MS10-042 resolves a publicly disclosed and actively exploited vulnerability discussed in Security Advisory 2219475. The update addresses an issue in the Windows Help and Support Center feature included in Windows XP and Windows Server 2003. Even though this issue affects Server 2003, we have not found an attack vector on that platform so the severity rating is Low. Windows XP customers should install this update as soon as possible.

MS10-043 resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause a Denial of Service (DoS). Note that this bulletin affects only 64-bit versions of Windows 7 and Windows Server 2008 R2 with Windows Aero enabled. Aero is not installed by default on Server 2008 R2. We are not aware of any active attacks against this issue.

MS10-044 resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. This issue could allow remote code execution if a customer with Access installed opened a specially crafted Office file, or viewed a Web page that instantiated Access ActiveX controls. This security update is rated Critical for supported editions of Microsoft Office Access 2003 and Microsoft Office Access 2007.

MS10-045 This security update resolves another privately reported vulnerability that could allow remote code execution if a customer opened an attachment in a specially crafted e-mail message using an affected version of Outlook -- Microsoft Outlook 2002, Microsoft Office Outlook 2003, or Microsoft Office Outlook 2007.

The following video provides an overview of these four bulletins:

Both Windows vulnerabilities and one Office vulnerability have Critical severity ratings, while the second Office vulnerability carries an Important severity rating.

As always, Microsoft recommends that customers test and deploy all security updates as soon as possible. We recommend that deployment priority be given to MS10-042 and MS10-045.

For a more in-depth look at these issues, our Security Research & Defense (SRD) team has taken a closer look at both these bulletins on its blog.

We also include one bulletin re-release, MS10-024, in this cycle. The re-release will address the issue previously noted in KB976323, in which the installation of the bulletin reset user-configured settings for SMTP servers on Windows Server 2008-based systems with Internet Information Services (IIS) installed. Users who have previously installed MS01-024 will not be offered the re-released update.

Today also marks the end of support for Windows XP Service Pack 2. Customers who have not migrated from this version are encouraged to upgrade immediately, either to Service Pack 3 or to Windows 7. In addition, after today's bulletin release, we will no longer provide support for all Windows 2000 products as we have reached the end of extended support.

More information about the security updates can be found on the Microsoft Security Bulletin summary webpage.  Our Exploitability Index provides additional information to help customers prioritize deployment of the monthly security bulletins.

Please join the monthly technical webcast to learn more about the May 2010 security bulletin release. The webcast is scheduled for Wednesday, July 14, 2010 at 11:00 a.m. PDT (UTC -7). Registration is available here.

Reminder: You can follow the team for late breaking news and updates on the threat landscape here: @MSFTSecResponse.

Thanks!

Jerry Bryant
Group Manager, Response Communications

• Two bulletins, both with a severity rating of Critical, affect Windows.
• Two of the bulletins affect Microsoft Office; of those, one carries a Critical severity rating and one is rated Important.

As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

We will close out two Security Advisories this month.

• We are closing Security Advisory 2028859 (Vulnerability in Canonical Display Driver Could Allow Remote Code Execution) in the July bulletins.
• We are also closing Security Advisory 2219475 (Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution) with a comprehensive update that addresses the issue currently under attack.

Please join Adrian Stone and me for a public webcast on Wednesday. We'll go into detail about the bulletins and answer questions live on the air. Register at the link below:

Date: Wednesday, July 14
Time: 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454299

Also, July marks the end of Microsoft support for the Windows 2000 and Windows XP SP2 platforms. Customers should actively seek out either a supported operating system or the latest service pack in order to keep receiving necessary security updates.

Thanks,

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Updated July 9, 2010 to correct transposition concerning number of critical bulletins for Windows (accurately, two) and MS Office (accurately, one).

Today, as part of our regular monthly security bulletin release cycle, we released 10 bulletins to address 34 total vulnerabilities in Windows, Microsoft Office (including SharePoint), Internet Explorer (IE), Internet Information Services (IIS), and the .NET Framework. Only three of these bulletins get our maximum severity rating of Critical. The rest are rated Important. However, we encourage customers to test and deploy all applicable security updates as soon as possible.

