Hi Everyone,

We hope that 2010 is off to a good start for you. For our first bulletin release of the New Year, we have one Critical bulletin affecting all versions of Windows. The bulletin, MS10-001, addresses one vulnerability in the Embedded OpenType Font Engine and is Critical on Windows 2000. For all other versions of Windows, the vulnerability gets a Low rating.

We’ve given the bulletin an aggregate rating of “2” on our Exploitability Index. This applies to Windows 2000 systems. All other systems are rated “3”. The vulnerable code is present on newer operating systems but through the Security Development Lifecycle (SDL), there are several mitigations in place that help prevent the likelihood of exploitation. Our Security Research & Defense (SRD) team has a great write up on this in their blog. We do recommend that customers evaluate and deploy this update as soon as possible. Especially those on Windows 2000.

The following risk and impact slide reflects the aggregate severity and exploitability index rating for this bulletin:

As you can see from our Deployment Priority slide, we give this a “2” based on the lower exploitability index rating and the Low severity and mitigations on most of the affected platforms:

We also want to mention that we re-released MS09-035, an Active Template Library (ATL) bulletin that was released out-of-band in July 2009. Today, we added Windows Embedded CE 6.0 to the affected products list. I want to be clear that this rerelease affects only developers and OEMs building applications on top of Windows Embedded CE 6.0 or producing devices that use the operating system. For end users, no action is required. The vulnerable components were found during our ongoing investigation around ATL and we determined there are no known attack vectors. The update package, KB974616, will only be offered through the Microsoft Download Center.

Additionally, we released Security Advisory 979267 to increase awareness among customers regarding reports of vulnerabilities in Adobe Flash Player 6 which shipped with Windows XP. Given support ended in 2006 for Adobe Flash Player 6, Microsoft and Adobe recommend that customers uninstall this version and/or update to the latest version of Adobe’s Flash Player. Customers should note that Adobe addressed these vulnerabilities in newer versions of its software.

There are multiple ways to remove Adobe Flash Player 6 on Windows XP systems. For directions on the manual steps required to remove Adobe Flash Player 6 visit http://kb2.adobe.com/cps/127/tn_12727.html. Adobe also provides an uninstaller tool that removes all versions of the Flash player which you can find here: http://kb2.adobe.com/cps/141/tn_14157.html. NOTE: the uninstaller tool removes all versions of Flash and is not specific to Adobe Flash Player 6.

Please view the following video for more information about the updates we released today:

More viewing and listening options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Today, we also added Win32/Rimecud to our Malicious Software Removal Tool (MSRT). This is a prevalent family of Worms that spread through fixed and removable drives in addition to Instant Messaging software.

For our live webcast tomorrow, I will be joined by Dustin Childs, security program manager with the Microsoft Security Response Center (MSRC), who manages many of the Windows security updates from initial report to releasing the update. We will go into the full details of this month’s bulletin release and encourage you to bring your questions where Dustin and I will cover them live on the air. Here are the registration details:

Date: Wednesday Jan 13
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427677

On a final note, I want to call out that this year we will reach end of life on three Windows products/Service Packs:

• Windows XP Service Pack 2 will no longer be supported as of July 13, 2010. Many customers are still on this version so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.
• Windows Vista RTM will no longer be supported as of April 13, 2010. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.
• Extended support for Windows 2000 will also be retired on July 13, 2010. At that time, we will no longer provide security or any other updated for Windows 2000.

It is important that customers stay current with the latest updates and Service Packs. For information on our support lifecycle policies and lifecycle information by product, please visit www.microsoft.com/lifecycle.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

This month, we released 13 new bulletins which address 33 vulnerabilities in Windows, Internet Explorer and Microsoft Office. Since we published this information in our advance notification (ANS) last Thursday, we have been asked “is this the most bulletins Microsoft has ever released”? The short answer to that question is yes. However, we have, on several occasions, released between 10 and 12 bulletins so this is business as usual. All of our updates go through extensive quality testing and when they reach the bar for broad distribution, we schedule them for release.

As we noted in the ANS last week, two of the updates address open Security Advisories. MS09-050 addresses the SMBv2 issue in Security Advisory 975497 and MS09-053 addresses the IIS issue discussed in Security Advisory 975191.

Another issue being addressed this month that has received some public attention has to do with security certificates used for authentication. The vulnerabilities being addressed by Security Bulletin MS09-056 could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. We are aware that a rogue certificate was distributed in a public forum but we are not aware of any attempts to use this to attack users.

