The Microsoft Security Response Center (MSRC)

November 2009 Bulletin Release Advance Notification

2009-11-05T16:12:00Z

Advance Notification for the November 2009 Security Bulletin Release

To help customers plan and prioritize for this month’s security updates, we wanted to let you know that we will be releasing 6 bulletins (three critical and three important) addressing 15 vulnerabilities, affecting Windows and Microsoft Office products. Customers should plan a restart for the Windows bulletins. The Office bulletins may not require a restart if the components being updated are not in use. More information about the upcoming security updates can be found on the TechNet Web site.

The target release day is next Tuesday Nov. 10 at 10:00 a.m. PST (UTC -8). At that time we will post more detailed information about the bulletins here and on our Security Research & Defense (SRD) blog. We will also include our Risk and Impact guidance, our Deployment Priority guidance, and an overview video discussing these materials. For more detailed information concerning the upcoming bulletins, please review the ANS page here.

As always, Adrian Stone and I will be hosting a webcast to cover the bulletins in greater detail the day after bulletins release. So please join us on Wednesday Nov. 11 at 11:00 a.m. PST (UTC -8) and bring any questions you have about the bulletins. We will have a room full of subject matter experts on hand to answer them. To register for the webcast, please follow this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

Update released for MS09-054

2009-11-02T22:01:00Z

Today we released an update 976749 that addresses two issues with MS09-054 that a limited number customers reported to us through our Customer Service and Support (CSS) group. These two issues can affect the proper display of web pages. For additional details, please refer to Microsoft Knowledge Base article 976749.

Security update MS09-054 was released as part of the October Security Bulletin Release cycle and protects against the vulnerabilities outlined in the bulletin. Also, we’re not currently aware of any attempts to attack the vulnerabilities.

While the number of customers affected by these two issues is limited, after working both with affected customers and our CSS group, we feel the best thing for all customers is to proactively provide this update as widely as possible to help prevent other customers from encountering the issues outlined in the KB.

Because of this, we plan to release this update through the same broad release channels as the original security update, MS09-054. Customers will see 976749 offered by default through Windows Update, Microsoft Update, and Automatic Updates.

Customers who have applied MS09-054 should go ahead and apply 976749. Customers who have not yet applied MS09-054 should apply both MS09-054 and 976749.

There’s more information on the update and the issues it addresses in Microsoft Knowledge Base article 976749.

Thanks.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*

October 2009 Security Bulletin Webcast Questions and Answers

2009-10-20T21:23:09Z

Hi everyone. We have posted the questions and answers from the security bulletin webcast we conducted on October 14 at this link. It was clear from all of the questions concerning MS09-062 (the GDI+ update) that there is some confusion on how to apply the update when you have a combination of SQL Server and Windows 2000 clients.

To clarify what the bulletin states, if you do not have any Windows 2000 SP4 clients on your network then you do not need to apply the SQL Server update that corresponds to the version of SQL Server you are running. In this case, you would only need to apply the update for the client operating systems on your network. This is because on platforms newer than Windows 2000 SP4, the operating system will use its own version of the affected component (gdiplus.dll) rather than the one distributed by the RSClientPrint ActiveX control through SQL Server Reporting Services.

In the video below, Adrian Stone and I go in to details on each bulletin to cover the vulnerabilities, affected platforms, attack vectors, and mitigations:

More listening and viewing options:

Next month we will host our live security bulletin webcast on November 11 at 11:00 am Pacific time (UTC -7). To register for that webcast, please follow this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

October 2009 Security Bulletin Release

2009-10-13T17:05:34Z

Summary of Microsoft’s Security Bulletin Release for October 2009

This month, we released 13 new bulletins which address 33 vulnerabilities in Windows, Internet Explorer and Microsoft Office. Since we published this information in our advance notification (ANS) last Thursday, we have been asked “is this the most bulletins Microsoft has ever released”? The short answer to that question is yes. However, we have, on several occasions, released between 10 and 12 bulletins so this is business as usual. All of our updates go through extensive quality testing and when they reach the bar for broad distribution, we schedule them for release.

