Today we’re providing advance notification for an out-of-band security update to address the publicly disclosed issue described in Security Advisory 2659883. The release is scheduled for tomorrow, December 29, at approximately 10 a.m. PST.

The bulletin has a severity rating of Critical and addresses a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework. While we’re currently unaware of any attacks targeting ASP.NET, we encourage all customers to test and deploy the update when it is available.

We will also hold a special edition webcast on Thursday, December 29 at 1 p.m. PST. Click here to register.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Dave Forstrom

Director

Microsoft Trustworthy Computing

As a follow-up to Friday’s blog post, today we released Security Advisory 2641690 to notify customers that we revoked the trust of DigiCert Sdn.Bhd in an update that moves two Intermediate Certificate Authorities (CA) certificates to the Microsoft Untrusted Certificate Store.

We made this decision after Entrust, Inc., a CA in the Microsoft Root Certificate Program, notified us that one of its subordinate CAs issued 22 certificates with weak 512 bit keys, a violation of Microsoft’s Root Certificate Program requirements. At this time, there is no indication that the certificates were issued fraudulently but with this update, we are proactively protecting customers from potential issues.

There is no action for customers who have enabled Automatic Updates as the update, which applies to all supported versions of Microsoft Windows, will be downloaded and installed automatically.

The two certificates include:

• Digisign Server ID – (Enrich) issued by Entrust.net Certification Authority (2048)
• Digisign Server ID (Enrich) issued by GTE CyberTrust Global Root

DigiCert Sdn. Bhd (Digicert Malaysia) is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust), and is not related to DigiCert Inc., which is a member of the Windows Root Certificate Program.

For more information, please see Security Advisory 2641690.

Thanks --
Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group

Today we released Security Advisory 2639568 to provide customer guidance for the Windows kernel issue related to the Duqu malware. I would like to provide you information on how to protect your system(s), how we are addressing the issue, and insight into our threat landscape monitoring capabilities.

The security advisory provides a workaround that can be applied to any Windows system. To make it easy for customers to install, we have released a Fix it that will allow one-click installation of the workaround and an easy way for enterprises to deploy.

To further protect customers, we provided our partners in the Microsoft Active Protections Program (MAPP) detailed information on how to build detection for their security products. This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability. Therefore we encourage customers to ensure their antivirus software is up-to-date.

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.

Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.

Thanks --
Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group

We are not aware of a way to exploit this issue in other protocols or components, and we have no reports of exploitation in the wild at this time; our investigation continues, but our research so far indicates that customers are at minimal risk. To successfully exploit this issue, the would-be attacker must meet several conditions:

• The targeted user must be in an active HTTPS session;
• The malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user’s browser session; and,
• The attacker’s malicious code must be treated as from the same origin as the HTTPS server in order to it to be allowed to piggyback the existing HTTPS connection.

In addition, due to the fashion in which this man-in-the-middle exploit operates, a would-be attacker would need a fairly high-bandwidth connection to the target.  Later versions of TLS (1.1 and 1.2) are not susceptible to this approach; our Security Advisory gives guidance on how to enable TLS 1.1 and 1.2 for customers who believe themselves to be at significant risk from this issue.

For further information on the nature of the issue, please see “Is SSL broken? – More about Security Advisory 2588513” on the SRD blog.

If you haven’t done so already, we suggest that you register for our security alerts (via email or RSS) on the Microsoft Technical Security Notifications page.

Thanks --
Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group

Today, as part of our usual monthly bulletin cadence, we are providing our Advance Notification Service for February's security bulletins. This month, we'll release 12 bulletins, three of them rated Critical and nine rated Important, addressing issues in Microsoft Windows, Internet Explorer, Office, Visual Studio, and IIS. 22 issues will be addressed.

As part of this month's update, we'll be addressing issues related to two recent Security Advisories, 2490606 (a public vulnerability affecting the Windows Graphics Rendering Engine) and 2488013 (a public vulnerability affecting Internet Explorer). Additionally, we will be addressing an issue affecting FTP service in IIS 7.0 and 7.5.

The bulletin release is once again slated for the second Tuesday of the month -- February 9th at 10:00 a.m. PST. Come back to this blog then for our official risk and impact analysis, as well as deployment guidance.

The monthly technical webcast next week will be hosted by Jerry Bryant and Jonathan Ness. We invite you to tune in and learn more about the new security bulletin releases as well as other announcements to be made on Tuesday. That webcast is scheduled for Wednesday, February 9, 2011 at 11:00 a.m. PST (UTC -8), and the registration form can be found here.

