Wednesday, January 18, 2012

Microsoft Security Newsletter – January 2012


NOTE FROM THE EDITOR

Welcome to the first Microsoft Security Newsletter of 2012!

Happy birthday Trustworthy Computing! This month marks the 10-year anniversary of the industry-changing email memo that Bill Gates sent to all Microsoft employees, identifying Trustworthy Computing as the highest priority for the company and for the industry. Six months after sending that email, Bill then published the Trustworthy Computing memo.

I remember those days vividly. At the time, we released security updates weekly on an ad-hoc basis without the automatic update technologies and deployment tools we have in the industry today. Administrators used to spend a lot of time and effort trying to figure out if they had products in their environments that needed to be updated and what versions were affected. Since then, Windows Update, Microsoft Update, and the automatic update client have revolutionized the way that software gets serviced in the world. Microsoft and other software vendors now provide predictable and transparent release processes for security updates and much improved guidance.

Things have improved greatly since Bill published the Trustworthy Computing memo. Of course, there is a lot of work left to do and Microsoft is as committed as ever to working to help protect customers from disruptions caused by criminal attacks. If you are interested in a walk down memory lane to commemorate this important anniversary, please visit the recently-refreshed Trustworthy Computing website.

Best regards,
Tim Rains, Director, Product Management, Microsoft Trustworthy Computing


January 2012 Edition

IN THIS ISSUE

Top Stories
Security Guidance
Community/MVP Update
The Business of Security
Cloud Security Corner
This Month's Security Bulletins
Microsoft Product Lifecycle Information
Security Events and Training
Upcoming Security Webcasts

TwC Next: Marking a Milestone. Continuing Our Commitment


At 10-Year Milestone, Microsoft's Trustworthy Computing Initiative More Important than Ever
Today, with more than two billion people on the Internet, computing has become part of the fabric of our everyday lives. As the landscape continues to change, the 10-year milestone of Microsoft's Trustworthy Computing initiative provides an opportunity to reflect on the past and prepare for the future. Learn about the history of the initiative and read how Microsoft has reaffirmed its commitment to Trustworthy Computing for the next decade.

The Threat Landscape in India: More Active Than First Thought
The threat landscape in India has turned out to be more active than initially suspected. India has had a relatively low malware infection rate for some time, which seemed subdued for a region that has such a large high tech industry. But with the new data we recently released in Volume 11 of the Microsoft Security Intelligence Report, the plot thickens.


Patch Management on Business-Critical Servers
By Dan Griffin, Microsoft MVP - Enterprise Security and Tom Jones, Software Architect, JW Secure
Software system security has come to depend on customer information technology (IT) organizations closely monitoring patches for vulnerabilities, and on the ability of those organizations to test and deploy the patches before they can be exploited. Discover best practices that can help you better manage and deploy patches, avoid downtime, and extend operating time without reboots.

Microsoft Security Update Guide, Second Edition
Designed to help IT professionals manage organizational risk and develop a repeatable, effective deployment mechanism for security updates, the Microsoft Security Update Guide offers a convenient glossary of terms, an overview of the Microsoft Security Bulletin process, and a stage-by-stage review of Microsoft Security Updates. This second edition includes additional content describing how Microsoft tests security updates before they are released, revised advice and guidance on testing updates in your own environment, and an expanded and updated resources section.

Getting Started with Microsoft Security Compliance Manager (SCM)
Security Compliance Manager is a free tool from Microsoft that enables you to quickly configure and manage your desktops, traditional datacenters, and private cloud using Group Policy and System Center Configuration Manager. Download SCM and learn how to use it today with helpful resources like our technical overview, answers to frequently asked questions, and baseline download help.

Virtual Machine Servicing Tool (VMST) 3.0
Familiarize yourself with this free downloadable tool that can help you reduce IT costs by making it easier to update offline virtual machines, templates, and virtual hard disks with the latest operating system and application patches--without introducing vulnerabilities into your IT infrastructure.

Windows Server Update Services (WSUS) Troubleshooting Survival Guide
While troubleshooting a technology such as WSUS, you need to identify where the issue is located (client or server) in order to correctly collect and analyze the data you need to properly troubleshoot an issue. This TechNet Wiki article offers a troubleshooting framework for WSUS and a place for you to share your own troubleshooting scenarios and techniques for WSUS with the community.

Secure Credential Storage
What's the most secure way to store a secret? Read this Microsoft Security Development Lifecycle (SDL) blog post for the answer.

Ten Years of Trustworthy Computing at Microsoft
By Raffaele Rialdi, Microsoft MVP - Developer Security
Increased awareness of the importance of application security over the last ten years has led to an incredible number of Microsoft initiatives for developers--all of which are aimed at making it easier to implement security best practices. Explore one developer's insights on which initiatives have had the biggest impact on the Microsoft developer community.

