MSRC

  • A Look Into the Future and the January 2014 Bulletin Release

    In January, there are those who like to make predictions about the upcoming year. I am not one of those people. Instead, I like to quote Niels Bohr who said, “Prediction is very difficult, especially if it’s about the future.” However, I can say without a doubt that change is afoot in 2014. In February, usage of the MD5 hash algorithm in certificates will be restricted, as first discussed in Security Advisory 2862973 , and the update goes out through Microsoft Update on the 11th...
  • Predictions for 2014 and the December 2013 Security Bulletin Webcast, Q&A, and Slide Deck

    Today we’re publishing the December 2013 Security Bulletin Webcast Questions & Answers page . We answered 17 questions in total, with the majority of questions focusing on the Graphics Component bulletin ( MS13-096 ), Security Advisory 2915720 and Security Advisory 2905247 . We also wanted to note a new blog on the Microsoft Security Blog site on the top cyber threat predications for 2014. Topics from ransomware to regulation are covered by seven of Trustworthy Computing’s top...
  • Advance Notification Service for the January 2014 Security Bulletin Release

    Today we provide advance notification for the release of four bulletins for January 2014. All bulletins this month are rated Important in severity and address vulnerabilities in Microsoft Windows, Office, and Dynamics AX. The update provided in MS14-002 fully addresses the issue first described in Security Advisory 2914486 . We have only seen this issue used in conjunction with a PDF exploit in targeted attacks and not on its own. This only impacts customers using Windows XP or Server 2003 as more...
  • Update (2/10) - Advance Notification Service for February 2014 Security Bulletin Release

    Update as of February 10, 2014 We are adding two updates to the February release. There will be Critical-rated updates for Internet Explorer and VBScript in addition to the previously announced updates scheduled for release on February 11, 2014. These updates have completed testing and will be included in tomorrow’s release. This brings the total for Tuesday’s release to seven bulletins, four Critical. Please review the ANS summary page for updated information to help customers...
  • Omphaloskepsis and the December 2013 Security Update Release

    There are times when we get too close to a topic. We familiarize ourselves with every aspect and nuance, but fail to recognize not everyone else has done the same. Whether you consider this myopia, navel-gazing, or human nature, the effect is the same. I recognized this during the recent webcast when someone asked the question – “What’s the difference between a security advisory and a security bulletin?” The answer was simple to me, as I’ve been doing this for years...
  • Microsoft Releases Security Advisory 2934088

    Today, we released Security Advisory 2934088 regarding an issue that impacts Internet Explorer 9 and 10. Internet Explorer 6, 7, 8 and 11 are not affected. At this time, we are only aware of limited, targeted attacks against Internet Explorer 10. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message. As part of the security advisory, we...
  • Microsoft Releases Security Advisory 2953095

    Today we released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. An attacker could cause remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer. As part of the security advisory, we have included an easy, one-click Fix it to address...
  • Announcing the Enhanced Mitigation Experience Toolkit (EMET) 5.0 Technical Preview

    I’m here at the Moscone Center, San Francisco, California, attending the annual RSA Conference USA 2014 . There’s a great crowd here and many valuable discussions. Our Microsoft Security Response Center (MSRC) engineering teams have been working hard on the next version of EMET, which helps customers increase the effort attackers must make to compromise a computer system. I’m happy to announce the public release of the EMET 5.0 Technical Preview today from the RSA exhibit hall...
  • Antimalware Support for Windows XP and the January 2014 Security Bulletin Webcast and Q&A

    Today we’re publishing the January 2014 Security Bulletin Webcast Questions & Answers page . We answered 16 questions in total, with the majority of questions focusing on the Dynamics AX bulletin ( MS14-004 ), the update for Microsoft Word ( MS14-001 ) and the re-release of the Windows 7 and Windows Server 2008 R2 updates provided through MS13-081 . We also wanted to point out a new blog from the Microsoft Malware Protection Center (MMPC) detailing support antimalware support for Windows...
  • Safer Internet Day 2014 and Our February 2014 Security Updates

    In addition to today being the security update release , February 11 is officially Safer Internet Day for 2014. This year, we’re asking folks to Do 1 Thing to stay safer online. While you may expect my “Do 1 Thing” recommendation would be to apply security updates, I’m guessing that for readers of this blog, that request would be redundant. Instead, I’ll ask that you also install the latest version of the Enhanced Mitigation Experience Toolkit ( EMET ). If you aren’t...