Microsoft Security Bulletins and Advisories

Microsoft publishes security bulletins and advisories here. Those warn of vulnerabilities in Microsoft products.  You can sign up for updates via RSS or email here. They say:

“To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release.”

Microsoft says that Security Advisories flag security problems with Microsoft products. They are released as issues are found. Security Bulletins are issued monthly as a update for the issues found that month. The Advisory updates only the component mentioned in the Advisory.  Bulletins update the whole OS or a packaged bundle, like the .Net runtime. Advisories are targeted to programmers who can update the single subroutine mentioned in the advisory. So it is a way to issue the fix ahead of the bulletin. But it is not always going to help people who are using apps written by 3rd parties until the 3rd parties update those. Microsoft keeps older versions of its run-time components in Windows to support apps that have not been updated to use the newer components.

Two Advisories Sent this Month
Let’s look at two advisories sent this month. The first came on Jan 10 and the second Jan 27. These address items at the component level, such as a .dll.  It takes manual steps to fix those.

Microsoft Security Advisory 4010983:  Denial of Service
The first advisory is about ASP.NET Core MVC 1.1.0. The Core release of ASP.Net MVC does several items, including letting .Net code run on Mac and Linux, since Visual Studio 2015.

security bulletins and advisories

Microsoft just says this vulnerability could lead to a “denial of service” without providing any details of that.

This fix, requires developers to update to MVC 1.1.1 and make changes to their apps.  So it is not something that the Windows administrator can do. The developer has to open their code and then update the version number in their configuration file. They need Visual Studio to do that.

* Microsoft Security Advisory 4010983
 - Title: Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of
 - https://technet.microsoft.com/library/security/4010983.aspx
 - Reason for Revision: V1.0 (January 27, 2017): Advisory
 - Originally posted: January 27, 2017
 - Updated: N/A
 - Version: 1.0

Microsoft Security Advisory 3214296: Elevated Privileges
This one warns of an issue with Microsoft.IdentityModel.Tokens 5.1.0, which grants users access to specific items. It warns the hackers could use this module to give users elevated access. But that is only when these identity tokens are signed symmetrically. It does not affect asymmetrically signed tokens.

The good news is identity providers, like Verisign, and those who issue certificates used to sign code, are not using symmetrical signatures. Symmetrical means the algorithm used by the sender is the same as that of the recipient, applied in reverse. So there is no 3rd party verifying the integrity of that as there is with asymmetrical signatures. So the component could be subject to spoofing. But that would not be easy. And Microsoft certainly does not gives instructions to hackers on how they can do that.

There is an update for this one: version 5.1.1. But it has to be recompiled in Microsoft .Net code using Visual Studio. So it is an app issue and not one that can be fixed by an OS update, at least not until that OS update is sent out. So this is relevant only for IT shops writing their own code, just as with the advisory mentioned above.

* Microsoft Security Advisory 3214296
 - Title: Vulnerabilities in Identity Model Extensions Token Signing
 - https://technet.microsoft.com/library/security/3214296.aspx
 - Reason for Revision: V1.0 (January 10, 2017): Advisory
 - Originally posted: January 10, 2017
 - Updated: N/A
 - Version: 1.0

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal