Microsoft Security Bulletins and Advisories
“To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release.”
Microsoft says that Security Advisories flag security problems with Microsoft products. They are released as issues are found. Security Bulletins are issued monthly as a update for the issues found that month. The Advisory updates only the component mentioned in the Advisory. Bulletins update the whole OS or a packaged bundle, like the .Net runtime. Advisories are targeted to programmers who can update the single subroutine mentioned in the advisory. So it is a way to issue the fix ahead of the bulletin. But it is not always going to help people who are using apps written by 3rd parties until the 3rd parties update those. Microsoft keeps older versions of its run-time components in Windows to support apps that have not been updated to use the newer components.
Two Advisories Sent this Month
Let’s look at two advisories sent this month. The first came on Jan 10 and the second Jan 27. These address items at the component level, such as a .dll. It takes manual steps to fix those.
Microsoft Security Advisory 4010983: Denial of Service
The first advisory is about ASP.NET Core MVC 1.1.0. The Core release of ASP.Net MVC does several items, including letting .Net code run on Mac and Linux, since Visual Studio 2015.
Microsoft just says this vulnerability could lead to a “denial of service” without providing any details of that.
This fix, requires developers to update to MVC 1.1.1 and make changes to their apps. So it is not something that the Windows administrator can do. The developer has to open their code and then update the version number in their configuration file. They need Visual Studio to do that.
* Microsoft Security Advisory 4010983
- Title: Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of
- Reason for Revision: V1.0 (January 27, 2017): Advisory
- Originally posted: January 27, 2017
- Updated: N/A
- Version: 1.0
Microsoft Security Advisory 3214296: Elevated Privileges
This one warns of an issue with Microsoft.IdentityModel.Tokens 5.1.0, which grants users access to specific items. It warns the hackers could use this module to give users elevated access. But that is only when these identity tokens are signed symmetrically. It does not affect asymmetrically signed tokens.
The good news is identity providers, like Verisign, and those who issue certificates used to sign code, are not using symmetrical signatures. Symmetrical means the algorithm used by the sender is the same as that of the recipient, applied in reverse. So there is no 3rd party verifying the integrity of that as there is with asymmetrical signatures. So the component could be subject to spoofing. But that would not be easy. And Microsoft certainly does not gives instructions to hackers on how they can do that.
There is an update for this one: version 5.1.1. But it has to be recompiled in Microsoft .Net code using Visual Studio. So it is an app issue and not one that can be fixed by an OS update, at least not until that OS update is sent out. So this is relevant only for IT shops writing their own code, just as with the advisory mentioned above.
* Microsoft Security Advisory 3214296
- Title: Vulnerabilities in Identity Model Extensions Token Signing
- Reason for Revision: V1.0 (January 10, 2017): Advisory
- Originally posted: January 10, 2017
- Updated: N/A
- Version: 1.0