Thursday, August 25, 2011

Microsoft Security Newsletter - August 2011


NOTE FROM THE EDITOR

Tim Rains
Welcome to the August edition of the Microsoft Security Newsletter. First, I want to welcome our subscribers from the United Kingdom. Moving forward, you will be receiving this global security newsletter instead of the regional one that you might have seen in the past. You've been upgraded!

Next, I was fortunate enough to have attended the Black Hat security conference in Las Vegas earlier this month. At the conference we announced the Microsoft BlueHat Prize, the first and largest incentive ever offered for defensive computer security technology. The Microsoft BlueHat Prize contest challenges security researchers to design a run-time mitigation technology designed to prevent the exploitation of memory safety vulnerabilities. The solution considered to be the most innovative by the Microsoft BlueHat Prize board will be presented the grand prize of US $200,000. Learn more and get answers to common questions about this contest with the BlueHat Prize Q&A.

We also released a new report from the Microsoft Security Response Center (MSRC) called "Building a Safer, More Trusted Internet Through Information Sharing." This report provides you with an update on the progress of key MSRC initiatives, along with new data on vulnerability counts and the like. For me, some of the most interesting data in the report is that related to the exploitability index that gets included in security bulletins from Microsoft. If you haven't been taking advantage of the Microsoft Exploitability Index as part of your security update deployment methodology, the data in this new report will help you get an idea of its potential value to your organization. For example, you can use the exploitability index to help manage risk associated with Microsoft security bulletins, and it could help you with deployment decisions and you could potentially reduce the number of reboots you need to perform in your environment.


August 2011 Edition

IN THIS ISSUE

Top Stories
Security Guidance
Community/MVP Update
Cloud Security Corner
This Month's Security Bulletins
Microsoft Product Lifecycle Information
Security Events and Training
Upcoming Security Webcasts

Lastly, I recently started blogging again. If you are interested in reading more about the threat landscape, secure development, and related topics, make sure to visit http://blogs.technet.com/security

Best regards,
Tim Rains, Director, Product Management, Microsoft Trustworthy Computing

Follow the Microsoft Security Response team on Twitter @MSFTSecResponse for the latest information on the threat landscape.


What is Security Science?
Explore the proactive work that Microsoft's Trustworthy Computing group is conducting to help provide more secure, private, and reliable computing experiences for the individuals and companies who power today's computing ecosystem.

Global Cyber Supply Chain Management
Microsoft recently published two white papers that expand on the principles outlined by Scott Charney, Microsoft's corporate vice president of Trustworthy Computing, in his recent keynote address at the East-West Institute's Second Worldwide Cybersecurity Summit in London:

Cybersecurity Report: 84% Believe Risk is Higher than One Year Ago
Gain valuable insight into how experts from around the world view the cybersecurity challenge and learn about the practical steps they pursue for everything from securing the undersea cables that carry over 99% of intercontinental Internet traffic to ensuring emergency communications after disasters.

Security Tip of the Month: Lync Edge Server Security
While Microsoft Lync Server 2010 uses many standard security measures, you can configure it for additional levels of protection. Get guidance on enforcing network isolation, designing firewall rules, bracing for denial of service (DoS) attacks, and more.

Microsoft Security Compliance Manager
Assess, configure, and manage all your organization's security baselines in one centralized location. The Security Compliance Manager (SCM) tool provides security configuration recommendations from Microsoft, centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft products.

Data Classification Toolkit for Windows Server 2008 R2
Get the help you need to properly identify, classify, and protect data across targeted file servers in your organization with the Data Classification Toolkit for Windows Server 2008 R2. This toolkit also provides classification and rule examples to help you build and deploy policies to protect critical information in a cost-effective manner.

SDL Threat Modeling Tool 3.1.8
A core element the Microsoft Security Development Lifecycle (SDL), this tool helps development teams define a product's default and maximum attack surface during the design phase and helps reduce the likelihood for exploitation. Download it today and get additional guidance on threat modeling with the Microsoft SDL Starter Kit.

MiniFuzz File Fuzzing Tool
Download this basic testing tool to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors.


Why Do Security Research?
By Chris Wysopal, Chief Technology Officer and Co-Founder, Veracode
Get insight into one chief technology officer's evolving motivations for conducting security research and learn why security research is important for the health of your IT organization—and the computing industry as a whole.


An Architect's Perspective on Planning and Staffing for Private Cloud Operations
With the introduction of private cloud, skill sets around infrastructure and operations will still be needed, but the number of infrastructure and operations specialists is expected to be lower. Here's a look at some of the new positions.

Key Cloud Migration Decisions
When deciding whether or not to migrate existing functionality to the cloud, the decision criteria are more complex than for new builds. Most legacy applications have implicit assumptions about operating systems, hardware, geography, latency, throughput, scalability, governance, access rights, monitoring and other aspects that must be carefully addressed before deploying to the public cloud. Find tips to help you more carefully consider your options and make an informed decision about migration.

Critical:
• MS11-057: Cumulative Security Update for Internet Explorer (2559049)
• MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)

Important:
• MS11-059: Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656)
• MS11-060: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978)
• MS11-061: Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250)
• MS11-062: Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege (2566454)
• MS11-063: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)
• MS11-064: Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)
• MS11-065: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)
• MS11-066: Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943)
• MS11-067: Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)

Moderate:
• MS11-068: Vulnerability in Windows Kernel Could Allow Denial of Service (2556532)
• MS11-069: Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)

Security Bulletin Overview for August 2011
SECURITY PROGRAM GUIDE

Microsoft SDL - Developer Starter Kit
Security Awareness Materials
Learn Security On the Job
SECURITY BLOGS

Trustworthy Computing Security/Privacy Blogs RSS
Microsoft Security Blog RSS
Michael Howard RSS
Eric Lippert RSS
Eric Fitzgerald RSS
MSRC Blog RSS
ACE Team RSS
Windows Security RSS
Forefront Team RSS
Solution Accelerators - Security & Compliance RSS
Security Vulnerability Research & Defense RSS
Security Development Lifecycle (SDL) RSS
UPCOMING CHATS

View a listing of upcoming technical chats
COMMUNITY WEBSITES

IT Pro Security Community
ADDITIONAL SECURITY RESOURCES

Security Help and Support for IT Professionals
TechNet Troubleshooting and Support Page
Microsoft Security Glossary
TechNet Security Center
MSDN Security Developer Center
Sign-Up for the Microsoft Security Notification Service
Security Bulletin Search Page
Microsoft Security Center
Home Users: Protect Your PC
MCSE/MCSA: Security Certifications
Subscribe to TechNet
Register for TechNet Flash IT Newsletter

Windows XP End of Support: April 8, 2014
On April 8, 2014, security patches and hotfixes for all versions of Windows XP will no longer be available. This means that, after this date, PCs running Windows XP will be vulnerable to security threats. In addition, many third party software providers are not planning to extend support for their applications running on Windows XP, which translates to even more complexity, risk, and ultimately, added management cost for your IT department if you are still managing Windows XP environments. Explore your options with this blog post from the Springboard Series and download the Windows XP End Of Support Countdown Gadget to help remind you about this important milestone.

Find information about your particular products on the Microsoft Product Lifecycle Web site.

Security Talk Series: From End to Edge and Beyond

Join hosts Yuri Diogenes and Tom Shinder for insight into the latest trends in computer and network security, and get valuable tips and guidance from Microsoft and industry experts: New episodes of this Security Talk series will be airing monthly; visit the series' blog to stay informed.

For IT Professionals
Interactive Security Webcast Calendar
Upcoming security webcasts in a dynamic, interactive format.

This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2011 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site.

Legal Information.

This newsletter was sent by the Microsoft Corporation
Microsoft Corporation
One Microsoft Way
Redmond, WA, 98052, USA



Sign up for this newsletter | Unsubscribe | Update your profile
2011 Microsoft Corporation Terms of Use | Trademarks | Privacy Statement

Your cOmment"s Here! Hover Your cUrsOr to leave a cOmment.


Subscribe to: Post Comments (Atom)