DougForce.Name

Hosts: Steve Gibson with Leo Laporte

Google's privacy policy changes, Region's lost 401k data, pcAnywhere source stolen years ago, your questions, and more.

Download or subscribe to this show at twit.tv/sn.

We invite you to read, add to, and amend our show notes.

For 16kpbs versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Audio bandwidth is provided by Winamp, subscribe to TWiT and all your favorite podcasts with the ultimate media player, download it for free at Winamp.com.

Running time: 1:37:05

Hosts: Steve Gibson with Leo Laporte

Forcing laptop decryption, GPS tracking now requires a warrant, DNS poisoning, and more.

Download or subscribe to this show at twit.tv/sn.

We invite you to read, add to, and amend our show notes.

For 16kpbs versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Audio bandwidth is provided by Winamp, subscribe to TWiT and all your favorite podcasts with the ultimate media player, download it for free at Winamp.com.

Running time: 1:20:53

Hosts: Steve Gibson with Leo Laporte

Zappos customer data breach, Slow Motion DDoS, your questions, and more.

Download or subscribe to this show at twit.tv/sn.

We invite you to read, add to, and amend our show notes.

For 16kpbs versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Audio bandwidth is provided by Winamp, subscribe to TWiT and all your favorite podcasts with the ultimate media player, download it for free at Winamp.com.

Running time: 1:40:56

Hello,

Today we published the January Security Bulletin Webcast Questions & Answers page. We fielded nine questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools. There were two questions during the webcast that we were unable to answer and we have included those questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, February 15 at 11am PST (UTC -8), when we will go into detail about the February bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, February 15, 2012
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,
Angela Gunn
Trustworthy Computing

Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing seven security bulletins, one of which is rated Critical in severity, with the remaining six classified as Important.

These bulletins will address eight vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the sole critical update:

• MS12-004 (Windows Media Player): Vulnerabilities in Windows Media Player Could Cause Remote Code Execution. This bulletin – the only one in January’s set to include multiple CVEs – addresses two issues that could arise if a would-be attacker sent a malicious MIDI or DirectShow file to a targeted user. Both of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. Still, we recommend that customers read through the bulletin information concerning MS12-004 and apply it as soon as possible.

In the video at the bottom of this post, Pete Voss discusses this month's bulletins in further detail.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

As you may remember, last month we announced a bulletin addressing the SSL issue we described in Security Advisory 2588513. Days before release, we noted a compatibility problem that might have affected certain users of third-party products, and decided to hold that bulletin until we could complete further investigation. We’re-releasing that bulletin today as MS12-006; we’re also providing further information and guidance to customers with a Knowledge Base article and a Fix-it that will be useful in certain installation circumstances.

As usual, our colleagues in SRD have prepared blog posts that delve more deeply into technical details of this month’s releases. In addition to a discussion of this month’s deployment priorities, SRD has a post examining some of the finer points of MS12-001, which addresses an Important-class issue affecting the SafeSEH security mitigation, and an overview of the aforementioned MS12-004.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Pete Voss and Dustin Childs. I invite you to tune in and learn more about the January security bulletins, as well as other announcements made today. The webcast is scheduled for tomorrow, January 11, 2012, at 11 A.M. PST. Click here to register.

Thanks,
Angela Gunn
Trustworthy Computing.

Hosts: Steve Gibson with Leo Laporte

Simple Secure Wifi isn't very secure, password recovering charger, WPA cracker, and more.

Download or subscribe to this show at twit.tv/sn.

We invite you to read, add to, and amend our show notes.

For 16kpbs versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Audio bandwidth is provided by Winamp, subscribe to TWiT and all your favorite podcasts with the ultimate media player, download it for free at Winamp.com.

Running time: 1:23:32

Hello. Today we’re releasing our advance notification for the January security bulletin release, which is scheduled for Tuesday, January 10. This month’s release includes seven bulletins addressing eight vulnerabilities in Microsoft Windows and Microsoft Developer Tools And Software. As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.

We’ll release all seven bulletins on Tuesday, January 10 at approximately 10 a.m. PST. Revisit this blog on Tuesday for our official risk and impact analysis, along with deployment guidance and a video overview of the release.

In addition, eagle-eyed readers of the summary page will notice an unusual vulnerability classification, “Security Feature Bypass,” for one of our Important-severity bulletins. SFB-class issues in themselves can’t be leveraged by an attacker; rather, a would-be attacker would use them to facilitate use of another exploit. For those interested in learning more, we expect the SRD blog to publish a detailed analysis of the matter on Tuesday.

Please join Dustin Childs and Pete Voss for a webcast on Wednesday. They’ll go into detail about the bulletins and answer questions live on the air. See below for registration information.

Date: Wednesday, January 11
Time: 11:00 a.m. PST (UTC -8)
Click Here To Register

Thanks,
Angela Gunn
Trustworthy Computing

Hosts: Steve Gibson with Leo Laporte

Microsoft's Out-Of-Cycle patch, FISA constitutionality, your questions, and more.

Download or subscribe to this show at twit.tv/sn.

We invite you to read, add to, and amend our show notes.

For 16kpbs versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Audio bandwidth is provided by Winamp, subscribe to TWiT and all your favorite podcasts with the ultimate media player, download it for free at Winamp.com.

Running time: 1:43:24

Hello,

Today we published the December 2011 Out-of-Band Security Bulletin Webcast Questions & Answers page. We fielded 41 questions on the subject of MS11-100 . There were four questions during the webcast that we were unable to answer and we have included those questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast scheduled for Wednesday, January 11, 2012 at 11 a.m. PST (UTC -8), when we will go into detail about the January 2012 bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, January 11, 2012
Time: 11:00 a.m. PDT (UTC -8)
Register: Attendee Registration

Thanks,
Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing

Hosts:              Jonathan Ness, Security Development Manager, MSRC

                          Pete Voss, Sr. Response Communications Manager, Trustworthy Computing

Website:         TechNet/Security

Chat Topic:     December 2011 Out-Of-Band Security Bulletin Release

Date:               Thursday, December 29, 2011

Q: How are Denial of Service, Tampering, Information Disclosure orSpoofing issues rated?
A: The Exploitability Index only attempts to rate vulnerabilities that can be leveraged for code execution. Vulnerabilities that could allow denial of service, tampering, information disclosure or spoofing will receive an Exploitability Index rating of "3." The notes for that particular CVE will also reflect the nature of the vulnerability.

Q: One angle I'm interested in is those Microsoft products that might use forms authentication, such as Exchange 2010 or TMG 2010. If we're using forms authentication there, does that mean we're vulnerable?
A: Any products that are using ASP.NET forms authentication will be secured with this update. This includes SharePoint and Exchange, when they are using ASP.NET forms authentication. If these products are using a Forms Authentication module other than the one provided by ASP.NET, then the issue addressed in this bulletin does not apply to you. 

Q: Why does Windows Update on Windows 2008 servers show this update, but the check-box next to it is un-checked? What is the difference between patches that are checked by default and those that are not checked?
A: In the case of "Important Updates", an update that is in the "PENDING" state will be unchecked when you view it in Windows Update. This means it is already queued for downloading. You can manually override this to start the download manually by checking the box next to the update. 

Q: Please confirm that if an IIS instance is installed that we are at risk for one of the CVE's and therefore we should patch ASAP. The assumption is that the server has IIS without .NET components.
A: By default, IIS is not installed with .NET and by default, .NET is not installed by ASP.NET. Customers would first need to have installed .NET framework with ASP.NET in order to be vulnerable to the vulnerabilities documented by MS11-100.

Q: What level of testing or specific tests is recommended for applications using ASP.NET? Is it highly likely that the hashing change will impact applications using the framework?
A: Microsoft recommends that customers test this update before deploying. There is a change in how forms authentication occurs and will require updates to be deployed at the same time across server environments. Click here for more about forms authentication.  

