Assessing the risk of the December security bulletins

This morning we released six security bulletins, three Critical and three Important, addressing 12 CVEs. Please apply the Internet Explorer update right away as it poses the most risk of all the bulletins due to severity and exploitability. The Internet Explorer update addresses the vulnerability described by Security Advisory 977981. We hope that the table and…

Extended Protection for Authentication

This month, Microsoft is releasing several non-security updates that implement Extended Protection for Authentication as a mechanism to help safeguard authentication credentials on the Windows platform. These new updates are not security bulletins, but non-security updates that allow web clients using the Windows HTTP Services, IIS web servers and applications based on the HTTP Protocol…

SEHOP per-process opt-in support in Windows 7

In a previous blog post we discussed the technical details of Structured Exception Handler Overwrite Protection (SEHOP) which is an exploit mitigation feature that was first introduced in Windows Vista SP1 and Windows Server 2008 RTM. SEHOP prevents attackers from being able to use the Structured Exception Handler (SEH) overwrite exploitation technique when attempting to…

Font Directory Entry Parsing Vulnerability In win32k.sys

MS09-065 addresses a vulnerability (CVE-2009-2514) in the font parsing subsystem of win32k.sys.  If not addressed, this vulnerability could allow an attacker to bluescreen (DoS) the machine (best case scenario) or run code of his/her choice, possibly in the context of the kernel (worst case scenario).    In this blog entry, I’ll attempt to answer a…

Vulnerability in Web Services on Devices (WSD) API

MS09-063 addresses a critical vulnerability (CVE-2009-2512) in the Web Services on Devices (WSD) API. Web Services on Devices allows a computer to discover and access a remote device and its associated services across a network. It supports device discovery, description, control, and eventing. The WSD API functionality is implemented in the WSDApi.dll module in Windows,…

Details on the License Logging Service vulnerability

Today, we released MS09-064 which addresses a vulnerability in the License Logging Service.  In this post, we provide some background on the service and the severity of the underlying vulnerability.   Background License Logging Service (LLS) is a feature that was originally designed to help customers manage licenses for Microsoft server products licensed in the…

Announcing the release of the Enhanced Mitigation Evaluation Toolkit

*** UPDATE: Version 2.0 of EMET is now available.  Click here to read more about it. ***   Even as you read this, people around the world are hunting for vulnerabilities in software applications.  Odds are some of them will be successful.  Depending on their motives and what they find, your software and systems may be…

Assessing the risk of the October security bulletins

This morning we released 13 security bulletins, our largest release of 2009.  Altogether, these bulletins address 34 separate CVEs.  We’d like to use this blog post to help you prioritize your deployment of the updates. Prioritization Criteria We’ve provided a prioritized list of bulletins in the table below.  The prioritization is based on the following…

MS09-056: Addressing the X.509 CryptoAPI ASN.1 security vulnerabilities

MS09-056 addresses two vulnerabilities that affect how the Windows CryptoAPI parses X.509 digital certificates. Applications on the Windows platform as well as Windows components such as the WinHTTP API can call into the CryptoAPI which provides cryptographic services to validate digital certificates. Internet Explorer, for instance, uses the CryptoAPI to parse and validate the certificate…

MS09-051: A note on the affected platforms

MS09-051 addresses a vulnerability (CVE-2009-0555) in the speech codec of Microsoft Windows Media Component. Users of Windows XP/Windows Vista/Windows Server 2003/Windows Server 2008* are affected by this vulnerability. However, for Win2k users, the story is more complex and we would like to go into more detail in this blog. *Windows Server 2008 Core installation is…
