Assessing an IIS FTP 7.5 Unauthenticated Denial of Service Vulnerability

There has been some discussion around publicly posted PoC code that exploits a vulnerability in IIS FTP 7.5, which ships with Windows 7 and Windows Server 2008 R2. Our engineering team is looking into the situation and has made a few preliminary observations that might clear up some confusion. We’ve observed three notable characteristics…

New Internet Explorer vulnerability affecting all versions of IE

Today we released Security Advisory 2488013 to notify customers of a new publicly-disclosed vulnerability in Internet Explorer (IE). This vulnerability affects all versions of IE. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process. Proof-of-concept exploit bypasses ASLR and DEP: The Metasploit project recently published an exploit for this vulnerability…

Assessing the risk of the December security updates

Today we released seventeen security bulletins.  Two have a maximum severity rating of Critical, fourteen have a maximum severity rating of Important, and one has a maximum severity rating of Moderate.  We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.   Bulletin Most likely attack vector…

MS10-104: SharePoint 2007 Vulnerability

Today we released MS10-104 to address vulnerability CVE-2010-3964 in SharePoint 2007 server with an important severity rating. In this blog, we would like to cover some additional details of this vulnerability.   Is my SharePoint server affected by this vulnerability?   There are two types of installations for a SharePoint server: standalone and farm. A standalone…

MS10-105: Image Filters Update

This month we shipped a security update and bulletin (MS10-105) to address vulnerabilities in the .cgm, .tif, .fpx, and .pct image filters. These filters are shipped with Microsoft Office to extend image rendering for applications. Neither Office 2010 nor Office 2007 uses filters to perform rendering by default. Both use GDI+ instead. Historically, if an…

On the effectiveness of DEP and ASLR

DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) have proven themselves to be important and effective countermeasures against the types of exploits that we see in the wild today.  Of course, any useful mitigation technology will attract scrutiny, and over the past year there has been an increasing amount of research and discussion…

Updated EMET Version 2.0.0.3 Released

It’s recently come to our attention that some Enhanced Mitigation Experience Toolkit (EMET) v2.0 users may have potential issues with the update functionality of specific applications from Adobe and Google.  As a result, today we released a new version of EMET that will help ensure these updaters work as expected when EMET is in place for…

DEP, EMET protect against attacks on the latest Internet Explorer vulnerability

Today we released Security Advisory 2458511 notifying customers of limited attacks leveraging an Internet Explorer vulnerability. The beta version of Internet Explorer 9 is not affected while Internet Explorer 6, 7, and 8 are affected. So far the attacks we have seen only target Internet Explorer versions 6 and 7 on Windows XP.  Attacks would…

Assessing the risk of the October security updates

Today we released sixteen security bulletins. Four have a maximum severity rating of Critical, ten have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max…

Note on Bulletin Severity for MS10-081 and MS10-074

Today we released MS10-081 (Important severity) and MS10-074 (Moderate severity), each providing an update for a single vulnerability. In this blog post we are going to cover some additional details on the severity of these vulnerabilities that may factor into how you prioritize the deployment of this month’s updates. Neither of the two vulnerabilities covered…
