As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, two of which are rated Critical in severity, nine Important and two Moderate.

These bulletins will increase protection by addressing 22 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the two critical updates:

• MS11-057 (Internet Explorer). This security update resolves five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Microsoft is not aware of any attacks leveraging the vulnerabilities addressed in this bulletin.
• MS11-058 (DNS Server). This security update resolves two privately reported vulnerabilities in Windows DNS server. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted Naming Authority Pointer (NAPTR) query to a DNS server. Servers that do not have the DNS role enabled are not at risk.

In this video, Jerry Bryant discusses this month's bulletins in further detail, focusing on these two bulletins:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page. In addition, the SRD blog today has more information on MS11-058’s Exploitability Index rating and on the month’s deployment priorities.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the June security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, August 10, 2011 at 11 a.m. PDT, and you can register here.

For all the latest information, please also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Angela Gunn
Trustworthy Computing.

This week we released a special Security Intelligence Reportthat showcases some of the data we amassed in the wake of the big Rustock botnet takedown in the spring of 2010. The new SIR also delves into the diplomacy, secrecy and intellectual property law that all played important roles in the successful international effort that led to the takedown of the Rustock botnet on March 16. This was Microsoft’s second global botnet takedown effort, after Waledac in February, 2011.

In addition, as part of our normal monthly bulletin cadence, we’re providing our Advance Notification Service for July’s security bulletins today. This month we'll release four bulletins, one of them rated Critical and three rated Important, addressing issues in Microsoft Windows and Office. We'll close 22 vulnerabilities with those bulletins.

The bulletin release is once again slated for the second Tuesday of the month – July 12th at 10:00 a.m. PDT. Come back to this blog then for our official risk and impact analysis, as well as deployment guidance and a brief video overview of the month's highlights.

The monthly technical webcast next week will be hosted once again by Jerry Bryant and Dustin Childs. We invite you to tune in and learn more about the new security bulletin releases as well as other announcements to be made on Tuesday. That webcast is scheduled for Wednesday, July 13, 2011 at 11:00 a.m. PDT (UTC -7), and the registration form can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Angela Gunn
Trustworthy Computing.

Today we published the April Security Bulletin Webcast Questions & Answers page. We fielded 14 questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools. There were two questions during the webcast that we were unable to answer and we have included those questions and answers on the QA page.

I also want to provide some clarity regarding our announcement that SMS 2003 with SUIT is retiring this month. SMS 2.0 and the SUIT add-on that can be installed on either SMS 2.0 or SMS 2003 are going out of support this month. SMS 2003 is not scheduled to go out of support until 2015. Customers who currently use SMS 2003 with SUIT should plan to use SCCM 2007 or SMS 2003 with ITMU starting next month. 

We invite our customers to join us for the next public webcast on Wednesday, May 11th at 11am PDT (-8 UTC), when we will go into detail about the April bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, March 9, 2011
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

 " "

Thanks -

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

Today, as part of our monthly security bulletin release, we have three bulletins addressing four vulnerabilities in Microsoft Windows and Microsoft Office. One bulletin is rated Critical, and this is the bulletin we recommend for priority deployment:

• MS11-015. This bulletin resolves one Critical-level and one Important-level vulnerability affecting certain media files in all versions of Microsoft Windows. It has an Exploitability Index rating of 1. Due to the nature of the affected software, this bulletin carries a Critical-level severity rating for all affected client systems, but only an Important-level rating for Windows Server 2008 R2 for x64. Other versions of Windows Server - 2003, 2008 and 2008 R2 - are unaffected. For both the Critical- and Important-level vulnerabilities, an attacker would have to convince a user to open a maliciously crafted file for an attack to work.

Our other two bulletins are somewhat similar in nature, both addressing the DLL-preloading issue described in Security Advisory 2269637, and both carrying an Important-level severity rating and an Exploitability Index rating of 1.

• MS11-016 is a DLL-preloading issue affecting Microsoft Groove 2007 Service Pack 2, which makes this an Office bulletin. Versions 2007 and 2010 of Groove are unaffected, as is Microsoft SharePoint Workspace 2010.
• MS11-017 is also a DLL-preloading issue, in this instance in Microsoft Windows Remote Client Desktop. This security update is rated Important for Remote Desktop Connection 5.2 Client, Remote Desktop Connection 6.0 Client, Remote Desktop Connection 6.1 Client, and Remote Desktop Connection 7.0 Client.

