MSRC

Microsoft security updates and the Common Vulnerability Reporting Framework

MSRCTeam — Thu, 17 May 2012 22:09:00 GMT

As a part of the Industry Consortium for Advancement of Security on the Internet (ICASI), Microsoft is pleased to present an initial set of monthly security updates – originally released on May 8 – in the consortium’s newly established Common Vulnerability Reporting Framework (CVRF) format, for your examination and feedback. Today, ICASI released version 1.1 of its CVRF – a markup system designed to make security bulletins and advisories machine readable in an industry-standard fashion.

Even though many vendors have followed Microsoft’s lead in providing comprehensive security updates to customers, the formats vendors use vary. CVRF provides the entire industry with a way to share and present data in a coordinated and structured manner.

CVRF is free for anyone to examine and use. The goal is to build a data-markup framework that can be used by anyone publishing or examining security update information on the Internet.

CVRF is a work in process. For many customers, a machine-readable markup framework for security releases might not be a pressing need. For instance, home-computer users or small businesses may choose to install security updates automatically. However, many business customers spend time “copying and pasting” our security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list.

For these customers, this machine-readable format may enable more efficiency and automation. Faster and more efficient guidance for these customers means they can more quickly ensure protection, which is always our goal. For those that do not require automation, we will continue to offer our bulletins in the current format. For those customers looking to automate and streamline their security-management process, or for those who are simply curious to see what happens when vendors from around the industry roll up their sleeves and work to make the update process better, visit the Connect portal to read more about CVRF, and to examine CVRF-formatted bulletins. Visit https://connect.microsoft.com/ and click SIGN IN in the upper right-hand corner to sign in with your Windows Live ID. Once you are signed in and are looking at the home page, use the invitation code “cvrf-9BK8-6W2T” (without quotes) to join the program, or visit https://connect.microsoft.com/site1098/InvitationUse.aspx?ProgramID=7665&InvitationID=cvrf-9BK8-6W2T directly.

Your feedback will be relayed to the ICASI working group of which Microsoft is a member. Together we’ll continue to make CVRF a truly robust, collaborative standard throughout the Internet ecosystem.

Update: If you would like to find out more information about the CVRF standard, please join the CVRF working group webinar on Tuesday, 30 May at noon EDT. They will provide an overview of CVRF v1.1 and showcase the improvements in this latest revision. You can register at http://register.webcastgroup.com/L4/?wid=0557685978

Mike Reavey

Senior Director, MSRC

May 2012 Security Bulletin Webcast, Slide Deck, and Q&A

MSRCTeam — Fri, 11 May 2012 19:33:00 GMT

Hello,

Today we published the May Security Bulletin Webcast Questions & Answers page, and the May 2012 Security Bulletin Release Webcast slide deck. During the webcast, we fielded 8 questions on various topics, including bulletins released, deployment tools, and update detection tools.

We invite our customers to join us for the next public webcast on Wednesday, June 13 at 11am PDT (UTC -7), when we will go into detail about the June bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, June 13, 2012
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,
Yunsun Wee
Director
Microsoft Trustworthy Computing

Bulletin Management Process and the May 2012 Bulletins

MSRCTeam — Tue, 08 May 2012 17:07:00 GMT

Hello,

Have you ever wondered why bulletins group particular issues together? Or one set of products and not another? Well today Jonathan Ness has posted an insightful Security Research & Defense (SRD) blog discussing some of the nuances and packaging decisions that went into MS12-034. This is a particularly interesting case to dive into and will give readers a better appreciation for the bulletin management process here at Microsoft.

For Update Tuesday we’re releasing seven security bulletins – three Critical-class and four Important – addressing 23 issues in Microsoft Windows, Office, Silverlight, and the .NET Framework. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing on the following two critical updates first:

MS12-034 (Microsoft Office, Windows, .NET Framework, and Silverlight): This security update addresses 10 issues affecting a cross section from Microsoft Windows , Office, Silverlight, and the Microsoft .NET Framework. The maximum severity for these issues is Critical and could result in remote code execution. To ensure protection all updates from this bulletin must be applied. We recommend that customers read through the bulletin information concerning MS12-034 and apply it as soon as possible.
MS12-029 (Microsoft Word): This security update addresses one Critical issue affecting Microsoft Office that could result in remote code execution. Attack vectors for this issue include maliciously crafted websites and email. We recommend that customers read through the bulletin information concerning MS12-029 and apply it as soon as possible.

