Decrease in Critical Issues and Bulletins

As far as individual issues, Critical-class CVEs accounted for less than a third of the issues we addressed in bulletin releases for the first time since we began our monthly bulletin-release cadence in 2004. And in absolute numbers, Critical-class CVEs are at their lowest levels since 2005. The fact that we’re seeing lower percentages of Critical issues and bulletins year-over-year demonstrates progress made by the product groups in creating more secure software.

With this regularly scheduled monthly release, our bulletin count for 2011 is 99, with 13 released today. Of those, we determined 10 to be Important-class bulletins, with only three classified as Critical in severity. In 2011, Critical-class bulletins represented just 32 percent of all bulletins – the lowest percentage since we began our monthly bulletin-release cadence in 2004 and, again, the lowest absolute number since 2005. Interestingly, for the second half of the year the numbers are even lower, with under 20 percent of bulletins released in the last six months rated Critical in severity.

Even though there are fewer Critical-class security updates year-over-year, we know that any update has the potential to be disruptive for customers. And so we work hard to make our update process as smooth and transparent as possible for customers – with no surprises. As part of that commitment, in 2011 we were able to address reported security issues effectively without resorting to emergency releases outside of the regular scheduled monthly releases. We understand the disruption that these “out-of-cycle” releases create for customers, and we take the decision to release an update out of cycle very seriously. Effective coordination with product teams, greater use of threat telemetry, the ability to release workarounds, and the ability to release defenses through partners like those in Microsoft’s Active Protection Program (MAPP) have all helped us to release all our 2011 bulletins in the usual monthly process. We’re glad about that, even though we will always reserve the right to release out-of-cycle if the situation merits it.

We also know that a large part of addressing security issues effectively and quickly is dependent on how we work with the community that finds and reports vulnerabilities to us. In 2011, over 80 percent of the issues we addressed were disclosed in a coordinated process. During the second half of the year that rose to over 85 percent. We believe that reporting vulnerabilities in a coordinated manner helps better protect customers and the broader Internet ecosystem and we’re glad that so many in the industry share this sentiment.

However, we didn’t rest on just those numbers.  We continued our work with the community, and in the summer of 2011 we made a series of announcements culminating in the kickoff of our first-ever Blue Hat Prize, which will award over a quarter of a million dollars to researchers breaking ground on defensive technologies. This initiative encourages researchers to bring to life mitigations that could potentially address entire classes of vulnerabilities. It’s a big project and we’re incredibly excited about the contest entrants we’ve seen so far. We’ll have more information on the Blue Hat Prize in 2012...we don’t want to spoil the excitement for anyone just yet.

Defensive Technology at Play
2011 also brought strong examples of how defensive technologies can increase the security of the software people use every day. For example, two of the more exciting developments of the year here at the MSRC centered on new and improved mitigations for older versions of Windows and Office. After announcing it in December, we launched Office File Validation (OFV) in April. OFV extends our “Gatekeeper” technology -- effective at detecting and blocking potentially dangerous binary-format files from opening in Office 2010 -- to the 2007 and 2003 editions of Microsoft Office.  Since release, approximately 200 million machines have added OFV to their protection arsenal.

And in February, we made an unprecedented change to how Autorun behaves when you insert a USB key on Windows XP and Vista systems. The change reduced the number of infections that rely on Autorun by 59 percent on Windows XP machines and by 74 percent on Windows Vista machines, in comparison to 2010, with a 68 percent year-to-year overall decline in infections for all PCs running all versions of Windows. That’s a staggering change for the better.

As we approach 2012, we’ll continue to deliver the best-tested, highest-quality bulletins possible while facing the security challenges the new year poses. Whatever’s ahead, we’ll continue to work internally, and with the researchers and partners, to find new approaches to security response while keeping customer protection, as always, as our first priority.

Thanks --

Mike Reavey
Senior Director, MSRC

These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates:

• MS11-092 – Windows Media: Vulnerability In Windows Media Could Allow Remote Code Execution
• MS11-087 – Windows: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Why 13 bulletins and not 14, as we stated in the ANS announcement on Thursday? After that announcement, we discovered an apps-compatibility issue between one bulletin-candidate and a major third-party vendor. We’re currently working with that vendor to address the issue on their platform, after which we’ll issue the bulletin as appropriate. As ever, we’d much rather withdraw a potential bulletin than ship something that might inconvenience customers, however limited that inconvenience in scope. The issue addressed in that bulletin, which we have been monitoring and against which we have seen no active attacks in the wild, was discussed in Security Advisory 2588513.

In the video below, Jerry Bryant discusses this month's bulletins in further detail.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the December security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, December 14, 2011 at 11 A.M. PST. Click here to register.

Thanks,
Angela Gunn
Trustworthy Computing.

Today we published the October Security Bulletin Webcast Questions & Answers page. We fielded eight questions across all bulletins. There was one question that we were unable to answer during the webcast due to time constraints, and we have included all questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, November 9th at 11am PDT (UTC -7), when we will go into detail about the November bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, November 9th, 2011
Time: 11:00 a.m. PST (UTC -7)
Register: Attendee Registration

Thanks,
Jerry Bryant
Group Manager, Response Communications
Microsoft Trustworthy Computing

Today we published the September Security Bulletin Webcast Questions & Answers page. We fielded 15 questions primarily regarding the Diginotar Certificate compromise and the associated Security Advisory. There was one question that we were unable to answer during the webcast due to time constraints, and we have included all questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, October 12th at 11 a.m. PDT (-8 UTC), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, October 12, 2011
Time: 11:00 a.m. PDT (UTC -8)
Register: Attendee Registration

View this video as a WMV

<div><img alt="DCSIMG" id="DCSIMG" width="1" height="1" src="http://m.webtrends.com/dcsygm2gb10000kf9xm7kfvub_9p1t/njs.gif?dcsuri=/nojavascript&WT.js=No"/></div>

Thanks -

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

Today we published the August Security Bulletin Webcast Questions & Answers page. We fielded six questions on various topics during the webcast, including bulletins released and the Malicious Software Removal Tool. There was one question that we were unable to answer during the webcast due to time constraints, and we have included all questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, September 14th at 11 a.m. PDT (-8 UTC), when we will go into detail about the September bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, September 14, 2011
Time: 11:00 a.m. PDT (UTC -8)
Register: Attendee Registration

Thanks,

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group

As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, two of which are rated Critical in severity, nine Important and two Moderate.

These bulletins will increase protection by addressing 22 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the two critical updates:

• MS11-057 (Internet Explorer). This security update resolves five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Microsoft is not aware of any attacks leveraging the vulnerabilities addressed in this bulletin.
• MS11-058 (DNS Server). This security update resolves two privately reported vulnerabilities in Windows DNS server. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted Naming Authority Pointer (NAPTR) query to a DNS server. Servers that do not have the DNS role enabled are not at risk.

In this video, Jerry Bryant discusses this month's bulletins in further detail, focusing on these two bulletins:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page. In addition, the SRD blog today has more information on MS11-058’s Exploitability Index rating and on the month’s deployment priorities.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the June security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, August 10, 2011 at 11 a.m. PDT, and you can register here.

For all the latest information, please also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Angela Gunn
Trustworthy Computing.

Over the years we’ve often talked about exploit mitigations – DEP, ASLR, SEHOP and so forth – as effective tools for improving computer security, reducing risk, preventing attacks, and minimizing operational disruption. Today we’re releasing a user’s guide to the toolbox: “Mitigating Software Vulnerabilities,” a white paper with practical information on choosing and enabling those mitigations. We hope this paper becomes an indispensable reference for developers, IT pros and end users looking for advice and answers concerning exploit mitigations. The paper, which is in PDF format, is available from the Download Center. For more insight, Matt Miller of the Microsoft Security Engineering Center has written about the paper on the SRD blog.

As I previously mentioned in the Advance Notification Blog on Thursday, today we are releasing four security bulletins, one of which is rated as Critical, and three of which are rated Important. These bulletins will increase protection by addressing 22 vulnerabilities in the following Microsoft products. We’ve marked one bulletin, MS11-053, as our highest deployment priority for the month:

• MS11-053 (Bluetooth Stack). This security bulletin resolves one privately reported vulnerability in the Windows Bluetooth Stack. This bulletin is rated Critical for Windows Vista and Windows 7 platforms. All prior versions of Windows are unaffected.

Despite its high deployment priority, we have assigned MS11-053 an Exploitability Index rating of 2. For more information on that decision, please see the SRD blog. We encourage all customers to apply this bulletin first, before deploying the rest of our July updates as soon as possible. Of note, consumers with Automatic Update enabled on their computers will not need to take any action; the tool ensures that the updates are applied and the systems protected.

The SRD blog also has insight from MSRC Engineering concerning MS11-056, an Important-level bulletin addressing five issues in Windows’ client/server runtime subsystem.

In this video, Jerry Bryant discusses this month's bulletins in further detail.

Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.  

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Dustin Childs. I invite you to tune in and learn more about the July security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, July 13, 2011 at 11 a.m. PDT, and the registration can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Angela Gunn
Trustworthy Computing.

