Today we released MS13-063 which includes a defense in depth change to address an exploitation technique that could be used to bypass two important platform mitigations: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). As we’ve described in the past, these mitigations play an important role in making it more difficult and costly for attackers to exploit vulnerabilities.

Two weeks ago I, along with 7,500 of my closest friends, attended the Black Hat security conference in Las Vegas, NV. I can’t speak for everyone, but I certainly had a great – if not exhausting – time while there. While there were a lot of great talks, a personal highlight for me each year is the chance to meet and talk with the various people who attend.

You might remember that in June 2013 we released Security Advisory 2854544 announcing additional options for enterprise customers to manage their digital certificate handling configuration on the Windows platform. The particular functionality announced in Security Advisory 2854544 was first built into Windows 8, Windows Server 2012, and Windows RT and then back-ported to other operating systems.

Today we released eight security bulletins addressing 23 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Index Likely first 30 days impact Platform mitigations and key notes MS13-059(Internet Explorer) Victim browses to a malicious webpage.

Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063). There were 3 additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.

In celebration of kids heading back to school, today we’re providing advance notification for the release of 14 bulletins, four Critical and 10 Important, for September 2013. The Critical updates address issues in Internet Explorer, Outlook, SharePoint and Windows. As always, we’ve scheduled the bulletin release for the second Tuesday of the month, Sept.

MS13-068 addresses a memory corruption vulnerability accessible by simply previewing a message in the Outlook Preview Pane. As such, we’ve rated this security vulnerability as Critical and we encourage customers to deploy the security update. However, in this case, we believe this particular vulnerability will be difficult to exploit for code execution.

Helen Hunt Jackson famously wrote, “By all lovely tokens September is here, with summer’s best of weather and autumn’s best of cheer.” I share Helen’s clear adoration for this time of year. As a sports fan, there are so many “lovely tokens” to enjoy. The baseball pennant race is heating up, college and pro football are underway, and various soccer leagues (real football to the rest of the world) continue.

Today we released thirteen security bulletins addressing 47 CVE’s. Four bulletins have a maximum severity rating of Critical while the other ten have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS13-069(Internet Explorer) Victim browses to a malicious webpage.

Today we’re publishing the September 2013 Security Bulletin Webcast Questions & Answers page. The majority of questions focused on Office bulletins, especially SharePoint Server (MS13-067). We received multiple Office related questions that were very similar in nature, so the questions have been merged, as applicable, with consolidated answers provided. We were able to answer six questions on air, and those we did not have time for have been included on the Q&A page.

Today we released Security Advisory 2887505 regarding an issue that affects Internet Explorer. There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions. This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type.

Today, we released a Fix it workaround tool to address a new IE vulnerability that had been actively exploited in extremely limited, targeted attacks. This Fix it makes a minor modification to mshtml.dll when it is loaded in memory to address the vulnerability. This Fix it workaround tool is linked fromSecurity Advisory 2887505 that describes this issue.

Software Defense is a broad topic requiring a multipronged approach including: - the processes and tooling associated with secure development (that we try and encapsulate within the Microsoft SDL), - core OS countermeasures that make exploitation of a given vulnerability more difficult for an attacker, - steps to secure the hardware on which the software runs,

Introduction One of the oldest forms of memory safety exploitation is that of stack corruption vulnerabilities, with several early high-profile exploits being of this type. It seems fitting therefore to kick off this Software Defense series by looking at the status of software defense today with respect to this age-old problem.

Today we’re providing advance notification for the release of eight bulletins, four Critical and four Important, for October 2013. The Critical updates address vulnerabilities in Internet Explorer, .NET Framework and Windows. The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505.

Fall is a season traditionally associated with a harvest after planting the seeds and tending the crops. Today I’m proud to announce the names of six very smart people who have helped us make our products more secure by participating in our new bounty programs. When we launched our bounty programs in June this year, we had a few strategic goals in mind:

This month we release eight bulletins – four Critical and four Important - which address 25* unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight. For those who need to prioritize their deployment planning, we recommend focusing on MS13-080, MS13-081, and MS13-083. Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases (click for larger view).

Back in June of this year, we announced three new bounty programs that will pay researchers for techniques that bypass built-in OS mitigations and protections, for defenses that stop those bypasses and for vulnerabilities in Internet Explorer 11 Preview. This past Friday, we provided some additional details about the results of the IE11 Preview bounty program, which covered the first 30 days of the preview period.

Today we released MS13-080 which addresses nine CVEs in Internet Explorer. This bulletin fixes multiple security issues, including two critical vulnerabilities that haven been actively exploited in limited targeted attacks, which we will discuss in details in this blog entry. CVE-2013-3893: the final patch after Fix it workaround Previously, Microsoft released Security Advisory 2887505 and made available the Fix it workaround 51001 to provide earlier protection to all customers for an actively exploited security issue that was reported to us.

Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. A security vulnerability researcher with Context Information Security, James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we’re thrilled to give him even more money for helping us improve our platform-wide security by leaps.

Today we released eight security bulletins addressing 25 CVE’s. Four bulletins have a maximum severity rating of Critical while the other four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS13-080(Internet Explorer) Victim browses to a malicious webpage.

Today we’re publishing the October 2013 Security Bulletin Webcast Questions & Answers page. We fielded 11 questions during the webcast, with specific bulletin questions focusing primarily on the SharePoint (MS13-084) and Kernel-Mode Drivers (MS13-081) bulletins. There was one additional question that we were unable to answer on air, and we have included a response to that question on the Q&A page.

On October 1, 2003, Microsoft announced it would move to a monthly security bulletin cadence. Today, marks 10 years since that first monthly security update. We looked at many ways to improve our security preparedness and patch timing was the number one customer request. Your feedback was clear and we delivered a predictable schedule.

By way of introduction, I am Chris Betz, the leader of the Microsoft Security Response Center (MSRC). I’m stepping in to fill the shoes of Mike Reavey, who has moved on to become the General Manager of Secure Operations, still within Trustworthy Computing. Since joining the MSRC, I’ve spent time immersed in learning the business, meeting our global team of security research and response professionals and many of the other teams we frequently interact with here at Microsoft.

Heap corruption vulnerabilities are the most common type of vulnerability that Microsoft addresses through security updates today. These vulnerabilities typically occur as a result of programming mistakes that make it possible to write beyond the bounds of a heap buffer (a spatial issue) or to place a heap allocated object in an unexpected state such as by using the object after it has been freed (a temporal issue).

Those who know me personally or follow me on Twitter are familiar with my obsession with karaoke. I do it as often as I can rope people into going with me, never forcing anyone to sing, though invariably everyone does – or at least sings from the sidelines to the songs they know.

Today we released Security Advisory 2896666 regarding an issue that affects customers using Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. We are aware of targeted attacks, largely in the Middle East and South Asia. The current versions of Microsoft Windows and Office are not affected by this issue.

Recently we become aware of a vulnerability of a Microsoft graphics component that is actively exploited in targeted attacks using crafted Word documents sent by email. Today we are releasing Security Advisory 2896666 which includes a proactive Fix it workaround for blocking this attack while we are working on the final update.

Object lifetime management vulnerabilities represent a very common class of memory safety vulnerability. These vulnerabilities come in many shapes and sizes, and are typically quite difficult to mitigate generically. Vulnerabilities of this type result commonly from incorrect accounting with respect to reference counts describing active users of an object, or improper handling of certain object states or error conditions.