MSRC

June 2013 Security Bulletin Webcast, Q&A, and Slide Deck

MSRCTeam — Fri, 14 Jun 2013 22:00:00 GMT

Today we’re publishing the June 2013 Security Bulletin Webcast Questions & Answers page. We fielded three questions during the webcast, with specific questions focusing primarily on Windows Print Spooler (MS13-050), Microsoft Office (MS13-051), and the security advisory addressing digital certificates (SA2854544). There was one question we were unable to field on the air which we answered on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, July 10, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the July bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, July 10, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: TBD

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Improved cryptography infrastructure and the June 2013 bulletins

MSRCTeam — Tue, 11 Jun 2013 17:00:00 GMT

It was just over one year ago, May 28, 2012, to be exact, that I transitioned from running active MSRC cases and writing bulletins to my current role managing software security incidents. A lot has changed in that year - and I’ve dealt with some interesting issues during my tenure - but our goal of providing the best customer protections possible remains a constant. For example, in June 2012, we introduced a new feature to automatically update the Certificate Trust List (CTL), allowing us to quickly move untrusted or compromised certificates to the CTL without customer interaction. Since this feature works by checking for new updates over the internet, enterprises that filter this type of network traffic are not able to take full advantage of this feature.

Today we are building on that functionality by releasing an update, in the form of Security Advisory 2854544, which gives enterprises more options for managing their private public key infrastructure (PKI) environments. This functionality, initially built into Windows 8, Windows Server 2012 and Windows RT, is now available for Windows Vista through Windows 7. Over the coming months, we’ll be rolling out additional updates to this advisory - all aimed at bolstering Windows’ cryptography and certificate-handling infrastructure. Our efforts here aren’t in response to any specific incident; it’s the continuing evolution of how we handle digital certificates to ensure the safest possible computing environment for our customers.

Speaking of safer computing, let’s talk about the five bulletins we released today - one Critical and four Important, addressing 23 vulnerabilities in Microsoft Windows, Office and Internet Explorer. For those who need to prioritize deployment, we recommend focusing on MS13-047 and MS13-051 first. As always, customers should deploy all security updates as soon as possible. Our Bulletin Deployment Priority guidance is below to further assist in deployment planning (click for larger view).

MS13-047 | Cumulative Security Update for Internet Explorer
This security update resolves 19 issues in Internet Explorer that could allow remote code execution if a customer views a specially crafted Web page using the browser. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. This security update is rated Critical for all versions of Internet Explorer, on all supported releases of Microsoft Windows. These issues were privately disclosed and we have not detected any attacks or customer impact.

MS13-051 | Vulnerability in Microsoft Office Could Allow Remote Code Execution
This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Office document using an affected version of Microsoft Office software, or previews or opens a specially crafted email message in Outlook while using Microsoft Word as the email reader. This issue is rated Important for Microsoft Office 2003 and Office for Mac 2011. While details about this issue were privately disclosed, we are aware of limited, targeted attacks that attempt to exploit this vulnerability.

Watch the bulletin overview video below for a brief summary of today’s releases.

Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases
(click for larger view).

Our risk and impact graph shows an aggregate view of this month’s Severity and Exploitability Index
(click for larger view).

For more information about this month’s security updates, visit the Microsoft Bulletin Summary Web page.

Andrew Gross and I will host the monthly bulletin webcast, scheduled for Wednesday, June 12, 2013, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I look forward to hearing your questions about this month’s release in our webcast tomorrow.

Thank you,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Advanced Notification Service for the June 2013 Security Bulletin Release

MSRCTeam — Thu, 06 Jun 2013 17:00:00 GMT

Today we’re providing Advance Notification of five bulletins for release on Tuesday, June 11, 2013. This release brings one Critical- and four Important-class bulletins. The Critical-rated bulletin addresses issues in Internet Explorer, and the Important-rated bulletins address issues in Microsoft Windows and Office.

We will publish the bulletins on the second Tuesday of the month, at approximately 10 a.m. PT. Please revisit this blog at that time for our official risk and impact analysis, along with deployment guidance and a brief video overview of the month’s highlights. Until then, you should review the ANS Summary Page for more information and prepare for bulletin testing and deployment as soon as possible, to help ensure a smooth update process.

For the latest information, follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

May 2013 Security Bulletin Webcast, Q&A, and Slide Deck

MSRCTeam — Fri, 17 May 2013 18:00:00 GMT

For those who couldn’t attend the live webcast, today we’re publishing the May 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS13-037 and MS13-038) and Visio (MS13-044).

We invite our customers to join us for the next public webcast on Wednesday, June 12, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the June bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, June 12, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Microsoft Customer Protections for May 2013

MSRCTeam — Tue, 14 May 2013 17:00:00 GMT

Today, we are releasing 10 bulletins, addressing 33 vulnerabilities in Microsoft products. Before we get into the details, we wanted to first let our enterprise customers know about a change in how we’re communicating technical details within our security advisories. Starting today, customers will be able to clearly identify key security updates within advisories. For further details, please visit Knowledge Base article 2849195.

Let’s talk about the updates that we released today. Ten bulletins were released, two Critical and eight Important, addressing 33 vulnerabilities in Internet Explorer, Microsoft Windows, Microsoft Office, Server and Tools, and .NET Framework. For those who need to prioritize deployment, we recommend focusing on MS13-037, MS13-038 and MS13-039 first. As always, customers should deploy all security updates as soon as possible. Our Bulletin Deployment Priority guidance is below to further assist in deployment planning (click for larger view).