The three Critical bulletins get our highest deployment priority this month. Those are:

• MS10-033 is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file.
• MS10-034 is a cumulative update for ActiveX Kill Bits and is Critical on Windows 2000, XP, Vista, and Windows 7. There are two Microsoft controls we are applying Kill Bits for. Those are the Internet Explorer 8 Developer Tools control, and the Data Analyzer ActiveX control. The latter control is not installed by default. In addition, there are Kill Bits for four third-party controls. Please review the bulletin for additional details.
• MS10-035 is a cumulative update for Internet Explorer. Of the six vulnerabilities addressed in the bulletin, only one, an information disclosure vulnerability, is publicly known. This issue was identified in Security Advisory 980088. We remain unaware of any active attacks against this vulnerability.

In the video below, Adrian Stone and I go in to some detail on the three priority bulletins and explain why each should be at the top of your list to install:

Also, included below is the aggregate risk and impact slide for June. Note that we do not typically give an Exploitability Index rating for ActiveX Kill Bits but as stated, this update should be a high priority.

Here is our overall deployment priority information:

There are additional subtleties with specific bulletins that I want to discuss here to eliminate potential confusion:

• MS10-032 is an elevation of privilege issue in the affected Microsoft products. There is a potential remote vector if applications fail to properly request the length of the buffer when calling the affected API. All Microsoft applications make this call properly but there may be applications out there that do not. Regardless, installing this update addresses the issue for all vectors. See our Security Research & Defense (SRD) blog for more details on this one.
• MS10-036 is a COM validation update. The issue could result in an attack through ActiveX in Office applications. This is not a new attack vector but the underlying vulnerability is and the bulletin addresses it. For additional clarification, I want to point out that Office XP does not have the architecture needed for the update. However, for customers running Office XP on Windows XP or newer operating systems, we have made a shim available that protects against the vulnerability. The shim can be installed via a Microsoft FixIt which can be downloaded from KB983235.
• MS10-039 is a SharePoint related update, closing out Security Advisory 983438 which addressed an elevation of privilege vulnerability. We are not currently aware of any attacks against this issue.

As usual, our SRD team has written several blog posts that go in to details on some of this month's bulletins and I encourage customers to review those for additional insight: http://blogs.technet.com/b/srd.

If you have questions about the June bulletins, please attend our public webcast tomorrow which I will be hosting with Adrian Stone from the MSRC. We will go in to additional details on each bulletin and along with a room full of subject matter experts attempt to address all of your questions. Here's how to register:

When: Wednesday June 10, 2010 at 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032395226

I hope you can join us then.

Thanks!

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Today we published our advance notification for the June security bulletin release, scheduled for release next Tuesday, June 8. This month’s release includes ten bulletins addressing 34 vulnerabilities.

• Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important.
• Two bulletins, both with a severity rating of Important, affect Microsoft Office.
• One bulletin, again with a severity rating of Important, affects both Windows and Office.  
• One bulletin, with a severity rating of Critical, affects Internet Explorer.

As ever, we recommend that customers prepare for the testing and deployment of these bulletins as soon as possible.

We will also be acting on two Security Advisories this month.

• We are closing Security Advisory 983438 (Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege) with the June bulletins.
• We are also addressing Security Advisory 980088 (Vulnerability in Internet Explorer Could Allow Information Disclosure).

Please join Adrian Stone and me for a public webcast on Wednesday next week where we will go into detail about the bulletins and answer questions live on the air. Register at the link below:

Date: Wednesday June 9
Time: 11:00 a.m. PDT (UTC –7)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427727

Finally, we remind Windows 2000 and Windows XP SP2 customers once again that all support for these platforms will end after July 13, 2010 – that is, next month. Customers should upgrade to either a supported operating system or the latest service pack in order to keep receiving necessary security updates.

