msrc-blog

An Overview of KB2871997 An Overview of KB2871997 Microsoft recently released KB2871997 for Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012. This blog will give an overview of the feature changes, their impact, and some important configuration changes that can be made in conjunction with the update to further improve system security.

Today we provide advance notification for the release of seven Bulletins, two rated Critical and five rated Important in severity. These Updates are for Microsoft Windows, Microsoft Office and Internet Explorer. The Update for Internet Explorer addresses CVE-2014-1770, which we have not seen used in any active attacks. Also, in case you missed it, last month we released Security Advisory 2871997 to further enhance credentials management and protections on Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.

Microsoft is committed to promoting a safer, more trusted Internet and providing monthly security updates is one of the ways our customers keep their devices and connections to the Internet more secure. Packaging updates together into a monthly bulletin cycle stems from customer feedback and offers a predictable way to help protect them against newly discovered threats.

Today we published the May 2014 Security Bulletin Webcast Questions & Answers page. We answered 17 questions in total, with the majority focusing on the update for SharePoint (MS14-022), Group Policy (MS14-025) and Internet Explorer (MS14-029). Here is the video replay: We invite you to join us for the next scheduled webcast on Wednesday, June 11, 2014, at 11 a.

Today, we released an update to address a vulnerability in Group Policy Preferences (MS14-025). Group Policy Preferences was an addition made to Group Policy to extend its capabilities. Among other things, Group Policy Preferences allows an administrator to configure: Local administrator accounts (name of the account, account password, etc) Configure a service or scheduled task (allowed to specify alternate credentials to run as) Mount network drives when a user logs in (allowed to specify alternate credentials to connect with) Group Policy Preferences are distributed just like normal group policy: An XML file containing the settings is written to the SYSVOL share of the domain controllers, and computers periodically query the SYSVOL share (authenticating to it using their computer account) for updates to the group policy.

Today, we released eight security bulletins – two rated Critical and six rated Important – to address 13 Common Vulnerability & Exposures (CVEs) in .NET Framework, Office, SharePoint, Internet Explorer, and Windows. We encourage you to apply all of these updates, but for those who need to prioritize their deployment planning, we recommend focusing on MS14-024, MS14-025 and MS14-029.

Dynamically loading libraries in an application can lead to vulnerabilities if not secured properly. In this blog post we talk about loading a library using LoadLibraryEx() API and make use of options to make it safe. Know the defaults: The library file name passed to LoadLibrary() / LoadLibraryEx() call need not contain an extension.

Today we released eight security bulletins addressing 13 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. The table is designed to help you prioritize the deployment of updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max exploit-ability Likely first 30 days impact Platform mitigations and key notes MS14-029(Internet Explorer) Victim browses to a malicious webpage.

Today we provide Advance Notification Service (ANS) for the release of eight bulletins, two rated Critical and six rated Important in severity. These updates will address vulnerabilities for .NET Framework, Office, Internet Explorer, and Windows. As we do every month, we’ve scheduled the security bulletin release for the second Tuesday of the month, May 13, 2014, at approximately 10:00 a.

At approximately 10 a.m. PDT, we will release an out-of-band security update to address the issue affecting Internet Explorer (IE) that was first discussed in Security Advisory 2963983. This update is fully tested and ready for release for all affected versions of the browser. The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically.