ASP.NET security update is live!

Today we released MS11-100, addressing a newly disclosed denial-of-service vulnerability affecting several vendors’ Web application platforms, including Microsoft’s ASP.NET. Yesterday, we posted an SRD blog describing the vulnerability and the detection and workaround opportunities. With this blog post, we’d like to update you on the following topics: Why is this bulletin rated “Critical” for a…

Assessing the risk of the June Security Bulletins

Today we released ten security bulletins. Three have a maximum severity rating of Critical and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploitability Index Rating Likely first…

Bulletin severity for October bulletins

Bulletin severity is an interesting topic to many blog readers. We often hear that you think a bulletin should be rated higher or lower. Sometimes we even hear one person suggesting a higher rating and another suggesting a lower rating for the same issue. :) This post is not to advocate for or against the…

MS08-049: What kind of authentication is needed?

MS08-049 is an update for the Windows Event System service to correct an authenticated elevation-of-privilege vulnerability. We received a question via email yesterday about the type of authentication needed to exploit CVE-2008-1456. Our security bulletin was a little ambiguous with one reference to “logon credentials” and another to “domain credentials”. The email question was from…

MS08-023: Same bug, four different security bulletin ratings

Security bulletin MS08-023 addressed two ActiveX control vulnerabilities, one in a Visual Studio ActiveX control and another in Yahoo!’s Music Jukebox ActiveX control. The security update sets the killbit for both controls. For more about how the killbit works, see the excellent three-part series (1, 2, 3) from early February in this blog. One interesting…
