Microsoft Security Response Center Blog

April 2008 Advance Notification

Thursday, April 03, 2008

Hello, Bill here. I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, April 8, 2008 around 10 a.m. Pacific Standard Time. It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.

Processing Power to the People

Monday, March 31, 2008

Hey everyone, h1kari here. Katie invited me to do a guest post on the BlueHat blog and so I thought I’d rant a little bit on some ideas I’ve had with how crypto best-practices relate to other areas of security that may hit closer to home for you guys. My current interests are in finding areas of computing that would be a lot more useful if they could only be run faster, so I’d like to hear from you about your experiences and what takes up all the idle time on your processors.

Saddle up for Web App Security, or XSSive Force

Monday, March 24, 2008

Bryan Sullivan here, making a guest appearance here away from my usual home on the SDL blog. It’s great to see BlueHat showing some love to the Web app sec community. I’m thrilled that BH is expanding on its tradition of inviting some of the best and brightest Web app sec minds by dedicating the entire morning to layer 7 issues.

UPDATE: MSRC Blog: Microsoft Security Advisory (950627)

Monday, March 24, 2008

Hi there, this is Mike of the MSRC.

The case of the MDB attack vector

The MSRC on Friday afternoon posted an advisory about limited, targeted attacks using JET database files, commonly referenced as file type MDB. Many of you probably remember that MDB files are on the unsafe file type list (http://support.

MSRC Blog: Microsoft Security Advisory (950627)

Friday, March 21, 2008

Hello, Bill here, I wanted to let you know that we have just posted Microsoft Security Advisory (950627). This advisory contains information about a very limited, targeted attack exploiting a vulnerability in Microsoft Jet Database Engine. Our initial investigation has shown that this vulnerability affects customers using Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007 and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1.

March 2008 MS08-014 Re-release

Wednesday, March 19, 2008

Hello, this is Tim Rains. Very quickly, I wanted to let you know that we’ve just re-released MS08-014 for Microsoft Office Excel 2003 Service Pack 2 and Service Pack 3 only. The original version released on March 11, 2008 did fully protect against the security issues discussed in the bulletin. However, after release we discovered that the security update caused a calculation error in Microsoft Excel 2003 when a Real Time Data source was used in a user-created Visual Basic for Applications solution (in other words a custom-built VBA function).

Going big and going home, or Your r00ts are showing.

Thursday, March 13, 2008

Welcome back to the BlueHat blog! Tuesday afternoon, as the taxi carrying Bruce Dang, Dave Dittrich, and me hurtled hurly-burly from Logan airport, I could almost hear my own “welcome back” to my home town of Boston. This was a homecoming heralded by screeching taxi brakes as we popped the most awesome (though surely less than legal) U-turn on Mem Drive into the driveway of the conference hotel hosting SOURCE Boston.

Update: March 2008 Monthly Release

Thursday, March 13, 2008

Bill here. I wanted to let you know that we have updated bulletin MS08-014 to provide additional information on a newly identified issue that causes Microsoft Excel 2003 calculations to return an incorrect result when a Real Time Data source is used. The issue affects a specific scenario and may not affect you.

March 2008 Monthly Release

Tuesday, March 11, 2008

Wow! It is already the 2nd Tuesday of the month, and with it comes the announcement of some new bulletins! This is Tami Gallupe, MSRC Release Manager, and I just wanted to let you know that we just posted our March 2008 Bulletins. We released four bulletins today, all are for Office and all have a maximum severity rating of Critical.

MS08-014 : The Case of the Uninitialized Stack Variable Vulnerability

Tuesday, March 11, 2008

MS08-014, CVE 2008-0081, addresses a vulnerability in Excel whose root cause is an uninitialized stack variable. You probably have seen these types of compiler warnings before:

    C:\temp>cl stack.cpp
    Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.21022.08 for 80x86
    Copyright (C) Microsoft Corporation. All rights reserved.

    stack.cpp
    c:\temp\stack.cpp(49) : warning C4700: uninitialized local variable 'pNoInit' used