MS13-037 | Cumulative Security Update for Internet Explorer
This security update resolves 11 issues in Internet Explorer that could allow remote code execution if a customer views a specially crafted Web page using the browser. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current administrator. This security update is rated Critical for all versions of Internet Explorer, on all supported releases of Microsoft Windows. These issues were privately disclosed and we have not detected any attacks or customer impact.

MS13-038 | Security Update for Internet Explorer
This security update permanently addresses the Internet Explorer 8 issue described in Security Advisory 2847140 to help ensure customers are protected. This security update is rated Critical for Internet Explorer 8 on Windows clients and Moderate for Internet Explorer 8 on Windows servers. There is no severity rating for Internet Explorer 9. This issue was publicly disclosed and there are limited known targeted attacks.

MS13-039 | Vulnerability in HTTP.sys Could Allow Denial of Service
This security update resolves one issue in Microsoft Windows that could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client. The security update is rated Important for supported editions of Windows 8 and Windows Server 2012. This issue was privately disclosed and we have not detected any attacks or customer impact.

Watch the bulletin overview video below for a brief summary of today’s releases.

Our risk and impact graph shows an aggregate view of this month’s Severity and Exploitability Index
(click for larger view).

For more information about this month’s security updates, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly technical webcast, scheduled for Wednesday, May 15, 2013, at 11 a.m. PT. I invite you to register here, and tune in to learn more about the May Security Bulletins and Advisories.

For the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I look forward to hearing your questions about today’s release in our webcast tomorrow.

Thank you,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Advance Notification Service for the May 2013 Security Bulletin Release

MSRCTeam — Thu, 09 May 2013 17:00:00 GMT

Today we’re providing Advance Notification of 10 bulletins for release on Tuesday, May 14, 2013. This release brings two Critical and eight Important-class bulletins, which address 33 unique vulnerabilities. The Critical-rated bulletins address issues in Microsoft Windows and Internet Explorer. Of note, we are working to have the Internet Explorer Security Update address the issue described in Security Advisory 2847140, supplementing the currently available Fix it. The Important-rated bulletins address issues in Microsoft Windows, Microsoft Office, Server and Tools, and .NET Framework.

As always, we will publish the bulletins on the second Tuesday of the month, at approximately 10 a.m. PST. Please revisit this blog at that time for our official risk and impact analysis, along with deployment guidance and a brief video overview of the month’s highlights. Until then, you should review the ANS Summary Page for more information and prepare for bulleting testing and deployment as soon as possible to help ensure a smooth update process.

For the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

Fix it for Security Advisory 2847140 is available

MSRCTeam — Wed, 08 May 2013 23:32:00 GMT

We have updated Security Advisory 2847140 to include an easy, one-click Fix it to address the known attack vectors. The Fix it is available to all customers and helps prevent known attacks that leverage the vulnerability to execute code and should not affect your ability to browse the Web. Additionally, applying the Fix it does not require a reboot. We encourage all customers using Internet Explorer 8 to apply this Fix it to help protect their systems. Internet Explorer 6, 7, 9 and 10 are not affected.

The Fix it is an effort to help protect as many customers as possible, as quickly as possible. We continue to work on a security update to address this issue and we’re closely monitoring the threat landscape. Tomorrow, please visit our monthly Advance Notification Service (ANS) blog for details on the Security Updates being released in May’s Security Bulletin cycle.

Thank you,
Dustin Childs
Group Manager, Response Communications
Trustworthy Computing

Microsoft Releases Security Advisory 2847140

MSRCTeam — Sat, 04 May 2013 02:15:00 GMT

Today, we released Security Advisory 2847140 regarding an issue that impacts Internet Explorer 8. Internet Explorer 6, 7, 9 and 10 are not affected by the vulnerability. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.

Internet Explorer 9 and 10 are not affected by this issue, so upgrading to these versions will help protect you from this issue.

While we are actively working to develop a security update to address this issue, we encourage customers using affected versions of Internet Explorer to deploy the following workarounds and mitigations included in the advisory to help protect themselves:

Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

We also always encourage people to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. We also encourage folks to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. Additional information can be found at www.microsoft.com/protect.

We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect customers.

Thank you,
Dustin Childs
Group Manager, Response Communications
Trustworthy Computing

New update available for MS13-036

MSRCTeam — Tue, 23 Apr 2013 17:01:00 GMT

Portuguese (Brazil), Русский

Today we released a new update to replace KB2823324, which was originally made available through MS13-036. As we previously discussed, we stopped distributing this update when we learned some customers were having issues. The new update, KB2840149, still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won’t need to take any actions. For those manually updating, we encourage you to apply this update at your earliest convenience.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

April 2013 Security Bulletin Webcast, Q&A, and Slide Deck

MSRCTeam — Tue, 16 Apr 2013 17:00:00 GMT

Today we’re publishing the April 2013 Security Bulletin Webcast Questions & Answers page. We fielded nine questions during the webcast, with almost half of those focused on the Remote Desktop Client bulletin (MS13-024). One question that was not answered on air has been included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, May 15, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, May 15, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing