Today, as part of our regular monthly security bulletin release cycle, we released 10 bulletins to address 34 total vulnerabilities in Windows, Microsoft Office (including SharePoint), Internet Explorer (IE), Internet Information Services (IIS), and the .NET Framework. Only three of these bulletins get our maximum severity rating of Critical. The rest are rated Important. However, we encourage customers to test and deploy all applicable security updates as soon as possible.

The three Critical bulletins get our highest deployment priority this month. Those are:

• MS10-033 is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file.
• MS10-034 is a cumulative update for ActiveX Kill Bits and is Critical on Windows 2000, XP, Vista, and Windows 7. There are two Microsoft controls we are applying Kill Bits for. Those are the Internet Explorer 8 Developer Tools control, and the Data Analyzer ActiveX control. The latter control is not installed by default. In addition, there are Kill Bits for four third-party controls. Please review the bulletin for additional details.
• MS10-035 is a cumulative update for Internet Explorer. Of the six vulnerabilities addressed in the bulletin, only one, an information disclosure vulnerability, is publicly known. This issue was identified in Security Advisory 980088. We remain unaware of any active attacks against this vulnerability.

In the video below, Adrian Stone and I go in to some detail on the three priority bulletins and explain why each should be at the top of your list to install:

Also, included below is the aggregate risk and impact slide for June. Note that we do not typically give an Exploitability Index rating for ActiveX Kill Bits but as stated, this update should be a high priority.

Here is our overall deployment priority information:

There are additional subtleties with specific bulletins that I want to discuss here to eliminate potential confusion:

• MS10-032 is an elevation of privilege issue in the affected Microsoft products. There is a potential remote vector if applications fail to properly request the length of the buffer when calling the affected API. All Microsoft applications make this call properly but there may be applications out there that do not. Regardless, installing this update addresses the issue for all vectors. See our Security Research & Defense (SRD) blog for more details on this one.
• MS10-036 is a COM validation update. The issue could result in an attack through ActiveX in Office applications. This is not a new attack vector but the underlying vulnerability is and the bulletin addresses it. For additional clarification, I want to point out that Office XP does not have the architecture needed for the update. However, for customers running Office XP on Windows XP or newer operating systems, we have made a shim available that protects against the vulnerability. The shim can be installed via a Microsoft FixIt which can be downloaded from KB983235.
• MS10-039 is a SharePoint related update, closing out Security Advisory 983438 which addressed an elevation of privilege vulnerability. We are not currently aware of any attacks against this issue.

As usual, our SRD team has written several blog posts that go in to details on some of this month's bulletins and I encourage customers to review those for additional insight: http://blogs.technet.com/b/srd.

If you have questions about the June bulletins, please attend our public webcast tomorrow which I will be hosting with Adrian Stone from the MSRC. We will go in to additional details on each bulletin and along with a room full of subject matter experts attempt to address all of your questions. Here's how to register:

When: Wednesday June 10, 2010 at 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032395226

I hope you can join us then.

Thanks!

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Hi everyone,

As mentioned in our ANS blog post last week, today we are releasing 13 bulletins addressing 26 vulnerabilities. 11 bulletins affect Windows and 2 affect older versions of Microsoft Office.

In the post on Thursday, we mentioned that bulletins in the ANS listed as 1, 2, 3, and 6 were going to top our deployment priority list this month. We have also added MS10-015 (#12) to that list. It addresses Security Advisory 979682. We are aware of publicly available Proof-of-Concept code for this issue, but are not aware of any active attacks at this time. Here is the mapping from the bulletin numbers in the ANS to the released bulletin ID’s:

ANS Bulletin Number	Actual Bulletin Number
1	MS10-006
2	MS10-007
3	MS10-008
4	MS10-009
5	MS10-012
6	MS10-013
7	MS10-003
8	MS10-004
9	MS10-010
10	MS10-011
11	MS10-014
12	MS10-015
13	MS10-005

As always, it is recommended that customers deploy all security updates as soon as possible. Of the bulletins released this month, customers should prioritize and deploy MS10-006, MS10-007, MS10-008, MS10-013, and MS10-015, given Critical severity ratings and/or Exploitability Index ratings of 1 (“Consistent Exploit Code Likely”).

MS10-013, which addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince the a user to open it.

MS10-006 is also Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.

MS10-007 addresses a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.

