We've also updated the advisory with new information regarding possible attack vectors. Finally, we have included a new workaround that customers can implement to help protect their environments: blocking the download of LNK and PIF files (note that these files can be transferred over WebDav, so be sure to account for this protocol if you implement this workaround).

As always, we encourage customers to review this new information and to evaluate it for their environment while our teams continue their work to develop a security update that addresses this vulnerability.

As always, we'll update the security advisory and this blog with new information as it becomes available.

Thanks,

Christopher Budd

Sr. Security Manager, Response Communications at Microsoft

Follow us on Twitter: @MSFTSecResponse

We are aware of a publicly disclosed vulnerability affecting Windows XP and Windows Server 2003. We are not aware of any current exploitation of this issue and customers running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to this issue, or at risk of attack.

This issue was reported to us on June 5^th, 2010 by a Google security researcher and then made public less than four days later, on June 9^th, 2010.  Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems. 

We recognize that researchers across the entire industry are a vital part of identifying issues and continually improving security, and we continue to ask researchers to work with us through responsible disclosure to help minimize the risk to customers while improving security.

We have initiated our emergency response process and will continue to monitor the threat landscape for any signs of attack against this issue. Our Microsoft Active Protections Program (MAPP) partners have detailed information about this vulnerability and are developing protections where possible.

Update: customers can follow guidance in Security Advisory 2219475 to protect against this issue.

Update 6/25/2010:
The security researcher who disclosed this vulnerability has expressed concerns regarding the inclusion of his employer’s name in relation to this vulnerability.  While there continues to be a difference of opinion, we have included both this researcher’s view and our view in this blog post. His point of view is that he reported the vulnerability not as an employee, but as an individual action by him as an independent researcher.

At Microsoft we do not believe that its feasible to disassociate the two.  We believe the actions of employees, when related to the work they are doing at a technology company, should reflect the policies of their employer. 

Despite these differences of opinion, we continue an open dialog with this researcher and ask the security researcher community to continue working with us to help protect customers.

Customers running SharePoint Server 2007 or SharePoint Services 3.0 are encouraged to review and apply the mitigations and workarounds discussed in the Security Advisory. These include restricting access to the SharePoint help.aspx XML files and enabling the Internet Explorer 8 XSS filter in the intranet zone.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.

Anyone believed to have been affected by this issue can visit: http://support.microsoft.com and should contact the national law enforcement agency in their country. 

We will continue to share updates on this blog and through our Twitter feed (@msftsecresponse).

Thanks,

Jerry Bryant
Group Manager, Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Shortly after we released the update we received several reports that it did not protect against the vulnerability reported to us. At that time, we pulled the update and notified customers. The main reason for pulling the update was to save a reboot for customers who had not yet installed it. The original issue was missed due to focusing on a variant of the original report early in the investigation. We are addressing this issue and plan to re-release the update next week.

Once we are sure of the exact day the update will be ready for re-release, we will post that information to our Twitter account: @MSFTSecResponse. This will go out as a major revision to the bulletin so there will be no advance notification mailer going out but those who have subscribed to our comprehensive notification service will receive an email when it is released. Subscribe here.

In the meantime, we continue to encourage customers who have Windows Media Services installed on Windows 2000 Server to review the mitigations and workarounds in the bulletin and to apply firewall best practices to reduce exposure.

Thanks,

Jerry Bryant
Group Manager, Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights*

MS10-025 is a security update that only affects Windows 2000 Server customers who have installed Windows Media Services (this is a non-default configuration). Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.

Customers should review the bulletin for mitigations and workarounds and those with internet facing systems with Windows Media Services installed should evaluate and use firewall best practices to limit their overall exposure. We will continue to share updates here on the blog as available.

I’m writing to let you know that we have updated Security Advisory 981374 with new workaround information. We are aware that exploit code has been made public for this issue. As with our last update, Internet Explorer 8 remains unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version.

