Thursday, February 05, 2009
Hello, Bill here. I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, Feb. 10, 2009 around 10 a.m. Pacific Standard Time. It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.
Wednesday, February 04, 2009
It used to be easy to be in the security industry. All you had to do is develop products that needed to say “nay” or “yay” on a given content and “bless” it to be secure or not. That is so 2007… As we have been witnessing during a turbulent 2008 (and yes – it actually started in 2007…) nowadays the ability to decide whether a given content (note the distinction between content and file…) is malicious or not is much more complicated.
Monday, February 02, 2009
Microsoft has been talking about community-based defense for some time now. This week, I want to provide a personal dimension to the campaign, and give an update on recent activities. Curiously, as I started to write this post, a couple of phrases popped up, which despite being somewhat trite, seemed appropriate – “change is constant” and “the more things change the more they stay the same.
Monday, February 02, 2009
The original Security Vulnerability Research & Defense (SVRD) blog was launched in 2007, with the intent of providing more information about vulnerabilities in Microsoft software, mitigations and workarounds and active attacks. The blog is now expanding its focus a bit (and changing its name slightly), to include postings contributed by the Microsoft Security Engineering Center (MSEC) Security Science team.
Monday, February 02, 2009
One of the responsibilities of Microsoft’s Security Engineering Center is to investigate defense in depth techniques that can be used to make it harder for attackers to successfully exploit a software vulnerability. These techniques are commonly referred to as exploit mitigations and have been delivered to users in the form of features like /GS, Data Execution Prevention (DEP), and Address Space Layout Randomization (ASLR).
Friday, January 30, 2009
On MondayIE8 RC1 was released. Here are some of the most interesting improvements and bug fixes to the XSS Filter feature: Some byte sequences enabled the filter to be bypassed, depending on system locale URLs containing certain byte sequences bypassed the Beta 2 filter implementation in some locales. For example, with a Chinese locale system, URLs of the following format would bypass the filter:
Thursday, January 29, 2009
Handle: C-Lizzle IRL: Celene Temkin Rank: Program Manager 2 & BlueHat Project Manager Likes: Culinary warfare, BlueHat hackers and responsible disclosure Dislikes: Acts of hubris, MySpace, orange mocha Frappaccinos! Goodbye 2008- Hello 2009! Over the past year we, the MSRC EcoStrat team and all-up TwC Security have been a lot of places, seen a lot of people, and picked up a lot of t-shirts J.
Wednesday, January 28, 2009
Periodically we get reports into the MSRC of stack exhaustion in client-side applications such as Internet Explorer, Word, etc. These are valid stability bugs that, fortunately, do not lead to an exploitable condition by itself (no potential for elevation of privilege). We wanted to clarify the distinction between stack exhaustion and stack buffer overflow.
Thursday, January 22, 2009
Hi, Bill here, In response to continued customer questions on how to protect and defend themselves against the Conficker Worm, I wanted to let you know the Microsoft Malware Protection Center has published a Threat Research and Response Blog that centralizes Microsoft’s guidance. This will help you understand the nature of the threat and enable you to formulate a defense in depth strategy based on the aspects of your unique environments.
Thursday, January 22, 2009
** Handle:** Security Blanki IRL: Sarah Blankinship Rank: Senior Security Strategist Lead Likes: Vuln wrangling, teams of rivals, global climate change - the hotter the better Dislikes: Slack jawed gawkers (girls are geeks too!), customers @ risk, egos As we head into this new year, predictions abound in the security ecosystem for 2009.
