Monday, October 12, 2009
MS09-062 fixes several vulnerabilities in GDI+ related to image parsing. It also includes a feature which allows administrators to disable parsing for each of the different image formats. This feature was publicly released early this year in an optional GDI+ update available on the Microsoft Download Center, but is now being release as part of this bulletin.
Friday, September 18, 2009
We’d like to give everyone an update on the situation surrounding the new Microsoft Server Message Block Version 2 (SMBv2) vulnerability affecting Windows Vista and Windows Server 2008. Easy way to disable SMBv2 First exploit for code execution released to small number of companies Mitigations that help prevent attacks Status of fixes Easy way to disable SMBv2
Monday, September 14, 2009
In July, we released a beta Office file format viewer application called OffVis as a downloadable tool. We are pleased today to announce an updated version of OffVis and a 30 minute training video to help you understand the legacy Office binary file format. OffVis 1.1 The community response to the release of the OffVis tool on July 31st has been great.
Friday, September 11, 2009
Back in April we talked about the Windows 7 improvements in AutoPlay that disables certain functionality which has been abused by malware (like Conficker). We also mentioned that these changes will be backported to down level platforms. On August 25th this functionality was made available for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008, please visit the following KB article for more information and how to download the updates http://support.
Tuesday, September 08, 2009
This morning we released five security bulletins, all of them having a bulletin maximum severity rating of Critical and two having a bulletin maximum exploitability index rating of “1” (Consistent exploit code likely). We wanted to just say a few words about each bulletin to help you prioritize your deployment this month.
Tuesday, September 08, 2009
This month we released MS09-048 which addresses three vulnerabilities in the Windows TCP/IP stack. One of the vulnerabilities, CVE-2009-1925, is rated Critical due to the risk of Remote Code Execution (RCE). The other two vulnerabilities are Denial of Service (DoS) issues (due to memory exhaustion) without the risk of RCE.
Wednesday, September 02, 2009
We’ve gotten some questions about a reported issue with SQL Server exposing plaintext user passwords. We investigated the issue and found that attackers would need administrative control of a SQL Server to extract passwords from it. We checked with the security researchers who reported the issue and they confirmed that this is an information disclosure issue requiring the attacker to first have administrative control of the installation.
Tuesday, September 01, 2009
This afternoon, the MSRC posted a security advisory describing a newly-disclosed vulnerability in the IIS FTP service that could potentially grant remote code execution to untrusted users. You can find the advisory here. Vulnerability summary The vulnerability is a stack overflow in the FTP service when listing a long, specially-crafted directory name.
Tuesday, August 11, 2009
We have released MS09-036 to address an anonymous denial of service (DoS) vulnerability in ASP.NET. We’d like to go into more detail in this blog to help you understand: Which configurations are at risk? What could happen if my configuration is impacted? How can I protect myself? Which configurations are at risk?
Tuesday, August 11, 2009
MS09-035 was released July 28 to address vulnerabilities in the Visual Studio Active Template Library (ATL). A related security update, MS09-034, included a defense-in-depth Internet Explorer mitigation to help protect against attacks in vulnerable components. This morning, we released security bulletin MS09-037 to addresses the ATL vulnerabilities in several Windows components.
