Microsoft Security Response Center Blog Alerts

Revision Note: V5.0 (February 9, 2016): Rereleased advisory to announce the release of update 3126593 to enable the Restricted Admin mode for Credential Security Support Provider (CredSSP) by default. See Updates Related to this Advisory for details.
Summary: Microsoft is announcing the availability of updates for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that improve credential protection and domain authentication controls to reduce credential theft.

Revision Note: V1.0 (January 12, 2016): Advisory published.
Summary: Microsoft is announcing the availability of an update to improve interoperability between Schannel-based TLS clients and 3rd-party TLS servers that enable RFC5077-based resumption and that send the NewSessionTicket message in the abbreviated TLS handshake. The update addresses an issue in schannel.dll that could cause RFC5077 session ticket-based resumption to fail and subsequently cause WinInet-based clients (for example, Internet Explorer and Microsoft Edge) to perform a fallback to a lower TLS protocol version than the one that would have been negotiated otherwise. This improvement is part of ongoing efforts to bolster the effectiveness of encryption in Windows.

Revision Note: V1.0 (January 12, 2016): Advisory published.
Summary: Microsoft is releasing a new set of ActiveX kill bits with this advisory. These ActiveX kill bits are included in the Internet Explorer cumulative update released on January 12, 2016.

Revision Note: V53.0 (January 5, 2016): Added the 3133431 update to the Current Update section.
Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10; the update is also available for Adobe Flash Player in Microsoft Edge on all supported editions of Windows 10. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

Revision Note: V1.1 (December 8, 2015): Advisory updated to include more information about disabling DES by default in Windows 7 and Windows Server 2008 R2 and later operating systems. The update allows DES to be used between client and server to address scenarios in which DES is still required for application compatibility reasons.
Summary: Microsoft is announcing the availability of an update to harden scenarios in which Data Encryption Standard (DES) encryption keys are used with accounts to ensure that domain users, services, and computers that support other encryption types are not vulnerable to credential theft or elevation of privilege attacks. DES is considered a weak cipher due to well-known brute force and faster than brute force attacks. The cryptographic algorithm has also been removed from the standard [RFC 6649]. To further protect our users, Microsoft has disabled DES by default in Windows 7 and Windows Server 2008 R2 and later operating systems. However, this update does allow DES to be used between client and server to address scenarios in which DES is still required for application compatibility reasons. The improvement is part of ongoing efforts to bolster the effectiveness of encryption in Windows and still support legacy line-of-business (LOB) applications.

Revision Note: V1.0 (December 8, 2015): Advisory published.
Summary: Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

Revision Note: V1.0 (November 30, 2015): Advisory published.
Summary: Microsoft is aware of unconstrained digital certificates from Dell Inc. for which the private keys were inadvertently disclosed. One of these unconstrained certificates could be used to issue other certificates, impersonate other domains, or sign code. In addition, these certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Dell customers. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.

Revision Note: V1.0 (November 10, 2015): Advisory published.
Summary: Microsoft is announcing the availability of a security update for Windows Hyper-V to protect against a denial of service condition that can be triggered with certain central processing unit (CPU) chipsets. Although the weakness resides in the chipset, Microsoft is issuing this security update to protect customers. The update prevents guests on a Hyper-V system from triggering a weakness in the CPU that could allow instructions from a Hyper-V guest to place its Hyper-V host’s CPU into an unresponsive state, leading to a denial of service condition for the guest operating systems running on the affected host. Successful exploitation of the CPU weakness would require kernel-mode code execution privileges on the guest operating system.

Revision Note: V2.0 (October 13, 2015): Advisory revised to broaden the affected software list to include Windows 10 systems that are running .NET Framework 3.5 applications and systems with .NET Framework 4.6 installed that are running .NET Framework 4.5/4.5.1/4.5.2 applications, and to provide customers running these configurations with steps for manually disabling RC4 in TLS. See the Affected Software and Suggested Actions sections of this advisory for more information.
Summary: On May 13, 2014, Microsoft announced the availability of an update for Microsoft .NET Framework that disables RC4 in Transport Layer Security (TLS) through the modification of the system registry. Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions.

Revision Note: V2.0 (October 13, 2015): Advisory revised to notify customers that an update is available that modifies the Code Integrity component in Windows to extend trust removal for the four digital certificates addressed by this advisory to also preclude kernel-mode code signing.
Summary: Microsoft is aware of four digital certificates that were inadvertently disclosed by D-Link Corporation that could be used in attempts to spoof content. The disclosed end-entity certificates cannot be used to issue other certificates or impersonate other domains, but could be used to sign code. This issue affects all supported releases of Microsoft Windows.