MSRC looks back at ten years, and the February 2012 bulletins

Ever wondered where Update Tuesday bulletins come from, or what it’s like around Microsoft when a serious information-security situation arises? Or wondered who precisely is responsible for getting your monthly bulletin releases out the door?

Update Tuesday, which brings us here today, is one of the most prominent results of that famous Bill Gates memo that put security at the center of Microsoft’s development and support efforts — just over 10 years ago. We Trustworthy Computing folk tend to look more to the future than to the past, but on the 10-year anniversary a few of us sat down to talk about incident response, the security ecosystem, and how Microsoft collaborates with the industry:

  • MSRC senior security program manager Dustin Childs explains why, in MSRC, “the second-Tuesday cycle is what we live for” and gives a glimpse at how the Microsoft response process handled MS08-067 – the case that became Conficker.
  • MSRC senior director Mike Reavey on never making the same hard decision twice in incident response.
  • MSRC security program manager Leigh Honeywell on coming to Microsoft from the open-source community and becoming an Internet firefighter.
  • EcoStrat senior security strategist Katie Moussouris on the crucial need to reach out to researchers, and the process of convincing Microsoft to pay out a quarter of a million dollars in the BlueHat Prize.
  • EcoStrat senior security manager Maarten van Horenbeeck on how keeping trusted industry partners in the loop on bulletins and advisories protects the entire ecosystem…quietly.
  • And, for a look at how we appear to a longtime observer, we set up a Skype chat with tech evangelist Ryan Naraine to get his perspective on how our process affects the broader ecosystem.

Meanwhile, as I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing nine security bulletins. Four of those are rated Critical in severity, with the remaining five classified as Important.

The bulletins will address 21 vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on two critical updates:

  • MS12-010 (Internet Explorer): Cumulative Security Update for Internet Explorer. This bulletin addresses two Critical, one Important and one Moderate issues affecting all versions of Internet Explorer. The most severe of these could allow for remote code execution, if an attacker were to convince a user to visit a maliciously constructed Web page. All of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. We recommend that customers read through the bulletin information concerning MS12-010 and apply it as soon as possible.
  • MS12-013 (C Runtime Library): Vulnerabilities in C Run-Time Library Could Allow Remote Code Execution. This bulletin addresses an issue that could arise if a would-be attacker sent a malicious media file to a targeted user, or convinced the user to visit a Web page hosting such a file. The issue was cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. As with MS12-010, though, we recommend that customers read through the bulletin information and apply it as soon as possible.

In this video, Yunsun Wee discusses this month’s bulletins in further detail.

Below is this month’s deployment priority guidance, to further assist customers in their deployment planning (click for larger view).

Deployment Priority


Our risk and impact graph shows an aggregate view of February’s severity and exploitability index (click for larger view).

Exploitability Index

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page.

As usual, our colleagues in SRD have prepared blog posts that delve more deeply into technical aspects of this month’s releases. In addition to a chart delving into this month’s deployment priorities, SRD unpacks the details of MS12-013 and takes a longer look at MS12-014, which touches Indeo – a multimedia codec predating no small percentage of the people reading this sentence.

Per our usual process we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Jonathan Ness. They’ll talk over the February bulletins, discuss changes on the horizon for Technet, and answer some questions we’ve been receiving about the support lifecycle for Vista. The webcast is scheduled for tomorrow, February 15, 2012, at 11 A.M. PST. Click here to register, and as always we look forward to taking your questions live during the webcast.

Angela Gunn
Trustworthy Computing.