The Microsoft Security Response Center (MSRC)

Microsoft Security Advisory 977544 Released

2009-11-13T23:08:00Z

Today we released Security Advisory 977544 to provide information, including customer guidance, on a publicly reported Denial-of-Service (DoS) vulnerability affecting Server Messaging Block (SMB) Protocol. This vulnerability, in SMBv1 and SMBv2, affects Windows 7 and Windows Server 2008 R2. Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003 and Windows 2000 are not affected.

I want to be clear that this is a DoS vulnerability that is unrelated to Microsoft Security Bulletin MS09-050 which addressed a remote code execution vulnerability in the SMBv2 protocol. This vulnerability would not allow an attacker to take control or install malware on a user’s system, but could cause the affected system to stop responding until manually restarted.

We are actively monitoring this situation to keep customers informed and will provide additional guidance as necessary. While we are not currently aware of active attacks, we continue to recommend customers review the mitigations and workarounds detailed in the Security Advisory to protect themselves as we work to develop a comprehensive security update.

As always, we are working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers and as we become aware of new information, we’ll provide additional updates as appropriate through the Security Advisory and the MSRC blog.

As always, we continue to encourage the responsible disclosure of vulnerabilities to help ensure customers receive high-quality security updates without exposure to malicious attacks.

Thanks,

Mike Reavey

*This posting is provided "AS IS" with no warranties, and confers no rights*

November 2009 Security Bulletin Webcast

2009-11-13T22:29:15Z

Hello. This is Jerry Bryant letting you know that the questions and answers from our November Security Bulletin webcast have been posted and the video from the webcast is below.

We did not get very many questions this month and the ones we did get covered various topics and were not focused in one particular area. One very good question we received had to do with the Microsoft Word bulletin, MS09-068. The user asked if an attack could execute via the Outlook 2007 preview function. This function allows a user to preview certain document types from within Outlook as demonstrated in these screen shots:

Above: what the user sees when clicking on the attached file.

Above: what the user sees after clicking the “Preview file” button.

The answer to the question is no. The preview option does not offer an attack vector for this vulnerability.

Here is the video from the webcast where Adrian Stone and I cover the bulletins in detail:

More listening and viewing options:

Please plan to join us next month for our regularly scheduled Security Bulletin webcast which will be held on December 9 at 11:00 a.m. PDT (UTC -8). You can register now for that webcast at this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

November 2009 Security Bulletin Release

2009-11-10T16:55:59Z

Summary of Microsoft’s Security Bulletin Release for November 2009

Today, we released six security bulletins addressing a total of 15 vulnerabilities. Four affect Windows and Windows Server and two affect Microsoft Office products (Excel and Word).

As we do every month, we have prepared our Risk & Impact and our Deployment Priority guidance to help customers assess risk to their environments and prioritize the deployment of this month’s updates. Risk & Impact is a snapshot of the cumulative severity and exploitability index ratings for each bulletin. This month, MS09-065 is the only bulletin with a critical severity rating and an Exploitability Index rating of 1 (“Consistent Exploit Code Likely”). This bulletin provides updates for three vulnerabilities in Windows Kernel-Mode Drivers. We recommend customers prioritize and deploy this update immediately.

To better demonstrate the affected products and important aspects of MS09-065, I am including a more detailed overview slide (below). As you can see, only one of the three vulnerabilities (CVE-2009-2514) is critical. That vulnerability only affects Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 (it does not affect Windows Vista or Windows Server 2008 so if you are using either of these platforms, you can lower the deployment priority to a two). The vulnerability was publicly disclosed and could be used to create a malicious web page which could potentially exploit vulnerable systems just by visiting the website. The other two vulnerabilities are Elevation of Privilege (EoP) which would require the attacker to have valid logon credentials in order to be able to exploit.

The following deployment priority guidance is based on a combination of severity rating, exploitability index rating, available mitigations and workarounds and range of affected products. All customers should perform their own prioritization assessment as each environment is different and other factors may apply. Microsoft recommends that all security updates be deployed as soon as possible.

