As you know, we work closely with our MAPP partners to share information on issues as they arise, thus extending protections to the greatest possible number of computers on the Internet. As of our most recent Security Advisory, we’ve started a new process of listing the partners who have confirmed that they released protection within 96 hours after the advisory release on a special Web page.   Naturally not every Advisory applies to every partner, so we do not expect them all to report protections in place for every individual Advisory.   

Meanwhile, in a minor procedural note, those of you who prefer to print out the bulletins and have missed that functionality in recent months will be pleased to hear it’s back. Look for the small grey printer icon at the upper right corner of the bulletin.

Today we’re releasing our advance notification for the December security bulletin release, which is scheduled for Tuesday, December 13. This month’s release comprises 14 bulletins addressing 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Microsoft Publisher, and Windows Media Player. All 14 bulletins will be released on Tuesday, December 13 at around 10 a.m. PST. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release. We’ll also be looking at some interesting trends in bulletin releases over the course of 2011, with insight on those from MSRC Senior Director Mike Reavey.

As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Please join Jonathan Ness and Jerry Bryant for our public webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. Register at the link below:

Date: Wednesday, December 14
Time: 11:00 a.m. PST (UTC –8)
Registration:  https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032487961&culture=en-us

Thanks,

Angela Gunn
Trustworthy Computing.

Follow us on Twitter: @MSFTSecResponse

Today we released Security Advisory 2416728 describing a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework. At this time we are not aware of any attacks using this vulnerability and we encourage customers to review the advisory for mitigations and workarounds. Our Security Research & Defense team has written a blog post to explain how the workarounds work and have provided a script to help administrators determine if they have ASP.NET applications in vulnerable configurations.

We are continuing to investigate this issue and will update customers with new information as it becomes available as well as the MSRC blog. We are also working closely with our Microsoft Active Protections Program (MAPP) to help our partners build protections when and where possible.

We continue to encourage security researchers to coordinate vulnerability disclosure with software vendors. We believe public disclosure before a comprehensive update can be produced only leads to customer risk through criminal activity.

Thank you,

Jerry Bryant
Group Manager, Response Communications

With this month's bulletin release, I want to highlight the great work done through our partnerships in the Microsoft Active Protections Program (MAPP). MAPP represents our commitment to community based defense and a shared sense of responsibility to help protect the computing ecosystem. In July of this year, the Stuxnet malware emerged onto the threat landscape and resulted in the release of an out-of-band security update, MS10-046, to address a zero-day vulnerability the malware used to compromise systems. Additionally, we updated the Microsoft Malicious Software Removal Tool (MSRT) in August to remove Stuxnet and we are able to report that according to our telemetry, the threat has gone way down from the spike we saw in early August. 

Since that time, Microsoft and partners in our MAPP program have continued to investigate this extremely complex malware. Today, we are releasing MS10-061 to address another vulnerability first discovered and reported to us by Kaspersky Lab and then later by Symantec. This vulnerability in the Print Spooler Service is rated Critical for Windows XP and Important on all other affected platforms and is used by Stuxnet to spread to systems inside the network where the Print Spooler service is exposed without authentication.

In addition, Microsoft researchers uncovered two additional Elevation of Privilege (EoP) vulnerabilities (one of which was also reported to us by Kaspersky, and later independently confirmed by Symantec) used by the malware to gain full control of the infected system. One of these EoP vulnerabilities affects Windows XP and the other affects Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. These are local EoP issues which means that an attacker, in this case Stuxnet, already has permission to run code on the system or has compromised the system through some other means. We are currently working to address both issues in a future bulletin.

We want to thank both Kaspersky Lab and Symantec for their collaboration in uncovering these vulnerabilities and for coordinating with us to protect customers. This is what community based defense is all about.

As we look at our other high priority bulletins for this month, I would like to emphasize the fact that there are no critical bulletins for Windows 7 or Windows Server 2008 R2. This is due to security enhancements such as additional heap mitigations built into the newer operating systems. Additionally, this month's Office bulletin does not affect Office 2010. I will also state that we are still investigating and working on updates for public issues that do affect these platforms. We want customers to know that we continue to work hard to address these issues and that our efforts to produce comprehensive updates and release them in a predictable manner is something that comes "in the box" when you buy our software.

As you can see from our aggregate severity and exploitability index chart below, there are two bulletins that are both Critical and have an exploitability index rating of 1. The first is MS10-061 that I discussed above and the second, MS10-062, involves a vulnerability in the MPEG-4 codec affecting supported versions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This issue can be exploited if a user opens a specially crafted media file or receives streaming content from the web.

