The official corporate security response blog

  • MSRC

    February 2012 Security Bulletin Webcast and Q&A

    Hello,

    Today we published the February Security Bulletin Webcast Questions & Answers page. We fielded ten questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools. Many of the questions centered on the .Net/Silverlight update MS12-016. Click here to access the slide deck that appears in the webcast.

    We invite our customers to join us for the next public webcast on Wednesday, March 14 at 11am PST (UTC -7), when we will go into detail about the March bulletin release and answer questions live on the air.

    Customers can register to attend at the link below:
    Date: Wednesday, March 14, 2012
    Time: 11:00 a.m. PST (UTC -7)
    Register: Attendee Registration

    Thanks,
    Angela Gunn
    Trustworthy Computing


  • MSRC

    MSRC looks back at ten years, and the February 2012 bulletins

    Ever wondered where Update Tuesday bulletins come from, or what it’s like around Microsoft when a serious information-security situation arises? Or wondered who precisely is responsible for getting your monthly bulletin releases out the door?

    Update Tuesday, which brings us here today, is one of the most prominent results of that famous Bill Gates memo that put security at the center of Microsoft’s development and support efforts -- just over 10 years ago. We Trustworthy Computing folk tend to look more to the future than to the past, but on the 10-year anniversary a few of us sat down to talk about incident response, the security ecosystem, and how Microsoft collaborates with the industry:

    • MSRC senior security program manager Dustin Childs explains why, in MSRC, “the second-Tuesday cycle is what we live for” and gives a glimpse at how the Microsoft response process handled MS08-067 – the case that became Conficker.
    • MSRC senior director Mike Reavey on never making the same hard decision twice in incident response.
    • MSRC security program manager Leigh Honeywell on coming to Microsoft from the open-source community and becoming an Internet firefighter.
    • EcoStrat senior security strategist Katie Moussouris on the crucial need to reach out to researchers, and the process of convincing Microsoft to pay out a quarter of a million dollars in the BlueHat Prize.
    • EcoStrat senior security manager Maarten van Horenbeeck on how keeping trusted industry partners in the loop on bulletins and advisories protects the entire ecosystem…quietly.
    • And, for a look at how we appear to a longtime observer, we set up a Skype chat with tech evangelist Ryan Naraine to get his perspective on how our process affects the broader ecosystem.

    Meanwhile, as I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing nine security bulletins. Four of those are rated Critical in severity, with the remaining five classified as Important.

    The bulletins will address 21 vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on two critical updates:

    • MS12-010 (Internet Explorer): Cumulative Security Update for Internet Explorer. This bulletin addresses two Critical, one Important and one Moderate issues affecting all versions of Internet Explorer. The most severe of these could allow for remote code execution, if an attacker were to convince a user to visit a maliciously constructed Web page. All of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. We recommend that customers read through the bulletin information concerning MS12-010 and apply it as soon as possible.
    • MS12-013 (C Runtime Library): Vulnerabilities in C Run-Time Library Could Allow Remote Code Execution. This bulletin addresses an issue that could arise if a would-be attacker sent a malicious media file to a targeted user, or convinced the user to visit a Web page hosting such a file. The issue was cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. As with MS12-010, though, we recommend that customers read through the bulletin information and apply it as soon as possible.

    In this video, Yunsun Wee discusses this month's bulletins in further detail.

    Below is this month’s deployment priority guidance, to further assist customers in their deployment planning.

    Deployment Priority


    Our risk and impact graph shows an aggregate view of February’s severity and exploitability index.

    Exploitability Index

    You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

    As usual, our colleagues in SRD have prepared blog posts that delve more deeply into technical aspects of this month’s releases. In addition to a chart delving into this month’s deployment priorities, SRD unpacks the details of MS12-013 and takes a longer look at MS12-014, which touches Indeo – a multimedia codec predating no small percentage of the people reading this sentence.

    Per our usual process we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Jonathan Ness. They’ll talk over the February bulletins, discuss changes on the horizon for Technet, and answer some questions we’ve been receiving about the support lifecycle for Vista. The webcast is scheduled for tomorrow, February 15, 2012, at 11 A.M. PST. Click here to register, and as always we look forward to taking your questions live during the webcast.

    Thanks,
    Angela Gunn
    Trustworthy Computing.

  • MSRC

    ANS for February 2012, and some notes on SDL

    Hello. Today we’re releasing our advance notification for the February security bulletin release, which is scheduled for Tuesday, February 14. This month’s release includes nine bulletins addressing 21 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and .NET/Silverlight. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

    We’ll release all nine bulletins on Tuesday, February 14 at approximately 10 a.m. PST. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

    Here at MSRC we know that information on Microsoft’s Security Development Lifecycle has been downloaded over 850,000 times so far. (Happy coding, everyone!) As part of our look back over the first ten years of Trustworthy Computing, our friends in the SDL program caught up with Steve Lipner, our senior director of security engineering strategy, and asked him how his team made that famous Bill Gates memo the law of the land at Microsoft. Of course, the SDL is a living process and continues to change and grow. For information on what’s ahead, including news about our brand-new Security Development Conference, take a look at Tim Rains’ post on the Security Blog (http://blogs.technet.com/b/security/archive/2012/02/01/security-development-lifecycle-a-living-process.aspx). Perhaps some of us will see you in DC in May?

    In the meantime, please join Jonathan Ness and Pete Voss for our regular webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. See below for registration information.

    Date: Wednesday, February 15
    Time: 11:00 a.m. PST (UTC -8)
    Click Here To Register

    Thanks,
    Angela Gunn
    Trustworthy Computing.
