month’s release includes 13 bulletins addressing 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer, .NET and Visual Studio. All 13 bulletins will be released on Tuesday, August 9 at approximately 10 a.m. PDT. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.
As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.
Please join Jonathan Ness and Jerry Bryant for a public webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. Register at the link below:
Date: Wednesday, August 10
Time: 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032487857&Culture=en-US
Follow us on Twitter: @MSFTSecResponse