MSRC
  • September 2014 Security Bulletin Release Webcast and Q&A

    Today we’re publishing the September 2014 Security Bulletin Webcast Questions & Answers page.  We fielded four questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS14-052) and a question about the Windows Update client.  

    We invite you to join us for the next scheduled webcast on Wednesday, October 8, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the October bulletin release and answer your bulletin deployment questions live on the air. 

    Thanks,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • The September 2014 Security Updates

    Today, as a part of our regular Update Tuesday process, we released four security bulletins – one rated Critical and three rated Important in severity – to address 42 Common Vulnerabilities & Exposures (CVEs) in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server. We encourage you to apply all of these updates, but for those who need to prioritize, we recommend focusing on the Critical update first.

    Below is a graphical overview of this release and a brief video summarizing the updates released today:

    The top deployment priority for our customers this month is the update for Internet Explorer, which addresses 37 CVEs. In case you missed it, the August update for Internet Explorer also included new functionality to block out-of-date ActiveX controls. This functionality will be enabled with today’s update. You can see what these notifications will look like by reviewing this TechNet article. Administrative Templates are also available for those who wish to manage these settings through Group Policy.

    In addition to this month’s security bulletins, we have revised three Security Advisories. Security Advisory 2871997 – Update to Improve Credentials Protection and Management was revised to announce an update for supported editions of Windows 7 and Windows Server 2008 R2. The update adds additional protection for users’ credentials when logging into a Windows 7 or Windows Server 2008 R2 system by ensuring that credentials are cleaned up immediately instead of waiting until a Kerberos TGT (Ticket Granting Ticket) has been obtained. Security Advisory 2905247 – Insecure ASP.Net Site Configuration Could Allow Remote Code Execution was revised to offer the update via Microsoft Update, in addition to the Download-Center-only option, which was provided when this advisory was originally released. If you have already installed this update, you do not need to take any action. Finally, we also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

    For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.

    Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, September 10, 2014, at 11 a.m. PDT.

    For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

    Thanks, 
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • Advance Notification Service for the September 2014 Security Bulletin Release

    Today, we provide advance notification for the release of four Security Bulletins. One of these updates is rated Critical and three are rated as Important in severity. These updates are for Microsoft Windows, Internet Explorer, .NET Framework and Lync.

    As a reminder, we are now using a new format for our Security Bulletin Webcast, scheduled on Wednesday, September 10, at 11 a.m. PDT. You are no longer required to register, download the Live Meeting client, or dial in to a separate number. A link to the Webcast will be included in our blog next Tuesday.

    As per our usual process, we’ve scheduled the Security Bulletin release for the second Tuesday of the month, September 9, 2014, at approximately 10 a.m. PDT. Revisit this blog then for analysis of the relative impact, as well as deployment guidance, together with a brief video overview of the month’s updates. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment.

    You can follow us on Twitter at @MSFTSecResponse

    Thank you,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • Security Bulletin MS14-045 rereleased

    Every month for many years, we’ve released a number of updates focused on the continuous improvement of customers’ experiences with our technology. Historically, these updates happened at different times during the month, with the security-specific ones occurring on the second Tuesday of each month. Recently, to further streamline, we decided to include more of our non-security updates together with our security updates and begin the global release to customers on the second Tuesday of each month.

    This month we had our first rollout with additional non-security updates. A small number of customers experienced problems with a few of the updates. As soon as we became aware of some problems, we began a review and then immediately pulled the problematic updates, making these unavailable to download. We then began working on a plan to rerelease the affected updates.

    Today, we rereleased Security Bulletin MS14-045 to address kernel-mode driver issues, which you can learn more about through a review of the information contained here.

    We encourage customers to install the security update as soon as possible. Customers with automatic updates enabled do not need to take any action. If you don’t have Windows Update enabled, we encourage you to do so now. If you’re not sure whether you’ve enabled Windows Update, you can check here. For organizations, your IT Group, the team or person administering the network, would be the best place to check.

    Tracey Pretorius, Director
    Microsoft Trustworthy Computing

    UPDATE September 2, 2014: Today, we rereleased the August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

    Customers with Windows Update enabled, and who have selected to receive optional updates automatically, do not need to take any action. Customers who have not selected to receive optional updates automatically will need to go to Windows Update to install it.

    For more information on this release, please visit the Windows blog.



  • August 2014 Security Bulletin Webcast and Q&A

    Today, we published the August 2014 Security Bulletin webcast questions and answers page along with the webcast replay. We answered ten questions on air, with the majority focusing on the update for Internet Explorer.

    Here is the video replay:

    We are aware of some issues related to the recent updates and are working on a fix. For more information please read KB 2982791.

    We invite you to join us for the next scheduled webcast on Wednesday, September 10, 2014, at 11 a.m. PDT (UTC -7), when we will go into detail about the September 2014 bulletin release and answer your bulletin deployment questions live on air. There’s no longer a need to register before this event to attend. You can find details on how to view the webcast and get a calendar reminder here.

    I look forward to connecting with you next month.

    Thanks,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • August 2014 Security Updates

    Today, as part of Update Tuesday, we released nine security updates – two rated Critical and seven rated Important – to address 37 Common Vulnerabilities & Exposures (CVEs) in SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize their deployment planning, we recommend focusing on the Critical updates first.

    Here’s an overview slide and video of the security updates released today:

    Microsoft also revised Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.

    For more information about this month’s security updates, including the detailed view of the Exploit Index broken down by each CVE, visit the Microsoft Bulletin Summary Web page. If you are not familiar with how we calculate the Exploitability Index (XI), a full description is found here.

    You may notice a revision in the XI this month, which aims to better characterize the actual risk to a customer on the day the security update is released. Customers will see new wording for the rating, including a new rating of “0” for “Exploitation Detected.” More information about XI can be found here:  http://technet.microsoft.com/en-us/security/cc998259.aspx.

    Last week, Microsoft announced some other news that relates to Update Tuesday:

    • On August 5, Windows published a Windows blog post discussing its non-security update strategy moving forward, which is now on a monthly cadence as part of Update Tuesday.
    • On August 6, IE announced in its IE Blog that it would begin blocking out-of-date ActiveX controls. This feature will be part of the August IE Cumulative Security Update, but no out-of-date ActiveX controls will be blocked for 30 days in order to give customers time to test and manage their environments.
    • On August 7, .NET and IE announced that Microsoft will support only the most recent versions of .NET and IE for each supported operating system.

    Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, August 13, 2014, at 11 a.m. PDT.

    For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

    Thanks,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



  • Advance Notification Service for the August 2014 Security Bulletin Release

    Today, we provide advance notification for the release of nine Security Bulletins. Two of these are rated Critical, and the remaining seven are rated Important in severity. These updates are for SQL Server, SharePoint, OneNote, .NET, Microsoft Windows, and Internet Explorer.

    As per our usual process, we’ve scheduled the Security Bulletin release for the second Tuesday of the month, August 12, 2014, at approximately 10 a.m. PDT. Revisit this blog then for analysis of the relative impact, as well as deployment guidance, together with a brief video overview of the month’s Updates.

    We will also plan to have our Security Bulletin Webcast, scheduled on Wednesday, August 13, at 11 a.m. PDT, on our Trustworthy Computing UStream Channel. Until then, please review the ANS summary page for more information to help you prepare for Security Bulletin testing and deployment. Don’t forget, you can also follow us on Twitter at @MSFTSecResponse. 

    Thank you,
    Dustin Childs
    Group Manager, Response Communications
    Microsoft Trustworthy Computing



