2013-04-24

Microsoft Security Newsletter - April 2013

Trustworthy Computing | April 2013
Microsoft Security Newsletter

Welcome to April’s Security Newsletter!

This month’s newsletter theme focuses on the importance of secure development. With the rapid evolution of technology, more and more governments, organizations, and individuals are relying on computing for everyday tasks. Software has been integrated into a wide range of devices and infrastructure including ATMs, medical equipment, power grids, media center consoles, and mobile devices. As technology becomes more and more woven into the fabric of society, the need to minimize the number and severity of vulnerabilities in software is increasingly important.

Next month (on May 14th and 15th), we will host the second annual Security Development Conference (http://www.securitydevelopmentconference.com/). This year’s conference is in San Francisco and it will bring together some of the best and brightest information security professionals from a variety of industries. Attendees will learn about proven security development practices through interactions with peers, luminaries, and other organizations. Sessions will cover the latest security development techniques and processes that can reduce risk and help protect organizations in this rapidly evolving technology landscape. The conference spans two days, offering over 20 sessions in three tracks (http://www.securitydevelopmentconference.com/topic/list): Engineering for Secure Data, Security Development Lifecycle & Data Security, and Business Risk & Data Security. This year’s keynote speakers include Scott Charney, Corporate VP Trustworthy Computing, Microsoft; Howard Schmidt, Executive Director, SAFECode and former cyber security advisor to the president; Edna M Conway, Chief Security Strategist Global Supply Chain, Cisco Systems; and Brad Arkin, Senior Director of Security, Adobe Secure Software Engineering Team (ASSET). If you are interested in advancing your organization’s security development practices then I strongly encourage you to check out the conference. Register today (http://www.securitydevelopmentconference.com/registration) with this special code—IND@SDC#12—exclusively for our newsletter subscribers and save $300.00 off current registration prices. I hope to see many of you there.

Best regards,

Tim Rains, Director
Microsoft Trustworthy Computing

Top Stories

http://blogs.technet.com/b/security/archive/2013/04/17/volume-14-of-the-microsoft-security-intelligence-report-released-hundreds-of-pages-of-new-security-intelligence-now-available.aspx
Microsoft Security Intelligence Report Volume 14 Now Available

Volume 14 of the Microsoft Security Intelligence Report (SIR) offers an in-depth perspective on software vulnerabilities and exploits, malware, potentially unwanted software, and malicious websites based on detailed trend analyses over the past several years, with a focus on the second half of 2012. Download the full report (http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4F/Microsoft_Security_Intelligence_Report_Volume_14_English.pdf), read key findings (http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4F/Microsoft_Security_Intelligence_Report_Volume_14_Key_Findings_Summary_English.pdf), and check out the featured article on Measuring Benefits of Real-Time Security Software (http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4F/Microsoft_Security_Intelligence_Report_Volume_14_Running_Unprotected_English.pdf).

http://blogs.technet.com/b/security/archive/2013/04/17/malicious-websites-now-the-top-threat-to-the-enterprise.aspx
Malicious Websites Now the Top Threat to the Enterprise

New data published in volume 14 of the Microsoft SIR shows that seven out of the top 10 threats affecting enterprises were known to be delivered through malicious websites. Explore this new trend and learn what you can do to protect your enterprise from this growing threat.

http://blogs.technet.com/b/srd/archive/2013/04/18/introducing-emet-v4-beta.aspx
Introducing EMET v4 Beta

The Enhanced Mitigation Experience Toolkit (EMET) is a free utility that helps prevent memory corruption vulnerabilities in software from being successfully exploited for code execution. Improvements in v4 are designed to enable EMET to be an effective mitigation layer for a wider variety of potential software exploit scenarios, to provide stronger protections against scenarios where EMET protection already exists, and to provide a way to respond to 0 day exploits as soon as possible.

Security Guidance

http://technet.microsoft.com/security/dn133753.aspx
Security Tip of the Month: The Security Response Readiness Assessment

Learn how to use Microsoft’s free Security Response Readiness Assessment tool (http://www.microsoft.com/security/msrc/collaboration/security-response-assessment.aspx) to help you evaluate the effectiveness of your software security response processes and identify areas for improvement.

http://www.microsoft.com/download/details.aspx?id=29884
Microsoft Security Development Lifecycle (SDL) Process Guidance – Version 5.2

In order to provide transparency on its internal software security development process, Microsoft makes its SDL process guidance available to the public. The Microsoft SDL guidance illustrates the way Microsoft applies the SDL to its products and technologies, including security and privacy requirements and recommendations for secure software development at Microsoft. It addresses Waterfall and Spiral development, Agile development, web applications, and line of business applications, and is available either as online guidance in the MSDN Library (http://msdn.microsoft.com/library/cc307891.aspx) or as a download (http://www.microsoft.com/download/details.aspx?id=29884).

http://www.microsoft.com/download/details.aspx?id=12379
Simplified Implementation of the Microsoft SDL

Not familiar with the Microsoft SDL? Read this overview of the core concepts of the SDL process and the individual security activities that should be performed. You can also review this helpful list of frequently asked questions (http://www.microsoft.com/security/sdl/resources/faq.aspx).

http://www.microsoft.com/security/sdl/video/videoplayer.aspx?t=SDL+Tools+Overview
Microsoft SDL Tools Overview

Quickly learn why development teams should download the SDL Implementation guidance and see how the Microsoft SDL toolset is meant to work together to help a company implement all the phases of the Microsoft SDL from requirements to software release. Want to learn more about each tool? Visit the Microsoft SDL Tools page (http://www.microsoft.com/security/sdl/adopt/tools.aspx) and click through the lifecycle to explore the tools associated with each phase.

http://www.microsoft.com/download/details.aspx?id=35823
The SDL Chronicles

The SDL Chronicles bring together the most compelling evidence of the positive benefits of adopting secure development processes. The document includes a report on the importance and value of strategic security development for several sectors of the U.S. economy as well as three case studies.

http://social.msdn.microsoft.com/Forums/en-US/sdlprocess/threads
Microsoft SDL Forum

Looking for assistance or additional guidance for the Microsoft SDL process? Check out the Microsoft SDL Forum for answers to common (and not so common) questions, or post a question of your own. Microsoft Services (http://www.microsoft.com/security/sdl/adopt/mcs.aspx) and the SDL Pro Network (http://www.microsoft.com/security/sdl/adopt/pronetwork.aspx) also offer training, consulting, and tools services designed to help you adopt the SDL process and make security and privacy an integral part of your software development.

Cloud Security Corner

http://www.microsoft.com/download/details.aspx?id=10162
Security Considerations for Client and Cloud Applications

The increasing importance of "client and cloud" computing raises a number of important concerns about security. Understand how Microsoft addresses potential security vulnerabilities during the development of "client and cloud" applications using the SDL.

This Month’s Security Bulletins

Microsoft Security Bulletin Summary for April 2013

Critical

- MS13-028:2817183 Cumulative Security Update for Internet Explorer (http://technet.microsoft.com/en-us/security/bulletin/MS13-028)
- MS13-029:2828223 Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (http://technet.microsoft.com/en-us/security/bulletin/MS13-029)

Important

- MS13-030:2827663 Vulnerability in SharePoint Could Allow Information Disclosure (http://technet.microsoft.com/en-us/security/bulletin/MS13-030)
- MS13-031:2813170 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (http://technet.microsoft.com/en-us/security/bulletin/MS13-031)
- MS13-032:2830914 Vulnerability in Active Directory Could Lead to Denial of Service (http://technet.microsoft.com/en-us/security/bulletin/MS13-032)
- MS13-033:2820917 Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (http://technet.microsoft.com/en-us/security/bulletin/MS13-033)
- MS13-034:2823482 Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (http://technet.microsoft.com/en-us/security/bulletin/MS13-034)
- MS13-035:2821818 Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (http://technet.microsoft.com/en-us/security/bulletin/MS13-035)
- MS13-036:2829996 Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (http://technet.microsoft.com/en-us/security/bulletin/MS13-036)

April 2013 Security Bulletin Resources:

- Microsoft Security Response Center (MSRC) Blog Post (http://blogs.technet.com/b/msrc/archive/2013/04/09/out-with-the-old-in-with-the-april-2013-security-updates.aspx)
- Security Bulletin Quick Overview (MP4) – 3000k (http://content1.catalog.video.msn.com/e2/ds/410e1cdf-c2b8-4b51-81f8-0ea41e50166f.mp4) | 600k (http://content4.catalog.video.msn.com/e2/ds/4de18e15-824d-40ae-a1e9-36c79c9db787.mp4) | 400k (http://content2.catalog.video.msn.com/e2/ds/9fcddac3-53ae-4395-bba8-3fa939c646fd.mp4)
- Security Bulletin Webcast (MP4) – 3000k (http://content3.catalog.video.msn.com/e2/ds/9dc275f9-e40e-45f6-9e1e-da97129839b7.mp4) | 600k (http://content4.catalog.video.msn.com/e2/ds/f6cd4fd8-49a3-419f-9ca8-ca69167f074d.mp4) | 400k (http://content5.catalog.video.msn.com/e2/ds/14d5597a-5563-41e1-90ca-5f827c72f17e.mp4)
- Security Bulletin Webcast Q&A (http://blogs.technet.com/b/msrc/p/april-2013-security-bulletin-q-a.aspx)

Security Events and Training

http://www.securitydevelopmentconference.com/
Security Development Conference
May 14–15, 2013 – San Francisco, CA

Hear from leading security experts, grow your professional network, and learn how to implement or accelerate the adoption of secure development practices within your organization. This year’s conference is focused on "Proven Practices, Reduced Risk," and will feature an event keynote from Trustworthy Computing Corporate Vice President Scott Charney supported by tracks on Engineering for Secure Data, Security Development Lifecycle & Data Security, and Business Risk & Data Security. Seating is limited; register today (https://microsoft.eventcore.com/SDC/RegistrationSelect.aspx) to secure your spot.

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032538728&culture=en-us
TechNet Webcast: Information about the May 2013 Security Bulletin Release
Wednesday, May 15, 2013

Join this webcast for a brief overview of the technical details of May’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

http://northamerica.msteched.com/
TechEd North America 2013
June 3-6, 2013 – New Orleans, LA

Learn how you can achieve your business goals while still protecting your assets and infrastructure. With the Architecture & Trustworthy Computing and Windows Client, Access & Management tracks at this year’s TechEd, you’ll learn how to provide consistent and secure user experiences for corporate- or employee-owned devices, while also helping to safeguard corporate data and resources through policy compliance and optimized application delivery. Learn how to leverage Microsoft identity and access management solutions for corporate boundary control and information protection, manage a user’s identity across the datacenter and the cloud, provide secure remote access, and define the resources they have access to, based on who they are, what they are accessing, and from what device.

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032538945
Windows Intune: Manage and Secure Your PCs and Mobile Devices from the Cloud
Tuesday, June 11, 2013

Deploying patches and software updates while validating your environment’s security status is important, not only to protect the environment but also to ensure the devices are operating correctly. Learn how Windows Intune helps organizations keep their PCs and mobile devices well-managed and more secure from virtually anywhere with cloud-based management tools. Can’t make it on June 11th? Join the June 25th session (https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032538946) instead.

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032538733
TechNet Webcast: Information about the June 2013 Security Bulletin Release
Wednesday, June 12, 2013

Join this webcast for a brief overview of the technical details of June’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

Essential Tools

- Microsoft Security Bulletins (http://technet.microsoft.com/security/bulletin)
- Microsoft Security Advisories (http://technet.microsoft.com/security/advisory)
- http://technet.microsoft.com/solutionaccelerators/cc835245.aspx