Microsoft Security Response Center Blog

Assessing risk for the June 2013 security updates

Tuesday, June 11, 2013

Today we released five security bulletins addressing 23 CVE’s. One bulletin has a maximum severity rating of Critical, and four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability rating Likely first 30 days impact Platform mitigations and key notes MS13-047(Internet Explorer) Victim browses to a malicious webpage.

Read More

• Attack Vector
• Risk Asessment

Improved cryptography infrastructure and the June 2013 bulletins

Tuesday, June 11, 2013

It was just over one year ago, May 28, 2012, to be exact, that I transitioned from running active MSRC cases and writing bulletins to my current role managing software security incidents. A lot has changed in that year*- _and I’ve dealt with some interesting issues during my tenure* - _but our goal of providing the best customer protections possible remains a constant.

Read More

• Internet Explorer (IE)
• Microsoft Office
• Microsoft Windows
• Security Bulletins

MS13-051: Get Out of My Office!

Tuesday, June 11, 2013

MS13-051 addresses a security vulnerability in Microsoft Office 2003 and Office for Mac. Newer versions of Microsoft Office for Windows are not affected by this vulnerability, but the newest version of Office for Mac (2011) is affected. We have seen this vulnerability exploited in targeted 0day attacks in the wild. In this blog we’ll cover the following aspects:

Read More

• Attack
• Detection
• EMET

Advanced Notification Service for the June 2013 Security Bulletin Release

Thursday, June 06, 2013

Today we’re providing Advance Notification of five bulletins for release on Tuesday, June 11, 2013. This release brings one Critical- and four Important-class bulletins. The Critical-rated bulletin addresses issues in Internet Explorer, and the Important-rated bulletins address issues in Microsoft Windows and Office. We will publish the bulletins on the second Tuesday of the month, at approximately 10 a.

Read More

• ANS
• Internet Explorer (IE)
• Microsoft Office
• Microsoft Windows
• Security Bulletin

Java: A Fix it for when you cannot let go

Wednesday, May 29, 2013

There is much to say about the use of Java in both consumer and enterprise environments. Like any other platforms, it has both devoted supporters and fervent critics. But for most, Java is a requirement, a means to an end. In the past few years, Java as a platform has been the target of numerous malware attacks, which exploit a number of Java runtime vulnerabilities on the target machines.

Read More

• FixIt
• Mitigations

A few more days before EMET 4

Tuesday, May 28, 2013

On May 8th, we announced that EMET 4 would have been released today, May 28th. Since that day, we had additional feedback and we are working on a few things that are requiring a little bit more time than expected. This considered, we are not releasing EMET 4 today, and we will take a few more days to have everything prepared for the final release.

Read More

• EMET

May 2013 Security Bulletin Webcast, Q&A, and Slide Deck

Friday, May 17, 2013

For those who couldn’t attend the live webcast, today we’re publishing the May 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS13-037 and MS13-038) and Visio (MS13-044). We invite our customers to join us for the next public webcast on Wednesday, June 12, 2013, at 11 a.

Read More

• Bulletins
• Internet Explorer (IE)
• Killbit
• Malicious Software Removal Tool (MSRT)
• Microsoft Office
• Monthly bulletin release
• Q&A
• Security Advisory
• Security Bulletin Webcast
• Security Bulletins
• Security Update Webcast
• Security Update Webcast Q & A
• Webcast
• Webcast Q&A

Assessing risk for the May 2013 security updates

Tuesday, May 14, 2013

Today we released ten security bulletins addressing 33 CVE’s. Two of the bulletins have a maximum severity rating of Critical, and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS13-038(Internet Explorer 8) Victim browses to a malicious webpage.

Read More

• Mitigations
• Rating
• Risk Asessment

Microsoft Customer Protections for May 2013

Tuesday, May 14, 2013

Today, we are releasing 10 bulletins, addressing 33 vulnerabilities in Microsoft products. Before we get into the details, we wanted to first let our enterprise customers know about a change in how we’re communicating technical details within our security advisories. Starting today, customers will be able to clearly identify key security updates within advisories.

Read More

• Internet Explorer (IE)
• Microsoft Office
• Microsoft Windows
• Security Bulletin
• Security Bulletin Webcast

MS13-037 addressing Pwn2own vulnerabilities

Tuesday, May 14, 2013

MS13-037 addresses a number of vulnerabilities in Internet Explorer, several of which were reported to us by the TippingPoint Zero Day Initiative (ZDI) program. We’ve gotten questions from customers about the specific vulnerabilities purchased by ZDI from the CanSecWest pwn2own contest. We’d like to use this blog post to provide more background on the set of vulnerabilities required for an attacker to exploit modern-day browsers and the state of fixes for those specific vulnerabilities.

Read More

• CanSecWest
• Exploitation