As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, two of which are rated Critical in severity, nine Important and two Moderate.

These bulletins will increase protection by addressing 22 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the two critical updates:

• MS11-057 (Internet Explorer). This security update resolves five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Microsoft is not aware of any attacks leveraging the vulnerabilities addressed in this bulletin.
• MS11-058 (DNS Server). This security update resolves two privately reported vulnerabilities in Windows DNS server. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted Naming Authority Pointer (NAPTR) query to a DNS server. Servers that do not have the DNS role enabled are not at risk.

In this video, Jerry Bryant discusses this month's bulletins in further detail, focusing on these two bulletins:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page. In addition, the SRD blog today has more information on MS11-058’s Exploitability Index rating and on the month’s deployment priorities.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the June security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, August 10, 2011 at 11 a.m. PDT, and you can register here.

For all the latest information, please also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Angela Gunn
Trustworthy Computing.

The initial results are encouraging. As of May 2011, the number of infections found by the Malicious Software Removal Tool (MSRT) per scanned computer declined by 59 percent on Windows XP machines and by 74 percent on Windows Vista machines in comparison to the 2010 infection rates on those platforms. (Windows 7 had the updated Autorun settings built in by default.) For more details and statistics regarding the drop in Autorun-abusing malware infections, please see the Microsoft Malware Protection Center (MMPC) blog.

As we previously mentioned in the Advance Notification blog on Thursday, today we are releasing 16 security bulletins, nine of which are rated Critical, and seven of which are rated Important. There are four Critical-level updates that we want to call out as top priorities for our customers in June:

• MS11-042 (DFS). This bulletin resolves two privately reported issues affecting all versions of Windows.
• MS11-043 (SMB Client). This bulletin resolves one privately reported issue affecting all versions of SMB Client on Windows.
• MS11-050 (Internet Explorer). This security bulletin resolves 11 privately reported issues in Internet Explorer.
• MS11-052 (Windows). This bulletin resolves one privately reported issue in Windows and is also Critical.

We recommend that customers apply these and all other updates as soon as possible.

In this video, Jerry Bryant discusses this month's bulletins in further detail, focusing on these four bulletins:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view):

The Security Research & Defense team has further information on deployment priorities for today’s bulletins on their blog.

Meanwhile, our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view):

Since we’ve started specifying separate Exploitability Index ratings for the current and the earlier versions of products affected by each vulnerability, it’s easier to see how individual vulnerabilities affect newer products versus older ones. We assign Exploitability Index ratings solely to Critical- and Important-severity vulnerabilities, and there are 32 of those this month (the others are Moderate-level issues in MS11-050). Of those, 14 vulnerabilities have a lower Exploitability Index rating for the latest-and-greatest version of the software than for the older version, or the latest version isn’t affected at all. The remaining CVEs have no difference in severity between the versions.

More information about this month's security updates can be found on the Microsoft Security Bulletin Summary web page. Also this month, Microsoft is increasing MSRT detection capabilities for three worm families -- Win32/Rorpian, Win32/Yimfoca and Win32/Nugel. Please see today’s MMPC blog for more information.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, June 15, hosted by Jerry Bryant and Jonathan Ness. We invite you to tune in and learn more about the June security bulletins, as well as other announcements made today. The webcast is scheduled at 11 a.m. PDT, and the registration can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse. Also feel free to tweet the hash tag #MSFTSecWebcast and ask any questions you may have regarding the bulletins before Wednesday at 11am PDT. We’ll answer as many questions as possible live during the webcast.

Thanks,

Angela Gunn
Trustworthy Computing.

As for this month’s bulletins, today we’re providing Advance Notification Service information on 16 bulletins (nine Critical in severity, seven Important) addressing 34 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight and ISA.  All bulletins will be released on Tuesday, June 14, at approximately 10am PDT. Come back to this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

One of the issues we start to address in this release is “cookiejacking,” which allows an attacker to steal cookies from a user’s computer and access websites the user has logged into. The Internet Explorer bulletin will address one of the known vectors to the cookie folder. Given the prevalence of other types of social engineering methods in use by criminals, which provide access to much more than cookies, we believe this issue poses lower risk to customers. Further, based on a signature that has been released to millions of Microsoft Security Essentials and Forefront customers, the Microsoft Malware Protection Center (MMPC) has not detected attempts to use this technique.

We’re also preparing for our monthly technical webcast, which is scheduled for 11am PDT on Wednesday, 15 June. Your hosts this month will be Jerry Bryant and Jonathan Ness, and they’ll be discussing each of the bulletins and taking your questions live on the air. Register in advance for the webcast here.

As always, we encourage you to follow our Twitter feed at @msftsecresponse for the latest news from the Microsoft Security Response Center.

Thanks –

Angela Gunn
Trustworthy Computing.

Today, as part of our monthly security bulletin release, we have 12 bulletins addressing 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and IIS (Internet Information Services). Three bulletins are rated Critical, and these are the bulletins we recommend for priority deployment:  

o    MS11-003. This bulletin resolves three critical-level and moderate-level vulnerabilities affecting all versions of Internet Explorer. Due to existing mitigations, this bulletin is only rated at Moderate severity for all versions of Windows Server, has an Exploitability Index rating of 1, and will deprecate Security Advisory 2488013.

o    MS11-006. This bulletin addresses one Critical-level vulnerability affecting Windows XP, Vista, Server 2003, and Server 2008. Newer versions of our operating system are unaffected. The vulnerability involves Windows Shell Graphics and could if exploited lead to remote code execution. This has an Exploitability Index rating of 1 and will deprecate Security Advisory 2490606 which we released on January 4^th. Since that time, we have not seen any attacks against this issue.

o    MS11-007. This bulletin addresses one privately reported vulnerability affecting all supported versions of Windows and involving the OpenType Compact Font Driver. It's rated Critical for Windows Vista, Windows 7, Server 2008 and Server 2008 R2; it's rated Important for Windows XP and Server 2003.  This issue has an Exploitability Index rating of 2.

In this video, Jerry Bryant discusses this month's bulletins in further detail:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page. 

As mentioned, we are addressing Security Advisory 2488013 as part of the regularly scheduled Internet Explorer cumulative update. This Security Advisory and the zero-day disclosure on which it was predicated caused discussion in the security community, and some observers thought that we might be forced to release an out-of-band bulletin to protect customers. However, out-of-band releases are disruptive to customers and we try to avoid them where possible. Based on our capabilities to closely monitor the threat landscape, we were able to determine that attempts to attack this vulnerability were very low. With that information, we were able to extensively test a bulletin to be released as part of our regular bulletin cadence. The MMPC (Microsoft Malware Protection Center) blog has details about the telemetry we used to guide us. There we contrast this issue with telemetry from an out-of-band release last year to demonstrate why one was not needed here.

Also this month, we're updating Security Advisory 967940, "Update for Windows Autorun," to change how earlier versions of Windows handle security when reading "non-shiny" storage media. ("Shiny" storage media would include CD-ROMs and DVDs.) Windows 7 already disables Autorun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction. With the change to the Advisory, earlier versions of Windows that receive their updates automatically via Windows Update "AutoUpdate" will now gain that security-conscious functionality as well. We believe this is a huge step towards combating one of the most prevalent infection vectors used by malware such as Conficker.

Finally, we're excited to announce that changes are coming to the system we use for publishing our bulletins and security advisories - changes that will bring better integration with the wealth of other content on Technet and a richer experience for customers. We are expecting the changes to go live in the June 2011 timeframe. The main impact to customers will be a URL change from microsoft.com/technet/security to technet.microsoft.com/security. We are planning to have both the old and new sites available simultaneously for a period of time and will be providing more details in March.

Please join the monthly technical webcast with your hosts, Jerry Bryant and Jonathan Ness, to learn more about all the February 2011 security bulletins. The webcast is scheduled for Wednesday, February 9, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Trustworthy Computing.

Today we published the December 2010 Security Bulletin Webcast Questions & Answers page. We fielded 17 questions, most concerning the Internet Explorer update and the re-releases of bulletins this month. We invite our customers to join us for the next public webcast on Wednesday, January 12 at 11am PST (-8 UTC), when we will go into detail about the December bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, January 12, 2011
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks -

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

First, for December we're releasing 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Looking back over 2010, that brings the total bulletin count to 106, which is more bulletins than we have released in previous years. This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report. This isn't really surprising when you think about product life cycles and the nature of vulnerability research. Microsoft supports products for up to ten years. (One of our most popular operating systems from the turn of the century, XP SP2, reached its end-of-support life in mid-2010, in fact.) Vulnerability research methodologies, on the other hand, change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known.

At the end of the day, Microsoft's primary focus is to release reliable, high-quality updates to our customers.  Feedback from customers indicate that this is the most important factor in minimizing disruption and allowing them to deploy our updates quickly - even more important than the overall number of security updates. 

Back to this month's bulletins. We're addressing two issues this month that have attracted interest recently. First, we will be closing the last Stuxnet-related issues this month. This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware. We're also addressing the Internet Explorer vulnerability described in Security Advisory 2458511. Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low. Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP). On that note, I want to point you to a new post on the Security Research & Defense team blog describing the effectiveness of DEP and ASLR against the types of exploits we see in the wild today.  

We encourage customers to review this month's bulletins and to prioritize their installation according to the needs of their environment.  (And, of course, for most home users these updates will be installed automatically.)  If you have questions, join us next Wednesday (December 15) when Jonathan Ness and Jerry Bryant will host a live webcast covering the December bulletins. They'll go into detail about the release and answer your bulletin-related questions live on the air. Register at the link below:

Date: Wednesday, December 15
Time: 11:00 a.m. PST (UTC -8)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID= 1032454441

Thanks,

Mike Reavey
Director, MSRC

First, for December we're releasing 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Looking back over 2010, that brings the total bulletin count to 106, which is more bulletins than we have released in previous years. This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report. This isn't really surprising when you think about product life cycles and the nature of vulnerability research. Microsoft supports products for up to ten years. (One of our most popular operating systems from the turn of the century, XP SP2, reached its end-of-support life in mid-2010, in fact.) Vulnerability research methodologies, on the other hand, change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known.

At the end of the day, Microsoft's primary focus is to release reliable, high-quality updates to our customers.  Feedback from customers indicate that this is the most important factor in minimizing disruption and allowing them to deploy our updates quickly - even more important than the overall number of security updates. 

Back to this month's bulletins. We're addressing two issues this month that have attracted interest recently. First, we will be closing the last Stuxnet-related issues this month. This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware. We're also addressing the Internet Explorer vulnerability described in Security Advisory 2458511. Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low. Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP). On that note, I want to point you to a new post on the Security Research & Defense team blog describing the effectiveness of DEP and ASLR against the types of exploits we see in the wild today.  

We encourage customers to review this month's bulletins and to prioritize their installation according to the needs of their environment.  (And, of course, for most home users these updates will be installed automatically.)  If you have questions, join us next Wednesday (December 15) when Jonathan Ness and Jerry Bryant will host a live webcast covering the December bulletins. They'll go into detail about the release and answer your bulletin-related questions live on the air. Register at the link below:

Date: Wednesday, December 15
Time: 11:00 a.m. PST (UTC -8)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID= 1032454441

Thanks,

Mike Reavey
Director, MSRC

Today we released Security Advisory 2458511 to address a new vulnerability that could impact Internet Explorer users if they visit a website hosting malicious code. As of now, the impact of this vulnerability is extremely limited and we are not aware of any affected customers. The exploit code was discovered on a single website which is no longer hosting the malicious code. When a website is discovered to host malicious software, we work through legal channels to take the site down. These kinds of attempts to exploit systems and the people using technology are the activity of criminals. Microsoft takes this very seriously and where possible, we will take legal action against those responsible.

Internet Explorer 9 Beta users are not affected by this issue and any customers who wish to upgrade their browser to this version can do so freely at www.microsoft.com/ie. Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue. This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms. For supported versions of Windows running earlier versions of Internet Explorer, please review this blog post from our Security Research & Defense team describing how to enable DEP.

The Security Advisory also details a workaround that customers can apply that will protect all affected versions of IE from this issue. We are working to put have a Microsoft Fix it in place for easy implementation of the workaround. Our Security Research & Defense team has also provided a detailed write up on how the workaround protects against the vulnerability.

We have initiated our Software Security Incident Response Process (SSIRP) to manage this issue and are sharing detailed information through the Microsoft Active Protections Program (MAPP). Our 70 global MAPP partners, including leading providers of anti-virus and anti-malware products, provide protections for an estimated one billion customers worldwide. If your protection provider is in our MAPP program, you can contact them concerning the status of providing protections for this issue as it is likely that updated malware signatures in these products will offer further protection. For customers of Microsoft Security Essentials and our Forefront security products, new signatures will be published today offering additional protection. Internet Explorer 8 also includes SmartScreen technology which helps provide protection against many types of socially engineered malware and phishing attacks, and which earlier this year reached the milestone of blocking over 1 billion attempts to download malware. In certain circumstances, SmartScreen may also help to protect customers in this case.

