  • April 2014 Security Bulletin Webcast and Q&A

    Today we published the April 2013 Security Bulletin Webcast Questions & Answers page. We answered 13 questions in total, with the majority focusing on the update for Internet Explorer (MS14-018) and the Windows 8.1 Update (KB2919355). Two questions that were not answered on air have been included on the Q&A page.

    Here is the video replay.

    For those of you following the ongoing investigation around the industry-wide issue known as “Heartbleed,” please refer to this post on the Microsoft Security Blog for the status of our investigation.

    We invite you to join us for the next scheduled webcast on Wednesday, May 14, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer your bulletin deployment questions live on the air.

    You can register to attend the webcast at the link below:

    Date: Wednesday, May 14, 2014
    Time: 11:00 a.m. PDT (UTC -7)
    Register:
    Attendee Registration

    I look forward to seeing you next month.

    Thanks,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • The April 2014 Security Updates

    T. S. Eliot once said, “What we call the beginning is often the end. And to make an end is to make a beginning. The end is where we start from.” So as we put one season to bed, let’s start another by looking at the April security updates. Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office. The update for Microsoft Word addresses the issues described in Microsoft Security Advisory 2953095. For those who prioritize, we recommend this bulletin as well as the update for Internet Explorer be on the top of your list.

    We would be remiss if we did not mention another end; the end of support for Windows XP and Office 2003. The updates provided by MS14-018 and MS14-019 will be the final security updates for Windows XP; MS14-017 and MS14-020 are the final updates for Office 2003. For those who haven’t migrated yet, I recommend visiting the Microsoft Security Blog, where my colleague Tim Rains provides guidance for consumers and small businesses who may have questions about how end of support affects them. Enterprise administrators will also find this a worthwhile read.

    Here’s an overview of all the updates released this month:

    Our top priorities for this month are MS14-018 and MS14-017, which address issues in Internet Explorer and Microsoft Word respectively.

    MS14-018 | Cumulative Update for Internet Explorer

    This security update resolves six privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. While the issues addressed by this bulletin are very straightforward, I wanted to specifically call your attention to the updates for Internet Explorer 11 on Windows 8.1 and Windows Server 2012 R2. For these platforms, the update is not cumulative – it only addresses the issues described in this bulletin. You also have the option of installing KB2919355, which is a cumulative update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. In addition to previous updates for these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications, usability improvements, extended mobile device management, and improved hardware support. Additionally, for Windows Server 2012 R2, it includes support for clustering configurations for hosters. For more information about this update, see Microsoft Knowledge Base Article 2919355.

    Similarly, customers running Internet Explorer 11 on Windows 7 and Windows Server 2008 R2 also can choose a cumulative update: KB2929437. In addition to previous updates for Internet Explorer 11 on these operating systems, it includes enhancements such as improved Internet Explorer 11 compatibility for enterprise applications. If you install this cumulative update, you will not need to install the KB2936068 update offered through MS14-018. There may also be some who overlook the update for Internet Explorer 10. For this version of the browser, the update is non-security. The issues addressed by this bulletin do not impact Internet Explorer 10, but the update does include non-security related changes. For more information about the non-security-related fixes that are included in this update, see Microsoft Knowledge Base Article 2936068.

    MS14-017 | Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution

    This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Word. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Office software. This security update also addresses the vulnerability first described in Microsoft Security Advisory 2953095. If you have installed the Fix it provided through this advisory, you should remove it once you apply the update to ensure RTF files open correctly.

    Finally, we are revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-09. For more information about this update, including download links, see Microsoft Knowledge Base Article 2942844.

    Watch the bulletin overview video below for a brief summary of today's releases.

    For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Web page.

    William Peteroy and I will host the monthly bulletin webcast, scheduled for Wednesday, April 9, 2014, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

    For all the latest information, you can also follow us at @MSFTSecResponse.

    Please join me in wishing Windows XP and Office 2003 a fond farewell as they head towards the sunset of their lives. I look forward to hearing your questions about this month’s release in our webcast tomorrow.

    Thanks,
    Dustin Childs

    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • Advance Notification Service for the April 2014 Security Bulletin Release

    Today we provide advance notification for the release of four bulletins, two rated Critical and two rated Important in severity. These updates address issues in Microsoft Windows, Office and Internet Explorer.

