Skip to main content
MSRC

Microsoft Security Response Center Blog

Questions about Timing and Microsoft Security Advisory 972890

Thursday, July 09, 2009

Hi everyone, Mike Reavey here. You’ve probably seen in Jerry’s Advance Notification posting today announcing that we’re on track to release an update to address the issue discussed in Microsoft Security Advisory 972890. We’ve gotten some questions from customers about when we got the first report of this vulnerability and how long the investigation has taken relative to the outbreak of attacks against this vulnerability.

Read More

July 2009 Advance Notification

Wednesday, July 08, 2009

Advance Notification for the July 2009 Security Bulletin Release Our Advance Notification was published today and indicates that next Tuesday, July 14 at 10:00 a.m. PDT (UTC -8), we will be releasing a total of 6 security bulletins consisting of: · Three Critical updates affecting Windows. · One Important update affecting Publisher.

Read More

Microsoft Security Advisory 972890 Released

Monday, July 06, 2009

I wanted to let you know that we have just posted Microsoft Security Advisory 972890 that discusses new, limited attacks against a Microsoft Video ActiveX Control affecting Windows XP and Windows Server 2003. Specifically, we’re aware of a code execution vulnerability within this control that can enable an attacker to run code as the logged-on user if they browse to a malicious site.

Read More

Securing our Legacy

Friday, June 19, 2009

Hi, this is Scott Stender from iSEC Partners. I recently had the privilege of speaking at Microsoft’s BlueHat event in Brussels on the topic of securing legacy systems. With all of the recent coverage on the need to secure our networked systems – national, corporate, and individual alike – I felt that the BlueHat event was a good time to shine the spotlight on those little-loved, perhaps little-known systems that keep our plugged-in society working.

Read More

Stainless steel bridge

Monday, June 15, 2009

Hi! Manuel Caballero here. I had the pleasure of penetration testing (pen-testing) the previous versions of Microsoft Silverlight, and now, for the last three weeks, I’ve been playing around with the beta version of Silverlight 3. When I say, “the pleasure”, I really mean it. Playing with Silverlight means to play with a plug-in that, from a security point of view, was born being already mature.

Read More

Monthly Security Bulletin Webcast Q&A - June 2009

Friday, June 12, 2009

Hosts: Adrian Stone, Senior Security Program Manager Lead Jerry Bryant, Senior Security Program Manager Lead Website: TechNet/security Chat Topic: June 2009 Security Bulletin Date: Wednesday, June 10, 2009 Q: For security update for Microsoft Excel 2000 ( KB969683), is Microsoft Office Excel 2000 Service Pack 3 the only version that is vulnerable, or is that the only version of Office that is supported and therefore the only one that the security update will work for?

Read More

Security Bulletin Webcast Video, Questions and Answers – June 2009

Friday, June 12, 2009

During the security bulletin webcast for June 2009, we answered a wide array of questions around the 10 bulletins we released. Of primary interest to customers, based on the number of questions we received on the topic, is the RPC issue addressed by MS09-026. As this issue affects third party products that utilize RPC in Windows, customers wanted to know if there is a way to tell if their third party product was vulnerable.

Read More

Understanding DEP as a mitigation technology part 2

Friday, June 12, 2009

In our previous blog post, we explained how DEP works and how to determine if / how a process opted-in to DEP. Now we will demonstrate how DEP can be used to mitigate the risk of a real-world attack. We published a security advisory in February describing an Excel vulnerability in fully-patched Excel being used in limited targeted attacks.

Read More