Month Archives: November 2013

Assessing risk for the November 2013 security updates

Tuesday, November 12, 2013

Today we released eight security bulletins addressing 19 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS13-090(ActiveX killbit) Victim browses to a malicious webpage.

• Attack Vector
• Rating
• Risk Asessment

Authenticity and the November 2013 Security Updates

Tuesday, November 12, 2013

If you haven’t had a chance to see the movie Gravity, I highly recommend you take the time to check it out. The plot moves a bit slowly at times, but director Alfonso Cuaron’s work portrayal of zero gravity is worth the ticket price alone. Add in stellar acting and you end up with an epic movie that really makes you miss the shuttle program.

• Internet Explorer (IE)
• Malicious Software Removal Tool (MSRT)
• Microsoft Office
• Microsoft Windows
• Security Advisory
• Security Bulletin

Introducing Enhanced Mitigation Experience Toolkit (EMET) 4.1

Tuesday, November 12, 2013

In June 2013, we released EMET 4.0 and customer response has been fantastic. Many customers across the world now include EMET as part of their defense-in-depth strategy and appreciate how EMET helps businesses prevent attackers from gaining access to computers systems. Today, we’re releasing a new version, EMET 4.1, with updates that simplify configuration and accelerate deployment.

• EMET
• Mitigation

Security Advisory 2868725: Recommendation to disable RC4

Tuesday, November 12, 2013

In light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations. Microsoft recommends TLS1.2 with AES-GCM as a more secure alternative which will provide similar performance.

• Schannel

Security Advisory 2880823: Recommendation to discontinue use of SHA-1

Tuesday, November 12, 2013

Microsoft is recommending that customers and CA’s stop using SHA-1 for cryptographic applications, including use in SSL/TLS and code signing. Microsoft Security Advisory 2880823 has been released along with the policy announcement that Microsoft will stop recognizing the validity of SHA-1 based certificates after 2016. Background Secure Hashing Algorithm 1 (SHA-1) is a message digest algorithm published in 1995 as part of NIST’s Secure Hash Standard.

Technical details of the targeted attack using IE vulnerability CVE-2013-3918

Tuesday, November 12, 2013

Over the weekend we became aware of an active attack relying on an unknown remote code execution vulnerability of a legacy ActiveX component used by Internet Explorer. We are releasing this blog to confirm one more time that the code execution vulnerability will be fixed in today’s UpdateTuesday release and to clarify some details about the second vulnerability reported.

• 0day
• CVE-2013-3918
• EMET
• IE
• InformationCardSigninHelper
• MS13-090
• Zero-Day Exploit

ActiveX Control issue being addressed in Update Tuesday

Monday, November 11, 2013

Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publically disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in “Bulletin 3”, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be distributed to customers tomorrow via Windows Update at approximately 10:00 AM PDT.

• ActiveX
• Internet Explorer (IE)
• Security
• Workarounds
• Zero-Day Exploit

2013 年 11 月 13 日のセキュリティ リリース予定 (月例)

Thursday, November 07, 2013

2013 年 11 月の月例セキュリティ リリースの事前通知を公開しました。 2013 年 11 月 13 日に公開を予定している新規月例

• セキュリティ情報
• 事前通知

Clarification on Security Advisory 2896666 and the ANS for the November 2013 Security Bulletin Release

Thursday, November 07, 2013

Today, we’re providing advance notification for the release of eight bulletins, three Critical and five Important, for November 2013. The Critical updates address vulnerabilities in Internet Explorer and Microsoft Windows, and the Important updates address issues in Windows and Office. While this release won’t include an update for the issue first described in Security Advisory 2896666, we’d like to tell you a bit more about it.

• Advisory
• ANS
• Internet Explorer (IE)
• Microsoft Office
• Windows

Software defense: safe unlinking and reference count hardening

Wednesday, November 06, 2013

Object lifetime management vulnerabilities represent a very common class of memory safety vulnerability. These vulnerabilities come in many shapes and sizes, and are typically quite difficult to mitigate generically. Vulnerabilities of this type result commonly from incorrect accounting with respect to reference counts describing active users of an object, or improper handling of certain object states or error conditions.