Q: Can sample DoS requests be provided to allow us to understand what the DOS signature may look like so we can test the patch as well as monitor our production environments until the patching is completed?
A: For more technical information regarding MS11-100, please see the SRD blog, where we have shared a short signature detecting this issue.

Q: Is this critical to environments where there are no Internet-facing systems? And what if there is no IIS installed on the workstation -- is it atrisk?
A: Exploitation requires ASP.NET installed and to be exposed to input from unauthenticated users. Typically this is through IIS. If workstations do not have ASP.NET or IIS installed, then those systems are not exposed. 

Q: In the Critical Elevation of Privilege can the attacker elevate is privilege only if they have the username without having the password? Can we have machines with the fix and without the fix working with each other?
A: Yes, the attacker only needs the username to carry out the attack. The fix involves changing the format of the forms authentication ticket, so that unpatched and patched machines cannot work with each other. So after patching you cannot have machines with the fix and without it working together, unless you set a configuration setting on the patched machines. For details, please read the FAQ for this CVE for more information on applying updates to web farms.

Q: For CVE-2011-3414, is there a requirement of authentication to exploit the DoS vulnerability successfully?
A: No, CVE-2011-3414 is anunauthenticated Denial of Service.

Q: What could be a potential impact on server running IIS with custom code? In short, can this update impact server or service to go down after installation? Do you have any suggestions on installation on web servers running custom code?
A: This update is specifically for ASP.NET, but the issue that was disclosed is an industry-wide issue concerning hash collisions. So, it is possible for your custom code to be affected, but you will need to investigate what kind of hash-tables your custom code uses and if it operates on untrusted user data.

Q: Is there a client-side patch that will protect users that fall for phishing attacks and visit websites that have not patched?
A: As clients are not affected by server-sided vulnerability, the security update does need to be installed on the server. 

Q: If the main target is Internet facing systems with IIS & ASP.NET installed, should I concentrate on patching my webservers first before patching client systems?
A: Prioritization for this update would be specific to users’ environments, but servers that are internet-facing and accept input from unauthenticated or untrusted user-provided content are most affected and should be prioritized. Likewise, clients are typically not in a web server role, and so systems that are running a web server role should be prioritized. 

Q: What steps can I take to reproduce and see if/how my site is affected, and so I can confirm the issue is gone after applying the patch?
A: For the protection of customers, Microsoft does not disclose proof of concept code (POC). The technical details of this issue are however public.

Q: If Microsoft .NET Framework is installed on an IIS Server, does this mean that ASP.NET is also installed but possibly not enabled?
A: Whether you have the .NET Framework (and ASP.NET) installed on a machine will depend upon the specific OS platform. Windows Server 2008, Windows Server 2008 SP2, Windows Server 2008 R2 and Windows Server 2008 R2 SP1 all ship with the .NET Framework 2.0 or higher, which includes ASP.NET, and you should install the corresponding patches listed in the security bulletin. If you are using an older Server OS such as Windows Server 2003 SP2 x86, then that platform includes .NET Framework 1.1 SP1, and you should install the corresponding patch listed in the security bulletin. 

Q: From a desktop browsing experience, this update will patch Windows XP, Vista and 7. If machines do not have IIS installed and enabled, as well as ASP.NET enabled, is the criticality of this update reduced? For example if the user goes to an internet site, would their desktop PC be vulnerable? It seems to be mostly if you have IIS and ASP.net installed and acting as a web server.
A: If you have a client machine with no ASP.NET installed, then your desktop PC would not be vulnerable to the particular security issues that are being addressed in this update.

