MSRC

  • Update on Current Word Vulnerability Reports

    Hey everyone, Alexandra Huft here. I wanted to try and summarize/clarify for everyone the three current Word Zero-Day issues that have been reported to Microsoft. First, I wanted everyone to know that we’re actively investigating and monitoring all of these issues through our Software Security Incident Response Process and we are working on developing and testing security updates for the three issues, which we’ll release as part of our release process once they’ve reached an appropriate level...
  • Update on accidental posting of pre-release security updates for Office for Mac

    We wanted to follow up with Office for Mac users on what to do if you installed the pre-release security updates released on Tuesday. Because the Office for Mac update that was erroneously released had additional, non-security fixes, the Office for Mac team would like to distribute a new update to its customers that includes all the fixes unrelated to security. We are planning to release the new update by the end of next week. Customers who downloaded the pre-release security update for Office...
  • Follow up information on weblog posting about PoC published for MS Office 2003 PowerPoint

    Hi everyone. Brian and Jonathan, software security engineers from the SWI team here. Alexandra Huft from the MSRC team asked us to write a guest blog entry giving an update into the technical investigation of the PowerPoint 2003 proof-of-concept code published a few weeks ago which was previously blogged about here ( http://blogs.technet.com/msrc/archive/2006/10/12/poc-published-for-ms-office-2003-powerpoint.aspx ). The short story is that this issue turned out to not be exploitable for remote...
  • PoC published for MS Office 2003 PowerPoint

    Hey everyone this is Alexandra Huft, I wanted to let you know that we’ve been made aware of proof of concept code published publicly affecting Microsoft Office 2003 PowerPoint. We are currently investigating this report. The reported proof of concept may allow an attacker to execute code on a user’s machine by convincing them to open a specially-crafted PowerPoint file. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. As part of...
  • Information on re-release of MS06-061

    ¡Hola everyone!, Ben Richeson here. I just want to take a quick moment here to introduce myself as one of the newest members to the MSRC as well as to post (my first blog entry!) about an update to MS06-061 . Today, MS06-061 has been re-released to re-offer a revised version of the security update to customers with Windows 2000 Service Pack 4 only. While the original version of MS06-061 for Windows 2000 did fully protect against the vulnerabilities discussed in the bulletin, it did not correctly...
  • Information on Reports of IE 7 Vulnerability

    Hi, this is Christopher Budd. We’ve gotten some questions here today about public reports claiming there’s a new vulnerability in Internet Explorer 7. This is an issue that we have under investigation and so we have some technical information we can share about the issue. These reports are technically inaccurate: the issue concerned in these reports is not in Internet Explorer 7 (or any other version) at all. Rather, it is in a different Windows component, specifically a component in...
  • IE Address Bar Issue

    Hello, This is Christopher Budd. I wanted to take a moment and let people know some information about a new public report about a possible vulnerability in Internet Explorer we’ve received today. As soon as we learned of the report we started an investigation into the issue and we have some information we can share on this. First, this is an issue with how URLs are displayed in the address bar. Specifically, we’ve seen that this occurs in a pop-up window after a user clicks a specially...
  • ADODB.Connection POC Published.

    Hi Everyone Scott here from the MSRC operations team with a real quick update, I wanted to let everyone know that we are fully aware of the recent Proof of Concept (POC) code posting regarding ADODB.Connection. We have initiated our Software Security Incident Response Process to investigate this issue. Once we have completed the investigation and understand if there is a threat to customers we will take the appropriate action to protect and provide guidance – as required. As always we are working...
  • Information on New Address Bar Issue

    Hello, This is Christopher Budd. We’ve gotten some questions from customers about a new public claim of a spoofing vulnerability affecting IE 7. Because Microsoft had previously determined that this actually isn’t a security vulnerability, there has been some confusion over these new reports. So, I wanted to take a moment and explain what’s going on here to help people understand the issue. The newly reported issue is actually a repeat of an issue reported in 2004. This report highlighted...
  • Microsoft Security Advisory (927892) Posted

    Hello, Ben Richeson here. I wanted to let you know that we just posted Microsoft Security Advisory (927892) about our investigation of public reports of a vulnerability in the XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0 on Windows. We are aware of limited attacks that are attempting to use the reported vulnerability. We're tracking this issue through our Software Security Incident Response Process and there is information in the advisory with steps that customers can...