Today we published the Questions & Answers from the August 2010 Security Bulleting webcast. We answered a total of 17 questions concerning the March bulletins and open Security Advisories. No particular themes emerged from the questions but there were some good ones so please review them.

The video covers the core part of the presentation Adrian Stone and I gave during the webcast. We talk about the 14 bulletins for August and Security Advisory 2264072.

Please join us for our next scheduled webcast where Adrian and I, along with a room full of subject matter experts, will present on the Security Bulletins for September and try to answer all your questions live.

Date: Wednesday, September 15, 2010
Time: 11:00 a.m. PDT
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454433&EventCategory=4&culture=en-US&CountryCode=US  

Thanks!

Jerry Bryant
Group Manager, Response Communications

Hello –

During today's webcast our team of technical experts answered over fifty questions regarding the August 2010 Out-of-Band Security Release update questions.   Click here to review the entire list of questions and answers from today's Out-of-Band webcast Q&A page.

Also, here is the link to the Q&A index page for your review -  in case you wanted to view any of the past 12 webcast Q&A's.

As always, customers experiencing issues with the installation of today's security update should contact our Customer Service and Support group:

• Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
• International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

We look forward to your joining us during our regular monthly webcast on August 10, 2010.  Click here to register

Thanks!

Christopher Budd

Sr. Security Response Communications

As we announced on Friday, today we released Security Bulletin MS10-046 out-of-band to address a vulnerability in Windows. This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. As our colleagues over in the MMPC have noted, several families of malware have been attempting to attack this vulnerability. The security update protects against attempts to exploit this issue.

For customers using automatic updates, this update will automatically be applied once it is released. Customers not using automatic updates should download, test and deploy this update as quickly as possible.

As we do with every bulletin release, we will be hosting a webcast to address your questions today at 1PM Pacific Time. Register now.

Thanks,

Christopher Budd

Sr. Security Response Communications Manager at Microsoft

MS10-042 resolves a publicly disclosed and actively exploited vulnerability discussed in Security Advisory 2219475. The update addresses an issue in the Windows Help and Support Center feature included in Windows XP and Windows Server 2003. Even though this issue affects Server 2003, we have not found an attack vector on that platform so the severity rating is Low. Windows XP customers should install this update as soon as possible.

MS10-043 resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause a Denial of Service (DoS). Note that this bulletin affects only 64-bit versions of Windows 7 and Windows Server 2008 R2 with Windows Aero enabled. Aero is not installed by default on Server 2008 R2. We are not aware of any active attacks against this issue.

MS10-044 resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. This issue could allow remote code execution if a customer with Access installed opened a specially crafted Office file, or viewed a Web page that instantiated Access ActiveX controls. This security update is rated Critical for supported editions of Microsoft Office Access 2003 and Microsoft Office Access 2007.

MS10-045 This security update resolves another privately reported vulnerability that could allow remote code execution if a customer opened an attachment in a specially crafted e-mail message using an affected version of Outlook -- Microsoft Outlook 2002, Microsoft Office Outlook 2003, or Microsoft Office Outlook 2007.

The following video provides an overview of these four bulletins:

Both Windows vulnerabilities and one Office vulnerability have Critical severity ratings, while the second Office vulnerability carries an Important severity rating.

As always, Microsoft recommends that customers test and deploy all security updates as soon as possible. We recommend that deployment priority be given to MS10-042 and MS10-045.

For a more in-depth look at these issues, our Security Research & Defense (SRD) team has taken a closer look at both these bulletins on its blog.

We also include one bulletin re-release, MS10-024, in this cycle. The re-release will address the issue previously noted in KB976323, in which the installation of the bulletin reset user-configured settings for SMTP servers on Windows Server 2008-based systems with Internet Information Services (IIS) installed. Users who have previously installed MS01-024 will not be offered the re-released update.

Today also marks the end of support for Windows XP Service Pack 2. Customers who have not migrated from this version are encouraged to upgrade immediately, either to Service Pack 3 or to Windows 7. In addition, after today's bulletin release, we will no longer provide support for all Windows 2000 products as we have reached the end of extended support.

More information about the security updates can be found on the Microsoft Security Bulletin summary webpage.  Our Exploitability Index provides additional information to help customers prioritize deployment of the monthly security bulletins.

Please join the monthly technical webcast to learn more about the May 2010 security bulletin release. The webcast is scheduled for Wednesday, July 14, 2010 at 11:00 a.m. PDT (UTC -7). Registration is available here.

Reminder: You can follow the team for late breaking news and updates on the threat landscape here: @MSFTSecResponse.

Thanks!

Jerry Bryant
Group Manager, Response Communications

• Two bulletins, both with a severity rating of Critical, affect Windows.
• Two of the bulletins affect Microsoft Office; of those, one carries a Critical severity rating and one is rated Important.

As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

We will close out two Security Advisories this month.

• We are closing Security Advisory 2028859 (Vulnerability in Canonical Display Driver Could Allow Remote Code Execution) in the July bulletins.
• We are also closing Security Advisory 2219475 (Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution) with a comprehensive update that addresses the issue currently under attack.

Please join Adrian Stone and me for a public webcast on Wednesday. We'll go into detail about the bulletins and answer questions live on the air. Register at the link below:

Date: Wednesday, July 14
Time: 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454299

Also, July marks the end of Microsoft support for the Windows 2000 and Windows XP SP2 platforms. Customers should actively seek out either a supported operating system or the latest service pack in order to keep receiving necessary security updates.

Thanks,

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Updated July 9, 2010 to correct transposition concerning number of critical bulletins for Windows (accurately, two) and MS Office (accurately, one).

Today, as part of our regular monthly security bulletin release cycle, we released 10 bulletins to address 34 total vulnerabilities in Windows, Microsoft Office (including SharePoint), Internet Explorer (IE), Internet Information Services (IIS), and the .NET Framework. Only three of these bulletins get our maximum severity rating of Critical. The rest are rated Important. However, we encourage customers to test and deploy all applicable security updates as soon as possible.

The three Critical bulletins get our highest deployment priority this month. Those are:

• MS10-033 is a remote code execution vulnerability in both Quartz.dll and Asycfilt.dll and is rated Critical on all supported versions of Windows. Specially crafted media files could trigger the vulnerability when a user visits a web page or opens a malicious file.
• MS10-034 is a cumulative update for ActiveX Kill Bits and is Critical on Windows 2000, XP, Vista, and Windows 7. There are two Microsoft controls we are applying Kill Bits for. Those are the Internet Explorer 8 Developer Tools control, and the Data Analyzer ActiveX control. The latter control is not installed by default. In addition, there are Kill Bits for four third-party controls. Please review the bulletin for additional details.
• MS10-035 is a cumulative update for Internet Explorer. Of the six vulnerabilities addressed in the bulletin, only one, an information disclosure vulnerability, is publicly known. This issue was identified in Security Advisory 980088. We remain unaware of any active attacks against this vulnerability.

In the video below, Adrian Stone and I go in to some detail on the three priority bulletins and explain why each should be at the top of your list to install:

Also, included below is the aggregate risk and impact slide for June. Note that we do not typically give an Exploitability Index rating for ActiveX Kill Bits but as stated, this update should be a high priority.

Here is our overall deployment priority information:

There are additional subtleties with specific bulletins that I want to discuss here to eliminate potential confusion:

• MS10-032 is an elevation of privilege issue in the affected Microsoft products. There is a potential remote vector if applications fail to properly request the length of the buffer when calling the affected API. All Microsoft applications make this call properly but there may be applications out there that do not. Regardless, installing this update addresses the issue for all vectors. See our Security Research & Defense (SRD) blog for more details on this one.
• MS10-036 is a COM validation update. The issue could result in an attack through ActiveX in Office applications. This is not a new attack vector but the underlying vulnerability is and the bulletin addresses it. For additional clarification, I want to point out that Office XP does not have the architecture needed for the update. However, for customers running Office XP on Windows XP or newer operating systems, we have made a shim available that protects against the vulnerability. The shim can be installed via a Microsoft FixIt which can be downloaded from KB983235.
• MS10-039 is a SharePoint related update, closing out Security Advisory 983438 which addressed an elevation of privilege vulnerability. We are not currently aware of any attacks against this issue.

