Wednesday, April 20, 2011

Microsoft Security Newsletter – April 2011


NOTE FROM THE EDITOR

Welcome to April's Security Newsletter.

The theme of this month's newsletter is security for small and midsized business. One of the things these businesses need to be concerned with is the security of the applications they use. The long-term trend that we have observed is that most (~85%) security vulnerability disclosures across the software industry are in applications versus operating systems or web browsers (~15% combined). Since many small and medium-sized businesses take advantage of applications written primarily for consumers, these businesses should demand that the security of those applications be as good as applications written for enterprises.
[Chart: share of industry-wide vulnerability disclosures in applications versus operating systems and web browsers]


April 2011 Edition

IN THIS ISSUE

Top Stories
Security Guidance
Community/MVP Update
Cloud Security Corner
This Month's Security Bulletins
Microsoft Product Lifecycle Information
Security Events and Training
Upcoming Security Webcasts
COMMUNITY WEBSITES

IT Pro Security Community
In a new report we just released called The SDL Progress Report, we tested the 41 most popular consumer applications running on Windows to see if they were taking advantage of the security mitigations built into the platform. The news is mixed: while 71% of the applications surveyed fully enabled support for Data Execution Prevention (DEP), only 34% of the applications fully enabled support for Address Space Layout Randomization (ASLR). These are important exploit mitigations that can be valuable tools in helping to mitigate risks posed by both known and unknown vulnerabilities. Please check out the report and draw your own conclusions.

Another useful new piece of content is the second edition of the Microsoft Security Update Guide. The big delta between the second edition of the Security Update Guide and the first edition is the inclusion of a bunch of guidance on how to test security updates before deploying them. This includes guidance from Microsoft internal practices as well as guidance from customers that have solid test processes. This is something many people have asked us for over the years.

Best regards,
Tim Rains, Director, Product Management, Microsoft Trustworthy Computing

Follow the Microsoft Security Response team on Twitter @MSFTSecResponse for the latest information on the threat landscape.
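The DEP and ASLR opt-in that the SDL Progress Report measured is recorded in two header bits of every PE image: NX_COMPAT (0x0100, set by the linker's /NXCOMPAT) and DYNAMIC_BASE (0x0040, set by /DYNAMICBASE) in the optional header's DllCharacteristics field. The script below is an added example, not code from the newsletter or from the report, that reads those bits directly from the file. It also checks the COFF Characteristics field for IMAGE_FILE_RELOCS_STRIPPED, because an image that claims DYNAMIC_BASE but has had its relocations stripped cannot actually be rebased, which is the main way an application "partially" enables ASLR. The headers-only fixtures it builds, and the file names in the demo, are constructed for illustration; run check_file() against a real .exe or .dll to inspect it.

```python
"""Check whether a Windows PE image opts in to DEP (/NXCOMPAT) and ASLR (/DYNAMICBASE).

Added example. The fixture builder constructs a headers-only PE image so the
check can be exercised without a real binary; it is not a loadable executable.
"""
import struct

# COFF file header Characteristics bit
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# Optional header DllCharacteristics bits
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT:    DEP opt-in
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def check_mitigations(image: bytes) -> dict:
    """Parse the DOS/COFF/optional headers in `image` and report DEP/ASLR opt-in."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     size_of_optional, file_characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dll_characteristics,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)

    dynamic_base = bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    # ASLR can only move an image that still carries its base relocations; a
    # DYNAMIC_BASE image with RELOCS_STRIPPED is loaded at its fixed ImageBase.
    relocs_stripped = bool(file_characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_flag": dynamic_base,
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def check_file(path: str) -> dict:
    """Run the check against an on-disk .exe or .dll."""
    with open(path, "rb") as f:
        return check_mitigations(f.read())


def make_pe_header(dll_characteristics: int, file_characteristics: int = 0,
                   pe32plus: bool = False) -> bytes:
    """Constructed fixture: minimal headers-only PE image with the given flag bits."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 240 if pe32plus else 224
    coff_header = struct.pack("<HHIIIHH",
                              0x8664 if pe32plus else 0x14C,   # Machine: x64 / i386
                              0, 0, 0, 0, size_of_optional, file_characteristics)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 68, 2)  # Subsystem: Windows GUI
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


def summarize(results) -> dict:
    """Percentage of images fully opted in, in the form the report quotes its figures."""
    n = len(results)
    return {"dep_pct": round(100 * sum(r["dep"] for r in results) / n),
            "aslr_pct": round(100 * sum(r["aslr_effective"] for r in results) / n)}


if __name__ == "__main__":
    NX, DYN = IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    fixtures = {                                   # constructed names, not real products
        "hardened.exe": make_pe_header(NX | DYN),
        "dep_only.exe": make_pe_header(NX),
        "fake_aslr.exe": make_pe_header(NX | DYN, file_characteristics=IMAGE_FILE_RELOCS_STRIPPED),
        "legacy.dll": make_pe_header(0),
    }
    results = [check_mitigations(img) for img in fixtures.values()]
    for name, r in zip(fixtures, results):
        print(f"{name:14} DEP={r['dep']!s:5} ASLR={r['aslr_effective']!s:5}")
    print(summarize(results))
```

On a machine with the Visual Studio tools installed, `dumpbin /headers` prints the same two bits under "DLL characteristics" as "Dynamic base" and "NX compatible". Note that the flags describe what the image asks for, not what it gets: a process can have DEP forced on regardless of NX_COMPAT by the system-wide DEP policy, and a single non-opted-in DLL loaded at a fixed address gives an attacker a predictable module even when the host executable set DYNAMIC_BASE, which is why the report looks at each application's full set of binaries.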


Windows Intune Now Available - Get Started With A 30-Day Trial
Windows Intune helps simplify how businesses manage and secure PCs using Windows cloud services and the Windows 7 operating system. Download a free 30-day trial to see how Windows Intune can better enable your computers and users to operate at peak performance from virtually anywhere. Then visit the Windows Intune Resource Zone on TechNet for technical guidance to help you get the most out of your trial.

Sign Up for Solution Accelerator Notifications
Looking for tools and guidance that help build your organization's security and compliance infrastructure? Microsoft Solution Accelerators provide tested guidance and automated tools to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. To stay up-to-date, subscribe to the Solution Accelerators Newsletter.

Inside Security Compliance Manager with Chase Carpenter
When we hear about a disaster like the earthquake in Japan, many of us try to think of ways we can help. Read this Security Tips & Talk blog post for valuable tips you can pass on to your end users to help them avoid online donation scams.

Security Tip of the Month: 5 Security Tips for Windows Intune
Learn how to use Attack Surface Analyzer, a free tool from Microsoft, to better understand the aggregate attack surface change that may result from the introduction of line-of-business (LOB) applications to the Windows platform.

Microsoft Security Update Guide, Second Edition
The Microsoft Security Update Guide Second Edition is a valuable source of in-depth information and guidance that helps IT professionals deploy Microsoft security updates and create a safer, more secure computing and Internet environment.

Windows Security Survival Guide
Many companies invest a good amount of money trying to protect their resources by adding more software to provide additional layers of protection, and by enhancing policies and procedures to enforce security. Get a better understanding of the core principles of Windows Security and how to take advantage of Windows operating system security capabilities to achieve your company's security goals.

Security and Compliance in the Cloud, Part 1
Join Jim Reavis of the Cloud Security Alliance, Pete Boden of Microsoft and Allan A. Friedman of the Brookings Institution to see what you need to consider as you move data and applications to the cloud. Watch Part 2 of the discussion for additional insights and tips for organizations of all sizes.

Windows Azure: Understanding Security Account Management in Windows Azure
Cloud computing relieves some of the security burden, but you still have an active role in managing access, securing communications and ensuring data protection. Learn what you need to know about account management, certificate management, and employee transitions.

SQL Server: Protect Data at All Costs
Maintaining high availability to corporate data stores managed with SQL Server is an essential element of any data management strategy. Get tips on how to work through the requirements and limitations, align your strategy to those requirements, and test the effectiveness of your approach.


Security MVP Spotlight: Denis Batrankov
Enterprise Security MVP Denis Batrankov has worked in the security industry for 18 years, starting as a programmer and security administrator and eventually landing in his current role as Solution Architect for HP TippingPoint. Denis specializes in practical ways to protect corporate IT systems against emerging IT threats and enjoys delivering information about the various tools available to today's IT professional from firewalls and intrusion prevention systems to security scanners, deep packet inspections, and Web filtering.

From Denis Batrankov:
  • Why Now is the Time to Review Corporate Email Security
    Many IT professionals assume that internal employees use corporate email to do their jobs. But is this a reality? This article explores considerations that can help you keep corporate email effective and help maintain safe email habits for your employees and your customers or partners.
Security MVP Spotlight: Miha Pihler
Miha Pihler (MCSE, MCT, CISSP) currently works as an independent Security Consultant. Pihler has many years of experience in the security field and holds many of the most prestigious qualifications. He is a respected and recognized speaker with a wealth of experience. He has worked on the deployment of firewalls for some of the largest organizations in Slovenia, the setup of public key infrastructure (PKI), and the design of secure authentication systems.

From Miha Pihler:
  • Simple Firewall Best Practices for Small and Midsize Businesses
    All servers require regular maintenance, and their firewalls are no exception. Firewalls involve daily maintenance tasks such as reviewing logs, checking for any alerts, and changing policies—and less frequent tasks such as reviewing policies. Explore several important considerations as well as suggested best practices for effectively maintaining firewalls.

How to Collaborate Securely with Business Partners through SharePoint Online
Explore the process of using SharePoint Online as a secure collaboration tool for use with not only business partners, but also different business units within your own organization.

Critical:
• MS11-018: Cumulative Security Update for Internet Explorer (2497640)
• MS11-019: Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)
• MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429)
• MS11-027: Cumulative Security Update of ActiveX Kill Bits (2508272)
• MS11-028: Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015)
• MS11-029: Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)
• MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
• MS11-031: Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666)
• MS11-032: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618)

Important:
• MS11-021: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279)
• MS11-022: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283)
• MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)
• MS11-024: Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308)
• MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212)
• MS11-026: Vulnerability in MHTML Could Allow Information Disclosure (2503658)
• MS11-033: Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663)
• MS11-034: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)

Security Bulletin Overview for April 2011
SECURITY PROGRAM GUIDE

Microsoft SDL - Developer Starter Kit
Security Awareness Materials
Learn Security On the Job
SECURITY BLOGS

Trustworthy Computing Security/Privacy Blogs RSS
Michael Howard RSS
Eric Lippert RSS
Eric Fitzgerald RSS
MSRC Blog RSS
ACE Team RSS
Windows Security RSS
Forefront Team RSS
Solution Accelerators - Security & Compliance RSS
Security Vulnerability Research & Defense RSS
Security Development Lifecycle (SDL) RSS
UPCOMING CHATS

View a listing of upcoming technical chats
ADDITIONAL SECURITY RESOURCES

Security Help and Support for IT Professionals
TechNet Troubleshooting and Support Page
Microsoft Security Glossary
TechNet Security Center
MSDN Security Developer Center
Sign-Up for the Microsoft Security Notification Service
Security Bulletin Search Page
Microsoft Security Center
Home Users: Protect Your PC
MCSE/MCSA: Security Certifications
Subscribe to TechNet
Register for TechNet Flash IT Newsletter

Reminder: Windows Vista Service Pack 1 End of Support
Windows Vista Service Pack 1 will reach the end of support on July 12, 2011. From that date onward, Microsoft will no longer provide support or free security updates for Windows Vista SP1. To stay secure and continue to receive support, you must upgrade to Service Pack 2 (SP2).

Find information about your particular products on the Microsoft Product Lifecycle Web site.

Tech•Ed North America 2011: Security, Identity, Access & More

May 16-19, 2011 - Atlanta, GA
Join us in Atlanta for Tech•Ed 2011 and take advantage of over 1,000 learning opportunities. Check out the Security, Identity and Access track, which provides guidance and technical detail on Microsoft Forefront products, identity-based access technologies, Windows security technologies, and more. Visit our content catalog to see which sessions and pre-conference seminars interest you. Register now.

Windows Azure Security Essentials: Secure Networking using Windows Azure Connect
Dive deep into Windows Azure Connect, a new mechanism for establishing, managing and securing IP-level connectivity between on-premises and Windows Azure resources. In this MSDN Channel 9 webcast, you'll learn about potential usage scenarios, the different components of Windows Azure Connect, how to join your cloud-based virtual machines to Active Directory, and more.

For IT Professionals Now on Demand

Business Insights Webcast: The Cloud's Silver Lining: Identity Management (Level 100)
Identity management with Microsoft Forefront Identity Manager (FIM), Active Directory Federation Services (AD FS), and Microsoft Forefront Unified Access Gateway (Forefront UAG) is a key component to realizing the value of the cloud (Microsoft Office 365, the Business Productivity Online Standard Suite (BPOS), and software as a service (SaaS) vendors). If you are planning to migrate applications to the cloud, learn how to first address provisioning and Single Sign-On (SSO) to enable a seamless transition.

Interactive Security Webcast Calendar
Upcoming security webcasts in a dynamic, interactive format.

This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2011 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site.

Legal Information.

This newsletter was sent by the Microsoft Corporation
Microsoft Corporation
One Microsoft Way
Redmond, WA, 98052, USA