We continue to address DLL-preloading issues as they are discovered; however, it's important to note that we have not seen exploitation of these issues in the wild.

In this video, Jerry Bryant discusses this month's bulletins in further detail, focusing on MS11-015:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.

As we often do in the wake of a Service Pack release, we've gotten deployment questions about Windows 7 SP1. To assist customers in that process, our TechNet site has posted an SP1 deployment guide to aid you in testing and deployment. You'll also find release notes and links to handy information -- for example, a spreadsheet that contains a list of all the hotfixes and security updates that are included in the Service Pack -- as well as information on new features and functionality.

We'd also like to update you on Security Advisory 2501696, which describes an MHTML-related vulnerability in Microsoft Windows. Microsoft is actively monitoring the threat landscape in conjunction with our Microsoft Active Protections Program (MAPP) partners. We are currently working to provide a solution through our monthly security update release process and will continue to monitor the issue as we prepare that.

Finally, we mentioned previously that changes are coming to the system we use for publishing our bulletins and security advisories. We still expect those changes to go live in June of this year. The main impact to customers will be a URL change from microsoft.com/technet/security to technet.microsoft.com/security. We are planning to have both the old and new sites available simultaneously for a period of time.

Please join the monthly technical webcast with your hosts, Jerry Bryant and Dustin Childs, to learn more about the March 2011 security bulletins. The webcast is scheduled for Wednesday, March 9, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Trustworthy Computing.

Today, as part of our usual monthly bulletin cadence, we are providing our Advance Notification Service for March's security bulletins. This month we'll release three bulletins, one of them rated Critical and two rated Important, addressing issues in Microsoft Windows and Office. We'll close four vulnerabilities with those bulletins.

The bulletin release is once again slated for the second Tuesday of the month -- March 8th at 10:00 a.m. PST. Come back to this blog then for our official risk and impact analysis, as well as deployment guidance and a brief video overview of the month's highlights.

The monthly technical webcast next week will be hosted by Jerry Bryant and Dustin Childs. We invite you to tune in and learn more about the new security bulletin releases as well as other announcements to be made on Tuesday. That webcast is scheduled for Wednesday, March 9, 2011 at 11:00 a.m. PST (UTC -8), and the registration form can be found here.

Thank you,

Angela Gunn
Trustworthy Computing.

Today, as part of our monthly security bulletin release, we have 12 bulletins addressing 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and IIS (Internet Information Services). Three bulletins are rated Critical, and these are the bulletins we recommend for priority deployment:  

o    MS11-003. This bulletin resolves three critical-level and moderate-level vulnerabilities affecting all versions of Internet Explorer. Due to existing mitigations, this bulletin is only rated at Moderate severity for all versions of Windows Server, has an Exploitability Index rating of 1, and will deprecate Security Advisory 2488013.

o    MS11-006. This bulletin addresses one Critical-level vulnerability affecting Windows XP, Vista, Server 2003, and Server 2008. Newer versions of our operating system are unaffected. The vulnerability involves Windows Shell Graphics and could if exploited lead to remote code execution. This has an Exploitability Index rating of 1 and will deprecate Security Advisory 2490606 which we released on January 4^th. Since that time, we have not seen any attacks against this issue.

o    MS11-007. This bulletin addresses one privately reported vulnerability affecting all supported versions of Windows and involving the OpenType Compact Font Driver. It's rated Critical for Windows Vista, Windows 7, Server 2008 and Server 2008 R2; it's rated Important for Windows XP and Server 2003.  This issue has an Exploitability Index rating of 2.

In this video, Jerry Bryant discusses this month's bulletins in further detail:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page. 