Below is the severity summary and exploitability index for the 13 new bulletins. We also refer to this as the overall risk and impact summary. As you can see, eight of the bulletins have a rating of Critical. Of those eight, six have an exploitability index rating of 1, which means we believe it is highly likely that we will see exploit code in the wild within the first 30 days from the date of release.

To help with deployment planning, we started publishing our guidance (beginning last month) on which bulletins should be considered first for deployment. Obviously one size does not fit all and each customer will need to consider their own unique situations in addition to this guidance. Our approach is to take a combination of the severity, the exploitability index rating, the range of products affected, and potential mitigations to group these in to a priority 1, 2 or 3. Our Security Research & Defense team, who represent some of the best security researchers in the world, play a key role in this every month as well.

Most of this month’s updates require a restart, so please refer to the bulletins when you’re planning your deployment to ensure you’re fully protected. We want to specifically note that MS09-050 requires a restart but will not prompt you to do so if you install the update manually.

As we do every month, Adrian Stone and I provide a high-level overview of this month’s bulletin release in the following video:

Other listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

This month we are also re-releasing MS08-069, vulnerability in Microsoft XML Core Services could allow remote code execution (955218) to add detection for Windows 7 and Windows Server 2008 R2. This component does not ship with these platforms but many applications install it in order to use its functionality.

Finally, you may also notice a change in the severity rating since the advance notification for several versions of Windows in the .NET bulletin (MS09-061). We have elevated the severity of these products from Important to Critical. We do not typically make changes after the advance notification goes out but during our ongoing investigation to protect customers, we determined that this was the appropriate rating for these products when certain versions of the .NET Framework are installed on them.

We encourage all customers to join us tomorrow when Adrian and I will go in to detail on each bulletin and, along with a room full of subject matter experts, answer all of your questions live. So if you can, please join us at 11:00 a.m. PDT (UTC -7). You can register for the webcast at this link.

Thanks!

Jerry Bryant

Update – Resource links:

• Assessing the risk of the October security bulletins – Security Research & Defense blog
• MS09-051: A note on the affected platforms – Security Research & Defense blog
• MS09-050: Exploit timeline for SMB2 RCE vulnerability – Security Research & Defense blog
• MS09-054: Extra info on the attack surface for the IE security bulletin – Security Research & Defense blog
• MS09-061: More information about the .NET security bulletin – Security Research & Defense blog
• Scanti-ly Clad – Another Rogue Stripped by MSRT – Microsoft Malware Protection Center blog

Update (10/13) Changed the number of vulnerabilities addressed to 33 from 34. CVE-2009-2493 was counted in both MS09-055 and MS09-060.

*This posting is provided "AS IS" with no warranties, and confers no rights*

As we mentioned in the webcast, The MS09-048 bulletin has been updated to call out Windows XP in the affected products list with a severity rating of low for the two Denial-of-Service vulnerabilities (the third, Remote Code Execution vulnerability, does not affect XP). As stated in the bulletin, in the default configuration, Windows XP is not affected by any of the issues addressed by the bulletin. However, we heard from enterprise customers that custom configurations that put XP in a vulnerable state are in use so we updated the bulletin for clarity. Does this mean there will be an update for Windows XP? No and I will use the text from the bulletin to explain why:

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Concerning MS09-048 and Windows 2000, the scenario is very similar to Windows XP in that an attack requires a sustained flood of specially crafted TCP packets and the system will recover once the flood stops. Keeping Windows 2000 servers behind a NAT or reverse proxy can help to reduce risk.

In the last blog post I called out MS09-045 and MS09-047 as the highest priorities for deployment and while MS09-048 has received a lot of attention, we want to continue to stress getting those updates installed to all users.

This month we are leaving the Q and A out of the video because we have posted those questions to the blog and to keep the overall duration of the video down. If you like it this way or if you prefer us to leave that portion in, head over to the TechNet Edge site where we host the videos and leave your feedback there.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

Following the webcast we got feedback that folks liked the new deployment priority slide as well as the new detail slides for each bulletin. We appreciate the feedback and will keep looking for ways to improve the content.

Please plan on joining us for our next regularly scheduled webcast on October 13 at 11:00 a.m. Click HERE to register.

Thanks!

Jerry Bryant