MS08-078 Released

Hello, Mike here,

Today we released security update MS08-078, protecting customers from active attacks against Internet Explorer. This update will be applied automatically to hundreds of millions of customers through automatic updates over the next few days. And for our enterprise customers with multiple systems within their networks, this update can be deployed through all standard security update management systems, including SCCM, SMS, WSUS, and Windows Update, as of 10 AM PST today.

As with all security updates from Microsoft, we have verified that this update meets the quality, deployment and application compatibility criteria. It is a high-quality update, ready for broad release, and we encourage customers to test and deploy this update as quickly as possible.

Given the extremely short fix timeline and the attention on this issue, I wanted to share some of the work going on behind the scenes as we readied this update for release.

We initially learned the details on these attacks in the early morning hours of December 9th, and immediately activated our Emergency Response process (SSIRP) to monitor the threat environment, fast track the product development and testing, and deliver guidance to customers. By the next day, we published Security Advisory 961051; this advisory listed workarounds that blocked all known attacks. Over the course of the next eight days, this advisory was updated five times, adding newer workarounds and mitigations. In total, over eight different options were available to customers to block attacks. While all of these workarounds are listed in the advisory, the Security Vulnerability Research and Defense blog contained even more context around how the workarounds blocked the attacks, and why they were effective.

In addition to these workarounds, we were able to share detailed information with our partners in the Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA), allowing protections to be created for over 24 different security partners’ products. This is further validation of our commitment to ‘community based defense’ and means customers that hadn’t yet applied the workarounds, and maybe weren’t even using Microsoft products, were also protected from known attacks.

Along with this information sharing, we also continually monitored the threat environment, noting when the attacks began to change in nature and scope. In fact, the folks in our MMPC published detailed blogs both last Thursday and over the weekend discussing this changing threat environment to ensure customers were aware of the evolving risk.

And early yesterday we gave our worldwide customers a heads-up that an update was planned for release this morning.

Finally, after rigorous development and testing, we released the update to customers. Some customers that follow us closely might know that saying “the update” is a bit misleading, as it is actually over 300 distinct updates for over six versions of Internet Explorer that apply to over 50 different languages. And despite this huge number of distinct updates, they’re all being offered to customers automatically, regardless of their specific Internet Explorer configuration.

Even with that, the release Emergency Response process isn’t over. There is additional support to customers and additional refinement of our product development efforts. The MSRC and development teams will incorporate learning back into the Security Development Lifecycle. And the MSRC and our Customer Support teams are standing by ready to assist. There are two special webcasts today, open to anyone, where we are standing by ready to answer questions, and you may register by clicking on the links below:

· December 17, 2008 1:00 PM Pacific Time

· December 18, 2008 11:00 AM Pacific Time

We will continue to monitor the environment, ensuring customers are able to apply the update successfully, and that attacks are blunted.


Mike Reavey

Director, MSRC

*This posting is provided “AS IS” with no warranties, and confers no rights.*