MS10-008 is the last one I will give some additional detail on. This is a cumulative update for ActiveX Killbits and is also Critical. You will notice in our Severity & Exploitability Index chart that we did not give this an Exploitability rating. That is because a Killbit is not an update that addresses the underlying vulnerability. It is a registry setting that keeps the vulnerable ActiveX control from running in Internet Explorer. We will give these an Exploitability rating of 1 if we are aware of active exploitation but in this case, we are not.

You can find more detailed information about these bulletins in several blog posts by our Security Research & Defense team at http://blogs.technet.com/srd.

With that, here are the Severity and Exploitability Index and Deployment Priority slides:

In the following video, Adrian Stone and I talk a little more about this month’s top priority bulletins:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

I would also encourage you to attend out public webcast tomorrow where we will go in to detail on all 13 bulletins. Here is the registration information:

Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

Hope you can join us!

Jerry Bryant
Sr. Security Communications Manager – Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Today we updated Security Advisory 979352 to let customers know that we are aware that exploit code for the vulnerability used in recent attacks against IE 6 users, has now been made public. Information on which versions of Internet Explorer are vulnerable and what customers can do to protect themselves is included in the updated Security Advisory.< ?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Our teams are continuing to work on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out-of-band.

Additionally our Security Research & Defense team has written up a blog with additional technical details on the exploit, the vulnerability, mitigations and workarounds.

We continue to recommend customers review the information in the Advisory, implement the workarounds and mitigations, consider updating to Internet Explorer 8 which includes important protections not present in IE 6, and follow the information on our Protect Your PC website.

Thanks,

Jerry Bryant

Senior Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Microsoft remains committed to taking the appropriate action to help protect our customers. We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with  protections against exploit of this vulnerability. Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.

It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture. In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.

Customers can also set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. You can find details on implementing these settings in the advisory.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY).  Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative http://support.microsoft.com/common/international.aspx.

We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.

The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

-Mike Reavey

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hi Everyone,

We hope that 2010 is off to a good start for you. For our first bulletin release of the New Year, we have one Critical bulletin affecting all versions of Windows. The bulletin, MS10-001, addresses one vulnerability in the Embedded OpenType Font Engine and is Critical on Windows 2000. For all other versions of Windows, the vulnerability gets a Low rating.

We’ve given the bulletin an aggregate rating of “2” on our Exploitability Index. This applies to Windows 2000 systems. All other systems are rated “3”. The vulnerable code is present on newer operating systems but through the Security Development Lifecycle (SDL), there are several mitigations in place that help prevent the likelihood of exploitation. Our Security Research & Defense (SRD) team has a great write up on this in their blog. We do recommend that customers evaluate and deploy this update as soon as possible. Especially those on Windows 2000.

The following risk and impact slide reflects the aggregate severity and exploitability index rating for this bulletin:

As you can see from our Deployment Priority slide, we give this a “2” based on the lower exploitability index rating and the Low severity and mitigations on most of the affected platforms:

We also want to mention that we re-released MS09-035, an Active Template Library (ATL) bulletin that was released out-of-band in July 2009. Today, we added Windows Embedded CE 6.0 to the affected products list. I want to be clear that this rerelease affects only developers and OEMs building applications on top of Windows Embedded CE 6.0 or producing devices that use the operating system. For end users, no action is required. The vulnerable components were found during our ongoing investigation around ATL and we determined there are no known attack vectors. The update package, KB974616, will only be offered through the Microsoft Download Center.

Additionally, we released Security Advisory 979267 to increase awareness among customers regarding reports of vulnerabilities in Adobe Flash Player 6 which shipped with Windows XP. Given support ended in 2006 for Adobe Flash Player 6, Microsoft and Adobe recommend that customers uninstall this version and/or update to the latest version of Adobe’s Flash Player. Customers should note that Adobe addressed these vulnerabilities in newer versions of its software.

There are multiple ways to remove Adobe Flash Player 6 on Windows XP systems. For directions on the manual steps required to remove Adobe Flash Player 6 visit http://kb2.adobe.com/cps/127/tn_12727.html. Adobe also provides an uninstaller tool that removes all versions of the Flash player which you can find here: http://kb2.adobe.com/cps/141/tn_14157.html. NOTE: the uninstaller tool removes all versions of Flash and is not specific to Adobe Flash Player 6.

Please view the following video for more information about the updates we released today:

More viewing and listening options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Today, we also added Win32/Rimecud to our Malicious Software Removal Tool (MSRT). This is a prevalent family of Worms that spread through fixed and removable drives in addition to Instant Messaging software.

For our live webcast tomorrow, I will be joined by Dustin Childs, security program manager with the Microsoft Security Response Center (MSRC), who manages many of the Windows security updates from initial report to releasing the update. We will go into the full details of this month’s bulletin release and encourage you to bring your questions where Dustin and I will cover them live on the air. Here are the registration details:

Date: Wednesday Jan 13
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427677

On a final note, I want to call out that this year we will reach end of life on three Windows products/Service Packs:

• Windows XP Service Pack 2 will no longer be supported as of July 13, 2010. Many customers are still on this version so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.
• Windows Vista RTM will no longer be supported as of April 13, 2010. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.
• Extended support for Windows 2000 will also be retired on July 13, 2010. At that time, we will no longer provide security or any other updated for Windows 2000.

It is important that customers stay current with the latest updates and Service Packs. For information on our support lifecycle policies and lifecycle information by product, please visit www.microsoft.com/lifecycle.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

As noted in our Advance Notification (ANS) last Thursday, for the December bulletin release we issued six security bulletins addressing 12 vulnerabilities. Affected products include Windows, Internet Explorer (IE) and Microsoft Office products.

In the ANS, we also noted that the bulletin for IE (MS09-072) is at the top of our deployment priority list this month. As you can see from our Severity and Exploitability Index slide (also referred to as the Risk and Impact slide), MS09-072 is the only bulletin this month that has both a Critical severity rating and our maximum Exploitability Index rating of 1. Of note, each of the five vulnerabilities addressed in this bulletin are Critical and each also have an Exploitability Index rating of 1. One of the vulnerabilities was the subject of Security Advisory 977981 due to public disclosure and affects IE 6 and IE 7 so customers running those versions should install this update as soon as possible.

The update for Active Directory Federation Services, MS09-070, is lower on the deployment list even though it has an Exploitability Index of 1. This is because an attacker would have to have valid logon credentials for the affected server in order to carry out an attack which gives this a severity rating of Important. The second critical vulnerability affecting Windows, MS09-071, is also lower in our deployment priority as indicated in the slide below. This is mainly due to an Exploitability Index rating of 2 which means that we do not expect to see reliable exploit code for the critical vulnerability within the first 30 days from bulletin release.

To follow up on something I mentioned in the ANS blog post, here is the promised table that maps the bulletin ID’s to the numbered bulletins from the ANS document that customers have asked us for:

Bulletin ID	Maps to bulletin number in the ANS
MS09-069	Bulletin 5
MS09-070	Bulletin 6
MS09-071	Bulletin 1
MS09-072	Bulletin 4
MS09-073	Bulletin 2
MS09-074	Bulletin 3

This month we also released two new advisories. The first one, 954157, concerns a Defense in Depth (DiD) update for the Indeo Codec. This update will go out through the Automatic Update system and applies to Windows XP and Windows Server 2003. The update blocks the codec from being used in IE and Windows Media Player in the Internet Zone and offers similar attack surface reduction as that built in to Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. For those not running any applications that use the Indeo Codec, you can unregister it to reduce overall attack surface which we recommend as a best practice, and have the exact same attack surface reduction as on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2

The other advisory, 974926, is the summary advisory for the work we have done around Extended Protection for Authentication. My colleague, MSRC program manager Maarten Van Horenbeeck, has written an extensive post on this subject on our Security Research & Defense blog.

Finally, we re-released MS08-037 for Windows 2000 SP4 systems. This is an Important class update that could result in spoofing. All Windows 2000 SP4 users should re-install the update to be fully protected from this issue.

As we do every month, Adrian Stone and I provide a quick overview of today’s updates in the video below.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

We also encourage all customers to join us tomorrow for our live webcast where we will go in to details on all of these bulletins and answer your questions while on the air. Registration information:

Date: Wednesday Dec. 9
Time: 11:00 a.m. PST (UTC -8)
Registration and event link: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032407802

Thank you!

Jerry Bryant

Additional Blog Resources:

• SRD Blog: Assessing the risk of the December security bulletins
• SRD Blog: Extended Protection for Authentication
• MMPC Blog: MSRT slices the Hamweq for Christmas

*This posting is provided "AS IS" with no warranties, and confers no rights*

Today, we released six security bulletins addressing a total of 15 vulnerabilities. Four affect Windows and Windows Server and two affect Microsoft Office products (Excel and Word).

As we do every month, we have prepared our Risk & Impact and our Deployment Priority guidance to help customers assess risk to their environments and prioritize the deployment of this month’s updates. Risk & Impact is a snapshot of the cumulative severity and exploitability index ratings for each bulletin. This month, MS09-065 is the only bulletin with a critical severity rating and an Exploitability Index rating of 1 (“Consistent Exploit Code Likely”). This bulletin provides updates for three vulnerabilities in Windows Kernel-Mode Drivers. We recommend customers prioritize and deploy this update immediately.

To better demonstrate the affected products and important aspects of MS09-065, I am including a more detailed overview slide (below). As you can see, only one of the three vulnerabilities (CVE-2009-2514) is critical. That vulnerability only affects Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 (it does not affect Windows Vista or Windows Server 2008 so if you are using either of these platforms, you can lower the deployment priority to a two). The vulnerability was publicly disclosed and could be used to create a malicious web page which could potentially exploit vulnerable systems just by visiting the website. The other two vulnerabilities are Elevation of Privilege (EoP) which would require the attacker to have valid logon credentials in order to be able to exploit.

The following deployment priority guidance is based on a combination of severity rating, exploitability index rating, available mitigations and workarounds and range of affected products. All customers should perform their own prioritization assessment as each environment is different and other factors may apply. Microsoft recommends that all security updates be deployed as soon as possible.

· MS09-063 affects Windows Vista and Windows Server 2008. There is a potential for unauthenticated remote code execution (RCE) but only from the local subnet. Attacks cannot originate from outside of the network. This mitigation along with the exploitability index rating of 2 lowers the deployment priority. Obviously, this is still a critical bulletin so customers should deploy as soon as possible.

· MS09-064 affects only Windows 2000 Server SP4. This one also has the potential for unauthenticated RCE between systems running the License Logging Service. This service is enabled by default on Windows 2000 Server so this deployment priority should be moved up for customers who have Windows 2000 servers on public-facing networks.

· MS09-067 and MS09-068 both have similar attack vectors. A user would have to open a maliciously crafted Excel or Word file developed to exploit these vulnerabilities. Users of Office XP or later will be prompted to Open, Save, or Cancel before opening a document. These mitigations lower the severity and deployment priority. However, users should never open file attachments they receive in emails from unknown sources and should always question attachments from known sources if they are unexpected.

Adrian Stone from the Microsoft Security Response Center (MSRC) and I give a brief overview of this month’s bulletin release in the video below.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

For more in-depth technical detail on MS09-063, MS09-064 and MS09-065, please visit our Security Research & Defense team blog at this link.

We also re-released MS09-045 and MS09-051. The former was re-released to add detection for users who may be running JScript 5.7 on Windows 2000 Service Pack 4 machines and the latter is a re-release of the update for Audio Compression Manager on Microsoft Windows 2000 Service Pack 4 to fix a detection issue.

As always, we encourage all customers to join us for our live security bulletin webcast which we conduct every month after release. Adrian and I will go in to detail on each bulletin and, along with a room full of subject matter experts, answer all of your questions live. So if you can, please join us tomorrow, Nov 11 at 11:00 a.m. PDT (UTC -8). You can register for the webcast at this link.

The last item I want to mention this month is that the Microsoft Malware Protection Center (MMPC) team has added Win32/fakevimes and Win32/privacycenter to the Windows Malicious Software Removal Tool (MSRT) this month. Please check their blog post for more information.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

This month, we released 13 new bulletins which address 33 vulnerabilities in Windows, Internet Explorer and Microsoft Office. Since we published this information in our advance notification (ANS) last Thursday, we have been asked “is this the most bulletins Microsoft has ever released”? The short answer to that question is yes. However, we have, on several occasions, released between 10 and 12 bulletins so this is business as usual. All of our updates go through extensive quality testing and when they reach the bar for broad distribution, we schedule them for release.

As we noted in the ANS last week, two of the updates address open Security Advisories. MS09-050 addresses the SMBv2 issue in Security Advisory 975497 and MS09-053 addresses the IIS issue discussed in Security Advisory 975191.

Another issue being addressed this month that has received some public attention has to do with security certificates used for authentication. The vulnerabilities being addressed by Security Bulletin MS09-056 could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. We are aware that a rogue certificate was distributed in a public forum but we are not aware of any attempts to use this to attack users.

Below is the severity summary and exploitability index for the 13 new bulletins. We also refer to this as the overall risk and impact summary. As you can see, eight of the bulletins have a rating of Critical. Of those eight, six have an exploitability index rating of 1, which means we believe it is highly likely that we will see exploit code in the wild within the first 30 days from the date of release.

To help with deployment planning, we started publishing our guidance (beginning last month) on which bulletins should be considered first for deployment. Obviously one size does not fit all and each customer will need to consider their own unique situations in addition to this guidance. Our approach is to take a combination of the severity, the exploitability index rating, the range of products affected, and potential mitigations to group these in to a priority 1, 2 or 3. Our Security Research & Defense team, who represent some of the best security researchers in the world, play a key role in this every month as well.

Most of this month’s updates require a restart, so please refer to the bulletins when you’re planning your deployment to ensure you’re fully protected. We want to specifically note that MS09-050 requires a restart but will not prompt you to do so if you install the update manually.

As we do every month, Adrian Stone and I provide a high-level overview of this month’s bulletin release in the following video:

Other listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

This month we are also re-releasing MS08-069, vulnerability in Microsoft XML Core Services could allow remote code execution (955218) to add detection for Windows 7 and Windows Server 2008 R2. This component does not ship with these platforms but many applications install it in order to use its functionality.

Finally, you may also notice a change in the severity rating since the advance notification for several versions of Windows in the .NET bulletin (MS09-061). We have elevated the severity of these products from Important to Critical. We do not typically make changes after the advance notification goes out but during our ongoing investigation to protect customers, we determined that this was the appropriate rating for these products when certain versions of the .NET Framework are installed on them.

We encourage all customers to join us tomorrow when Adrian and I will go in to detail on each bulletin and, along with a room full of subject matter experts, answer all of your questions live. So if you can, please join us at 11:00 a.m. PDT (UTC -7). You can register for the webcast at this link.

Thanks!

Jerry Bryant

Update – Resource links:

• Assessing the risk of the October security bulletins – Security Research & Defense blog
• MS09-051: A note on the affected platforms – Security Research & Defense blog
• MS09-050: Exploit timeline for SMB2 RCE vulnerability – Security Research & Defense blog
• MS09-054: Extra info on the attack surface for the IE security bulletin – Security Research & Defense blog
• MS09-061: More information about the .NET security bulletin – Security Research & Defense blog
• Scanti-ly Clad – Another Rogue Stripped by MSRT – Microsoft Malware Protection Center blog

Update (10/13) Changed the number of vulnerabilities addressed to 33 from 34. CVE-2009-2493 was counted in both MS09-055 and MS09-060.

*This posting is provided "AS IS" with no warranties, and confers no rights*

As we mentioned in the webcast, The MS09-048 bulletin has been updated to call out Windows XP in the affected products list with a severity rating of low for the two Denial-of-Service vulnerabilities (the third, Remote Code Execution vulnerability, does not affect XP). As stated in the bulletin, in the default configuration, Windows XP is not affected by any of the issues addressed by the bulletin. However, we heard from enterprise customers that custom configurations that put XP in a vulnerable state are in use so we updated the bulletin for clarity. Does this mean there will be an update for Windows XP? No and I will use the text from the bulletin to explain why:

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Concerning MS09-048 and Windows 2000, the scenario is very similar to Windows XP in that an attack requires a sustained flood of specially crafted TCP packets and the system will recover once the flood stops. Keeping Windows 2000 servers behind a NAT or reverse proxy can help to reduce risk.

In the last blog post I called out MS09-045 and MS09-047 as the highest priorities for deployment and while MS09-048 has received a lot of attention, we want to continue to stress getting those updates installed to all users.

This month we are leaving the Q and A out of the video because we have posted those questions to the blog and to keep the overall duration of the video down. If you like it this way or if you prefer us to leave that portion in, head over to the TechNet Edge site where we host the videos and leave your feedback there.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

Following the webcast we got feedback that folks liked the new deployment priority slide as well as the new detail slides for each bulletin. We appreciate the feedback and will keep looking for ways to improve the content.

Please plan on joining us for our next regularly scheduled webcast on October 13 at 11:00 a.m. Click HERE to register.

Thanks!

Jerry Bryant