- Joined
- Jun 27, 2006
- Location
- Chicago, IL
Hi everyone,
With this month's bulletin release, I want to highlight the great work done through our partnerships in the Link Removed due to 404 Error represents our commitment to community based defense and a shared sense of responsibility to help protect the computing ecosystem. In July of this year, the Stuxnet malware emerged onto the threat landscape and resulted in the release of an out-of-band security update, Link Removed due to 404 Error, to address a zero-day vulnerability the malware used to compromise systems. Additionally, we updated theLink Removed - Invalid URLLink Removed - Invalid URL in August to remove Stuxnet and we are able to report that according to our telemetry, the threat has gone way down from the spike we saw in early August.
Since that time, Microsoft and partners in our MAPP program have continued to investigate this extremely complex malware. Today, we are releasing Link Removed due to 404 Error to address another vulnerability first discovered and reported to us by Kaspersky Lab and then later by Symantec. This vulnerability in the Print Spooler Service is rated Critical for Windows XP and Important on all other affected platforms and is used by Stuxnet to spread to systems inside the network where the Print Spooler service is exposed without authentication.
In addition, Microsoft researchers uncovered two additional Elevation of Privilege (EoP) vulnerabilities (one of which was also reported to us by Kaspersky, and later independently confirmed by Symantec) used by the malware to gain full control of the infected system. One of these EoP vulnerabilities affects Windows XP and the other affects Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. These are local EoP issues which means that an attacker, in this case Stuxnet, already has permission to run code on the system or has compromised the system through some other means. We are currently working to address both issues in a future bulletin.
We want to thank both Kaspersky Lab and Symantec for their collaboration in uncovering these vulnerabilities and for coordinating with us to protect customers. This is what community based defense is all about.
As we look at our other high priority bulletins for this month, I would like to emphasize the fact that there are no critical bulletins for Windows 7 or Windows Server 2008 R2. This is due to security enhancements such as additional heap mitigations built into the newer operating systems. Additionally, this month's Office bulletin does not affect Office 2010. I will also state that we are still investigating and working on updates for public issues that do affect these platforms. We want customers to know that we continue to work hard to address these issues and that our efforts to produce comprehensive updates and release them in a predictable manner is something that comes "in the box" when you buy our software.
As you can see from our aggregate severity and exploitability index chart below, there are two bulletins that are both Critical and have an exploitability index rating of 1. The first is Link Removed due to 404 Error that I discussed above and the second, Link Removed due to 404 Error, involves a vulnerability in the MPEG-4 codec affecting supported versions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This issue can be exploited if a user opens a specially crafted media file or receives streaming content from the web.
Link Removed due to 404 Error
The remaining bulletins are given a 2 or a 3 in our deployment priority list. This guidance is intended to help customers prioritize bulletin deployment and is based on several factors including severity, exploitability, breadth of platforms, and available mitigations and workarounds. Since every environment is different, we do recommend that customers evaluate accordingly and apply the updates as soon as possible.
Link Removed due to 404 Error
In the video below, Adrian Stone and I give an overview of this month’s bulletin release and discuss why we have prioritized the bulletins the way we did.
Please join Adrian and me tomorrow, September 15, at 11:00 a.m. PDT (UTC -7) for a public webcast where we will go into more details about these bulletins. We will also have a room full of subject matter experts standing by to help answer all of your questions during the session. You can register here:
Link Removed - Invalid URL
We will also release two security advisories this month:
Thanks!
Jerry Bryant
Group Manager, Response Communications
Link Removed due to 404 Error
More...
With this month's bulletin release, I want to highlight the great work done through our partnerships in the Link Removed due to 404 Error represents our commitment to community based defense and a shared sense of responsibility to help protect the computing ecosystem. In July of this year, the Stuxnet malware emerged onto the threat landscape and resulted in the release of an out-of-band security update, Link Removed due to 404 Error, to address a zero-day vulnerability the malware used to compromise systems. Additionally, we updated theLink Removed - Invalid URLLink Removed - Invalid URL in August to remove Stuxnet and we are able to report that according to our telemetry, the threat has gone way down from the spike we saw in early August.
Since that time, Microsoft and partners in our MAPP program have continued to investigate this extremely complex malware. Today, we are releasing Link Removed due to 404 Error to address another vulnerability first discovered and reported to us by Kaspersky Lab and then later by Symantec. This vulnerability in the Print Spooler Service is rated Critical for Windows XP and Important on all other affected platforms and is used by Stuxnet to spread to systems inside the network where the Print Spooler service is exposed without authentication.
In addition, Microsoft researchers uncovered two additional Elevation of Privilege (EoP) vulnerabilities (one of which was also reported to us by Kaspersky, and later independently confirmed by Symantec) used by the malware to gain full control of the infected system. One of these EoP vulnerabilities affects Windows XP and the other affects Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. These are local EoP issues which means that an attacker, in this case Stuxnet, already has permission to run code on the system or has compromised the system through some other means. We are currently working to address both issues in a future bulletin.
We want to thank both Kaspersky Lab and Symantec for their collaboration in uncovering these vulnerabilities and for coordinating with us to protect customers. This is what community based defense is all about.
As we look at our other high priority bulletins for this month, I would like to emphasize the fact that there are no critical bulletins for Windows 7 or Windows Server 2008 R2. This is due to security enhancements such as additional heap mitigations built into the newer operating systems. Additionally, this month's Office bulletin does not affect Office 2010. I will also state that we are still investigating and working on updates for public issues that do affect these platforms. We want customers to know that we continue to work hard to address these issues and that our efforts to produce comprehensive updates and release them in a predictable manner is something that comes "in the box" when you buy our software.
As you can see from our aggregate severity and exploitability index chart below, there are two bulletins that are both Critical and have an exploitability index rating of 1. The first is Link Removed due to 404 Error that I discussed above and the second, Link Removed due to 404 Error, involves a vulnerability in the MPEG-4 codec affecting supported versions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This issue can be exploited if a user opens a specially crafted media file or receives streaming content from the web.
Link Removed due to 404 Error
The remaining bulletins are given a 2 or a 3 in our deployment priority list. This guidance is intended to help customers prioritize bulletin deployment and is based on several factors including severity, exploitability, breadth of platforms, and available mitigations and workarounds. Since every environment is different, we do recommend that customers evaluate accordingly and apply the updates as soon as possible.
Link Removed due to 404 Error
In the video below, Adrian Stone and I give an overview of this month’s bulletin release and discuss why we have prioritized the bulletins the way we did.
Please join Adrian and me tomorrow, September 15, at 11:00 a.m. PDT (UTC -7) for a public webcast where we will go into more details about these bulletins. We will also have a room full of subject matter experts standing by to help answer all of your questions during the session. You can register here:
Link Removed - Invalid URL
We will also release two security advisories this month:
- Link Removed due to 404 Error, which describes a vulnerability affecting Outlook Web Access (OWA) that may affect Microsoft Exchange customers to gain elevation of privilege. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session.
- Link Removed due to 404 Error, is an updated Advisory enabling Outlook Express and Windows Mail to opt in to Extended Protection for Authentication.
Thanks!
Jerry Bryant
Group Manager, Response Communications
Link Removed due to 404 Error
More...
