Skip to main content
MSRC

2009

Monthly Security Bulletin Webcast Q&A - November 2009

Thursday, November 12, 2009

Hosts: Adrian Stone, Senior Security Program Manager Lead Jerry Bryant, Senior Security Program Manager Lead Website: TechNet/security Chat Topic: November 2009 Security Bulletin Date: Wednesday, November 11, 2009** Q: It looks like MS09-063 is only vulnerable to attacks via the local subnet, so is a Vista computer connected via Wi-Fi with the network configured as public, vulnerable?

Read More

Details on the License Logging Service vulnerability

Tuesday, November 10, 2009

Today, we released MS09-064 which addresses a vulnerability in the License Logging Service. In this post, we provide some background on the service and the severity of the underlying vulnerability. Background License Logging Service (LLS) is a feature that was originally designed to help customers manage licenses for Microsoft server products licensed in the Server Client Access License (CAL) model.

Read More

Font Directory Entry Parsing Vulnerability In win32k.sys

Tuesday, November 10, 2009

MS09-065 addresses a vulnerability (CVE-2009-2514) in the font parsing subsystem of win32k.sys. If not addressed, this vulnerability could allow an attacker to bluescreen (DoS) the machine (best case scenario) or run code of his/her choice, possibly in the context of the kernel (worst case scenario). In this blog entry, I’ll attempt to answer a few questions regarding the vulnerability addressed in this month’s win32k.

Read More

November 2009 Security Bulletin Release

Tuesday, November 10, 2009

Summary of Microsoft’s Security Bulletin Release for November 2009 Today, we released six security bulletins addressing a total of 15 vulnerabilities. Four affect Windows and Windows Server and two affect Microsoft Office products (Excel and Word). As we do every month, we have prepared our Risk & Impact and our Deployment Priority guidance to help customers assess risk to their environments and prioritize the deployment of this month’s updates.

Read More

Vulnerability in Web Services on Devices (WSD) API

Tuesday, November 10, 2009

MS09-063 addresses a critical vulnerability (CVE-2009-2512) in the Web Services on Devices (WSD) API. Web Services on Devices allows a computer to discover and access a remote device and its associated services across a network. It supports device discovery, description, control, and eventing. The WSD API functionality is implemented in the WSDApi.

Read More

Know thy Enemy

Friday, November 06, 2009

I recently attended BlueHat for the second time and spoke about the SMS vulnerabilities Collin Mulliner and I discovered and exploited this summer. BlueHat is an interesting speaking venue because the audience consists entirely of Microsoft employees. Some people might think security researchers speaking at Microsoft is like speaking before the enemy, but that is not the case (an actual example of that would have been when I talked about exploit sales at CERT a few years ago).

Read More