MSRC

Month Archives: August 2008

MS08-042 : Understanding and detecting a specific Word vulnerability

Tuesday, August 12, 2008

A few weeks ago we posted a blog entry titled “How to parse the .doc file format”. Today’s blog post will show you how to use that information to check whether a .doc file is specially crafted to exploit MS08-042, one of the vulnerabilities addressed by today’s security updates. This particular vulnerability is being exploited out in the real world, so we believe the benefits of releasing more information about it to help the defenders outweigh the risk of attackers learning more about the already-public vulnerability.

MS08-043 : How to prevent this information disclosure vulnerability

Tuesday, August 12, 2008

In this month’s update for Excel we addressed an interesting CVE (CVE-2008-3003) – the first vulnerability to affect the new Open XML file format (but it doesn’t result in code execution). This is an information disclosure vulnerability that can arise when a user makes a data connection from Excel to a remote data source and checks a checkbox to have Excel NOT save the password used in that connection to the file.

MS08-050 : Locking an ActiveX control to specific applications.

Tuesday, August 12, 2008

MS08-050 concerns an ActiveX control that can be maliciously scripted to leak out personal information such as email addresses. There appeared to be no need for the control to have this behaviour so giving it a Kill-Bit seemed the correct approach to take. During the extensive testing that each security update undergoes, however, it became apparent that the Kill-Bit wasn’t ideal as it partially broke the Remote Assistance application.

Leaving Las Vegas: A Black Hat Salute

Friday, August 08, 2008

Handle: The Crushman
IRL: Andrew Cushman
Rank: Security Director
Likes: Cranberry juice (thanks Jay!)
Dislikes: Super helpful hotel desk clerks (thanks Raoul?)

What can I say? Once again, Black Hat did not disappoint. And that’s not just post-party speak. The conversations were good, the input was invaluable, and the support for the new programs we launched—well, it’s been overwhelming.

August 2008 Advance Notification

Thursday, August 07, 2008

Hello, This is Christopher Budd. While some of us are down at Black Hat this week, meeting with customers and researchers and announcing exciting new programs, today is also the Thursday before the second Tuesday in August. That means we’ve just posted this month’s Advance Notification for next week’s bulletin release, which will occur on Tuesday, August 12, 2008 around 10 a.

Threats in a Blender, and Other Raisons d'être

Thursday, August 07, 2008

Handle: k8e
IRL: Katie Moussouris
Rank: Senior Security Program Manager
Likes: Cool vulns (responsibly disclosed of course), girls with soldering irons, Spanish tapas, quantum teleportation
Dislikes: Rudeness, socks-n-sandals, licorice

There are times when one must look toward the best interests of the customers above any competitive strategies. Security is one of those themes that has the power to unite teams across company boundaries.

DNS: An Example of Ecosystem Partnerships

Wednesday, August 06, 2008

Handle: Zot
IRL: Zot O’Connor
Rank: Program Manager 2
Likes: Taking on the enemy with partners, Automating processes, good scotch and bourbon
Dislikes: Poor reporting, FUD, miscreants, dangling participles

My name is Zot O’Connor and I am a computer genius. Really, the Seattle Post-Intelligencer says so. Okay, not directly, but I was one of the group of “computer geniuses” converging on our campus back in March because of this DNS issue.

Helping Secure the Planet: New Strategic Initiatives from Microsoft

Wednesday, August 06, 2008

Handle: Silver Surfer
IRL: Mike Reavey
Rank: Director, MSRC
Likes: Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities
Dislikes: Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns

Tomorrow, Steve Adegbite, Katie Moussouris and I will give the first ever Microsoft Security Response Center (MSRC) talk at Black Hat, Las Vegas.

Predicting the Future - Microsoft Launches an “Exploitability Index”

Tuesday, August 05, 2008

Handle: Silver Surfer
IRL: Mike Reavey
Rank: Director, MSRC
Likes: Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities
Dislikes: Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns

Hey all – Mike Reavey here. I’ve been with the Microsoft Security Response Center (MSRC) for over five years now, and working in security for over a decade.