Technical details of the targeted attack using IE vulnerability CVE-2013-3918

Over the weekend we became aware of an active attack relying on an unknown remote code execution vulnerability of a legacy ActiveX component used by Internet Explorer. We are releasing this blog to confirm one more time that the code execution vulnerability will be fixed in today’s UpdateTuesday release and to clarify some details about…

0

MS13-080 addresses two vulnerabilities under limited, targeted attacks

Today we released MS13-080 which addresses nine CVEs in Internet Explorer. This bulletin fixes multiple security issues, including two critical vulnerabilities that haven been actively exploited in limited targeted attacks, which we will discuss in details in this blog entry. CVE-2013-3893: the final patch after Fix it workaround Previously, Microsoft released Security Advisory 2887505 and…

0

New Bounty Program Details

Today we announced the upcoming Mitigation Bypass Bounty, the BlueHat Bonus for Defense, and the Internet Explorer 11 Preview Bug Bounty program.  It’s very exciting to finally take the wraps off of these initiatives and we are anticipating some great submissions from the security research community!  These programs will allow us to reward great work…

0

Assessing the risk of the June security updates

Today we released 16 security bulletins. Nine have a maximum severity rating of Critical and seven have a maximum severity rating of Important. This release addresses several publicly disclosed vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin…

0

Assessing the risk of public issues currently being tracked by the MSRC

At Microsoft, as at most large software vendors, we are likely to have publicly known issues under investigation at any given time. This is what we do on the Security Research & Defense team. Recently we’ve seen confusion from folks trying to make sense of some of the current public issues. To help clear that…

0

Assessing the risk of the June Security Bulletins

Today we released ten security bulletins.  Three have a maximum severity rating of Critical and seven have a maximum severity rating of Important.  We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Index Rating Likely first…

0

MS10-035: Cross-Domain Information Disclosure Vulnerability

Today we released MS10-035, a security update with an Important severity update, addressing CVE-2010-0255. We’d like to talk briefly about that specific vulnerability and how we’ve addressed it.   Background information   This issue primarily impacts Internet Explorer running on Windows XP.  Attacks against Internet Explorer running on Windows Vista and newer platforms are mitigated…

0

Help keypress vulnerability in VBScript enabling Remote Code Execution

The MSRC Engineering team has been investigating reports of a vulnerability involving the use of VBScript and Windows Help files.   What is the impact and affected platforms? Our investigation has determined that Windows 7, Windows Server 2008, and Windows Vista are not impacted.  Only Windows 2000 and Windows XP are impacted by default.  Windows…

0