Sep 28, 2010

Out of Band Release to Address Microsoft Security Advisory 2416728

Hello -

Today we provided advance notification to customers that we will release an out-of-band security update to address the vulnerability discussed in Security Advisory 2416728. The update is scheduled for release tomorrow, Tuesday, September 28, 2010 at approximately 10:00 AM PDT. The bulletin has a severity rating of Important and addresses a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework when used on Windows Server operating systems. Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a Web server from their computer.

Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds.

The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center. This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately. We strongly encourage these customers to visit the Download Center, download the update, test it in their environment and deploy it as soon as possible.

The update will also be released through Windows Update and Windows Server Update Services within the next few days as we test to make sure distribution will be successful through these channels. This approach allows us to release sooner to customers who may choose to deploy it manually without delaying for broader distribution.

For customers using Automatic Update, this Security Update will automatically be applied once it is released broadly. Once the Security Update is applied, customers are protected against known attacks related to Security Advisory 2416728.

We will also hold a special edition webcast for the bulletin release on Tuesday, September 28, 2010 at 1:00 PM PDT, where we will present information on the bulletin and take customer questions. If you are interested in attending the webcast, click here to sign up.


Dave Forstrom

Director, Trustworthy Computing

Sep 20, 2010

Google Authenticators -- Moving security beyond passwords

Hey look... Google Authenticators!

Moving security beyond passwords:
Posted by Travis McCoy, Product Manager, Google Security Team

Entering your username and password on a standard website gives you access to everything from your email and bank accounts to your favorite social networking site. Your passwords possess a lot of power, so it's critical to keep them from falling into the wrong hands. Unfortunately, we often find that passwords are the weakest link in the security chain. Keeping track of many passwords is a pain, and unfortunately accounts are regularly compromised when passwords are too weak, are reused across websites, or when people are tricked into sharing their password with someone untrustworthy. These are difficult industry problems to solve, and when re-thinking the traditional username/password design, we wanted to do more.

As we explained today on our Google Enterprise Blog, we've developed an option to add two-step verification to Google Apps accounts. When signing in, Google will send a verification code to your phone, or let you generate one yourself using an application on your Android, BlackBerry or iPhone device. Entering this code, in addition to a normal password, gives us a strong indication that the person signing in is actually you. This new feature significantly improves the security of your Google Account, as it requires not only something you know: your username and password, but also something that only you should have: your phone. Even if someone has stolen your password, they'll need more than that to access your account.

Building the technology and infrastructure to support this kind of feature has taken careful thought. We wanted to develop a security feature that would be easy to use and not get in your way. Along those lines, we're offering a variety of sign in options, along with the ability to indicate when you're using a computer you trust and don't want to be asked for a verification code from that machine in the future. Making this service available to millions of users at no cost took a great deal of coordination across Google’s specialized infrastructure, from building a scalable SMS and voice call system to developing open source mobile applications for your smart phone. The result is a feature we hope you'll find simple to manage and that makes it easy to better protect your account.

We look forward to gathering feedback about this feature and making it available to all of our users in the coming months.

If you'd like to learn more about staying safe online, see our ongoing security blog series or visit

Sep 12, 2010

Google Family Safety Center

Announcing our new Family Safety Center:
Posted by Kate Hammond, Marketing Manager

Helping your children use the Internet safely is similar to teaching them to navigate the offline world. There are parts of the real world that you wouldn’t let your children explore unsupervised—and that goes for the online world as well. But while most of us remember being taught to cross the road and not talk to strangers, we probably weren’t taught how much personal information we should share online or how to handle cyberbullies.

Therefore, it’s no surprise when parents and teachers tell us they want to learn more about how to help their kids use the Internet safely and responsibly.

Today, we’re launching our new Family Safety Center: a one-stop shop about staying safe online. We’ve included advice from leading child safety organizations around the world, tips and ideas from parents here at Google, as well as information on how to use the safety tools and controls built into Google products.

For day-to-day practical tips we asked some of our parents at Google to share their own ideas. Tactics they use range from limiting screen time and preventing computers in kids’ bedrooms to ad hoc checks on their browser history and social networking profiles. Everyone has different ideas and there’s no right or wrong answer, but hopefully some of these will resonate and inspire you. See more videos and let us know your own thoughts on our YouTube channel.

To answer some of the toughest questions most important to parents, such as accessing inappropriate content and meeting strangers online, we went straight to the people that know best: the organizations that advocate and promote child safety and digital literacy. Organizations that we’ve partnered with around the world include the U.S. Federal Trade Commission’s OnGuard Online initiative, the Canadian Centre for Child Protection, the Australian Communications and Media Authority, U.K.’s ChildNet, and New Zealand’s NetSafe.

The new Safety Center also provides information on the safety tools built into Google products. SafeSearch and YouTube Safety Mode can help you control what content your children stumble across. Sharing controls in YouTube, Picasa, Blogger and others ensure your videos, photos and blogs are shared only with the right people. And in response to popular requests, we’ve added a section on managing geolocation features on mobiles.

With kids growing up in an age where digital know-how is essential, it’s increasingly important to ensure that they’re developing healthy, safe and responsible online habits. And we’re thinking every day about how we can help parents and teachers to do just that.