Microsoft Security Response Center Blog Alerts

Revision Note: V2.0 (June 9, 2015): Added the 3062760 update to the Juniper VPN Client Update section.
Summary: Microsoft is announcing the availability of an update for the Juniper Networks Windows In-Box Junos Pulse Client for Windows 8.1 and Windows RT 8.1. The update addresses a vulnerability in the Juniper VPN client by updating the affected Juniper VPN client libraries contained in affected versions of Microsoft Windows.

Revision Note: V1.0 (May 1, 2015): V1.0 (May 1, 2015): Advisory published.
Summary: Microsoft is offering the Local Administrator Password Solution (LAPS) that provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.

Revision Note: V3.0 (April 14, 2015): Revised advisory to announce with the release of security update 3038314 on April 14, 2015 SSL 3.0 is disabled by default in Internet Explorer 11, and to add instructions for how to undo the workarounds.
Summary: Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

Revision Note: V1.0 (April 14, 2015): Advisory published.
Summary: Microsoft is announcing the availability of a defense-in-depth update that improves the authentication used by the Public Key Cryptography User-to-User (PKU2U) security support provider (SSP) in Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The improvement is part of ongoing efforts to bolster the effectiveness of security controls in Windows.

Revision Note: V2.0 (March 26, 2015): Advisory rereleased to announce that the update for supported editions of Windows Server 2003 is now available. See Microsoft Knowledge Base Article 3050995 for more information and download links.
Summary: Microsoft is aware of improperly issued digital certificates coming from the subordinate CA, MCS Holdings, which could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The improperly issued certificates cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows.

Revision Note: V2.0 (March 19, 2015): Advisory rereleased to announce that the update for supported editions of Windows Server 2003 is now available. See Knowledge Base Article 3046310 for more information and download links.
Summary: Microsoft is aware of an improperly issued SSL certificate for the domain “live.fi” that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

Severity Rating: Important
Revision Note: V2.0 (March 10, 2015): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of a vulnerability. We have issued Microsoft Security Bulletin MS15-031 to address this issue. For more information about this issue, including download links for an available security update, please review the security bulletin. The vulnerability addressed is the Schannel Security Feature Bypass Vulnerability – CVE-2015-1637.

Revision Note: V1.0 (March 10, 2015): Advisory published.
Summary: Microsoft is announcing the reissuance of an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality. This update supersedes the 2949927 update that was rescinded on October 17, 2014 to address issues that some customers experienced after installation. As with the original release, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update as SHA-2 signing and verification functionality is already included in these operating systems. This update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.

Revision Note: V1.0 (February 10, 2015): Advisory published.
Summary: Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows 8, Windows Server 2008R2 and Windows Server 2012 that expands the Audit Process Creation policy to include the command information passed to every process. This is a new feature that provides valuable information to help administrators monitor, troubleshoot, and investigate security-related activities on their networks. For more information, see Microsoft Knowledge Base Article 3004375.

Revision Note: V2.0 (November 11, 2014): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of a vulnerability. We have issued Microsoft Security Bulletin MS14-064 to address this issue. For more information about this issue, including download links for an available security update, please review the security bulletin. The vulnerability addressed is the Windows OLE Remote Code Execution Vulnerability – CVE-2014-6352.