· MS09-063 affects Windows Vista and Windows Server 2008. There is a potential for unauthenticated remote code execution (RCE) but only from the local subnet. Attacks cannot originate from outside of the network. This mitigation along with the exploitability index rating of 2 lowers the deployment priority. Obviously, this is still a critical bulletin so customers should deploy as soon as possible.

· MS09-064 affects only Windows 2000 Server SP4. This one also has the potential for unauthenticated RCE between systems running the License Logging Service. This service is enabled by default on Windows 2000 Server so this deployment priority should be moved up for customers who have Windows 2000 servers on public-facing networks.

· MS09-067 and MS09-068 both have similar attack vectors. A user would have to open a maliciously crafted Excel or Word file developed to exploit these vulnerabilities. Users of Office XP or later will be prompted to Open, Save, or Cancel before opening a document. These mitigations lower the severity and deployment priority. However, users should never open file attachments they receive in emails from unknown sources and should always question attachments from known sources if they are unexpected.

Adrian Stone from the Microsoft Security Response Center (MSRC) and I give a brief overview of this month’s bulletin release in the video below.

More listening and viewing options:

For more in-depth technical detail on MS09-063, MS09-064 and MS09-065, please visit our Security Research & Defense team blog at this link.

We also re-released MS09-045 and MS09-051. The former was re-released to add detection for users who may be running JScript 5.7 on Windows 2000 Service Pack 4 machines and the latter is a re-release of the update for Audio Compression Manager on Microsoft Windows 2000 Service Pack 4 to fix a detection issue.

As always, we encourage all customers to join us for our live security bulletin webcast which we conduct every month after release. Adrian and I will go in to detail on each bulletin and, along with a room full of subject matter experts, answer all of your questions live. So if you can, please join us tomorrow, Nov 11 at 11:00 a.m. PDT (UTC -8). You can register for the webcast at this link.

The last item I want to mention this month is that the Microsoft Malware Protection Center (MMPC) team has added Win32/fakevimes and Win32/privacycenter to the Windows Malicious Software Removal Tool (MSRT) this month. Please check their blog post for more information.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

November 2009 Bulletin Release Advance Notification

2009-11-05T16:12:00Z

Advance Notification for the November 2009 Security Bulletin Release

To help customers plan and prioritize for this month’s security updates, we wanted to let you know that we will be releasing 6 bulletins (three critical and three important) addressing 15 vulnerabilities, affecting Windows and Microsoft Office products. Customers should plan a restart for the Windows bulletins. The Office bulletins may not require a restart if the components being updated are not in use. More information about the upcoming security updates can be found on the TechNet Web site.

The target release day is next Tuesday Nov. 10 at 10:00 a.m. PST (UTC -8). At that time we will post more detailed information about the bulletins here and on our Security Research & Defense (SRD) blog. We will also include our Risk and Impact guidance, our Deployment Priority guidance, and an overview video discussing these materials. For more detailed information concerning the upcoming bulletins, please review the ANS page here.

As always, Adrian Stone and I will be hosting a webcast to cover the bulletins in greater detail the day after bulletins release. So please join us on Wednesday Nov. 11 at 11:00 a.m. PST (UTC -8) and bring any questions you have about the bulletins. We will have a room full of subject matter experts on hand to answer them. To register for the webcast, please follow this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

Update released for MS09-054

2009-11-02T22:01:00Z

Today we released an update 976749 that addresses two issues with MS09-054 that a limited number customers reported to us through our Customer Service and Support (CSS) group. These two issues can affect the proper display of web pages. For additional details, please refer to Microsoft Knowledge Base article 976749.

Security update MS09-054 was released as part of the October Security Bulletin Release cycle and protects against the vulnerabilities outlined in the bulletin. Also, we’re not currently aware of any attempts to attack the vulnerabilities.

While the number of customers affected by these two issues is limited, after working both with affected customers and our CSS group, we feel the best thing for all customers is to proactively provide this update as widely as possible to help prevent other customers from encountering the issues outlined in the KB.

Because of this, we plan to release this update through the same broad release channels as the original security update, MS09-054. Customers will see 976749 offered by default through Windows Update, Microsoft Update, and Automatic Updates.

