MSRC
  • Security Bulletin MS14-045 rereleased

    Every month for many years, we’ve released a number of updates focused on the continuous improvement of customers’ experiences with our technology. Historically, these updates happened at different times during the month, with the security-specific ones occurring on the second Tuesday of each month. Recently, to further streamline, we decided to include more of our non-security updates together with our security updates and begin the global release to customers on the second Tuesday of each month.

    This month we had our first roll out with additional non-security updates. A small number of customers experienced problems with a few of the updates. As soon as we became aware of some problems, we began a review and then immediately pulled the problematic updates, making these unavailable to download. We then began working on a plan to rerelease the affected updates.

    Today, we rereleased Security Bulletin MS14-045 to address kernel-mode driver issues, which you can learn more about through a review of the information contained here.

    We encourage customers to install the security update as soon as possible. Customers with automatic updates enabled do not need to take any action. If you don’t have Windows Update enabled, we encourage you to do so now. If you’re not sure whether you’ve enabled Windows Update, you can check here. For organizations, your IT Group, the team or person administering the network, would be the best place to check.

    Tracey Pretorius, Director
    Microsoft Trustworthy Computing

    UPDATE September 2, 2014: Today, we rereleased the August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

    Customers with Windows Update enabled, and who have selected to receive optional updates automatically, do not need to take any action. Customers who have not selected to receive optional updates automatically will need to go to Windows Update to install it.

    For more information on this release, please visit the Windows blog.



  • August 2014 Security Bulletin Webcast and Q&A

    Today, we published the August 2014 Security Bulletin webcast questions and answers page along with the webcast replay. We answered ten questions on air, with the majority focusing on the update for Internet Explorer.

    Here is the video replay:

    We are aware of some issues related to the recent updates and are working on a fix. For more information please read KB 2982791.

    We invite you to join us for the next scheduled webcast on Wednesday, September 10, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the September 2014 bulletin release and answer your bulletin deployment questions live on air. There’s no longer a need to register before this event to attend. You can find details on how to view the webcast and get a calendar reminder here.

    I look forward to connecting with you next month.

    Thanks,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • August 2014 Security Updates

    Today, as part of Update Tuesday, we released nine security updates – two rated Critical and seven rated Important – to address 37 Common Vulnerabilities & Exposures (CVEs) in SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize their deployment planning, we recommend focusing on the Critical updates first.

    Here’s an overview slide and video of the security updates released today:


    Microsoft also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

    For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.

    You may notice a revision in the XI this month, which aims to better characterize the actual risk to a customer on the day the security update is released. Customers will see new wording for the rating, including a new rating of “0” for “Exploitation Detected.” More information about XI can be found here: http://technet.microsoft.com/en-us/security/cc998259.aspx.

    Last week, Microsoft announced some other news that relates to Update Tuesday:

    • On August 5, Windows published a Windows blog post discussing its non-security update strategy moving forward, which is now on a monthly cadence as part of Update Tuesday.
    • On August 6, IE announced in its IE Blog that it would begin blocking out-of-date ActiveX controls. This feature will be part of the August IE Cumulative Security Update, but no out-of-date ActiveX controls will be blocked for 30 days in order to give customers time to test and manage their environments.
    • On August 7, .NET and IE announced that Microsoft will support only the most recent versions of .NET and IE for each supported operating system.

    Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, August 13, 2014, at 11 a.m. PDT.

    For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

    Thanks,

    Dustin Childs

    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • Advance Notification Service for the August 2014 Security Bulletin Release

    Today, we provide advance notification for the release of nine Security Bulletins. Two of these are rated Critical, and the remaining seven are rated Important in severity. These Updates are for SQL Server, SharePoint, OneNote, .NET, Microsoft Windows, and Internet Explorer.

    As per our usual process, we’ve scheduled the Security Bulletin release for the second Tuesday of the month, August 12, 2014, at approximately 10 a.m. PDT. Revisit this blog then for analysis of the relative impact, as well as deployment guidance, together with a brief video overview of the month’s Updates.

    We will also plan to have our Security Bulletin Webcast, scheduled on Wednesday, August 13, at 11 a.m. PDT, on our Trustworthy Computing UStream Channel. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment. Don’t forget, you can also follow us on Twitter at @MSFTSecResponse.

    Thank you,

    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • General Availability for Enhanced Mitigation Experience Toolkit (EMET) 5.0

    Today, we are excited to announce the general availability of Enhanced Mitigation Experience Toolkit (EMET) 5.0. EMET is a free tool, designed to help customers with their defense in depth strategies against cyberattacks, by helping block and terminate the most common techniques adversaries might use in compromising systems. EMET 5.0 further helps to protect with two new mitigations, and with new capabilities giving customers additional flexibility on their deployments.

