Date: Thu, 5 Jan 2006 15:49:11 -0500
From: Stan Bubrouski <stan.bubrouski@...il.com>
To: "Geoff.Shatz@...elps.com" <Geoff.Shatz@...elps.com>
Cc: patchmanagement@...tserv.patchmanagement.org,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: MS Patch Release for WMF Issue


I can confirm the patch appears on Windows Update for my win2k SP4 machine.

-sb

On 1/5/06, Geoff.Shatz@...elps.com <Geoff.Shatz@...elps.com> wrote:
> Looks as if MS is issuing a fix out of band for the WMF issue. Should be available at 5:00 PM EST today.
>
> ________________________________________________________________________________________________________________
>
> ********************************************************************
> Title: Microsoft Security Response Center Bulletin Notification
> Issued: January 05, 2006
> ********************************************************************
>
> Summary
> =======
> Important Information for Thursday 5 January 2006
>
> Microsoft announced that it would release a security update to help
> protect customers from exploitations of a vulnerability in the
> Windows Meta File (WMF) area of code in the Windows operating system
> on Tuesday, January 2, 2006, in response to malicious and criminal
> attacks on computer users that were discovered last week.
>
> Microsoft will release the update today on Thursday, January 5, 2006,
> earlier than planned.
>
> Microsoft originally planned to release the update on Tuesday,
> January 10, 2006 as part of its regular monthly release of security
> bulletins, once testing for quality and application compatibility
> was complete.  However, testing has been completed earlier than
> anticipated and the update is ready for release.
>
> In addition, Microsoft is releasing the update early in response to
> strong customer sentiment that the release should be made available
> as soon as possible.
>
> Microsoft's monitoring of attack data continues to indicate that the
> attacks are limited and are being mitigated both by Microsoft's
> efforts to shut down malicious Web sites and with up-to-date
> signatures from anti-virus companies.
>
> The security update will be available at 2:00 pm PT as MS06-001.
>
> Enterprise customers who are using Windows Server Update Services
> will receive the update automatically.  In addition, the update is
> supported by Microsoft Baseline Security Analyzer 2.0, Systems
> Management Server, and Software Update Services.  Enterprise
> customers can also manually download the update from the Download
> Center.
>
> Microsoft will hold a special Web cast on Friday, January 6, 2006,
> to provide technical details on the MS06-001 and to answer questions.
> Registration details will be available at
> http://www.microsoft.com/technet/security/default.mspx.
>
> Microsoft will also be releasing additional security updates on
> Tuesday, January 10, 2006 as part of its regularly scheduled release
> of security updates.
>
> What is this alert?
>
> As part of the monthly security bulletin release cycle, Microsoft
> provides advance notification to our customers on the number of new
> security updates being released, the products affected, the
> aggregate maximum severity and information about detection tools
> relevant to the update. This is intended to help our customers plan
> for the deployment of these security updates more effectively.
>
> In addition, to help customers prioritize monthly security updates
> with any non-security updates released on Microsoft Update, Windows
> Update, Windows Server Update Services and Software Update Services
> on the same day as the monthly security bulletins, we also provide:
>
> * Information about the release of updated versions of the
>   Microsoft Windows Malicious Software Removal Tool.
> * Information about the release of NON-SECURITY, High Priority
>   updates on Microsoft Update (MU), Windows Update (WU), Windows
>   Server Update Services (WSUS) and Software Update Services (SUS).
> Note that this information will pertain ONLY to updates on Windows
> Update and only about High Priority, non-security updates being
> released on the same day as security updates. Information will NOT
> be provided about Non-security updates released on other days.
>
> On 10 January 2006 Microsoft is planning to release:
>
> Security Updates
> * 1 Microsoft Security Bulletin affecting Microsoft Windows. The
>   highest Maximum Severity rating for these is Critical. These updates
>   may require a restart. These updates will be detectable using the
>   Microsoft Baseline Security Analyzer (MBSA).
> * 1 Microsoft Security Bulletin affecting Microsoft Exchange and
>   Microsoft Office. The highest Maximum Severity rating for these is
>   Critical. These updates may require a restart. These updates will be
>   detectable using the Microsoft Baseline Security Analyzer (MBSA).
>
> Microsoft Windows Malicious Software Removal Tool
> * Microsoft is planning to release an updated version of the
>   Microsoft Windows Malicious Software Removal Tool on Windows Update,
>   Microsoft Update, Windows Server Update Services and the Download
>   Center.
> Note that this tool will NOT be distributed using Software Update
> Services (SUS).
>
> Non-security High Priority updates on MU, WU, WSUS and SUS
> * Microsoft is planning to release 1 NON-SECURITY High-Priority
>   Update on Windows Update (WU) and Software Update Services (SUS).
> * Microsoft is planning to release 3 NON-SECURITY High-Priority
>   Updates on Microsoft Update (MU) and Windows Server Update Services
>   (WSUS)
>
> Although we do not anticipate any changes, the number of bulletins,
> products affected, restart information and severities are subject to
> change until released.
>
> Microsoft will host a webcast next week to address customer
> questions on these bulletins. For more information on this webcast
> please see below:
> * TechNet Webcast: Information about Microsoft's Security
>   Bulletins (Level 100)
> * Wednesday, January 11, 2006 11:00 AM (GMT-08:00) Pacific Time
>   (US & Canada)
>   http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032287360&EventCategory=4&culture=en-US&CountryCode=US
> At this time no additional information on these bulletins such as
> details regarding severity or details regarding the vulnerability
> will be made available until 10 January 2006.
>
>
> ********************************************************************
>
> Support:
> ========
> Technical support is available from Microsoft Product Support
> Services at 1-866-PC SAFETY (1-866-727-2338). There is no
> charge for support calls associated with security updates.
> International customers can get support from their local Microsoft
> subsidiaries. Phone numbers for international support can be found
> at: http://support.microsoft.com/common/international.aspx
>
> Microsoft Support Lifecycle for Business and Developer Software
> ===============================================================
> The Microsoft Support Lifecycle policy provides consistent and
> predictable guidelines for product support availability at the
> time that the product is released. Under this policy, Microsoft
> will offer a minimum of ten years of support. This includes five
> years of Mainstream Support and five years of Extended Support for
> Business and Developer products. Microsoft will continue to provide
> security update support, at a supported Service Pack level, for a
> minimum of ten years through the Extended support phase. For more
> information about the Microsoft Support Lifecycle, visit
> http://support.microsoft.com/lifecycle/ or contact your Technical
> Account Manager.
>
> Additional Resources:
> =====================
> * Microsoft has created a free monthly e-mail newsletter containing
>   valuable information to help you protect your network. This
>   newsletter provides practical security tips, topical security
>   guidance, useful resources and links, pointers to helpful
>   community resources, and a forum for you to provide feedback
>   and ask security-related questions.
>   You can sign up for the newsletter at:
>
>   http://www.microsoft.com/technet/security/secnews/default.mspx
>
> * Microsoft has created a free e-mail notification service that
>   serves as a supplement to the Security Notification Service
>   (this e-mail). The Microsoft Security Notification Service:
>   Comprehensive Version. It provides timely notification of any
>   minor changes or revisions to previously released Microsoft
>   Security Bulletins and Security Advisories. This new service
>   provides notifications that are written for IT professionals and
>   contain technical information about the revisions to security
>   bulletins. To register visit the following Web site:
>
>   http://www.microsoft.com/technet/security/bulletin/notify.mspx
>
> * Protect your PC: Microsoft has provided information on how you
>   can help protect your PC at the following locations:
>
>   http://www.microsoft.com/security/protect/
>
>   If you receive an e-mail that claims to be distributing a
>   Microsoft security update, it is a hoax that may be distributing a
>   virus. Microsoft does not distribute security updates via e-mail.
>   You can learn more about Microsoft's software distribution
>   policies here:
>
> http://www.microsoft.com/technet/security/topics/policy/swdist.mspx
>
>
> ********************************************************************
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
> PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
> DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
> THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> PURPOSE.
> IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
> LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
> DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
> ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
> SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
> FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
> LIMITATION MAY NOT APPLY.
> ********************************************************************
>
> This newsletter was sent by the Microsoft Corporation
> 1 Microsoft Way
> Redmond, Washington, USA
> 98052
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>