Leaving Las Vegas and the August 2013 security updates
Two weeks ago I, along with 7,500 of my closest friends, attended the Black Hat security conference in Las Vegas, NV. I can’t speak for everyone, but I certainly had a great – if not exhausting – time while there. While there were a lot of great talks, a personal highlight for me each year is the chance to meet and talk with the various people who attend. It was even more fun for me this time around, as we had some great new programs here at Microsoft to talk about.
First, a lot of people were very interested to hear about the latest regarding our new bounty programs. The Internet Explorer 11 Preview bounty program has ended, but the Mitigation Bypass Bounty and BlueHat Bonus continue. On July 29, we also released our annual MSRC Progress Report, which included details of enhancements to our existing MAPP programs. Finally, we built and launched a series of fun challenges, dubbed the “BlueHat Challenges,” around reverse engineering, vulnerability discovery and Web browser manipulation attacks.
In just the first two weeks, we have already had more than 720 people participate, with 120 participants completing at least one level and 10 participants completing all levels of at least one track. The BlueHat Challenge is still open and we encourage each of you to test your security prowess. You can even get a custom Xbox avatar item if you complete a track!
*Update as of Aug 14: We’re now up to 962 participants, with 181 at level 2 or better. A total of 20 have finished at least one track, and one adventurous individual has completed two tracks. Keep it up!
With all this talk of security, let me move on to our monthly bulletins. Today we released eight security updates – three Critical and five Important, addressing 23 vulnerabilities in Microsoft Windows, Internet Explorer and Exchange. For those who need to prioritize deployment, we recommend focusing on MS13-059 and MS13-060 first. As always, customers should deploy all security updates as soon as possible. Our Bulletin Deployment Priority guidance is below, to further assist in deployment planning.
MS13-059 | Cumulative Security Update for Internet Explorer
This security update resolves eleven privately disclosed issues in Internet Explorer, for which we have not detected any attacks or customer impact. All issues could allow remote code execution if a customer views a specially-crafted webpage using the browser. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current user. This security update is rated Critical for all versions of Internet Explorer.
MS13-060 | Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution
This security update resolves one issue in Windows that could allow remote code execution if a customer views a specially-crafted document or web page. An attacker who successfully exploited this vulnerability could gain the same rights as the logged-on user. This security update is rated Critical for Windows XP and Windows Server 2003. This issue was privately disclosed and we have not detected any attacks or customer impact.
Security Advisory 2861855 – Updates to Improve Remote Desktop Protocol Network-level Authentication
This update adds defense-in-depth measures to the Network Level Authentication (NLA) technology within the Remote Desktop Protocol in Microsoft Windows.
Security Advisory 2862973 – Update for Deprecation of MD5 Hashing Algorithm for Microsoft Root Certificate Program
This update impacts applications and services using certificates with the MD5 hashing algorithm. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. This will apply only to certificates utilized for server authentication, code signing and time stamping. These applications and services will no longer trust certificates utilizing MD5 and we will release this change via Microsoft Update in February 2014.
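As an added example (not code from this post or from Microsoft's advisory), the following PowerShell audit script enumerates a few local certificate stores and lists the certificates whose chain contains an MD5-signed link, limited to the three usages the advisory names. The store paths, the EKU and signature-algorithm OIDs, and the output fields are assumptions I chose for the example.

```powershell
# Added audit example, not code from the MSRC post or the advisory.
# Lists certificates in common local stores whose chain contains an MD5-signed
# link and whose usage is one the advisory names. Store paths and OIDs are assumptions.
$affectedEku = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.3' = 'Code Signing'
    '1.3.6.1.5.5.7.3.8' = 'Time Stamping'
}
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\My'
$md5WithRsa = '1.2.840.113549.1.1.4'   # md5WithRSAEncryption

function Get-Md5ChainLinks {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Audit only: build the chain even if revocation data or the root is unavailable.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($Cert)
    # A self-signed root is the trust anchor; its own signature is not a validated
    # link, so only end-entity and intermediate signatures are inspected.
    $chain.ChainElements | ForEach-Object { $_.Certificate } | Where-Object {
        $_.Subject -ne $_.Issuer -and
        ($_.SignatureAlgorithm.Value -eq $md5WithRsa -or
         $_.SignatureAlgorithm.FriendlyName -match 'md5')
    }
}

foreach ($store in $stores) {
    foreach ($cert in (Get-ChildItem $store)) {
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku) {
            $usage = $eku.EnhancedKeyUsages | Where-Object { $affectedEku.ContainsKey($_.Value) } |
                     ForEach-Object { $affectedEku[$_.Value] }
            if (-not $usage) { continue }   # EKU present but none of the affected usages
        } else {
            $usage = 'any (no EKU extension)' # no EKU restriction: treat as affected
        }
        $links = @(Get-Md5ChainLinks -Cert $cert)
        if ($links.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Usage      = @($usage) -join ', '
                Md5Signed  = ($links | ForEach-Object { $_.Subject }) -join '; '
            }
        }
    }
}
```

Run it as an administrator so the LocalMachine stores are readable; anything it lists is a certificate to replace before the February 2014 change ships.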
Finally, we have two bulletin re-releases this month affecting MS13-052 and MS13-057. Both of these re-releases address certain application compatibility issues discovered after the bulletins were initially released. We recommend all customers apply the new updates that apply to their systems. Customers who have automatic updating enabled will not need to take any action.
Watch the bulletin overview video below for a brief summary of today’s releases.
Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases.
Our risk and impact graph shows an aggregate view of this month’s Severity and Exploitability Index.
For more information about this month’s security updates, visit the Microsoft Bulletin Summary Web page.
Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, August 14, 2013, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
If we had the chance to chat at Black Hat, it was great talking to you. If we didn’t, I look forward to seeing you at a future conference and hearing your questions about this month’s release in our webcast tomorrow.
Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing