Today, as part of our regular monthly security bulletin release cycle, we released 10 bulletins to address 34 total vulnerabilities in Windows, Microsoft Office (including SharePoint), Internet Explorer (IE), Internet Information Services (IIS), and the .NET Framework. Only three of these bulletins get our maximum severity rating of Critical. The rest are rated Important. However, we encourage customers to test and deploy all applicable security updates as soon as possible.

The three Critical bulletins get our highest deployment priority this month. Those are:

• MS10-033 is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file.
• MS10-034 is a cumulative update for ActiveX Kill Bits and is Critical on Windows 2000, XP, Vista, and Windows 7. There are two Microsoft controls we are applying Kill Bits for. Those are the Internet Explorer 8 Developer Tools control, and the Data Analyzer ActiveX control. The latter control is not installed by default. In addition, there are Kill Bits for four third-party controls. Please review the bulletin for additional details.
• MS10-035 is a cumulative update for Internet Explorer. Of the six vulnerabilities addressed in the bulletin, only one, an information disclosure vulnerability, is publicly known. This issue was identified in Security Advisory 980088. We remain unaware of any active attacks against this vulnerability.

In the video below, Adrian Stone and I go in to some detail on the three priority bulletins and explain why each should be at the top of your list to install:

Also, included below is the aggregate risk and impact slide for June. Note that we do not typically give an Exploitability Index rating for ActiveX Kill Bits but as stated, this update should be a high priority.

Here is our overall deployment priority information:

There are additional subtleties with specific bulletins that I want to discuss here to eliminate potential confusion:

• MS10-032 is an elevation of privilege issue in the affected Microsoft products. There is a potential remote vector if applications fail to properly request the length of the buffer when calling the affected API. All Microsoft applications make this call properly but there may be applications out there that do not. Regardless, installing this update addresses the issue for all vectors. See our Security Research & Defense (SRD) blog for more details on this one.
• MS10-036 is a COM validation update. The issue could result in an attack through ActiveX in Office applications. This is not a new attack vector but the underlying vulnerability is and the bulletin addresses it. For additional clarification, I want to point out that Office XP does not have the architecture needed for the update. However, for customers running Office XP on Windows XP or newer operating systems, we have made a shim available that protects against the vulnerability. The shim can be installed via a Microsoft FixIt which can be downloaded from KB983235.
• MS10-039 is a SharePoint related update, closing out Security Advisory 983438 which addressed an elevation of privilege vulnerability. We are not currently aware of any attacks against this issue.

As usual, our SRD team has written several blog posts that go in to details on some of this month's bulletins and I encourage customers to review those for additional insight: http://blogs.technet.com/b/srd.

If you have questions about the June bulletins, please attend our public webcast tomorrow which I will be hosting with Adrian Stone from the MSRC. We will go in to additional details on each bulletin and along with a room full of subject matter experts attempt to address all of your questions. Here's how to register:

When: Wednesday June 10, 2010 at 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032395226

I hope you can join us then.

Thanks!

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Today we published our advance notification for the June security bulletin release, scheduled for release next Tuesday, June 8. This month’s release includes ten bulletins addressing 34 vulnerabilities.

• Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important.
• Two bulletins, both with a severity rating of Important, affect Microsoft Office.
• One bulletin, again with a severity rating of Important, affects both Windows and Office.  
• One bulletin, with a severity rating of Critical, affects Internet Explorer.

As ever, we recommend that customers prepare for the testing and deployment of these bulletins as soon as possible.

We will also be acting on two Security Advisories this month.

• We are closing Security Advisory 983438 (Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege) with the June bulletins.
• We are also addressing Security Advisory 980088 (Vulnerability in Internet Explorer Could Allow Information Disclosure).

Please join Adrian Stone and me for a public webcast on Wednesday next week where we will go into detail about the bulletins and answer questions live on the air. Register at the link below:

Date: Wednesday June 9
Time: 11:00 a.m. PDT (UTC –7)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427727

Finally, we remind Windows 2000 and Windows XP SP2 customers once again that all support for these platforms will end after July 13, 2010 – that is, next month. Customers should upgrade to either a supported operating system or the latest service pack in order to keep receiving necessary security updates.

Thanks,

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Last week Adrian Stone and I conducted a webcast to cover the Internet Explorer out-of-band security bulletin release. We only spent a short period of timing on the presentation and then spent the rest of the time answering customer questions which you can read here.

There were some interesting questions and hopefully those who attended came away with a better understanding about how to better protect themselves from emerging threats. One resource we referred customers to several times is a new blog post by the Microsoft Malware Protection Center (MMPC) where they chart attacks against CVE2010-0806 by local:

http://blogs.technet.com/mmpc/archive/2010/03/30/active-exploitation-of-cve-2010-0806.aspx

To be clear, this data comes from attempted exploits of the vulnerability against customers who are protected by Microsoft security products such as Microsoft Security Essentials and Microsoft Forefront Client Security, etc. In these cases, the exploit failed because mitigating signatures are in place (see article for details). One of the questions we got in the webcast was:

“If my malware protection is updated and covers this vulnerability, am I covered throughout the normal update cycle?”

This would only be true for known exploits and not the vulnerability itself. Once we find a new exploit, the MMPC can develop and deploy a signature for it. Applying the update addresses the vulnerability itself and is why we recommend that as the priority in addition to upgrading to the latest version of Internet Explorer (IE8) if you have not done so already.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Our next regularly scheduled bulletin release is Tuesday April 13, so that means we will be conducting another public webcast on April 14. We invite you to attend that webcast and bring any questions you have regarding the April release and we will try to answer them all live on the air. Here is the registration information:

Date: Wednesday April 14
Time: 11:00 a.m. PDT (UTC –8)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427721

Thanks!

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

*This posting is provided "AS IS" with no warranties, and confers no rights*

Today we released MS10-018 out-of-band due to increases in attacks against Internet Explorer 6 and Internet Explorer 7 using the vulnerability discussed in Security Advisory 981374. I want to reiterate that Internet Explorer 8 is not affected by this issue so customers using this version are not affected by these attacks and we continue to encourage customers to upgrade to the newer version because it provides more security and protection.

MS10-018 is a typical cumulative update for Internet Explorer and was originally going to be released during the normal update cycle on the 13^th of April. The Internet Explorer team accelerated testing of this update due to the growing attacks against the publicly disclosed vulnerability (CVE-2010-0806), and the update has reached the appropriate quality bar for distribution to customers. Releasing the update early provides Internet Explorer 6 and 7 customers protection against the active attacks and provides users of all versions of Internet Explorer protection against nine other vulnerabilities. I clarify this in the following video:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Here is a simplified view of the ten vulnerabilities and their aggregate severity on Internet Explorer 6, 7, and 8:

* Vulnerability under active attack.

This table demonstrates what we have been saying about the improved security and protection offered in Internet Explorer 8 and why we continue to encourage customers to upgrade.

Since we announced yesterday that we would be releasing this bulletin out-of-band, we have been asked if it addresses the vulnerability that was used in the “pwn2own” contest at the CanSecWest security conference last week. We are still investigating that issue at this time so we do not have an update available. In accordance with the contest rules, the vulnerabilities used are responsibly disclosed so that the respective vendors can produce updates to protect their customers before the vulnerabilities can be used by criminals. Microsoft continues to encourage responsible disclosure and we are a sponsor of the CanSecWest conference because we believe in working closely with security researchers to protect customers and the entire computing ecosystem.

If you can, please join Adrian Stone and I today for a live webcast where we will cover the details of this bulletin and take customer questions live. Here is the registration information:

Date: Tuesday March 30, 2010
Time: 1:00 p.m. PST (UTC -8)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032448112

Jerry Bryant
Group Manager – Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights*

< ?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> 

Please join us Tuesday, March 30 at 1:00 p.m. PST (UTC -8) for a public webcast where we will present information on the bulletin and take customer questions. Registration information:

Date: Tuesday March 30, 2010
Time: 1:00 p.m. PST (UTC -8)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032448112

More information about the upcoming security bulletin can be found Microsoft’s Advance Notification Service (ANS) webpage.

Thanks,

Jerry Bryant
Group Manager – Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights*

I’m writing to let you know that we have updated Security Advisory 981374 with new workaround information. We are aware that exploit code has been made public for this issue. As with our last update, Internet Explorer 8 remains unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version.

On Wednesday we added a workaround to the advisory that helps to mitigate the vulnerability by disabling the peer factory class through the modification of a registry key. With today’s update, we have added a Microsoft Fix It to automate this workaround for Windows XP and Windows Server 2003 customers. As always, customers should test this thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.

We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs.

Please review the advisory for more information. We will keep you posted as additional information becomes available.

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Today we released Security Advisory 981374 addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is not affected by this issue. Customers using Internet Explorer 6 or 7 should upgrade to Internet Explorer 8 immediately to benefit from the improved security features and defense in depth protections. Additionally, Internet Explorer 5.01 on Windows 2000 is not affected.

< ?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> 

At this time, we are aware of targeted attacks seeking to exploit this vulnerability against Internet Explorer 6. Internet Explorer Protected Mode in Internet Explorer 7 running on Windows Vista helps to mitigate the impact of this issue. Additionally, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. Please review the Security Advisory for additional workarounds which include modifying the Access Control List (ACL) on iepeers.dll (the affected component), setting the Internet and local Intranet security zones to "high", configuring Internet Explorer to prompt before running Active Scripting, and enabling Data Execution Prevention (DEP) where possible which makes it difficult to successfully exploit the vulnerability.

As always, we are investigating this issue and will take appropriate action to protect customers when we have finalized a solution. This may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY).  Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative http://support.microsoft.com/common/international.aspx.

We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.

The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

Please review the advisory for additional details and if the situation changes, we will provide an update here on the MSRC blog.

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

On Friday 2/26/2010, an issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box. We are not aware of any attacks seeking to exploit this issue at this time and in the current state of our investigation, we have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue.

The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as “unsafe file types”. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. To help customers better understand unsafe file types, we have published a white paper on the topic which you can find by clicking this link.

Once we have completed our investigation, we will take appropriate action to protect customers. To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors without further disclosure helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country.  Those in the United States can contact Customer Service and Support at no charge (for computer security related issues) using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Customers outside of the United States can visit http://support.microsoft.com/international to find local support information.

We continue to encourage customers to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at: www.microsoft.com/protect.

We will provide more information on this issue as it becomes available.

Thanks,

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Today we updated Security Advisory 979352 to let customers know that we are aware that exploit code for the vulnerability used in recent attacks against IE 6 users, has now been made public. Information on which versions of Internet Explorer are vulnerable and what customers can do to protect themselves is included in the updated Security Advisory.< ?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Our teams are continuing to work on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out-of-band.

Additionally our Security Research & Defense team has written up a blog with additional technical details on the exploit, the vulnerability, mitigations and workarounds.

We continue to recommend customers review the information in the Advisory, implement the workarounds and mitigations, consider updating to Internet Explorer 8 which includes important protections not present in IE 6, and follow the information on our Protect Your PC website.

Thanks,

Jerry Bryant

Senior Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*