MSRC

Month Archives: July 2009

Security Bulletin Webcast Video, Questions and Answers – July 2009

Wednesday, July 15, 2009

Today Adrian Stone and I conducted the security bulletin webcast for June covering the six bulletins we released yesterday and Security Advisory 973472 (vulnerability in Office Web Components). There were several questions about MS09-028 and MS09-032. These security updates addressed two open security advisories (971778 and 972890 respectively). One common question was “if I installed the Fix it workaround in the advisory, do I need to uninstall it before installing the update in the bulletin?”

MS09-031: More information about the ISA issue

Tuesday, July 14, 2009

The ISA blog has a really great post this morning about MS09-031. It only affects a specific configuration and they outline it. If you have any questions about MS09-031, check out their blog. - Jonathan Ness, MSRC Engineering *Posting is provided “AS IS” with no warranties, and confers no rights.*

MS09-033: The Virtual PC vulnerability is not a VM breakout issue

Tuesday, July 14, 2009

MS09-033 fixed a vulnerability in Virtual PC and Virtual Server which involves elevation of privilege. I’d like to use this blog post to clarify what the security impact is of this vulnerability, to help you make an informed decision about how you prioritize the installation of this update. To be clear, we highly recommend that you install the update, but recognize that you may need to prioritize the work of deploying the update against other important work.

Microsoft Security Advisory 973472 Released

Monday, July 13, 2009

Hi Everyone, This is Dave Forstrom, group manager for our security response communications team. We have just posted Microsoft Security Advisory 973472, which highlights a vulnerability in Microsoft Office Web Components. Specifically, the vulnerability exists in the Spreadsheet ActiveX control and while we’ve only seen limited attacks, if exploited successfully, an attacker could gain the same user rights as the local user.

More information about the Office Web Components ActiveX vulnerability

Monday, July 13, 2009

We are aware of public attacks on the Internet exploiting a vulnerability in the Office Web Components Spreadsheet ActiveX control (OWC 10 and OWC11). Microsoft has released an advisory with further information available here. What’s the attack vector? This vulnerability could be used for remote code execution in a “browse and get owned” scenario.