MSRC | Microsoft Security Response Center

Information on accidental posting of pre-release security updates for Office for Mac

Tuesday, December 12, 2006

We’ve seen some questions from customers about some security updates that posted for a while today for Office for Mac that they didn’t see any security bulletins for. I wanted to let you know that these weren’t security updates related to this month’s release or the two Word issues we’ve written about in Security Advisory 929433 and on our weblog: those investigations are still underway and we’ll release updates for those issues once we’ve met the appropriate quality bar.

New Report of A Word Zero Day

Sunday, December 10, 2006

Hi All, Scott Deacon here, well a busy week extends into a busy weekend for the MSRC!! We are investigating reports of another new vulnerability in Microsoft Word – initial investigation has shown that this is a different issue to that reported in Microsoft Security Advisory 929433. Our initial investigation has discovered that Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word 2007 is NOT affected by the vulnerability.

December 2006 Advanced Notification

Thursday, December 07, 2006

Hello, This is Christopher Budd and I’m posting here today to let you know that we’ve posted our Advanced Notification for the December 2006 Microsoft Monthly Security Bulletin Release. Next Tuesday, on December 12, 2006 at approximately 10:00 am PT we are slated to release six new security bulletins: Five Microsoft Security Bulletins affecting Microsoft Windows.

Public Proof of Concept Code for ASX File Format Isssue

Thursday, December 07, 2006

Hey everyone this is Alexandra Huft I wanted to let you know that we’re aware of proof-of-concept code published publicly affecting Windows Media ASX file format. We are currently investigating this report. We are not currently aware of attempts to exploit this vulnerability. The ASX file format is an XML-based media file format which is processed by Windows Media Player.

What “very limited, targeted attacks” Means

Thursday, December 07, 2006

Hi, this is Christopher Budd. We’ve gotten some question from customers about what we mean when we say we’re aware of “very limited, targeted attacks” in a security advisory. I wanted to take a moment and help give some clarity. When we talk about “very limited, targeted attacks” we specifically mean this in contrast to attacks that affect a broad number of customers randomly.

Microsoft Security Advisory (929433) Posted

Tuesday, December 05, 2006

Hey everyone this is Alexandra Huft I wanted to let people know that we just posted Microsoft Security Advisory (929433) which involves Microsoft Word. We are currently investigating a report of a proof of concept which may allow an attacker to execute code on a user’s machine by convincing them to open a specially-crafted Word document.

MS06-071 Available Through SUS 1.0

Tuesday, November 21, 2006

Hello, This is Christopher Budd. I wanted to follow up our posting on the November 2006 Monthly Bulletin release to let folks know that MS06-071 has been made available for SUS 1.0. Those of you who are SUS 1.0 administrators should begin to see those updates show up for your approval.

Microsoft Security Advisory (928604) Posted

Thursday, November 16, 2006

Hello, This is Adrian Stone. I wanted to let you know that we just posted Microsoft Security Advisory (928604). Microsoft is aware of public proof of concept code targeting the vulnerability addressed by security update MS06-070. At this time Microsoft has not seen any indications of active exploitation of the vulnerability.

November 2006 Monthly Security Bulletin Release

Tuesday, November 14, 2006

Hey folks - Mike Reavey here. I wanted to let you know we’ve released our security bulletins for the month of November 2006 here today. We’re releasing six new security bulletins today: · Microsoft Windows (MS06-066) · maximum severity rating of Important · vulnerabilities could allow an attacker to remotely take complete control of an affected system.

Follow up information on weblog posting about PoC published for MS Office 2003 PowerPoint

Friday, November 10, 2006

Hi everyone. Brian and Jonathan, software security engineers from the SWI team here. Alexandra Huft from the MSRC team asked us to write a guest blog entry giving an update into the technical investigation of the PowerPoint 2003 proof-of-concept code published a few weeks ago which was previously blogged about here (http://blogs.