MSRC

Mitigations

CVE-2013-3893: Fix it workaround available

Tuesday, September 17, 2013

Today, we released a Fix it workaround tool to address a new IE vulnerability that had been actively exploited in extremely limited, targeted attacks. This Fix it makes a minor modification to mshtml.dll when it is loaded in memory to address the vulnerability. This Fix it workaround tool is linked from Security Advisory 2887505, which describes this issue.

August 2013 Security Bulletin Webcast, Q&A, and Slide Deck

Monday, August 19, 2013

Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063). There were 3 additional questions during the webcast that we were unable to answer on air, and we have also answered those on the Q&A page.

Heart of Blue Gold – Announcing New Bounty Programs

Wednesday, June 19, 2013

Our Philosophy

At the heart of our community outreach programs, we’ve always had the same philosophy: help increase the win-win between Microsoft’s customers and the security research community. We have evolved and deepened our relationships with this community since the earliest days of Microsoft’s outreach. In the early 2000s, Microsoft had to go through what I call “the five stages of vulnerability response grief.

New Bounty Program Details

Wednesday, June 19, 2013

Today we announced the upcoming Mitigation Bypass Bounty, the BlueHat Bonus for Defense, and the Internet Explorer 11 Preview Bug Bounty program. It’s very exciting to finally take the wraps off of these initiatives and we are anticipating some great submissions from the security research community! These programs will allow us to reward great work by researchers and improve the security of our software – all to the benefit of our customers.

Java: A Fix it for when you cannot let go

Wednesday, May 29, 2013

There is much to say about the use of Java in both consumer and enterprise environments. Like any other platform, it has both devoted supporters and fervent critics. But for most, Java is a requirement, a means to an end. In the past few years, Java as a platform has been the target of numerous malware attacks, which exploit a number of Java runtime vulnerabilities on the target machines.

Assessing risk for the May 2013 security updates

Tuesday, May 14, 2013

Today we released ten security bulletins addressing 33 CVEs. Two of the bulletins have a maximum severity rating of Critical, and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Likely first 30 days impact | Platform mitigations and key notes
MS13-038 (Internet Explorer 8) | Victim browses to a malicious webpage.

Defending Websites from XSS attacks with ModSecurity 2.7.3 and OWASP Core Rule Set 2.2.7

Sunday, April 28, 2013

Even though cross-site scripting vulnerabilities have a 15-year history, they remain a big problem in the web security space. According to our research, there are hundreds of new issues discovered each month, and at least a few of them are being used in high-severity attacks. The general problem of cross-site scripting has no easy solution.

Introducing EMET v4 Beta

Thursday, April 18, 2013

Great news! Today we are proud to announce a beta release of the next version of the Enhanced Mitigation Experience Toolkit (EMET) – EMET 4.0. Download it here: http://www.microsoft.com/en-us/download/details.aspx?id=38761

EMET is a free utility that helps prevent memory corruption vulnerabilities in software from being successfully exploited for code execution. It does so by opting software in to the latest security mitigation techniques.

Assessing risk for the April 2013 security updates

Tuesday, April 09, 2013

Today we released nine security bulletins addressing 13 CVEs. Two of the bulletins have a maximum severity rating of Critical, and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability Index | Likely first 30 days impact | Platform mitigations and key notes
MS13-028 (Internet Explorer) | Victim browses to a malicious webpage.