Customers who have applied MS09-054 should go ahead and apply 976749. Customers who have not yet applied MS09-054 should apply both MS09-054 and 976749.

There’s more information on the update and the issues it addresses in Microsoft Knowledge Base article 976749.

Thanks.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*

October 2009 Security Bulletin Webcast Questions and Answers

2009-10-20T21:23:09Z

Hi everyone. We have posted the questions and answers from the security bulletin webcast we conducted on October 14 at this link. It was clear from all of the questions concerning MS09-062 (the GDI+ update) that there is some confusion on how to apply the update when you have a combination of SQL Server and Windows 2000 clients.

To clarify what the bulletin states, if you do not have any Windows 2000 SP4 clients on your network then you do not need to apply the SQL Server update that corresponds to the version of SQL Server you are running. In this case, you would only need to apply the update for the client operating systems on your network. This is because on platforms newer than Windows 2000 SP4, the operating system will use its own version of the affected component (gdiplus.dll) rather than the one distributed by the RSClientPrint ActiveX control through SQL Server Reporting Services.

In the video below, Adrian Stone and I go in to details on each bulletin to cover the vulnerabilities, affected platforms, attack vectors, and mitigations:

More listening and viewing options:

Next month we will host our live security bulletin webcast on November 11 at 11:00 am Pacific time (UTC -7). To register for that webcast, please follow this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

October 2009 Security Bulletin Release

2009-10-13T17:05:34Z

Summary of Microsoft’s Security Bulletin Release for October 2009

This month, we released 13 new bulletins which address 33 vulnerabilities in Windows, Internet Explorer and Microsoft Office. Since we published this information in our advance notification (ANS) last Thursday, we have been asked “is this the most bulletins Microsoft has ever released”? The short answer to that question is yes. However, we have, on several occasions, released between 10 and 12 bulletins so this is business as usual. All of our updates go through extensive quality testing and when they reach the bar for broad distribution, we schedule them for release.

As we noted in the ANS last week, two of the updates address open Security Advisories. MS09-050 addresses the SMBv2 issue in Security Advisory 975497 and MS09-053 addresses the IIS issue discussed in Security Advisory 975191.

Another issue being addressed this month that has received some public attention has to do with security certificates used for authentication. The vulnerabilities being addressed by Security Bulletin MS09-056 could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. We are aware that a rogue certificate was distributed in a public forum but we are not aware of any attempts to use this to attack users.

Below is the severity summary and exploitability index for the 13 new bulletins. We also refer to this as the overall risk and impact summary. As you can see, eight of the bulletins have a rating of Critical. Of those eight, six have an exploitability index rating of 1, which means we believe it is highly likely that we will see exploit code in the wild within the first 30 days from the date of release.

To help with deployment planning, we started publishing our guidance (beginning last month) on which bulletins should be considered first for deployment. Obviously one size does not fit all and each customer will need to consider their own unique situations in addition to this guidance. Our approach is to take a combination of the severity, the exploitability index rating, the range of products affected, and potential mitigations to group these in to a priority 1, 2 or 3. Our Security Research & Defense team, who represent some of the best security researchers in the world, play a key role in this every month as well.

Most of this month’s updates require a restart, so please refer to the bulletins when you’re planning your deployment to ensure you’re fully protected. We want to specifically note that MS09-050 requires a restart but will not prompt you to do so if you install the update manually.

As we do every month, Adrian Stone and I provide a high-level overview of this month’s bulletin release in the following video:

Other listening and viewing options:

This month we are also re-releasing MS08-069, vulnerability in Microsoft XML Core Services could allow remote code execution (955218) to add detection for Windows 7 and Windows Server 2008 R2. This component does not ship with these platforms but many applications install it in order to use its functionality.

Finally, you may also notice a change in the severity rating since the advance notification for several versions of Windows in the .NET bulletin (MS09-061). We have elevated the severity of these products from Important to Critical. We do not typically make changes after the advance notification goes out but during our ongoing investigation to protect customers, we determined that this was the appropriate rating for these products when certain versions of the .NET Framework are installed on them.

