Tuesday, October 14, 2008
Today, we released MS08-065 to fix an issue in MSMQ. You’ll notice that the bulletin was rated “Important” and indicates that remote code execution is possible. However, we would like to show you that in practice the severity of the fixed issue is limited only to information disclosure. If the MSMQ service were installed by default on any affected Windows configuration, we would have rated this one Critical.
Tuesday, October 14, 2008
The driver afd.sys is responsible for handling socket connections. MS08-066 addresses several vulnerabilities in afd.sys that could allow an attacker to execute arbitrary code in kernel mode. These vulnerabilities can only be exploited locally and there is no remote vector from our investigations. One of these vulnerabilities involves a ProbeForRead / ProbeForWrite bypass when using user supplied memory pointers and lengths.
Monday, October 13, 2008
The past few days, we have had service isolation on our minds here in Redmond after the POC code posting last week from Cesar Cerrudo. Nazim Lala from the IIS team posted a great blog entry about the fix and why it is taking so long to release it. I expect it to be close to the amount of code churn as XP SP2.
Tuesday, September 09, 2008
You may have noticed that the MS08-052 bulletin has a workaround that’s a little different than you’re probably used to seeing in our bulletins. That’s because gdiplus.dll, on all OSes after Windows 2000, is stored in something called the Windows Side By Side Cache (WinSxS). The purpose of the WinSxS cache is to keep old versions of assemblies around in case an application requires a specific version, and doesn’t want newer versions.
Tuesday, September 09, 2008
One of our blogging goals is to give you a peek “behind the scenes” into our security response process. We thought you might be interested in the story behind MS08-055, this month’s OneNote bulletin. In March, a security researcher sent in a report of an information disclosure vulnerability that affected OneNote 2007, a part of Office 2007.
Tuesday, August 19, 2008
Recently we announced the Internet Explorer 8 XSS Filter and talked a bit about its design philosophy. This post will describe the filter’s architecture and implementation in more detail. Design Goals The Internet Explorer 8 XSS Filter is intended to mitigate reflected / “Type-1” XSS vulnerabilities in a way that does not “break the web.
Wednesday, August 13, 2008
MS08-049 is an update for the Windows Event System service to correct an authenticated elevation-of-privilege vulnerability. We received a question via email yesterday about the type of authentication needed to exploit CVE-2008-1456. Our security bulletin was a little ambiguous with one reference to “logon credentials” and another to “domain credentials”. The email question was from an IT security manager who wondered whether his hardened servers could be compromised remotely.
Tuesday, August 12, 2008
MS08-041 fixes a vulnerability in the Microsoft Access Snapshot Viewer ActiveX control. It’s an interesting vulnerability so we wanted to go into more detail about platforms at reduced risk and also more about the servicing strategy for this vulnerability. Windows Vista at reduced risk? We first heard about this vulnerability from customers sending in reports of active attacks.
Tuesday, August 12, 2008
A few weeks ago we posted a blog entry titled “How to parse the .doc file format”. Today’s blog post will show you how to use that information to check whether a .doc file is specially crafted to exploit MS08-042, one of the vulnerabilities addressed by today’s security updates. This particular vulnerability is being exploited out in the real world so we believe the benefits of releasing more information about it to help the defenders outweighs the risk of attackers learning more about the already-public vulnerability.
Tuesday, August 12, 2008
In this month’s update for Excel we addressed an interesting CVE (CVE-2008-3003) – the first vulnerability to affect the new Open XML file format (but it doesn’t result in code execution). This is an information disclosure vulnerability that can arise when a user makes a data connection from Excel to a remote data source and checks a checkbox to have Excel NOT save the password used in that connection to the file.
