Microsoft Security Response Center Blog

Security Advisory 3010060 released

Tuesday, October 21, 2014

Today, we released Security Advisory 3010060to provide additional protections regarding limited, targeted attacks directed at Microsoft Windows customers. A cyberattacker could cause remote code execution if someone is tricked into opening a maliciously-crafted PowerPoint document that contains an infected Object Linking and Embedding (OLE) file. As part of this Security Advisory, we have included an easy, one-click Fix itsolution to address the known cyberattack.

• EMET
• Fix It
• Microsoft Office
• Security Advisory
• Windows

Assessing Risk for the October 2014 Security Updates

Tuesday, October 14, 2014

Today we released eight security bulletins addressing 24 unique CVE’s. Three bulletins have a maximum severity rating of Critical, and five have a maximum severity rating of Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max exploitability Platform mitigations and key notes MS14-058(Kernel mode drivers [win32k.

More Details About CVE-2014-4073 Elevation of Privilege Vulnerability

Tuesday, October 14, 2014

Today Microsoft shipped MS14-057 to the .NET Framework in order to resolve an Elevation of Privilege vulnerability in the ClickOnce deployment service. While this update fixes this service, developers using Managed Distributed Component Object Model (a .NET wrapped around DCOM) need to take immediate action to ensure their applications are secure.

October 2014 Updates

Tuesday, October 14, 2014

Today, as part of Update Tuesday, we released eight securityupdates – three rated Critical and five rated Important - to address 24 Common Vulnerabilities & Exposures (CVEs) in Windows, Office, .NET Framework, .ASP.NET, and Internet Explorer (IE). We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first.

• Internet Explorer (IE)
• Microsoft Windows
• Security Bulletin
• Security bulletin release

Advance Notification Service for the October 2014 Security Bulletin Release

Thursday, October 09, 2014

Today, we provide advance notification for the release of nine Security Bulletins. Three of these updates are rated Critical, five are rated as Important, and one is rated Moderate in severity. These updates are for Microsoft Windows, Internet Explorer, Office, .NET Framework, and ASP.NET. As per our usual process, we’ve scheduled the Security Bulletin release for the second Tuesday of the month, October 14, 2014, at approximately 10 a.

• .NET Framework
• ANS
• Asp.Net
• Internet Explorer (IE)
• Microsoft Windows

BlueHat v14 is almost here

Monday, October 06, 2014

It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

• BlueHat Security Briefings
• BlueHat v14
• Bountyprograms
• EcoStrat
• Security Ecosystem
• Security Research

Bug Bounty Evolution: Online Services

Tuesday, September 23, 2014

Today marks the next evolution in bounty programs at Microsoft as we launch the Microsoft Online Services Bug Bounty program starting with Office 365. In our mobile first, cloud first world, this is an exciting and logical evolution to our existing bug bounty programs. Office 365 is the first of our online services groups to launch a bounty for vulnerabilities found in their services and we will bring others into the program as we go forward.

• Azure Bug Bounty
• Bounty
• Bountyprograms
• CVD
• O365 Bug Bounty
• Online Services Bug Bounty
• Security Engineering
• Security Research

September 2014 Security Bulletin Release Webcast and Q&A

Friday, September 12, 2014

Today we’re publishing the September 2014 Security Bulletin Webcast Questions & Answers page. We fielded four questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS14-052) and a question about the Windows Update client. We invite you to join us for the next scheduled webcast on Wednesday, October 8, 2014, at 11 a.

• .NET
• Internet Explorer (IE)
• Lync
• Scheduler
• Security Bulletin Webcast
• Security Update Webcast Q & A

Assessing risk for the September 2014 security updates

Tuesday, September 09, 2014

Today we released four security bulletins addressing 42 unique CVE’s. One bulletin has a maximum severity rating of Critical and the other three have maximum severity Important. This table is designed to help you prioritize the deployment of updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploitability Index Rating Platform mitigations and key notes MS14-052(Internet Explorer) Victim browses to a malicious webpage.

• Attack Vector
• Risk Asessment

The September 2014 Security Updates

Tuesday, September 09, 2014

Today, as a part of our regular Update Tuesday process, we released four security bulletins – one rated Critical and three rated Important in severity – to address 42 Common Vulnerabilities & Exposures (CVEs) in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server. We encourage you to apply all of these updates, but for those who need to prioritize, we recommend focusing on the Critical update first.

• Internet Explorer (IE)
• Microsoft Windows
• Monthly bulletin release
• Security Bulletin
• Security Update