As mentioned, we are addressing Security Advisory 2488013 as part of the regularly scheduled Internet Explorer cumulative update. This Security Advisory and the zero-day disclosure on which it was predicated caused discussion in the security community, and some observers thought that we might be forced to release an out-of-band bulletin to protect customers. However, out-of-band releases are disruptive to customers and we try to avoid them where possible. Based on our capabilities to closely monitor the threat landscape, we were able to determine that attempts to attack this vulnerability were very low. With that information, we were able to extensively test a bulletin to be released as part of our regular bulletin cadence. The MMPC (Microsoft Malware Protection Center) blog has details about the telemetry we used to guide us. There we contrast this issue with telemetry from an out-of-band release last year to demonstrate why one was not needed here.

Also this month, we're updating Security Advisory 967940, "Update for Windows Autorun," to change how earlier versions of Windows handle security when reading "non-shiny" storage media. ("Shiny" storage media would include CD-ROMs and DVDs.) Windows 7 already disables Autorun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction. With the change to the Advisory, earlier versions of Windows that receive their updates automatically via Windows Update "AutoUpdate" will now gain that security-conscious functionality as well. We believe this is a huge step towards combating one of the most prevalent infection vectors used by malware such as Conficker.

Finally, we're excited to announce that changes are coming to the system we use for publishing our bulletins and security advisories - changes that will bring better integration with the wealth of other content on Technet and a richer experience for customers. We are expecting the changes to go live in the June 2011 timeframe. The main impact to customers will be a URL change from microsoft.com/technet/security to technet.microsoft.com/security. We are planning to have both the old and new sites available simultaneously for a period of time and will be providing more details in March.

Please join the monthly technical webcast with your hosts, Jerry Bryant and Jonathan Ness, to learn more about all the February 2011 security bulletins. The webcast is scheduled for Wednesday, February 9, 2011 at 11:00 a.m. PST (UTC -8). Registration is available here.

For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Trustworthy Computing.

The vulnerability lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used by applications to render certain kinds of documents. The impact of an attack on the vulnerability would be similar to that of server-side cross-site-scripting (XSS) vulnerabilities.  For instance, an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session.  Such a script might collect user information (eg., email), spoof content displayed in the browser, or otherwise interfere with the user's experience.

The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists. We are providing a Microsoft Fix-it package to further automate installation.

In our collaboration with other service providers, we are looking for possible ways that they can take steps to provide protection on the server side. Our Security Research & Defense team has written a blog post that discusses some possible options. However, due to the nature of the issue, the only workaround Microsoft can officially recommend is what we have identified in the advisory. We will continue to work closely with others in the industry and appreciate the collaboration we have had to date.

We have initiated our Software Security Incident Response Process (SSIRP) to manage this issue. We're also in communication with other service providers to explain how the issue might affect third-party Web sites and to collaborate on developing a variety of further solutions that address the varied needs of all parts of the Internet ecosystem - large sites, small sites, and all those who visit them.

Meanwhile, we are working on a security update to address this vulnerability and we are monitoring the threat landscape very closely. If the situation changes, we'll post updates here on the MSRC blog.

Thanks -

Angela Gunn
Trustworthy Computing

We've assigned our highest deployment priority to the two Critical bulletins, though we recommend that customers deploy all updates as soon as possible.

• MS10-090 This bulletin resolves seven issues -- five Critical, two Moderate -- affecting all supported versions of Internet Explorer, on both Windows clients and Windows servers. Among its other updates, it addresses a vulnerability previously described in Security Advisory 2458511.
• MS10-091 This bulletin is Critical and addresses three vulnerabilities in Windows' OpenType Font driver. All three issues were privately reported and we are not aware of any active attacks using them.

As mentioned, the other 15 bulletins this month carry lower severity ratings - including MS10-092, the bulletin that closes out the last known vulnerability exploited by the Stuxnet malware. To assist in your planning and implementation of the bulletins, please consult this month's Deployment Priority chart (click for larger view).

Jerry Bryant, group manager for response communications, gives more information about the December bulletins in this overview video:

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.  Our Exploitability Index provides additional information to help customers plan for deployment of these monthly security bulletins.

We are also releasing updated Malicious Software Removal Tool signatures this month. The MMPC blog goes into detail on QakBot, the subject of this month's update.

Finally, we invite everyone to join the monthly technical webcast to learn more about the December 2010 security bulletin release. The webcast is scheduled for Wednesday, December 15, 2010 at 11:00 a.m. PST (UTC -8). Registration is available here.

Remember, you can follow the MSRC team for late-breaking news and updates on the threat landscape on Twitter at @MSFTSecResponse.

Thanks,

Angela Gunn
Senior Marketing Communications Manager

With this month's bulletin release, I want to highlight the great work done through our partnerships in the Microsoft Active Protections Program (MAPP). MAPP represents our commitment to community based defense and a shared sense of responsibility to help protect the computing ecosystem. In July of this year, the Stuxnet malware emerged onto the threat landscape and resulted in the release of an out-of-band security update, MS10-046, to address a zero-day vulnerability the malware used to compromise systems. Additionally, we updated the Microsoft Malicious Software Removal Tool (MSRT) in August to remove Stuxnet and we are able to report that according to our telemetry, the threat has gone way down from the spike we saw in early August. 

Since that time, Microsoft and partners in our MAPP program have continued to investigate this extremely complex malware. Today, we are releasing MS10-061 to address another vulnerability first discovered and reported to us by Kaspersky Lab and then later by Symantec. This vulnerability in the Print Spooler Service is rated Critical for Windows XP and Important on all other affected platforms and is used by Stuxnet to spread to systems inside the network where the Print Spooler service is exposed without authentication.

In addition, Microsoft researchers uncovered two additional Elevation of Privilege (EoP) vulnerabilities (one of which was also reported to us by Kaspersky, and later independently confirmed by Symantec) used by the malware to gain full control of the infected system. One of these EoP vulnerabilities affects Windows XP and the other affects Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. These are local EoP issues which means that an attacker, in this case Stuxnet, already has permission to run code on the system or has compromised the system through some other means. We are currently working to address both issues in a future bulletin.

We want to thank both Kaspersky Lab and Symantec for their collaboration in uncovering these vulnerabilities and for coordinating with us to protect customers. This is what community based defense is all about.

As we look at our other high priority bulletins for this month, I would like to emphasize the fact that there are no critical bulletins for Windows 7 or Windows Server 2008 R2. This is due to security enhancements such as additional heap mitigations built into the newer operating systems. Additionally, this month's Office bulletin does not affect Office 2010. I will also state that we are still investigating and working on updates for public issues that do affect these platforms. We want customers to know that we continue to work hard to address these issues and that our efforts to produce comprehensive updates and release them in a predictable manner is something that comes "in the box" when you buy our software.

As you can see from our aggregate severity and exploitability index chart below, there are two bulletins that are both Critical and have an exploitability index rating of 1. The first is MS10-061 that I discussed above and the second, MS10-062, involves a vulnerability in the MPEG-4 codec affecting supported versions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This issue can be exploited if a user opens a specially crafted media file or receives streaming content from the web.

The remaining bulletins are given a 2 or a 3 in our deployment priority list. This guidance is intended to help customers prioritize bulletin deployment and is based on several factors including severity, exploitability, breadth of platforms, and available mitigations and workarounds. Since every environment is different, we do recommend that customers evaluate accordingly and apply the updates as soon as possible.

In the video below, Adrian Stone and I give an overview of this month’s bulletin release and discuss why we have prioritized the bulletins the way we did. 

Please join Adrian and me tomorrow, September 15, at 11:00 a.m. PDT (UTC -7) for a public webcast where we will go into more details about these bulletins. We will also have a room full of subject matter experts standing by to help answer all of your questions during the session. You can register here:

https://msevents.microsoft.com/CUI/Register.aspx?culture=en-US&EventID=1032454433

We will also release two security advisories this month:

• Security Advisory 2401593, which describes a vulnerability affecting Outlook Web Access (OWA) that may affect Microsoft Exchange customers to gain elevation of privilege. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session.

• Security Advisory 973811, is an updated Advisory enabling Outlook Express and Windows Mail to opt in to Extended Protection for Authentication.

Finally, this month, we also released an update for the User Profile Hive Cleanup Service. This is an optional tool for Windows 2000, Windows XP and Windows Server 2003 that simplifies user management. The tool is not formally supported by Microsoft, but as it's a common tool to many system administrators, we released a new version to address a security vulnerability reported by a security researcher. More information can be found on the UPHClean blog.

Thanks!

Jerry Bryant
Group Manager, Response Communications