Mohammad Akif

Hello, my name is Mohammad Akif and I am the National Security and Privacy Lead at Microsoft Canada. I wanted to give you advanced notice of two critical security bulletins that were recently released.

Microsoft has issued an Advance Notification Service (ANS) for two out-of-band security bulletins to be released Tuesday, July 28. Microsoft intends to release both security updates through systems such as Microsoft Update, Windows Update and Windows Server Update Services.

While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:

1. One Security Bulletin for Visual Studio - Vulnerabilities in Visual Studio Active Template Libraries Could Allow Remote Code Execution (969706)

Developers who have built components and controls using ATL should download this update and recompile their components and controls following the guidance provided in the following MSDN article.

2. One Security Bulletin for Internet Explorer - Cumulative Security Update for Internet Explorer (972260)

Recommendation: The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually.

While we can't go into specifics about the issue, we can say that the Visual Studio bulletin addresses an issue that can affect certain types of applications. The Internet Explorer bulletin provides defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update addresses vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported.

Customers who are up to date on their security updates are protected from known attacks related to this out-of-band release.

Microsoft will host a webcast to address customer questions on July 28, 2009, 1:00–2:00 PM PT (U.S. & Canada). An encore webcast will be available July 28, 2009, 4:00–5:00 PM PT (US & Canada). Customers may register now by clicking on the respective links above. The webcast will also be available on-demand after July 28, 2009.

Additional Resources

For the latest information on this and other security updates please read the Microsoft Security Response Center blog.

Best regards,

Mohammad Akif,

National Security and Privacy Lead
Microsoft Canada