The Microsoft Security Response Center (MSRC)

During the security bulletin webcast for June 2009, we answered a wide array of questions around the 10 bulletins we released. Of primary interest to customers, based on the number of questions we received on the topic, is the RPC issue addressed by MS09-026. As this issue affects third party products that utilize RPC in Windows, customers wanted to know if there is a way to tell if their third party product was vulnerable. First, we are not aware of any applications that are vulnerable to this issue at this time. Second, we recommend that you consult with your application developer as they are in the best position to analyze their code for this issue. To help with this, the Security Research & Defense team posted guidance to their blog on “How a developer can know if their RPC interface is affected”.

The complete list of questions and answers from the webcast is now posted here:
http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-june-2009.aspx

Also, here is the link to the Q&A index page in case you want to view previous months:
http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

The video of this month’s webcast is just over an hour long as we had 10 bulletins and a couple of advisories to cover. The Q&A portion starts at around 39 minutes in if you want to skip to that portion.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

Every month in the webcast, we cover an aggregate severity and exploitability index ratings slide that we think is useful as a quick reference when doing a risk assessment. Here is that slide for your reference in case you were not able to attend the webcast or print the slides out during the webcast:

Finally, there are two additional items I want to mention that we covered in the webcast this month:

First, we put out a call for feedback on the Exploitability Index. The index provides customers with guidance on the likelihood of functioning exploit code being developed in the first 30 days for vulnerabilities addressed in our bulletins. This index has been available now for 9 months and we want to get your feedback on it positive or negative and how you use it in your risk assessments. To submit your feedback, simply email it to msrcteam@microsoft.com.

The second thing we covered that I wanted to mention here is that Office Update is retiring. Starting August 1, 2009, we will discontinue support for Office Update and the Office Update Inventory Tool. At that time, to continue receiving updates for Office products, you will need to use Microsoft Update. For more information see the FAQ (http://office.microsoft.com/en-us/downloads/FX010402221033.aspx).

As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Please join us for our next live webcast on July 14, 2009 at 11:00 am PDT (UTC –7). Follow this link to pre-register:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032407482 

Hope to see you then!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Summary of Microsoft’s monthly security bulletin release for June 2009.

Today we released 10 new security bulletins. 6 of those affect Windows with two rated as critical, three rated as important and one as moderate. The remaining four all have an aggregate rating of critical and affect Internet Explorer, Microsoft Office Word, Microsoft Office Excel and Microsoft Works Converters.

In addition to these new bulletins, we are releasing the remaining updates for MS09-017 which now includes updates for Microsoft Office for Mac (versions 2004 and 2008) and Microsoft Works 8.5 and 9.0. You may recall that we released this bulletin last month with updates only for versions of PowerPoint that run on Windows. Please refer to last month’s bulletin blog post for more information.

This month we are also releasing two security advisories. The first advisory, 969898, is for a new set of ActiveX kill bits. The list of kill bits in this rollup includes an update for Microsoft Visual Basic 6.0 SP6, and ActiveX controls developed by Microgaming, eBay, and HP (click the company names to view their security release for these kill bits).

The second advisory, 971888, is providing a non-security update for DNS devolution. While this is a non-security update, it changes the security configuration of systems it is applied to and that is why we are releasing it with an advisory. This advisory is also related to the WPAD issue for which we originally released Security Advisory 945731 and subsequently Security Bulletin MS09-008. With the release of this new advisory, we are closing out Security Advisory 945731. Security Advisory 971888 and the associated KB article go in to detail on DNS devolution and how the update changes the configuration. If you have any follow up questions, our live webcast tomorrow would be a great place to ask them.

Concerning open advisories going in to this month, with the release of MS09-020, Security Advisory 971492, which discusses an issue with Internet Information Services, specifically in WebDAV, is now closed. And, as we noted in our Advance Notification (ANS) blog post last week, we do not yet have an update ready for the DirectShow vulnerability discussed in Security Advisory 971778. Our security teams are working hard on this issue but the update has to meet the right quality bar before we can release it. We continue to monitor the threat landscape through our Software Security Incident Response Process (SSIRP), and will provide updates to the advisory if needed. We continue to encourage customers to review the mitigations and workarounds in the advisory and check out the “Fix It For Me” solution in Knowledgebase Article 971778. Additionally, please refer to these blog posts for more information on this issue:

• New vulnerability in quartz.dll Quicktime parsing
• Microsoft Security Advisory 971778 Vulnerability in Microsoft DirectShow Released

On the Anti-Malware front, the Microsoft Malware Protection Center (MMPC) has added one new malware family: Win32/InternetAntivirus which is a fake online scanner that leads to a rogue downloader. For details, please refer to the MMPC Blog.

In the video below, Adrian Stone from the Microsoft Security Response Center (MSRC) and I go in to a little more detail on issues customers should be thinking about when considering the deployment of this month’s updates.

More viewing and listening options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

This month’s release addresses 31 total vulnerabilities with 15 rated as “1” on our Exploitability Index, meaning there is a high likelihood that reliable exploit code may be developed in the next 30 days.

Some of these vulnerabilities are already publicly known. For example, CVE-2009-1532 addresses the first IE 8 vulnerability. This vulnerability in a pre-release version of IE 8 was first revealed in March 2009 at CanSecWest in the Pwn2Own contest. In the final release, a mitigation was put in to place to protect against ASLR+DEP .NET bypass used in the contest, so right now, there is no known way to attack this issue in the default configuration of IE 8 on Windows Vista (see the write up in our Security Research & Defense blog for details). Regardless, MS09-019 addresses the underlying vulnerability which is rated as Critical on Windows XP and Windows Vista but due to IE 8’s built in mitigations, it only rates as a “3” for Windows Vista on the Exploitability Index while Windows XP is rated as “1”.

The IE 8 vulnerability does not affect Windows 7 RC (build 7100) but does affect Windows 7 Beta. Updates for beta versions of Windows 7 will be available via KB969897.

Customers running Windows 2000 domains should pay particular attention to MS09-018 as CVE-2009-1138 affects Windows 2000 domain controllers and LDAP server. This is a remote code execution vulnerability that is reachable over the network. While this vulnerability was privately disclosed, we give it a “1” on the Exploitability Index.Finally, the three Office related updates (Excel, Word and Works Converters) all have an aggregate severity rating of Critical due to the Office 2000 platform. All other affected platforms are rated as Important. If you are still on the Office 2000 platform, please note that it reaches the end of its product lifecycle on July 14, 2009. That is the last day we would release security updates for Office 2000 if there are any to release at that time.

As always, check the Security Research and Defense blog for additional technical information on these updates.  If you have questions or would like more information about this month’s release, please plan to attend our regularly scheduled security bulletin webcast tomorrow, Wednesday, June 10, 2009, at 11:00 a.m. PDT (UTC –7). Click HERE to register. 

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

May 10, 2009: Updated to correct third party ActiveX control company names.

Advance Notification for the June 2009 Security Bulletin Release

Today, we published our Advance Notification indicating that next Tuesday, June 9 at 10:00 a.m. PDT (UTC -8), we will be releasing a total of 10 security bulletins consisting of:

·         Six updates affecting Windows. Two Critical, three Important, and one Moderate.

·         One Critical update affecting Internet Explorer.

·         One Critical update affecting Word.

·         One Critical update affecting Excel.

·         One Critical update affecting Office.

You may have noticed that we are not announcing an update for the DirectShow vulnerability addressed in Security Advisory 971778. Our security teams are working hard on a security update that addresses this issue to protect customers, but we do not yet have an update that has reached the appropriate level of quality for broad distribution. We continue to monitor the situation closely and suggest customers follow the guidance provided in the advisory. This includes the “Fix It For Me” solution in the associated Knowledge Base article, which provides a quick and easy workaround to protect customers from possible attacks. If this doesn’t work in your environment, please reference the KB article for several other possible workarounds.

In addition to the new bulletins, we will also release updates for the remaining affected products in security bulletin MS09-017. In May, we released this bulletin with updates for the Windows platform due to active attacks and available updates for the entire platform to protect customers immediately. Updates for affected versions of Office for Mac and Microsoft Works had not yet reached the quality bar for release but will be ready to go on Tuesday. For more information on this decision, please reference last month’s MSRC and SRD blogs.

On release day, look for additional information on both this blog and the Security Research and Defense blog.  If you have questions or would like more information about this month’s release, please plan to attend our regularly scheduled security bulletin webcast on Wednesday, June 10, 2009, at 11:00 a.m. PDT (UTC –7). Click HERE to register.  

As always, this preliminary information is subject to change.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

We’ve just released Microsoft Security Advisory 971778 today. This discusses a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003 that is under limited attack. The advisory outlines information about the vulnerability and steps customers can take to protect themselves while we’re working on a security update to address the issue.

Our investigation has shown that the vulnerable code was removed as part of our work building Windows Vista. This means that Windows Vista and versions of Windows since Windows Vista (Windows Server 2008, Windows 7) are not vulnerable.

The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.

Our investigation has found three workarounds that you can implement to protect yourself and we’ve documented these in the security advisory.  In addition, we’ve got more technical details on the workarounds and the issue over at the Security Research and Defense (SRD) blog.

Most importantly, we have found one workaround in particular that is simple and effective and protects against the vulnerability with limited impact. In fact, this particular workaround is simple enough that we’ve been able to give you a way to automatically implement the workaround with the click of a button. Our Customer Service and Support (CSS) group has a new capability called “Fix it” that can automatically apply simple solutions to your system. We’ve gone ahead and built a “Fix it” that implements the “Disable the parsing of QuickTime content in quartz.dll” registry change workaround. We have also built a "Fix it" that will undo the workaround automatically.

To automatically implement the workaround, go to the KB article for the advisory. In the KB article, there’s a section titled “Fix it for me”. Click on the “Fix this problem” button under "Enable Workaround" in that section. You will then be offered an installer package from the Microsoft website. After you’ve confirmed that you trust the source of this package, run it on your system. The package will automatically set the appropriate registry keys on your system to implement the workaround. When you want to undo the workaround, click on the "Fix this problem" button under "Disable Workaround" in the same section.

We’re also sharing information about this vulnerability and the limited attacks that we’ve seen with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.

As always, we’ll continue monitoring the situation and providing more information through the security advisory and the MSRC weblog.

Thanks

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*

I wanted to let you know that we have just posted Microsoft Security Advisory (971492).

This advisory contains information regarding public reports of a vulnerability in Microsoft Internet Information Services (IIS) that could allow Elevation of Privilege.  Products affected are IIS 5.0, IIS 5.1, and IIS 6.0. The advisory contains guidance and workarounds that customers can use to help protect themselves. We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.

At this time, we are not aware of any known attacks that attempt to use this vulnerability.

An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.

Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

To better help understand the issue, Microsoft security experts have provided additional technical details on the Microsoft Security Research & Defense blog.

We have activated our Software Security Incident Response Process (SSIRP) and we are continuing to investigate this issue.  In addition, we are actively working with partners in the Microsoft Active Protections Program (MAPP) and the Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers. 

Christopher Budd

 *This posting is provided "AS IS" with no warranties, and confers no rights.*

In the May 2009 security bulletin webcast, we addressed several questions relating to MS09-017 in addition to questions about WSUS and MBSA. For those questions that came in after we concluded the webcast, we have provided answers in the published Q&A which you can find here:
http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-May-2009.aspx

Also, here is the link to the Q&A index page in case you want to view previous months:
http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

Here is the video of the session that includes our detailed look at the bulletin and the live questions and answers session:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Please join us for our next live webcast on June 10, 2009 at 11:00 am PDT (UTC –7). Follow this link to pre-register:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032395225

Hope to see you then!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Summary of Microsoft’s monthly security bulletin release for May 2009.

Today we released one security bulletin, MS09-017, affecting our PowerPoint products. This update addresses several vulnerabilities including the issue described in Microsoft Security Advisory 969136. In that advisory, we noted that we were aware of limited, targeted attacks.

The security of our customers is important to us and due to these active attacks, we have released the updates for one product line (all versions of Microsoft Office for Windows) so that the majority of our customers can protect their systems. We are able to do this because the updates were ready within the predictable release cycle for the entire product line. Updates for the additional products (Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5 and Microsoft Works 9.0) will be released when testing is complete and we can ensure high quality. When ready, we will revise the bulletin and notify customers.

Risk and Impact

To help with risk assessment and impact analysis, Microsoft provides detailed information in the vulnerability information section of the bulletin as well as the Exploitability Index. The aggregate severity of the bulletin is critical and we give it a 1 on the Exploitability Index which means consistent exploit code is likely (and indeed already in the wild for one vulnerability in this update). Of the 14 vulnerabilities being addressed, there are some things to note:

• We are only (currently) aware of active attacks against CVE-2009-0556.
• We are not aware (currently) of any active or reliable exploits of CVE-2009-0556 against affected versions of Office for Mac.
• Microsoft Office 2007, Microsoft Office 2008 for Mac, Microsoft Office PowerPoint Viewers, and Microsoft Works versions 8.5 and 9.0 do not contain the CVE-2009-0556 vulnerability.
• When we released Microsoft Security Advisory 969136 on April 2, 2009, both the Security Research & Defense and the Microsoft Malware Protection Center (MMPC) teams posted analysis to their blogs. This information provides valuable insight in to the active exploits.
• The bulletin is rated critical only for Microsoft Office PowerPoint 2000 SP3. All other versions have an aggregate rating of important.
• The only vulnerability that affects all products in the affected products list is CVE-2009-0224. This vulnerability was responsibly disclosed, is rated critical on Microsoft Office PowerPoint 2000 SP3 and important for all the other affected products.

Mitigations and Workarounds

For mitigations and workarounds, I will simply reiterate the information previously stated in the Security Research & Defense blog:

There are a couple workarounds you can apply in your environment to protect yourself from potential attacks. If your environment has mostly already migrated to using PPTX, you can temporarily disable the binary file format in your organization using the FileBlock registry configuration described in the MS09-017 security bulletin. Alternatively, you can temporarily force all legacy PowerPoint files to open in the Microsoft Isolated Conversion Environment (MOICE). The steps to enable MOICE are listed in the MS09-017 security bulletin.

More Information

In the following 8 minute video, I sit down with Adrian Stone from the MSRC to cover this release in a little more detail:

More viewing & listening options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

As always, our friends in the MSRC have provided further analysis in the Security Research and Defense blog so have a look at that and if you have questions, please join us for our regular live webcast tomorrow (Wednesday May 13, 2009) at 11:00 am PDT (UTC –7). Click HERE to register.

On the malware front, the Microsoft Malware Protection Center (MMPC) has added two new items to the Malicious Software Removal Tool (MSRT): Win32/Winwebsec and Win32/FakePowav.B. Customers can download the Malicious Software Removal Tool (MSRT) here. Additional details can also be found on the Microsoft Malware Protection Center blog.

Support

Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Thanks,

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

Summary of the May 2009 Advance Notification for the 5/12/2009 security bulletin release.

Today we are letting customers know that next week we will be releasing one security bulletin affecting Microsoft Office PowerPoint with an aggregate severity rating of critical. Customers should review the Advance Notification and prepare appropriately for deployment.

The update should not require a restart unless the updated files are in use at the time they are installed. Customers can also detect systems requiring the update using the Microsoft Baseline Security Analyzer. Note that since this is an Office related update, it will not be available via Windows Update but will be available through the Microsoft Update service.

We are also planning to release at least one high priority, non-security update and additional detections to the Microsoft Windows Malicious Software Removal Tool.

After the bulletin is released, look for additional information on both this blog and the Security Research and Defense blog.  If you have questions or would like more information about this month’s release, please plan to attend our regularly scheduled security bulletin webcast on Wednesday, May 13, 2009, at 11:00 am PDT (UTC –7). Click HERE to register.  

As always, this preliminary information is subject to change.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

Customers have heard us say over the years that the threat environment is an ever-evolving one. That means that one of our jobs in working to keep customers safe is to continually monitor the threat environment and make changes to adapt to it.

Today, we’re announcing modifications in Windows that adapts to recent changes in the threat environment. Specifically, we’re announcing changes to the behavior in AutoPlay so that it will no longer enable an AutoRun task for devices that are not removable optical media (CD/DVD.).  However, the AutoRun task will still be enabled for media like CD-ROM. There are more details on the change over at the Windows 7 blog as well as at the Security Research and Defense (SRD) blog.

The reason we’re making this change is that we’ve seen an increase, since the start of 2009, in malicious software abusing the current default AutoRun settings to propagate through removable media like USB devices. The best known malicious software abusing AutoRun is Conficker, but it’s not alone in that regard: there is other malicious software that abuses this feature. You can get more details on this change and others in the threat environment from the Microsoft Malware Protection Center’s blog.

Because we’ve seen such a marked increase in malicious software abusing AutoRun to propagate, we’ve decided that it makes sense to adjust the balance between security and usability around removable media. We’ve tried to be very measured in this adjustment to maximize both customer convenience and protection. Since non-writable media such as CD-ROMs generally aren’t avenues for malicious software propagation (because they’re not writable) we felt it made sense to keep the current behavior around AutoPlay for these devices and make this change only for generic mass storage class devices.

This change will be present in the Release Candidate build of Windows 7. In addition, we are planning to release an update in the future for Windows Vista and Windows XP that will implement this new behavior.

Thanks.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hi,

Hello again,

This is Jerry Bryant letting you know that we have published the security bulletin webcast video. As you know, on Tuesday, we published a quick overview of the 8 bulletins we released on that day. Yesterday we conducted a live, public webcast, where we went in to more detail on each bulletin. The recording from that webcast is embedded below. Usually we include the questions and answers portion along with this but this month we will point you to the transcript which should be published here by tomorrow.

More viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

As always, we encourage you to register for and attend our monthly bulletin webcasts by going to http://www.microsoft.com/technet/security/current.aspx where you will find the registration links and other valuable security update information.

Thanks!

Jerry Bryant

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Hello everyone,

As you can see from the April 2009 release summary, we addressed the Token Kidnapping issue with bulletin MS09-012.  This issue allowed an attacker to gain full control of a server if the attacker can first run malicious code on the server as a lesser privileged user.

This issue was originally presented by Cesar Cerrudo in March of 2008 at Hack in the Box (Dubai) 2008.  In April of 2008, we released an advisory to inform customers of actions they could take to protect themselves.  We also updated the advisory in October of 2008, alerting customers to the availability of proof-of-concept code that demonstrates how to attack systems using token kidnapping techniques. Today we’ve released an update that protects from these issues without having to deploy workarounds.  This release has been a long time in the making, so I wanted to take a moment and provide some insight into what it took to resolve this issue for customers.

First, what is Token Kidnapping? This is an elevation of privilege vulnerability that could allow an attacker to go from authenticated user to LocalSystem privileges.  An attacker can escalate their privileges on a system if they can control the SeImpersonatePrivilege token.  An attacker would need to be executing code in the context of a Windows service to use this exploit.  For a more detailed look at the issue, refer to the SRD blog found here.

This case presented some interesting challenges in preparing the update to address the issue.  First, there are two updates included in this bulletin.  The first update addresses service isolation, while the second addresses processes running as service accounts.  In order to secure these items, we took the work we did in Windows Vista to provide additional service hardening and implemented it in older operating systems like Windows XP, and Windows Server 2003.  These changes are low-level and deeply engrained in the OS.  When making these types of changes, many of the applications that have been written in the 5 to 10 years since the OS was released could be impacted as we are changing infrastructure.  Typically, we only change code to this degree in a service pack release to ensure it receives the proper level of testing. 

However, given the security risk, and even though we provided workarounds, we wanted to secure customers automatically.  So we made the changes, and then did extensive testing to ensure this update is high-quality and did not impact existing implementations. For this bulletin, we ran over 600,000 different test scenarios, with over 6,000 variations tested in one configuration alone.  We also needed to ensure we were not breaking 3^rd-party applications by introducing this change.  As a result, 2,500 application compatibility tests were also run.  In addition to this testing, we selected over 1,000 systems within Microsoft to test the update before we released, and some key customers signed NDAs to do even more testing in their lab environments to make sure we didn’t break Line-of-Business application scenarios.  One thing we did notice is that some 3^rd-party applications may need to be updated to receive the same security benefits provides by this update.  To facilitate this, the update also provides an infrastructure to 3^rd-parties to isolate and secure their services.  In Windows XP and Windows Server 2003, all processes running under the context of a single account will have full control over each other.  This update provides 3^rd-parties the ability to isolate and secure their services that hold SYSTEM token and run under the NetworkService or LocalService accounts. For more information on the usage of this registry key, see Microsoft Knowledge Base Article 956572.

While this update took some time to complete, our hope is that the majority of customers are protected either through the guidance we released a year ago or the update we released today.  It is never an easy process to bring infrastructure from a newer OS to an older OS, but we considered this an important enough issue to do so.  As you would expect, it wasn’t always an easy road, so I would like to thank all of the folks internally and externally that helped bring this update to the worldwide community.  Specifically, I’d like to thank the following people who were key contributors in bringing this update to the world:

• Cesar Cerrudo, Argeniss Information Security
• Bruce Dang, MSRC Engineering
• Nick Finco, MSRC Engineering
• Anoop KV, Windows Serviceability
• Vikas Mittal, Windows Serviceability

And special thanks go out to all of the many developers and testers who help made this release possible.

Thanks,

Dustin

MSRC

Links to related articles:

Service isolation explanation, SRD blog entry, Jonathan Ness, October, 2008  

Token Kidnapping in Windows, Nazim’s IIS Security Blog, Nazim Lala, October, 2008

*Postings are provided "AS IS" with no warranties, and confers no rights.*

Hi Everyone,

Jerry Bryant again. Here is the overview video for the April 2009 bulletins. Please join us tomorrow at 11:00 am PDT (UTC –7) for our bulletin webcast where we will cover this months updates in more detail and try to answer all of your bulletin related questions.

More viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*

We’ve seen some activity in the Conficker space in the past two days and this has caused some questions from customers. Specifically, there have been reports of two possible new variants of Conficker. Our colleagues over at the Microsoft Malware Protection Center (MMPC) have done a thorough analysis of both of these and have determined that there’s really only one new variant, which they’re calling Conficker.E. Most importantly, the signatures that protect against Conficker.A are also effective at protecting against Conficker.E. The other possible new variant is only a slightly modified version of Conficker.D and our Conficker.D signatures protect against it. Also, our virus encylopedia entry for Conficker.D has been updated to include information about this slightly modified version.

There’s more detailed information on Conficker.E on the MMPC blog and in the encyclopedia entry. But at a high level, this has similar propagation methods to Conficker.B (attempting to exploit MS08-067, attacking weak passwords on administrative shares and spreading via removable media like USB drives).  However, it also has instructions so that it will also delete itself on May 3, 2009.

The important thing is that our guidance for protecting yourself remains the same. If your systems and security software are fully updated, you don’t need to be concerned about Conficker.

As always, we’re continuing our work with the Conficker Working Group and will update you as we have new, important information.

Thanks.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*