MSRC Blog: Today we are providing advance notification to customers that we will be releasing two bulletins this month affecting Windows and Microsoft Office products. Both bulletins are rated Important and address a total of 8 vulnerabilities.
We recommend that customers review the Advance Notification webpage and prepare to deploy these bulletins as soon as possible. To provide additional guidance for deployment prioritization, customers should note that both bulletins will address issues that would require a user to open a specially crafted file. There are no network based attack vectors.
We’re also continuing to monitor the situation with Security Advisory 981169, the VBScript issue disclosed on Monday. There are no known attacks but we encourage customers to review the advisory and apply the suggested workarounds where possible. Customers that are running Windows 7, Windows Server 2008, Windows Server 2008 R2, and Windows Vista are not affected.
As always, we will be hosting a public webcast where we will go into details about the bulletins for March and where customers can ask questions. We will have a room full of engineers on hand to answer those questions live during the webcast. Here are the details:
MSRC blog:
In our continuing investigation into the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating. Please review our blog post from yesterday for additional information.
One of the key components when investigating issues like this is obtaining memory dumps from computers experiencing the problem. In order to get the information we need to fully analyze the issue, some of our support engineers have actually driven to customer locations and picked up affected systems so we can get the needed crash data directly and help inform our investigation. For more information about memory dumps, please see: http://support.microsoft.com/kb/254649.
We encourage customers to follow our “Protect Your PC” best practices and always have up to date anti-virus software running on their systems to help prevent malware infections. For customers who do not have anti-virus software, you can either scan your system using our online tool at http://safety.live.com or you can install Microsoft Security Essentials for free.
This can be a difficult issue to solve once a computer is in an un-bootable state so we encourage customers who feel they have been impacted by this to contact our Customer Service and Support group by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.
MSRC Blog:
I am writing to let you know that we are aware that after installing the February security updates a limited number of users are experiencing issues restarting their computers. Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165). However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. Our teams are working to resolve this as quickly as possible. We also stopped offering this update through Windows Update as soon as we discovered the restart issues. However, those using enterprise deployment systems such as SMS or WSUS will still see and be able to deploy these packages.
As you may recall from previous blog posts, MS10-015 is an Elevation of Privilege that would require the attacker to have valid credentials in order to be able to leverage the vulnerability in an attack. Several other updates in this release were identified as having a high priority for deployment and we continue to encourage customers to thoroughly test the updates and deploy them immediately. At this time, we are not aware of any issues with the other updates that were released this month and we continue to encourage customers to install them as soon as possible in order to help ensure that they are protected from the vulnerabilities they address.
While we work to address this issue, customers who choose not to install the update can implement the workaround outlined in the bulletin. CVE-2010-0232 was publicly disclosed and we previously issued Security Advisory 979682 in response. Customers can disable the NTVDM subsystem as a workaround and we have provided an automated method of doing that with a Microsoft Fix It that you can find here: http://support.microsoft.com/kb/979682.
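An added example, not Microsoft's Fix It and not from the MSRC post, that reports where a machine stands on MS10-015: whether KB977165 is installed and, if not, whether the "disable NTVDM" workaround from Advisory 979682 is in place. It assumes the workaround is represented by the Group Policy setting "Prevent access to 16-bit applications", stored as the VDMDisallowed DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat; 64-bit Windows does not ship NTVDM, so the workaround does not apply there.

```powershell
# Added example: status check for MS10-015 (KB977165) and the NTVDM workaround.
# Assumption: "Prevent access to 16-bit applications" is stored as
# HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\VDMDisallowed = 1.
$KbId       = 'KB977165'
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$NtvdmExe   = Join-Path $env:SystemRoot 'System32\ntvdm.exe'

function Test-Ms10015Installed {
    # Win32_QuickFixEngineering (Get-HotFix) lists installed updates by KB number.
    $hotfix = Get-HotFix | Where-Object { $_.HotFixID -eq $KbId }
    return ($hotfix -ne $null)
}

function Test-NtvdmPresent {
    # ntvdm.exe only exists on 32-bit Windows; absent on x64 (including under WoW64 redirection).
    return (Test-Path -Path $NtvdmExe)
}

function Test-NtvdmDisabled {
    # The workaround is in effect when the policy DWORD is set to 1.
    $props = Get-ItemProperty -Path $PolicyPath -Name VDMDisallowed -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $false }
    return ($props.VDMDisallowed -eq 1)
}

function Get-Ms10015Status {
    $installed = Test-Ms10015Installed
    $hasNtvdm  = Test-NtvdmPresent
    $disabled  = Test-NtvdmDisabled

    if ($installed) {
        $state = 'patched (KB977165 installed)'
    } elseif (-not $hasNtvdm) {
        $state = 'not patched; NTVDM not present on this platform, workaround not applicable'
    } elseif ($disabled) {
        $state = 'not patched; workaround applied (NTVDM disabled by policy)'
    } else {
        $state = 'EXPOSED: neither KB977165 nor the NTVDM workaround is present'
    }

    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        KB977165     = $installed
        NtvdmPresent = $hasNtvdm
        NtvdmOff     = $disabled
        State        = $state
    }
}

Get-Ms10015Status | Format-List Computer, KB977165, NtvdmPresent, NtvdmOff, State
```

Run it from an elevated prompt on each machine that was held back from the update; machines receiving MS10-015 through WSUS or SMS should report as patched.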
Customers who are experiencing issues after installing any of our security updates can get help resolving the issues by either going to https://consumersecuritysupport.microsoft.com or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.
Today Microsoft released 13 bulletins addressing 26 vulnerabilities. 11 bulletins affect Windows and 2 affect older versions of Microsoft Office.
For each bulletin: ID, Bulletin Title and Executive Summary, Maximum Severity Rating and Vulnerability Impact, Restart Requirement, and Affected Software (severity, restart and affected-software entries that were shared across several rows of the original table are shown only where they appeared).
MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
- Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a malicious SMB server.
- Maximum Severity Rating and Vulnerability Impact: Critical, Remote Code Execution
- Restart Requirement: Requires restart
- Affected Software: Microsoft Windows
MS10-007: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
- Summary: This security update resolves a privately reported vulnerability in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not impacted by this security update. The vulnerability could allow remote code execution if an application, such as a Web browser, passes specially crafted data to the ShellExecute API function through the Windows Shell Handler.
MS10-008: Cumulative Security Update of ActiveX Kill Bits (978262)
- Summary: This security update addresses a privately reported vulnerability for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000 and Windows XP, Important for all supported editions of Windows Vista and Windows 7, Moderate for all supported editions of Windows Server 2003, and Low for all supported editions of Windows Server 2008 and Windows Server 2008 R2. The vulnerability could allow remote code execution if a user views a specially crafted Web page that instantiates an ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.
- Restart Requirement: May require restart
MS10-009: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (974145)
- Summary: This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if specially crafted packets are sent to a computer with IPv6 enabled. An attacker could try to exploit the vulnerability by creating specially crafted ICMPv6 packets and sending the packets to a system with IPv6 enabled. This vulnerability may only be exploited if the attacker is on-link.
MS10-013: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (977935)
- Summary: This security update resolves a privately reported vulnerability in Microsoft DirectShow. The vulnerability could allow remote code execution if a user opened a specially crafted AVI file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS10-003: Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)
- Summary: This security update resolves a privately reported vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- Maximum Severity Rating and Vulnerability Impact: Important, Remote Code Execution
- Affected Software: Microsoft Office
MS10-004: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416)
- Summary: This security update resolves six privately reported vulnerabilities in Microsoft Office PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS10-010: Vulnerability in Windows Server 2008 Hyper-V Could Allow Denial of Service (977894)
- Summary: This security update resolves a privately reported vulnerability in Windows Server 2008 Hyper-V and Windows Server 2008 R2 Hyper-V. The vulnerability could allow denial of service if a malformed sequence of machine instructions is run by an authenticated user in one of the guest virtual machines hosted by the Hyper-V server. An attacker must have valid logon credentials and be able to log on locally into a guest virtual machine to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
- Maximum Severity Rating and Vulnerability Impact: Important, Denial of Service
MS10-011: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (978037)
- Summary: This security update resolves a privately reported vulnerability in Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000, Windows XP, and Windows Server 2003. Other versions of Windows are not affected. The vulnerability could allow elevation of privilege if an attacker logs on to the system and starts a specially crafted application designed to continue running after the attacker logs out. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
- Maximum Severity Rating and Vulnerability Impact: Important, Elevation of Privilege
MS10-012: Vulnerabilities in SMB Server Could Allow Remote Code Execution (971468)
- Summary: This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.
MS10-014: Vulnerability in Kerberos Could Allow Denial of Service (977290)
- Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow a denial of service if a specially crafted ticket renewal request is sent to the Windows Kerberos domain from an authenticated user on a trusted non-Windows Kerberos realm. The denial of service could persist until the domain controller is restarted.
MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)
- Summary: This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application. To exploit either vulnerability, an attacker must have valid logon credentials and be able to log on locally. The vulnerabilities could not be exploited remotely or by anonymous users.
MS10-005: Vulnerability in Microsoft Paint Could Allow Remote Code Execution (978706)
- Summary: This security update resolves a privately reported vulnerability in Microsoft Paint. The vulnerability could allow remote code execution if a user viewed a specially crafted JPEG image file using Microsoft Paint. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- Maximum Severity Rating and Vulnerability Impact: Moderate, Remote Code Execution
Bulletin 1
- Affected Software:
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation affected)
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems (Windows Server 2008 R2 Server Core installation affected)
- Windows Server 2008 R2 for Itanium-based Systems
- Impact: Remote Code Execution
Bulletin 2
Bulletin 3
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Windows Server 2008 Server Core installation not affected)
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Windows Server 2008 Server Core installation not affected)
- Windows Server 2008 R2 for x64-based Systems (Windows Server 2008 R2 Server Core installation not affected)
Bulletin 4
Bulletin 6
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
Important Security Bulletins:
Bulletin 7
- Microsoft Office XP Service Pack 3
- Microsoft Office 2004 for Mac
Bulletin 8
- Microsoft Office PowerPoint 2002 Service Pack 3
- Microsoft Office PowerPoint 2003 Service Pack 3
Bulletin 9
- Windows Server 2008 R2 for x64-based Systems (Windows Server 2008 R2 Server Core installation affected)
- Impact: Denial of Service
Bulletin 10
- Impact: Elevation of Privilege
Bulletin 5
Bulletin 11
- Microsoft Windows 2000 Server Service Pack 4
Bulletin 12
Moderate Security Bulletins:
Bulletin 13
Other Information:
Microsoft Windows Malicious Software Removal Tool:
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.
Open security advisories
A summary of the three open Security Advisories so customers know what to expect on Tuesday:
· Advisory 980088, Vulnerability in Internet Explorer Could Allow Information Disclosure: this advisory was released yesterday (Feb 3). We do not have an update for this issue planned for the normal February bulletin release. However, this vulnerability only affects versions of Windows older than Vista in their default configuration, and there is a “Fix It” available so customers in non-default configurations can protect themselves.
· Advisory 979682, Vulnerability in Windows Kernel Could Allow Elevation of Privilege: we are on track to release an update for this issue next Tuesday.
· Advisory 977544, Vulnerability in SMB Could Allow Denial of Service: we are still working on an update for this issue so it will not be addressed in the February bulletins. As a reminder, this issue cannot be used to allow an attacker to take control of a system remotely, but instead results in a system becoming unresponsive due to resource consumption.
We are not aware of any attacks on these vulnerabilities and continue to encourage customers to implement the mitigations and workarounds outlined in the advisories.
Windows versions end of support:
Important information about Windows versions that are reaching the end of their product lifecycle. Customers using these versions should consider upgrading before support for these products ends, as once it does we will no longer provide security updates:
Not on Windows Update yet…
It is on Windows Update now
Security Bulletin: http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx
KB978207
Client
Cumulative Security Update for Internet Explorer 8 in Windows 7 (KB978207)
Cumulative Security Update for Internet Explorer 8 in Windows 7 x64 Edition (KB978207)
Cumulative Security Update for Internet Explorer 8 in Windows Vista (KB978207)
Cumulative Security Update for Internet Explorer 7 in Windows Vista (KB978207)
Cumulative Security Update for Internet Explorer 7 in Windows Vista x64 Edition (KB978207)
Cumulative Security Update for Internet Explorer 8 in Windows Vista x64 Edition (KB978207)
Cumulative Security Update for Internet Explorer 8 for Windows XP (KB978207)
Cumulative Security Update for Internet Explorer 7 for Windows XP (KB978207)
Cumulative Security Update for Internet Explorer 6 for Windows XP (KB978207)
Cumulative Security Update for Internet Explorer 8 for Windows XP x64 Edition (KB978207)
Cumulative Security Update for Internet Explorer 6 for Windows XP x64 Edition (KB978207)
Update for Internet Explorer 6 SP1 (KB978207) Windows 2000
Cumulative Security Update for Internet Explorer 5.01 Service Pack 4 (KB978207) Windows 2000
Server
Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 (KB978207)
Cumulative Security Update for Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems (KB978207)
Cumulative Security Update for Internet Explorer 8 in Windows Server 2008 R2 x64 Edition (KB978207)
Cumulative Security Update for Internet Explorer 8 in Windows Server 2008 x64 Edition (KB978207)
Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 64-bit Itanium Edition (KB978207)
Cumulative Security Update for Internet Explorer 8 for Windows Server 2003 (KB978207)
Cumulative Security Update for Internet Explorer 7 for Windows XP x64 Edition (KB978207)
Cumulative Security Update for Internet Explorer 7 in Windows Server 2008 x64 Edition (KB978207)
Cumulative Security Update for Internet Explorer 8 for Windows Server 2003 x64 Edition (KB978207)
Cumulative Security Update for Internet Explorer 7 in Windows Server 2008 (KB978207)
Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 x64 Edition (KB978207)
Cumulative Security Update for Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems (KB978207)
Cumulative Security Update for Internet Explorer 8 in Windows Server 2008 (KB978207)
Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB978207)
Cumulative Security Update for Internet Explorer for Windows Server 2003 64-bit Itanium Edition (KB978207)
Cumulative Security Update for Internet Explorer for Windows Server 2003 x64 Edition (KB978207)
Microsoft Security Bulletin Advance Notification issued: January 20, 2010
Microsoft Security Bulletins to be issued: January 21, 2010
This is an advance notification of one out-of-band security bulletin that Microsoft is intending to release on January 21, 2010. The bulletin will be for Internet Explorer to address limited attacks against customers of Internet Explorer 6, as well as fixes for vulnerabilities rated Critical that are not currently under active attack.
This bulletin advance notification will be replaced with the January bulletin summary on January 21, 2010. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.
Microsoft will host a webcast to address customer questions on the out-of-band bulletin on January 21, 2010, at 1:00 PM Pacific Time (US & Canada). Register now for the January 21, 1:00 PM Webcast. Afterwards, the Webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcast.
Full Story At Source
We wanted to provide you some insight into the vulnerability reported in Microsoft Security Advisory 979352, which is related to our ongoing investigation into the recently publicized attacks against Google and other large corporate networks. We understand that there is a lot of noise about this topic right now and we know that our customers are receiving a lot of information about this situation from a variety of sources, so we want to provide some additional insight.
First, we will provide an update on the threat landscape – there has been a lot of speculation, so we’ll share detailed information on what Microsoft is seeing in terms of attacks across all of our monitoring systems. Second, we’ll highlight what customers should do to protect themselves. Finally, I will provide an update on the continuing work at Microsoft to respond to this situation and help protect our customers.
In terms of the threat landscape, we are only seeing a very limited number of targeted attacks against a small subset of corporations. The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6. Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time. This is likely due to improved security protections provided by newer versions of Internet Explorer and Windows as described in our recent Security Research and Defense Blog. In summary, we are not seeing any widespread attacks by any means, and thus far we are not seeing attacks focused on consumers.
That said, we remain vigilant about this threat evolving and want to be sure our customers take appropriate action to protect themselves. That is why we continue to recommend that customers using IE6 or IE7 upgrade to IE8 as soon as possible to benefit from the improved security protections it offers. Customers who are using Windows XP SP2 should be sure to upgrade to both IE8 and enable Data Execution Protection (DEP), or upgrade to Windows XP SP3 which enables DEP by default, as soon as possible. Additionally customers should consider implementing the workarounds and mitigations provided in the ...
Continue At Source
MSRC blog: Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks. Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer. Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.
Microsoft remains committed to taking the appropriate action to help protect our customers. We released Security Advisory 979352 to provide customers with actionable guidance and tools to help with protections against exploit of this vulnerability. Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band.
It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture. In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.
Customers can also set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. You can find details on implementing these settings in the advisory.
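An added audit script, not from the advisory or the MSRC post, that reports whether the Internet and Local intranet zones are in the state the post recommends. It assumes the per-user zone settings live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<id> (1 = Local intranet, 3 = Internet), that value 1200 is "Run ActiveX controls and plug-ins" and 1400 is "Active scripting" with data 0 = Enable, 1 = Prompt, 3 = Disable, and that CurrentLevel 0x12000 is the "High" template.

```powershell
# Added example: audit IE security zone settings recommended in Advisory 979352.
# Assumptions (see lead-in): zone ids 1 and 3, value names 1200 and 1400,
# data 0/1/3 = Enable/Prompt/Disable, CurrentLevel 0x12000 = High.
$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Settings  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$Labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$HighLevel = 0x12000

function Get-ZoneSetting {
    # Reads one value from a zone key; $null when the key or value is absent.
    param([int]$ZoneId, [string]$ValueName)
    $key   = Join-Path $ZoneRoot $ZoneId
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return $props.$ValueName
}

function Test-ZoneHardened {
    # Emits one object per (zone, setting); Mitigated is true when the zone
    # template is High or the individual setting is Prompt or Disable.
    foreach ($zoneId in ($Zones.Keys | Sort-Object)) {
        $level = Get-ZoneSetting -ZoneId $zoneId -ValueName 'CurrentLevel'
        $isHigh = ($level -eq $HighLevel)
        foreach ($name in ($Settings.Keys | Sort-Object)) {
            $data = Get-ZoneSetting -ZoneId $zoneId -ValueName $name
            if ($data -eq $null) {
                $label = 'not set (template default)'
            } elseif ($Labels.ContainsKey([int]$data)) {
                $label = $Labels[[int]$data]
            } else {
                $label = "unknown ($data)"
            }
            New-Object PSObject -Property @{
                Zone      = $Zones[$zoneId]
                Setting   = $Settings[$name]
                Value     = $label
                ZoneHigh  = $isHigh
                Mitigated = ($isHigh -or ($data -eq 1) -or ($data -eq 3))
            }
        }
    }
}

Test-ZoneHardened | Format-Table Zone, Setting, Value, ZoneHigh, Mitigated -AutoSize
```

Settings enforced through Group Policy are stored under the Policies hives rather than the per-user key checked here, so on a domain-joined machine also confirm the applied policy before concluding a zone is not hardened.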
Impact: Remote Code Execution
Affected Software:
Patch will be released next Tuesday
MSRC Blog: We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.
What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.
The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.
However, customers who are using IIS 6.0 in the default configuration or following our recommended best practices don’t need to worry about this issue. If, however, you are running IIS in a configuration that allows both “write” and “execute” privileges on the same directory like this scenario requires, you should review our best practices and make changes to better secure your system from the threats that configuration can enable. Once again, here’s a list of best practices resources:
· IIS 6.0 Security Best Practices
· Securing Sites with Web Site Permissions
· IIS 6.0 Operations Guide
· Improving Web Application Security: Threats and Countermeasures
The IIS folks are evaluating a change to bring the behavior of IIS 6.0 in line with the other versions. In the meantime, they’ve put more information up about this on their weblog.
The Microsoft Security Response Center (MSRC) Results of Investigation into Holiday IIS Claim
Forefront TMG 2010 TechNet documentation is now live with Forefront TMG Release to Web content. This release of the documentation culminates a customer- and solutions-focused effort undertaken by the Forefront TMG User Assistance team since the release of ISA Server 2006, resulting in a new content structure, new content, and the streamlining of previously-available content.
The new content structure focuses on Forefront TMG’s core value to your business: protecting IT environments from Internet-based threats, while providing both internal and remote users fast and secure access to the Internet and to internal applications and data. The Planning and Design, Deployment, and Operations guides are synched to guide the Forefront TMG administrator through system deployment in various topologies, enabling access through Forefront TMG, and setting up the protection of organizational resources from Internet-based threats.
More information at source
Fraunhofer SIT has presented a method for discovering the BitLocker drive encryption PIN under Windows. The method even works where TPM is used to protect the boot process. The trick? An attacker with access to the target computer simply boots from a USB flash drive and replaces the BitLocker bootloader with a substitute bootloader which mimics the BitLocker PIN query process but saves the PINs entered by the user to disk in unencrypted form.
Although the BitLocker boot process carries out an integrity check on the system, and thereby the Windows installation, it does not check the bootloader itself, and the actual attack described never even gets as far as the Windows boot process. Consequently, according to the Fraunhofer SIT report, even if a Trusted Platform Module (TPM) is fitted, it fails to protect against such an attack.
Once the substitute bootloader has saved the victim's PIN to the hard drive, it rewrites the original bootloader to the MBR and restarts the system. The victim may indeed wonder why their computer is restarting, but then we've all seen computers suddenly decide to abort a boot and restart.
To get hold of the saved PIN, the attacker needs to gain access to the target computer for a second time, to once more boot up from a USB flash drive and then access the hard drive. The computer can then be rebooted and the PIN thus obtained used to open up BitLocker, allowing access to the protected Windows system.
Continue reading: Attack on Windows BitLocker (The H Security News and Features)
Download the report: Attacking the BitLocker Boot Process
Video Demo
Advance Notification for the December 2009 Security Bulletin Release
For December we are planning to release six new security bulletins addressing 12 vulnerabilities in Windows, Internet Explorer (IE) and Microsoft Office products. Three of the bulletins have a maximum severity rating of Critical and three have a maximum severity rating of Important. To help customers plan for their deployment of these updates, I want to specifically call out that they touch all supported versions of Windows and IE. On the Office side, the bulletins impact Project, Word and Works 8.5. All of the updates for Windows will require a restart so please plan accordingly.
We want to make customers aware that we will be addressing the vulnerability discussed in Security Advisory 977981 in the IE bulletin on Tuesday. We know that customers are concerned about this issue and we are also aware that Proof of Concept (PoC) code is available publicly.
Here is a preview of the guidance we will be releasing with the bulletins on Tuesday: The IE update maps to bulletin number 4 in the ANS and will be at the top of our deployment priority list. The other critical update affecting Windows (bulletin number 1) will have a lower Exploitability Index rating, so while the impact is higher with a critical severity rating, the lower risk will drop the deployment priority down a little. The final critical update affecting Microsoft Project (bulletin number 3) is only critical for Project 2000. The other affected versions are important. That coupled with a lower Exploitability Index will also drive it down on the deployment priority list. Customers have asked us to map the numbered bulletins in the ANS to the final bulletin IDs after release so we will be doing that in the blog post here on Tuesday.
We are targeting the release of these bulletins for next Tuesday Dec. 8 at 10:00 a.m. PST (UTC -8). We will post more guidance at that time both here on the MSRC blog and on the Security Research & Defense (SRD) blog. Our guidance will include risk and impact information, our deployment priority list and deeper technical information on the bulletins from the SRD team. Until then, please review the ANS page here.
MSRC blog: We’ve received questions about public reports that customers might be experiencing system issues with the November Security Updates (which some are referring to as “Black Screen” issues). We’ve investigated these reports and found that our November Security Updates are not making changes to the system that these reports say are responsible for these issues.
While these reports weren’t brought to us directly, from our research into them, it appears they’re saying that our security updates are making permission changes in the registry to the value for the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell key.
We’ve conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don’t believe the updates are related to the “black screen” behavior described in these reports.
We’ve also checked with our worldwide Customer Service and Support organization, and they’ve told us they’re not seeing “black screen” behavior as a broad customer issue. Because these reports were not brought to us directly, it’s impossible to know conclusively what might be causing a “black screen” in those limited instances where customers have seen it. However, we do know that “black screen” behavior is associated with some malware families such as Daonol.
This underscores the importance of our guidance to customers to contact our Customer Service and Support group any time they think they’re affected by malware or are experiencing issues with security updates. This enables us to determine what might be happening and take steps to help customers by documenting new malware families in our MMPC malware encyclopedia or documenting known issues in our security bulletins and the supporting Knowledge Base articles.
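An added triage script, not from the MSRC post, for a machine showing the “black screen” symptom: it reads the Winlogon\Shell value the reports blamed, checks for a per-user override, and lists who holds write access on the key. It assumes the expected machine-wide Shell value is explorer.exe (the Windows default), that no HKCU override is present on a healthy system, and that only SYSTEM, Administrators and TrustedInstaller should be able to write the key.

```powershell
# Added example: inspect the Winlogon\Shell value and the ACL on its key.
# Assumptions: expected Shell is "explorer.exe"; writers in $TrustedWriters are
# legitimate; any other principal with SetValue rights is worth a closer look.
$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UserKey        = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedShell  = 'explorer.exe'
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Get-ShellValue {
    # Returns the Shell value of a Winlogon key, or $null if the key/value is absent.
    param([string]$Key)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return $props.Shell
}

function Get-SuspiciousWriters {
    # Allow ACEs that include SetValue (or FullControl, which contains it) for
    # principals outside $TrustedWriters. Generic rights bits are not decoded.
    param([string]$Key)
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    $acl = Get-Acl -Path $Key
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.RegistryRights -band $setValue)) -ne 0 -and
        ($TrustedWriters -notcontains $_.IdentityReference.Value)
    }
}

function Test-WinlogonShell {
    $machineShell = Get-ShellValue -Key $WinlogonKey
    $userShell    = Get-ShellValue -Key $UserKey
    $writers      = @(Get-SuspiciousWriters -Key $WinlogonKey)
    $findings     = @()

    if ($machineShell -ne $ExpectedShell) {
        $findings += "HKLM Shell is '$machineShell' (expected '$ExpectedShell')"
    }
    if ($userShell -ne $null) {
        # A per-user Shell silently replaces explorer.exe for that account only.
        $findings += "HKCU Shell override present: '$userShell'"
    }
    foreach ($ace in $writers) {
        $findings += "write access on Winlogon key granted to $($ace.IdentityReference) ($($ace.RegistryRights))"
    }

    New-Object PSObject -Property @{
        MachineShell = $machineShell
        UserShell    = $userShell
        Findings     = $findings
        Clean        = ($findings.Count -eq 0)
    }
}

Test-WinlogonShell | Format-List MachineShell, UserShell, Clean, Findings
```

A non-default Shell value or an unexpected writer does not by itself identify the cause; it tells the support engineer where to look next and is the kind of detail worth including when reporting the issue.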