MSRC

Month Archives: April 2011

Assessing the risk of the April security updates

Tuesday, April 12, 2011

Today we released 17 security bulletins. Nine have a maximum severity rating of Critical and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Table columns: Bulletin; Most likely attack vector; Max Bulletin Severity; Max Exploitability Index; Likely first 30 days impact; Platform mitigations and key notes.

MS11-018 (IE): Victim browses to a malicious webpage.

MS11-018 addresses the IE8 pwn2own vulnerability

Tuesday, April 12, 2011

Today Microsoft released MS11-018 addressing one of the three vulnerabilities that were used to win the Pwn2Own contest last month at CanSecWest 2011. It took three vulnerabilities to successfully compromise IE8 and meet all the requirements of the organizers. The vulnerability we are fixing today, a use-after-free which does not affect IE9, was the primary vulnerability used to gain code execution.

MS11-019 and MS11-020: April SMB Updates

Tuesday, April 12, 2011

This month we released updates for the SMB client and server components (MS11-019 and MS11-020 respectively). These bulletins address three externally-reported issues, but also include fixes for several issues that Microsoft identified internally. This blog post provides background on these issues and the work done internally at Microsoft to improve SMB security.

MS11-034: Addressing vulnerabilities in the win32k subsystem

Tuesday, April 12, 2011

Today we released security bulletin MS11-034 to address vulnerabilities in the win32k subsystem. This update addresses externally reported issues as well as several internally found vulnerabilities that were discovered as part of our variant investigation. The bulletin may appear to address an alarmingly large number of issues. However, if you dig into the issues themselves, you’ll find that the 30 vulnerabilities addressed in this update really just share three root causes, all of the same kind: insufficient validation or locking of win32k objects after a user-mode callback returns to the kernel.
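The root cause described above is a pattern, not a single bug: a kernel routine holds a pointer to a win32k object, calls back into user mode (for example to run a window hook), and then keeps using the pointer even though user mode may have destroyed the object during the callback. The following is an added example, not MSRC's code and not the real win32k structures or routines: it simulates that pattern in user-space C with a hypothetical `sim_window` object, a hypothetical refcount lock/unlock pair standing in for win32k object locking, and a poison value written in place of an actual free so the stale read is observable without undefined behaviour. The vulnerable routine is shown beside the hardened one that takes a reference before the callback and re-validates the object afterwards.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated win32k-style object (hypothetical; not the real tagWND layout). */
typedef struct {
    int refcount;     /* stands in for the win32k object lock count */
    int destroyed;    /* set when user mode destroys the object */
    uint32_t style;   /* payload the kernel routine wants after the callback */
} sim_window;

/* Value written into the object to simulate "memory freed". */
#define POISON 0xDEADBEEFu

/* Single constructed object; a user-mode callback may destroy it. */
static sim_window g_window;

static void window_init(void) {
    g_window.refcount = 0;
    g_window.destroyed = 0;
    g_window.style = 0x10;
}

/* Hypothetical lock helpers: the allocation stays alive while refcount > 0. */
static void window_lock(sim_window *w) { w->refcount++; }
static void window_unlock(sim_window *w) {
    if (--w->refcount == 0 && w->destroyed)
        w->style = POISON;   /* deferred free once the last reference drops */
}

/* What user mode can do from inside a callback: destroy the object.
 * If nothing references it, the memory is freed immediately. */
static void window_destroy(sim_window *w) {
    w->destroyed = 1;
    if (w->refcount == 0)
        w->style = POISON;
}

/* A user-mode hook invoked while the kernel routine is mid-operation. */
typedef void (*user_callback)(sim_window *);
static void hook_destroys_window(sim_window *w) { window_destroy(w); }
static void hook_benign(sim_window *w) { (void)w; }

/* VULNERABLE pattern: pointer held across the callback, no lock, no recheck. */
uint32_t vuln_get_style(sim_window *w, user_callback cb) {
    cb(w);              /* user mode runs and may free w */
    return w->style;    /* use-after-free: reads the freed object */
}

/* HARDENED pattern: reference before the callback, re-validate after it. */
int fixed_get_style(sim_window *w, user_callback cb, uint32_t *out) {
    window_lock(w);             /* keeps the allocation alive across the callback */
    cb(w);
    int ok = !w->destroyed;     /* object may have been destroyed meanwhile */
    if (ok)
        *out = w->style;
    window_unlock(w);           /* only now may the object actually be freed */
    return ok ? 0 : -1;
}

/* Scenario drivers: evil_hook=1 destroys the window from the callback. */
uint32_t scenario_vuln(int evil_hook) {
    window_init();
    return vuln_get_style(&g_window, evil_hook ? hook_destroys_window : hook_benign);
}

int scenario_fixed(int evil_hook) {
    window_init();
    uint32_t style = 0;
    return fixed_get_style(&g_window, evil_hook ? hook_destroys_window : hook_benign, &style);
}

int main(void) {
    printf("vulnerable, hostile hook: read 0x%08x (poisoned = freed memory)\n",
           scenario_vuln(1));
    printf("vulnerable, benign hook : read 0x%08x\n", scenario_vuln(0));
    printf("hardened,   hostile hook: status %d (object gone, no stale read)\n",
           scenario_fixed(1));
    printf("hardened,   benign hook : status %d\n", scenario_fixed(0));
    return 0;
}
```

The two halves of the fix matter together: the reference alone prevents the free but not the use of a logically destroyed object, and the re-validation alone does nothing if the memory has already been reused by the time the check runs.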

Advance Notification Service for the April 2011 Bulletin Release

Thursday, April 07, 2011

Hello everyone, My name is Pete Voss, and I’m a senior response communications manager with Microsoft Trustworthy Computing. I’ll be joining the rest of the team on the MSRC blog and @MSFTSecResponse Twitter handle to help provide you with the latest information and guidance for Microsoft security. Today, we’re providing advance notification of the release of 17 security bulletins, nine rated Critical and eight rated Important.