MSRC
  • Security Bulletin MS14-068 released

    Today, we released an out-of-band security update to address a vulnerability in Kerberos which could allow Elevation of Privilege. This update is for all supported versions of Windows Server and includes a defense-in-depth update for all supported versions of Windows.

    We strongly encourage customers to apply this update as soon as possible by following the directions in Security Bulletin MS14-068.

    Tracey Pretorius, Director
    Response Communications



  • Out-of-band release for Security Bulletin MS14-068

    On Tuesday, November 18, 2014, at approximately 10 a.m. PST, we will release an out-of-band security update to address a vulnerability in Windows.

    We strongly encourage customers to apply this update as soon as possible, following the directions in the security bulletin.

    More information about this bulletin can be found at Microsoft’s Bulletin Summary page.

    Tracey Pretorius, Director
    Response Communications



  • November 2014 Updates

    Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

    We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

    For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

    We re-released one security advisory this month:

    In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

    For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

    Tracey Pretorius, Director
    Response Communications



  • Advance Notification Service for the November 2014 Security Bulletin Release

    Today, we provide advance notification for the release of 16 Security Bulletins. Five of these updates are rated Critical, nine are rated as Important, and two are rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

    As per our monthly process, we've scheduled the Security Bulletin release for the second Tuesday of the month, November 11, 2014, at approximately 10 a.m. PST. At that time, we'll provide deployment guidance. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.

    We also want to let you know about a new way we will deliver our Security Bulletins. To streamline the way customers receive our security updates, we are directing customers to resources that will be available on the MSRC blog on Update Tuesday.

    Follow us on Twitter at @MSFTSecResponse.

    Tracey Pretorius, Director
    Response Communications



  • Security Advisory 3009008 revised

    Today, we revised Security Advisory 3009008 to provide an easy, one-click Fix it for customers to disable SSL 3.0 in all supported versions of Internet Explorer (IE).

    We are committed to helping protect our customers and providing the best possible encryption to protect their data. To do this, we’re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months.

    Millions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. That’s why we’re taking a planned approach to this issue and providing customers with advance notice.

    We encourage everyone to use the workarounds and Fix it provided in Security Advisory 3009008 to investigate their websites, services and third-party applications now, and begin preparing for this change.

    If you are currently using older versions of IE, such as IE 6, we recommend you upgrade to a newer browser as soon as possible, in addition to using the Fix it released today. IE 11 is our latest and most secure browser and customers who upgrade will continue to benefit from additional security features.

    Please visit our Azure and Office 365 blogs for more detailed plans.

    We’re taking ongoing steps to help ensure customers are protected on the Internet, and we’ll continue to provide updates on this journey over the coming months.

    Tracey Pretorius
    Director, Response Communications

    UPDATE October 19, 2014: Today, we published guidance on how to disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines. For more information, please visit the Azure blog.

    Original post October 14, 2014: Security Advisory 3009008 released
    Today, we released Security Advisory 3009008 to address a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself, and is not specific to Microsoft’s implementation of SSL or the Windows operating system.

    This advisory provides guidance for customers so that they can disable SSL 3.0 in the browser. Customers should be aware that once they disable SSL 3.0, if they visit a website that supports only SSL 3.0 and does not support newer encryption protocols, they will receive a connection error message and will not be able to connect to that website.



  • Security Advisory 3010060 released

    Today, we released Security Advisory 3010060 to provide additional protections regarding limited, targeted attacks directed at Microsoft Windows customers. A cyberattacker could cause remote code execution if someone is tricked into opening a maliciously-crafted PowerPoint document that contains an infected Object Linking and Embedding (OLE) file.

    As part of this Security Advisory, we have included an easy, one-click Fix it solution to address the known cyberattack. Please review the "Suggested Actions" section of the Security Advisory for additional guidance. Applying the Fix it does not require a reboot. We suggest customers apply this Fix it to help protect their systems.

    The Enhanced Mitigation Experience Toolkit (EMET) also helps to defend against this cyberattack when configured to work with Microsoft Office software. The necessary configuration steps for EMET are provided in the "Suggested Actions" section of the Security Advisory.

    We also encourage you to follow the "Protect Your Computer" guidance by enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. In addition, we recommend that individuals avoid clicking suspicious links, or opening email messages from unfamiliar senders. More information can be found at www.microsoft.com/protect.

    We continue to work on a security update to address this cyberattack. We're monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.

    Tracey Pretorius
    Director, Response Communications



  • October 2014 Updates

    Today, as part of Update Tuesday, we released eight security updates – three rated Critical and five rated Important – to address 24 Common Vulnerabilities & Exposures (CVEs) in Windows, Office, .NET Framework, ASP.NET, and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first.

    Here’s an overview slide and video of the security updates released today:

    For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate XI, a full description is found here.

    We released three security advisories this month:

    We also revised Security Bulletin MS14-042: Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) and Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

    Today, Microsoft also announced upcoming updates to the out-of-date ActiveX control blocking feature. Beginning November 11, 2014, the out-of-date ActiveX control blocking feature will automatically be expanded to block outdated versions of Silverlight, in addition to outdated versions of Java. It is also being expanded to support Internet Explorer 9 on Windows Vista SP2 and Windows Server 2008 SP2. For more information on this, please visit the IEBlog.

    Watch our bulletin webcast tomorrow, Wednesday, October 15, 2014, at 11 a.m. PDT.

    For all the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

    Thanks,
    Tracey Pretorius, Director,
    Response Communications



