Tuesday, March 27, 2012

Microsoft Security Newsletter – March 2012


Editor's Note: In last month's newsletter, we incorrectly attributed the Security Tip of the Month to Dan Griffin, the author of our Security Tip for January. February's tip of the month, "Threat Modeling and Agile Development Practices," was written by Chas Jeffries, Security Architect, Microsoft Services. Thanks, Chas, for the great, informative article!

NOTE FROM THE EDITOR

March's Security Newsletter is here!

Have you ever wondered how many security updates you have deployed in the last ten years, or how many pieces of malware you have protected your organization from?

As part of Trustworthy Computing's ten-year milestone, we recently released a special edition of the Security Intelligence Report (SIR) called, "The evolution of malware and the threat landscape - a 10-year review," that contains some very interesting new data.

Figures (clockwise from top left): relative severity of vulnerabilities disclosed since 2002 across the entire industry; average number of CVEs per MSRC security bulletin since the first half of 2005; worms, trojan downloaders and droppers, and password stealers and monitoring tools categories since 2006

In addition to the special edition of the SIR, we have also released a new case study that highlights how one of the largest Internet service providers (ISPs) in Europe, TeliaSonera, helps maintain one of the consistently cleanest networks in the world. If you help manage security for your organization's network, you will want to check this out.

Also, we have released an interactive Trustworthy Computing timeline featuring new video content that looks back at how the security world has changed over the past ten years, and that includes interviews with high profile security experts from the industry.

Best regards,
Tim Rains, Director, Microsoft Trustworthy Computing

TwC Next: Marking a Milestone. Continuing Our Commitment


Microsoft and Financial Services Industry Leaders Target Zeus Botnets
Microsoft's Digital Crimes Unit, in collaboration with key partners, recently executed a coordinated global action against some of the worst known cybercrime operations fueling online fraud and identity theft today. Explore how, with this legal and technical action, a number of the most harmful botnets using the Zeus family of malware worldwide have been disrupted in an unprecedented, proactive cross-industry operation against this cybercriminal organization.

Building Global Trust Online Volume 2: Policymaker Guide to Privacy, Safety, and Security
Find overviews of key issues, a summary of Microsoft's response to these issues, and a list of helpful resources and links for further reading and support. New topics discussed in Volume 2 include supply chain security, privacy by default, digital citizenship, combatting online fraud, and accessible technologies.


Security Tip of the Month: How to Get Started with Threat Modeling
Threat modeling allows software architects to identify and mitigate potential security issues early, when issues are relatively easy and cost-effective to resolve. If you aren't familiar with threat modeling, one easy way to get started is with the Elevation of Privilege (EoP) card game. Designed by Microsoft to help those new to threat modeling engage with the practice in a fun and educational way, EoP enables you to learn about spoofing, tampering, repudiation, denial of service, and other threats while earning points to challenge your fellow developers.

You can often find EoP decks at Microsoft and third-party events like the RSA Security Conference, but you can also download the game anytime by visiting www.microsoft.com/security/sdl/adopt/eop.aspx. Why not grab a copy today and explore?

IT Infrastructure Threat Modeling Guide
Learn how to develop IT infrastructure threat modeling processes for your environment and prioritize your IT infrastructure security investments. Leveraging the existing Microsoft Security Development Lifecycle (SDL) threat modeling process, this guide provides an easy-to-understand method that enables you to develop threat models specific to your infrastructure.

SDL Threat Modeling Tool
Download this free tool designed to make threat modeling easier for developers of all skill levels—then learn how to kick off the threat modeling process, analyze threats, track dependencies, and more with Getting Started with the SDL Threat Modeling Tool.

Reinvigorating your Threat Modeling Process
Familiarize yourself with some approaches to threat modeling that can be employed by development teams of any size.

Microsoft Baseline Security Analyzer (MBSA)
Download a free tool to help you improve your security management process by detecting common security misconfigurations and missing security updates on your computer systems.

Microsoft Security Assessment Tool (MSAT) Demo
Watch an in-depth demonstration on how to use MSAT to build your business risk profile, create an assessment of the current security state of your business IT infrastructure, and review specific guidance to strengthen the security of your organization. Click here to learn more and download the tool.





Security Management: The Scary New Hacking Trend
Your datacenter relies on privileged identities to function. That isn't going to change. However, failure to protect these accounts will leave your private data exposed. Get some tips on how you can mitigate the risks of falling prey to a disturbing new trend in hacking.


New Videos from the Cloud Fundamentals Series
Learn about industry collaborations, cloud-based security frameworks, cloud standards programs, and more with the latest videos from the Trustworthy Computing Cloud Fundamentals Series:
  • Compliance in the Cloud – Explore the complexities of compliance in the cloud.
  • Secure Development in the Cloud – Gain valuable insight on the importance of securely developing platforms and applications in the cloud.
  • Privacy, Part 1: Microsoft's Approach – Get a brief overview of Microsoft's commitment to cloud privacy, and an introduction to the concepts of transparency, choice, and responsibility.
  • Privacy, Part 2: Privacy by Design – Watch as Brendon Lynch, Microsoft Chief Privacy Officer, describes how Microsoft strives to ensure strong privacy policies and standards within Microsoft online services and products.

Security Bulletin Overview for March 2012

Windows XP End of Support: April 8, 2014
On April 8, 2014, security patches and hotfixes for all versions of Windows XP will no longer be available. This means that, after this date, PCs running Windows XP will be vulnerable to security threats. In addition, many third-party software providers are not planning to extend support for their applications running on Windows XP, which translates to even more complexity, risk, and ultimately, added management cost for your IT department if you are still managing Windows XP environments.

The average operating system deployment project takes 18-24 months. Start your migration today with valuable step-by-step guides and other tools to help you migrate from Windows XP to Windows 7.

Find information about your particular products on the Microsoft Product Lifecycle Web site.

Security Development Conference 2012

May 15-16, 2012 – Washington, D.C.
Register today for the inaugural Security Development Conference 2012 (SDC 2012). Hosted by Microsoft, this event will bring together professionals from a variety of organizations to learn from security experts, build networks, and learn how to evolve their own SDL principles into practices. SDC 2012 will include information for leaders in security engineering, business decision makers, and management who are responsible for accelerating the adoption and effectiveness of SDL practices within their own organizations.



This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
