Skip to main content

Attack Vector

MS09-012: Fixing “Token Kidnapping”

Tuesday, April 14, 2009

This morning we released MS09-012, an update to address the publicly-disclosed issue commonly referred to as Token Kidnapping ( This vulnerability allows escalation from the Network Service account to the Local System account. Normally malicious users are not running as Network Service, except for a very few programs like IIS, where arbitrary code can be executed within a service running as Network Service.

MS09-014: Addressing the Safari Carpet Bomb vulnerability

Tuesday, April 14, 2009

Following up on Security Advisory 953818, today we released MS09-014, rated as Moderate, which addresses aspects of the Safari Carpet Bomb vulnerability. On a Windows operating system this vulnerability allows an attacker, through Safari, to drop arbitrary files on a user’s desktop. As of Safari 3.1.2 Apple has removed this behavior from Safari.

Prioritizing the deployment of the April security bulletins

Tuesday, April 14, 2009

We just released eight security bulletins, five of which are rated Critical on at least one platform. We built a reference table of bulletin severity rating, exploitability index rating, and attack vectors. This table is sorted first by bulletin severity, next by exploitability index rating, and then by bulletin number. We hope it helps you choose an order of bulletins to start your prioritization and testing if you can’t deploy them all out immediately.

State of the Union

Thursday, October 16, 2008

I spent a lot of time trying to think about what to write for a BlueHat pre-conference blog entry and had a pretty hard time focusing on one topic. To handle this, I decided to comment on the state of security. While I’ve found plenty of things to be excited about with security, including improved awareness, ~~~~enhanced vendor responsiveness to issues (although some still lag behind), increasing global awareness of security concerns, etc.

Service isolation explanation

Monday, October 13, 2008

The past few days, we have had service isolation on our minds here in Redmond after the POC code posting last week from Cesar Cerrudo. Nazim Lala from the IIS team posted a great blog entry about the fix and why it is taking so long to release it. I expect it to be close to the amount of code churn as XP SP2.

Why there won't be a security update for WkImgSrv.dll

Thursday, June 05, 2008

Recently, there was a public post in milw0rm (, talking about an issue in the ActiveX control of Microsoft Works 7 WkImgSrv.dll. The PoC claims that it would achieve remote code execution. McAfee Avert Labs Blog also had a post about this ( At first glance the issue sounds serious, right?