June Advance Notification Service and 10 Immutable Laws Revisited

Before we get into this month’s release, we wanted to alert you to updates to a document that’s been central to much of how Microsoft thinks about security. Ten years ago, Microsoft penned the “Ten Immutable Laws of Security,” which debuted on TechNet. It was written before the rise of – among other technologies and trends – cloud computing, social networking, widespread smartphone adoption, and Windows XP, to name but a few landmarks along the way. Did a decade of change mutate the Immutables? How can understanding the Laws lead to smarter security for everyone from corporations to home users? We invite you to read “Ten Immutable Laws of Security 2.0” and see for yourself.

As for this month’s bulletins, today we’re providing Advance Notification Service information on 16 bulletins (nine Critical in severity, seven Important) addressing 34 vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight and ISA.  All bulletins will be released on Tuesday, June 14, at approximately 10am PDT. Come back to this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

One of the issues we start to address in this release is “cookiejacking,” which allows an attacker to steal cookies from a user’s computer and access websites the user has logged into. The Internet Explorer bulletin will address one of the known vectors to the cookie folder. Given the prevalence of other types of social engineering methods in use by criminals, which provide access to much more than cookies, we believe this issue poses lower risk to customers. Further, based on a signature that has been released to millions of Microsoft Security Essentials and Forefront customers, the Microsoft Malware Protection Center (MMPC) has not detected attempts to use this technique.

We’re also preparing for our monthly technical webcast, which is scheduled for 11am PDT on Wednesday, 15 June. Your hosts this month will be Jerry Bryant and Jonathan Ness, and they’ll be discussing each of the bulletins and taking your questions live on the air. Register in advance for the webcast here.

As always, we encourage you to follow our Twitter feed at @msftsecresponse for the latest news from the Microsoft Security Response Center.

Thanks –

Angela Gunn
Trustworthy Computing.