Skip to main content

Month Archives: January 2009

XSS Filter Improvements in IE8 RC1

Friday, January 30, 2009

On MondayIE8 RC1 was released. Here are some of the most interesting improvements and bug fixes to the XSS Filter feature: Some byte sequences enabled the filter to be bypassed, depending on system locale URLs containing certain byte sequences bypassed the Beta 2 filter implementation in some locales. For example, with a Chinese locale system, URLs of the following format would bypass the filter:

Berlin: Far more than stellar pizza

Thursday, January 29, 2009

Handle: C-Lizzle IRL: Celene Temkin Rank: Program Manager 2 & BlueHat Project Manager Likes: Culinary warfare, BlueHat hackers and responsible disclosure Dislikes: Acts of hubris, MySpace, orange mocha Frappaccinos! Goodbye 2008- Hello 2009! Over the past year we, the MSRC EcoStrat team and all-up TwC Security have been a lot of places, seen a lot of people, and picked up a lot of t-shirts J.

Stack overflow (stack exhaustion) not the same as stack buffer overflow

Wednesday, January 28, 2009

Periodically we get reports into the MSRC of stack exhaustion in client-side applications such as Internet Explorer, Word, etc. These are valid stability bugs that, fortunately, do not lead to an exploitable condition by itself (no potential for elevation of privilege). We wanted to clarify the distinction between stack exhaustion and stack buffer overflow.

January 22, 2009: MS08-067 Conficker Worm Update

Thursday, January 22, 2009

Hi, Bill here, In response to continued customer questions on how to protect and defend themselves against the Conficker Worm, I wanted to let you know the Microsoft Malware Protection Center has published a Threat Research and Response Blog that centralizes Microsoft’s guidance. This will help you understand the nature of the threat and enable you to formulate a defense in depth strategy based on the aspects of your unique environments.


Thursday, January 22, 2009

小野寺です Microsoft MVP でもある まっちゃさんとはなずきんさん に声をかけていただいて久しぶりに、セキュリティ勉強

Monthly Security Bulletin Webcast Q&A - January 2009

Thursday, January 15, 2009

Register now for the January 2009 Security Bulletin Webcast Security Bulletin Webcast Q&A Index Hosts: Christopher Budd, Security Response Communications Lead Adrian Stone, Lead Security Program Manager (MSRC) Website: TechNet/security Chat Topic: January 2009Security Bulletin Date: Wednesday, January 14, 2009 Q: So just to clarify there is no known code in the wild and if there was to be how would it get injected into the environment?

Security Bulletin Webcast Questions and Answers - January 2009

Thursday, January 15, 2009

Hi, During this month’s webcast we were able to address 21 questions in the time allotted. We addressed several questions regarding MS09-001 and its relationship to previously released SMB bulletins. There were also questions regarding update deployment and attack vectors addressed. The remaining questions primarily concerned the Malicious Software Removal Tool (MSRT) update regarding the W32/Conficker worm.