MSRC | Microsoft Security Response Center

Update on Current Word Vulnerability Reports

Friday, December 15, 2006

Hey everyone, Alexandra Huft here. I wanted to try and summarize/clarify for everyone the three current Word Zero-Day issues that have been reported to Microsoft. First, I wanted everyone to know that we’re actively investigating and monitoring all of these issues through our Software Security Incident Response Process and we are working on developing and testing security updates for the three issues, which we’ll release as part of our release process once they’ve reached an appropriate level of quality.

December 2006 Monthly Security Bulletin Release

Tuesday, December 12, 2006

Hello, this is Christopher Budd. I wanted to let you know that as part of our standard monthly bulletin release process we’ve released our security bulletins for December 2006. · Microsoft Windows ( MS06-072) · maximum severity rating of Critical** · vulnerabilities could allow an attacker to remotely take complete control of an affected system.

Information on accidental posting of pre-release security updates for Office for Mac

Tuesday, December 12, 2006

We’ve seen some questions from customers about some security updates that posted for a while today for Office for Mac that they didn’t see any security bulletins for. I wanted to let you know that these weren’t security updates related to this month’s release or the two Word issues we’ve written about in Security Advisory 929433 and on our weblog: those investigations are still underway and we’ll release updates for those issues once we’ve met the appropriate quality bar.

New Report of A Word Zero Day

Sunday, December 10, 2006

Hi All, Scott Deacon here, well a busy week extends into a busy weekend for the MSRC!! We are investigating reports of another new vulnerability in Microsoft Word – initial investigation has shown that this is a different issue to that reported in Microsoft Security Advisory 929433. Our initial investigation has discovered that Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word 2007 is NOT affected by the vulnerability.

December 2006 Advanced Notification

Thursday, December 07, 2006

Hello, This is Christopher Budd and I’m posting here today to let you know that we’ve posted our Advanced Notification for the December 2006 Microsoft Monthly Security Bulletin Release. Next Tuesday, on December 12, 2006 at approximately 10:00 am PT we are slated to release six new security bulletins: Five Microsoft Security Bulletins affecting Microsoft Windows.

Public Proof of Concept Code for ASX File Format Isssue

Thursday, December 07, 2006

Hey everyone this is Alexandra Huft I wanted to let you know that we’re aware of proof-of-concept code published publicly affecting Windows Media ASX file format. We are currently investigating this report. We are not currently aware of attempts to exploit this vulnerability. The ASX file format is an XML-based media file format which is processed by Windows Media Player.

What “very limited, targeted attacks” Means

Thursday, December 07, 2006

Hi, this is Christopher Budd. We’ve gotten some question from customers about what we mean when we say we’re aware of “very limited, targeted attacks” in a security advisory. I wanted to take a moment and help give some clarity. When we talk about “very limited, targeted attacks” we specifically mean this in contrast to attacks that affect a broad number of customers randomly.

Microsoft Security Advisory (929433) Posted

Tuesday, December 05, 2006

Hey everyone this is Alexandra Huft I wanted to let people know that we just posted Microsoft Security Advisory (929433) which involves Microsoft Word. We are currently investigating a report of a proof of concept which may allow an attacker to execute code on a user’s machine by convincing them to open a specially-crafted Word document.

MS06-071 Available Through SUS 1.0

Tuesday, November 21, 2006

Hello, This is Christopher Budd. I wanted to follow up our posting on the November 2006 Monthly Bulletin release to let folks know that MS06-071 has been made available for SUS 1.0. Those of you who are SUS 1.0 administrators should begin to see those updates show up for your approval.

Microsoft Security Advisory (928604) Posted

Thursday, November 16, 2006

Hello, This is Adrian Stone. I wanted to let you know that we just posted Microsoft Security Advisory (928604). Microsoft is aware of public proof of concept code targeting the vulnerability addressed by security update MS06-070. At this time Microsoft has not seen any indications of active exploitation of the vulnerability.