The Spykiller

For those who couldn’t attend the live webcast, today we’re publishing the May 2013 Security Bulletin Webcast Questions & Answers page.  We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS13-037 and MS13-038) and Visio (MS13-044). 

We invite our customers to join us for the next public webcast on Wednesday, June 12, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the June bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, June 12, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Today, we are releasing 10 bulletins, addressing 33 vulnerabilities in Microsoft products. Before we get into the details, we wanted to first let our enterprise customers know about a change in how we’re communicating technical details within our security advisories. Starting today, customers will be able to clearly identify key security updates within advisories. For further details, please visit Knowledge Base article 2849195.

Let’s talk about the updates that we released today. Ten bulletins were released, two Critical and eight Important, addressing 33 vulnerabilities in Internet Explorer, Microsoft Windows, Microsoft Office, Server and Tools, and .NET Framework. For those who need to prioritize deployment, we recommend focusing on MS13-037, MS13-038 and MS13-039 first. As always, customers should deploy all security updates as soon as possible. Our Bulletin Deployment Priority guidance is below to further assist in deployment planning (click for larger view).

MS13-037 | Cumulative Security Update for Internet Explorer
This security update resolves 11 issues in Internet Explorer that could allow remote code execution if a customer views a specially crafted Web page using the browser. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current administrator. This security update is rated Critical for all versions of Internet Explorer, on all supported releases of Microsoft Windows. These issues were privately disclosed and we have not detected any attacks or customer impact.

MS13-038 | Security Update for Internet Explorer
This security update permanently addresses the Internet Explorer 8 issue described in Security Advisory 2847140 to help ensure customers are protected. This security update is rated Critical for Internet Explorer 8 on Windows clients and Moderate for Internet Explorer 8 on Windows servers.  There is no severity rating for Internet Explorer 9. This issue was publicly disclosed and there are limited known targeted attacks. 

MS13-039 | Vulnerability in HTTP.sys Could Allow Denial of Service
This security update resolves one issue in Microsoft Windows that could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client. The security update is rated Important for supported editions of Windows 8 and Windows Server 2012. This issue was privately disclosed and we have not detected any attacks or customer impact.

Watch the bulletin overview video below for a brief summary of today’s releases.

Our risk and impact graph shows an aggregate view of this month’s Severity and Exploitability Index
(click for larger view).

For more information about this month’s security updates, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly technical webcast, scheduled for Wednesday, May 15, 2013, at 11 a.m. PT. I invite you to register here, and tune in to learn more about the May Security Bulletins and Advisories.

For the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I look forward to hearing your questions about today’s release in our webcast tomorrow.

Thank you,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Today we’re providing Advance Notification of 10 bulletins for release on Tuesday, May 14, 2013. This release brings two Critical and eight Important-class bulletins, which address 33 unique vulnerabilities. The Critical-rated bulletins address issues in Microsoft Windows and Internet Explorer. Of note, we are working to have the Internet Explorer Security Update address the issue described in Security Advisory 2847140, supplementing the currently available Fix it.  The Important-rated bulletins address issues in Microsoft Windows, Microsoft Office, Server and Tools, and .NET Framework.

As always, we will publish the bulletins on the second Tuesday of the month, at approximately 10 a.m. PST. Please revisit this blog at that time for our official risk and impact analysis, along with deployment guidance and a brief video overview of the month’s highlights. Until then, you should review the ANS Summary Page for more information and prepare for bulleting testing and deployment as soon as possible to help ensure a smooth update process.

For the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing

We have updated Security Advisory 2847140 to include an easy, one-click Fix it to address the known attack vectors. The Fix it is available to all customers and helps prevent known attacks that leverage the vulnerability to execute code and should not affect your ability to browse the Web. Additionally, applying the Fix it does not require a reboot. We encourage all customers using Internet Explorer 8 to apply this Fix it to help protect their systems. Internet Explorer 6, 7, 9 and 10 are not affected.

The Fix it is an effort to help protect as many customers as possible, as quickly as possible. We continue to work on a security update to address this issue and we’re closely monitoring the threat landscape. Tomorrow, please visit our monthly Advance Notification Service (ANS) blog for details on the Security Updates being released in May’s Security Bulletin cycle.

Thank you,
Dustin Childs
Group Manager, Response Communications
Trustworthy Computing

Today, we released Security Advisory 2847140 regarding an issue that impacts Internet Explorer 8. Internet Explorer 6, 7, 9 and 10 are not affected by the vulnerability. This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.

Internet Explorer 9 and 10 are not affected by this issue, so upgrading to these versions will help protect you from this issue.

While we are actively working to develop a security update to address this issue, we encourage customers using affected versions of Internet Explorer to deploy the following workarounds and mitigations included in the advisory to help protect themselves:

• Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
  This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

We also always encourage people to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. We also encourage folks to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders. Additional information can be found at www.microsoft.com/protect.

We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect customers.

