#microsoft

Today we announced the upcoming Mitigation Bypass Bounty, the BlueHat Bonus for Defense, and the Internet Explorer 11 Preview Bug Bounty program. It’s very exciting to finally take the wraps off of these initiatives and we are anticipating some great submissions from the security research community! These programs will allow us to reward great work by researchers and improve the security of our software – all to the benefit of our customers.

Over the years, we’ve put a lot of work into helping secure the computing ecosystem and limiting the number of issues in our products. The security researcher community is critical to these efforts, as they help us find vulnerabilities in our software that we may have missed. Now we’re taking it even further.

We are pleased to announce that the final release of version 4.0 of the Enhanced Mitigation Experience Toolkit , best known as EMET, is now finally available for download. You can download it from http://www.microsoft.com/en-us/download/details.aspx?id=39273. We already mentioned some of the new features introduced in EMET 4: Certificate Trust , mitigations improvement hardening , and the Early Warning Program.

The global adoption of computing continues to draw attackers toward ever-richer targets. The latest data from the Microsoft Security Intelligence Report shows that although industry-wide vulnerability disclosures are down (and computer defenses are improved), exploit activity has actually increased in many parts of the world. See the Microsoft Security Intelligent Report (SIR) v14 for more details.

Today we’re publishing the June 2013 Security Bulletin Webcast Questions & Answers page. We fielded three questions during the webcast, with specific questions focusing primarily on Windows Print Spooler (MS13-050), Microsoft Office (MS13-051), and the security advisory addressing digital certificates (SA2854544). There was one question we were unable to field on the air which we answered on the Q&A page.

It was just over one year ago, May 28, 2012, to be exact, that I transitioned from running active MSRC cases and writing bulletins to my current role managing software security incidents. A lot has changed in that year*- _and I’ve dealt with some interesting issues during my tenure* - _but our goal of providing the best customer protections possible remains a constant.

MS13-051 addresses a security vulnerability in Microsoft Office 2003 and Office for Mac. Newer versions of Microsoft Office for Windows are not affected by this vulnerability, but the newest version of Office for Mac (2011) is affected. We have seen this vulnerability exploited in targeted 0day attacks in the wild. In this blog we’ll cover the following aspects:

Today we’re providing Advance Notification of five bulletins for release on Tuesday, June 11, 2013. This release brings one Critical- and four Important-class bulletins. The Critical-rated bulletin addresses issues in Internet Explorer, and the Important-rated bulletins address issues in Microsoft Windows and Office. We will publish the bulletins on the second Tuesday of the month, at approximately 10 a.

There is much to say about the use of Java in both consumer and enterprise environments. Like any other platforms, it has both devoted supporters and fervent critics. But for most, Java is a requirement, a means to an end. In the past few years, Java as a platform has been the target of numerous malware attacks, which exploit a number of Java runtime vulnerabilities on the target machines.

For those who couldn’t attend the live webcast, today we’re publishing the May 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Internet Explorer (MS13-037 and MS13-038) and Visio (MS13-044). We invite our customers to join us for the next public webcast on Wednesday, June 12, 2013, at 11 a.