Q: ASP.Net has been identified for the DoS. How about classic ASP/ISAPI applications? Is it just a .Net hash-table issue? And has the Microsoft Foundation Class / ATL / Visual Basic 6.0 been checked?
A: This is an industry-wide issue that could affect a broad spectrum of technologies. Since ASP.NET was at the greatest risk because of the public disclosure, we have focused our efforts so far on making sure we secure ASP.NET. We are actively investigating other technologies where this could be vulnerable and so far we do not think that classic ASP is vulnerable. Information on other affected technologies will be revealed as the issue develops.

Q: So just to be clear, Exchange 2010 Outlook Web Access isn't vulnerable to the privilege of escalation? Just to the DOS?
A: OWA 2010 can be configured for forms-based authentication. Based on this, it should be considered vulnerable. If there is any doubt, Microsoft KB Article 2638420 discusses parameters you can check for to verify if an application is using forms auth. Specifically, to determine whether your application uses forms authentication,
examine the System.web file. Applications that use forms authentication use the following entry in System.web file: <authentication mode="Forms">

Q: What tools are available to remotely scan systems to see if they’re vulnerable -- that is, that IIS and ASP are installed and active?
A: The Detection and Deployment Tools and Guidance section in the security bulletin provides information on how to identify systems to which this update applies. If you want to identify whether a system has IIS installed with ASP.NET enabled, the answer depends on the operating system that each system is running.

Q: Are only webservers vulnerable? We have limited personnel this weekend for QA and deployment. Are we pretty much covered if we just deploy to systems in our DMZ this weekend and then rest of the enterprise next week?
A: Prioritization for this update would be specific to users’ environments, but servers that are internet-facing and accept input from unauthenticated or untrusted user provided content may be at greater risk than internal servers. 

Q: Sites that disallow "application/x-www-form-urlencoded” or “multipart/form-data” HTTP content types are not vulnerable. Is this set to disallow by default? How do we verify if it is set to disallow?
A: No, application/x-www-form-urlencoded or multipart/form-data are not disallowed by default. Customers will need to explicitly disallow these. Customers can do this by using IIS request filtering. 

Q: Forms authorization login from TMG/ISA doesn't use ASP.NET. Is it still vulnerable?
A: TMG is not exposed and is not related to the ASP.NET issue described in the bulletin.

Q: Do you suggest immediate patching of all servers (internal/external) or just of externally available servers and allow internal servers to be patched during the next patching cycle?
A: Once again, prioritization for this update would be specific to each user’s environment, but servers that are internet-facing and accept input from unauthenticated or untrusted user provided content may be at greater risk than internal servers. 

Q: Is the critical CVE related to forms authentication only an issue if the site is configured to support forms authentication without cookies? Or, are all forms authentication implementations impacted?
A: No, this issue applies to all types of ASP.NET forms authentication, cookie and cookie-less.

Q: For CVE 2011-3414, does the patch change the size of request header accepted, place controls on the amount of CPU that can be used, or change the hashing functions used?
A:The security update addresses this issue by limiting the number of inputs ASP.NET accepts from clients.

Q: Does this patch limit the number of parameters passed in the post request? If so, what is the new limit? I am trying to determine what application problems may arise after applying the update.
A: The security update addresses this issue by limiting the number of inputs ASP.NET accepts from clients. If you are interested in changing the number of parameters passed in the post request, please see the section of the bulletin titled Workarounds for Collisions in HashTable May Cause DoS Vulnerability - CVE-2011-3414. 

Q: Can the normally scheduled January bulletins be installed independently of the critical one?
A: Yes, Future security updates can be installed independently of this issue. Microsoft does recommend all customers always read security updates to ensure they fully understand any known issues that may be documented in the security bulletin.

Q: Is the attack vector based on the server or the client? Do we concentrate on server or desktop side first?
A: The vulnerabilities in the bulletins are primarily focused on systems operating in a Web server role that use ASP.NET. Clients are typically not in a web server role.

Q: Could you provide more detail around the 3rd mitigation factor -- specifically the account registration procedure?
A: I am assuming this question is about the first mitigating factor for CVE-2011-3416: forms authentication bypass. Essentially, to pull off an Elevation of Privilege attack, the attacker would need a valid account on the system they are trying to compromise and the user name of the target of the attack.

