As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, two of which are rated Critical in severity, nine Important and two Moderate.

These bulletins will increase protection by addressing 22 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the two critical updates:

• MS11-057 (Internet Explorer). This security update resolves five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Microsoft is not aware of any attacks leveraging the vulnerabilities addressed in this bulletin.
• MS11-058 (DNS Server). This security update resolves two privately reported vulnerabilities in Windows DNS server. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted Naming Authority Pointer (NAPTR) query to a DNS server. Servers that do not have the DNS role enabled are not at risk.

In this video, Jerry Bryant discusses this month's bulletins in further detail, focusing on these two bulletins:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page. In addition, the SRD blog today has more information on MS11-058’s Exploitability Index rating and on the month’s deployment priorities.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the June security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, August 10, 2011 at 11 a.m. PDT, and you can register here.

For all the latest information, please also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Angela Gunn
Trustworthy Computing.

This week we released a special Security Intelligence Reportthat showcases some of the data we amassed in the wake of the big Rustock botnet takedown in the spring of 2010. The new SIR also delves into the diplomacy, secrecy and intellectual property law that all played important roles in the successful international effort that led to the takedown of the Rustock botnet on March 16. This was Microsoft’s second global botnet takedown effort, after Waledac in February, 2011.

In addition, as part of our normal monthly bulletin cadence, we’re providing our Advance Notification Service for July’s security bulletins today. This month we'll release four bulletins, one of them rated Critical and three rated Important, addressing issues in Microsoft Windows and Office. We'll close 22 vulnerabilities with those bulletins.

The bulletin release is once again slated for the second Tuesday of the month – July 12th at 10:00 a.m. PDT. Come back to this blog then for our official risk and impact analysis, as well as deployment guidance and a brief video overview of the month's highlights.

The monthly technical webcast next week will be hosted once again by Jerry Bryant and Dustin Childs. We invite you to tune in and learn more about the new security bulletin releases as well as other announcements to be made on Tuesday. That webcast is scheduled for Wednesday, July 13, 2011 at 11:00 a.m. PDT (UTC -7), and the registration form can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Angela Gunn
Trustworthy Computing.

Today we published the May Security Bulletin Webcast Questions & Answers page. We fielded twelve questions on various topics during the webcast, including bulletins released and the Malicious Software Removal Tool.  There were two questions during the webcast that we were unable to answer and we have included those questions and answers on the QA page.

We invite our customers to join us for the next public webcast on Wednesday, June 15th at 11am PDT (-8 UTC), when we will go into detail about the June bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, June 15, 2011
Time: 11:00 a.m. PDT (UTC -8)
Register: Attendee Registration

Thanks -

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

Today, as part of our monthly security bulletin release, we have three bulletins addressing four vulnerabilities in Microsoft Windows and Microsoft Office. One bulletin is rated Critical, and this is the bulletin we recommend for priority deployment:

• MS11-015. This bulletin resolves one Critical-level and one Important-level vulnerability affecting certain media files in all versions of Microsoft Windows. It has an Exploitability Index rating of 1. Due to the nature of the affected software, this bulletin carries a Critical-level severity rating for all affected client systems, but only an Important-level rating for Windows Server 2008 R2 for x64. Other versions of Windows Server - 2003, 2008 and 2008 R2 - are unaffected. For both the Critical- and Important-level vulnerabilities, an attacker would have to convince a user to open a maliciously crafted file for an attack to work.

Our other two bulletins are somewhat similar in nature, both addressing the DLL-preloading issue described in Security Advisory 2269637, and both carrying an Important-level severity rating and an Exploitability Index rating of 1.

• MS11-016 is a DLL-preloading issue affecting Microsoft Groove 2007 Service Pack 2, which makes this an Office bulletin. Versions 2007 and 2010 of Groove are unaffected, as is Microsoft SharePoint Workspace 2010.
• MS11-017 is also a DLL-preloading issue, in this instance in Microsoft Windows Remote Client Desktop. This security update is rated Important for Remote Desktop Connection 5.2 Client, Remote Desktop Connection 6.0 Client, Remote Desktop Connection 6.1 Client, and Remote Desktop Connection 7.0 Client.

We continue to address DLL-preloading issues as they are discovered; however, it's important to note that we have not seen exploitation of these issues in the wild.

In this video, Jerry Bryant discusses this month's bulletins in further detail, focusing on MS11-015:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.

As we often do in the wake of a Service Pack release, we've gotten deployment questions about Windows 7 SP1. To assist customers in that process, our TechNet site has posted an SP1 deployment guide to aid you in testing and deployment. You'll also find release notes and links to handy information -- for example, a spreadsheet that contains a list of all the hotfixes and security updates that are included in the Service Pack -- as well as information on new features and functionality.

We'd also like to update you on Security Advisory 2501696, which describes an MHTML-related vulnerability in Microsoft Windows. Microsoft is actively monitoring the threat landscape in conjunction with our Microsoft Active Protections Program (MAPP) partners. We are currently working to provide a solution through our monthly security update release process and will continue to monitor the issue as we prepare that.

Finally, we mentioned previously that changes are coming to the system we use for publishing our bulletins and security advisories. We still expect those changes to go live in June of this year. The main impact to customers will be a URL change from microsoft.com/technet/security to technet.microsoft.com/security. We are planning to have both the old and new sites available simultaneously for a period of time.

Please join the monthly technical webcast with your hosts, Jerry Bryant and Dustin Childs, to learn more about the March 2011 security bulletins. The webcast is scheduled for Wednesday, March 9, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Trustworthy Computing.

Today, as part of our usual monthly bulletin cadence, we are providing our Advance Notification Service for March's security bulletins. This month we'll release three bulletins, one of them rated Critical and two rated Important, addressing issues in Microsoft Windows and Office. We'll close four vulnerabilities with those bulletins.

The bulletin release is once again slated for the second Tuesday of the month -- March 8th at 10:00 a.m. PST. Come back to this blog then for our official risk and impact analysis, as well as deployment guidance and a brief video overview of the month's highlights.

The monthly technical webcast next week will be hosted by Jerry Bryant and Dustin Childs. We invite you to tune in and learn more about the new security bulletin releases as well as other announcements to be made on Tuesday. That webcast is scheduled for Wednesday, March 9, 2011 at 11:00 a.m. PST (UTC -8), and the registration form can be found here.

Thank you,

Angela Gunn
Trustworthy Computing.

Today, as part of our monthly security bulletin release, we have 12 bulletins addressing 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and IIS (Internet Information Services). Three bulletins are rated Critical, and these are the bulletins we recommend for priority deployment:  

o    MS11-003. This bulletin resolves three critical-level and moderate-level vulnerabilities affecting all versions of Internet Explorer. Due to existing mitigations, this bulletin is only rated at Moderate severity for all versions of Windows Server, has an Exploitability Index rating of 1, and will deprecate Security Advisory 2488013.

o    MS11-006. This bulletin addresses one Critical-level vulnerability affecting Windows XP, Vista, Server 2003, and Server 2008. Newer versions of our operating system are unaffected. The vulnerability involves Windows Shell Graphics and could if exploited lead to remote code execution. This has an Exploitability Index rating of 1 and will deprecate Security Advisory 2490606 which we released on January 4^th. Since that time, we have not seen any attacks against this issue.

o    MS11-007. This bulletin addresses one privately reported vulnerability affecting all supported versions of Windows and involving the OpenType Compact Font Driver. It's rated Critical for Windows Vista, Windows 7, Server 2008 and Server 2008 R2; it's rated Important for Windows XP and Server 2003.  This issue has an Exploitability Index rating of 2.

In this video, Jerry Bryant discusses this month's bulletins in further detail:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page. 

As mentioned, we are addressing Security Advisory 2488013 as part of the regularly scheduled Internet Explorer cumulative update. This Security Advisory and the zero-day disclosure on which it was predicated caused discussion in the security community, and some observers thought that we might be forced to release an out-of-band bulletin to protect customers. However, out-of-band releases are disruptive to customers and we try to avoid them where possible. Based on our capabilities to closely monitor the threat landscape, we were able to determine that attempts to attack this vulnerability were very low. With that information, we were able to extensively test a bulletin to be released as part of our regular bulletin cadence. The MMPC (Microsoft Malware Protection Center) blog has details about the telemetry we used to guide us. There we contrast this issue with telemetry from an out-of-band release last year to demonstrate why one was not needed here.

Also this month, we're updating Security Advisory 967940, "Update for Windows Autorun," to change how earlier versions of Windows handle security when reading "non-shiny" storage media. ("Shiny" storage media would include CD-ROMs and DVDs.) Windows 7 already disables Autorun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction. With the change to the Advisory, earlier versions of Windows that receive their updates automatically via Windows Update "AutoUpdate" will now gain that security-conscious functionality as well. We believe this is a huge step towards combating one of the most prevalent infection vectors used by malware such as Conficker.

Finally, we're excited to announce that changes are coming to the system we use for publishing our bulletins and security advisories - changes that will bring better integration with the wealth of other content on Technet and a richer experience for customers. We are expecting the changes to go live in the June 2011 timeframe. The main impact to customers will be a URL change from microsoft.com/technet/security to technet.microsoft.com/security. We are planning to have both the old and new sites available simultaneously for a period of time and will be providing more details in March.

Please join the monthly technical webcast with your hosts, Jerry Bryant and Jonathan Ness, to learn more about all the February 2011 security bulletins. The webcast is scheduled for Wednesday, February 9, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Trustworthy Computing.

Why was Word 2010 largely unaffected?

During development of Office 2010, the Office Team and members of the Microsoft Engineering Center (MSEC) organization, performed a number of actions to increase protections for file parsing code. These actions are what helped protect Word 2010 users from the vulnerabilities mitigated by Security Bulletin MS 10-079. These actions included:

• Designing and implementing the File Validation feature, which is included in Word, Excel, PowerPoint and Publisher (.doc, .xls, .ppt and .pub file formats). File Validation verifies the contents of the file as it is being read, and if it detects an issue, opens the file in Protected View (see below). To view more information on this, you can view this Security video.
• Designing and implementing the Protected View feature. Protected View provides a read-only mode that disables most editing functions when a file is opened. In Protected View, the user can review the contents of a file obtained from a potentially unsafe location (such as the Internet or as an email attachment) without endangering their system. For more information see Protected View. 
• Executing in excess of 800 million iterations of file fuzzing tests against Office parsing code, including the parsers for .doc files. The Office Team built a distributed file fuzzing framework that enabled the Office team to efficiently run multiple fuzzing tests against the file parsers included in Office 2010. This framework, along with related improvements made in Office Security Engineering, was presented at the BlueHat Security Briefings in October 2009.

File fuzzing is a good but imperfect testing technique that is continuously being improved. The existence of an issue in Word 2010 indicates a need for further improvements during development of the next version of Office, which members of the Microsoft Security Engineering Center and Office Team are pursuing.

For more information on the collaboration between the Microsoft Office and MSEC teams, see the Channel 9 video entitled "Security Talk Series: Using the SDL in Office 2010".

What about Office 2007 and Office 2003 users?

A lot of the good work in Office 2010 was possible because that was work planned for and completed as part of the product's lifecycle. Generally, work at that level occurs on a major product release.  However, we have found a way to bring some of these protections to older versions of Office and today we are glad to report Microsoft has ported the File Validation functionality to Office 2007 and Office 2003. This functionality is expected to be available for download in CYQ1 2011. Once this enhancement is installed, Office 2007 and Office 2003 users will see two significant benefits:

• The File Validation functionality will now be available. This feature will verifies the contents of .doc, .xls, .ppt and .pub files as they are being read, and if it detects an issue, display a warning informing the user that there is a potential issue with the file.
• At some point in the future, Microsoft anticipates issuing "signature files" that provide new information for use by the File Validation functionality. These signature files will typically include information that File Validation can use to detect previously unknown vulnerabilities in files, and warn the user appropriately. It is anticipated that installing a signature update will be less disruptive than deploying a Security Bulletin, especially for large Office deployments.

Microsoft strongly encourages all Office 2007 and Office 2003 users to download and install this enhancement when it becomes available.

Bob Fruth, MSRC Security Program Manager

We're really excited to announce that Office File Validation, currently part of Office 2010, will soon be made available for Office 2003 and 2007.

During development of Office 2010, the Office Team, in conjunction with members of the Microsoft Engineering Center (MSEC) organization, performed a number of actions to increase protections for file parsing code.

First released in Office 2010, Office File Validation provides a check of file-format binary schema as each file is being read. If it detects an issue, it opens the file in Protected View. This helps prevent unknown binary file format attacks using Microsoft Office 97-2003 file formats for Word, Excel, Publisher, and PowerPoint. For more information, see the Security video below.

Today we are excited to announce Office File Validation will be made available for Office 2003 and 2007 in the first quarter of next year. We are announcing it now so customers can begin preparing to deploy it. In the coming weeks, we will be providing more information on deployment and configuration as well as giving a more definitive release date.

Thanks,

Carlene Chmaj
Microsoft Trustworthy Computing, Senior Response Communications Manager

We've assigned our highest deployment priority to the two Critical bulletins, though we recommend that customers deploy all updates as soon as possible.

• MS10-090 This bulletin resolves seven issues -- five Critical, two Moderate -- affecting all supported versions of Internet Explorer, on both Windows clients and Windows servers. Among its other updates, it addresses a vulnerability previously described in Security Advisory 2458511.
• MS10-091 This bulletin is Critical and addresses three vulnerabilities in Windows' OpenType Font driver. All three issues were privately reported and we are not aware of any active attacks using them.

As mentioned, the other 15 bulletins this month carry lower severity ratings - including MS10-092, the bulletin that closes out the last known vulnerability exploited by the Stuxnet malware. To assist in your planning and implementation of the bulletins, please consult this month's Deployment Priority chart (click for larger view).

Jerry Bryant, group manager for response communications, gives more information about the December bulletins in this overview video:

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.  Our Exploitability Index provides additional information to help customers plan for deployment of these monthly security bulletins.

We are also releasing updated Malicious Software Removal Tool signatures this month. The MMPC blog goes into detail on QakBot, the subject of this month's update.

Finally, we invite everyone to join the monthly technical webcast to learn more about the December 2010 security bulletin release. The webcast is scheduled for Wednesday, December 15, 2010 at 11:00 a.m. PST (UTC -8). Registration is available here.

Remember, you can follow the MSRC team for late-breaking news and updates on the threat landscape on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Senior Marketing Communications Manager

With this month's bulletin release, I want to highlight the great work done through our partnerships in the Microsoft Active Protections Program (MAPP). MAPP represents our commitment to community based defense and a shared sense of responsibility to help protect the computing ecosystem. In July of this year, the Stuxnet malware emerged onto the threat landscape and resulted in the release of an out-of-band security update, MS10-046, to address a zero-day vulnerability the malware used to compromise systems. Additionally, we updated the Microsoft Malicious Software Removal Tool (MSRT) in August to remove Stuxnet and we are able to report that according to our telemetry, the threat has gone way down from the spike we saw in early August. 

Since that time, Microsoft and partners in our MAPP program have continued to investigate this extremely complex malware. Today, we are releasing MS10-061 to address another vulnerability first discovered and reported to us by Kaspersky Lab and then later by Symantec. This vulnerability in the Print Spooler Service is rated Critical for Windows XP and Important on all other affected platforms and is used by Stuxnet to spread to systems inside the network where the Print Spooler service is exposed without authentication.

In addition, Microsoft researchers uncovered two additional Elevation of Privilege (EoP) vulnerabilities (one of which was also reported to us by Kaspersky, and later independently confirmed by Symantec) used by the malware to gain full control of the infected system. One of these EoP vulnerabilities affects Windows XP and the other affects Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. These are local EoP issues which means that an attacker, in this case Stuxnet, already has permission to run code on the system or has compromised the system through some other means. We are currently working to address both issues in a future bulletin.

We want to thank both Kaspersky Lab and Symantec for their collaboration in uncovering these vulnerabilities and for coordinating with us to protect customers. This is what community based defense is all about.

As we look at our other high priority bulletins for this month, I would like to emphasize the fact that there are no critical bulletins for Windows 7 or Windows Server 2008 R2. This is due to security enhancements such as additional heap mitigations built into the newer operating systems. Additionally, this month's Office bulletin does not affect Office 2010. I will also state that we are still investigating and working on updates for public issues that do affect these platforms. We want customers to know that we continue to work hard to address these issues and that our efforts to produce comprehensive updates and release them in a predictable manner is something that comes "in the box" when you buy our software.

As you can see from our aggregate severity and exploitability index chart below, there are two bulletins that are both Critical and have an exploitability index rating of 1. The first is MS10-061 that I discussed above and the second, MS10-062, involves a vulnerability in the MPEG-4 codec affecting supported versions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This issue can be exploited if a user opens a specially crafted media file or receives streaming content from the web.

The remaining bulletins are given a 2 or a 3 in our deployment priority list. This guidance is intended to help customers prioritize bulletin deployment and is based on several factors including severity, exploitability, breadth of platforms, and available mitigations and workarounds. Since every environment is different, we do recommend that customers evaluate accordingly and apply the updates as soon as possible.

In the video below, Adrian Stone and I give an overview of this month’s bulletin release and discuss why we have prioritized the bulletins the way we did. 

Please join Adrian and me tomorrow, September 15, at 11:00 a.m. PDT (UTC -7) for a public webcast where we will go into more details about these bulletins. We will also have a room full of subject matter experts standing by to help answer all of your questions during the session. You can register here:

https://msevents.microsoft.com/CUI/Register.aspx?culture=en-US&EventID=1032454433

We will also release two security advisories this month:

• Security Advisory 2401593, which describes a vulnerability affecting Outlook Web Access (OWA) that may affect Microsoft Exchange customers to gain elevation of privilege. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session.

• Security Advisory 973811, is an updated Advisory enabling Outlook Express and Windows Mail to opt in to Extended Protection for Authentication.

Finally, this month, we also released an update for the User Profile Hive Cleanup Service. This is an optional tool for Windows 2000, Windows XP and Windows Server 2003 that simplifies user management. The tool is not formally supported by Microsoft, but as it's a common tool to many system administrators, we released a new version to address a security vulnerability reported by a security researcher. More information can be found on the UPHClean blog.

Thanks!

Jerry Bryant
Group Manager, Response Communications