    The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095. This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable the Fix it to ensure RTF files will again render normally. At this time, we are still only aware of limited, targeted attacks directed at Microsoft Word 2010. The update will fully address all affected versions.

    This Tuesday’s release will offer the last security updates made available for Windows XP and Office 2003. Both of these products go out of support on April 8, 2014. If you are unsure about the impact this may have on your environment, I recommend you read the recent blog from Trustworthy Computing’s Tim Rains, which discusses some of the threats to Windows XP and provides guidance for small businesses and consumers.

    As per our usual process, we’ve scheduled the security bulletin release for the second Tuesday of the month, April 8, 2014, at approximately 10:00 a.m. PDT. Revisit this blog then for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information to help you prepare for security bulletin testing and deployment.

    Finally, you can stay on top of the MSRC team’s recent activities by following us on Twitter at @MSFTSecResponse.

    Thank you,
    Dustin Childs

    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • The Next Leap Forward in Cyber Defense: Taking Action to Help Defeat Adversaries

    It is often said that attackers have an advantage, because the defenders have to protect every part of their systems all the time, while the attacker only has to find one way in.

    This argument oversimplifies the security landscape and the real strength that defenders can achieve if they work together. While it’s true that it is difficult to defend against an adversary that targets a single victim, this isn’t the way most malicious actors work. It is easier and cheaper for malicious actors to reuse techniques, infrastructure and tools. Most malicious actors build capabilities that work across many targets and modify and reuse them.

    This is where the industry has the most opportunity to evolve. Industry collaboration and information sharing is part of the solution, but the real key is finding a way to coordinate action. When an attack targeting dozens, hundreds, or thousands of systems occurs, identifying a similar aspect of that attack can begin to unravel it everywhere. The fact that attackers use the same or similar methodologies in many places can actually put them at a disadvantage.

    Think of how different animals in the wild respond to attacks. Some respond as individuals and scatter in all directions. This allows predators to focus their attack on an individual and give chase. Yet this same attack unravels against animals who respond by forming a circle and standing their ground as a group. As long as they stick together, the predators are at a disadvantage – unable to separate and run down an individual.

    This kind of coordinated defense, and more crucially action, is the key to our industry taking the next big leap in the fight against cyber-attacks. It’s not enough to share threat indicators such as YARA signatures, IP addresses and malware hashes. What we really want to do is move defenders to take action that defends them and undermines an adversary’s attack. As an industry, we have to come together and decide on a set of standards or principles by which we’re going to not just share information, but use it.

    So why hasn’t the industry moved towards actionable information sharing? In my opinion, we need to advance the current class of information sharing tools, processes, and technologies. Think of the Traffic Light Protocol. TLP tells us how sensitive the information is, and whether we can share it. What it doesn’t say is whether it’s ok to incorporate an IP address into a network defense system, or to ping the address, or to try and have the address taken down.

    As an industry, we must work to design and adopt technologies and programs that facilitate a two-way conversation and enable actionable information sharing. This should be the start of partnerships, not where things end. Our tools can no longer just be streams of after-the-fact data that flow from one place to another in varied forms and formats. Appropriate action needs to be part of the dialog, and part of us working together.

    Part of this transformation is happening today at Microsoft with our Microsoft Active Protections Program (MAPP). While MAPP initially started as an information-sharing effort amongst security vendors, it’s moving to a place where it provides a set of guidance for defenders to protect themselves. To truly evolve to the next level, it will mean shifting from sharing information one way to taking coordinated action. The Microsoft Malware Protection Center (MMPC) has recently talked about the concept and called for a coordinated malware eradication approach at this blog post.

    When we get to that point, it won’t just be security vendors who are working to keep everyone safe. It will be the networks, the service providers, the government entities, the retailers, the banks, all enterprises of the world pulling together and sharing actionable threat information necessary for defeating the adversaries — consistently and permanently.

    This will take a greater degree of trust than just information sharing. But to take that next big leap in enhancing our defense against cyber-attacks, it’s where we must begin.

    Chris Betz
    Senior Director
    Microsoft Security Response Center (MSRC)



  • Microsoft Releases Security Advisory 2953095

    Today we released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. An attacker could cause remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.

    As part of the security advisory, we have included an easy, one-click Fix it to address the known attack vectors. The Fix it is available to all customers and helps prevent known attacks that leverage the vulnerability to execute code. Additionally, applying the Fix it does not require a reboot. We encourage all customers using Microsoft Word to apply this Fix it to help protect their systems.

    The Enhanced Mitigation Experience Toolkit (EMET) also helps to defend against this vulnerability when configured to work with Microsoft Office software. If you are using EMET 4.1 with the recommended settings, this configuration is already enabled and no additional steps are required.

    We also encourage you to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. In addition, we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. More information can be found at www.microsoft.com/protect.

    We continue to work on a security update to address this issue. We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.

    Thank you,
    Dustin Childs
    Group Manager, Response Communications
    Trustworthy Computing



  • March 2014 Security Bulletin Webcast and Q&A

    Today we published the March 2014 Security Bulletin Webcast Questions & Answers page. We answered eight questions in total, with the majority focusing on the updates for Windows (MS14-016) and Internet Explorer (MS14-012). One question that was not answered on air has been included on the Q&A page.

    Here is the video replay.

    We invite you to join us for the next scheduled webcast on Wednesday, April 9, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the April bulletin release and answer your bulletin deployment questions live on the air.

    You can register to attend the webcast at the link below:

    Date: Wednesday, April 9, 2014
    Time: 11:00 a.m. PDT (UTC -7)
    Register:
    Attendee Registration

    I look forward to seeing you next month.

    Thanks,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • The March 2014 Security Updates

    This month we release five bulletins to address 23 unique CVEs in Microsoft Windows, Internet Explorer and Silverlight. If you need to prioritize, the update for Internet Explorer addresses the issue first described in Security Advisory 2934088, so it should be at the top of your list. While that update does warrant your attention, I want to also call out another impactful update.

    MS14-014 provides an update to address a security feature bypass in Silverlight. The issue wasn’t publicly known and it isn’t under active attack, however it can impact your security in ways that aren’t always obvious. Specifically, the update removes an avenue attackers could use to bypass ASLR protections. Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable. Picasso said, “The hidden harmony is better than the obvious” - Shutting down an ASLR bypass could be considered one of the most harmonious things to do to help increase customer security.

    Let’s not forget the other updates we released today. This month we release two Critical and three Important bulletins. Here’s an overview of this month’s release:

    Our top deployment priority this month is MS14-012, which addresses 18 issues in Internet Explorer.

    MS14-012 | Cumulative Security Update for Internet Explorer
    This cumulative update addresses one public and 17 privately disclosed issues in Internet Explorer. These issues could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. We are aware of targeted attacks using CVE-2014-0322 against Internet Explorer 10. This issue was first described in Security Advisory 2934088, which included a Fix it for the issue. We should also note that the observed attacks performed a check for the presence of the Enhanced Mitigation Experience Toolkit (EMET) and did not proceed if it was detected. This update also addresses CVE-2014-0324, which is a privately reported issue that has been seen in a very limited, targeted attack against Internet Explorer 8. Thanks to a previously released ASLR bypass update, the attack seen in the wild would not work against a fully updated system running Windows Vista and above. The SRD blog goes into more detail about how shutting down that bypass helped. For all issues addressed by this update, successful exploitation could allow an attacker to gain the same user rights as the local user. Customers with automatic updates enabled will not need to take action, as they will be updated automatically.

    We are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-08. For more information about this update, including download links, see Microsoft Knowledge Base Article 2938527. Also, for those of you who may be interested, KB864199 provides a list of the non-security updates released today. This list includes the latest update for the Malicious Software Removal Tool (MSRT), which now includes detections for the Wysotot and Spacekito malware families.

    Watch the bulletin overview video below for a brief summary of today's releases.

    For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by CVE, visit the Microsoft Bulletin Summary Webpage.

    My colleagues Andrew Gross and Pete Voss will host the monthly bulletin webcast and answer your questions about this month’s release. As usual, the webcast is scheduled for Wednesday, March 12, 2014, at 11 a.m. PDT. Please register here, and tune in to learn more about this month’s security bulletins and advisories.

    For all the latest information, you can also follow us at @MSFTSecResponse.

    If you happen to be at the CanSecWest conference in Vancouver, B.C., please swing by our booth (number 4) to say hello!

    Thanks,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



