Tuesday, December 09, 2008
Hi, This is Christopher Budd. I wanted to let you know that we’ve just released our security bulletins for December. The new bulletins for this month are: · MS08-070: Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349) which is rated “Critical” · MS08-071: Vulnerabilities in GDI Could Allow Remote Code Execution (956802) which is rated “Critical”
Tuesday, December 09, 2008
Today Microsoft released a security update, MS08-075, that fixes a vulnerability in Windows Explorer in Vista and Server 2008 that was exposed through the search-ms protocol handler. This is a remote unauthenticated vulnerability that requires user interaction, so we wanted to give you a bit more information about protocol handlers and how you can reduce your attack surface by turning off any protocol handlers you don’t intend to use.
Tuesday, December 09, 2008
Today we released MS08-076, which addresses two flaws in the Windows Media components: Windows Media Player, Windows Media Format Runtime, and Windows Media Services. Viewed separately, the issues are not that severe and the aggregate severity rating is Important at most. However, if the two issues are combined the impact can be quite severe, with the potential for Remote Code Execution.
Tuesday, December 09, 2008
In this part, we would like to talk more about CVE-2008-3010: ISATAP vulnerability in Windows Media components. As described in the bulletin MS08-076, Windows Media components (Windows Media Player, Windows Media Format Runtime, and Windows Media Services) treat an ISATAP server address as an intranet zone address, and thus may leak NTLM credentials.
Thursday, December 04, 2008
Hello, Bill here. I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, Dec. 9, 2008 around 10 a.m. Pacific Standard Time. It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.
Tuesday, November 25, 2008
Hi, this is Bill Sisk A while back we discussed the fact that we’re likely to see new pieces of malware over the coming weeks that exploit the vulnerability resolved in MS08-067. Recently we’ve received a string of reports from customers that have yet to apply the update and are infected by malware.
Thursday, November 20, 2008
Hello everyone, Celene Temkin here from the MSRC Ecosystem Strategy Team. BlueHat v8: C3P0wned ended a month ago and the success of the con lives on in the outstanding training and networking done between Microsoft employees and external speakers and guests. I’m happy to say the speaker video interviews, podcasts, anecdotes and archives are live on the BlueHat TechNet Page.
Friday, November 14, 2008
Register now for the December 2008Security Bulletin Webcast Security Bulletin Webcast Q&A Index Hosts: Christopher Budd, Security Response Communications Lead Adrian Stone, Lead Security Program Manager (MSRC) Website: TechNet/security Chat Topic: November 2008 Security Bulletin Date: Wednesday, November 11, 2008 Q: Along with the expected updates, my Windows Server Update Services (WSUS) servers picked up KB948110, an update for SQL Server 2000 Service Pack 4, during the same sync on Wednesday morning.
Friday, November 14, 2008
Hi, During this month’s webcast we were able to address 12 questions in the time allotted. The questions were spread fairly evenly across both bulletins. We also fielded questions regarding the Exploitability Index and the MS08-067 form the October Out-of-Band Release. Here is the link to the full Q&A so you can see all of the answers that were provided for these great questions:
Wednesday, November 12, 2008
Handle: Silver Surfer IRL: Mike Reavey Rank: Director, MSRC Likes: Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities Dislikes: Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns Hey folks – We’ve just released the November Security Bulletins and that also marks the one-month point after the release of the initial Exploitability Index in October.