On Wednesday we added a workaround to the advisory that helps to mitigate the vulnerability by disabling the peer factory class through the modification of a registry key. With today’s update, we have added a Microsoft Fix It to automate this workaround for Windows XP and Windows Server 2003 customers. As always, customers should test this thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.

We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs.

Please review the advisory for more information. We will keep you posted as additional information becomes available.

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Today we released Security Advisory 981169 to address the VBScript issue involving Windows Help files that we blogged about yesterday. To reiterate what we said in that post, we are not aware of any active attacks at this time and the following operating systems are not affected by this issue: Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista.

Our investigation is ongoing. Users on older versions of Windows should review the Security Advisory for mitigations and workarounds for this issue. Additionally, our Security Research & Defense team provides a detailed analysis of the issue and the available workarounds on their blog. User education is a key factor in this scenario given the amount of user interaction required to reach the vulnerability.

Our teams are working to address the issue and once we complete our investigation, we will take appropriate action to protect customers. This may include releasing an update out-of-band. We will provide further updates as they become available.

Thanks,

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

One of the key components when investigating issues like this are obtaining memory dumps from computers experiencing the problem. In order to get the information we need to fully analyze the issue, some of our support engineers have actually driven to customer locations and picked up affected systems so we can get the needed crash data directly and help inform our investigation. For more information about memory dumps, please see: http://support.microsoft.com/kb/254649.

We encourage customers to follow our “Protect Your PC” best practices and always have up to date anti-virus software running on their systems to help prevent malware infections. For customers who do not have anti-virus software, you can either scan your system using our online tool at http://safety.live.com or you can install Microsoft Security Essentials for free.

This can be a difficult issue to solve once a computer is in an un-bootable state so we encourage customers who feel they have been impacted by this to contact our Customer Service and Support group by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.

Keep an eye on this blog for more updates as we have them.

Thanks,

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hi everyone,

As mentioned in our ANS blog post last week, today we are releasing 13 bulletins addressing 26 vulnerabilities. 11 bulletins affect Windows and 2 affect older versions of Microsoft Office.

In the post on Thursday, we mentioned that bulletins in the ANS listed as 1, 2, 3, and 6 were going to top our deployment priority list this month. We have also added MS10-015 (#12) to that list. It addresses Security Advisory 979682. We are aware of publicly available Proof-of-Concept code for this issue, but are not aware of any active attacks at this time. Here is the mapping from the bulletin numbers in the ANS to the released bulletin ID’s:

ANS Bulletin Number	Actual Bulletin Number
1	MS10-006
2	MS10-007
3	MS10-008
4	MS10-009
5	MS10-012
6	MS10-013
7	MS10-003
8	MS10-004
9	MS10-010
10	MS10-011
11	MS10-014
12	MS10-015
13	MS10-005

As always, it is recommended that customers deploy all security updates as soon as possible. Of the bulletins released this month, customers should prioritize and deploy MS10-006, MS10-007, MS10-008, MS10-013, and MS10-015, given Critical severity ratings and/or Exploitability Index ratings of 1 (“Consistent Exploit Code Likely”).

MS10-013, which addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince the a user to open it.

MS10-006 is also Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.

MS10-007 addresses a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.

MS10-008 is the last one I will give some additional detail on. This is a cumulative update for ActiveX Killbits and is also Critical. You will notice in our Severity & Exploitability Index chart that we did not give this an Exploitability rating. That is because a Killbit is not an update that addresses the underlying vulnerability. It is a registry setting that keeps the vulnerable ActiveX control from running in Internet Explorer. We will give these an Exploitability rating of 1 if we are aware of active exploitation but in this case, we are not.

You can find more detailed information about these bulletins in several blog posts by our Security Research & Defense team at http://blogs.technet.com/srd.

With that, here are the Severity and Exploitability Index and Deployment Priority slides:

In the following video, Adrian Stone and I talk a little more about this month’s top priority bulletins:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

I would also encourage you to attend out public webcast tomorrow where we will go in to detail on all 13 bulletins. Here is the registration information:

Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

Hope you can join us!

Jerry Bryant
Sr. Security Communications Manager – Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*