Microsoft Security Newsletter
Phil Cross  
Hello to you all, and especially to those readers who said hello at the Windows 7, Windows Server 2008 Release 2 (R2) and Exchange Server 2010 launch at Wembley. The suggestion that I look much older than my picture has made me update my photo for this month’s edition, but I’m thick-skinned so it’s ok!

You probably expect me to talk about Windows 7 and the new security features, but I’ve talked about them before. Instead, I would like to talk about something that does not get as much press in the launch season: one of the ‘less shiny’ back-room processes that make Windows 7 a terrific operating system and, if used properly, can really help your organisation. It’s called the Microsoft Security Development Lifecycle (SDL).

Microsoft has been talking to developers about the SDL for years, and they understand its importance, but business owners have traditionally not given them the time to do it right. Now decision-makers are starting to see where the SDL makes sense to them, too. If you want proof, check out the Microsoft SDL: Return on Investment white paper. You’ll see how important it is to give developers the time and resources they need to code securely.

The SDL team has also released some new tools which they share with us in our Security Tip of the Month, ‘Using BinScope Binary Analyzer to Improve Code Security’. There’s also a lot of information on Cloud Computing in this month’s Security Guidance section.

Before you read on, I must say a couple of general things about Windows 7 (after all, I have been running it for nine months now). It may be time to think about moving off Windows XP. In the past, some of you may have wanted to move to a more secure operating system, but application compatibility has kept you locked in place. Windows 7 has the solution: better drivers (many are already available) and the ability to run Windows XP in a virtual machine called Windows XP Mode on Windows 7. Both really help tear down those barriers.

Thanks for reading. Ed Gibson has been extremely busy travelling so I have given him a month off from writing an article, if you’re looking for it. He will be back next month.



Phil Cross
philcr@microsoft.com
twitter.com/philcr
+44 (0) 118 909 3306

Top Stories

- This is an interesting article by Colin Chaplin, a member of our community who specialises in security. Read what he thinks about the way our Government handles its secure communications (just don’t mention ‘CD’s in the post’).
- By building on the same security principles used to manage risks to Microsoft software development and operating environments, the Online Services Security and Compliance (OSSC) team at Microsoft has created an online Information Security Programme – one that results in continuous improvements to security for the Microsoft cloud computing environment. Find out what cloud computing at Microsoft means today.
- Learn about the U.S. Government’s vision for cloud computing, beginning with Apps.gov, an online marketplace where federal agencies can find and buy cloud-based IT services. If anyone has any pointers to the UK government position on cloud computing, please let me know.
- Learn how to meet the data-security standards of the payment-card industry (PCI) using Microsoft products and technologies.

Security Guidance

- Download this Microsoft verification tool to analyse binaries on a project-wide level and ensure that they comply with the Microsoft SDL requirements and recommendations.
- As software comes under increasing attack, it is important that your team is equipped with tools that help them write more secure code. Learn how to use BinScope to quickly and easily verify that your compiled binaries comply with the requirements of the Microsoft SDL.
- MiniFuzz is a simple file fuzzer designed to ease the adoption of fuzz testing by non-security people who are unfamiliar with file-fuzzing tools or have never used them in software development.
- Take a tour of the capabilities of the Microsoft cloud platform by building and running a simple service using the platform software development kit (SDK). The demos highlight some of the features of the platform, including service management, storage and an integrated developer experience.
- Windows Azure Storage provides scalable, secure and performance-efficient storage services for the cloud through familiar and easy-to-use programming interfaces. The Windows Azure Blob service provides a simple interface for storing named files along with metadata for each file. Learn about the Windows Azure Blob programming interface and the advanced ‘blob’ concepts.
- Get familiar with the encryption algorithms and practices used to create cryptographic schemes for your cloud applications. Learn more about symmetric and asymmetric encryption algorithms, the SHA-256 hash algorithm, and how to implement these in a simple application.
- Technical content includes hands-on labs, presentations and demos to help you learn how to use and develop for the Windows Azure platform, including Windows Azure, SQL Azure and .NET Services.
- Explore ways to secure the .NET Services Bus and learn about helper classes and utilities that automate many of the details.