Thanks,

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Today we published our advance notification for the May security bulletin release letting customers know that next Tuesday, May 11, we will release two Critical bulletins addressing two vulnerabilities - one in Windows and one in Office. Windows 7 and Windows Server 2008 R2 customers will be offered the Windows related update but they are not vulnerable in their default configurations. More information on this will be provided on Tuesday.

Concerning the recent Security Advisory for SharePoint, 983438, we will not be releasing an update for that with the May bulletins. Our teams are still working on an update for that issue. In the meantime, we recommend customers review the advisory and apply the workarounds.

On a side note, I want to also continue reminding customers of Windows 2000 and Windows XP SP2 that all support for these platforms will end after July 13, 2010. Customers should upgrade to either a supported operating system or the latest service pack in order to keep receiving security updates.

We recommend that customers prepare for the testing and deployment of both bulletins as soon as possible. Finally, please join Adrian Stone and me for a public webcast next week where we will go in to details about the bulletins and answer questions live on the air. Here’s how to register:

Date: Wednesday May 12
Time: 11:00 a.m. PDT (UTC –8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427724

Thanks,

Jerry Bryant
Group Manager, Response Communications< ?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Follow us on Twitter: @MSFTSecResponse

*This posting is provided "AS IS" with no warranties, and confers no rights*

Customers running SharePoint Server 2007 or SharePoint Services 3.0 are encouraged to review and apply the mitigations and workarounds discussed in the Security Advisory. These include restricting access to the SharePoint help.aspx XML files and enabling the Internet Explorer 8 XSS filter in the intranet zone.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.

Anyone believed to have been affected by this issue can visit: http://support.microsoft.com and should contact the national law enforcement agency in their country. 

We will continue to share updates on this blog and through our Twitter feed (@msftsecresponse).

Thanks,

Jerry Bryant
Group Manager, Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Our ANS (Advance Notification Service) went out today informing customers that next Tuesday we will release 11 bulletins addressing 25 vulnerabilities in Windows, Microsoft Office, and Microsoft Exchange. We recommend that customers review the ANS summary page and prepare to test and deploy the bulletins as quickly as possible.

I also want to point out to customers that we will be closing the following open Security Advisories with next week’s updates:

·         Microsoft Security Advisory (981169) - Vulnerability in VBScript Could Allow Remote Code Execution.

·         Microsoft Security Advisory (977544) - Vulnerability in SMB Could Allow Denial of Service

Please join Adrian Stone and me for a public webcast next week where we will go in to details about the bulletins and answer questions live on the air. Here’s how to register:

Date: Wednesday April 14
Time: 11:00 a.m. PDT (UTC –8)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427721

I would also like to remind you all that it is extremely important for customers to move to supported platforms because after the dates below, those products/service packs will no longer receive security updates.

• Windows XP Service Pack 2 will no longer be supported after July 13, 2010. Many customers are still on this version, so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.
• Extended support for Windows 2000 will also be retired as of July 13, 2010. After that time, we will no longer provide security or any other updates for Windows 2000.
• Windows Vista RTM will no longer be supported after the April 13, 2010 bulletin release. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.

Thank you,

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

*This posting is provided "AS IS" with no warranties, and confers no rights*

Hi everyone,

As mentioned in our ANS blog post last week, today we are releasing 13 bulletins addressing 26 vulnerabilities. 11 bulletins affect Windows and 2 affect older versions of Microsoft Office.

In the post on Thursday, we mentioned that bulletins in the ANS listed as 1, 2, 3, and 6 were going to top our deployment priority list this month. We have also added MS10-015 (#12) to that list. It addresses Security Advisory 979682. We are aware of publicly available Proof-of-Concept code for this issue, but are not aware of any active attacks at this time. Here is the mapping from the bulletin numbers in the ANS to the released bulletin ID’s:

ANS Bulletin Number	Actual Bulletin Number
1	MS10-006
2	MS10-007
3	MS10-008
4	MS10-009
5	MS10-012
6	MS10-013
7	MS10-003
8	MS10-004
9	MS10-010
10	MS10-011
11	MS10-014
12	MS10-015
13	MS10-005

As always, it is recommended that customers deploy all security updates as soon as possible. Of the bulletins released this month, customers should prioritize and deploy MS10-006, MS10-007, MS10-008, MS10-013, and MS10-015, given Critical severity ratings and/or Exploitability Index ratings of 1 (“Consistent Exploit Code Likely”).

