Microsoft Security Response Center Blog Alerts

Revision Note: V1.0 (March 10, 2015): Advisory published.
Summary: Microsoft is announcing the reissuance of an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality. This update supersedes the 2949927 update that was rescinded on October 17, 2014 to address issues that some customers experienced after installation. As with the original release, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update as SHA-2 signing and verification functionality is already included in these operating systems. This update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.

Revision Note: V1.0 (February 10, 2015): Advisory published.
Summary: Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows 8, Windows Server 2008R2 and Windows Server 2012 that expands the Audit Process Creation policy to include the command information passed to every process. This is a new feature that provides valuable information to help administrators monitor, troubleshoot, and investigate security-related activities on their networks. For more information, see Microsoft Knowledge Base Article 3004375.

Revision Note: V2.0 (November 11, 2014): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of a vulnerability. We have issued Microsoft Security Bulletin MS14-064 to address this issue. For more information about this issue, including download links for an available security update, please review the security bulletin. The vulnerability addressed is the Windows OLE Remote Code Execution Vulnerability – CVE-2014-6352.

Revision Note: V2.0 (October 17, 2014): Removed Download Center links for Microsoft security update 2949927. Microsoft recommends that customers experiencing issues uninstall this update. Microsoft is investigating behavior associated with this update, and will update the advisory when more information becomes available.
Summary: Microsoft is announcing the availability of an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality. Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update as SHA-2 signing and verification functionality is already included in these operating systems. This update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008

Revision Note: V1.0 (October 14, 2014): Advisory published.
Summary: Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT for the Microsoft Extensible Authentication Protocol (EAP) implementation that enables the use of Transport Layer Security (TLS) 1.1 or 1.2 through the modification of the system registry. For more information, see Microsoft Knowledge Base Article 2977292.

Revision Note: V2.0 (September 9, 2014): Advisory rereleased to announce the offering of the security update via Microsoft Update, in addition to the Download-Center-only option that was provided when this advisory was originally released.
Summary: Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings. The vulnerability could allow elevation of privilege and affects all supported versions of Microsoft .NET Framework except .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1.

Revision Note: V1.4 (July 29, 2014): Revised advisory to announce that Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. It remains available as an opt-in feature. See the Advisory FAQ section for more information.
Summary: Microsoft is announcing the availability of an update for all supported releases of Microsoft Windows to change how signatures are verified for binaries signed with the Windows Authenticode signature format. The change is included with Security Bulletin MS13-098, but will only be enabled on an opt-in basis. When enabled, the new default behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure, and Windows will no longer recognize non-compliant binaries as signed.

Revision Note: V2.0 (July 17, 2014): Advisory revised to announce the availability of update 2982792 for supported editions of Windows Server 2003. For more information, see the Suggested Actions section of this advisory.
Summary: Microsoft is aware of improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs under root CAs operated by the Government of India Controller of Certifying Authorities (CCA), which are CAs present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

Revision Note: V1.0 (June 17, 2014): Advisory published
Summary: Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft. The vulnerability could allow denial of service if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could prevent the Microsoft Malware Protection Engine from monitoring affected systems until the specially crafted file is manually removed and the service is restarted.

Revision Note: V3.0 (June 10, 2014): Revised advisory to rerelease the 2862973 update for Windows 8 and Windows Server 2012. This rerelease only applies to systems running Windows Embedded 8 and Windows Server 2012 for Embedded Systems. See the Advisory FAQ for more information.
Summary: Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Usage of MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.