The initial results are encouraging. As of May 2011, the number of infections found by the Malicious Software Removal Tool (MSRT) per scanned computer declined by 59 percent on Windows XP machines and by 74 percent on Windows Vista machines in comparison to the 2010 infection rates on those platforms. (Windows 7 had the updated Autorun settings built in by default.) For more details and statistics regarding the drop in Autorun-abusing malware infections, please see the Microsoft Malware Protection Center (MMPC) blog.

As we previously mentioned in the Advance Notification blog on Thursday, today we are releasing 16 security bulletins, nine of which are rated Critical, and seven of which are rated Important. There are four Critical-level updates that we want to call out as top priorities for our customers in June:

• MS11-042 (DFS). This bulletin resolves two privately reported issues affecting all versions of Windows.
• MS11-043 (SMB Client). This bulletin resolves one privately reported issue affecting all versions of SMB Client on Windows.
• MS11-050 (Internet Explorer). This security bulletin resolves 11 privately reported issues in Internet Explorer.
• MS11-052 (Windows). This bulletin resolves one privately reported issue in Windows and is also Critical.

We recommend that customers apply these and all other updates as soon as possible.

In this video, Jerry Bryant discusses this month's bulletins in further detail, focusing on these four bulletins:

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view):

The Security Research & Defense team has further information on deployment priorities for today’s bulletins on their blog.

Meanwhile, our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view):

Since we’ve started specifying separate Exploitability Index ratings for the current and the earlier versions of products affected by each vulnerability, it’s easier to see how individual vulnerabilities affect newer products versus older ones. We assign Exploitability Index ratings solely to Critical- and Important-severity vulnerabilities, and there are 32 of those this month (the others are Moderate-level issues in MS11-050). Of those, 14 vulnerabilities have a lower Exploitability Index rating for the latest-and-greatest version of the software than for the older version, or the latest version isn’t affected at all. The remaining CVEs have no difference in severity between the versions.

More information about this month's security updates can be found on the Microsoft Security Bulletin Summary web page. Also this month, Microsoft is increasing MSRT detection capabilities for three worm families -- Win32/Rorpian, Win32/Yimfoca and Win32/Nugel. Please see today’s MMPC blog for more information.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, June 15, hosted by Jerry Bryant and Jonathan Ness. We invite you to tune in and learn more about the June security bulletins, as well as other announcements made today. The webcast is scheduled at 11 a.m. PDT, and the registration can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse. Also feel free to tweet the hash tag #MSFTSecWebcast and ask any questions you may have regarding the bulletins before Wednesday at 11am PDT. We’ll answer as many questions as possible live during the webcast.

Thanks,

Angela Gunn
Trustworthy Computing.

As for this month’s bulletins, today we’re providing Advance Notification Service information on 16 bulletins (nine Critical in severity, seven Important) addressing 34 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight and ISA.  All bulletins will be released on Tuesday, June 14, at approximately 10am PDT. Come back to this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

One of the issues we start to address in this release is “cookiejacking,” which allows an attacker to steal cookies from a user’s computer and access websites the user has logged into. The Internet Explorer bulletin will address one of the known vectors to the cookie folder. Given the prevalence of other types of social engineering methods in use by criminals, which provide access to much more than cookies, we believe this issue poses lower risk to customers. Further, based on a signature that has been released to millions of Microsoft Security Essentials and Forefront customers, the Microsoft Malware Protection Center (MMPC) has not detected attempts to use this technique.

We’re also preparing for our monthly technical webcast, which is scheduled for 11am PDT on Wednesday, 15 June. Your hosts this month will be Jerry Bryant and Jonathan Ness, and they’ll be discussing each of the bulletins and taking your questions live on the air. Register in advance for the webcast here.

As always, we encourage you to follow our Twitter feed at @msftsecresponse for the latest news from the Microsoft Security Response Center.

Thanks –

Angela Gunn
Trustworthy Computing.

Today we published the May Security Bulletin Webcast Questions & Answers page. We fielded twelve questions on various topics during the webcast, including bulletins released and the Malicious Software Removal Tool.  There were two questions during the webcast that we were unable to answer and we have included those questions and answers on the QA page.

We invite our customers to join us for the next public webcast on Wednesday, June 15th at 11am PDT (-8 UTC), when we will go into detail about the June bulletin release and answer questions live on the air.

Customers can register to attend at the link below:

Date: Wednesday, June 15, 2011
Time: 11:00 a.m. PDT (UTC -8)
Register: Attendee Registration

Thanks -

Jerry Bryant

Group Manager, Response Communications
Trustworthy Computing Group