Q: Can an ASP.NET site (e.g. SharePoint 2010 site) using authentication (NTLM/Kerberos) come under the DoS attack as described in CVE-2011-3414 by an unauthenticated user?
A: NTLM/Kerberos authentication changes the attack vector of the vulnerability. An ASP.NET site can come under a DOS attack – however, the attacker would then need to be authenticated. 

Q: Will this affect -- or will I need to be aware of -- this update impacting ASP.NET session and machine key settings in IIS for a load balanced environment, where all machine keys are matches to make sure sessions are the same across a server farm?
A: This update changes the way in which forms authentication tickets are created, so all servers would need to use the old or the new ticket format in order to maintain compatibility. Please refer to Knowledge Base Article 2659968 for deployment guidance for this update.

Q: What about servers that have IP address access limitations? Since we are resource-limited, we'd like to skip these servers that are only allowing certain IPs to access IIS.
A: As we’ve mentioned, prioritization for this update would be specific to users environments, but servers that are Internet-facing and can accept input from unauthenticated or untrusted user provided content may be at greater risk than internal servers. Servers that have additional protections may reduce the potential attack risk of these vulnerabilities. Customers are encouraged to analyze their own environments.

Q: We have ASP.NET prohibited in in our Web Service Extensions -- IIS 6. Are we still vulnerable?
A: No. If ASP.NET is not enabled, you are not vulnerable.

Q: The Section Workarounds for Collisions in HashTable May Cause DoS Vulnerability - CVE-2011-3414 in the bulletin is confusing. Is it required to put this script and then install the update? 
A: Workaround refers to a setting or configuration change that does not correct the underlying vulnerability, but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality. Customers are always encouraged to apply the security update. The workarounds are not a prerequisite for installing the security update.

Q: If TMG is not affected then, if TMG is protecting an Exchange 2010 server and the TMG is handling the forum authorization, would the patch for an Exchange server be necessary?
A: Although firewall solutions could protect systems behind the firewall it is important to understand the types of traffic that that FW may proxy to servers behind it. Systems behind the firewall are still vulnerable to internal attacks and have vulnerable code and should be updated to be properly protected.

Q: Is AppSettings.MaxHttpCollectionKeys the new parameter that contains the maximum number of form entries?
A: Yes it is.

Q: For ASP.NET on Internet-facing systems requiring authentication, does an attacker have to have a valid user name AND the valid password to carry out an attack?
A: No. The only requirement is to have the target's username, and *any* valid account on the system.

Q: Will any forms authentication tickets generated before the patch is applied be rendered invalid once the patch is applied? 
A: Yes. The change in the forms authentication ticket format will render all pre-patch tickets invalid once the update is applied.

Q: Our ASP.NET application requires large file uploads and requires our <httpRuntime maxRequestLength="200”/> to be set to 102400. How will we be able to handle that and not remain vulnerable?
A: The maxRequestLength setting is just a workaround. You will not need to worry about this after applying the security update and can remove any previously set workaround configurations.

Q: These updates run on Windows clients whether or not IIS or ASP is installed. Are the updates not effective in this case?
A: By default, IIS is not installed with .NET and by default, .NET is not installed by ASP.NET. Customers would first need to installed .NET framework with ASP.NET in order to be vulnerable to the vulnerabilities documented in MS11-100.

Q: Will there be changes to WSUS to only show the patch needed when ASP.NET is installed?
A: Updates that shipped in the security bulletin today are updates for the .NET Framework component. As such, the detection logic for these updates scans for different versions of the .NET Framework and offers the appropriate patch. The patches will be offered as long as the .NET Framework (which contains ASP.NET) is installed and irrespective of whether ASP.NET is registered and in use or not.

Q: For CVE-2011-3414, would one machine perform a denial of service based on the hash algorithms the server hosting the page has to consume?
A: Yes, one machine could effectively perform a denial of service, should it launch the correct type of attack.