    EMET helps to protect systems, even before new and undiscovered threats are formally addressed by security updates and antimalware software.

    This is what some customers have said about EMET:

    “EMET is not a policy-changing tool, but it might just be that additional piece of security software that is worth investing in.” – Wolfgang Kandek, Qualys, Windows EMET Tool Guards Against Java Exploits, 2014

    “(The Java- and plugin-blocking feature should) effectively stymie most of the historical attack methods related to Java and Flash. Those two applications have historically caused a lot of heartburn for security teams.” – Andrew Storms, CloudPassage, Windows EMET Tool Guards Against Java Exploits, 2014

    Let’s take a look at some of the key new capabilities in EMET 5.0:

    Two new mitigations further expand EMET protections

    Enhanced with the feedback that we received from EMET 5.0 technical preview participants, two new mitigations become generally available today.

    First, the new Attack Surface Reduction (ASR) mitigation provides a mechanism to help block specific modules or plug-ins within an application, in certain conditions. For example, customers can now configure EMET to prevent their browser from loading Java plug-ins on external websites, while still continuing to allow Java plug-ins on their internal company websites.

    Second, the brand new Export Address Table Filtering Plus (EAF+) mitigation introduces two new methods for helping disrupt advanced attacks. For example, EAF+ adds a new “page guard” protection to help prevent memory read operations, commonly used as information leaks to build exploitations.

    Also, with 5.0, four EMET mitigations become available on 64-bit platforms. You can read more on that and find a deep dive of all the new features on our Security Research and Defense (SRD) Blog.

    New configuration options deliver additional flexibility

    EMET 5.0 offers new user interface (UI) options so that customers can configure how each mitigation applies to applications in their environment, taking into account their enterprise frameworks and requirements. For example, users can configure which specific memory addresses to protect with the HeapSpray Allocation mitigation using EMET 5.0. We continue to provide smart defaults for many of the most common applications used by our customers.

    Many enterprise IT professionals deploy EMET through Microsoft System Center Configuration Manager and apply Group Policies in Windows Active Directory to comply with enterprise account, user, and role policies. With version 5.0, propagating EMET configuration changes via Group Policy becomes even easier, as we have improved how EMET handles configuration changes, when applied in an enterprise network.

    The new Microsoft EMET Service is another feature our enterprise customers will find helpful in monitoring status and logs of any suspicious activity. With this new service, our customers can use industry standard processes, such as Server Manager Dashboard of Windows Server, for monitoring.

    Additionally, with EMET 5.0, we have improved the Certificate Trust feature, allowing users to turn on a setting, in order to block navigation to websites with untrusted, fraudulent certificates, helping protect from Man-In-The-Middle attacks.

    New default settings provide protections from the get-go

    EMET’s Deep Hooks capability helps protect the interactions between an application and the operating system. In EMET 5.0, Deep Hooks is turned on by default, helping provide stronger protections by default. Furthermore, this default setting is now compatible with a wider range of productivity, security and business software.

    Since we released EMET 5.0 Technical Preview in February this year, our customers and the community showed strong interest. Through user forums and Microsoft Premier Support Services, which assists enterprise EMET users, we received valuable feedback to shape the product roadmap ahead.

    Along the same lines, we invite you to download EMET 5.0 and let us know what you think.

    Protect your enterprise. Deploy EMET today.

    Thanks,

    Chris Betz
    Senior Director, MSRC



  • July 2014 Security Bulletin Webcast and Q&A

    Today we published the July 2014 Security Bulletin webcast questions and answers page along with the webcast replay. We answered eight questions on air, with the majority focusing on the update for Internet Explorer. The transcript also includes a question we did not have time to answer on the air.

    Here is the video replay:

    We invite you to join us for the next scheduled webcast on Wednesday, August 13, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the August bulletin release and answer your bulletin deployment questions live on the air. There’s no longer a need to register before this event to attend. You can find details on how to view the webcast and get a calendar reminder here.

    I look forward to seeing you next month.

    Thanks,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • Security Advisory 2982792 released, Certificate Trust List updated

    Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates. These certificates could be used to spoof content and perform phishing or man-in-the-middle attacks against web properties.

    With this update, most customers will be automatically protected against this issue and will not need to take any action. If you do not have automatic updates enabled, or if you are on Windows Server 2003, please see the Security Advisory 2982792 for recommended actions. Additionally, the Enhanced Mitigation Experience Toolkit (EMET) 4.1, and newer versions, help to mitigate man-in-the-middle attacks by detecting untrusted or improperly issued SSL certificates through the Certificate Trust feature.

    For more information, please see Microsoft Security Advisory 2982792.

    Thank you,
    Dustin Childs
    Group Manager, Response Communications