Thank you,

Angela Gunn
Trustworthy Computing

The vulnerability lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used by applications to render certain kinds of documents. The impact of an attack on the vulnerability would be similar to that of server-side cross-site-scripting (XSS) vulnerabilities.  For instance, an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session.  Such a script might collect user information (eg., email), spoof content displayed in the browser, or otherwise interfere with the user's experience.

The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists. We are providing a Microsoft Fix-it package to further automate installation.

In our collaboration with other service providers, we are looking for possible ways that they can take steps to provide protection on the server side. Our Security Research & Defense team has written a blog post that discusses some possible options. However, due to the nature of the issue, the only workaround Microsoft can officially recommend is what we have identified in the advisory. We will continue to work closely with others in the industry and appreciate the collaboration we have had to date.

We have initiated our Software Security Incident Response Process (SSIRP) to manage this issue. We're also in communication with other service providers to explain how the issue might affect third-party Web sites and to collaborate on developing a variety of further solutions that address the varied needs of all parts of the Internet ecosystem - large sites, small sites, and all those who visit them.

Meanwhile, we are working on a security update to address this vulnerability and we are monitoring the threat landscape very closely. If the situation changes, we'll post updates here on the MSRC blog.

Thanks -

Angela Gunn
Trustworthy Computing

Today we released Security Advisory 2488013 to address a public vulnerability that could affect customers using Internet Explorer 6, 7 and 8 if they visit a website hosting malicious code. Currently the impact of this vulnerability is limited and we are not aware of any affected customers or active attacks targeting customers.

Internet Explorer Protected Mode on Windows Vista and later versions of Windows helps to limit the impact of the currently known proof-of-concept exploits. Protected Mode is on by default in the Internet and Restricted sites zones in Internet Explorer 7 and 8 and prompts users before allowing software to install, run or modify sensitive system components.

The Security Advisory includes additional workarounds and mitigations that will help protect customers. Our Security and Research team has written a detailed blog post on the more technical aspects.

We initiated our Software Security Incident Response Process (SSIRP) to manage this issue and are sharing detailed information through the Microsoft Active Protections Program (MAPP). Our 70 global MAPP partners, including leading providers of anti-virus and anti-malware products, provide protections for an estimated one billion customers worldwide. With our partners, Microsoft is actively working to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability. If your protection provider is in our MAPP program, you can contact them concerning the status of providing protections for this issue as it is likely that updated malware signatures in these products will offer further protection.

We are working to develop a security update to address this attack against our customers. The issue does not currently meet the criteria for an out-of-band release. However, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.

As always, we encourage Internet users to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at Home.

Thanks,

Carlene Chmaj

Microsoft Trustworthy Computing, Senior Response Communications Manager

First, for December we're releasing 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Looking back over 2010, that brings the total bulletin count to 106, which is more bulletins than we have released in previous years. This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report. This isn't really surprising when you think about product life cycles and the nature of vulnerability research. Microsoft supports products for up to ten years. (One of our most popular operating systems from the turn of the century, XP SP2, reached its end-of-support life in mid-2010, in fact.) Vulnerability research methodologies, on the other hand, change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known.

At the end of the day, Microsoft's primary focus is to release reliable, high-quality updates to our customers.  Feedback from customers indicate that this is the most important factor in minimizing disruption and allowing them to deploy our updates quickly - even more important than the overall number of security updates. 

Back to this month's bulletins. We're addressing two issues this month that have attracted interest recently. First, we will be closing the last Stuxnet-related issues this month. This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware. We're also addressing the Internet Explorer vulnerability described in Security Advisory 2458511. Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low. Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP). On that note, I want to point you to a new post on the Security Research & Defense team blog describing the effectiveness of DEP and ASLR against the types of exploits we see in the wild today.  