Q: How much of live client-side authentication is vulnerable? Or is it server-side only (patch your servers, and client side is only vulnerable to the redirected site)?
A: The LiveID authentication system is not forms-based.  Therefore, the forms-based authentication vulnerabilities do not affect LiveID.  Further, it is all server-side and at this point we have applied the security update to our LiveID servers.

Hello,

Today we released Security Update MS11-100 to address the issue described in Security Advisory 2659883.

The security update has a severity rating of Critical and resolves a publicly disclosed remote unauthenticated Denial of Service issue in ASP.NET versions 1.1 and above on all supported versions of .NET Framework. Of note, the new method of hash collision attacks used to exploit this vulnerability is an industry-wide issue affecting various Web platforms, including ASP.NET.

While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible. Consumers are not vulnerable unless they are running a Web server from their computer. More technical details can be found at the Security Research & Defense Blog.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Dave Forstrom
Director
Microsoft Trustworthy Computing

Hello,

Today we’re providing advance notification for an out-of-band security update to address the publicly disclosed issue described in Security Advisory 2659883. The release is scheduled for tomorrow, December 29, at approximately 10 a.m. PST.

The bulletin has a severity rating of Critical and addresses a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework. While we’re currently unaware of any attacks targeting ASP.NET, we encourage all customers to test and deploy the update when it is available.

We will also hold a special edition webcast on Thursday, December 29 at 1 p.m. PST. Click here to register.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,

Dave Forstrom

Director

Microsoft Trustworthy Computing

Hosts: Steve Gibson with Leo Laporte

Firefox 9, SOPA, Sci-Fi movie and book recommendations, and more.

Download or subscribe to this show at twit.tv/sn.

We invite you to read, add to, and amend our show notes.

For 16kpbs versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Audio bandwidth is provided by Winamp, subscribe to TWiT and all your favorite podcasts with the ultimate media player, download it for free at Winamp.com.

Running time: 1:41:28

Hello,

Today we published Security Advisory 2659883 to provide a workaround to help protect ASP.NET customers from a publicly disclosed vulnerability that affects various Web platforms industry-wide. We are not aware of any attacks using this vulnerability, which affects all supported versions of .NET Framework, however we recommend customers use the mitigation and workaround described in the Advisory to help protect sites against this new method to exploit hash tables.

Our teams are working around the clock worldwide to develop a security update of appropriate quality to address this issue. Meanwhile, our Security Research & Defense team has written a blog post to explain how to know if you are vulnerable and detect exploitation, as well as background on the workaround. We are also working closely with our Microsoft Active Protections Program (MAPP) to help our partners build protections when and where possible. We will continue to update customers with new information as it becomes available.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thanks,
Dave Forstrom
Director
Microsoft Trustworthy Computing

Hosts: Steve Gibson with Tom Merritt

Background updates of IE, more on Carrier IQ, your questions, and more.

Download or subscribe to this show at twit.tv/sn.

We invite you to read, add to, and amend our show notes.

For 16kpbs versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Audio bandwidth is provided by Winamp, subscribe to TWiT and all your favorite podcasts with the ultimate media player, download it for free at Winamp.com.

Running time: 1:37:11

Hello,

Today we published the December Security Bulletin Webcast Questions & Answers page. We fielded six questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools.

For more details on this month’s bulletins, click here to view the slide deck used in the webcast. See below to view the webcast.

We invite our customers to join us for the next public webcast on Wednesday, January 11, 2012 at 11am PST (UTC -8), when we will go into detail about the January bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, January 11, 2012
Time: 11:00 a.m. PST (UTC -8)
Register: Attendee Registration

Thanks,
Jerry Bryant
Group Manager, Response Communications
Microsoft Trustworthy Computing

Hosts:             Jonathan Ness, Security Development Manager, MSRC
                        Jerry Bryant, Group Manager, Trustworthy Computing Communications

Website:         TechNet/Security

Chat Topic:     December 2011 Security Bulletin Release

Date:               Wednesday, December 14, 2011 

Q: Some of my users had issues with text being deleted from Word documents. Is this an issue with the Office security bulletin? 
A: We are not aware of any issues ofwords being removed from the document. If this continues, please contact support at 1-866-PC-SAFETY.

Q: You said that MS11-090 only applied to Windows XP and Windows Server 2003, but my WSUS is showing it needed for my Windows 7 and Windows Server 2008 & 2008 R2 machines.
A: The MS11-090 bulletin is a Cumulative Security Update of ActiveX Kill Bits. It addresses a new CVE that only affects Windows XP and Windows Server 2003, but also contains kill bits for various third party software, and affects a broader set of platforms than just Windows XP and Server 2003. 

Q: Will raising the Excel macro security level to high and ensuring that all macro code is digitally signed mitigate the Excel risks for this month?
A: The December Excel update fixes a vulnerability in the document parsing functionality in excel. This functionality is invoked when an Excel document is loaded into the Excel Application. While limiting macros execution in Excel is good security practice, it will not help you if trying to use it to mitigate the issue addressed by the December Excel update.

Q: Is there a link to the work-around fix for the Duqu-type open font vulnerability that you discussed?
A: The Workaround section for the CVE-2011-3402 in the MS11-087 bulletin explains how to apply and undo the workaround, and it also contains links to Fix It related to these operations.

Q: Once Office File Validation updates are installed, we have had some instances of Excel and Word documents opening very slowly across our network. You mentioned that Office File Validation can help reduce attack vectors. Can you share any information on the effects of installing Office File Validation?
A: We released a fix to increase the performance of opening across the network.The fix is documented in KB2570623.

Q: On my WSUS server, I searched MS11-088 and KB2596511 was found but KB2647540 was not found. As the Detection & Deployment indicates through the Download Center, should KB2596511 be approved through WSUS and KB2647540 be manually applied? Is KB2596511 complete on WSUS?
A: KB2647540 is currently only available via the Download Center. The update will also be provided through our other standard distribution methods once testing has been completed to ensure distribution will be successful through these channels. 

Hosts: Steve Gibson with Leo Laporte

Microsoft, Adobe, and Carrier IQ security news, and more.

Download or subscribe to this show at twit.tv/sn.

We invite you to read, add to, and amend our show notes.

For 16kpbs versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Audio bandwidth is provided by Winamp, subscribe to TWiT and all your favorite podcasts with the ultimate media player, download it for free at Winamp.com.

Running time: 1:42:10

Hi everyone – Mike Reavey here. Today, we’re releasing our December set of security updates. As we do every month, we're providing a heads-up on what’s coming in this month’s release as well as offering links to more information so you can plan your deployment. However, since this is the last set of regular monthly security updates this year, I thought I’d take a minute to look back at some of the discoveries the MSRC made in the process of issuing the year’s bulletins.

Decrease in Critical Issues and Bulletins

As far as individual issues, Critical-class CVEs accounted for less than a third of the issues we addressed in bulletin releases for the first time since we began our monthly bulletin-release cadence in 2004. And in absolute numbers, Critical-class CVEs are at their lowest levels since 2005. The fact that we’re seeing lower percentages of Critical issues and bulletins year-over-year demonstrates progress made by the product groups in creating more secure software.

With this regularly scheduled monthly release, our bulletin count for 2011 is 99, with 13 released today. Of those, we determined 10 to be Important-class bulletins, with only three classified as Critical in severity. In 2011, Critical-class bulletins represented just 32 percent of all bulletins – the lowest percentage since we began our monthly bulletin-release cadence in 2004 and, again, the lowest absolute number since 2005. Interestingly, for the second half of the year the numbers are even lower, with under 20 percent of bulletins released in the last six months rated Critical in severity.

Even though there are fewer Critical-class security updates year-over-year, we know that any update has the potential to be disruptive for customers. And so we work hard to make our update process as smooth and transparent as possible for customers – with no surprises. As part of that commitment, in 2011 we were able to address reported security issues effectively without resorting to emergency releases outside of the regular scheduled monthly releases. We understand the disruption that these “out-of-cycle” releases create for customers, and we take the decision to release an update out of cycle very seriously. Effective coordination with product teams, greater use of threat telemetry, the ability to release workarounds, and the ability to release defenses through partners like those in Microsoft’s Active Protection Program (MAPP) have all helped us to release all our 2011 bulletins in the usual monthly process. We’re glad about that, even though we will always reserve the right to release out-of-cycle if the situation merits it.

We also know that a large part of addressing security issues effectively and quickly is dependent on how we work with the community that finds and reports vulnerabilities to us. In 2011, over 80 percent of the issues we addressed were disclosed in a coordinated process. During the second half of the year that rose to over 85 percent. We believe that reporting vulnerabilities in a coordinated manner helps better protect customers and the broader Internet ecosystem and we’re glad that so many in the industry share this sentiment.

However, we didn’t rest on just those numbers.  We continued our work with the community, and in the summer of 2011 we made a series of announcements culminating in the kickoff of our first-ever Blue Hat Prize, which will award over a quarter of a million dollars to researchers breaking ground on defensive technologies. This initiative encourages researchers to bring to life mitigations that could potentially address entire classes of vulnerabilities. It’s a big project and we’re incredibly excited about the contest entrants we’ve seen so far. We’ll have more information on the Blue Hat Prize in 2012...we don’t want to spoil the excitement for anyone just yet.

Defensive Technology at Play
2011 also brought strong examples of how defensive technologies can increase the security of the software people use every day. For example, two of the more exciting developments of the year here at the MSRC centered on new and improved mitigations for older versions of Windows and Office. After announcing it in December, we launched Office File Validation (OFV) in April. OFV extends our “Gatekeeper” technology -- effective at detecting and blocking potentially dangerous binary-format files from opening in Office 2010 -- to the 2007 and 2003 editions of Microsoft Office.  Since release, approximately 200 million machines have added OFV to their protection arsenal.

And in February, we made an unprecedented change to how Autorun behaves when you insert a USB key on Windows XP and Vista systems. The change reduced the number of infections that rely on Autorun by 59 percent on Windows XP machines and by 74 percent on Windows Vista machines, in comparison to 2010, with a 68 percent year-to-year overall decline in infections for all PCs running all versions of Windows. That’s a staggering change for the better.

As we approach 2012, we’ll continue to deliver the best-tested, highest-quality bulletins possible while facing the security challenges the new year poses. Whatever’s ahead, we’ll continue to work internally, and with the researchers and partners, to find new approaches to security response while keeping customer protection, as always, as our first priority.

Thanks --

Mike Reavey
Senior Director, MSRC

Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, three of which are rated Critical in severity, and 10 Important.

These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates:

• MS11-092 – Windows Media: Vulnerability In Windows Media Could Allow Remote Code Execution
• MS11-087 – Windows: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Why 13 bulletins and not 14, as we stated in the ANS announcement on Thursday? After that announcement, we discovered an apps-compatibility issue between one bulletin-candidate and a major third-party vendor. We’re currently working with that vendor to address the issue on their platform, after which we’ll issue the bulletin as appropriate. As ever, we’d much rather withdraw a potential bulletin than ship something that might inconvenience customers, however limited that inconvenience in scope. The issue addressed in that bulletin, which we have been monitoring and against which we have seen no active attacks in the wild, was discussed in Security Advisory 2588513.

In the video below, Jerry Bryant discusses this month's bulletins in further detail.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

You can find more information about this month's security updates on the Microsoft Security Bulletin Summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the December security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, December 14, 2011 at 11 A.M. PST. Click here to register.

Thanks,
Angela Gunn
Trustworthy Computing.