Microsoft Security RC Blog
March 2010 Security Bulletin Webcast
Hello,
Today we published the Questions & Answers from the March 2010 Security Bulletin webcast. We answered a total of 13 questions concerning the March bulletins and open Security Advisories. No particular themes emerged from the questions, but there were some good ones, so please review them.
The video covers the core part of the presentation Adrian Stone and I gave during the webcast. We talk about the two bulletins for March, a bulletin re-release and Security Advisory 981374.
More listening and viewing options:
- Windows Media Video (WMV)
- Windows Media Audio (WMA)
- iPod Video (MP4)
- MP3 Audio
- High Quality WMV (2.5 Mbps)
- Zune Video (WMV)
Please join us for our next scheduled webcast where Adrian and I, along with a room full of subject matter experts, will present on the Security Bulletins for April and try to answer all your questions live.
Date: Wednesday, April 14
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032427721
Thanks!
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Update on Security Advisory 981374
Hi everyone,
I’m writing to let you know that we have updated Security Advisory 981374 with new workaround information. We are aware that exploit code has been made public for this issue. As with our last update, Internet Explorer 8 remains unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version.
On Wednesday we added a workaround to the advisory that helps to mitigate the vulnerability by disabling the peer factory class through the modification of a registry key. With today’s update, we have added a Microsoft Fix It to automate this workaround for Windows XP and Windows Server 2003 customers. As always, customers should test this thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.
We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs.
Please review the advisory for more information. We will keep you posted as additional information becomes available.
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
March 2010 Security Bulletin Release
Today we are releasing two Important security bulletins addressing eight vulnerabilities in Windows and Microsoft Office. Both bulletins have an aggregate Exploitability Index rating of “1” so we recommend that customers deploy these updates as soon as possible. The Microsoft Exploitability Index provides additional information to help customers prioritize deployment of monthly security bulletins. A summary of today’s security updates can be found on the Microsoft Security Bulletin webpage.
MS10-016 addresses one vulnerability in Windows Movie Maker. Both Windows XP and Windows Vista ship with affected versions (2.1 and 6.0 respectively). Version 2.6 is also vulnerable and can be freely downloaded and installed from the web. Customers who install 2.6 on any supported platform, including Windows 7, will be offered the update. In order to take advantage of the vulnerability, a user would need to open a specially crafted Movie Maker project file. These are files with the .mswmm file extension.
The MS10-016 bulletin also calls out Microsoft Producer 2003 in the affected products list. Producer 2003 is a free download with limited distribution. At this time, we are not offering an update for Producer 2003. Our standard approach is to produce updates that can be deployed automatically for all affected products at the same time but Producer 2003 does not offer a means for automatic update. Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows. While we continue to investigate Producer 2003, we recommend that customers either uninstall the application or apply an available Microsoft Fix It to disassociate the project file type from the application to add an extra layer of security.
MS10-017 affects all currently supported versions of Microsoft Office Excel. It also affects Office 2004 and Office 2008 for Mac, the Open XML File Format Converter for Mac, supported versions of Excel viewer and SharePoint 2007. As with most Office vulnerabilities, a user would have to open a specially crafted file in order to be exploited.
Since both of today’s bulletins require user interaction, we give them both a “2” on our deployment priority scale:
Our Severity and Exploitability Index slide offers additional guidance to help customers prioritize this month’s bulletins:
In the following video, Adrian Stone and I give a brief overview of today’s bulletins:
More listening and viewing options:
- Windows Media Video (WMV)
- Windows Media Audio (WMA)
- iPod Video (MP4)
- MP3 Audio
- High Quality WMV (2.5 Mbps)
- Zune Video (WMV)
Today we also re-released MS09-033 to add Virtual Server 2005 to the affected products list. Customers who have already installed the update for affected products do not have any additional actions.
Additionally, we continue to monitor the threat landscape around Security Advisory 981169 regarding a vulnerability in VBScript that could allow remote code execution. We are not currently aware of any active attacks but encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.
Please join us tomorrow for a public webcast where Adrian Stone and I will go into detail on these bulletins and answer customer questions with the help of the engineers who worked to produce them.
Date: Wednesday, March 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427711
Thanks!
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Security Advisory 981374 Released
Hi everyone,
Today we released Security Advisory 981374 addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is not affected by this issue. Customers using Internet Explorer 6 or 7 should upgrade to Internet Explorer 8 immediately to benefit from the improved security features and defense in depth protections. Additionally, Internet Explorer 5.01 on Windows 2000 is not affected.
At this time, we are aware of targeted attacks seeking to exploit this vulnerability against Internet Explorer 6. Internet Explorer Protected Mode in Internet Explorer 7 running on Windows Vista helps to mitigate the impact of this issue. Additionally, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. Please review the Security Advisory for additional workarounds which include modifying the Access Control List (ACL) on iepeers.dll (the affected component), setting the Internet and local Intranet security zones to "high", configuring Internet Explorer to prompt before running Active Scripting, and enabling Data Execution Prevention (DEP) where possible which makes it difficult to successfully exploit the vulnerability.
As always, we are investigating this issue and will take appropriate action to protect customers when we have finalized a solution. This may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov. Customers should follow the guidance in the advisory and our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software (learn more by visiting the Protect Your PC web site). International customers can find their Regional Customer Service Representative at http://support.microsoft.com/common/international.aspx.
We are also working with our Microsoft Active Protections Program (MAPP), the Microsoft Security Response Alliance (MSRA), authorities and other industry partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.
The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.
Please review the advisory for additional details and if the situation changes, we will provide an update here on the MSRC blog.
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
March 2010 Bulletin Release Advance Notification
Today we are providing advance notification to customers that we will be releasing two bulletins this month affecting Windows and Microsoft Office products. Both bulletins are rated Important and address a total of 8 vulnerabilities.
We recommend that customers review the Advance Notification webpage and prepare to deploy these bulletins as soon as possible. To provide additional guidance for deployment prioritization, customers should note that both bulletins will address issues that would require a user to open a specially crafted file. There are no network based attack vectors.
We’re also continuing to monitor the situation with Security Advisory 981169, the VBScript issue disclosed on Monday. There are no known attacks but we encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.
As always, we will be hosting a public webcast where we will go into detail about the bulletins for March and where customers can ask questions. We will have a room full of engineers on hand to answer those questions live during the webcast. Here are the details:
Date: Wednesday, March 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427711
A couple of months ago, I started including information about products that are reaching the end of their product lifecycle. It is extremely important for customers to move to supported platforms because after the dates below, those products/service packs will no longer receive security updates.
- Windows XP Service Pack 2 will no longer be supported after July 13, 2010. Many customers are still on this version, so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.
- Windows Vista RTM will no longer be supported after April 13, 2010. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.
- Extended support for Windows 2000 will also be retired as of July 13, 2010. After that time, we will no longer provide security or any other updates for Windows 2000.
Hope to see you at the webcast!
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Update: MS10-015 security update re-released with new detection logic
Hi,
I am writing to let you know that we have revised the installation packages for MS10-015 with new logic that prevents the security update from being installed on systems if certain abnormal conditions exist. Such conditions could be the result of an infection with a computer virus such as the Alureon rootkit. If these conditions are detected, the update will not be installed and the result will be a standard Windows Update error. If a user receives this error, they should go to the following landing page for additional help:
http://www.microsoft.com/security/updates/015
At this time, we have resumed offering the update to all affected systems via Automatic Updates.
We have also released a Microsoft Fix It as a standalone scanning tool that reports on the compatibility of a system with the MS10-015 update. The scanning tool can also be deployed through enterprise deployment systems allowing administrators to detect compatibility with the update before deploying broadly. The Fix It and deployment information are available at Microsoft Knowledge Base Article 980966.
Customers who believe they have experienced a restart issue after installing MS10-015, are encouraged to visit our Customer Service and Support page at https://consumersecuritysupport.microsoft.com or call 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.
Update: note that the update will not be re-offered to those who have already successfully installed the update.
Thanks,
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Security Advisory 981169 Released
Hello again,
Today we released Security Advisory 981169 to address the VBScript issue involving Windows Help files that we blogged about yesterday. To reiterate what we said in that post, we are not aware of any active attacks at this time and the following operating systems are not affected by this issue: Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista.
Our investigation is ongoing. Users on older versions of Windows should review the Security Advisory for mitigations and workarounds for this issue. Additionally, our Security Research & Defense team provides a detailed analysis of the issue and the available workarounds on their blog. User education is a key factor in this scenario given the amount of user interaction required to reach the vulnerability.
Our teams are working to address the issue and once we complete our investigation, we will take appropriate action to protect customers. This may include releasing an update out-of-band. We will provide further updates as they become available.
Thanks,
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Investigating a new win32hlp and Internet Explorer issue
Hi everyone,
On Friday 2/26/2010, an issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop-up dialog box. We are not aware of any attacks seeking to exploit this issue at this time, and in the current state of our investigation, we have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista are not affected by this issue.
The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as “unsafe file types”. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. To help customers better understand unsafe file types, we have published a white paper on the topic which you can find by clicking this link.
Once we have completed our investigation, we will take appropriate action to protect customers. To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors without further disclosure helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.
Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge (for computer security related issues) using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Customers outside of the United States can visit http://support.microsoft.com/international to find local support information.
We continue to encourage customers to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at: www.microsoft.com/protect.
We will provide more information on this issue as it becomes available.
Thanks,
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Update - Restart Issues After Installing MS10-015 and the Alureon Rootkit
Hi,
We wanted to provide you with an update on our ongoing investigation into the “blue screen” issues affecting a limited number of customers who installed MS10-015. We have been working around the clock with our customers, partners and several teams at Microsoft to determine the cause of these issues. Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit. We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software. The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state. In every investigated incident, we have not found quality issues with security update MS10-015. Our guidance remains the same: customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.
Customers continue to emphasize the importance of quality updates, and that high quality updates encourages quicker deployment. While the issue customers are experiencing with MS10-015 was caused by a malware infection and not a problem with the security update, we wanted to use this event as an opportunity to explain why this issue was not caught during testing, and how we respond to reported issues in our security updates.
This issue was not caught as part of our testing because, when malware is present, infected systems are often left in such an unstable state that they cannot be reliably tested. Malware writers use unsupported and potentially destabilizing methods for compromising machines because they want to keep their malware hidden from anti-malware software. In the particular case of Alureon, the malware writers modified Windows behavior by accessing a specific memory location directly, instead of letting the operating system determine the address, which is what normally happens when an executable is loaded. The chain of events in this case was as follows: a machine became infected, and in the process the malware made assumptions about the layout of the Windows code on that machine. Subsequently MS10-015 was downloaded and installed, which changed the location of Windows code. On the next reboot the malware code crashed while attempting to call a specific address in Windows code that was no longer the intended OS function.
Microsoft has taken steps to deter tampering with the Windows Kernel using technologies like Kernel Patch Protection (sometimes referred to as PatchGuard) and Kernel Mode Code Signing (KMCS), both of which are enabled in 64-bit systems. These technologies make it possible to detect when integrity checks fail. The different versions of Alureon that we have investigated only infect 32-bit systems and would fail to infect 64-bit systems. That said, it is important to note that running as a standard user instead of using an administrator account is a best practice that in most cases will prevent kernel mode malware from infecting a system. Similarly, keeping anti-virus signatures current will also prevent most malware infections. Additionally, since we have determined that 64-bit systems are not affected, we are opening Automatic Updates for these platforms.
Customers who are interested in additional technical details of what the Windows Kernel is can learn more here.
Even after security updates are released, the Microsoft Security Response Center’s job is not done. In conjunction with Microsoft Customer Service and Support (CSS), we monitor forums and track customer calls to ensure we respond to reported issues as quickly as possible. On Wednesday, February 10th, we became aware of reports regarding Windows XP SP2 and SP3 systems becoming unable to restart successfully after the installation of MS10-015. The reports were first identified by the MSRC’s monitoring of various online community support forums, a spike in support call volume and telemetry from our Consumer Security Support Center. After reviewing the information we had available, we stopped offering Automatic Update distribution of MS10-015 in order to minimize the potential for widespread customer impact while we investigated these reports. Even though we have stopped distribution through Automatic Update, we have seen a large number of deployments as customers can still deploy the update through Windows Update, WSUS or SMS.
In this situation, our teams needed to get information directly from the affected systems in order to understand the cause. Because we had so few reports and needed to examine the state of the affected systems, the CSS team even drove to customer locations to retrieve machines for analysis.
This past weekend, we worked with the Microsoft Malware Protection Center (MMPC) on the systems that were delivered to Redmond last Friday, and confirmed that all of the affected systems had the Alureon rootkit installed. The Windows Engineering team then began working to build a test matrix to determine if the malware was related to the reports we have been receiving. To ensure we had identified the root cause of the issue, Windows Engineering tested machines using a test process covering all 32-bit versions of Windows. While this issue could impact any 32-bit Windows system infected with the malware, reports have been predominantly on 32-bit versions of Windows XP, so the test process is described at a high level for that version in the table below:

| Phase | Actions | Result on Test Machines |
|---|---|---|
| Debug Phase 1 | 1. Install supported versions of Windows XP. 2. Install all previous updates to bring the Windows Kernel to version 5.1.2600.5857 (the version prior to the one updated by MS10-015). 3. Install the Alureon rootkit. 4. Install MS10-015 / KB977165 (Kernel version 5.1.2600.5913). | The system enters a repeated reboot / blue screen |
| Debug Phase 2 | 1. Install supported versions of Windows XP. 2. Install all previous updates to bring the Windows Kernel to version 5.1.2600.5857. 3. Install all previous updates to bring the Windows Kernel to the current version prior to the version updated by MS10-015. 4. Install the Alureon rootkit. | Successful boot |
| Debug Phase 3 | 1. Install Windows XP SP3. 2. Install all previous updates to bring the Windows Kernel to version 5.1.2600.5857. 3. Install the MS10-015 security update to bring the Kernel to version 5.1.2600.5913. 4. Install the Alureon rootkit. | Successful boot |
| Debug Phase 4 | 1. Install supported versions of Windows XP. 2. Install all previous updates to bring the Windows Kernel to version 5.1.2600.5857. 3. Install MS10-015 to bring the Windows Kernel to version 5.1.2600.5913. 4. Install the Alureon rootkit. 5. Uninstall KB977165, setting the Kernel back to version 5.1.2600.5857. | The machine goes into a rolling reboot |
As indicated in the table, the presence of Alureon does not allow for a successful boot of the compromised system. The Windows Engineering team continued testing different configurations, as well as retesting several third party applications, leading to our firm conclusion that the blue screen issue is the result of the Alureon rootkit.
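To make the causal chain behind the table concrete, here is an added Python model; it is not Microsoft's test harness and not the actual detection logic of the re-released MS10-015 package. It assumes only what the posts state: Alureon binds to the kernel layout present at infection time, any later change to the kernel (applying MS10-015 or uninstalling KB977165) invalidates that binding, and the revised package refuses to install when it sees an abnormal kernel state. `Machine`, `install_ms10_015_revised` and the `tampered` flag are constructed abstractions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kernel versions quoted in the test matrix above.
KERNEL_BEFORE = "5.1.2600.5857"  # kernel before MS10-015
KERNEL_AFTER = "5.1.2600.5913"   # kernel after MS10-015 (KB977165)

BOOT_OK = "Successful boot"
BOOT_LOOP = "Repeated reboot / blue screen"


@dataclass
class Machine:
    """Constructed abstraction of a 32-bit Windows XP test machine."""
    kernel: str = KERNEL_BEFORE
    # Kernel build the rootkit's hard-coded addresses were taken from,
    # or None while the machine is clean.
    rootkit_bound_to: Optional[str] = None
    # True once the rootkit has modified kernel binaries on disk.
    tampered: bool = False

    def infect(self) -> None:
        # Per the post, the rootkit "made assumptions as to the layout of the
        # Windows code on the machine" instead of resolving addresses at load.
        self.rootkit_bound_to = self.kernel
        self.tampered = True

    def install_ms10_015(self) -> None:
        # Original package: replaces the kernel unconditionally.
        self.kernel = KERNEL_AFTER

    def uninstall_kb977165(self) -> None:
        # Rolling back changes the kernel layout again (Debug Phase 4).
        self.kernel = KERNEL_BEFORE

    def boot(self) -> str:
        if self.rootkit_bound_to in (None, self.kernel):
            return BOOT_OK
        # The hard-coded call lands in a kernel whose layout moved: crash.
        return BOOT_LOOP


def install_ms10_015_revised(machine: Machine) -> bool:
    """Stand-in for the re-released package: refuse to install when the
    kernel is in an abnormal state (surfaced to the user as a standard
    Windows Update error). Returns True if the update was applied.
    The real detection logic is not published in these posts."""
    if machine.tampered:
        return False
    machine.install_ms10_015()
    return True


# The four debug phases from the table, reduced to the steps that matter
# (a fresh Machine already has the 5.1.2600.5857 kernel installed).
PHASES: Dict[str, List[str]] = {
    "Debug Phase 1": ["infect", "install_ms10_015"],
    "Debug Phase 2": ["infect"],
    "Debug Phase 3": ["install_ms10_015", "infect"],
    "Debug Phase 4": ["install_ms10_015", "infect", "uninstall_kb977165"],
}


def run_phase(steps: List[str]) -> str:
    """Apply the listed steps to a fresh machine and report its boot result."""
    machine = Machine()
    for step in steps:
        getattr(machine, step)()
    return machine.boot()


def run_matrix() -> Dict[str, str]:
    """Return the predicted boot result for every phase in the table."""
    return {name: run_phase(steps) for name, steps in PHASES.items()}


if __name__ == "__main__":
    for name, result in run_matrix().items():
        print(f"{name}: {result}")
    infected = Machine()
    infected.infect()
    print("revised package installed on infected machine:",
          install_ms10_015_revised(infected))
```

Note that the revised package only avoids the reboot loop; the modelled machine is still infected afterwards, which is why the re-release post points affected users to the landing page rather than treating the install failure as a fix.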
A malware compromise of this type is serious, and if customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk.
For instructions on how to back up your files in Windows, visit here:
http://windows.microsoft.com/en-US/windows-vista/Back-up-your-files
For instructions on how to reinstall Windows, visit here:
http://windows.microsoft.com/en-us/windows/help/install-reinstall-uninstall
Customers who believe they are experiencing this reboot issue after installing MS10-015, or require support removing it or repairing their systems, are encouraged to contact their Customer Service and Support group by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.
While we cannot predict how malware writers will author or modify their code, we are committed to finding new ways to detect issues like this on infected systems. We’re also working on a simpler solution to detect and remove Alureon from affected systems which should be released in a few weeks, as are several other third party vendors.
We will keep you updated here on the MSRC Blog as we have more data and information on the malware and automatic remediation tools.
Mike Reavey
Director, MSRC
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Update - Restart Issues After Installing MS10-015
In our continuing investigation in to the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating. Please review our blog post from yesterday for additional information.
One of the key components when investigating issues like this is obtaining memory dumps from computers experiencing the problem. In order to get the information we need to fully analyze the issue, some of our support engineers have actually driven to customer locations and picked up affected systems so we can get the needed crash data directly and help inform our investigation. For more information about memory dumps, please see: http://support.microsoft.com/kb/254649.
We encourage customers to follow our “Protect Your PC” best practices and always have up to date anti-virus software running on their systems to help prevent malware infections. For customers who do not have anti-virus software, you can either scan your system using our online tool at http://safety.live.com or you can install Microsoft Security Essentials for free.
This can be a difficult issue to solve once a computer is in an un-bootable state so we encourage customers who feel they have been impacted by this to contact our Customer Service and Support group by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.
Keep an eye on this blog for more updates as we have them.
Thanks,
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
February 2010 Security Bulletin Webcast
Hi everyone,
As we do every month following our public webcast, we have posted the questions and answers (which you can find here) and the recorded webcast below.
This month there were no particular themes that emerged in the questions. They ranged from wanting clarification of what it means when we say something is “public” to questions like “Will applying Enable_SSL_Renegotiate_Workaround.js cause IIS 7 to break SSL VPN connections?” You can find the answers to these and many other questions at the link above.
More listening and viewing options:
- Windows Media Video (WMV)
- Windows Media Audio (WMA)
- iPod Video (MP4)
- MP3 Audio
- High Quality WMV (2.5 Mbps)
- Zune Video (WMV)
Earlier today I made a post about a potential issue with MS10-015. We are still investigating this but I wanted to provide some additional clarity on what I mean when I said we stopped offering the update via Windows Update. To be more precise, we basically turned off the Automatic Update system for this bulletin. This means that computers that have our recommended setting to automatically look for, download, and install high priority updates, will not pull this update down. They will still get all the other relevant updates. You can still go to Windows Update and manually select and install the update and you can still obtain the update package from the Download Center.
Please check back here for more updates on this issue as we will post additional information as it becomes available.
Thanks!
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Restart issues after installing MS10-015
Hi everyone,
I am writing to let you know that we are aware that after installing the February security updates a limited number of users are experiencing issues restarting their computers. Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165). However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. Our teams are working to resolve this as quickly as possible. We also stopped offering this update through Windows Update as soon as we discovered the restart issues. However, those using enterprise deployment systems such as SMS or WSUS will still see and be able to deploy these packages.
As you may recall from previous blog posts, MS10-015 addresses an Elevation of Privilege vulnerability that would require the attacker to have valid credentials in order to leverage it in an attack. Several other updates in this release were identified as having a high priority for deployment and we continue to encourage customers to thoroughly test the updates and deploy them immediately. At this time, we are not aware of any issues with the other updates that were released this month and we continue to encourage customers to install them as soon as possible in order to help ensure that they are protected from the vulnerabilities they address.
While we work to address this issue, customers who choose not to install the update can implement the workaround outlined in the bulletin. CVE-2010-0232 was publicly disclosed and we previously issued Security Advisory 979682 in response. Customers can disable the NTVDM subsystem as a workaround and we have provided an automated method of doing that with a Microsoft Fix It that you can find here: http://support.microsoft.com/kb/979682.
Customers who are experiencing issues after installing any of our security updates can get help resolving the issues by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.
Thank you,
Jerry Bryant
Sr. Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
February 2010 Security Bulletin Release
MSRC Bulletin Release Blog Post
Hi everyone,
As mentioned in our ANS blog post last week, today we are releasing 13 bulletins addressing 26 vulnerabilities. 11 bulletins affect Windows and 2 affect older versions of Microsoft Office.
In the post on Thursday, we mentioned that bulletins in the ANS listed as 1, 2, 3, and 6 were going to top our deployment priority list this month. We have also added MS10-015 (#12) to that list. It addresses Security Advisory 979682. We are aware of publicly available Proof-of-Concept code for this issue, but are not aware of any active attacks at this time. Here is the mapping from the bulletin numbers in the ANS to the released bulletin ID’s:
ANS Bulletin Number   Actual Bulletin Number
1                     MS10-006
2                     MS10-007
3                     MS10-008
4                     MS10-009
5                     MS10-012
6                     MS10-013
7                     MS10-003
8                     MS10-004
9                     MS10-010
10                    MS10-011
11                    MS10-014
12                    MS10-015
13                    MS10-005
As always, it is recommended that customers deploy all security updates as soon as possible. Of the bulletins released this month, customers should prioritize and deploy MS10-006, MS10-007, MS10-008, MS10-013, and MS10-015, given Critical severity ratings and/or Exploitability Index ratings of 1 (“Consistent Exploit Code Likely”).
MS10-013, which addresses a Critical vulnerability in DirectShow, should be at the top of your list for testing and deployment. This issue is Critical on all supported versions of Windows except Itanium-based server products and has an Exploitability Index rating of 1. To exploit the vulnerability, an attacker could host a malicious AVI file on a website and convince a user to visit the site, or send the file via email and convince a user to open it.
MS10-006 is also Critical on all versions of Windows, except Windows Vista and Windows Server 2008, and addresses 2 vulnerabilities in SMB Client. One of the vulnerabilities has an Exploitability Index rating of 1. In the simplest scenario, a system connecting to a network file share is an SMB Client. The issue occurs during the client/server negotiation phase of the connection. In order to exploit this issue, an attacker would need to host a malicious server and convince a client system to connect to it. An attacker could also try to perform a man-in-the-middle attack by responding to SMB requests from clients. From our analysis of this issue, we expect attempts to exploit it would be more likely to result in a Denial of Service than in Remote Code Execution.
MS10-007 addresses a Critical vulnerability in the Windows Shell Handler that affects Windows 2000, Windows XP, and Windows Server 2003. The attack vector is a specially crafted link that appears to the ShellExecute API to be a valid link. This issue has not been publicly disclosed, but we give it an Exploitability Index rating of 1, so we urge customers on affected platforms to install the update as soon as possible.
MS10-008 is the last one I will give some additional detail on. This is a cumulative update for ActiveX Killbits and is also Critical. You will notice in our Severity & Exploitability Index chart that we did not give this an Exploitability rating. That is because a Killbit is not an update that addresses the underlying vulnerability. It is a registry setting that keeps the vulnerable ActiveX control from running in Internet Explorer. We will give these an Exploitability rating of 1 if we are aware of active exploitation but in this case, we are not.
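The kill bit mechanism described above, as an added PowerShell example that is not part of this post or of the MS10-008 package. It assumes the documented kill bit layout: a "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} with the 0x400 bit set. The CLSID in the usage line is a placeholder, not one of the controls covered by MS10-008. Setting a kill bit requires an elevated session; reading does not.

```powershell
# Added example, not from the MSRC post or the MS10-008 update.
# A kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# Internet Explorer refuses to instantiate any control whose CLSID carries it.

$KillBitFlag = 0x400
$ActiveXCompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $ActiveXCompatRoot $Clsid
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    # Adds the kill bit without disturbing other compatibility flags already present.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $ActiveXCompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newValue = [int]$existing -bor $KillBitFlag   # [int]$null is 0 when the value does not exist yet
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newValue -Type DWord
}

function Get-KillBittedClsids {
    # Lists every CLSID that currently carries a kill bit; useful for confirming
    # that a cumulative kill bit update landed on a machine.
    Get-ChildItem -Path $ActiveXCompatRoot -ErrorAction SilentlyContinue |
        Where-Object { Test-KillBit -Clsid $_.PSChildName } |
        Select-Object -ExpandProperty PSChildName
}

# Usage (placeholder CLSID, not a real control from the bulletin):
$placeholder = '{00000000-0000-0000-0000-000000000000}'
if (-not (Test-KillBit -Clsid $placeholder)) { Set-KillBit -Clsid $placeholder }
Test-KillBit -Clsid $placeholder    # $true after Set-KillBit
```

On 64-bit Windows, 32-bit Internet Explorer reads the same path under HKLM\SOFTWARE\Wow6432Node, so an audit there should check both locations. Note that a kill bit only blocks the control inside Internet Explorer (and other hosts that honour the ActiveX Compatibility key); it does not remove or patch the control's DLL.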
You can find more detailed information about these bulletins in several blog posts by our Security Research & Defense team at http://blogs.technet.com/srd.
With that, here are the Severity and Exploitability Index and Deployment Priority slides:
In the following video, Adrian Stone and I talk a little more about this month’s top priority bulletins:
More listening and viewing options:
- Windows Media Video (WMV)
- Windows Media Audio (WMA)
- iPod Video (MP4)
- MP3 Audio
- High Quality WMV (2.5 Mbps)
- Zune Video (WMV)
I would also encourage you to attend our public webcast tomorrow where we will go into detail on all 13 bulletins. Here is the registration information:
Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679
Hope you can join us!
Jerry Bryant
Sr. Security Communications Manager – Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
February 2010 Bulletin Release Advance Notification
Today we released February bulletin information through our Advance Notification Service (ANS). This month, we will be releasing 13 bulletins - five rated Critical, seven rated Important, and one rated Moderate - addressing 26 vulnerabilities. Eleven of the bulletins affect Windows and the remaining two affect Office. More information about the upcoming security updates can be found on the Advance Notification Service (ANS) webpage.
As we started to do in December, we want to give customers a peek at what our deployment guidance will be next Tuesday. This month, we will be giving four of the bulletins a deployment priority rating of 1. In the ANS, those are bulletins 1, 2, 3, and 6. We recommend that customers test and deploy all security updates as soon as possible but you should prioritize these first.
To further help customers prioritize, I have pulled the Windows information from the ANS into a summary table so depending on the version you are running, you can see how many bulletins you need to prepare for:
Version                  Critical  Important  Moderate  Low  Total
Windows 2000             5         3          1         0    9
Windows XP               5         2          1         0    8
Windows Server 2003      4         3          2         0    9
Windows Vista            3         3          0         0    6
Windows Server 2008      3         4          0         1    8
Windows 7                3         2          0         0    5
Windows Server 2008 R2   3         1          0         1    5
The Office-related bulletins are both rated Important and would require user action to be exploited (usually in the form of convincing a user to open a specially crafted file). The vulnerabilities only affect older versions of Office, so customers on Office 2007 or Office 2008 for Mac will have no actions this month.
We encourage customers to upgrade to the latest versions of both Windows and Office. As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built in to these products.
I also want to give a summary of the three open Security Advisories so customers know what to expect on Tuesday:
· Advisory 980088, Vulnerability in Internet Explorer Could Allow Information Disclosure: this advisory was released yesterday (Feb 3). We do not have an update for this issue planned for the normal February bulletin release. However, this vulnerability only affects versions of Windows older than Vista in their default configuration, and there is a "Fix It" available so customers in non-default configurations can protect themselves.
· Advisory 979682, Vulnerability in Windows Kernel Could Allow Elevation of Privilege: we are on track to release an update for this issue next Tuesday.
· Advisory 977544, Vulnerability in SMB Could Allow Denial of Service: we are still working on an update for this issue so it will not be addressed in the February bulletins. As a reminder, this issue cannot be used to allow an attacker to take control of a system remotely, but instead results in a system becoming unresponsive due to resource consumption.
We are not aware of any attacks on these vulnerabilities and continue to encourage customers to implement the mitigations and workarounds outlined in the advisories.
Last month I started including important information about Windows versions that are reaching the end of their product lifecycle. Customers using these versions should consider upgrading before support for these products ends as, once it does, we will no longer provide security updates:
- Windows XP Service Pack 2 will no longer be supported as of July 13, 2010. Many customers are still on this version, so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.
- Windows Vista RTM will no longer be supported as of April 13, 2010. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.
- Extended support for Windows 2000 will also be retired on July 13, 2010. At that time, we will no longer provide security or any other updates for Windows 2000.
Finally, please plan to join Adrian Stone and me next week for our regular live webcast where we will go into detail on each bulletin to give you even more information and guidance:
Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679
Hope to see you there!
Jerry Bryant
Sr. Security Communications Manager – Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Security Advisory 980088 Released
Hi everyone,
Today we released Security Advisory 980088 to address a publicly disclosed vulnerability in Internet Explorer that may allow Information Disclosure for customers running on Windows XP or who have disabled Internet Explorer Protected Mode. At this time we are not aware of any attacks seeking to use the vulnerability.
Customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode, which protects from this issue. Windows XP users, or users who have disabled Protected Mode, can help protect themselves by implementing Network Protocol Lockdown. We have created a Microsoft Fix It to automate this. The Fix It can be run on individual systems or enterprises can deploy it through their automated systems.
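A check for the condition this advisory hinges on (is Protected Mode actually on for the zones that matter), as an added PowerShell example that is not part of the advisory or the Fix It. It assumes the per-zone Protected Mode setting is stored as the DWORD "2500" under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone> (0 = enabled, 3 = disabled), that Protected Mode requires User Account Control (EnableLUA) to be on, and that it exists only on Windows Vista and later; the zone names are the standard IE zone numbers 1 to 4.

```powershell
# Added example, not from Security Advisory 980088 or the Fix It.
# Reports Internet Explorer Protected Mode state per security zone for the
# current user. Assumptions (see lead-in): zone value "2500" holds the
# Protected Mode switch (0 = on, 3 = off); Protected Mode needs UAC enabled
# and is not available before Windows Vista (NT 6.0).

$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$UacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Test-ProtectedModeSupported {
    # Protected Mode is built on integrity levels, which arrived with Windows Vista.
    return ([Environment]::OSVersion.Version.Major -ge 6)
}

function Test-UacEnabled {
    $p = Get-ItemProperty -Path $UacKey -Name 'EnableLUA' -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.EnableLUA -eq 1)
}

function Get-ProtectedModeReport {
    foreach ($zone in 1..4) {
        $state = 'not available'
        if (Test-ProtectedModeSupported) {
            if (-not (Test-UacEnabled)) {
                # With UAC off, IE cannot run low integrity, so Protected Mode is off everywhere.
                $state = 'disabled (UAC off)'
            } else {
                $p = Get-ItemProperty -Path (Join-Path $ZonesKey $zone) -Name '2500' -ErrorAction SilentlyContinue
                $state = switch ($p.'2500') { 0 { 'enabled' } 3 { 'disabled' } default { 'not set' } }
            }
        }
        New-Object PSObject -Property @{ Zone = $ZoneNames[$zone]; ProtectedMode = $state }
    }
}

# Zones where Protected Mode is not on are the ones this advisory applies to;
# the Network Protocol Lockdown workaround is meant for exactly those systems.
Get-ProtectedModeReport | Where-Object { $_.ProtectedMode -ne 'enabled' }
```

Running this on Windows XP returns "not available" for every zone, which is the advisory's point: those systems need the Fix It regardless of zone configuration. Group Policy can also force Protected Mode through the HKLM policy hive, so a report of "disabled" here should be cross-checked against the Internet Explorer zone settings dialog before concluding the machine is exposed.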
We are working to produce an update for this vulnerability and when that is complete, we will take appropriate action to protect customers, which may include releasing an update out-of-band. As with any update, we have to balance overall quality and ensure application compatibility before we release it.
Microsoft is also working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers. Together with our partners, we will continue to monitor the threat landscape and will take action against any web sites that seek to exploit this vulnerability.
We continue to encourage customers to upgrade to Internet Explorer 8 to benefit from the increased protections provided in the newer version. In addition, customers should continue to follow our “Protect Your Computer” guidance at http://www.microsoft.com/protect.
Thanks!
Jerry Bryant
Sr. Security Communications Manager – Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
January 2010 Out-of-Band Security Bulletin Webcast
Hello everyone,
Yesterday Adrian Stone from the Microsoft Security Response Center (MSRC) and I hosted a live webcast to discuss Security Bulletin MS10-002 and Security Advisory 979682 in more detail with customers.
Below is the video of that presentation and you can find the question & answer transcript here. We spent over an hour answering customer questions during the webcast. They were all good. Below the video, I am including a set of links to resources we referred to during the presentation.
Thanks to all who attended!
More listening and viewing options:
- Windows Media Video (WMV)
- Windows Media Audio (WMA)
- iPod Video (MP4)
- MP3 Audio
- High Quality WMV (2.5 Mbps)
- Zune Video (WMV)
Resources:
Blogs
- Microsoft Security Response Center (MSRC) blog: http://blogs.technet.com/msrc
- Security Research & Defense blog: http://blogs.technet.com/srd
- Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/
- Internet Explorer Team blog: http://blogs.msdn.com/ie
Bulletins, Advisories, Notifications & Newsletters
- Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
- Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
- Security Advisories: www.microsoft.com/technet/security/advisory/
- Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
- Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews/
Security Centers
- Microsoft Security Home Page: www.microsoft.com/security
- TechNet Security Center: www.microsoft.com/technet/security
- MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx
Other Resources
- Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
- Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Jerry Bryant
Senior Security Communications Manager Lead
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Bulletin MS10-002 Released
Hello,
Today we released Security Bulletin MS10-002 out-of-band to address vulnerabilities in Internet Explorer. All customers using currently supported versions of Windows and Internet Explorer should apply this update as soon as possible. Once applied, customers are protected against the known attacks that have been widely publicized. For customers using automatic updates, this update will automatically be applied once it is released.
I also wanted to clarify some information that we included in our update to Security Advisory 979352 yesterday. We let customers know that there are other applications that may use mshtml.dll as a rendering engine and, if those applications allow active scripting, they can be used as an attack vector. Customers who install today's update are NOT vulnerable and are protected from all known attack vectors. Those applications do not need security updates of their own: installing today's Internet Explorer update addresses the vulnerability across all applications that use mshtml.dll.
As we noted in our blog post yesterday, this Internet Explorer security update was already planned for release in February. When the attack discussed in Security Advisory 979352 was first brought to our attention on Jan 11, we quickly released an advisory for customers three days later. As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September.
For a detailed review of today's bulletin, please join Adrian Stone and me today for a live webcast where we will try to answer your questions in real time. Registration information:
Date: Thursday Jan 21
Time: 1:00 p.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627
Hope to see you there!
Jerry Bryant
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Security Advisory 979682 Released
Today we released Security Advisory 979682 to address an Elevation of Privilege (EoP) vulnerability in the Windows kernel, affecting all currently supported versions of 32-bit Windows. 64-bit versions of Windows, including Windows Server 2008 R2, are not affected. The advisory provides customers with actionable guidance to help with protections against exploit of this vulnerability.
To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system.
To help mitigate exploitation of this vulnerability, customers who do not require the NT Virtual DOS Machine (NTVDM) or support for 16-bit applications can disable the NTVDM subsystem. Information on this workaround can be found in the Advisory.
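The NTVDM workaround described here, and referenced again in the MS10-015 restart post above, as an added PowerShell example that is not part of the advisory, the bulletin or the Fix It. It assumes the workaround is the "Prevent access to 16-bit applications" policy, stored as the DWORD VDMDisallowed = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat; that KB977165 is the MS10-015 package name reported by Get-HotFix; and that the script runs in an elevated session. The decision logic at the end is an assumed deployment policy, not guidance from the advisory.

```powershell
# Added example, not from Security Advisory 979682, MS10-015 or the Fix It.
# Applies, verifies and rolls back the "disable the NTVDM subsystem" workaround.
# Assumptions: the workaround is the "Prevent access to 16-bit applications"
# policy (DWORD VDMDisallowed=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat);
# KB977165 is the MS10-015 package. Only 32-bit Windows has NTVDM; x64 editions are not affected.

$AppCompatPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$Ms10015Kb = 'KB977165'

function Test-32BitWindows {
    # 32-bit Windows reports x86 and never sets PROCESSOR_ARCHITEW6432 (that variable
    # exists only for 32-bit processes running under WOW64 on a 64-bit OS).
    return ($env:PROCESSOR_ARCHITECTURE -eq 'x86' -and -not $env:PROCESSOR_ARCHITEW6432)
}

function Test-Ms10015Installed {
    return [bool](Get-HotFix -Id $Ms10015Kb -ErrorAction SilentlyContinue)
}

function Test-NtvdmDisabled {
    $p = Get-ItemProperty -Path $AppCompatPolicyKey -Name 'VDMDisallowed' -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.VDMDisallowed -eq 1)
}

function Disable-Ntvdm {
    if (-not (Test-Path $AppCompatPolicyKey)) { New-Item -Path $AppCompatPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $AppCompatPolicyKey -Name 'VDMDisallowed' -Value 1 -Type DWord
}

function Enable-Ntvdm {
    # Roll back once the real update is installed so 16-bit applications run again.
    Remove-ItemProperty -Path $AppCompatPolicyKey -Name 'VDMDisallowed' -ErrorAction SilentlyContinue
}

# Assumed deployment policy: apply the workaround only where it is both relevant
# (32-bit Windows) and still needed (update not installed).
if (-not (Test-32BitWindows)) {
    'x64 Windows: no NTVDM, not affected, nothing to do'
} elseif (Test-Ms10015Installed) {
    "$Ms10015Kb is installed: the workaround is no longer needed"
    if (Test-NtvdmDisabled) { Enable-Ntvdm; 'NTVDM re-enabled' }
} elseif (Test-NtvdmDisabled) {
    'NTVDM already disabled'
} else {
    Disable-Ntvdm
    'NTVDM disabled: 16-bit applications (and installers that rely on them) will not run until Enable-Ntvdm is called'
}
```

Test before broad deployment: any 16-bit application or legacy installer on the machine stops working while the policy is set, which is the same caveat the advisory attaches to the workaround.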
We are not currently aware of any active attacks against this vulnerability and believe risk to customers, at this time, is limited. We continue to recommend customers review the mitigations and workarounds detailed in the Security Advisory.
We are also working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers.
Our teams are continuing to work on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out-of-band.
The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.
We will also keep customers apprised of any additional details and updates through the MSRC Blog.
Thanks,
Jerry Bryant
*This posting is provided "AS IS" with no warranties, and confers no rights.*
Advance Notification for Out-of-Band Bulletin Release
Today we issued our Advance Notification Service (ANS) to advise customers that we will be releasing MS10-002 tomorrow, January 21st, 2010. We are planning to release the update as close to 10:00 a.m. PST (UTC -8) as possible. This is a standard cumulative update for Internet Explorer, accelerated from our regularly scheduled February release, with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized. We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released.
Today we also updated Security Advisory 979352 to include technical details addressing additional customer questions.
The updated Security Advisory includes guidance in relation to reports of proof of concept (POC) code that bypasses Data Execution Prevention (DEP) and additional information on the exploitability of, and mitigations and workarounds for, Microsoft products that use mshtml.dll.
Based on our comprehensive monitoring of the threat landscape, we continue to see only limited attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6.
We continue to recommend that customers update to Internet Explorer 8 to benefit from the improved security protection it offers.
Additional Technical Details Related to Security Advisory 979352
Data Execution Prevention (DEP) Bypass
There is a report of a new exploit that bypasses Data Execution Prevention (DEP). We have analyzed the Proof-of-Concept (POC) exploit code and have found that Windows Vista and later versions of Windows offer more effective protections in blocking the exploit due to the improved security protection offered by Address Space Layout Randomization (ASLR).
On Windows XP, which does not benefit from the improved security protection provided by ASLR, attacks using the DEP bypass techniques are likely to be more effective.
The DEP bypass exploit is not, at this time, publicly available and we have not seen it used in attacks.
Additional details on the DEP bypass exploit are provided in a Security Research and Defense Blog published today.
Microsoft E-Mail Products That Render using mshtml.dll Protected by Default
There have been reports that supported versions of Outlook, Outlook Express and Windows Live Mail are affected by the vulnerability in Security Advisory 979352.
For customers using the default configuration of all supported versions of Outlook, Outlook Express and Windows Live Mail, the risk of exploitation using these e-mail clients as an attack vector is low. We are unaware of active exploitation against supported versions of Outlook, Outlook Express or Windows Live Mail.
By default, Outlook, Outlook Express and Windows Live Mail open HTML e-mail messages in the Restricted sites zone, which helps mitigate attacks seeking to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used. Additionally, Outlook 2007 uses a different component to render HTML e-mail, removing the risk of the exploit.
If customers have modified their default configuration to not run in Restricted sites zone, their environments will be in a less secure, more vulnerable, state.
Other products may also use the HTML rendering engine for Internet Explorer and could expose this vulnerability. Any successful attack would require bypassing the default security mechanisms used by each individual application. Therefore customers who use these default application configurations may have reduced risk from being exploited through additional vectors.
Office Applications with Active Scripting Enabled Potentially Vulnerable
We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation.
To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office.
Detailed information on how to disable ActiveX Controls is included in the Security Advisory.
To be clear, applying the update for Internet Explorer addresses the issue across all products that may use mshtml.dll. Customers should install the update to be protected.
We continue to monitor the situation and will keep customers apprised of any changes to the situation or threat landscape through the Microsoft Security Response Center Blog.
Please join us Thursday, January 21 at 1:00 p.m. PST (UTC -8) for a public webcast where we will present information on the bulletin and take customer questions. Registration information:
Date: Thursday Jan 21
Time: 1:00 p.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627
Thanks,
Jerry Bryant
*This posting is provided "AS IS" with no warranties, and confers no rights*
Security Advisory 979352 – Going out of Band
We wanted to provide a quick update on the threat landscape and announce that we will release a security update out-of-band to help protect customers from this vulnerability.
Based on our comprehensive monitoring of the threat landscape we continue to see very limited, and in some cases, targeted attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6. We continue to recommend customers update to Internet Explorer 8 to benefit from the improved security protection it offers. We also recommend customers consider deploying the workarounds and mitigations provided in Security Advisory 979352.
Given the significant level of attention this issue has generated, the confusion about what customers can do to protect themselves, and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability.
We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band is the right decision at this time. We will provide the specific timing of the release tomorrow.
As always, we’re continuing to investigate this situation, so customers should look for the latest updates here on the Microsoft Security Response Center blog.
Thank you,
George Stathakopoulos
General Manager
Trustworthy Computing Security
*This posting is provided "AS IS" with no warranties, and confers no rights*