MSRC

Advance Notification Service for the January 2014 Security Bulletin Release

Thursday, January 09, 2014

Today we provide advance notification for the release of four bulletins for January 2014. All bulletins this month are rated Important in severity and address vulnerabilities in Microsoft Windows, Office, and Dynamics AX. The update provided in MS14-002 fully addresses the issue first described in Security Advisory 2914486. We have only seen this issue used in conjunction with a PDF exploit in targeted attacks and not on its own.

• ANS
• Microsoft Office
• Microsoft Windows
• Security Bulletins

Predictions for 2014 and the December 2013 Security Bulletin Webcast, Q&A, and Slide Deck

Monday, December 16, 2013

Today we’re publishing the December 2013 Security Bulletin Webcast Questions & Answers page. We answered 17 questions in total, with the majority of questions focusing on the Graphics Component bulletin (MS13-096), Security Advisory 2915720 and Security Advisory 2905247. We also wanted to note a new blog on the Microsoft Security Blog site on the top cyber threat predications for 2014.

• Bulletin Webcast
• Customer Questions
• Q&A

Omphaloskepsis and the December 2013 Security Update Release

Tuesday, December 10, 2013

There are times when we get too close to a topic. We familiarize ourselves with every aspect and nuance, but fail to recognize not everyone else has done the same. Whether you consider this myopia, navel-gazing, or human nature, the effect is the same. I recognized this during the recent webcast when someone asked the question – “What’s the difference between a security advisory and a security bulletin?

• Microsoft Exchange
• Microsoft Office
• Microsoft Windows
• Monthly bulletin release
• Risk Assessment
• Security Bulletin
• Security Update

Security Advisory 2916652 released, Certificate Trust List updated

Monday, December 09, 2013

Microsoft is updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of a mis-issued third-party digital certificate, which could be used to spoof content and perform phishing or man-in-the-middle attacks against web properties. With this action, customers will be automatically be protected against this issue.

• Advisory

Advance Notification Service for December 2013 Security Bulletin Release

Thursday, December 05, 2013

Today we’re providing advance notification for the release of 11 bulletins, five Critical and six Important, for December 2013. The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The Critical update for GDI+ fully addresses the publicly disclosed issue described in Security Advisory 2896666. This release won’t include an update for the issue described in Security Advisory 2914486.

• ANS
• Internet Explorer (IE)
• Microsoft Exchange
• Microsoft Office
• Microsoft Windows
• Security Bulletins

Microsoft Releases Security Advisory 2914486

Wednesday, November 27, 2013

Today we released Security Advisory 2914486 regarding a local elevation of privilege (EoP) issue that affects customers using Microsoft Windows XP and Server 2003. Windows Vista and later are not affected by this local EoP issue. A member of the Microsoft Active Protections Program (MAPP) found this issue being used on systems compromised by a third-party remote code execution vulnerability.

• Advisory
• Attack
• Microsoft Windows
• Security
• Security Advisory

Security and policy surrounding bring your own devices (BYOD)

Tuesday, November 26, 2013

As the proliferation of devices continues to capture the imagination of consumers, and has ignited what is referred to as bring your own device (BYOD) revolution, many IT departments across the globe are now facing increased security considerations. While organizations encourage BYOD for cost savings and productivity, it is also important to have robust security policies supporting BYOD.

MBSA 2.3 and the November 2013 Security Bulletin Webcast, Q&A, and Slide Deck

Friday, November 15, 2013

Today we’re publishing the November 2013 Security Bulletin Webcast Questions & Answers page. The majority of questions focused on the ActiveX Kill Bits bulletin (MS13-090) and the advisories. We also answered a few general questions that were not specific to any of this month’s updates, but that may be of interest.

• ActiveX
• Advisory
• Bulletins
• Internet Explorer (IE)
• Killbit
• Microsoft Office
• Microsoft Windows
• Monthly bulletin release
• Q&A
• Security bulletin release
• Security Bulletin Webcast
• Security Bulletins
• Security Update
• Security Update Webcast
• Security Update Webcast Q & A
• Update Tuesday
• Webcast
• Webcast Q&A

Authenticity and the November 2013 Security Updates

Tuesday, November 12, 2013

If you haven’t had a chance to see the movie Gravity, I highly recommend you take the time to check it out. The plot moves a bit slowly at times, but director Alfonso Cuaron’s work portrayal of zero gravity is worth the ticket price alone. Add in stellar acting and you end up with an epic movie that really makes you miss the shuttle program.

• Internet Explorer (IE)
• Malicious Software Removal Tool (MSRT)
• Microsoft Office
• Microsoft Windows
• Security Advisory
• Security Bulletin

ActiveX Control issue being addressed in Update Tuesday

Monday, November 11, 2013

Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publically disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in “Bulletin 3”, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be distributed to customers tomorrow via Windows Update at approximately 10:00 AM PDT.

• ActiveX
• Internet Explorer (IE)
• Security
• Workarounds
• Zero-Day Exploit