Last week Adrian Stone and I conducted a webcast to cover the Internet Explorer out-of-band security bulletin release. We only spent a short period of timing on the presentation and then spent the rest of the time answering customer questions which you can read here.

There were some interesting questions and hopefully those who attended came away with a better understanding about how to better protect themselves from emerging threats. One resource we referred customers to several times is a new blog post by the Microsoft Malware Protection Center (MMPC) where they chart attacks against CVE2010-0806 by local:

http://blogs.technet.com/mmpc/archive/2010/03/30/active-exploitation-of-cve-2010-0806.aspx

To be clear, this data comes from attempted exploits of the vulnerability against customers who are protected by Microsoft security products such as Microsoft Security Essentials and Microsoft Forefront Client Security, etc. In these cases, the exploit failed because mitigating signatures are in place (see article for details). One of the questions we got in the webcast was:

“If my malware protection is updated and covers this vulnerability, am I covered throughout the normal update cycle?”

This would only be true for known exploits and not the vulnerability itself. Once we find a new exploit, the MMPC can develop and deploy a signature for it. Applying the update addresses the vulnerability itself and is why we recommend that as the priority in addition to upgrading to the latest version of Internet Explorer (IE8) if you have not done so already.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Our next regularly scheduled bulletin release is Tuesday April 13, so that means we will be conducting another public webcast on April 14. We invite you to attend that webcast and bring any questions you have regarding the April release and we will try to answer them all live on the air. Here is the registration information:

Date: Wednesday April 14
Time: 11:00 a.m. PDT (UTC –8)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427721

Thanks!

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

*This posting is provided "AS IS" with no warranties, and confers no rights*

Today we released MS10-018 out-of-band due to increases in attacks against Internet Explorer 6 and Internet Explorer 7 using the vulnerability discussed in Security Advisory 981374. I want to reiterate that Internet Explorer 8 is not affected by this issue so customers using this version are not affected by these attacks and we continue to encourage customers to upgrade to the newer version because it provides more security and protection.

MS10-018 is a typical cumulative update for Internet Explorer and was originally going to be released during the normal update cycle on the 13^th of April. The Internet Explorer team accelerated testing of this update due to the growing attacks against the publicly disclosed vulnerability (CVE-2010-0806), and the update has reached the appropriate quality bar for distribution to customers. Releasing the update early provides Internet Explorer 6 and 7 customers protection against the active attacks and provides users of all versions of Internet Explorer protection against nine other vulnerabilities. I clarify this in the following video:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Here is a simplified view of the ten vulnerabilities and their aggregate severity on Internet Explorer 6, 7, and 8:

* Vulnerability under active attack.

This table demonstrates what we have been saying about the improved security and protection offered in Internet Explorer 8 and why we continue to encourage customers to upgrade.

Since we announced yesterday that we would be releasing this bulletin out-of-band, we have been asked if it addresses the vulnerability that was used in the “pwn2own” contest at the CanSecWest security conference last week. We are still investigating that issue at this time so we do not have an update available. In accordance with the contest rules, the vulnerabilities used are responsibly disclosed so that the respective vendors can produce updates to protect their customers before the vulnerabilities can be used by criminals. Microsoft continues to encourage responsible disclosure and we are a sponsor of the CanSecWest conference because we believe in working closely with security researchers to protect customers and the entire computing ecosystem.

If you can, please join Adrian Stone and I today for a live webcast where we will cover the details of this bulletin and take customer questions live. Here is the registration information:

Date: Tuesday March 30, 2010
Time: 1:00 p.m. PST (UTC -8)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032448112

Jerry Bryant
Group Manager – Response Communications

*This posting is provided "AS IS" with no warranties, and confers no rights*

Today we published the Questions & Answers from the March 2010 Security Bulleting webcast. We answered a total of 13 questions concerning the March bulletins and open Security Advisories. No particular themes emerged from the questions but there were some good ones so please review them.

The video covers the core part of the presentation Adrian Stone and I gave during the webcast. We talk about the two bulletins for March, a bulletin re-release and Security Advisory 981374.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Please join us for our next scheduled webcast where Adrian and I, along with a room full of subject matter experts, will present on the Security Bulletins for April and try to answer all your questions live.

Date: Wednesday, April 14
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427721

Thanks!

Jerry Bryant
Sr. Security Communications Manager Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Hi everyone,

As mentioned in our ANS blog post last week, today we are releasing 13 bulletins addressing 26 vulnerabilities. 11 bulletins affect Windows and 2 affect older versions of Microsoft Office.

In the post on Thursday, we mentioned that bulletins in the ANS listed as 1, 2, 3, and 6 were going to top our deployment priority list this month. We have also added MS10-015 (#12) to that list. It addresses Security Advisory 979682. We are aware of publicly available Proof-of-Concept code for this issue, but are not aware of any active attacks at this time. Here is the mapping from the bulletin numbers in the ANS to the released bulletin ID’s:

ANS Bulletin Number	Actual Bulletin Number
1	MS10-006
2	MS10-007
3	MS10-008
4	MS10-009
5	MS10-012
6	MS10-013
7	MS10-003
8	MS10-004
9	MS10-010
10	MS10-011
11	MS10-014
12	MS10-015
13	MS10-005

As always, it is recommended that customers deploy all security updates as soon as possible. Of the bulletins released this month, customers should prioritize and deploy MS10-006, MS10-007, MS10-008, MS10-013, and MS10-015, given Critical severity ratings and/or Exploitability Index ratings of 1 (“Consistent Exploit Code Likely”).

MS10-013, which addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince the a user to open it.

MS10-006 is also Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.

MS10-007 addresses a Critical vulnerability in Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is through a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly exposed but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install it as soon as possible.

MS10-008 is the last one I will give some additional detail on. This is a cumulative update for ActiveX Killbits and is also Critical. You will notice in our Severity & Exploitability Index chart that we did not give this an Exploitability rating. That is because a Killbit is not an update that addresses the underlying vulnerability. It is a registry setting that keeps the vulnerable ActiveX control from running in Internet Explorer. We will give these an Exploitability rating of 1 if we are aware of active exploitation but in this case, we are not.

You can find more detailed information about these bulletins in several blog posts by our Security Research & Defense team at http://blogs.technet.com/srd.

With that, here are the Severity and Exploitability Index and Deployment Priority slides:

In the following video, Adrian Stone and I talk a little more about this month’s top priority bulletins:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

I would also encourage you to attend out public webcast tomorrow where we will go in to detail on all 13 bulletins. Here is the registration information:

Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

Hope you can join us!

Jerry Bryant
Sr. Security Communications Manager – Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*

To help customers plan and prioritize for this month’s security updates, we wanted to let you know that we will be releasing 6 bulletins (three critical and three important) addressing 15 vulnerabilities, affecting Windows and Microsoft Office products. Customers should plan a restart for the Windows bulletins. The Office bulletins may not require a restart if the components being updated are not in use. More information about the upcoming security updates can be found on the TechNet Web site.

The target release day is next Tuesday Nov. 10 at 10:00 a.m. PST (UTC -8). At that time we will post more detailed information about the bulletins here and on our Security Research & Defense (SRD) blog. We will also include our Risk and Impact guidance, our Deployment Priority guidance, and an overview video discussing these materials. For more detailed information concerning the upcoming bulletins, please review the ANS page here.

As always, Adrian Stone and I will be hosting a webcast to cover the bulletins in greater detail the day after bulletins release. So please join us on Wednesday Nov. 11 at 11:00 a.m. PST (UTC -8) and bring any questions you have about the bulletins. We will have a room full of subject matter experts on hand to answer them. To register for the webcast, please follow this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

To clarify what the bulletin states, if you do not have any Windows 2000 SP4 clients on your network then you do not need to apply the SQL Server update that corresponds to the version of SQL Server you are running. In this case, you would only need to apply the update for the client operating systems on your network. This is because on platforms newer than Windows 2000 SP4, the operating system will use its own version of the affected component (gdiplus.dll) rather than the one distributed by the RSClientPrint ActiveX control through SQL Server Reporting Services.

In the video below, Adrian Stone and I go in to details on each bulletin to cover the vulnerabilities, affected platforms, attack vectors, and mitigations:

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio High Quality WMV (2.5 Mbps) Zune Video (WMV)

Next month we will host our live security bulletin webcast on November 11 at 11:00 am Pacific time (UTC -7). To register for that webcast, please follow this link.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

As we mentioned in the webcast, The MS09-048 bulletin has been updated to call out Windows XP in the affected products list with a severity rating of low for the two Denial-of-Service vulnerabilities (the third, Remote Code Execution vulnerability, does not affect XP). As stated in the bulletin, in the default configuration, Windows XP is not affected by any of the issues addressed by the bulletin. However, we heard from enterprise customers that custom configurations that put XP in a vulnerable state are in use so we updated the bulletin for clarity. Does this mean there will be an update for Windows XP? No and I will use the text from the bulletin to explain why:

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Concerning MS09-048 and Windows 2000, the scenario is very similar to Windows XP in that an attack requires a sustained flood of specially crafted TCP packets and the system will recover once the flood stops. Keeping Windows 2000 servers behind a NAT or reverse proxy can help to reduce risk.

In the last blog post I called out MS09-045 and MS09-047 as the highest priorities for deployment and while MS09-048 has received a lot of attention, we want to continue to stress getting those updates installed to all users.

This month we are leaving the Q and A out of the video because we have posted those questions to the blog and to keep the overall duration of the video down. If you like it this way or if you prefer us to leave that portion in, head over to the TechNet Edge site where we host the videos and leave your feedback there.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

Following the webcast we got feedback that folks liked the new deployment priority slide as well as the new detail slides for each bulletin. We appreciate the feedback and will keep looking for ways to improve the content.

Please plan on joining us for our next regularly scheduled webcast on October 13 at 11:00 a.m. Click HERE to register.

Thanks!

Jerry Bryant

It is apparent that there is still a bit of confusion around the Active Template Library (ATL) issue and how current updates relate to work we have already done to provide mitigations, protections and guidance to customers. To try and provide some clarity:

• Security Advisory 972890: This advisory was released in response to active attacks against the Microsoft Video ActiveX Control in order to provide guidance and mitigations (including a Microsoft Fix it solution) to customers while we worked towards an update for the underlying issue.
• MS09-032 – Cumulative Update of ActiveX Kill Bits (973346): This bulletin provided an official kill bit update to replace the Microsoft Fix it solution provided by Security Advisory 972890. The update addresses additional kill bits and is also available through Microsoft update technologies such as Windows Update, Microsoft Update, and Windows Software Update Services (WSUS). This kill bit blocked the ability to instantiate the Microsoft Video ActiveX Control in Internet Explorer to mitigate against known attacks.
• MS09-034 – Cumulative Security Update for Internet Explorer (972260): This bulletin provided a defense-in-depth update that helps mitigate known attack vectors within Internet Explorer. To be clear, Internet Explorer is not vulnerable to these attacks but the vulnerable components can be reached through Internet Explorer. Installing this update mitigates that threat.
• MS09-035 – Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706): This update is specifically geared towards developers of components and controls who use ATL. The update addresses the underlying issue in our Visual Studio development tools. Developers who use ATL should install this update and recompile their components and controls following the guidance in this MSDN article.
• MS09-037 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908): This bulletin provides updates for vulnerable components and controls that shipped with Windows products. These are Microsoft components and controls were built using ATL. Among the updates in this bulletin is a binary level update that addresses the vulnerability in the Microsoft Video ActiveX Control that has seen some active attacks. So we previously released a kill bit update to provide immediate protection for customers and are addressing the underlying vulnerability with this update.
• Security Advisory 973882: This advisory provides information on our ongoing investigation in to the ATL issue and serves as a single source for all related information.

To be even clearer, not every ActiveX control is vulnerable and we have an ongoing investigation into this issue. We will continue to provide updates via Security Advisory 973882 and Security Bulletins as necessary.

Of course this is not the only issue we addressed this month and customers had quite a few questions during the webcast that we provided answers and guidance for. Please review the text version of the Q&A here>>.

Here is the video of the webcast that includes the bulletin by bulletin presentation and the complete Q&A session:

More viewing and listening options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

Please plan to join us for the next regularly scheduled webcast on September 9, 2009 at 11:00 a.m. (UTC-7) where we will again cover any new bulletins and address your questions in real time. Click here to register >>.

Finally, please visit our Security Research & Defense blog where you will find some great deep dive articles full of analysis and guidance on these and many other security issues. You may also find our new blog aggregator useful for getting a consolidated view of all of our Trustworthy Computing blogs.

Thanks,

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

There were several questions about MS09-028 and MS09-032. These security updates addressed two open security advisories (971778 and 972890 respectively). One common question was “if I installed the Fix it workaround in the advisory, do I need to uninstall it before installing the update in the bulletin?”. The answer to that question is no, you can install the security update right on top of the Fix it workaround.

Another area where we were asked for clarification was if the cumulative security update of ActiveX Kill Bits contained the kill bit for the OWC advisory (973472). Good question. The kill bit provided in the advisory is not part of MS09-032. The issue discussed in the advisory is still under investigation and when that is complete, we will take appropriate action to protect customers. Meanwhile, we encourage all customers to evaluate and apply the workaround as quickly as possible.

With that, here is the complete list of questions and answers and I invite you to view the video below from today’s webcast.

More viewing and listening options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) Zune Video (WMV)

Please join us August 12th for our next regularly scheduled webcast following the August bulletin release where we will again have a room full of subject matter experts to answer all of your questions.

Thanks!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*

The complete list of questions and answers from the webcast is now posted here:
http://blogs.technet.com/msrc/pages/monthly-security-bulletin-webcast-q-a-june-2009.aspx

Also, here is the link to the Q&A index page in case you want to view previous months:
http://blogs.technet.com/msrc/pages/microsoft-security-bulletin-webcast-q-a-index-page.aspx

The video of this month’s webcast is just over an hour long as we had 10 bulletins and a couple of advisories to cover. The Q&A portion starts at around 39 minutes in if you want to skip to that portion.

More listening and viewing options: Windows Media Video (WMV) Windows Media Audio (WMA) Large Preview Image (PNG) Small Preview Image (PNG) iPod Video (MP4) MP3 Audio Streaming WMV (512kbps) High Quality WMV (2.5 Mbps) Zune Video (WMV)

Every month in the webcast, we cover an aggregate severity and exploitability index ratings slide that we think is useful as a quick reference when doing a risk assessment. Here is that slide for your reference in case you were not able to attend the webcast or print the slides out during the webcast:

Finally, there are two additional items I want to mention that we covered in the webcast this month:

First, we put out a call for feedback on the Exploitability Index. The index provides customers with guidance on the likelihood of functioning exploit code being developed in the first 30 days for vulnerabilities addressed in our bulletins. This index has been available now for 9 months and we want to get your feedback on it positive or negative and how you use it in your risk assessments. To submit your feedback, simply email it to msrcteam@microsoft.com.

The second thing we covered that I wanted to mention here is that Office Update is retiring. Starting August 1, 2009, we will discontinue support for Office Update and the Office Update Inventory Tool. At that time, to continue receiving updates for Office products, you will need to use Microsoft Update. For more information see the FAQ (http://office.microsoft.com/en-us/downloads/FX010402221033.aspx).

As always, customers experiencing issues installing any of the updates this month should contact our Customer Service and Support group:

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Please join us for our next live webcast on July 14, 2009 at 11:00 am PDT (UTC –7). Follow this link to pre-register:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032407482 

Hope to see you then!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights.*