UPDATE! Out of Band Security Bulletin Notification


Mohammad Akif

Hello, my name is Mohammad Akif and I am the National Security and Privacy Lead at Microsoft Canada. I wanted to give you advanced notice of two critical security bulletins that were recently released.

Microsoft has issued an Advance Notification Service (ANS) for two out-of-band security bulletins to be released Tuesday, July 28. Microsoft intends to release both security updates through systems such as Microsoft Update, Windows Update and Windows Server Update Services.

While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:

1. One
Security Bulletin for Visual Studio
– Vulnerabilities in Visual Studio
Active Template Libraries Could Allow Remote Code Execution (969706)

Developers who have built components and controls using ATL should download
this update and recompile their components and controls following the guidance
provided in the following MSDN
article
.

2. One
Security Bulletin for Internet Explorer
– Cumulative Security Update for
Internet Explorer (972260)

Recommendation: The majority of customers have automatic updating enabled and
will not need to take any action because this security update will be downloaded
and installed automatically. Customers who have not enabled automatic updating
need to check for updates and install this update manually.

While we can’t go into specifics about the issue, we can say that the Visual
Studio bulletin addresses an issue that can affect certain types of
applications. The Internet Explorer bulletin provides defense-in-depth changes
to Internet Explorer to help provide additional protections for the issues
addressed by the Visual Studio bulletin. The Internet Explorer update addresses
vulnerabilities rated as Critical that are unrelated to the Visual Studio
bulletin that were privately and responsibly reported.

Customers who are up to date on their security updates are protected
from known attacks related to this out-of-band release.

Microsoft will host a webcast to address customer questions on July
28, 2009, 1:00–2:00 PM PT
(U.S. & Canada). An encore webcast will be
available July
28, 2009, 4:00–5:00 PM PT
(US & Canada). Customers may register now by
clicking on the respective links above. The webcast will also be available
on-demand after July 28, 2009.

Additional Resources

For the latest information on this and other security updates please read the
Microsoft Security Response Center
blog.

Best regards,

Mohammad Akif,

National Security and Privacy Lead

Microsoft Canada


Comments (0)