As usual, our SRD team has written several blog posts that go in to details on some of this month's bulletins and I encourage customers to review those for additional insight: http://blogs.technet.com/b/srd.

If you have questions about the June bulletins, please attend our public webcast tomorrow which I will be hosting with Adrian Stone from the MSRC. We will go in to additional details on each bulletin and along with a room full of subject matter experts attempt to address all of your questions. Here's how to register:

When: Wednesday June 10, 2010 at 11:00 a.m. PDT (UTC -7)
Registration: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032395226

I hope you can join us then.

Thanks!

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Today we published our advance notification for the June security bulletin release, scheduled for release next Tuesday, June 8. This month’s release includes ten bulletins addressing 34 vulnerabilities.

• Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important.
• Two bulletins, both with a severity rating of Important, affect Microsoft Office.
• One bulletin, again with a severity rating of Important, affects both Windows and Office.  
• One bulletin, with a severity rating of Critical, affects Internet Explorer.

As ever, we recommend that customers prepare for the testing and deployment of these bulletins as soon as possible.

We will also be acting on two Security Advisories this month.

• We are closing Security Advisory 983438 (Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege) with the June bulletins.
• We are also addressing Security Advisory 980088 (Vulnerability in Internet Explorer Could Allow Information Disclosure).

Please join Adrian Stone and me for a public webcast on Wednesday next week where we will go into detail about the bulletins and answer questions live on the air. Register at the link below:

Date: Wednesday June 9
Time: 11:00 a.m. PDT (UTC –7)
Registration: https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427727

Finally, we remind Windows 2000 and Windows XP SP2 customers once again that all support for these platforms will end after July 13, 2010 – that is, next month. Customers should upgrade to either a supported operating system or the latest service pack in order to keep receiving necessary security updates.

Thanks,

Jerry Bryant
Group Manager, Response Communications

Follow us on Twitter: @MSFTSecResponse

Today we published our advance notification for the May security bulletin release letting customers know that next Tuesday, May 11, we will release two Critical bulletins addressing two vulnerabilities - one in Windows and one in Office. Windows 7 and Windows Server 2008 R2 customers will be offered the Windows related update but they are not vulnerable in their default configurations. More information on this will be provided on Tuesday.

Concerning the recent Security Advisory for SharePoint, 983438, we will not be releasing an update for that with the May bulletins. Our teams are still working on an update for that issue. In the meantime, we recommend customers review the advisory and apply the workarounds.

On a side note, I want to also continue reminding customers of Windows 2000 and Windows XP SP2 that all support for these platforms will end after July 13, 2010. Customers should upgrade to either a supported operating system or the latest service pack in order to keep receiving security updates.

We recommend that customers prepare for the testing and deployment of both bulletins as soon as possible. Finally, please join Adrian Stone and me for a public webcast next week where we will go in to details about the bulletins and answer questions live on the air. Here’s how to register:

Date: Wednesday May 12
Time: 11:00 a.m. PDT (UTC –8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427724

Thanks,

Jerry Bryant
Group Manager, Response Communications< ?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Follow us on Twitter: @MSFTSecResponse

*This posting is provided "AS IS" with no warranties, and confers no rights*

Again, this only affects those with Windows 2000 Servers in a non-default configuration with Windows Media Services installed.  All customers with this configurartion are advised to install this re-released update.

Thanks,

Carlene Chmaj (that’s pronounced ‘Shmay’ for you non-Polish speaking folk)

*This posting is provided "AS IS" with no warranties, and confers no rights*