Microsoft Security Newsletter
Welcome to the latest Newsletter!
This month’s newsletter focuses on the importance of keeping systems up to date.
In terms of security vulnerability management, the industry has come a long way since 2003. In 2003, I worked on Microsoft’s customer-facing incident response team which, among other things, supported Microsoft security updates. Back in those days, security updates from Microsoft were released weekly. Feedback from many of our enterprise customers ushered in a bunch of improvements for how we released security updates, including offering services like Windows Update, Microsoft Update, Windows Server Update Services (WSUS), and Microsoft System Center Configuration Manager, and implementing a predictable monthly security update release cycle (affectionately nick-named “Patch Tuesday”) in October 2003.
Since then, many of our customers have developed mature processes for managing vulnerabilities and the security updates that they receive from many of their vendors. I’ve told many customers over the years, if you aren’t getting security updates from all your vendors for all your software, you are likely not getting your money’s worth. The challenge that customers with mature security update processes have today is that, although their processes are now part of a smooth rhythm of business, they might not be keeping pace with attackers unless they have decreased the time to update their environments over the past year.
In the first half of 2014, we saw purveyors of commercial exploit kits adding new exploits to their exploit kits about 30 days after the release of a security update. By the fourth quarter, they were adding new exploits to exploit kits within 10 days of the release of security updates and, in the first quarter of 2015, they were adding zero-day exploits to their kits; i.e. the time-to-exploit kit has been reduced from 30 days to zero days. Subsequently, given that these attackers dramatically accelerated their efforts in the past year, CISOs and infrastructure executives should assess whether they need to accelerate the speed of security update deployments in their environments.
Some positive news is that, although industry vulnerability counts were higher than ever over the past year (data seen in Figure 1 below is from the Microsoft Security Intelligence Report volume 19), the exploitability of critically rated vulnerabilities for Microsoft products is down more than 70% since 2011 as seen in Figure 2 below.
Figure 1: Industrywide vulnerability disclosures, from the second half of 2012 (2H12) to the first half of 2015 (1H15)
Figure 2: Microsoft Remote Code execution CVEs by year
Some more positive news is that Microsoft is trying to make security updating easier and faster for our enterprise customers. The new servicing options for Windows 10 give enterprise customers more flexibility than ever. You’ll find more details in this month’s newsletter!
Best regards,
Tim Rains, Chief Security Advisor
Enterprise Cybersecurity Group, Microsoft
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.
Top Stories
Microsoft Security Intelligence Report Volume 19 is now available
Download hundreds of pages of new threat intelligence to help you better assess your current security posture. The latest version of the Security Intelligence Report includes threat data from the first half of 2015 as well as longer term trend data on the industry vulnerabilities, exploits, malware, and malicious websites that your organization.
A Single, Unified Trust Center for the Microsoft Cloud
Check out the new Microsoft Trust Center at www.microsoft.com/trustcenter, which now unifies the trust centers of Microsoft’s enterprise cloud services—Microsoft Azure, Microsoft Dynamics CRM Online, Microsoft Intune, and Microsoft Office 365. Find documentation on the adherence of Microsoft cloud services to international and regional standards, privacy and data protection policies and processes, and data transfer and location policies, as well as security features and functionality.
Shields Up on Potentially Unwanted Applications in Your Enterprise
Learn how a new opt-in feature for enterprise users in Windows can spot and stop a potentially unwanted application (PUA) in its tracks by blocking the application at the point of download and installation.
Does Prevalence Matter? A Different Approach to Traditional Antimalware Test Scoring
Most well-known antimalware tests today focus on broad-spectrum malware. In other words, tests include malware that is somewhat indiscriminate (isn't necessarily targeted), at least somewhat prevalent and sometimes very prevalent. Yet, when it comes to real customer impact, not all malware has the same distribution or prevalence. Find out how Microsoft is collaborating to create a more applicable scoring model.
Security Guidance
Security Tip of the Month: Upgrade to a Modern Browser
Microsoft is encouraging customers to upgrade to the latest, most secure version of Internet Explorer in order to continue receiving security updates and technical support. Starting January 12, 2016, support ends for older versions of Internet Explorer, so Windows 7 customers should upgrade to Internet Explorer 11 to remain supported. For a complete list of supported versions, please see the Internet Explorer Support Lifecycle Policy FAQ.
Microsoft Edge for Windows 10 is our most secure browser yet, but customers using older versions of Windows should upgrade to the latest version of Internet Explorer. It’s easier to upgrade than ever before thanks to features like Enterprise Mode, which provides better backward compatibility for sites designed for older versions. Resources like the new Web Application Compatibility Lab Kit, a self-service lab that shows how to assess and fix web app compat issues, can also help make upgrading faster and easier than before. Finally, we have announced some significant product improvements that can reduce the costs of upgrading and managing a more secure Microsoft browser solution. With these moves, Microsoft is helping to build a more secure browser ecosystem.
Windows 10 Servicing Options
Explore the new servicing options—current branch (CB), current branch for business (CBB), and long-term servicing branch (LTSB)—available in Windows 10.
Windows Update for Business
Windows Update for Business enables you to keep the Windows 10-based devices in your organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. Learn how to implement and deploy a Windows Update for Business solution and how to maintain enrolled systems.
The Update Process for Office 365 ProPlus
Unlike earlier versions of Office, individual security updates and other updates for Office 365 ProPlus aren’t available on Windows Update. Instead, every time updates are released—usually the second Tuesday of each month—Microsoft creates an updated version of Office 365 ProPlus and puts it on the Internet. This updated version contains all the updates for that month, in addition to all updates from previous months. Learn more about the update process, including how to apply updates, how to configure update settings, and end user update notifications.
Update System Center 2012 Configuration Manager
To update Configuration Manager, you can install a cumulative update or a service pack. Find out how to install updates and create collections for deploying updates.
This Month's Security Bulletins
December 2015 Security Bulletins
December 2015 Security Bulletin Resources:
Security Events and Training
Microsoft Virtual Academy: Preparing Your Enterprise for Windows 10 as a Service
Find out how Windows will evolve through servicing, and learn how you can make the most of servicing to get new features to your users faster.
technet.microsoft.com/security
This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
© 2015 Microsoft Corporation
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052 USA