Skip to main content
MSRC

Exploitability

Out-of-Band Security Bulletin Webcast Q&A - January 21, 2010

Friday, January 22, 2010

Hosts: Adrian Stone, Senior Security Program Manager Lead Jerry Bryant, Senior Security Communications Manager Lead Website: TechNet/security Chat Topic: January 2010 Out-of-Band Security Bulletin Date: Thursday, January 21, 2010 Q: I understand the severity for workstaitons. Is the severity lower for servers in terms of this vulnerability, since most servers (except Terminal Servers) do not use IE?

Advisory 979352 Updated

Friday, January 15, 2010

Hello, Today we updated Security Advisory 979352 to let customers know that we are aware that exploit code for the vulnerability used in recent attacks against IE 6 users, has now been made public. Information on which versions of Internet Explorer are vulnerable and what customers can do to protect themselves is included in the updated Security Advisory.

Assessing risk of IE 0day vulnerability

Friday, January 15, 2010

Yesterday, the MSRC released Microsoft Security Advisory 979352 alerting customers to limited, sophisticated attacks targeting Internet Explorer 6 customers. Today, samples of that exploit were made publicly available. Before we get into the details I want to make one thing perfectly clear. The attacks we have seen to date, including the exploit released publicly, only affect customers using Internet Explorer 6.

Security Advisory 979352 Released

Thursday, January 14, 2010

Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks. Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer. Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.

January 2010 Security Bulletin Release

Tuesday, January 12, 2010

Summary of Microsoft’s Security Bulletin Release for January 2010 Hi Everyone, We hope that 2010 is off to a good start for you. For our first bulletin release of the New Year, we have one Critical bulletin affecting all versions of Windows. The bulletin, MS10-001, addresses one vulnerability in the Embedded OpenType Font Engine and is Critical on Windows 2000.

MS10-001: Font file decompression vulnerability

Tuesday, January 12, 2010

MS10-001 addresses a vulnerability (CVE-2010-0018 ) in the LZCOMP de-compressor for Microtype Express Fonts. This blog aims to answer some questions regarding the updates we’ve made in this area. What is the issue? t2embed.dll improperly performs bounds-checking on lengths which are decoded from the LZCOMP bit-stream. This made it possible for a copy loop to violate the intended working buffer.

G’day mate, howsitgoing?

Monday, December 14, 2009

Handle: Avatar IRL: Karl Hanmore Rank: Senior Security Strategist (aka Sergeant Grunt) Likes: Getting the job done, bringing the fight to the bad guys, good single malt whiskey Dislikes: Cowards, talkers not doers, red tape, humidity G’day, or should I say howdy, y’all. As the newest member of the Microsoft EcoStrat team, I figured I would do a quick self-introduction before getting down to work.

Assessing the risk of the December security bulletins

Tuesday, December 08, 2009

This morning we released six security bulletins, three Critical and three Important, addressing 12 CVE’s. Please apply the Internet Explorer update right away as it poses the most risk of all the bulletins due to severity and exploitability. The Internet Explorer update addresses the vulnerability described by Security Advisory 977981. We hope that the table and commentary below will help you prioritize the deployment of the other updates appropriately.

December 2009 Security Bulletin Release

Tuesday, December 08, 2009

Summary of Microsoft’s Security Bulletin Release for December 2009 As noted in our Advance Notification (ANS) last Thursday, for the December bulletin release we issued six security bulletins addressing 12 vulnerabilities. Affected products include Windows, Internet Explorer (IE) and Microsoft Office products. In the ANS, we also noted that the bulletin for IE (MS09-072) is at the top of our deployment priority list this month.