MS10-013, which addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince the a user to open it.

MS10-006 is also Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.

MS10-007 addresses a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.

MS10-008 is the last one I will give some additional detail on. This is a cumulative update for ActiveX Killbits and is also Critical. You will notice in our Severity & Exploitability Index chart that we did not give this an Exploitability rating. That is because a Killbit is not an update that addresses the underlying vulnerability. It is a registry setting that keeps the vulnerable ActiveX control from running in Internet Explorer. We will give these an Exploitability rating of 1 if we are aware of active exploitation but in this case, we are not.

You can find more detailed information about these bulletins in several blog posts by our Security Research & Defense team at http://blogs.technet.com/srd.

With that, here are the Severity and Exploitability Index and Deployment Priority slides:

In the following video, Adrian Stone and I talk a little more about this month’s top priority bulletins:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

I would also encourage you to attend out public webcast tomorrow where we will go in to detail on all 13 bulletins. Here is the registration information:

Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

Hope you can join us!

Jerry Bryant
Sr. Security Communications Manager – Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

As we started to do in December, we want to give customers a peek at what our deployment guidance will be next Tuesday. This month, we will be giving four of the bulletins a deployment priority rating of 1. In the ANS, those are bulletins 1, 2, 3, and 6. We recommend that customers test and deploy all security updates as soon as possible but you should prioritize these first.

To further help customers prioritize, I have pulled the Windows information from the ANS into a summary table so depending on the version you are running, you can see how many bulletins you need to prepare for:

The Office related bulletins are both rated Important and would require user action to be exploited (usually in the form of convincing a user to open a specially crafted file). The vulnerabilities only affect older versions of Office so customers on Office 2007 or Office 2008 for Mac will have not actions this month.

We encourage customers to upgrade to the latest versions of both Windows and Office. As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built in to these products.

I also want to give a summary of the three open Security Advisories so customers know what to expect on Tuesday:

·             Advisory 980088, Vulnerability in Internet Explorer Could Allow Information Disclosure: this advisory was released yesterday (Feb 3). We do not have an update for this issue planned for the normal February bulletin release. However, this vulnerability only affects versions of windows older than Vista in their default configuration, and there is a “Fix It” available so customers in non-default configurations can protect themselves.

·             Advisory 979682, Vulnerability in Windows Kernel Could Allow Elevation of Privilege: we are on track to release an update for this issue next Tuesday.

·             Advisory 977544, Vulnerability in SMB Could Allow Denial of Service: we are still working on an update for this issue so it will not be addressed in the February bulletins. As a reminder, this issue cannot be used to allow an attacker to take control of a system remotely, but instead results in a system becoming unresponsive due to resource consumption.

We are not aware of any attacks on these vulnerabilities and continue to encourage customers to implement the mitigations and workarounds outlined in the advisories.

Last month I started including important information about Windows versions that are reaching the end of their product lifecycle. Customers using these versions should consider upgrading before support for these products end as, once they do, we will no longer provide security updates:

• Windows XP Service Pack 2 will no longer be supported as of July 13, 2010. Many customers are still on this version, so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.
• Windows Vista RTM will no longer be supported as of April 13, 2010. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.
• Extended support for Windows 2000 will also be retired on July 13, 2010. At that time, we will no longer provide security or any other updates for Windows 2000.

Finally, please plan to join Adrian Stone and myself next week for our regular live webcast where we will go in to detail on each bulletin to give you even more information and guidance:

Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

Hope to see you there!

Jerry Bryant
Sr. Security Communications Manager – Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*