Microsoft Security Response Center Blog

Further Insight into Security Advisory 979352 and the Threat Landscape

Sunday, January 17, 2010

Hi All, We wanted to provide you some insight into the vulnerability reported in Microsoft Security Advisory 979352, which is related to our ongoing investigation into the recently publicized attacks against Google and other large corporate networks. We understand that there is a lot of noise about this topic right now and we know that our customers are receiving a lot of information about this situation from a variety of sources, so we want to provide some additional insight.

Advisory 979352 Updated

Friday, January 15, 2010

Hello, Today we updated Security Advisory 979352 to let customers know that we are aware that exploit code for the vulnerability used in recent attacks against IE 6 users, has now been made public. Information on which versions of Internet Explorer are vulnerable and what customers can do to protect themselves is included in the updated Security Advisory.

• Exploitability
• Internet Explorer (IE)
• Security Advisory

Assessing risk of IE 0day vulnerability

Friday, January 15, 2010

Yesterday, the MSRC released Microsoft Security Advisory 979352 alerting customers to limited, sophisticated attacks targeting Internet Explorer 6 customers. Today, samples of that exploit were made publicly available. Before we get into the details I want to make one thing perfectly clear. The attacks we have seen to date, including the exploit released publicly, only affect customers using Internet Explorer 6.

• Attack
• DEP
• Exploitability
• Mitigations
• MSHTML
• Risk Asessment
• Zero-Day Exploit

January Security Bulletin Webcast

Friday, January 15, 2010

Hello again. To close out our January security bulletin release, we have posted the questions and answers from Wednesday’s webcast and embedded the video below. Since we only had one bulletin, the presentation was pretty short and most of the questions were concerning the Adobe Flash Player advisory we released.

Monthly Security Bulletin Webcast Q&A - January, 2010

Friday, January 15, 2010

Hosts: Dustin Childs, Security Program Manager Jerry Bryant, Senior Security Program Manager Lead Website: TechNet/security Chat Topic: January 2010 Security Bulletins Date: Wednesday, January 13, 2010 Q: Will installing the latest version of Adobe Flash Player uninstall Adobe Flash Player 6, or am I required to use the removal tool first before installing?

• Pages
• Security Bulletin
• Security Update
• Security Update Webcast
• Security Update Webcast Q & A

Security Advisory 979352 Released

Thursday, January 14, 2010

Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks. Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer. Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.

• Defense-in-depth
• Exploitability
• Internet Explorer (IE)
• Security Advisory
• Workarounds
• Zero-Day Exploit

January 2010 Security Bulletin Release

Tuesday, January 12, 2010

Summary of Microsoft’s Security Bulletin Release for January 2010 Hi Everyone, We hope that 2010 is off to a good start for you. For our first bulletin release of the New Year, we have one Critical bulletin affecting all versions of Windows. The bulletin, MS10-001, addresses one vulnerability in the Embedded OpenType Font Engine and is Critical on Windows 2000.

• Exploitability
• Malicious Software Removal Tool (MSRT)
• Microsoft Windows
• Risk Assessment
• Security Advisory
• Security Bulletin
• Security Development Lifecycle (SDL)
• Security Update
• Video

MS10-001: Font file decompression vulnerability

Tuesday, January 12, 2010

MS10-001 addresses a vulnerability (CVE-2010-0018 ) in the LZCOMP de-compressor for Microtype Express Fonts. This blog aims to answer some questions regarding the updates we’ve made in this area. What is the issue? t2embed.dll improperly performs bounds-checking on lengths which are decoded from the LZCOMP bit-stream. This made it possible for a copy loop to violate the intended working buffer.

• Exploitability
• Font
• Mitigations
• Rating
• Risk Asessment
• Workarounds

January 2010 Bulletin Release Advance Notification

Thursday, January 07, 2010

Advance Notification for the January 2010 Security Bulletin Release It may be a new year but here in the Microsoft Security Response Center, it is business as usual. This month we have one bulletin addressing a single vulnerability in Windows. The vulnerability is critical on Windows 2000 and low for all other platforms.

• Security Bulletin
• Security Update

Results of Investigation into Holiday IIS Claim

Tuesday, December 29, 2009

We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS. What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.