Security Research & Defense | Microsoft Security Response Center

Why there won't be a security update for WkImgSrv.dll

Thursday, June 05, 2008

Recently, there was a public post in milw0rm (http://www.milw0rm.com/exploits/5530), talking about an issue in the ActiveX control of Microsoft Works 7 WkImgSrv.dll. The PoC claims that it would achieve remote code execution. McAfee Avert Labs Blog also had a post about this (http://www.avertlabs.com/research/blog/index.php/2008/04/17/potential-microsoft-works-activex-0-day-surfaces/). At first glance the issue sounds serious, right?

SQL Injection Attack

Thursday, May 29, 2008

(Special thanks to Neil Carpenter for helping out on this blog post) Recent Trends Beginning late last year, a number of websites were defaced to include malicious HTML <script> tags in text that was stored in a SQL database and used to generate dynamic web pages. These attacks began to accelerate in the first quarter of 2008 and are continuing to affect vulnerable web applications.

MS08-026: How to prevent Word from loading RTF files

Tuesday, May 13, 2008

This month we released an update for Microsoft Word that fixed issues relating to loading RTF files (CVE-2008-1091) and HTML files (CVE-2008-1434). Office applications like Microsoft Word can load a large variety of different file formats, and some people may want to reduce their attack surface by disabling the formats they don’t typically use.

MS08-020 : How predictable is the DNS transaction ID?

Wednesday, April 09, 2008

Today we released MS08-020 to address a weakness in the Transaction ID (TXID) generation algorithm in the DNS client resolver. The TXID is a 16-bit entity that is primarily used as a synchronization mechanism between DNS servers/clients; in fact, you can think of it as an Initial Sequence Number (ISN) for DNS query/response exchanges.

DNS
Spoofing

MS08-023: Same bug, four different security bulletin ratings

Wednesday, April 09, 2008

Security bulletin MS08-023 addressed two ActiveX control vulnerabilities, one in a Visual Studio ActiveX control and another in a Yahoo!’s Music Jukebox ActiveX control. The security update sets the killbit for both controls. For more about how the killbit works, see the excellent three-part series (1, 2, 3) from early February in this blog.

MS08-025: Win32k vulnerabilities

Wednesday, April 09, 2008

MS08-025 addresses several vulnerabilities in win32k.sys where you can execute arbitrary code in kernel mode. These bugs can only be exploited locally and there is no remote vector we are aware of. One of these vulnerabilities deals on how we can bypass some of the ProbeForWrite and ProbeForRead checks when using user supplied memory pointers.

MS08-014 : The Case of the Uninitialized Stack Variable Vulnerability

Tuesday, March 11, 2008

MS08-014, CVE 2008-0081, addresses a vulnerability in Excel whose root cause is an uninitialized stack variable. You probably have seen these types of compiler warnings before: C:\temp>cl stack.cpp Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.21022.08 for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. stack.cpp c:\temp\stack.cpp(49) : warning C4700: uninitialized local variable 'pNoInit' used .

MS08-015: Protocol Handler and its Default Security Zone

Tuesday, March 11, 2008

MS08-015, CVE-2008-0110, addresses a vulnerability in Microsoft Outlook’s implementation of “mailto” URI handling. The attack can be launched via IE or other applications which invoke the “mailto” protocol. Applications can register pluggable protocol handlers to handle a custom Uniform Resource Locator (URL) protocol scheme. Here “mailto” is one example of the various protocol handles that can be registered.

The Kill-Bit FAQ: Part 3 of 3

Friday, February 08, 2008

It is very common for Microsoft security bulletins to include “Kill-Bits” to disable individual ActiveX controls / COM objects. Here is the final part of our three-part Kill-Bit FAQ. The Kill-Bit FAQ – Part 3 of 3 Are there issues that could complicate the implementation of a Kill-Bit based fix?

The Kill-Bit FAQ: Part 2 of 3

Thursday, February 07, 2008

It is very common for Microsoft security bulletins to include “Kill-Bits” to disable individual ActiveX controls / COM objects. Here is the second part of our three-part Kill-Bit FAQ. The Kill-Bit FAQ – Part 2 of 3 How do ActiveX Controls, OLE Controls, and COM Objects relate? An ActiveX control is an OLE control that is intended to be used inside a web browser.