Krebs On Security
Adobe, Microsoft and Oracle today each issued security updates to fix serious vulnerabilities in their products. Adobe released patches for AIR, Acrobat, Flash and Reader, while Microsoft pushed out fixes to shore up at least a half dozen security weaknesses in Windows and Office. Oracle released an update for Java that fixes at least three dozen security holes in the widely-used program.
On Tuesday, January 14, 2014, Microsoft is planning to release four bulletins.
All bulletins this month are rated Important in severity and address vulnerabilities in Microsoft Windows, Office, and Dynamics AX. The update provided in MS14-002 fully addresses the issue first described in Security Advisory 2914486. We have only seen this issue used in conjunction with a PDF exploit in targeted attacks and not on its own. This only impacts customers using Windows XP or Server 2003, as more recent Windows versions are not affected.
As always, we’ve scheduled the security bulletin release for the second Tuesday of the month, January 14, 2014, at approximately 10:00 a.m. PST.
Avoiding Vulnerable Passwords—and Rules, Too
The free online research tool, launched Dec. 5, is called Telepathwords. Users can visit the project website and test the strength of their passwords—current ones, past ones, or ones they’re considering using.
“The system doesn’t ask the user to learn anything up-front or follow any specific rules,” Schechter says. “Rather, as you type each key of your intended password, it displays the characters it thinks you’re most likely to type next. If it succeeds in predicting one or more characters of the rest of your password, the evidence that these characters are predictable will be right in front of your eyes.”
Read the complete article: http://research.microsoft.com/en-us/news/features/telepathwords-120513.aspx
On Tuesday, December 10, 2013, Microsoft is planning to release 11 bulletins, five Critical and six Important.
The Critical updates address vulnerabilities in Internet Explorer, Windows, Microsoft Exchange and GDI+. The Critical update for GDI+ fully addresses the publicly disclosed issue described in Security Advisory 2896666.
This release won’t include an update for the issue described in Security Advisory 2914486. We’re still working to develop a security update and we’ll release it when ready. Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.
Microsoft Research Connections Team
Kinect Sign Language Translator – part 1
There are more than 20 million people in China who are hard of hearing, and an estimated 360 million such people around the world, so this project has immense potential to generate positive social impact worldwide.
Kinect Sign Language Translator – part 2
This is an advance notification of security bulletins that Microsoft is intending to release on November 12, 2013.
This bulletin advance notification will be replaced with the November bulletin summary on November 12, 2013. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.
November Bulletins: Three Critical, Five Important.
Security Bulletin Severity Rating System
Clarification on Security Advisory 2896666 and the ANS for the November 2013 Security Bulletin Release
Dustin C. Childs
Internet Explorer 11 (IE11) is available worldwide in 95 languages for download today. We will begin automatically updating Windows 7 customers to IE11 in the weeks ahead, starting today with customers running the IE11 Developer and Release Previews. With this final release, IE11 brings the same leading standards support, with the improved performance, security, privacy, and reliability that consumers enjoy on Windows 8.1, to Windows 7 customers.
Security Advisory 2896666
We are aware of targeted attacks, largely in the Middle East and South Asia. The current versions of Microsoft Windows and Office are not affected by this issue. The exploit requires user interaction, as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment. If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged-on user.
While we are actively working to develop a security update to address this issue, we encourage customers concerned with the risk associated with this vulnerability to deploy the following Fix it and mitigation from the advisory:
- Apply the Microsoft Fix it solution “Disable the TIFF Codec”, which prevents exploitation of the issue
See Microsoft Knowledge Base Article 2896666 to use the automated Microsoft Fix it solution to enable this workaround.
- Deploy the Enhanced Mitigation Experience Toolkit (EMET)
This will help prevent exploitation by providing mitigations to protect against the issue and should not affect usability of any programs. An easy guide for EMET installation and configuration is available in KB2458544.
As a best practice, we always encourage customers to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. We also encourage customers to exercise caution when visiting websites and avoid clicking suspicious links or opening email messages from unfamiliar senders. Additional information can be found at www.microsoft.com/protect.
We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect customers.
Tags: Vulnerability-Windows-Microsoft Office products
Microsoft Security Advisory (2896666)
Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
Published: Tuesday, November 05, 2013
Microsoft is investigating private reports of a vulnerability in the Microsoft Graphics component that affects Microsoft Windows, Microsoft Office, and Microsoft Lync. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Microsoft Office products.
The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Microsoft released eight bulletins – four Critical and four Important – which address 26 unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight. For those who need to prioritize their deployment planning, Microsoft recommends focusing on MS13-080, MS13-081, and MS13-083.
MS13-080 — Cumulative Security Update for Internet Explorer (2879017)
MS13-081 — Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)
MS13-082 — Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)
MS13-083 — Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058)
MS13-084 — Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089)
MS13-085 — Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)
MS13-086 — Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)
MS13-087 — Vulnerability in Silverlight Could Allow Information Disclosure (2890788)