The Evolution of Elevation: Threat Modeling in a Microsoft World
By Dana Epp, Microsoft MVP - Enterprise and Developer Security
The concept of threat modeling is not new—you can't design a secure system until you understand the threats to it, and what weaknesses an adversary might exploit in the system. Check out one IT professional's take on threat modeling in a Microsoft world.


Windows Intune Technology Tune-Up
Sometimes enterprise-level security solutions can be too costly or complex for a small or midsize business to adopt. Windows Intune is a cloud service that helps you centrally manage and better secure your PCs through a simple web-based console. In this video, you'll hear from Microsoft Technical Fellow Mark Russinovich and a panel of IT professionals and cloud experts as they discuss best practices in PC management, the challenges of protecting and supporting remote users, and real life experience with Windows Intune. Want to learn more? Visit the Windows Intune Resource Zone on TechNet.


Cloud Fundamentals: Cloud Transparency as an Element of Trust
Get insight on cloud transparency as an element of trust from Mark Estberg, Senior Director of Microsoft Global Foundation Services and Tim Rains, Director of Product Management for Microsoft Trustworthy Computing. Learn even more—watch part two of this two-part video.

Cloud Fundamentals: Cloud Computing and Business Agility
There is a lot of discussion in the industry right now about the potential cost savings for organizations that leverage cloud computing. In this video, John Howie, who helps to manage the security for Microsoft's cloud services, discusses another potential benefit of leveraging cloud computing: increased business agility.

Cloud Fundamentals: Cloud Computing Requires Transparency
When information technology departments evaluate potential uses of cloud computing for their organization, many of them quickly realize they no longer have the near omniscient visibility into the operations environment they have when hosting those same workloads inside their own premises. In this video, Mark Estberg, Senior Director in Microsoft's Global Foundation Services, describes the need for partnership between customers and cloud service providers.


Critical:
Important: Security Bulletin Overview for January 2012
SECURITY PROGRAM GUIDE

Microsoft SDL - Developer Starter Kit
Security Awareness Materials
SECURITY BLOGS

Trustworthy Computing Security/Privacy Blogs RSS
Microsoft Security Blog RSS
MSRC Blog RSS
ACE Team RSS
Windows Security RSS
Forefront Team RSS
Solution Accelerators - Security & Compliance RSS
Security Vulnerability Research & Defense RSS
Security Development Lifecycle (SDL) RSS
ADDITIONAL SECURITY RESOURCES

Security Help and Support for IT Professionals
TechNet Troubleshooting and Support Page
Microsoft Security Glossary
TechNet Security Center
MSDN Security Developer Center
Sign-Up for the Microsoft Security Notification Service
Security Bulletin Search Page
Microsoft Security Center
Home Users: Protect Your PC
MCSE/MCSA: Security Certifications
Subscribe to TechNet
Register for TechNet Flash IT Newsletter

Windows XP End of Support: April 8, 2014
On April 8, 2014, security patches and hotfixes for all versions of Windows XP will no longer be available. This means that, after this date, PCs running Windows XP will be vulnerable to security threats. In addition, many third party software providers are not planning to extend support for their applications running on Windows XP, which translates to even more complexity, risk, and ultimately, added management cost for your IT department if you are still managing Windows XP environments. Explore your options with this blog post from the Springboard Series and download the Windows XP End Of Support Countdown Gadget to help remind you about this important milestone.

Find information about your particular products on the Microsoft Product Lifecycle Web site.

The Art of Identifying, Assessing and Mitigating Software Risk

Threat modeling is a key and powerful component of software risk management that organizations can use to identify risks and make better security decisions throughout design, coding, testing, and deployment. This Webcast will demonstrate how to characterize your business and technology from an attacker's viewpoint and determine the myriad of threats to your enterprise or application.


A Proactive Approach to Building a Successful Security Development Lifecycle

A good offense starts with security as part of the whole development lifecycle and requires specialized security knowledge and tools that organizations can adopt quickly and with minimal disruption to their development process. Three industry leaders discuss why and how you can get your organization on the right path.


For IT Professionals
For Decision Makers
Now on Demand
  • TechNet Webcast: Patch Management at Microsoft Using System Center Configuration Manager (Level 300)
    Attend this webcast to hear how Microsoft uses Microsoft System Center Configuration Manager to update close to 280,000 desktop clients. This session covers the architecture, the process, the SLAs, the technology, and the best practices. This session also addresses at a high level how Microsoft is preparing for System Center Configuration Manager 2012 and describes the client installation and team roles within the client update team at Microsoft.

This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft respects your privacy. To learn more please read our online Privacy Statement.


Microsoft Corporation
One Microsoft Way
Redmond, WA 98052 USA


