Gadgets, certificate housekeeping and the July 2012 bulletins

Before we dive into the July security updates, let’s change up the normal order and take a look at the two Security Advisories we are releasing today. One takes an exciting step into the future, while the other prepares us to take an equally important step away from the past.

Security Advisory 2719662

Today we’re releasing Security Advisory 2719662, which allows system administrators to disable the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7 with one Fix it click. As many of you are aware, Windows 8 will deprecate the Sidebar and Gadgets, and Gadget developers are already shifting their efforts to the online Windows Store. Meanwhile, we’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run. With time running out for the Sidebar and Gadgets and with developers already moving on, we’ve chosen to deprecate the Windows Gadget Gallery effective immediately, and to provide a Fix it to help sysadmins disable Gadgets and the Sidebar across their enterprises.

Security Advisory 2728973

As we mentioned last month, we’re preparing a defense-in-depth change to how Windows deals with certificates that have RSA keys of less than 1024 bits in length. (Experts have for some time recommended that those using RSA keys choose a key length of at least 2048 bits.) Once we release this update in August, we will treat all of these certificates with keys of less than 1024 bits as invalid, even if they are currently valid and signed by a trusted certificate authority. We’re reminding you now to allow everyone time to make the necessary adjustments. You can find further information on this change in last month’s Public Key Infrastructure (PKI) blog post.

Meanwhile, in the course of normal certificate-related housekeeping this month, we spotted a number of digital certificates that don’t meet our standard for security practices. Though we have no indication that they had been compromised or misused in any fashion, as a precautionary measure we’ve revoked them. A subset of those was also found to have code signing permissions, which earned them a place in the Untrusted Certificate Store. For more information please see Security Advisory 2728973. For details, please see the SRD blog, which posts today on this topic. And finally, but also on the housekeeping front, we once again encourage customers to review KB 2677070, which provides an automated process that quickly updates Disallowed Certificate Trust Lists on Windows Vista and Windows 7 clients. We released that KB last month and are re-offering it this week as a Critical-class, non-security update.
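As an added example, not part of the original post and not Microsoft's Fix it or KB tooling: a PowerShell audit that enumerates the local certificate stores, flags RSA certificates whose public key is shorter than the 1024-bit floor described above, and records whether each one carries the Code Signing extended key usage, the property the post mentions for the revoked certificates. The list of store paths, the `MinimumKeyBits` parameter, the `Test-HasCodeSigningEku` helper and the output shape are this script's own assumptions; the two OIDs are the standard rsaEncryption and id-kp-codeSigning identifiers.

```powershell
# Added example (not Microsoft's code): report RSA certificates in the local
# stores whose modulus is shorter than the advisory's 1024-bit floor, and note
# whether each carries the Code Signing EKU. Store list, parameter name and
# output shape are assumptions of this script.
param(
    [int]      $MinimumKeyBits = 1024,
    [string[]] $StorePaths = @(
        'Cert:\LocalMachine\My',
        'Cert:\LocalMachine\Root',
        'Cert:\LocalMachine\CA',
        'Cert:\CurrentUser\My'
    )
)

$rsaOid         = '1.2.840.113549.1.1.1'   # rsaEncryption
$codeSigningOid = '1.3.6.1.5.5.7.3.3'      # id-kp-codeSigning

function Test-HasCodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $codeSigningOid) { return $true }
            }
        }
    }
    return $false
}

$findings = foreach ($path in $StorePaths) {
    if (-not (Test-Path -Path $path)) { continue }
    foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
        # Only RSA keys are in scope for the August change; skip DSA/ECC.
        if ($cert.PublicKey.Oid.Value -ne $rsaOid) { continue }
        try {
            $bits = $cert.PublicKey.Key.KeySize
        } catch {
            # A key that cannot be loaded through the legacy provider is reported
            # with an empty size rather than silently skipped.
            $bits = $null
        }
        if ($null -ne $bits -and $bits -ge $MinimumKeyBits) { continue }
        New-Object PSObject -Property @{
            Store          = $path
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            KeyBits        = $bits
            NotAfter       = $cert.NotAfter
            CodeSigningEku = Test-HasCodeSigningEku -Cert $cert
        }
    }
}

if ($findings) {
    $findings | Sort-Object Store, KeyBits |
        Format-Table Store, KeyBits, CodeSigningEku, Subject, Thumbprint -AutoSize
    # A non-zero exit code lets a deployment tool treat weak keys as a failed check.
    exit 1
} else {
    Write-Host "No RSA certificates below $MinimumKeyBits bits found in: $($StorePaths -join ', ')"
    exit 0
}
```

Run it with elevation so the LocalMachine stores are readable, and run it before the August update lands: any certificate it lists, including internal CA roots and intermediates, will stop validating once keys under 1024 bits are treated as invalid.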

Security Updates

For Update Tuesday we’re also releasing nine security bulletins – three Critical-class and six Important – addressing 16 issues in Microsoft Windows, Internet Explorer, Visual Basic for Applications, and Microsoft Office. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing on the three critical updates first:

MS12-043 (Microsoft XML Core Services): This security update addresses one issue affecting all supported versions of Windows. The bulletin has a Critical severity rating and the issue can result in remote code execution. The bulletin addresses the Windows issue described in last month’s Security Advisory 2719615. We recommend that customers read the bulletin information and apply it as soon as possible. Customers using Microsoft Office should also familiarize themselves with this bulletin. The SRD blog has further details.

MS12-045 (Microsoft Data Access Components [MDAC]): This security update addresses one Critical-class Windows issue that could result in remote code execution. The issue exists in all versions of Windows, and users of any version of Internet Explorer would potentially be vulnerable to it; however, we received word of this issue through private disclosure and we have no evidence that it is publicly known or under exploit in the wild. Still, we recommend that customers read the bulletin information and apply it as soon as possible.

MS12-044 (Internet Explorer): This security update addresses two Critical-class, remote-code-execution issues affecting Internet Explorer. As with the MDAC issue, these two vulnerabilities were privately disclosed to us and we have no indication that they’re under exploit in the wild. As with the others, we recommend that customers read the bulletin information and apply it as soon as possible. We have, by the way, increased our Internet Explorer resources to the point where we will be able to release an update during any month instead of on our previous, bi-monthly cadence. We look forward to your feedback on the change.

The other six bulletins are all Important-class issues touching on Windows, Visual Basic for Applications, and Office, including SharePoint and Office for Mac. Please watch the video below for an overview of this month’s bulletins.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.

In addition, the SRD blog today delves into some of the thinking behind the deployment prioritization this month.

Our risk and impact graph provides an aggregate view of this month’s severity and exploitability index.

You can find more information about this month’s security updates on the Microsoft Security Bulletin Summary web page. Thanks for reading and we hope to see a number of you at Black Hat in two weeks.

Yunsun Wee
Microsoft Trustworthy Computing