Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: December 2009 Security Bulletin Release


08 Dec 2009   #1

 
December 2009 Security Bulletin Release

Quote:
Summary of Microsoft’s Security Bulletin Release for December 2009

As noted in our Advance Notification (ANS) last Thursday, for the December bulletin release we issued six security bulletins addressing 12 vulnerabilities. Affected products include Windows, Internet Explorer (IE) and Microsoft Office products.

In the ANS, we also noted that the bulletin for IE (MS09-072) is at the top of our deployment priority list this month. As you can see from our Severity and Exploitability Index slide (also referred to as the Risk and Impact slide), MS09-072 is the only bulletin this month that has both a Critical severity rating and our maximum Exploitability Index rating of 1. Of note, each of the five vulnerabilities addressed in this bulletin are Critical and each also have an Exploitability Index rating of 1. One of the vulnerabilities was the subject of Security Advisory 977981 due to public disclosure and affects IE 6 and IE 7 so customers running those versions should install this update as soon as possible.



The update for Active Directory Federation Services, MS09-070, is lower on the deployment list even though it has an Exploitability Index of 1. This is because an attacker would have to have valid logon credentials for the affected server in order to carry out an attack which gives this a severity rating of Important. The second critical vulnerability affecting Windows, MS09-071, is also lower in our deployment priority as indicated in the slide below. This is mainly due to an Exploitability Index rating of 2 which means that we do not expect to see reliable exploit code for the critical vulnerability within the first 30 days from bulletin release.



To follow up on something I mentioned in the ANS blog post, here is the promised table that maps the bulletin ID’s to the numbered bulletins from the ANS document that customers have asked us for: Bulletin ID

Maps to bulletin number in the ANS

MS09-069

Bulletin 5

MS09-070

Bulletin 6

MS09-071

Bulletin 1

MS09-072

Bulletin 4

MS09-073

Bulletin 2

MS09-074

Bulletin 3



This month we also released two new advisories. The first one, 954157, concerns a Defense in Depth (DiD) update for the Indeo Codec. This update will go out through the Automatic Update system and applies to Windows XP and Windows Server 2003. The update blocks the codec from being used in IE and Windows Media Player in the Internet Zone and offers similar attack surface reduction as that built in to Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. For those not running any applications that use the Indeo Codec, you can unregister it to reduce overall attack surface which we recommend as a best practice, and have the exact same attack surface reduction as on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2

The other advisory, 974926, is the summary advisory for the work we have done around Extended Protection for Authentication. My colleague, MSRC program manager Maarten Van Horenbeeck, has written an extensive post on this subject on our Security Research & Defense blog.

Finally, we re-released MS08-037 for Windows 2000 SP4 systems. This is an Important class update that could result in spoofing. All Windows 2000 SP4 users should re-install the update to be fully protected from this issue.

As we do every month, Adrian Stone and I provide a quick overview of today’s updates in the video below.

More listening and viewing options:
We also encourage all customers to join us tomorrow for our live webcast where we will go in to details on all of these bulletins and answer your questions while on the air. Registration information:

Date: Wednesday Dec. 9
Time: 11:00 a.m. PST (UTC -8)
Registration and event link: http://msevents.microsoft.com/CUI/Ev...tID=1032407802

Thank you!

Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

More...

My System SpecsSystem Spec
.

Reply

 December 2009 Security Bulletin Release




Thread Tools




Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 03:51 AM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33