Thursday, April 06, 2006
Hi everyone, Stephen Toulouse here. As we do each month I wanted to post about the Advance Notification for the Security Bulletin release for April. This coming Tuesday, the 11th, we’re planning to release five security bulletins, 4 for Windows and 1 that affects both Windows and Office. One of the Windows bulletins will be the cumulative Internet Explorer update that will address the “CreateTextRange” vulnerability.
Wednesday, March 29, 2006
Hi there. Mike Nash from the STU. Earlier this year, during our response to the WMF zero exploit with an out-of-band band security update, I wrote a blog entry explaining the details of how we got to the decision to release that update early. I received a lot of feedback from customers around the world that the blog entry and the internal insights into our decision-making process in that situation was very helpful and that we should make it a consistent practice for issues that have widespread impact on customers and need more clarity.
Tuesday, March 28, 2006
Hi everyone, Mike Reavey here. I wanted to make everyone aware of some recent developments regarding the “Create TextRange” IE vulnerability. First off we’re still not seeing increased spread of attacks, and in fact have been very active in taking down sites as they come up with law enforcement. But attacks are still occurring so we certainly still recommend up to date AV software and our safe browsing guidance while we work on the update, and have updated the security advisory with a list of VIA partners that are currently providing protection.
Sunday, March 26, 2006
Hi gang, Stepto here again. The MSRC in combination with our internal and external partner teams have been working through the weekend looking at the recent attacks involving the IE vulnerability I mentioned previously. So far we’re still seeing only limited attacks. But our anti-malware team, as always, is on the case and has uploaded removal information for the attacks to date to Windows Live Safety Center.
Friday, March 24, 2006
Hi everyone, Stepto here. Today the MSRC became aware of public reports of attacks on some PC users utilizing the vulnerability that Lennart posted about in Internet Explorer. Here’s what we know. The attacks are limited in scope for now and are being carried out by malicious Web sites exploiting a vulnerability in the method by which Internet Explorer handles HTML rendering.
Wednesday, March 22, 2006
Hi, It’s Lennart again. Wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted Web page.
Monday, March 20, 2006
Hi everyone, Lennart Wistrand here. You may have heard about an IE crashing vulnerability that was unfortunately publicly posted before the weekend. We just wanted to make a quick note here that, as always, we’re investigating it. So far we’ve determined that visiting a page that exploits it could cause IE to fail.
Tuesday, March 14, 2006
‘I want my two… bulletins’. For some reason an unrelenting paperboy’s quest for two dollars seems to echo in my mind today. It seems so small yet it is so important. Well today the MSRC released two new bulletins. One for Office and the other for Windows, more info below. The Windows one addresses an issue you may have been following via our advisories, 914457.
Thursday, March 09, 2006
Hey folks, Mike Reavey here, I wanted to take a quick second to make sure everyone saw the Advance Notification for the Security Bulletin release for March. This coming Tuesday, the 14th, we’re planning to release two security bulletins, and they are being released for Windows for Office. The maximum total severity rating for this month is Critical, so please update systems as soon as possible when they are available on Tuesday.
Tuesday, February 28, 2006
Hi everyone, Stepto here. (I’m giving up on the “Stephen Toulouse here” after many people I met at RSA greeted me as “Stepto”, but as a side note since I created the blog under “Stepto” please remember that posts made by individuals on the MSRC are made by themselves and not me.
