June 2005 - Posts
June 14, 2005
Today Microsoft released the following Security Bulletin(s).
Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.
Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.
Bulletin Summary:
http://www.microsoft.com/technet/security/Bulletin/ms05-Jun.mspx
Critical Bulletins:
Cumulative Security Update for Internet Explorer (883939)
http://www.microsoft.com/technet/security/Bulletin/ms05-025.mspx
Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
http://www.microsoft.com/technet/security/Bulletin/ms05-026.mspx
Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
http://www.microsoft.com/technet/security/Bulletin/ms05-027.mspx
Important Bulletins:
Vulnerability in Web Client Service Could Allow Remote Code Execution (896426)
http://www.microsoft.com/technet/security/Bulletin/ms05-028.mspx
Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx
Cumulative Security Update in Outlook Express (897715)
http://www.microsoft.com/technet/security/Bulletin/ms05-018.mspx
Cumulative Security Update in Outlook Express (897715)
http://www.microsoft.com/technet/security/Bulletin/ms05-030.mspx
Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)
http://www.microsoft.com/technet/security/Bulletin/ms05-031.mspx
Moderate Bulletins:
Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
http://www.microsoft.com/technet/security/Bulletin/ms05-032.mspx
Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
http://www.microsoft.com/technet/security/Bulletin/ms05-033.mspx
Cumulative Security Update for ISA Server 2000 (899753)
http://www.microsoft.com/technet/security/Bulletin/ms05-034.mspx
Re-Released Bulletins:
SQL Server Installation Process May Leave Passwords on System (Q263968)
http://www.microsoft.com/technet/security/Bulletin/ms02-032.mspx
ASP.NET Path Validation Vulnerability (887219)
http://www.microsoft.com/technet/security/Bulletin/ms05-004.mspx
Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx
This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.
If you have any questions regarding the patch or its implementation after reading the above listed bulletin, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
One of the topics requested year after year at our global MVP Summits (an event where MVPs from all around the world come to Redmond for a few days) is how we do security at Microsoft. It should be no surprise that Microsoft has one of the most attacked networks in the world. Well, we don't keep too many secrets about how we do security. Searching our Download Center, you will find numerous white papers on lots of different security topics showing you how we did it. Here are some examples:
Detailed discussion on how Microsoft IT introduced Domain Isolation to the Microsoft global enterprise network.
http://www.microsoft.com/downloads/details.aspx?familyid=a97ddc48-a364-4756-bb3c-91da274118fe&displaylang=en
Overview of why and how Microsoft IT proactively deployed Windows XP Service Pack 2. Windows XP Service Pack 2 is a critical security release that addresses Internet-based security threats.
http://www.microsoft.com/downloads/details.aspx?familyid=36648245-6eac-458e-87bd-046a16f3d385&displaylang=en
Overview discussion on what the Microsoft Corporate Security group does to prevent malicious or unauthorized use of digital assets at Microsoft.
http://www.microsoft.com/downloads/details.aspx?familyid=e959f26c-1f5c-4331-b1fb-6c720795704d&displaylang=en
If you are a software developer and you are interested in making sure that your application is robust and secure, this is a MUST see & utilize resource!
The Microsoft PAG (patterns & practices) folks have put online a resource that provides a view into their present and future deliverables around security engineering to application scenarios. The additional benefit is that the content is provided as a wiki so that the community can annotate, elaborate and contribute.
The security wiki is brought to you by the same folks who brought you "Improving Web Application Security" and "Building Secure ASP.NET Applications", which are both great resources in their own right.
In their own words "This is where we think out loud. Here you’ll find emerging practices, guidance for application scenarios, security engineering, threat modeling, technical guidance and more. We’re looking for your experience, input and feedback to make this a useful resource for application security."
I've had the pleasure of working with the PAG folks on this effort. I hope that you will also take this opportunity to contribute to making this security wiki a living, working resource that will improve the state of software security.
Check it out @ http://Channel9.Msdn.Com/Security
The topics discussed include everything from ApplicationSecurityMethodology to WebServerSecurity. The products and technologies cover everything from NETFrameworkSecurityHub to ASPNET2SecurityHub. The resources provided range from SecurityChecklists (these are awesome, BTW!) to information about the SecurityBlocks.
Announced by Steve Ballmer at Tech-Ed today and now live on www.microsoft.com:
Windows Server Update Services (WSUS). Final release of WSUS went live today.
Microsoft Update (MU): Microsoft Update replaces Windows Update. In addition to Windows XP, MU now updates: Windows XP, Windows 2000 SP3, Windows Server 2003, Office XP, Office 2003, SQL Server 2000 SP4 and Exchange 2000.