December, 2006

  • New report of a Windows vulnerability

    Hi everyone, As usual the holiday season is a busy time for everyone including those of us here in the MSRC. I hope that everyone has finished their holiday shopping so they can enjoy the long weekend. This is Mike Reavey by the way in case anyone was wondering. Aside from discussing the holidays, the reason I am dropping in on the blog is that right now we are closely monitoring developments related to a public posting of proof of concept code targeting an issue with the Client Server Run...
  • New Report of A Word Zero Day

    Hi All, Scott Deacon here, well a busy week extends into a busy weekend for the MSRC!! We are investigating reports of another new vulnerability in Microsoft Word – initial investigation has shown that this is a different issue to that reported in Microsoft Security Advisory 929433 . Our initial investigation has discovered that Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word 2007 is NOT affected by the vulnerability. From the initial reports and...
  • Update on Current Word Vulnerability Reports

    Hey everyone, Alexandra Huft here. I wanted to try and summarize/clarify for everyone the three current Word Zero-Day issues that have been reported to Microsoft. First, I wanted everyone to know that we’re actively investigating and monitoring all of these issues through our Software Security Incident Response Process and we are working on developing and testing security updates for the three issues, which we’ll release as part of our release process once they’ve reached an appropriate level...
  • Public Proof of Concept Code for ASX File Format Isssue

    Hey everyone this is Alexandra Huft I wanted to let you know that we’re aware of proof-of-concept code published publicly affecting Windows Media ASX file format. We are currently investigating this report. We are not currently aware of attempts to exploit this vulnerability. The ASX file format is an XML-based media file format which is processed by Windows Media Player. An attacker could construct a malformed ASX file and use it to cause Media Player to overrun a heap-allocated buffer...
  • Information on accidental posting of pre-release security updates for Office for Mac

    We’ve seen some question s from customers about some security updates that posted for a while today for Office for Mac that they didn’t see any security bulletins for. I wanted to let you know that these weren’t security updates related to this month’s release or the two Word issues we’ve written about in Security Advisory 929433 and on our weblog : those investigations are still underway and we’ll release updates for those issues once we’ve met the appropriate quality bar. The updates posted...
  • What “very limited, targeted attacks” Means

    Hi, this is Christopher Budd. We’ve gotten some question from customers about what we mean when we say we’re aware of “very limited, targeted attacks” in a security advisory. I wanted to take a moment and help give some clarity. When we talk about “very limited, targeted attacks” we specifically mean this in contrast to attacks that affect a broad number of customers randomly. Unlike these broad, random attacks, these very limited, targeted attacks are carried out against a very small number...
  • Microsoft Security Advisory (929433) Posted

    Hey everyone this is Alexandra Huft I wanted to let people know that we just posted Microsoft Security Advisory (929433) which involves Microsoft Word. We are currently investigating a report of a proof of concept which may allow an attacker to execute code on a user’s machine by convincing them to open a specially-crafted Word document. We are aware of limited attacks attempting to use the vulnerability reported. I will keep everyone up to date as new or additional information becomes...
  • Update on accidental posting of pre-release security updates for Office for Mac

    We wanted to follow up with Office for Mac users on what to do if you installed the pre-release security updates released on Tuesday. Because the Office for Mac update that was erroneously released had additional, non-security fixes, the Office for Mac team would like to distribute a new update to its customers that includes all the fixes unrelated to security. We are planning to release the new update by the end of next week. Customers who downloaded the pre-release security update for Office...
  • December 2006 Advanced Notification

    Hello, This is Christopher Budd and I'm posting here today to let you know that we've posted our Advanced Notification for the December 2006 Microsoft Monthly Security Bulletin Release. Next Tuesday, on December 12, 2006 at approximately 10:00 am PT we are slated to release six new security bulletins: Five Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security...
  • December 2006 Monthly Security Bulletin Release

    Hello, this is Christopher Budd. I wanted to let you know that as part of our standard monthly bulletin release process we’ve released our security bulletins for December 2006. · Microsoft Windows ( MS06-072 ) · maximum severity rating of Critical · vulnerabilities could allow an attacker to remotely take complete control of an affected system. · Microsoft Visual Studios 2005 ( MS06-073 ) · maximum severity rating of Critical · vulnerabilities could allow an attacker...