MSRC

Out of Band Release to Address Microsoft Security Advisory 2416728

Sunday, September 26, 2010

Hello - Today we provided advance notification to customers that we will release an out-of-band security update to address the vulnerability discussed in Security Advisory 2416728. The update is scheduled for release tomorrow, Tuesday, September 28, 2010 at approximately 10:00 AM PDT. The bulletin has a severity rating of Important and addresses a publicly disclosed vulnerability in ASP.

Security Advisory 2416728 - Workaround Update

Friday, September 24, 2010

Hi everyone - We’ve updated Microsoft Security Advisory 2416728 to include a step in the workaround requiring the blocking of requests that specify the application error path on the querystring. This can be done using URLScan, a free tool for Internet Information Services (IIS) that can selectively block requests based on rules defined by the administrator.

Update to Security Advisory 2416728

Monday, September 20, 2010

Hi everyone - We’ve just updated Microsoft Security Advisory 2416728 as we’ve begun to see limited attacks with the ASP.NET vulnerability. We have added questions and answers and encourage customers to review this information and evaluate it for their environment. We have also added additional technical questions and answers to the Security and Defense blog, which has previously discussed the issue.

Q&A from the September 2010 Security Release Bulletin Webcast

Friday, September 17, 2010

Hello, Today we published the Questions & Answers from the September 2010 Security Bulletin webcast. During the webcast, we answered 10 questions concerning the September bulletins, including inquiries about bulletin MS10-061, involving the Stuxnet vulnerability. We also were asked about the Enhanced Mitigation Experience Toolkit 2.0 (EMET) as well as questions regarding the bulletin MS10-065 affecting IIS and its FastCGI vulnerability.

Security Advisory 2416728 Released

Friday, September 17, 2010

Hi everyone, Today we released Security Advisory 2416728 describing a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework. At this time we are not aware of any attacks using this vulnerability and we encourage customers to review the advisory for mitigations and workarounds. Our Security Research & Defense team has written a blog post to explain how the workarounds work and have provided a script to help administrators determine if they have ASP.

September 2010 Security Bulletin Release

Monday, September 13, 2010

Hi everyone, With this month’s bulletin release, I want to highlight the great work done through our partnerships in the Microsoft Active Protections Program (MAPP). MAPP represents our commitment to community based defense and a shared sense of responsibility to help protect the computing ecosystem. In July of this year, the Stuxnet malware emerged onto the threat landscape and resulted in the release of an out-of-band security update, MS10-046, to address a zero-day vulnerability the malware used to compromise systems.

September 2010 Bulletin Release Advance Notification

Thursday, September 09, 2010

Hello - Today we’re releasing our Advance Notification Service (ANS) for the September Security Bulletins, which are scheduled for release Tuesday, September 14, 2010. This is a service we provide to help enterprises plan and prepare for the upcoming security bulletin release. This month we will be releasing 9 bulletins addressing 13 11 vulnerabilities affecting Windows, Internet Information Services (IIS), and Microsoft Office.

Update on Security Advisory 2269637

Tuesday, August 31, 2010

Hi everyone, Since we released Security Advisory 2269637 on August 23, we’ve continued to conduct an investigation not only into our own affected products, but also into how we can best help to protect customers given DLL preloading also affects some third-party applications. We’d like to provide an update on our investigation.

Microsoft Security Advisory 2269637 Released

Saturday, August 21, 2010

Overview Today we released Microsoft Security Advisory 2269637. This is different from other Microsoft Security Advisories because it’s not talking about specific vulnerabilities in Microsoft products. Rather, this is our official guidance in response to security research that has outlined a new, remote vector for a well-known class of vulnerabilities, known as DLL preloading or “binary planting” attacks.

August 2010 Webcast and QA

Thursday, August 12, 2010

Hello, Today we published the Questions & Answers from the August 2010 Security Bulletin webcast. We answered a total of 17 questions concerning the March bulletins and open Security Advisories. No particular themes emerged from the questions but there were some good ones so please review them. The video covers the core part of the presentation Adrian Stone and I gave during the webcast.