Skip to main content
MSRC

Exploitability

Stack overflow (stack exhaustion) not the same as stack buffer overflow

Wednesday, January 28, 2009

Periodically we get reports into the MSRC of stack exhaustion in client-side applications such as Internet Explorer, Word, etc. These are valid stability bugs that, fortunately, do not lead to an exploitable condition by itself (no potential for elevation of privilege). We wanted to clarify the distinction between stack exhaustion and stack buffer overflow.

MS09-001: Prioritizing the deployment of the SMB bulletin

Friday, January 09, 2009

This month we released an update for SMB that addresses three vulnerabilities. This blog post provides additional information that might help prioritize the deployment of this update, and help explain the risk for code execution. In the bulletin you will see that the cumulative severity rating is Critical for Windows 2000, XP and Server 2003 systems, while Vista and Server 2008 have cumulative severity ratings of Moderate.

Windows Media Player crash not exploitable for code execution

Monday, December 29, 2008

On Christmas Day, the MSRC opened a case tracking a Bugtraq-posted POC describing a “malformed WAV,SND,MID file which can lead to a remote integer overflow”. By Saturday evening, we saw reputable internet sources claiming this bug could lead to executing arbitrary code on the system. We investigated right away and found that this bug cannot be leveraged for arbitrary code execution.

More detail about MS08-067, the out-of-band netapi32.dll security update

Thursday, October 23, 2008

Today Microsoft released a security update that fixes a remote code execution vulnerability in the Windows Server Service. This is a serious vulnerability and we have seen targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 computers so we have released the fix “out of band” (not on the regular Patch Tuesday).

Bulletin severity for October bulletins

Tuesday, October 14, 2008

Bulletin severity is an interesting topic to many blog readers. We often hear that you think a bulletin should be rated higher or lower. Sometimes we even hear one person suggesting a higher rating and another suggesting a lower rating for the same issue. J This post is not to advocate for or against the MSRC rating system but we’d just like you to understand what we were thinking for each bulletin.

MS08-065 : Exploitable for remote code execution?

Tuesday, October 14, 2008

Today, we released MS08-065 to fix an issue in MSMQ. You’ll notice that the bulletin was rated “Important” and indicates that remote code execution is possible. However, we would like to show you that in practice the severity of the fixed issue is limited only to information disclosure. If the MSMQ service were installed by default on any affected Windows configuration, we would have rated this one Critical.