We are working to develop a security update to address this attack against our customers. The issue does not meet the criteria for an out-of-band release. However, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.

As always, we encourage Internet users to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at: www.microsoft.com/protect.

Thank you,

Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group

Edited to add: The Fix it is available now from the Knowledge Base article for this Advisory.

Today, as part of our regular monthly security bulletin release cycle, we released 10 bulletins to address 34 total vulnerabilities in Windows, Microsoft Office (including SharePoint), Internet Explorer (IE), Internet Information Services (IIS), and the .NET Framework. Only three of these bulletins get our maximum severity rating of Critical. The rest are rated Important. However, we encourage customers to test and deploy all applicable security updates as soon as possible.

The three Critical bulletins get our highest deployment priority this month. Those are:

• MS10-033 is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file.
• MS10-034 is a cumulative update for ActiveX Kill Bits and is Critical on Windows 2000, XP, Vista, and Windows 7. There are two Microsoft controls we are applying Kill Bits for. Those are the Internet Explorer 8 Developer Tools control, and the Data Analyzer ActiveX control. The latter control is not installed by default. In addition, there are Kill Bits for four third-party controls. Please review the bulletin for additional details.
• MS10-035 is a cumulative update for Internet Explorer. Of the six vulnerabilities addressed in the bulletin, only one, an information disclosure vulnerability, is publicly known. This issue was identified in Security Advisory 980088. We remain unaware of any active attacks against this vulnerability.

In the video below, Adrian Stone and I go in to some detail on the three priority bulletins and explain why each should be at the top of your list to install:

Also, included below is the aggregate risk and impact slide for June. Note that we do not typically give an Exploitability Index rating for ActiveX Kill Bits but as stated, this update should be a high priority.

Here is our overall deployment priority information:

There are additional subtleties with specific bulletins that I want to discuss here to eliminate potential confusion:

• MS10-032 is an elevation of privilege issue in the affected Microsoft products. There is a potential remote vector if applications fail to properly request the length of the buffer when calling the affected API. All Microsoft applications make this call properly but there may be applications out there that do not. Regardless, installing this update addresses the issue for all vectors. See our Security Research & Defense (SRD) blog for more details on this one.
• MS10-036 is a COM validation update. The issue could result in an attack through ActiveX in Office applications. This is not a new attack vector but the underlying vulnerability is and the bulletin addresses it. For additional clarification, I want to point out that Office XP does not have the architecture needed for the update. However, for customers running Office XP on Windows XP or newer operating systems, we have made a shim available that protects against the vulnerability. The shim can be installed via a Microsoft FixIt which can be downloaded from KB983235.
• MS10-039 is a SharePoint related update, closing out Security Advisory 983438 which addressed an elevation of privilege vulnerability. We are not currently aware of any attacks against this issue.

As usual, our SRD team has written several blog posts that go in to details on some of this month's bulletins and I encourage customers to review those for additional insight: http://blogs.technet.com/b/srd.

If you have questions about the June bulletins, please attend our public webcast tomorrow which I will be hosting with Adrian Stone from the MSRC. We will go in to additional details on each bulletin and along with a room full of subject matter experts attempt to address all of your questions. Here's how to register:

When: Wednesday June 10, 2010 at 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032395226

I hope you can join us then.

Thanks!

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Today we published our advance notification for the June security bulletin release, scheduled for release next Tuesday, June 8. This month’s release includes ten bulletins addressing 34 vulnerabilities.

• Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important.
• Two bulletins, both with a severity rating of Important, affect Microsoft Office.
• One bulletin, again with a severity rating of Important, affects both Windows and Office.  
• One bulletin, with a severity rating of Critical, affects Internet Explorer.

As ever, we recommend that customers prepare for the testing and deployment of these bulletins as soon as possible.

We will also be acting on two Security Advisories this month.

• We are closing Security Advisory 983438 (Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege) with the June bulletins.
• We are also addressing Security Advisory 980088 (Vulnerability in Internet Explorer Could Allow Information Disclosure).

Please join Adrian Stone and me for a public webcast on Wednesday next week where we will go into detail about the bulletins and answer questions live on the air. Register at the link below:

Date: Wednesday June 9
Time: 11:00 a.m. PDT (UTC –7)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427727

Finally, we remind Windows 2000 and Windows XP SP2 customers once again that all support for these platforms will end after July 13, 2010 – that is, next month. Customers should upgrade to either a supported operating system or the latest service pack in order to keep receiving necessary security updates.

Thanks,

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse