Updated: 1 hour 59 min ago
Revision Note: V1.1 (February 28, 2014): Advisory revised to announce a detection change in the 2862152 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows RT 8.1. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: Microsoft is announcing the availability of an update for all supported releases of Windows to address a vulnerability in how server connections are authenticated to clients in either DirectAccess or IPsec site-to-site tunnels.
Revision Note: V2.0 (February 27, 2014): Revised advisory to rerelease update 2871690. The rereleased update addresses an issue where specific third-party BIOS versions did not properly validate the signature of the original update. Customers who have already successfully installed the original update do not need to take any action. See the Advisory FAQ for more information.
Summary: Microsoft is announcing the availability of an update for Windows 8 and Windows Server 2012 that revokes the digital signatures for nine private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. At the time of this release, these UEFI modules are not known to be available publicly.
Revision Note: V20.0 (February 20, 2014): Added the 2934802 update to the Current Update section.
Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11.
Revision Note: V1.0 (February 19, 2014): Advisory published.
Summary: Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 10. Only Internet Explorer 9 and Internet Explorer 10 are affected by this vulnerability. Other supported versions of Internet Explorer are not affected. Applying the Microsoft Fix it solution, "MSHTML Shim Workaround," prevents the exploitation of this issue. See the Suggested Actions section of this advisory for more information.
Revision Note: V1.2 (February 11, 2014): Rereleased advisory as a reminder to customers that the dormant changes implemented with MS13-098 will be enabled on June 10, 2014. After this date, Windows will no longer recognize non-compliant binaries as signed. See the Recommendation and Suggested Actions sections of this advisory for more information.
Summary: Microsoft is announcing the availability of an update for all supported releases of Microsoft Windows to change how signatures are verified for binaries signed with the Windows Authenticode signature format. The change is included with Security Bulletin MS13-098, but will not be enabled until June 10, 2014. Once enabled, the new default behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure. Note that after June 10, 2014, Windows will no longer recognize non-compliant binaries as signed.
Revision Note: V2.0 (February 11, 2014): Revised advisory to announce that the 2862973 update for all affected releases of Microsoft Windows is now offered through automatic updating. Customers who previously applied the 2862973 update do not need to take any action.
Summary: Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Usage of MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.