Home arrow Microsoft
MSRC
  • Security Advisory 3010060 released

    Today, we released Security Advisory 3010060 to provide additional protections regarding limited, targeted attacks directed at Microsoft Windows customers. A cyberattacker couldcause remote code execution if someone is tricked into opening a maliciously-crafted PowerPoint document that contains an infectedObject Linking and Embedding (OLE) file.

    As part of this Security Advisory, we have included an easy, one-click Fix it solution to address the known cyberattack. Please review the "Suggested Actions" section of the Security Advisory for additional guidance. Applying the Fix it does not require a reboot. We suggest customersapply this Fix it to help protect their systems.

    The Enhanced Mitigation Experience Toolkit (EMET) also helps to defend against this cyberattack when configured to work with Microsoft Office software. The necessary configuration steps for EMET, are provided in the "Suggested Actions" section of the Security Advisory.

    We also encourage you to follow the "Protect Your Computer" guidance by enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. In addition, we recommend that individualsavoid clicking suspicious links, or opening email messages from unfamiliar senders. More information can be found at www.microsoft.com/protect.

    We continue to work on a security update to address this cyberattack. We're monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.

    Tracey Pretorius
    Director, Response Communications



  • Security Advisory 3009008 released

    Today, we released Security Advisory 3009008 to address a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself, and is not specific to Microsoft’s implementation of SSL or the Windows operating system.

    This advisory provides guidance for customers so that they can disable SSL 3.0 in the browser. Customers should be aware that once they disable SSL 3.0, if they visit a website that supports only SSL 3.0 and does not support newer encryption protocols, they will receive a connection error message and will not be able to connect to that website.


    Tracey Pretorius
    Director, Response Communications

    UPDATE October 19, 2014: Today we published guidance on how to disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines. For more information, please visit the Azure blog.



  • October 2014 Updates

    Today, as part of Update Tuesday, we released eight security updates – three rated Critical and five rated Important - to address 24 Common Vulnerabilities & Exposures (CVEs) in Windows, Office, .NET Framework, .ASP.NET, and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first.

    Here’s an overview slide and video of the security updates released today:

    For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate XI, a full description is found here.

    We released three security advisories this month:

    We also revised Security Bulletin MS14-042: Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) and Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

    Today, Microsoft also announced upcoming updates to the out-of-date ActiveX control blocking feature. Beginning November 11, 2014, the out-of-date ActiveX control blocking feature will automatically be expanded to block outdated versions of Silverlight, in addition to outdated versions of Java. It is also being expanded to support Internet Explorer 9 on Windows Vista SP2 and Windows Server 2008 SP2. For more information on this, please visit the IEBlog.

    Watch our bulletin webcast tomorrow, Wednesday, October 15, 2014, at 11 a.m. PDT.

    For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

    Thanks,
    Tracey Pretorius, Director,
    Response Communications



  • Advance Notification Service for the October 2014 Security Bulletin Release

    Today, we provide advance notification for the release of nine Security Bulletins. Three of these updates are rated Critical, five are rated as Important, and one is rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, .NET Framework, and ASP.NET.

    As per our usual process, we’ve scheduled the Security Bulletin release for the second Tuesday of the month, October 14, 2014, at approximately 10 a.m. PDT. Revisit this blog then for analysis of the relative impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.

    As a reminder, we are now using a new format for our Security Bulletin Webcast, scheduled on Wednesday, October 15, at 11 a.m. PDT. You are no longer required to register, download the Live Meeting client, or dial in to a separate number. A link to the Webcast will be included in our blog next Tuesday.

    You can follow us on Twitter at @MSFTSecResponse.

    Thank you,

    Tracey Pretorius, Director
    Response Communications



  • September 2014 Security Bulletin Release Webcast and Q&A

    Today we’re publishing the September 2014 Security Bulletin Webcast Questions & Answers page. We fielded four questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS14-052) and a question about the Windows Update client.

    We invite you to join us for the next scheduled webcast on Wednesday, October 8, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the October bulletin release and answer your bulletin deployment questions live on the air.

    Thanks,

    Dustin Childs

    Group Manager, Response Communications Microsoft Trustworthy Computing



  • The September 2014 Security Updates

    Today, as a part of our regular Update Tuesday process, we released four security bulletins – one rated Critical and three rated Important in severity – to address 42 Common Vulnerabilities & Exposures (CVEs) in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server. We encourage you to apply all of these updates, but for those who need to prioritize, we recommend focusing on the Critical update first.

    Below is a graphical overview of this release and a brief video summarizing the updates released today:

    The top deployment priority for our customers this month is the update for Internet Explorer, which addresses 37 CVEs. In case you missed it, the August update for Internet Explorer also included new functionality to block out-of-date ActiveX controls. This functionality will be enabled with today’s update. You can see what these notifications will look like by reviewing this TechNet article. Administrative Templates are also available for those who wish to manage these settings through Group Policy.

    In addition to this month’s security bulletins, we have revised three Security Advisories. Security Advisory 2871997 – Update to Improve Credentials Protection and Management was revised to announce an update for supported editions of Windows 7 and Windows Server 2008 R2. The update adds additional protection for users’ credentials when logging into a Windows 7 or Windows Sever 2008 R2 system by ensuring that credentials are cleaned up immediately instead of waiting until a Kerberos TGT (Ticket Granting Ticket) has been obtained. Security Advisory 2905247 – Insecure ASP.Net Site Configuration Could Allow Remote Code Execution was revised to offer the update via Microsoft Update, in addition to the Download-Center-only option, which was provided when this advisory was originally released. If you have already installed this update, you do not need to take any action. Finally, we also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

    For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.

    Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, September 10, 2014, at 11 a.m. PDT.

    For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

    Thanks,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • Advance Notification Service for the September 2014 Security Bulletin Release

    Today, we provide advance notification for the release of four Security Bulletins. One of these updates is rated Critical and three are rated as Important in severity. These updates are for Microsoft Windows, Internet Explorer, .NET Framework and Lync.

    As a reminder, we are now using a new format for our Security Bulletin Webcast, scheduled on Wednesday, September 10, at 11 a.m. PDT. You are no longer required to register, download the Live Meeting client, or dial in to a separate number. A link to the Webcast will be included in our blog next Tuesday.

    As per our usual process, we’ve scheduled the Security Bulletin release for the second Tuesday of the month, September 9, 2014, at approximately 10 a.m. PDT. Revisit this blog then for analysis of the relative impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.

    You can follow us on Twitter at @MSFTSecResponse.

    Thank you,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing




Angelo Castigliola     View Photos of Angelo (8)
    Send Angelo a Message
Sec and Sec-Tech Newsletter
Email:





Upcoming Events