We encourage all customers to join us tomorrow when Adrian and I will go in to detail on each bulletin and, along with a room full of subject matter experts, answer all of your questions live. So if you can, please join us at 11:00 a.m. PDT (UTC -7). You can register for the webcast at this link.

Thanks!

Jerry Bryant

Update – Resource links:

Assessing the risk of the October security bulletins – Security Research & Defense blog
MS09-051: A note on the affected platforms – Security Research & Defense blog
MS09-050: Exploit timeline for SMB2 RCE vulnerability – Security Research & Defense blog
MS09-054: Extra info on the attack surface for the IE security bulletin – Security Research & Defense blog
MS09-061: More information about the .NET security bulletin – Security Research & Defense blog
Scanti-ly Clad – Another Rogue Stripped by MSRT – Microsoft Malware Protection Center blog

Update (10/13) Changed the number of vulnerabilities addressed to 33 from 34. CVE-2009-2493 was counted in both MS09-055 and MS09-060.

*This posting is provided "AS IS" with no warranties, and confers no rights*

October 2009 Bulletin Release Advance Notification

2009-10-08T16:23:00Z

Advance Notification for the October 2009 Security Bulletin Release

For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.

Among the updates this month, we are closing out two current security advisories:

· Vulnerabilities in SMB Could Allow Remote Code Execution (975497)

· Vulnerabilities in the FTP Service in Internet Information Services (975191)

Usually we do not go into this level of detail in the advance notification but we felt that it is important guidance so customers can plan accordingly and deploy these updates as soon as possible.

The target to release the October security updates is next Tuesday Oct. 13 at 10:00 a.m. PDT (UTC -8). Check back here at that time for a more detailed overview of the updates (including an overview video), our risk and impact summary and our deployment prioritization guide. More information about the upcoming security updates can be found here in the ANS.

After you have had a chance to read through the bulletins, please join us for a live webcast on Wednesday Oct. 14 at 11:00 a.m. PDT (UTC -7) and get answers to any questions you might have. To register, just follow this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

September 2009 Security Bulletin Webcast Video and Customer Q and A

2009-09-12T01:11:39Z

In the September 2009 security bulletin webcast, it was clear that customers had a lot of concerns about MS09-048 as almost half the questions we answered were on that topic. The questions and answers from the session are now posted here on the blog.

As we mentioned in the webcast, The MS09-048 bulletin has been updated to call out Windows XP in the affected products list with a severity rating of low for the two Denial-of-Service vulnerabilities (the third, Remote Code Execution vulnerability, does not affect XP). As stated in the bulletin, in the default configuration, Windows XP is not affected by any of the issues addressed by the bulletin. However, we heard from enterprise customers that custom configurations that put XP in a vulnerable state are in use so we updated the bulletin for clarity. Does this mean there will be an update for Windows XP? No and I will use the text from the bulletin to explain why:

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Concerning MS09-048 and Windows 2000, the scenario is very similar to Windows XP in that an attack requires a sustained flood of specially crafted TCP packets and the system will recover once the flood stops. Keeping Windows 2000 servers behind a NAT or reverse proxy can help to reduce risk.

In the last blog post I called out MS09-045 and MS09-047 as the highest priorities for deployment and while MS09-048 has received a lot of attention, we want to continue to stress getting those updates installed to all users.

This month we are leaving the Q and A out of the video because we have posted those questions to the blog and to keep the overall duration of the video down. If you like it this way or if you prefer us to leave that portion in, head over to the TechNet Edge site where we host the videos and leave your feedback there.

More listening and viewing options:

Following the webcast we got feedback that folks liked the new deployment priority slide as well as the new detail slides for each bulletin. We appreciate the feedback and will keep looking for ways to improve the content.

Please plan on joining us for our next regularly scheduled webcast on October 13 at 11:00 a.m. Click HERE to register.

Thanks!