Thank you,
Dustin Childs
Group Manager, Response Communications
Trustworthy Computing

 Portuguese (Brazil), Русский

Today we released a new update to replace KB2823324, which was originally made available through MS13-036. As we previously discussed, we stopped distributing this update when we learned some customers were having issues. The new update, KB2840149, still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won’t need to take any actions. For those manually updating, we encourage you to apply this update at your earliest convenience.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Today we’re publishing the April 2013 Security Bulletin Webcast Questions & Answers page.  We fielded nine questions during the webcast, with almost half of those focused on the Remote Desktop Client bulletin (MS13-024).  One question that was not answered on air has been included on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, May 15, 2013, at 11 a.m. PDT (UTC -7), when we will go into detail about the May bulletin release and answer questions live on the air.

Customers can register to attend the webcast at the link below:

Date: Wednesday, May 15, 2013
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

Portuguese (Brazil), Русский 

We are aware that some of our customers may be experiencing difficulties after applying security update 2823324, which we provided in security bulletin MS13-036 on Tuesday, April 9. We’ve determined that the update, when paired with certain third-party software, can cause system errors. As a precaution, we stopped pushing 2823324 as an update when we began investigating the error reports, and have since removed it from the download center.

Contrary to some reports, the system errors do not result in any data loss nor affect all Windows customers. However, all customers who have installed security update 2823324 should follow the guidance that we have provided in KB2839011 to uninstall it.

Update 2823324 addresses a Moderate-level vulnerability that requires an attacker to have physical computer access to exploit. The other security update provided in security bulletin MS13-036, 2808735, continues to be available for download for all affected platforms and is being pushed via updates to help protect customers against other issues - the bulletin no longer contains the affected update.

Dustin Childs
Group Manager,Response Communications
Microsoft Trustworthy Computing

Windows XP was originally released on August 24, 2001. Since that time, high-speed Internet connections and wireless networking have gone from being a rarity to the norm, and Internet usage has grown from 360 million to almost two-and-a-half billion users. Thanks to programs like Skype, we now make video calls with regularity, and social media has grown from a curiosity to a part of our everyday lives. But through it all, Windows XP keeps chugging along. With its longevity and wide user base, Windows XP has served its customers faithfully over the years, but all good things must come to an end, and Windows XP is no exception.

In just 52 shorts weeks, support for the Windows XP will come to an end. I won’t go into the benefits of upgrading platforms here - you can read about these in Tim Rains’ blog "The Countdown Begins" - but I will highlight that this means there will be no more security updates for Windows XP after April 2014. Of course, Windows XP leaving support doesn’t mean bad guys will stop trying to exploit it; however, the absence of new security updates will make it easier for attacks to succeed. We talk a lot about mitigating risks through our security updates, and with Windows XP retiring, the best mitigation will be to upgrade to a modern Windows operating system.

And since we are talking about going out with the old, let’s talk about what’s new today. We are releasing nine bulletins, two Critical-class and seven Important-class, addressing 14 vulnerabilities in Tools Microsoft Windows, Internet Explorer, Microsoft Antimalware Client, Office, and Server Software. For those who need to prioritize deployment, we recommend focusing on MS13-028 and MS13-029 first.

MS13-028 (Microsoft Internet Explorer)
This security update resolves two issues in Internet Explorer, both of which could allow remote code execution if a customer views a specially crafted webpage using the browser. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current user. Both of these issues were privately disclosed and we have not detected any attacks or customer impact.

MS13-029 (Windows Remote Desktop Client)
This security update resolves an issue in the Windows Remote Desktop Client ActiveX control. The vulnerability could allow remote code execution if an attacker convinces a customer to view a website containing specially crafted content that exploits the vulnerability. This issue was privately reported and we have not detected any attacks or customer impact.

Please watch the bulletin overview video below for a quick summary of today’s releases.

As always, we urge you deploy all security updates as soon as possible. Our deployment priority guidance is below to further assist in deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).

For more information about this month’s security updates, visit the Microsoft Security Bulletin summary webpage.

Jonathan Ness and I will host the monthly technical webcast, scheduled for Wednesday, April 9, 2013, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about the April security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

It’s been great strolling down memory lane, recalling a time when mobile phones where used for phone calls, but I look forward to hearing your questions during our future webcast via the "Internet."
Thank you,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

In celebration of spring’s onset, today we’re providing advance notification for the April 2013 release of nine bulletins; two Critical and seven Important. The Critical bulletins address vulnerabilities in Microsoft Windows and Internet Explorer, and the seven Important-rated bulletins will address issues in Microsoft Windows, Office, Antimalware Software, and Server Software.

As always, we’ll publish the bulletins on the second Tuesday of the month, April 9, 2013 at approximately 10 a.m. PDT. We encourage you to revisit this blog at that time for our risk and impact analysis, as well as deployment guidance and a brief video overview of the month’s updates. Until then, we recommend you review the ANS summary page for more information to help you prepare for bulletin testing and deployment.

For all the latest information, follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,
Dustin Childs
Group Manager
Microsoft Trustworthy Computing