This Month's Security Bulletins

Critical:

- MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)

- MS09-051: Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)

- MS09-052: Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)

- MS09-054: Cumulative Security Update for Internet Explorer (974455)

- MS09-055: Cumulative Security Update of ActiveX Kill Bits (973525)

- MS09-060: Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)

- MS09-061: Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)

- MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) 

Important:

- MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254) 

- MS09-056: Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571) 

- MS09-057: Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)

- MS09-058: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486)

- MS09-059: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467)

Security Bulletin Overview for September 2009

- Microsoft Security Response Center (MSRC) Blog Post
- Video overview available in the following formats: Windows Media Video (WMV), Windows Media Audio (WMA), iPod Video (MP4), MP3 Audio, High Quality WMV (2.5 Mbps)

The Business of Security

By Andreas Wuchner, IT Manager and Risk, Compliance and Security Professional, Deutsche Bank
In today’s IT-security market, more and more people are competing for the same positions. What skills are companies looking for? How can you improve your chances and set yourself apart? With over a decade of experience hiring IT security and risk professionals, IT Manager Andreas Wuchner shares the insights he has gained into everything from certification to communication skills.
Is there a topic you would like us to discuss? Send an e-mail to secaware@microsoft.com 

Microsoft Product Lifecycle Information

Find information about your particular products on the Microsoft Product Lifecycle website.

- See a list of supported service packs: Microsoft provides free software updates for security and non-security issues for all supported service packs.

Security Events and Training

- Security in the cloud must combine the capabilities of the outward-looking web (such as reach and customer interaction) with the inward-looking requirements of an organisation (including data retention, security and employee productivity). This learning path will show you how to flexibly deploy an application on-premise, in the cloud, or both, and how you can help the business attain its goals of flexibility, usability and security.
- Learn about Windows 7 core platform-security improvements at this free online event. It includes sessions and demonstrations about secure messaging, secure collaboration, information protection and identity-and-access management.

Upcoming Security Webcasts (available on demand if date has passed)


Search for upcoming security webcasts. All webcasts are available on demand once the date and time have passed.
For IT Professionals
- TechNet Webcast: Improving the Wireless Network Infrastructure at Microsoft (Level 300) 
Tuesday, 10 November 2009, 5.30 p.m.

- TechNet Webcast: Microsoft Secure Collaboration Solution (Level 200) 
Available on-demand.

- TechNet Webcast: Thrive Live! A Technical Framework for Data Governance (Level 200) 
Available on-demand.

- TechNet Webcast: Identity and Access Management Solution (Level 200) 
Thursday, 29 October 2009, 8.00 p.m.

- TechNet Webcast: Microsoft Information Protection Solution (Level 200) 
Tuesday, 3 November 2009, 9.00 p.m.

- TechNet Webcast: Technical Overview: System Center Configuration Manager 2007 SP2 and R3 (Level 200) 
Tuesday, 3 November 2009, 8.00 p.m.

- TechNet Webcast: Microsoft Secure Messaging Solution (Level 200) 
Thursday, 5 November 2009, 9.00 p.m.

- TechNet Webcast: Microsoft Secure Endpoint Solution (Level 200) 
Tuesday, 10 November 2009, 8.00 p.m.

- TechNet Webcast: Information About Microsoft November Security Bulletins (Level 200) 
Wednesday, 11 November 2009, 7.00 p.m.

For Developers
Now On Demand
- TechNet Webcast: Securing Virtual Environments (Level 300) 
Learn how to keep offline, virtualized servers up-to-date and safe from attack.


Security Newsletter
Volume 6, No. 10

October 2009

This communication was sent by Microsoft Limited, Microsoft Campus, Thames Valley Park, Reading, RG6 1WG.
© 2009 Microsoft Corporation