- Joined
- Jun 27, 2006
- Location
- Chicago, IL
Ever wondered where Update Tuesday bulletins come from, or what it’s like around Microsoft when a serious information-security situation arises? Or wondered who precisely is responsible for getting your monthly bulletin releases out the door?
Update Tuesday, which brings us here today, is one of the most prominent results of that famous Bill Gates memo that put security at the center of Microsoft’s development and support efforts -- just over 10 years ago. We Trustworthy Computing folk tend to look more to the future than to the past, but on the 10-year anniversary a few of us sat down to talk about incident response, the security ecosystem, and how Microsoft collaborates with the industry:
The bulletins will address 21 vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on two critical updates:
Below is this month’s deployment priority guidance, to further assist customers in their deployment planning (click for larger view).
Link Removed due to 404 Error
Our risk and impact graph shows an aggregate view of February’s severity and exploitability index (click for larger view).
Link Removed due to 404 Error
You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.
As usual, our colleagues in SRD have prepared blog posts that delve more deeply into technical aspects of this month’s releases. In addition to a chart delving into this month’s deployment priorities, SRD unpacks the details of MS12-013 and takes a longer look at MS12-014, which touches Indeo – a multimedia codec predating no small percentage of the people reading this sentence.
Per our usual process we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Jonathan Ness. They’ll talk over the February bulletins, discuss changes on the horizon for Technet, and answer some questions we’ve been receiving about the support lifecycle for Vista. The webcast is scheduled for tomorrow, February 15, 2012, at 11 A.M. PST. Link Removed - Invalid URL, and as always we look forward to taking your questions live during the webcast.
Thanks,
Angela Gunn
Trustworthy Computing.
Link Removed due to 404 Error
More...
Update Tuesday, which brings us here today, is one of the most prominent results of that famous Bill Gates memo that put security at the center of Microsoft’s development and support efforts -- just over 10 years ago. We Trustworthy Computing folk tend to look more to the future than to the past, but on the 10-year anniversary a few of us sat down to talk about incident response, the security ecosystem, and how Microsoft collaborates with the industry:
- MSRC senior security program manager Link Removed due to 404 Error explains why, in MSRC, “the second-Tuesday cycle is what we live for” and gives a glimpse at how the Microsoft response process handled MS08-067 – the case that became Conficker.
- MSRC senior director Link Removed due to 404 Error on never making the same hard decision twice.
- MSRC security program manager Link Removed due to 404 Erroron coming to Microsoft from the open-source community and becoming an Internet firefighter.
- EcoStrat senior security strategist Link Removed due to 404 Error on the crucial need to reach out to researchers, and the process of convincing Microsoft to pay out a quarter of a million dollars in the BlueHat Prize.
- EcoStrat senior security manager Link Removed due to 404 Error on how keeping trusted industry partners in the loop on bulletins and advisories protects the entire ecosystem…quietly.
- And, for a look at how we appear to a longtime observer, we set up a Skype chat with tech evangelist Link Removed due to 404 Error to get his perspective on how our process affects the broader ecosystem.
The bulletins will address 21 vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on two critical updates:
- MS12-010 (Internet Explorer): Cumulative Security Update for Internet Explorer. This bulletin addresses two Critical, one Important and one Moderate issues affecting all versions of Internet Explorer. The most severe of these could allow for remote code execution, if an attacker were to convince a user to visit a maliciously constructed Web page. All of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. We recommend that customers read through the bulletin information concerning MS12-010 and apply it as soon as possible.
- MS12-013 (C Runtime Library): Vulnerabilities in C Run-Time Library Could Allow Remote Code Execution. This bulletin addresses an issue that could arise if a would-be attacker sent a malicious media file to a targeted user, or convinced the user to visit a Web page hosting such a file. The issue was cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. As with MS12-010, though, we recommend that customers read through the bulletin information and apply it as soon as possible.
Below is this month’s deployment priority guidance, to further assist customers in their deployment planning (click for larger view).
Link Removed due to 404 Error
Our risk and impact graph shows an aggregate view of February’s severity and exploitability index (click for larger view).
Link Removed due to 404 Error
You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.
As usual, our colleagues in SRD have prepared blog posts that delve more deeply into technical aspects of this month’s releases. In addition to a chart delving into this month’s deployment priorities, SRD unpacks the details of MS12-013 and takes a longer look at MS12-014, which touches Indeo – a multimedia codec predating no small percentage of the people reading this sentence.
Per our usual process we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Jonathan Ness. They’ll talk over the February bulletins, discuss changes on the horizon for Technet, and answer some questions we’ve been receiving about the support lifecycle for Vista. The webcast is scheduled for tomorrow, February 15, 2012, at 11 A.M. PST. Link Removed - Invalid URL, and as always we look forward to taking your questions live during the webcast.
Thanks,
Angela Gunn
Trustworthy Computing.
Link Removed due to 404 Error
More...
