Thursday, February 4, 2010

February 2010 Bulletin Release Advance Notification

Today we released February bulletin information through our Advance Notification Service (ANS). This month, we will be releasing 13 bulletins - five rated Critical, seven rated Important, and one rated Moderate - addressing 26 vulnerabilities. Eleven of the bulletins affect Windows and the remaining two affect Office. More information about the upcoming security updates can be found on the Advance Notification Service (ANS) webpage.

As we started to do in December, we want to give customers a peek at what our deployment guidance will be next Tuesday. This month, we will be giving four of the bulletins a deployment priority rating of 1. In the ANS, those are bulletins 1, 2, 3, and 6. We recommend that customers test and deploy all security updates as soon as possible but you should prioritize these first.

To further help customers prioritize, I have pulled the Windows information from the ANS into a summary table so depending on the version you are running, you can see how many bulletins you need to prepare for:

Version

Critical

Important

Moderate

Low

Total

Windows 2000

5

3

1

0

9

Windows XP

5

2

1

0

8

Windows Server 2003

4

3

2

0

9

Windows Vista

3

3

0

0

6

Windows Server 2008

3

4

0

1

8

Windows 7

3

2

0

0

5

Windows Server 2008 R2

3

1

0

1

5

The Office related bulletins are both rated Important and would require user action to be exploited (usually in the form of convincing a user to open a specially crafted file). The vulnerabilities only affect older versions of Office so customers on Office 2007 or Office 2008 for Mac will have not actions this month.

We encourage customers to upgrade to the latest versions of both Windows and Office. As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built in to these products.

I also want to give a summary of the three open Security Advisories so customers know what to expect on Tuesday:

· Advisory 980088, Vulnerability in Internet Explorer Could Allow Information Disclosure: this advisory was released yesterday (Feb 3). We do not have an update for this issue planned for the normal February bulletin release. However, this vulnerability only affects versions of windows older than Vista in their default configuration, and there is a “Fix It” available so customers in non-default configurations can protect themselves.

· Advisory 979682, Vulnerability in Windows Kernel Could Allow Elevation of Privilege: we are on track to release an update for this issue next Tuesday.

· Advisory 977544, Vulnerability in SMB Could Allow Denial of Service: we are still working on an update for this issue so it will not be addressed in the February bulletins. As a reminder, this issue cannot be used to allow an attacker to take control of a system remotely, but instead results in a system becoming unresponsive due to resource consumption.

We are not aware of any attacks on these vulnerabilities and continue to encourage customers to implement the mitigations and workarounds outlined in the advisories.

Last month I started including important information about Windows versions that are reaching the end of their product lifecycle. Customers using these versions should consider upgrading before support for these products end as, once they do, we will no longer provide security updates:

  • Windows XP Service Pack 2 will no longer be supported as of July 13, 2010. Many customers are still on this version, so we encourage upgrading to Service Pack 3 or to Windows 7 as soon as possible.
  • Windows Vista RTM will no longer be supported as of April 13, 2010. Service Pack 1 will still be supported until July 12, 2011 but we recommend customers update to Service Pack 2 or Windows 7 at this time.
  • Extended support for Windows 2000 will also be retired on July 13, 2010. At that time, we will no longer provide security or any other updates for Windows 2000.

Finally, please plan to join Adrian Stone and myself next week for our regular live webcast where we will go in to detail on each bulletin to give you even more information and guidance:

Date: Wednesday, Feb 10
Time: 11:00 a.m. PST (UTC -8)
Registration:
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032427679

Hope to see you there!

Jerry Bryant
Sr. Security Communications Manager – Lead

*This posting is provided "AS IS" with no warranties, and confers no rights.*



url ref : http://blogs.technet.com/msrc/archive/2010/02/04/february-2010-bulletin-release-advance-notification.aspx

No comments: