Skip to main content
MSRC

2010

MS10-049: An inside look at CVE-2009-3555, the TLS renegotiation vulnerability

Tuesday, August 10, 2010

This issue was identified by security researchers Marsh Ray and Steve Dispensa. The vulnerability exists because certain Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protected protocols assume that data received after a TLS renegotiation is sent by the same client as before the renegotiation. Renegotiation is TLS functionality that allows either peer to change the parameters of the secure session.

Read More

MS10-054: Exploitability Details for the SMB Server Update

Tuesday, August 10, 2010

This month Microsoft released an update for Windows to address three vulnerabilities in the SMB Server component. Two of the vulnerabilities are remote denial-of-service (DoS) attacks, while one (CVE-2010-2550) has the potential for remote code execution (RCE). This blog post provides more details on the exploitability of CVE-2010-2550, and outlines why the risk of reliable RCE is low.

Read More

Update on the publicly disclosed Win32k.sys EoP Vulnerability

Tuesday, August 10, 2010

Hi everyone, Yesterday we tweeted to let customers know that we were investigating a publicly disclosed vulnerability in the Windows Kernel-mode drivers (win32k.sys) affecting all supported operating systems. We are not aware of attacks that try to use the reported vulnerability or of any customer impact at this time. Today we have more information, as well as a planned course of action.

Read More

August 2010 Bulletin Release Advance Notification

Thursday, August 05, 2010

Hello; I’m Angela Gunn and I’m new to the Response Communications team. Today we’re releasing our advance notification for the August security bulletin release, which is scheduled for Tuesday, August 10. This month’s release is composed of 14 bulletins addressing 34 vulnerabilities in Windows, Microsoft Office, Internet Explorer, SQLMSXML, and Silverlight.

Read More

August 2010 Out-of-Band Security Release Webcast Q&A

Tuesday, August 03, 2010

Hello - During today’s webcast our team of technical experts answered over fifty questions regarding the August 2010 Out-of-Band Security Release update questions. Click hereto review the entire list of questions and answers from today’s Out-of-Band webcast Q&A page. Also, here is the link to the Q&A index page for your review - in case you wanted to view any of the past 12 webcast Q&A’s.

Read More

MS10-046 Released Out-of-Band Today

Monday, August 02, 2010

Hello, As we announced on Friday, today we released Security Bulletin MS10-046 out-of-band to address a vulnerability in Windows. This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. As our colleagues over in the MMPC have noted, several families of malware have been attempting to attack this vulnerability.

Read More