Microsoft Security Newsletter - August 2011

	NOTE FROM THE EDITOR Welcome to the August edition of the Microsoft Security Newsletter. First, I want to welcome our subscribers from the United Kingdom. Moving forward, you will be receiving this global security newsletter instead of the regional one that you might have seen in the past. You've been upgraded! Next, I was fortunate enough to have attended the Black Hat security conference in Las Vegas earlier this month. At the conference we announced the Microsoft BlueHat Prize, the first and largest incentive ever offered for defensive computer security technology. The Microsoft BlueHat Prize contest challenges security researchers to design a run-time mitigation technology designed to prevent the exploitation of memory safety vulnerabilities. The solution considered to be the most innovative by the Microsoft BlueHat Prize board will be presented the grand prize of US $200,000. Learn more and get answers to common questions about this contest with the BlueHat Prize Q&A. We also released a new report from the Microsoft Security Response Center (MSRC) called "Building a Safer, More Trusted Internet Through Information Sharing." This report provides you with an update on the progress of key MSRC initiatives, along with new data on vulnerability counts and the like. For me, some of the most interesting data in the report is that related to the exploitability index that gets included in security bulletins from Microsoft. If you haven't been taking advantage of the Microsoft Exploitability Index as part of your security update deployment methodology, the data in this new report will help you get an idea of its potential value to your organization. For example, you can use the exploitability index to help manage risk associated with Microsoft security bulletins, and it could help you with deployment decisions and you could potentially reduce the number of reboots you need to perform in your environment. August 2011 Edition IN THIS ISSUE • Top Stories • Security Guidance • Community/MVP Update • Cloud Security Corner • This Month's Security Bulletins • Microsoft Product Lifecycle Information • Security Events and Training • Upcoming Security Webcasts

Lastly, I recently started blogging again. If you are interested in reading more about the threat landscape, secure development, and related topics, make sure to visit http://blogs.technet.com/security.  Best regards, Tim Rains, Director, Product Management, Microsoft Trustworthy Computing Follow the Microsoft Security Response team on Twitter @MSFTSecResponse for the latest information on the threat landscape. What is Security Science? Explore the proactive work that Microsoft's Trustworthy Computing group is conducting to help provide more secure, private, and reliable computing experiences for the individuals and companies who power today's computing ecosystem. Global Cyber Supply Chain Management Microsoft recently published two white papers that expand on the principles outlined by Scott Charney, Microsoft's corporate vice president of Trustworthy Computing, in his recent keynote address at the East-West Institute's Second Worldwide Cybersecurity Summit in London: "Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust" presents a set of key principles to enable governments and vendors to manage supply chain risk more effectively, and articulates the need for broad agreement. "Toward A Trusted Supply Chain: A Risk-Based Approach to Managing Software Integrity" provides a framework for the pragmatic assessment of Software Integrity risk management practices in the product development process and online services operations. Cybersecurity Report: 84% Believe Risk is Higher than One Year Ago Gain valuable insight into how experts from around the world view the cybersecurity challenge and learn about the practical steps they pursue for everything from securing the undersea cables that carry over 99% of intercontinental Internet traffic to ensuring emergency communications after disasters. Security Tip of the Month: Lync Edge Server Security While Microsoft Lync Server 2010 uses many standard security measures, you can configure it for additional levels of protection. Get guidance on enforcing network isolation, designing firewall rules, bracing for denial of service (DoS) attacks, and more. Microsoft Security Compliance Manager Assess, configure, and manage all your organization's security baselines in one centralized location. The Security Compliance Manager (SCM) tool provides security configuration recommendations from Microsoft, centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft products. Data Classification Toolkit for Windows Server 2008 R2 Get the help you need to properly identify, classify, and protect data across targeted file servers in your organization with the Data Classification Toolkit for Windows Server 2008 R2. This toolkit also provides classification and rule examples to help you build and deploy policies to protect critical information in a cost-effective manner. SDL Threat Modeling Tool 3.1.8 A core element the Microsoft Security Development Lifecycle (SDL), this tool helps development teams define a product's default and maximum attack surface during the design phase and helps reduce the likelihood for exploitation. Download it today and get additional guidance on threat modeling with the Microsoft SDL Starter Kit. MiniFuzz File Fuzzing Tool Download this basic testing tool to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors. Why Do Security Research? By Chris Wysopal, Chief Technology Officer and Co-Founder, Veracode Get insight into one chief technology officer's evolving motivations for conducting security research and learn why security research is important for the health of your IT organization—and the computing industry as a whole. An Architect's Perspective on Planning and Staffing for Private Cloud Operations With the introduction of private cloud, skill sets around infrastructure and operations will still be needed, but the number of infrastructure and operations specialists is expected to be lower. Here's a look at some of the new positions. Key Cloud Migration Decisions When deciding whether or not to migrate existing functionality to the cloud, the decision criteria are more complex than for new builds. Most legacy applications have implicit assumptions about operating systems, hardware, geography, latency, throughput, scalability, governance, access rights, monitoring and other aspects that must be carefully addressed before deploying to the public cloud. Find tips to help you more carefully consider your options and make an informed decision about migration. Critical: • MS11-057: Cumulative Security Update for Internet Explorer (2559049) • MS11-058: Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) Important: • MS11-059: Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656) • MS11-060: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978) • MS11-061: Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250) • MS11-062: Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege (2566454) • MS11-063: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680) • MS11-064: Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894) • MS11-065: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222) • MS11-066: Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943) • MS11-067: Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230) Moderate: • MS11-068: Vulnerability in Windows Kernel Could Allow Denial of Service (2556532) • MS11-069: Vulnerability in .NET Framework Could Allow Information Disclosure (2567951) Security Bulletin Overview for August 2011 Microsoft Security Response Center (MSRC) Blog Post Monthly Security Bulletin Webcast Q&A Windows Media Video (WMV) Windows Media Audio (WMA) SECURITY PROGRAM GUIDE • Microsoft SDL - Developer Starter Kit • Security Awareness Materials • Learn Security On the Job SECURITY BLOGS • Trustworthy Computing Security/Privacy Blogs • Microsoft Security Blog • Michael Howard • Eric Lippert • Eric Fitzgerald • MSRC Blog • ACE Team • Windows Security • Forefront Team • Solution Accelerators - Security & Compliance • Security Vulnerability Research & Defense • Security Development Lifecycle (SDL) UPCOMING CHATS • View a listing of upcoming technical chats COMMUNITY WEBSITES • IT Pro Security Community ADDITIONAL SECURITY RESOURCES • Security Help and Support for IT Professionals • TechNet Troubleshooting and Support Page • Microsoft Security Glossary • TechNet Security Center • MSDN Security Developer Center • Sign-Up for the Microsoft Security Notification Service • Security Bulletin Search Page • Microsoft Security Center • Home Users: Protect Your PC • MCSE/MCSA: Security Certifications • Subscribe to TechNet • Register for TechNet Flash IT Newsletter

Windows XP End of Support: April 8, 2014 On April 8, 2014, security patches and hotfixes for all versions of Windows XP will no longer be available. This means that, after this date, PCs running Windows XP will be vulnerable to security threats. In addition, many third party software providers are not planning to extend support for their applications running on Windows XP, which translates to even more complexity, risk, and ultimately, added management cost for your IT department if you are still managing Windows XP environments. Explore your options with this blog post from the Springboard Series and download the Windows XP End Of Support Countdown Gadget to help remind you about this important milestone. Find information about your particular products on the Microsoft Product Lifecycle Web site. See a List of Supported Service Packs: Microsoft provides free software updates for security and non-security issues for all supported service packs. Security Talk Series: From End to Edge and Beyond Join hosts Yuri Diogenes and Tom Shinder for insight into the latest trends in computer and network security, and get valuable tips and guidance from Microsoft and industry experts: Episode 6: Email security in the cloud Episode 5: Direct Access for anywhere access on the new cloud world Episode 4: Cloud computing snacks Episode 3: The private cloud and the Threats and Countermeasure Guide for Windows 7/Windows Server 2008 R2 Episode 2: Notes from the Microsoft security field Episode 1: Cloud security overview New episodes of this Security Talk series will be airing monthly; visit the series' blog to stay informed. For IT Professionals TechNet Webcast: Information about Microsoft Security Bulletins for September (Level 200) Wednesday, September 14, 2011 11:00 AM Pacific Time Talk TechNet with Keith Combs and Matt Hester: System Center Operations Manager with John Joyner (Level 200) Wednesday, August 31, 2011 9:00 AM Pacific Time Interactive Security Webcast Calendar Upcoming security webcasts in a dynamic, interactive format.

This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter. © 2011 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site. Legal Information. This newsletter was sent by the Microsoft Corporation Microsoft Corporation One Microsoft Way Redmond, WA, 98052, USA

Sign up for this newsletter | Unsubscribe | Update your profile 2011 Microsoft Corporation Terms of Use | Trademarks | Privacy Statement