We encourage customers to review this month's bulletins and to prioritize their installation according to the needs of their environment.  (And, of course, for most home users these updates will be installed automatically.)  If you have questions, join us next Wednesday (December 15) when Jonathan Ness and Jerry Bryant will host a live webcast covering the December bulletins. They'll go into detail about the release and answer your bulletin-related questions live on the air. Register at the link below:

Date: Wednesday, December 15
Time: 11:00 a.m. PST (UTC -8)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID= 1032454441

Thanks,

Mike Reavey
Director, MSRC

First, for December we're releasing 17 updates addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint and Exchange. Of the 17, two bulletins are rated Critical, 14 are rated Important, and one is rated Moderate. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

Looking back over 2010, that brings the total bulletin count to 106, which is more bulletins than we have released in previous years. This is partly due to vulnerability reports in Microsoft products increasing slightly, as indicated by our latest Security Intelligence Report. This isn't really surprising when you think about product life cycles and the nature of vulnerability research. Microsoft supports products for up to ten years. (One of our most popular operating systems from the turn of the century, XP SP2, reached its end-of-support life in mid-2010, in fact.) Vulnerability research methodologies, on the other hand, change and improve constantly. Older products meeting newer attack methods, coupled with overall growth in the vulnerability marketplace, result in more vulnerability reports. Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known.

At the end of the day, Microsoft's primary focus is to release reliable, high-quality updates to our customers.  Feedback from customers indicate that this is the most important factor in minimizing disruption and allowing them to deploy our updates quickly - even more important than the overall number of security updates. 

Back to this month's bulletins. We're addressing two issues this month that have attracted interest recently. First, we will be closing the last Stuxnet-related issues this month. This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware. We're also addressing the Internet Explorer vulnerability described in Security Advisory 2458511. Over the past month, Microsoft and our MAPP partners actively monitored the threat landscape surrounding this vulnerability and the total number of exploit attempts we monitored remained pretty low. Furthermore, customers running Internet Explorer 8 remained protected by default due to the extra protection provided by Data Execution Prevention (DEP). On that note, I want to point you to a new post on the Security Research & Defense team blog describing the effectiveness of DEP and ASLR against the types of exploits we see in the wild today.  

We encourage customers to review this month's bulletins and to prioritize their installation according to the needs of their environment.  (And, of course, for most home users these updates will be installed automatically.)  If you have questions, join us next Wednesday (December 15) when Jonathan Ness and Jerry Bryant will host a live webcast covering the December bulletins. They'll go into detail about the release and answer your bulletin-related questions live on the air. Register at the link below:

Date: Wednesday, December 15
Time: 11:00 a.m. PST (UTC -8)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID= 1032454441

Thanks,

Mike Reavey
Director, MSRC

Today we released Security Advisory 2458511 to address a new vulnerability that could impact Internet Explorer users if they visit a website hosting malicious code. As of now, the impact of this vulnerability is extremely limited and we are not aware of any affected customers. The exploit code was discovered on a single website which is no longer hosting the malicious code. When a website is discovered to host malicious software, we work through legal channels to take the site down. These kinds of attempts to exploit systems and the people using technology are the activity of criminals. Microsoft takes this very seriously and where possible, we will take legal action against those responsible.

Internet Explorer 9 Beta users are not affected by this issue and any customers who wish to upgrade their browser to this version can do so freely at www.microsoft.com/ie. Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue. This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms. For supported versions of Windows running earlier versions of Internet Explorer, please review this blog post from our Security Research & Defense team describing how to enable DEP.

The Security Advisory also details a workaround that customers can apply that will protect all affected versions of IE from this issue. We are working to put have a Microsoft Fix it in place for easy implementation of the workaround. Our Security Research & Defense team has also provided a detailed write up on how the workaround protects against the vulnerability.

We have initiated our Software Security Incident Response Process (SSIRP) to manage this issue and are sharing detailed information through the Microsoft Active Protections Program (MAPP). Our 70 global MAPP partners, including leading providers of anti-virus and anti-malware products, provide protections for an estimated one billion customers worldwide. If your protection provider is in our MAPP program, you can contact them concerning the status of providing protections for this issue as it is likely that updated malware signatures in these products will offer further protection. For customers of Microsoft Security Essentials and our Forefront security products, new signatures will be published today offering additional protection. Internet Explorer 8 also includes SmartScreen technology which helps provide protection against many types of socially engineered malware and phishing attacks, and which earlier this year reached the milestone of blocking over 1 billion attempts to download malware. In certain circumstances, SmartScreen may also help to protect customers in this case.

We are working to develop a security update to address this attack against our customers. The issue does not meet the criteria for an out-of-band release. However, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.

As always, we encourage Internet users to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at: www.microsoft.com/protect.

Thank you,

Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group

Edited to add: The Fix it is available now from the Knowledge Base article for this Advisory.