msrc

January 2009 Monthly Bulletin Release

Tuesday, January 13, 2009

Happy New Year to everyone. As Bill noted in his posting on Thursday, we are releasing one new bulletin today, MS09-001. This bulletin is rated as ‘Critical’ for Windows 2000, Windows XP and Windows Server 2003 and is rated as ‘Moderate’ for Windows Vista and Windows Server 2008. My colleague Mark Wodrich has put together a posting over at the Security Vulnerability Research and Defense (SVRD) weblog which explains more about the vulnerability and the Exploitability Index rating.

January 2009 Advanced Notification

Thursday, January 08, 2009

Hello, Bill here. I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, Jan. 13, 2009 around 10 a.m. Pacific Standard Time. It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.

Monthly Security Bulletin Webcast Q&A - December 2008

Friday, January 02, 2009

Register now for the January 2009 Security Bulletin Webcast Security Bulletin Webcast Q&A Index Hosts: Christopher Budd, Security Response Communications Lead Adrian Stone, Lead Security Program Manager (MSRC) Website: TechNet/security Chat Topic: December 2008 Security Bulletin Date: Wednesday, December 10, 2008 Q: SANS reported a 0 day not patched in MS08-073; can we anticipate another “out of band” patch if and when Microsoft confirms the vulnerability?

• Pages
• Security Update Webcast Q & A

Security Bulletin Webcast Q&A - OOB December 2008

Friday, January 02, 2009

Register now for the January 2009 Security Bulletin Webcast Security Bulletin Webcast Q&A Index Hosts: Christopher Budd, Security Response Communications Lead Mike Reavey, Group Program Manager (MSRC) Website: TechNet/security Chat Topic: Microsoft out-of-band Security Bulletin (MS08-067) TechNet Webcast Date: Wednesday, December 17, 2008 and Thursday, December 18, 2008 Note: The below questions were submitted from webcast attendees and are not necessarily in the order they were addressed during webcast.

• Pages
• Security Update Webcast Q & A

Information on Microsoft Security Advisory 961509

Tuesday, December 30, 2008

Hi everyone. This is Maarten Van Horenbeeck. I just joined the Microsoft Security Response Center a few months ago, and am the program manager working on the issue described in Microsoft Security Advisory (961509), which we just released. Earlier today, two researchers presented at a security conference on a novel way of implementing collision attacks on digital certificates signed using the MD5 algorithm.

Questions about Vulnerability Claim in Windows Media Player

Monday, December 29, 2008

Happy holidays to everyone. While it’s been a snowy holiday season for us in the Pacific Northwest (some of us are still snowed in), the MSRC never closes and we are always working to help keep customers safe. In that vein, we’ve received some questions about a vulnerability report that was initially posted late on Christmas eve.

Tuesday 12/23 Update: Microsoft Security Advisory 961040

Tuesday, December 23, 2008

Hello, Bill here, I want to provide you with a quick update regarding our recently released security advisory. In the advisory we provide a workaround to help customers protect themselves from attackers trying to exploit this vulnerability. Customers have told us that it’s helpful when we provide information and guidance on how to automate the deployment of workarounds, so we have taken this a step further and worked with the SQL Engineering Team to providing Enterprise and Business Users a script that applies the workaround on all running instances of SQL Server on the local computer.

Microsoft Security Advisory 961040

Monday, December 22, 2008

Hello, Bill here, I wanted to let you know that we have just posted Microsoft Security Advisory (961040). This advisory contains information regarding public reports of a vulnerability in SQL Server that could allow for remote code execution. We are aware that exploit code has been published on the Internet; however, we are not aware of any attacks attempting to use the reported vulnerability.

MS08-078 Released

Wednesday, December 17, 2008

Hello, Mike here, Today we released security update MS08-078, protecting customers from active attacks against Internet Explorer. This update will be applied automatically to hundreds of millions of customers through automatic updates over the next few days. And, for our enterprise customers - with multiple systems within their networks – this update can be deployed through all standard security update management systems including, SCCM, SMS, WSUS, and Windows Update as of 10AM PST today.

Advance Notification for December 2008 Out-of-Band Release

Tuesday, December 16, 2008

Hi this is Christopher Budd, We’ve just published our Advance Notification for an out-of-band security bulletin release. We plan to release the security update tomorrow, Dec. 17, 2008 to address the vulnerability we’ve discussed in Microsoft Security Advisory 961051. Our target time, as always, is 10:00 a.m. Pacific Time. We’ll be holding two special webcasts to give you details and take your questions.