March, 2006

  • Security advisory posted, and RSA thoughts.

    Hi everyone, Stepto here. (I'm giving up on the "Stephen Toulouse here" after many people I met at RSA greeted me as "Stepto", but as a side note since I created the blog under "Stepto" please remember that posts made by individuals on the MSRC are made by themselves and not me.) I wanted to check in real quick and make everyone aware of a security advisory that we have posted for a recent update to Internet Explorer that is not security related, but we still wanted to make sure people were aware...
  • March 2006 Advanced Notification

    Hey folks, Mike Reavey here, I wanted to take a quick second to make sure everyone saw the Advance Notification for the Security Bulletin release for March. This coming Tuesday, the 14th, we’re planning to release two security bulletins, and they are being released for Windows and for Office. The maximum total severity rating for this month is Critical, so please update systems as soon as possible when they are available on Tuesday. The updates can be deployed and detected with MBSA, Microsoft Update...
  • March 2006 Bulletin Release

    ‘I want my two… bulletins’. For some reason an unrelenting paperboy’s quest for two dollars seems to echo in my mind today. It seems so small yet it is so important. Well today the MSRC released two new bulletins. One for Office and the other for Windows, more info below. The Windows one addresses an issue you may have been following via our advisories, 914457. BTW, this is Craig Gehre, the Release Manager for the MSRC (Don’t you get sick of team blogs saying "Jane here, blah blah blah…"?). We also...
  • Publicly disclosed vulnerability in Internet Explorer

    Hi everyone, Lennart Wistrand here. You may have heard about an IE crashing vulnerability that was unfortunately publicly posted before the weekend. We just wanted to make a quick note here that, as always, we’re investigating it. So far we’ve determined that visiting a page that exploits it could cause IE to fail. We’re going to continue to look into this but remind you that safe browsing practices can help here, like only visiting trusted websites, etc. If you think you might be impacted though...
  • New publicly disclosed vulnerability in Internet Explorer

    Hi, It’s Lennart again. Wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted Web page. We’re still investigating, but we have confirmed this vulnerability and I am writing a Microsoft Security Advisory on this. But we wanted to make sure customers...
  • Recent exploits regarding the Internet Explorer HTML handling vulnerability.

    Hi everyone, Stepto here. Today the MSRC became aware of public reports of attacks on some PC users utilizing the vulnerability that Lennart posted about in Internet Explorer. Here's what we know. The attacks are limited in scope for now and are being carried out by malicious Web sites exploiting a vulnerability in the method by which Internet Explorer handles HTML rendering. To be clear, and as our advisory states, the vulnerability affects currently supported versions of Windows 2000, Windows...
  • Update regarding recent Internet Explorer attacks

    Hi gang, Stepto here again. The MSRC in combination with our internal and external partner teams have been working through the weekend looking at the recent attacks involving the IE vulnerability I mentioned previously. So far we’re still seeing only limited attacks. But our anti-malware team, as always, is on the case and has uploaded removal information for the attacks to date to Windows Live Safety Center. I want to reiterate that the IE team has the update in process right now and if warranted...
  • Third party solutions to the Internet Explorer CreateTextRange vulnerability

    Hi everyone, Mike Reavey here. I wanted to make everyone aware of some recent developments regarding the “Create TextRange” IE vulnerability. First off we're still not seeing increased spread of attacks, and in fact have been very active in taking down sites as they come up with law enforcement. But attacks are still occurring so we certainly still recommend up to date AV software and our safe browsing guidance while we work on the update, and have updated the security advisory with a list of VIA...
  • An update on the IE ActiveX change from Mike Nash

    Hi there. Mike Nash from the STU. Earlier this year, during our response to the WMF zero exploit with an out-of-band security update, I wrote a blog entry explaining the details of how we got to the decision to release that update early. I received a lot of feedback from customers around the world that the blog entry and the internal insights into our decision-making process in that situation was very helpful and that we should make it a consistent practice for issues that have widespread impact...