As we noted in the ANS last week, two of the updates address open Security Advisories. MS09-050 addresses the SMBv2 issue in Security Advisory 975497 and MS09-053 addresses the IIS issue discussed in Security Advisory 975191.

Another issue being addressed this month that has received some public attention has to do with security certificates used for authentication. The vulnerabilities being addressed by Security Bulletin MS09-056 could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. We are aware that a rogue certificate was distributed in a public forum but we are not aware of any attempts to use this to attack users.

Below is the severity summary and exploitability index for the 13 new bulletins. We also refer to this as the overall risk and impact summary. As you can see, eight of the bulletins have a rating of Critical. Of those eight, six have an exploitability index rating of 1, which means we believe it is highly likely that we will see exploit code in the wild within the first 30 days from the date of release.

To help with deployment planning, we started publishing our guidance (beginning last month) on which bulletins should be considered first for deployment. Obviously one size does not fit all and each customer will need to consider their own unique situations in addition to this guidance. Our approach is to take a combination of the severity, the exploitability index rating, the range of products affected, and potential mitigations to group these in to a priority 1, 2 or 3. Our Security Research & Defense team, who represent some of the best security researchers in the world, play a key role in this every month as well.

Most of this month’s updates require a restart, so please refer to the bulletins when you’re planning your deployment to ensure you’re fully protected. We want to specifically note that MS09-050 requires a restart but will not prompt you to do so if you install the update manually.

As we do every month, Adrian Stone and I provide a high-level overview of this month’s bulletin release in the following video:

Other listening and viewing options:

This month we are also re-releasing MS08-069, vulnerability in Microsoft XML Core Services could allow remote code execution (955218) to add detection for Windows 7 and Windows Server 2008 R2. This component does not ship with these platforms but many applications install it in order to use its functionality.

Finally, you may also notice a change in the severity rating since the advance notification for several versions of Windows in the .NET bulletin (MS09-061). We have elevated the severity of these products from Important to Critical. We do not typically make changes after the advance notification goes out but during our ongoing investigation to protect customers, we determined that this was the appropriate rating for these products when certain versions of the .NET Framework are installed on them.

We encourage all customers to join us tomorrow when Adrian and I will go in to detail on each bulletin and, along with a room full of subject matter experts, answer all of your questions live. So if you can, please join us at 11:00 a.m. PDT (UTC -7). You can register for the webcast at this link.

Thanks!

Jerry Bryant

Update – Resource links:

Assessing the risk of the October security bulletins – Security Research & Defense blog
MS09-051: A note on the affected platforms – Security Research & Defense blog
MS09-050: Exploit timeline for SMB2 RCE vulnerability – Security Research & Defense blog
MS09-054: Extra info on the attack surface for the IE security bulletin – Security Research & Defense blog
MS09-061: More information about the .NET security bulletin – Security Research & Defense blog
Scanti-ly Clad – Another Rogue Stripped by MSRT – Microsoft Malware Protection Center blog

Update (10/13) Changed the number of vulnerabilities addressed to 33 from 34. CVE-2009-2493 was counted in both MS09-055 and MS09-060.

*This posting is provided "AS IS" with no warranties, and confers no rights*

October 2009 Bulletin Release Advance Notification

2009-10-08T16:23:00Z

Advance Notification for the October 2009 Security Bulletin Release

For October we are releasing 13 bulletins (eight critical and five important), addressing 34 vulnerabilities, affecting Windows, Internet Explorer, Office, Silverlight, Forefront, Developer Tools, and SQL Server. Most of these updates require a restart so please factor that into your deployment planning.

Among the updates this month, we are closing out two current security advisories:

· Vulnerabilities in SMB Could Allow Remote Code Execution (975497)

· Vulnerabilities in the FTP Service in Internet Information Services (975191)

Usually we do not go into this level of detail in the advance notification but we felt that it is important guidance so customers can plan accordingly and deploy these updates as soon as possible.

The target to release the October security updates is next Tuesday Oct. 13 at 10:00 a.m. PDT (UTC -8). Check back here at that time for a more detailed overview of the updates (including an overview video), our risk and impact summary and our deployment prioritization guide. More information about the upcoming security updates can be found here in the ANS.

After you have had a chance to read through the bulletins, please join us for a live webcast on Wednesday Oct. 14 at 11:00 a.m. PDT (UTC -7) and get answers to any questions you might have. To register, just follow this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

September 2009 Security Bulletin Webcast Video and Customer Q and A

2009-09-12T01:11:39Z

In the September 2009 security bulletin webcast, it was clear that customers had a lot of concerns about MS09-048 as almost half the questions we answered were on that topic. The questions and answers from the session are now posted here on the blog.

As we mentioned in the webcast, The MS09-048 bulletin has been updated to call out Windows XP in the affected products list with a severity rating of low for the two Denial-of-Service vulnerabilities (the third, Remote Code Execution vulnerability, does not affect XP). As stated in the bulletin, in the default configuration, Windows XP is not affected by any of the issues addressed by the bulletin. However, we heard from enterprise customers that custom configurations that put XP in a vulnerable state are in use so we updated the bulletin for clarity. Does this mean there will be an update for Windows XP? No and I will use the text from the bulletin to explain why:

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Concerning MS09-048 and Windows 2000, the scenario is very similar to Windows XP in that an attack requires a sustained flood of specially crafted TCP packets and the system will recover once the flood stops. Keeping Windows 2000 servers behind a NAT or reverse proxy can help to reduce risk.

In the last blog post I called out MS09-045 and MS09-047 as the highest priorities for deployment and while MS09-048 has received a lot of attention, we want to continue to stress getting those updates installed to all users.

This month we are leaving the Q and A out of the video because we have posted those questions to the blog and to keep the overall duration of the video down. If you like it this way or if you prefer us to leave that portion in, head over to the TechNet Edge site where we host the videos and leave your feedback there.

More listening and viewing options:

Following the webcast we got feedback that folks liked the new deployment priority slide as well as the new detail slides for each bulletin. We appreciate the feedback and will keep looking for ways to improve the content.

Please plan on joining us for our next regularly scheduled webcast on October 13 at 11:00 a.m. Click HERE to register.

Thanks!

Jerry Bryant

Microsoft Security Advisory 975497 Released

2009-09-09T02:35:00Z

We’ve just released Microsoft released Security Advisory 975497 that provides information about a new, irresponsibly reported vulnerability in SMB 2.0. Our investigation has shown that Windows Vista, Windows Server 2008 and Windows 7 RC are affected by this vulnerability. Windows 7 RTM, Windows Server 2008 R2, Windows XP and Windows 2000 are not affected by this vulnerability.

The Security Advisory outlines steps that Windows Vista and Windows Server 2008 customers can take to help protect themselves while we work on a security update for this issue.

As always, we’ve provided information through Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) that they can use to help provide broader protections to customers.

We will update you through our security advisory and the MSRC Weblog as we have new information.

Thanks

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*

September 2009 Security Bulletin Release

2009-09-08T20:50:47Z

Summary of Microsoft’s Security Bulletin Release for September 2009

Hello again,

This month we released five critical bulletins to address vulnerabilities in Windows and protect customers from two types of threats:

1. Browser based attacks where websites hosting malicious code attempt to compromise visitors. This includes MS09-045, MS09-046 and MS09-047.

2. Network based scenarios where attackers attempt Remote Code Execution (RCE) or Denial-of-Service (DoS) type attacks. This includes MS09-048 and MS09-049.

For this set of bulletins, we consider the first category to be the biggest threat to customers overall as reflected in our Severity and Exploitability Index slide where we present a high level, aggregate view of each bulletin:

We also refer to the slide above as our risk and impact assessment. The risk of exploitation combined with the impact of the vulnerability should help customers prioritize these bulletins for deployment. To provide further guidance in this area, this month we are providing a new deployment prioritization assessment. As noted on the slide below, there are several factors that we used to determine the priority. However, there are many other potential variables that may be unique to your environment so we recommend each customer perform their own assessment and install all security updates as soon as possible.

As you can see, we give MS09-045 and MS09-047 the highest deployment priority mainly due to these being browse and own attack scenarios and a high exploitability index rating. Exploits for MS09-047 can also be created through specially crafted files such as ASF and MP3 audio files. These files could then be sent via email.

Concerning MS09-046, our Security Research & Defense (SRD) team has determined that reliable exploit code would be difficult to produce hence the lower exploitability index rating. In this case and with MS09-045, users with Internet Explorer 8.0 are at reduced risk due to the protections provided by Date Execution Prevention (DEP). Also, while this is an ActiveX control update, it is not related to the ATL issue discussed in security advisory 973882.

The wireless update provided in MS09-049 addresses an issue with the Wireless AutoConfig Service in both Windows Vista and Windows Server 2008. We consider this one hard to exploit due to the work that has gone in to hardening the Windows Heap Manager. The SRD blog has a great write up on this.

MS09-048 contains updates for three vulnerabilities. One of those is a Remote Code Execution vulnerability affecting only Windows Vista and Windows Server 2008. We think this one would be difficult to produce reliable exploit code for as well. The SRD team did a write up on this one to provide additional details so I recommend reading it. The other two vulnerabilities are both Denial-of-Service issues and I want to point out that while Windows 2000 is affected by these, an update is not being provided. This is because the architecture to protect TCP/IP properly does not exist in Windows 2000. Customers on this platform who cannot update their systems to Windows Server 2003 or 2008 will need to carefully monitor their networks and assure that firewall best practices are followed.

Also, we re-released MS09-037. This bulletin for vulnerabilities in the Active Template Library (ATL), affecting components that shipped with Windows, was originally released in August 2009. In our ongoing investigation into the ATL issue, we identified a related vulnerable control so this bulletin has been updated to include it. This additional update affects users of Windows XP Media Center 2005 and Windows Vista systems. It is important to note that to date, we have not seen any new controls being used in active attacks. The Video ActiveX control that was under limited exploitation and which drove our out of band update in July, is still the only one we have seen used in attacks. Please refer to Security Advisory 973882 for the latest information and guidance from our investigation.

In this month’s overview video, Adrian Stone and I discuss the severity and exploitability index slide and the new deployment priority slide in a little more detail:

More viewing and listening options:

Please join Adrian and I for a live webcast tomorrow, Wednesday Sept. 9 at 11:00 a.m. PDT (UTC -7) where we will go in to detail on each bulletin and answer all of your questions, with the help of a room full of subject matter experts. Go here to register >>

In this post I also want to provide some clarity on Windows 7 and Windows Server 2008 R2. After the Advance Notification went out last Thursday, we saw speculation that these new products may be affected because they were not specifically listed. To be clear, Windows 7 and Windows Server 2008 R2 are not affected by any of the September security updates. Since the date these products were released to manufacturing (July 09), they have been part of our standard security update process. As such, they would have been called out in the ANS if they were affected.

Finally, we are not addressing the IIS/FTP vulnerability announced in Security Advisory 975191 with this month’s security bulletin release. Our teams are still working on an update for this issue and we encourage customers to review the advisory for the most current guidance on this issue.

That’s it for this month. If you cannot join us for the webcast tomorrow, come back to the blog Friday afternoon as we will be posting the webcast video and Q&A from the session.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Microsoft Security Advisory 975191 Revised

2009-09-04T08:50:00Z

Hi Everyone,

Today we updated Security Advisory 975191 as we are now seeing limited attacks. Additionally, a new proof of concept published allowing for Denial of Service (DoS) attacks on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service. This does not require Write access. Also, a new POC allowing DoS was disclosed this afternoon that affects the version of FTP 6 which shipped with Windows Vista and Windows Server 2008. Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits.

The initial vulnerability was not responsibly disclosed to Microsoft, which has led to limited, active attacks putting customers at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

Microsoft recommends customers review and implement the workarounds provided in the Advisory under the Workaround section. More information on suggested actions can be found in Microsoft Knowledge Base Article 975191.

While these workarounds do not completely mitigate the threat of DoS, we’re currently investigating the issue as part of our Software Security Incident Response Process (SSIRP) and working to develop a security update. This update will be released once it reaches an appropriate level of quality for broad distribution.

Additionally, we are actively working with partners in our Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) to share information that they can use to provide broader protections to customers.

For more technical details on the advisory, please see what our colleagues have written on Microsoft’s Internet Information Services (IIS) blog here: Microsoft IIS Blog. As always, be sure to check back here on the Microsoft Security Response Center (MSRC) blog or in the advisory for any additional information or updates that develop.

Thank you,

Alan Wallace

*This posting is provided "AS IS" with no warranties, and confers no rights*

September 2009 bulletin Release

2009-09-03T05:27:00Z

Advance Notification for the September 2009 Security Bulletin Release

This month we will be releasing 5 security bulletins, all affecting Windows, and all with an aggregate severity rating of critical.

As always, the target for release is the second Tuesday of the month at 10:00 a.m. PDT (UTC -8). Please check back here at that time as we will be posting our risk and impact assessment, a new deployment prioritization table and an overview video. Also, we encourage you to join us live on Wednesday September 9 at 11:00 a.m. (UTC -7) for our regular security bulletin webcast where we will cover the bulletins in greater detail and answer questions. Click here to register!

If the files being updated are in use at the time of installation then these updates would require a restart. Otherwise, they would not. For information on the reasons you may be prompted to restart the system, see Microsoft Knowledge Base Article 887012.

In related news, you will note that the ANS does not specify an update for the Internet Information Services FTP service vulnerability for which we released security advisory 975191 on Tuesday of this week. As noted in an earlier blog post, we have spun up our SSIRP (Software Security Incident Response Process) process to address this issue and our teams are working hard to produce an update. Please keep an eye on the advisory for more information and if you are not already, please subscribe to our comprehensive alerts to receive updates by email.

On a final note, I want to highlight our new Microsoft Security Update Guide which was written to help IT professionals better understand and use Microsoft security update release information, processes, communications, and tools – and how to manage organizational risk and develop a repeatable, effective deployment mechanism for security updates.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

Microsoft Security Advisory 975191 Released

2009-09-02T01:24:00Z

Hi Everyone,

This is Alan Wallace, senior communications manager for our security response communications team. Today, Microsoft released Security Advisory 975191, to provide customer guidance and protection from a vulnerability that could allow remote code execution on affected systems running the FTP service in Microsoft Internet Information Services (IIS) 5.0, 5.1 and 6.0, and connected to the Internet. While we have seen detailed exploit code published on the Internet for this vulnerability, we are not currently aware of active attacks that use this exploit code or of customer impact.

This vulnerability was not responsibly disclosed to Microsoft and may put customers at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

We’re currently investigating the issue as part of our Software Security Incident Response Process (SSIRP) and working to develop a security update. This update will be released once it reaches an appropriate level of quality for broad distribution.

Affected products include Windows 2000, Windows XP, and Windows Server 2003.

Microsoft recommends customers review and implement the workarounds provided in the Advisory under the Workaround section. More information on suggested actions can be found in Microsoft Knowledge Base Article 975191.

For more technical details on the advisory, please see what our colleagues have written over on the Security Research and Defense blog.

As always, be sure to check back here on the MSRC blog or in the advisory for any additional information or updates that develop.

Thank you,

Alan

*This posting is provided "AS IS" with no warranties, and confers no rights*

August 2009 Security Bulletin Webcast Video and Customer Q and A

2009-08-15T02:42:53Z

As we do every month on the Wednesday following our standard second Tuesday security bulletin release, we conducted a live webcast where Adrian Stone and myself went through the bulletins in detail and then answered customer questions with the help of several subject matter experts (SMEs).

It is apparent that there is still a bit of confusion around the Active Template Library (ATL) issue and how current updates relate to work we have already done to provide mitigations, protections and guidance to customers. To try and provide some clarity:

Security Advisory 972890: This advisory was released in response to active attacks against the Microsoft Video ActiveX Control in order to provide guidance and mitigations (including a Microsoft Fix it solution) to customers while we worked towards an update for the underlying issue.
MS09-032 – Cumulative Update of ActiveX Kill Bits (973346): This bulletin provided an official kill bit update to replace the Microsoft Fix it solution provided by Security Advisory 972890. The update addresses additional kill bits and is also available through Microsoft update technologies such as Windows Update, Microsoft Update, and Windows Software Update Services (WSUS). This kill bit blocked the ability to instantiate the Microsoft Video ActiveX Control in Internet Explorer to mitigate against known attacks.
MS09-034 – Cumulative Security Update for Internet Explorer (972260): This bulletin provided a defense-in-depth update that helps mitigate known attack vectors within Internet Explorer. To be clear, Internet Explorer is not vulnerable to these attacks but the vulnerable components can be reached through Internet Explorer. Installing this update mitigates that threat.
MS09-035 – Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706): This update is specifically geared towards developers of components and controls who use ATL. The update addresses the underlying issue in our Visual Studio development tools. Developers who use ATL should install this update and recompile their components and controls following the guidance in this MSDN article.
MS09-037 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908): This bulletin provides updates for vulnerable components and controls that shipped with Windows products. These are Microsoft components and controls were built using ATL. Among the updates in this bulletin is a binary level update that addresses the vulnerability in the Microsoft Video ActiveX Control that has seen some active attacks. So we previously released a kill bit update to provide immediate protection for customers and are addressing the underlying vulnerability with this update.
Security Advisory 973882: This advisory provides information on our ongoing investigation in to the ATL issue and serves as a single source for all related information.

To be even clearer, not every ActiveX control is vulnerable and we have an ongoing investigation into this issue. We will continue to provide updates via Security Advisory 973882 and Security Bulletins as necessary.

Of course this is not the only issue we addressed this month and customers had quite a few questions during the webcast that we provided answers and guidance for. Please review the text version of the Q&A here>>.

Here is the video of the webcast that includes the bulletin by bulletin presentation and the complete Q&A session:

More viewing and listening options:

Please plan to join us for the next regularly scheduled webcast on September 9, 2009 at 11:00 a.m. (UTC-7) where we will again cover any new bulletins and address your questions in real time. Click here to register >>.

Finally, please visit our Security Research & Defense blog where you will find some great deep dive articles full of analysis and guidance on these and many other security issues. You may also find our new blog aggregator useful for getting a consolidated view of all of our Trustworthy Computing blogs.

Thanks,

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

August 2009 Bulletin Release

2009-08-11T20:00:36Z

Summary of Microsoft’s Security Bulletin Release for August 2009

Hi everyone,

This month, we released nine security bulletins. Five of those are rated Critical and four have an aggregate severity rating of Important. Of the nine updates, eight affect Windows and the last one affects Office Web Components (OWC). It is also important to note that five of the six critical updates also have an Exploitability Index rating of “1” which means that we could expect there to be consistent, reliable code in the wild seeking to exploit one or more of these vulnerabilities within the first 30 days from release. The chart below shows the aggregate severity summary and exploitability index ratings for all nine bulletins. This overview chart should guide you in prioritizing this month’s updates in order to protect your systems efficiently and effectively.

Of particular note in this release is MS09-037 which is an update for Microsoft Active Template Library (ATL). Among the five updates in this bulletin is a binary level update for the Microsoft Video ActiveX Control. As you may recall, we originally released Security Advisory 972890 on July 6 in response to an active attack against this component and subsequently released Security Bulletin MS09-032 to supply an official kill bit update (rather than the temporary Microsoft Fix it supplied with the advisory). All of the included vulnerabilities were privately reported, have a critical severity and are rated “1” on our exploitability index. We encourage you to deploy this update as soon as possible. We will be updating Security Advisory 973882 to include a reference to this bulletin as it relates to ATL.

Another of the updates I would like to draw your attention to is MS09-043, which addresses the Office Web Components vulnerability discussed in Security Advisory 973472. We strongly encourage customers to review and deploy this bulletin if applicable given that we have seen exploitation in the wild. Even though this update addresses an ActiveX control issue, it is unrelated to the ATL issue we discuss in Security Advisory 973882.

If you are running a WINS server on either Windows 2000 or Windows Server 2003 then I would also call your attention to MS09-039 as this one has the potential for an un-authenticated, self-replicating attack across the network. Installing the update will protect your systems should any attacks be developed to exploit the vulnerabilities addressed in this update but at this time, we are not aware of any exploit code in the wild.

In the video below, Adrian Stone and I provide an overview of this month’s release and discuss the updates above in a little more detail. For even greater detail on all nine bulletins, please join us tomorrow, August 12 at 11:00 a.m. (UTC-7) for our monthly bulletin webcast where we will also address your questions concerning these updates. Click HERE to register >>

More viewing and listening options:

We are also re-releasing two bulletins this month:

MS09-029 to address a print spooler issue on various Windows platforms that could cause the print spooler to stop responding in certain scenarios. Please see Knowledge Base article 961371 for details.
MS09-035 to offer new updates for Visual Studio 2005 SP1, Visual Studio 2008 and Visual Studio 2008 SP1. The new security updates are for developers who use Visual Studio to create components and controls for mobile applications using ATL for Smart Devices. All Visual Studio developers should install these new updates so that they can use Visual Studio to create components and controls that are not vulnerable to the reported issues. For more information on this known issue, see Knowledge Base Article 969706.

To close this month’s blog post, I would encourage systems administrators and application developers to read through Security Advisory 973811 which was also released today. This is a non-security update that enables new protection technology that can be used to enhance the protection of credentials when authenticating network connections.

As always, please check the Security Research and Defense blog for additional technical information on these updates and we hope to see you at the webcast tomorrow.

Thanks,

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

August 2009 Advance Notification

2009-08-06T20:07:00Z

Advance Notification for the August 2009 Security Bulletin Release

In this month’s Advance Notification we are making customers aware that next Tuesday August 11^th we plan to release 9 security bulletins at approximately 10:00 a.m. PDT (UTC -8). Those bulletins consist of:

· 8 bulletins affecting Windows four of which are rated critical and four are rated as important.

o One of the critical Windows bulletins also affects Client for Mac.

o One of the important Windows bulletins also affects the .NET Framework.

· One critical bulletin affecting Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server and Microsoft BizTalk Server. This update addresses the issue discussed in security advisory 973472.

Concerning restart requirements, all of the updates for Windows will require a restart except one (this is the update also affecting the .NET Framework). The Office related bulletin may require a restart if the binaries being updated are in use. To reduce your chances of requiring a restart, please see Knowledge Base article 887012.

On release day, look for additional information on both this blog and the Security Research and Defense blog. If you have questions or would like more information about this month’s release, please plan to attend our regularly scheduled security bulletin webcast on Wednesday, August 12, 2009, at 11:00 a.m. PDT (UTC –7). Click HERE to register.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

Update 8/7/2009: corrected the number of critical and important Windows bulletins to four each.

Security Bulletin Webcast Questions and Answers – Out-Of-Band July 2009

2009-07-30T02:51:00Z

Hi,

In conjunction with the Microsoft July 2009 Out-of-Band Bulletin release, we conducted two public webcasts to assist customers. During these webcasts, we were able to address 60 questions in the time allotted. The questions centered primarily on MS09-034: the Internet Explorer Cumulative Update Bulletin and MS09-035: the Visual Studio Bulletin. We also addressed questions regarding the Microsoft Security Advisory 973882 and the ATL issues as a whole.

Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:

http://blogs.technet.com/msrc/pages/security-bulletin-webcast-q-a-oob-july-2009.aspx

Also, here is the link to the Q&A index page in case you want to view previous months:

http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Thanks!

Al Brown

*This posting is provided "AS IS" with no warranties, and confers no rights.*