Skip to main content
MSRC

Security Research & Defense

MS09-013 and MS09-014: NTLM Credential Reflection Updates for HTTP clients

Tuesday, April 14, 2009

This month we are taking another step towards blocking NTLM reflection attacks by releasing MS09-014 for Internet Explorer and MS09-013 for Windows. This is the third update related to NTLM credential reflection we have released, and I thought it would be good to go into a bit more detail on why this update was needed, how it relates to the previous updates (MS08-068 and MS08-076), and the severity of the issue.

Read More

MS09-014: Addressing the Safari Carpet Bomb vulnerability

Tuesday, April 14, 2009

Following up on Security Advisory 953818, today we released MS09-014, rated as Moderate, which addresses aspects of the Safari Carpet Bomb vulnerability. On a Windows operating system this vulnerability allows an attacker, through Safari, to drop arbitrary files on a user’s desktop. As of Safari 3.1.2 Apple has removed this behavior from Safari.

Read More

Prioritizing the deployment of the April security bulletins

Tuesday, April 14, 2009

We just released eight security bulletins, five of which are rated Critical on at least one platform. We built a reference table of bulletin severity rating, exploitability index rating, and attack vectors. This table is sorted first by bulletin severity, next by exploitability index rating, and then by bulletin number. We hope it helps you choose an order of bulletins to start your prioritization and testing if you can’t deploy them all out immediately.

Read More

The History of the !exploitable Crash Analyzer

Wednesday, April 08, 2009

At the CanSecWest conference earlier this month we made our first public release of the !exploitable Crash Analyzer. While an upcoming white paper and the CanSecWest slide deck go into detail on the technology involved, we thought it might be useful to explore the history of the tool. Roots in Fuzzing The technology and research that eventually became the !

Read More

The MSHTML Host Security FAQ: Part II of II

Friday, April 03, 2009

MSHTML, a.k.a. Trident, is the Internet Explorer browser rendering engine. MSHTML is a great solution for rendering HTML content, either in the context of a web browser, or simply to display rich UI in an application. You are likely not even aware of some of the many ways MSHTML is hosted within Windows and third party applications.

Read More

Investigating the new PowerPoint issue

Thursday, April 02, 2009

This afternoon, we posted Security Advisory 969136 describing a new vulnerability in PowerPoint while parsing the legacy binary file format. Unfortunately, we discovered this vulnerability being used to deploy malware in targeted attacks. We expect this blog post will: Help you protect your organization from being exploited, and Help you analyze suspicious PowerPoint files.

Read More

New EMF gdiplus.dll crash not exploitable for code execution

Thursday, March 26, 2009

Yesterday we noticed a blog post and securityfocus article about a potential new vulnerability in Microsoft GDI+ when parsing a specially-crafted EMF file. You might have heard about it referred to as ‘GpFont.SetData()’. We wanted to address some speculation about this EMF parsing bug. First, our initial investigation shows that it is not exploitable for code execution.

Read More

Released build of Internet Explorer 8 blocks Dowd/Sotirov ASLR+DEP .NET bypass

Monday, March 23, 2009

Last summer at BlackHat Vegas, Alexander Sotirov and Mark Dowd outlined several clever ways to bypass the Windows Vista defense-in-depth protection combination of DEP and ASLR in attacks targeting Internet Explorer. One approach they presented allowed attackers to use .NET framework DLL’s to allocate executable pages of memory at predictable locations within the iexplore.

Read More

Enhanced GS in Visual Studio 2010

Friday, March 20, 2009

In a previous post we noted some stack-based vulnerabilities, such as MS08-067, that GS was not designed to mitigate due to the degree of control available to an attacker. However, other vulnerabilities such as the ANI parsing vulnerability in MS07-017 would have been mitigated if the GS cookie protection had been applied more broadly.

Read More