Please watch the video below for details about this month's bulletins:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Dustin Childs. I invite you to tune in and learn more about the May security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, May 9, at 11 A.M. PDT. Click here to register.

Thanks,
Yunsun Wee
Director
Microsoft Trustworthy Computing

MAPP Update: Taking Action to Decrease Risk of Information Disclosure

MSRCTeam — Thu, 03 May 2012 17:32:00 GMT

During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA). Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program.

Additionally, starting with our May release, we strengthened existing controls and took actions to better protect our information. We believe that these enhancements will better protect our information, while furthering customer protection by aiding partners developing active protections. For an in-depth look at how MAPP provides a critical head-start to defenders, while working to minimize risk, please read this blog by the MAPP team.

Yunsun Wee
Director
Microsoft Trustworthy Computing

Advanced Notification Service for May 2012 Security Bulletin Release

MSRCTeam — Thu, 03 May 2012 17:11:00 GMT

Hello,

Today we’re releasing our advance notification for the May security bulletin release, which is scheduled for Tuesday, May 8. This month’s release includes 7 bulletins addressing 23 vulnerabilities in Microsoft Windows, Office, Silverlight, and .NET Framework. All 7 bulletins will be released on Tuesday, May 8 at approximately 10 a.m. PDT. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Please join Dustin Childs and Pete Voss for a public webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. See below for registration information.

Date: Wednesday, May 9, 2012
Time: 11:00 a.m. PDT (UTC -7)
Click Here To Register

Thanks,
Yunsun Wee
Director
Microsoft Trustworthy Computing

April 2012 Security Bulletin Webcast and Q&A

MSRCTeam — Fri, 13 Apr 2012 21:30:00 GMT

Hello,

Today we published the April Security Bulletin Webcast Questions & Answers page, and the slide deck presented in the webcast. We fielded 15 questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools.

We invite our customers to join us for the next public webcast on Wednesday, May 9 at 11am PDT (UTC -7), when we will go into detail about the May bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, May 9, 2012
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,
Pete Voss
Senior Response Communications Manager
Microsoft Trustworthy Computing

Windows XP and Office 2003 countdown to end of support, and the April 2012 bulletins

MSRCTeam — Tue, 10 Apr 2012 17:02:51 GMT

Hello,

As you know, today is Update Tuesday. Before I go into the bulletin details, however, I wanted to let you know that today we’re notifying customers that Windows XP and Office 2003 will go out of support in April 2014. We understand that preparing to deploy the latest versions of Windows and Office may take time for some organizations, and we encourage all customers to upgrade to the latest operating system to help protect your systems.

Now, on to the updates. If you’re running Automatic Updates you’re automatically protected from the issues addressed this month, and for those of you who test and deploy your updates, we’ve offered some details and guidance below.

As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing six security bulletins, four of which are rated Critical in severity, and two Important.

These bulletins will increase protection by addressing 11 CVEs. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these Critical updates:

MS12-027 (Windows Common Controls): This security update resolves a CVE in the MSCOMCTL.OCX ActiveX control, which could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability.
MS12-023 (Internet Explorer): This security update resolves five CVEs in Internet Explorer, which could allow a third party to gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In the video below, Yunsun Wee discusses this month's bulletins in further detail.

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

Jonathan Ness from the MSRC will join me Wednesday for a webcast. Please tune in and learn more about the April security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, April 11, at 11 A.M. PDT. Click here to register.

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

Advance Notification Service for April 2012 security bulletin release

MSRCTeam — Thu, 05 Apr 2012 17:10:00 GMT

Hello,

Today we’re releasing our advance notification for the April security bulletin release, which is scheduled for Tuesday, April 10. This month’s release includes 6 bulletins addressing 11 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, Forefront UAG, and .NET Framework. All 6 bulletins will be released on Tuesday, April 10 at approximately 10 a.m. PDT. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Jonathan Ness will join me for a public webcast on Wednesday. During the webcast, we will go into detail about the bulletins and answer questions live on the air. See below for registration information.

Date: Wednesday, April 11, 2012
Time: 11:00 a.m. PDT (UTC -7)
Click Here To Register

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

BlueHat Prize: And now the fun begins

MSRCTeam — Wed, 04 Apr 2012 01:22:00 GMT

The entry window for the first annual BlueHat Prize closed at 11:59pm PDT on April 1. We've been eagerly awaiting a final entry count from the contest organizers, and senior security strategist Katie Moussouris has just posted that tally on the EcoStrat blog. Congratulations to all participants and good luck to the BlueHat Prize Board, which finds itself eyebrow-deep in exciting new defensive-security ideas as the competition judging process begins.

Angela Gunn
Trustworthy Computing.

6...5...4...3...2...

MSRCTeam — Mon, 26 Mar 2012 19:25:00 GMT

Nearly nine months after we announced the first annual BlueHat Prize competition for innovations in defensive security technologies, we’re just days away from the submission deadline. On the EcoStrat blog today, Senior Security Strategist Katie Moussouris gives a glimpse into the frantic final days of the competition period. If you’re working on your own entry (deadline April 1!) or simply wondering how the race for “mad loot” is shaping up, be sure to check out her post.

Angela Gunn
Trustworthy Computing.

March 2012 Security Bulletin Webcast and Q&A

MSRCTeam — Fri, 16 Mar 2012 23:44:00 GMT

Hello,

Today we published the March Security Bulletin Webcast Questions & Answers page. During the webcast, we fielded twelve questions focusing on MS12-020 (aka “the RDP update”). Two additional questions for MS12-022 regarding Microsoft Expression Design were answered after the webcast. All questions are included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, April 11, 2012 at 11am PDT (UTC -7), when we will go into detail about the April bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, April 11, 2012
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,
Angela Gunn
Trustworthy Computing

Proof-of-Concept Code available for MS12-020

MSRCTeam — Fri, 16 Mar 2012 20:17:00 GMT

On March 15, we became aware of public proof-of-concept code that results in denial of service for the issue addressed by MS12-020, which we released Tuesday.

We continue to watch the threat landscape and we are not aware of public proof-of-concept code that results in remote code execution.

We recommend customers deploy MS12-020 as soon as possible, as this security update protects against attempts to exploit CVE-2012-0002. Additionally we have offered a one-click Fix It to help mitigate risk for those customers who need time to test the update before deploying it.

The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.

Customers who have deployed MS12-020 are protected from attempts to exploit CVE-2012-0002.

Consistent with the charter of the MAPP program, we released details related to the vulnerabilities addressed in MS12-020 to MAPP partners under a strict Non-Disclosure Agreement in advance of releasing the security bulletin. Security software partners use this type of information to build enhanced customer protections that, in many cases, provide customers with more time to make optimal deployment decisions for their environments. More information about the MAPP program can be found here: http://www.microsoft.com/security/msrc/whatwedo/securitycollaboration.aspx

Thanks,
Yunsun Wee
Director, Trustworthy Computing

Strength, flexibility and the March 2012 security bulletins

MSRCTeam — Tue, 13 Mar 2012 16:48:00 GMT

Hello. Today we’re releasing six security bulletins – one Critical-class, four Important and one Moderate – addressing seven issues in Microsoft Windows, Visual Studio, and Expression Design. We recommend that customers focus on MS12-020, our sole critical-class bulletin, as the March deployment priority. A little about MS12-020:

MS12-020 (Windows): This bulletin addresses one Critical-class issue and one Moderate-class issue in Remote Desktop Protocol (RDP). Both issues were cooperatively disclosed to Microsoft and we know of no active exploitation in the wild. The Critical-class issue applies to a fairly specific subset of systems – those running RDP – and is less problematic for those systems with Network Level Authentication (NLA) enabled. That said, we strongly recommend that customers examine and prepare to apply this bulletin as soon as possible. The Critical-class issue could allow a would-be attacker to achieve remote code execution on a machine running RDP (a non-default configuration); if the machine does not have NLA enabled, the attacker would not require authentication for RCE access.

We understand that our customers need time to evaluate and test all bulletins before applying them. To provide for a bit of scheduling flexibility, we’re offering a one-click, no-reboot Fix it that enables Network-Level Authentication, an effective mitigation for this issue. It applies to Vista, Server 2008, Win7 and Server 2008R2 systems, and you can read all about it on the SRD blog. We’re pleased that the circumstances around this issue -- well-understood, not under active attack, easy-to-apply mitigation – give us the chance to provide both strength and flexibility as customers go about their update routines.

In the video below, Yunsun Wee discusses this month's bulletins, including MS12-020, in further detail.

Below is this month’s deployment priority guidance, to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of March’s severity and exploitability index (click for larger view). Note that MS12-019 does not receive an XI rating.

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

Per our usual process we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Dustin Childs. They’ll talk through the March bulletins, discuss changes on the horizon for Technet, and answer any further questions about the NLA Fix it. The webcast is scheduled for tomorrow, March 14, 2012, at 11 a.m. PDT. Click here to register, and as always we look forward to taking your questions live during the webcast.

Thanks,
Angela Gunn
Trustworthy Computing.

March 2012 ANS

MSRCTeam — Thu, 08 Mar 2012 18:50:00 GMT

Hello. Today we’re releasing our advance notification for the March security bulletin release, which is scheduled for Tuesday, March 13. This month’s release includes six bulletins addressing seven vulnerabilities in Microsoft Windows, Visual Studio, and Expression Design. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

We’ll release all six bulletins on Tuesday, March 13 at approximately 10 a.m. PDT. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

On Wednesday, please join Dustin Childs and Pete Voss for our regular bulletin-overview webcast. They’ll go into detail about the bulletins and answer questions live on the air. See below for registration information.

Date: Wednesday, March 14
Time: 11:00 a.m. PDT (UTC -7)
Click Here To Register

Thanks,
Angela Gunn
Trustworthy Computing

February 2012 Security Bulletin Webcast and Q&A

MSRCTeam — Fri, 17 Feb 2012 18:37:00 GMT

Hello,

Today we published the February Security Bulletin Webcast Questions & Answers page. We fielded ten questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools. Many of the questions centered on the .Net/Silverlight update MS12-016. Click here to access the slide deck that appears in the webcast.

We invite our customers to join us for the next public webcast on Wednesday, March 14 at 11am PST (UTC -7), when we will go into detail about the March bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, March 14, 2012
Time: 11:00 a.m. PST (UTC -7)
Register: Attendee Registration

Thanks,
Angela Gunn
Trustworthy Computing

MSRC looks back at ten years, and the February 2012 bulletins

MSRCTeam — Tue, 14 Feb 2012 18:05:00 GMT

Ever wondered where Update Tuesday bulletins come from, or what it’s like around Microsoft when a serious information-security situation arises? Or wondered who precisely is responsible for getting your monthly bulletin releases out the door?

Update Tuesday, which brings us here today, is one of the most prominent results of that famous Bill Gates memo that put security at the center of Microsoft’s development and support efforts -- just over 10 years ago. We Trustworthy Computing folk tend to look more to the future than to the past, but on the 10-year anniversary a few of us sat down to talk about incident response, the security ecosystem, and how Microsoft collaborates with the industry:

MSRC senior security program manager Dustin Childs explains why, in MSRC, “the second-Tuesday cycle is what we live for” and gives a glimpse at how the Microsoft response process handled MS08-067 – the case that became Conficker.
MSRC senior director Mike Reavey on never making the same hard decision twice in incident response.
MSRC security program manager Leigh Honeywell on coming to Microsoft from the open-source community and becoming an Internet firefighter.
EcoStrat senior security strategist Katie Moussouris on the crucial need to reach out to researchers, and the process of convincing Microsoft to pay out a quarter of a million dollars in the BlueHat Prize.
EcoStrat senior security manager Maarten van Horenbeeck on how keeping trusted industry partners in the loop on bulletins and advisories protects the entire ecosystem…quietly.
And, for a look at how we appear to a longtime observer, we set up a Skype chat with tech evangelist Ryan Naraine to get his perspective on how our process affects the broader ecosystem.

Meanwhile, as I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing nine security bulletins. Four of those are rated Critical in severity, with the remaining five classified as Important.

The bulletins will address 21 vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on two critical updates:

MS12-010 (Internet Explorer): Cumulative Security Update for Internet Explorer. This bulletin addresses two Critical, one Important and one Moderate issues affecting all versions of Internet Explorer. The most severe of these could allow for remote code execution, if an attacker were to convince a user to visit a maliciously constructed Web page. All of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. We recommend that customers read through the bulletin information concerning MS12-010 and apply it as soon as possible.
MS12-013 (C Runtime Library): Vulnerabilities in C Run-Time Library Could Allow Remote Code Execution. This bulletin addresses an issue that could arise if a would-be attacker sent a malicious media file to a targeted user, or convinced the user to visit a Web page hosting such a file. The issue was cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. As with MS12-010, though, we recommend that customers read through the bulletin information and apply it as soon as possible.

In this video, Yunsun Wee discusses this month's bulletins in further detail.

Below is this month’s deployment priority guidance, to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of February’s severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

As usual, our colleagues in SRD have prepared blog posts that delve more deeply into technical aspects of this month’s releases. In addition to a chart delving into this month’s deployment priorities, SRD unpacks the details of MS12-013 and takes a longer look at MS12-014, which touches Indeo – a multimedia codec predating no small percentage of the people reading this sentence.

Per our usual process we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Jonathan Ness. They’ll talk over the February bulletins, discuss changes on the horizon for Technet, and answer some questions we’ve been receiving about the support lifecycle for Vista. The webcast is scheduled for tomorrow, February 15, 2012, at 11 A.M. PST. Click here to register, and as always we look forward to taking your questions live during the webcast.

Thanks,
Angela Gunn
Trustworthy Computing.

ANS for February 2012, and some notes on SDL

MSRCTeam — Thu, 09 Feb 2012 18:03:00 GMT

Hello. Today we’re releasing our advance notification for the February security bulletin release, which is scheduled for Tuesday, February 14. This month’s release includes nine bulletins addressing 21 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and .NET/Silverlight. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

We’ll release all nine bulletins on Tuesday, February 14 at approximately 10 a.m. PST. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

Here at MSRC we know that over the years, information on Microsoft’s Security Development Lifecycle system has been downloaded over 850,000 times so far. (Happy coding, everyone!) As part of our look back over the first ten years of Trustworthy Computing, our friends in the SDL program caught up with Steve Lipner, our senior director of security engineering strategy, and asked him how his team made that famous Bill Gates memo the law of the land at Microsoft. Of course, the SDL is a living process and continues to change and grow. For information on what’s ahead, including news about our brand-new Security Development Conference, take a look at <>a href="http://blogs.technet.com/b/security/archive/2012/02/01/security-development-lifecycle-a-living-process.aspx"?Tim Rains’ post on the Security Blog. Perhaps some of us will see you in DC in May?

In the meantime, please join Jonathan Ness and Pete Voss for our regular webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. See below for registration information.

Date: Wednesday, February 15
Time: 11:00 a.m. PST (UTC -8)
Click Here To Register

Thanks,
Angela Gunn
Trustworthy Computing.

January 2012 Security Bulletin Webcast Q&A

MSRCTeam — Fri, 13 Jan 2012 00:49:00 GMT

Hello,

Today we published the January Security Bulletin Webcast Questions & Answers page. We fielded nine questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools. There were two questions during the webcast that we were unable to answer and we have included those questions and answers on the Q&A page. Click here to access the slide deck that appears in the webcast.

We invite our customers to join us for the next public webcast on Wednesday, February 15 at 11am PST (UTC -8), when we will go into detail about the February bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, February 15, 2012
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,
Angela Gunn
Trustworthy Computing

January 2012 Security Bulletins Released

MSRCTeam — Tue, 10 Jan 2012 18:46:00 GMT

Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing seven security bulletins, one of which is rated Critical in severity, with the remaining six classified as Important.

These bulletins will address eight vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the sole critical update:

MS12-004 (Windows Media Player): Vulnerabilities in Windows Media Player Could Cause Remote Code Execution. This bulletin – the only one in January’s set to include multiple CVEs – addresses two issues that could arise if a would-be attacker sent a malicious MIDI or DirectShow file to a targeted user. Both of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. Still, we recommend that customers read through the bulletin information concerning MS12-004 and apply it as soon as possible.

In the video below, Pete Voss discusses this month's bulletins in further detail.

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

As you may remember, last month we announced a bulletin addressing the SSL issue we described in Security Advisory 2588513. Days before release, we noted a compatibility problem that might have affected certain users of third-party products, and decided to hold that bulletin until we could complete further investigation. We’re-releasing that bulletin today as MS12-006; we’re also providing further information and guidance to customers with a Knowledge Base article and a Fix-it that will be useful in certain installation circumstances.

As usual, our colleagues in SRD have prepared blog posts that delve more deeply into technical details of this month’s releases. In addition to a discussion of this month’s deployment priorities, SRD has a post examining some of the finer points of MS12-001, which addresses an Important-class issue affecting the SafeSEH security mitigation, and an overview of the aforementioned MS12-004.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Dustin Childs. I invite you to tune in and learn more about the January security bulletins, as well as other announcements made today. The webcast is scheduled for tomorrow, January 11, 2012, at 11 A.M. PST. Click here to register.

Thanks,
Angela Gunn
Trustworthy Computing.

January 2012 ANS is released

MSRCTeam — Thu, 05 Jan 2012 17:50:00 GMT

Hello. Today we’re releasing our advance notification for the January security bulletin release, which is scheduled for Tuesday, January 10. This month’s release includes seven bulletins addressing eight vulnerabilities in Microsoft Windows and Microsoft Developer Tools And Software. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

We’ll release all seven bulletins on Tuesday, January 10 at approximately 10 a.m. PST. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

In addition, eagle-eyed readers of the summary page will notice an unusual vulnerability classification, “Security Feature Bypass,” for one of our Important-severity bulletins. SFB-class issues in themselves can’t be leveraged by an attacker; rather, a would-be attacker would use them to facilitate use of another exploit. For those interested in learning more, we expect the SRD blog to publish a detailed analysis of the matter on Tuesday.

Please join Dustin Childs and Pete Voss for a webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. See below for registration information.

Date: Wednesday, January 11
Time: 11:00 a.m. PST (UTC -8)
Click Here To Register

Thanks,
Angela Gunn
Trustworthy Computing

December 2011 Out-Of-Band Bulletin Release: Q&A and Webcast

MSRCTeam — Fri, 30 Dec 2011 23:00:00 GMT

Hello,

Today we published the December 2011 Out-of-Band Security Bulletin Webcast Questions & Answers page. We fielded 41 questions on the subject of MS11-100 . There were four questions during the webcast that we were unable to answer and we have included those questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast scheduled for Wednesday, January 11, 2012 at 11 a.m. PST (UTC -8), when we will go into detail about the January 2012 bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, January 11, 2012
Time: 11:00 a.m. PDT (UTC -8)
Register: Attendee Registration

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

Microsoft releases MS11-100 for Security Advisory 2659883

MSRCTeam — Thu, 29 Dec 2011 18:00:00 GMT

Hello,

Today we released Security Update MS11-100 to address the issue described in Security Advisory 2659883.

The security update has a severity rating of Critical and resolves a publicly disclosed remote unauthenticated Denial of Service issue in ASP.NET versions 1.1 and above on all supported versions of .NET Framework. Of note, the new method of hash collision attacks used to exploit this vulnerability is an industry-wide issue affecting various Web platforms, including ASP.NET.

While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible. Consumers are not vulnerable unless they are running a Web server from their computer. More technical details can be found at the Security Research & Defense Blog.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Dave Forstrom
Director
Microsoft Trustworthy Computing

Advanced Notification for out-of-band release to address Security Advisory 2659883

MSRCTeam — Thu, 29 Dec 2011 03:51:00 GMT

Hello,

Today we’re providing advance notification for an out-of-band security update to address the publicly disclosed issue described in Security Advisory 2659883. The release is scheduled for tomorrow, December 29, at approximately 10 a.m. PST.

The bulletin has a severity rating of Critical and addresses a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework. While we’re currently unaware of any attacks targeting ASP.NET, we encourage all customers to test and deploy the update when it is available.

We will also hold a special edition webcast on Thursday, December 29 at 1 p.m. PST. Click here to register.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Dave Forstrom

Director

Microsoft Trustworthy Computing

Microsoft releases Security Advisory 2659883, offers workaround for industry-wide issue

MSRCTeam — Wed, 28 Dec 2011 12:57:00 GMT

Hello,

Today we published Security Advisory 2659883 to provide a workaround to help protect ASP.NET customers from a publicly disclosed vulnerability that affects various Web platforms industry-wide. We are not aware of any attacks using this vulnerability, which affects all supported versions of .NET Framework, however we recommend customers use the mitigation and workaround described in the Advisory to help protect sites against this new method to exploit hash tables.

Our teams are working around the clock worldwide to develop a security update of appropriate quality to address this issue. Meanwhile, our Security Research & Defense team has written a blog post to explain how to know if you are vulnerable and detect exploitation, as well as background on the workaround. We are also working closely with our Microsoft Active Protections Program (MAPP) to help our partners build protections when and where possible. We will continue to update customers with new information as it becomes available.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Dave Forstrom
Director
Microsoft Trustworthy Computing

December 2011 Bulletin Release Q&A and Slide Deck

MSRCTeam — Mon, 19 Dec 2011 18:32:00 GMT

Hello,

Today we published the December Security Bulletin Webcast Questions & Answers page. We fielded six questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools.

For more details on this month’s bulletins, click here to view the slide deck used in the webcast. See below to view the webcast.

We invite our customers to join us for the next public webcast on Wednesday, January 11, 2012 at 11am PST (UTC -8), when we will go into detail about the January bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, January 11, 2012
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,
Jerry Bryant
Group Manager, Response Communications
Microsoft Trustworthy Computing