Jerry Bryant

Microsoft Security Advisory 975497 Released

2009-09-09T02:35:00Z

We’ve just released Microsoft released Security Advisory 975497 that provides information about a new, irresponsibly reported vulnerability in SMB 2.0. Our investigation has shown that Windows Vista, Windows Server 2008 and Windows 7 RC are affected by this vulnerability. Windows 7 RTM, Windows Server 2008 R2, Windows XP and Windows 2000 are not affected by this vulnerability.

The Security Advisory outlines steps that Windows Vista and Windows Server 2008 customers can take to help protect themselves while we work on a security update for this issue.

As always, we’ve provided information through Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) that they can use to help provide broader protections to customers.

We will update you through our security advisory and the MSRC Weblog as we have new information.

Thanks

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*

September 2009 Security Bulletin Release

2009-09-08T20:50:47Z

Summary of Microsoft’s Security Bulletin Release for September 2009

Hello again,

This month we released five critical bulletins to address vulnerabilities in Windows and protect customers from two types of threats:

1. Browser based attacks where websites hosting malicious code attempt to compromise visitors. This includes MS09-045, MS09-046 and MS09-047.

2. Network based scenarios where attackers attempt Remote Code Execution (RCE) or Denial-of-Service (DoS) type attacks. This includes MS09-048 and MS09-049.

For this set of bulletins, we consider the first category to be the biggest threat to customers overall as reflected in our Severity and Exploitability Index slide where we present a high level, aggregate view of each bulletin:

We also refer to the slide above as our risk and impact assessment. The risk of exploitation combined with the impact of the vulnerability should help customers prioritize these bulletins for deployment. To provide further guidance in this area, this month we are providing a new deployment prioritization assessment. As noted on the slide below, there are several factors that we used to determine the priority. However, there are many other potential variables that may be unique to your environment so we recommend each customer perform their own assessment and install all security updates as soon as possible.

As you can see, we give MS09-045 and MS09-047 the highest deployment priority mainly due to these being browse and own attack scenarios and a high exploitability index rating. Exploits for MS09-047 can also be created through specially crafted files such as ASF and MP3 audio files. These files could then be sent via email.

Concerning MS09-046, our Security Research & Defense (SRD) team has determined that reliable exploit code would be difficult to produce hence the lower exploitability index rating. In this case and with MS09-045, users with Internet Explorer 8.0 are at reduced risk due to the protections provided by Date Execution Prevention (DEP). Also, while this is an ActiveX control update, it is not related to the ATL issue discussed in security advisory 973882.

The wireless update provided in MS09-049 addresses an issue with the Wireless AutoConfig Service in both Windows Vista and Windows Server 2008. We consider this one hard to exploit due to the work that has gone in to hardening the Windows Heap Manager. The SRD blog has a great write up on this.

MS09-048 contains updates for three vulnerabilities. One of those is a Remote Code Execution vulnerability affecting only Windows Vista and Windows Server 2008. We think this one would be difficult to produce reliable exploit code for as well. The SRD team did a write up on this one to provide additional details so I recommend reading it. The other two vulnerabilities are both Denial-of-Service issues and I want to point out that while Windows 2000 is affected by these, an update is not being provided. This is because the architecture to protect TCP/IP properly does not exist in Windows 2000. Customers on this platform who cannot update their systems to Windows Server 2003 or 2008 will need to carefully monitor their networks and assure that firewall best practices are followed.

Also, we re-released MS09-037. This bulletin for vulnerabilities in the Active Template Library (ATL), affecting components that shipped with Windows, was originally released in August 2009. In our ongoing investigation into the ATL issue, we identified a related vulnerable control so this bulletin has been updated to include it. This additional update affects users of Windows XP Media Center 2005 and Windows Vista systems. It is important to note that to date, we have not seen any new controls being used in active attacks. The Video ActiveX control that was under limited exploitation and which drove our out of band update in July, is still the only one we have seen used in attacks. Please refer to Security Advisory 973882 for the latest information and guidance from our investigation.

In this month’s overview video, Adrian Stone and I discuss the severity and exploitability index slide and the new deployment priority slide in a little more detail:

More viewing and listening options:

Please join Adrian and I for a live webcast tomorrow, Wednesday Sept. 9 at 11:00 a.m. PDT (UTC -7) where we will go in to detail on each bulletin and answer all of your questions, with the help of a room full of subject matter experts. Go here to register >>

In this post I also want to provide some clarity on Windows 7 and Windows Server 2008 R2. After the Advance Notification went out last Thursday, we saw speculation that these new products may be affected because they were not specifically listed. To be clear, Windows 7 and Windows Server 2008 R2 are not affected by any of the September security updates. Since the date these products were released to manufacturing (July 09), they have been part of our standard security update process. As such, they would have been called out in the ANS if they were affected.

Finally, we are not addressing the IIS/FTP vulnerability announced in Security Advisory 975191 with this month’s security bulletin release. Our teams are still working on an update for this issue and we encourage customers to review the advisory for the most current guidance on this issue.

That’s it for this month. If you cannot join us for the webcast tomorrow, come back to the blog Friday afternoon as we will be posting the webcast video and Q&A from the session.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Microsoft Security Advisory 975191 Revised

2009-09-04T08:50:00Z

Hi Everyone,

Today we updated Security Advisory 975191 as we are now seeing limited attacks. Additionally, a new proof of concept published allowing for Denial of Service (DoS) attacks on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service. This does not require Write access. Also, a new POC allowing DoS was disclosed this afternoon that affects the version of FTP 6 which shipped with Windows Vista and Windows Server 2008. Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits.

The initial vulnerability was not responsibly disclosed to Microsoft, which has led to limited, active attacks putting customers at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

Microsoft recommends customers review and implement the workarounds provided in the Advisory under the Workaround section. More information on suggested actions can be found in Microsoft Knowledge Base Article 975191.

While these workarounds do not completely mitigate the threat of DoS, we’re currently investigating the issue as part of our Software Security Incident Response Process (SSIRP) and working to develop a security update. This update will be released once it reaches an appropriate level of quality for broad distribution.

Additionally, we are actively working with partners in our Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) to share information that they can use to provide broader protections to customers.

For more technical details on the advisory, please see what our colleagues have written on Microsoft’s Internet Information Services (IIS) blog here: Microsoft IIS Blog. As always, be sure to check back here on the Microsoft Security Response Center (MSRC) blog or in the advisory for any additional information or updates that develop.

Thank you,

Alan Wallace

*This posting is provided "AS IS" with no warranties, and confers no rights*

September 2009 bulletin Release

2009-09-03T05:27:00Z

Advance Notification for the September 2009 Security Bulletin Release

This month we will be releasing 5 security bulletins, all affecting Windows, and all with an aggregate severity rating of critical.

As always, the target for release is the second Tuesday of the month at 10:00 a.m. PDT (UTC -8). Please check back here at that time as we will be posting our risk and impact assessment, a new deployment prioritization table and an overview video. Also, we encourage you to join us live on Wednesday September 9 at 11:00 a.m. (UTC -7) for our regular security bulletin webcast where we will cover the bulletins in greater detail and answer questions. Click here to register!

If the files being updated are in use at the time of installation then these updates would require a restart. Otherwise, they would not. For information on the reasons you may be prompted to restart the system, see Microsoft Knowledge Base Article 887012.

In related news, you will note that the ANS does not specify an update for the Internet Information Services FTP service vulnerability for which we released security advisory 975191 on Tuesday of this week. As noted in an earlier blog post, we have spun up our SSIRP (Software Security Incident Response Process) process to address this issue and our teams are working hard to produce an update. Please keep an eye on the advisory for more information and if you are not already, please subscribe to our comprehensive alerts to receive updates by email.

On a final note, I want to highlight our new Microsoft Security Update Guide which was written to help IT professionals better understand and use Microsoft security update release information, processes, communications, and tools – and how to manage organizational risk and develop a repeatable, effective deployment mechanism for security updates.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

Microsoft Security Advisory 975191 Released

2009-09-02T01:24:00Z

Hi Everyone,

This is Alan Wallace, senior communications manager for our security response communications team. Today, Microsoft released Security Advisory 975191, to provide customer guidance and protection from a vulnerability that could allow remote code execution on affected systems running the FTP service in Microsoft Internet Information Services (IIS) 5.0, 5.1 and 6.0, and connected to the Internet. While we have seen detailed exploit code published on the Internet for this vulnerability, we are not currently aware of active attacks that use this exploit code or of customer impact.

