Microsoft Security Response Center Blog

Assessing the risk of the October security updates

Tuesday, October 12, 2010

Today we released sixteen security bulletins. Four have a maximum severity rating of Critical, ten have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin | Most likely attack vector | Max Bulletin Severity | Max exploitability | Likely first 30 days impact | Platform mitigations and key notes
MS10-071 (IE) | Victim browses to a malicious webpage.

MS10-086: Disk Clustering Vulnerability

Tuesday, October 12, 2010

This morning we released security bulletin MS10-086 to address a vulnerability in Windows failover disk clustering. Exposure to this vulnerability will only occur if Failover Clustering is installed. Failover Clustering is supported on Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Hyper-V, and Windows Server 2008 R2 Storage Server editions.

Note on Bulletin Severity for MS10-081 and MS10-074

Tuesday, October 12, 2010

Today we released MS10-081 (Important severity) and MS10-074 (Moderate severity), each providing an update for a single vulnerability. In this blog post we are going to cover some additional details on the severity of these vulnerabilities that may factor into how you prioritize the deployment of this month’s updates. Neither of the two vulnerabilities covered by MS10-081 and MS10-074 has attack vectors through Microsoft software.

October 2010 Security Bulletin Release

Monday, October 11, 2010

Hello - Today, as part of our regular monthly security bulletin release process, we are releasing 16 comprehensive updates addressing 49 vulnerabilities affecting Windows, Internet Explorer (IE), Microsoft Office, and the .NET Framework. This release represents our commitment to provide predictable, high-quality updates as part of the service our customers get when they buy Microsoft products.

The Rapidly Evolving Exploitation Playground

Thursday, October 07, 2010

Hey there, Vincenzo and Fermin here! Next week we will be giving two talks at BlueHat. Vincenzo will be talking with Tim Kornau, Ralf Philipp Weinmann, and Thomas Dullien, about return-oriented programming and how to automate the creation of ROP payloads. Also, Fermin and Andrew Roths will be talking about EMET and how it can prevent the successful exploitation of vulnerabilities.

Microsoft Releases MS10-070 to all distribution channels

Thursday, September 30, 2010

Hi everyone - Today we released out-of-band Security Update MS10-070 through the remainder of our standard distribution channels, including Windows Update and Windows Server Update Services. We have completed our testing of these channels and confirmed the update can be successfully downloaded. Customers are strongly encouraged to download the Security Update, test it in their environments and deploy it as quickly as possible.

Q&A from the September 2010 Out-of-Band Security Release webcast

Thursday, September 30, 2010

Hello, Below you will find the webcast we conducted earlier this week as part of the MS10-070 Security Update which was released Out-of-Band. We have also published the questions and answers from that webcast and linked them here. The response for this webcast was amazing; however, due to time constraints, we were unable to answer all of the questions that were asked during the live webcast.

MS10-070 Released Out-of-Band Today

Tuesday, September 28, 2010

Hello, As we announced yesterday, today we released Security Bulletin MS10-070 out-of-band to address a vulnerability in ASP.NET. The bulletin and the blog by Scott Guthrie, corporate vice president of Microsoft’s .NET Developer Platform, are available for more information. This security update addresses a vulnerability affecting all versions of the .

Out of Band Release to Address Microsoft Security Advisory 2416728

Sunday, September 26, 2010

Hello - Today we provided advance notification to customers that we will release an out-of-band security update to address the vulnerability discussed in Security Advisory 2416728. The update is scheduled for release tomorrow, Tuesday, September 28, 2010 at approximately 10:00 AM PDT. The bulletin has a severity rating of Important and addresses a publicly disclosed vulnerability in ASP.