The remaining bulletins are given a 2 or a 3 in our deployment priority list. This guidance is intended to help customers prioritize bulletin deployment and is based on several factors including severity, exploitability, breadth of platforms, and available mitigations and workarounds. Since every environment is different, we do recommend that customers evaluate accordingly and apply the updates as soon as possible.

In the video below, Adrian Stone and I give an overview of this month’s bulletin release and discuss why we have prioritized the bulletins the way we did. 

Please join Adrian and me tomorrow, September 15, at 11:00 a.m. PDT (UTC -7) for a public webcast where we will go into more details about these bulletins. We will also have a room full of subject matter experts standing by to help answer all of your questions during the session. You can register here:

https://msevents.microsoft.com/CUI/Register.aspx?culture=en-US&EventID=1032454433

We will also release two security advisories this month:

• Security Advisory 2401593, which describes a vulnerability affecting Outlook Web Access (OWA) that may affect Microsoft Exchange customers to gain elevation of privilege. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session.

• Security Advisory 973811, is an updated Advisory enabling Outlook Express and Windows Mail to opt in to Extended Protection for Authentication.

Finally, this month, we also released an update for the User Profile Hive Cleanup Service. This is an optional tool for Windows 2000, Windows XP and Windows Server 2003 that simplifies user management. The tool is not formally supported by Microsoft, but as it's a common tool to many system administrators, we released a new version to address a security vulnerability reported by a security researcher. More information can be found on the UPHClean blog.

Thanks!

Jerry Bryant
Group Manager, Response Communications

We all know Black Hat can be a tough crowd, and wearing the blue badge can at times amplify that - making the positive response really pleasant. But it wasn't altogether unexpected.  Each of the then-new programs-the Microsoft Active Protections Program (MAPP), Microsoft Exploitability Index and Microsoft Vulnerability Research (MSVR)-were fueled by, and designed to address, customer needs.  And recognizing the collaborative nature of two of the programs, we'd spent months getting feedback and support within the community, from customers to vendors to researchers, to get into a position to make the announcements that day. 

Today, the MSRC released its second annual progress report on those programs-"Building a Safer, More Trusted Internet through Information Sharing"-and we're excited to share the results.

Some highlights:

• MAPP now has 65 members worldwide, providing protections for hundreds of millions of customers.
• MSVR identified and privately coordinated vulnerabilities with 32 and 19 vendors in the first and second years of operations respectively.
• Of the 349 Exploitability Index ratings provided for vulnerabilities resolved by Microsoft, there has been only one revision, which involved a reduction in risk assessment severity.

Speaking of the success and impact of MAPP, we couldn't be more thrilled with the announcement today that Adobe Systems Incorporated will begin sharing early warning details on their vulnerabilities through MAPP beginning this fall. Two years ago, there was broad feedback throughout the industry-from analysts, customers, and partners-that MAPP was a game-changer, shifting competitive advantage away from the bad guys (criminals, attackers) to the good guys (protection providers, customers). For the first time, protection providers were able to operate together on a massive scale, developing and preparing protections for their customers to be made available upon release of Microsoft security vulnerabilities -- and ahead of the exploits developed by attackers. Today, we believe the same game has been raised a level with Adobe helping to advance protection time, giving an upper hand to the global network of defenders in the battle against online crime.

Many of you have already read Matt Thomlinson's introduction last week of our new policy of coordinated vulnerability disclosure and Katie Moussouris' expansion on the concept and the need for reframing the community's approach and mindset from the subjective language of "responsible" to the collaborative label of "coordinated." I don't intend to rehash that here, except to say that we look forward to continuing the dialogue on this new policy at Black Hat and beyond. This move didn't happen overnight as we believe it is reflective of a broader groundswell within the community that's been underway for some time. We're encouraged by the overwhelming volume of support behind the shift as evidenced in Katie's post and in interactions and response since then.

Even with more concerted attention on community-based defense and this growing sense of shared responsibility throughout the security community, attackers will still continue to case systems and applications looking for vulnerabilities. The stakes are high and criminals won't relent.  So today, we're also announcing the Enhanced Mitigation Experience Toolkit (EMET). 

EMET is a free tool that provides a way for IT professionals to add some of the latest security mitigations -- such as DEP, mandatory ASLR and export address table (EAT) filtering -- to software to protect against exploits of vulnerabilities.  It helps harden existing applications from current exploit techniques without requiring any recoding. Look for an SRD blog post in August announcing availability of the new toolkit on the Microsoft Download Center.

More details on each of these announcements can be found at our Black Hat Press Site: http://www.microsoft.com/presspass/events/blackhat/.

Every Black Hat is different, but year after year one of the highlights of the show for Microsoft is continuing the conversation with researchers, partners and customers, and then acting on it. This is a community that is bound together by a common purpose-that is to improve the security landscape. It used to be enough to expect others to make that happen; but today, no one is exempt from helping to ensure the safety of the Internet. We're in this together, and we're better together. If you're at the show, pay us a visit at the booth or say hello when you see us; in any case, we look forward to hearing from you and continuing this work together.

Dave Forstrom, Director, Microsoft Trustworthy Computing

We are aware of a publicly disclosed vulnerability affecting Windows XP and Windows Server 2003. We are not aware of any current exploitation of this issue and customers running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to this issue, or at risk of attack.

This issue was reported to us on June 5^th, 2010 by a Google security researcher and then made public less than four days later, on June 9^th, 2010.  Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems. 

We recognize that researchers across the entire industry are a vital part of identifying issues and continually improving security, and we continue to ask researchers to work with us through responsible disclosure to help minimize the risk to customers while improving security.

We have initiated our emergency response process and will continue to monitor the threat landscape for any signs of attack against this issue. Our Microsoft Active Protections Program (MAPP) partners have detailed information about this vulnerability and are developing protections where possible.

Update: customers can follow guidance in Security Advisory 2219475 to protect against this issue.

Update 6/25/2010:
The security researcher who disclosed this vulnerability has expressed concerns regarding the inclusion of his employer’s name in relation to this vulnerability.  While there continues to be a difference of opinion, we have included both this researcher’s view and our view in this blog post. His point of view is that he reported the vulnerability not as an employee, but as an individual action by him as an independent researcher.

At Microsoft we do not believe that its feasible to disassociate the two.  We believe the actions of employees, when related to the work they are doing at a technology company, should reflect the policies of their employer. 

Despite these differences of opinion, we continue an open dialog with this researcher and ask the security researcher community to continue working with us to help protect customers.

Customers running SharePoint Server 2007 or SharePoint Services 3.0 are encouraged to review and apply the mitigations and workarounds discussed in the Security Advisory. These include restricting access to the SharePoint help.aspx XML files and enabling the Internet Explorer 8 XSS filter in the intranet zone.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.

Anyone believed to have been affected by this issue can visit: http://support.microsoft.com and should contact the national law enforcement agency in their country. 

We will continue to share updates on this blog and through our Twitter feed (@msftsecresponse).

Thanks,

Jerry Bryant
Group Manager, Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights.*

This is Alan Wallace, senior communications manager for our security response communications team.  Today, Microsoft released Security Advisory 975191, to provide customer guidance and protection from a vulnerability that could allow remote code execution on affected systems running the FTP service in Microsoft Internet Information Services (IIS) 5.0, 5.1 and 6.0, and connected to the Internet.  While we have seen detailed exploit code published on the Internet for this vulnerability, we are not currently aware of active attacks that use this exploit code or of customer impact.

This vulnerability was not responsibly disclosed to Microsoft and may put customers at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

We’re currently investigating the issue as part of our Software Security Incident Response Process (SSIRP) and working to develop a security update.  This update will be released once it reaches an appropriate level of quality for broad distribution.

Affected products include Windows 2000, Windows XP, and Windows Server 2003.

Microsoft recommends customers review and implement the workarounds provided in the Advisory under the Workaround section.  More information on suggested actions can be found in Microsoft Knowledge Base Article 975191.

Additionally, we are actively working with partners in our Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) to share information that they can use to provide broader protections to customers.

For more technical details on the advisory, please see what our colleagues have written over on the Security Research and Defense blog.

As always, be sure to check back here on the MSRC blog or in the advisory for any additional information or updates that develop.

Thank you,

Alan

*This posting is provided "AS IS" with no warranties, and confers no rights*

This is Dave Forstrom, group manager for our security response communications team.  We have just posted Microsoft Security Advisory 973472, which highlights a vulnerability in Microsoft Office Web Components. Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we’ve only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user.

Products affected are Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the  2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, Microsoft Office Small Business Accounting 2006.

We’re currently investigating the issue as part of our Software Security Incident Response Process (SSIRP) and working to develop a security update.  This update will be released once it reaches an appropriate level of quality for broad distribution.

Additionally, we are actively working with partners in our Microsoft Active Protections Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA) to share information that they can use to provide broader protections to customers.

Although the Microsoft Office Web Components ActiveX control has been deprecated for some time now, we still recommend customers implement the workarounds as provided in the Advisory. This can be done either manually, using the instructions in the Workaround section, or automatically, using the solution found in Microsoft Knowledge Base Article 973472.

For more technical details on the Advisory, please see what our colleagues have written over on the Security Research & Defense blog.

As always, be sure to check back here on the MSRC blog or in the Advisory for any additional information or updates that develop.

Thanks,

Dave

*This posting is provided "AS IS" with no warranties, and confers no rights*