This vulnerability was not responsibly disclosed to Microsoft and may put customers at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

We’re currently investigating the issue as part of our Software Security Incident Response Process (SSIRP) and working to develop a security update. This update will be released once it reaches an appropriate level of quality for broad distribution.

Affected products include Windows 2000, Windows XP, and Windows Server 2003.

Microsoft recommends customers review and implement the workarounds provided in the Advisory under the Workaround section. More information on suggested actions can be found in Microsoft Knowledge Base Article 975191.

For more technical details on the advisory, please see what our colleagues have written over on the Security Research and Defense blog.

As always, be sure to check back here on the MSRC blog or in the advisory for any additional information or updates that develop.

Thank you,

Alan

*This posting is provided "AS IS" with no warranties, and confers no rights*

August 2009 Security Bulletin Webcast Video and Customer Q and A

2009-08-15T02:42:53Z

As we do every month on the Wednesday following our standard second Tuesday security bulletin release, we conducted a live webcast where Adrian Stone and myself went through the bulletins in detail and then answered customer questions with the help of several subject matter experts (SMEs).

It is apparent that there is still a bit of confusion around the Active Template Library (ATL) issue and how current updates relate to work we have already done to provide mitigations, protections and guidance to customers. To try and provide some clarity:

Security Advisory 972890: This advisory was released in response to active attacks against the Microsoft Video ActiveX Control in order to provide guidance and mitigations (including a Microsoft Fix it solution) to customers while we worked towards an update for the underlying issue.
MS09-032 – Cumulative Update of ActiveX Kill Bits (973346): This bulletin provided an official kill bit update to replace the Microsoft Fix it solution provided by Security Advisory 972890. The update addresses additional kill bits and is also available through Microsoft update technologies such as Windows Update, Microsoft Update, and Windows Software Update Services (WSUS). This kill bit blocked the ability to instantiate the Microsoft Video ActiveX Control in Internet Explorer to mitigate against known attacks.
MS09-034 – Cumulative Security Update for Internet Explorer (972260): This bulletin provided a defense-in-depth update that helps mitigate known attack vectors within Internet Explorer. To be clear, Internet Explorer is not vulnerable to these attacks but the vulnerable components can be reached through Internet Explorer. Installing this update mitigates that threat.
MS09-035 – Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706): This update is specifically geared towards developers of components and controls who use ATL. The update addresses the underlying issue in our Visual Studio development tools. Developers who use ATL should install this update and recompile their components and controls following the guidance in this MSDN article.
MS09-037 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908): This bulletin provides updates for vulnerable components and controls that shipped with Windows products. These are Microsoft components and controls were built using ATL. Among the updates in this bulletin is a binary level update that addresses the vulnerability in the Microsoft Video ActiveX Control that has seen some active attacks. So we previously released a kill bit update to provide immediate protection for customers and are addressing the underlying vulnerability with this update.
Security Advisory 973882: This advisory provides information on our ongoing investigation in to the ATL issue and serves as a single source for all related information.

To be even clearer, not every ActiveX control is vulnerable and we have an ongoing investigation into this issue. We will continue to provide updates via Security Advisory 973882 and Security Bulletins as necessary.

Of course this is not the only issue we addressed this month and customers had quite a few questions during the webcast that we provided answers and guidance for. Please review the text version of the Q&A here>>.

Here is the video of the webcast that includes the bulletin by bulletin presentation and the complete Q&A session:

More viewing and listening options:

Please plan to join us for the next regularly scheduled webcast on September 9, 2009 at 11:00 a.m. (UTC-7) where we will again cover any new bulletins and address your questions in real time. Click here to register >>.

Finally, please visit our Security Research & Defense blog where you will find some great deep dive articles full of analysis and guidance on these and many other security issues. You may also find our new blog aggregator useful for getting a consolidated view of all of our Trustworthy Computing blogs.

Thanks,

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*