Microsoft Security Response Center Blog

Assessing risk for the September 2013 security updates

Tuesday, September 10, 2013

Today we released thirteen security bulletins addressing 47 CVE’s. Four bulletins have a maximum severity rating of Critical while the other ten have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS13-069(Internet Explorer) Victim browses to a malicious webpage.

Read More

• Attack Vector
• Rating
• Risk Asessment

Lovely tokens and the September 2013 security updates

Tuesday, September 10, 2013

Helen Hunt Jackson famously wrote, “By all lovely tokens September is here, with summer’s best of weather and autumn’s best of cheer.” I share Helen’s clear adoration for this time of year. As a sports fan, there are so many “lovely tokens” to enjoy. The baseball pennant race is heating up, college and pro football are underway, and various soccer leagues (real football to the rest of the world) continue.

Read More

• Internet Explorer (IE)
• Microsoft Office
• Microsoft Windows
• Security Bulletin
• SharePoint
• Update Tuesday

MS13-068: A difficult-to-exploit double free in Outlook

Tuesday, September 10, 2013

MS13-068 addresses a memory corruption vulnerability accessible by simply previewing a message in the Outlook Preview Pane. As such, we’ve rated this security vulnerability as Critical and we encourage customers to deploy the security update. However, in this case, we believe this particular vulnerability will be difficult to exploit for code execution.

Read More

• Exploitability
• Rating
• Risk Asessment

Advance Notification Service for September 2013 Security Bulletin Release

Thursday, September 05, 2013

In celebration of kids heading back to school, today we’re providing advance notification for the release of 14 bulletins, four Critical and 10 Important, for September 2013. The Critical updates address issues in Internet Explorer, Outlook, SharePoint and Windows. As always, we’ve scheduled the bulletin release for the second Tuesday of the month, Sept.

Read More

• ANS
• Internet Explorer (IE)
• Outlook
• Security bulletin release
• SharePoint
• Windows

August 2013 Security Bulletin Webcast, Q&A, and Slide Deck

Monday, August 19, 2013

Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063). There were 3 additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.

Read More

• Bulletins
• Customer Questions
• Exploitability
• Exploitability Index
• Internet Explorer (IE)
• Malicious Software Removal Tool (MSRT)
• Microsoft Active Protections Program (MAPP)
• Microsoft Office
• Microsoft Windows
• Mitigations
• Monthly bulletin release
• Q&A
• Security Bulletin
• Security bulletin release
• Security Bulletin Webcast
• Security Bulletins
• Security Update
• Security Update Webcast
• Security Update Webcast Q & A
• Update Tuesday
• Webcast

Assessing risk for the August 2013 security updates

Tuesday, August 13, 2013

Today we released eight security bulletins addressing 23 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Index Likely first 30 days impact Platform mitigations and key notes MS13-059(Internet Explorer) Victim browses to a malicious webpage.

Read More

• Attack Vector
• Mitigation
• Rating
• Risk Asessment

Cryptographic Improvements in Microsoft Windows

Tuesday, August 13, 2013

You might remember that in June 2013 we released Security Advisory 2854544 announcing additional options for enterprise customers to manage their digital certificate handling configuration on the Windows platform. The particular functionality announced in Security Advisory 2854544 was first built into Windows 8, Windows Server 2012, and Windows RT and then back-ported to other operating systems.

Read More

• PKI

Leaving Las Vegas and the August 2013 security updates

Tuesday, August 13, 2013

Two weeks ago I, along with 7,500 of my closest friends, attended the Black Hat security conference in Las Vegas, NV. I can’t speak for everyone, but I certainly had a great – if not exhausting – time while there. While there were a lot of great talks, a personal highlight for me each year is the chance to meet and talk with the various people who attend.

Read More

• Internet Explorer (IE)
• Microsoft Windows
• Security Bulletins

Mitigating the LdrHotPatchRoutine DEP/ASLR bypass with MS13-063

Monday, August 12, 2013

Today we released MS13-063 which includes a defense in depth change to address an exploitation technique that could be used to bypass two important platform mitigations: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). As we’ve described in the past, these mitigations play an important role in making it more difficult and costly for attackers to exploit vulnerabilities.

Read More

• Defense-in-depth
• DEP
• Exploitation
• Mitigation

Advance Notification Service for August 2013 Security Bulletin Release

Thursday, August 08, 2013

Today we’re providing advance notification for the release of eight bulletins, three Critical and five Important, for August 2013. The Critical updates address vulnerabilities in Microsoft Windows, Internet Explorer and Exchange. As usual, we’ve scheduled the bulletin release for the second Tuesday of the month, August 13, 2013, at approximately 10:00 a.

Read More

• ANS
• Security Update