Security Research & Defense
Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance
Postings are provided "AS IS" with no warranties, and confers no rights.
Get alerts when we update our blog!
Attack Surface Reduction
Internet Explorer (IE)
License Logging Service
safe for initialization
safe for scripting
Windows Media components
Browse by Tags
Security Research & Defense
Preventing the exploitation of user mode heap corruption vulnerabilities
Over the past few months we have discussed a few different defense in depth mitigations (like GS [ pt 1 , pt2 ], SEHOP , and DEP [ pt 1 , pt 2 ]) which are designed to make it harder for attackers to successfully exploit memory safety vulnerabilities in software. In addition to the mitigations that we...
4 Aug 2009
Microsoft's continuing work on digital certificates
Over the past several months, Microsoft has made changes both to our own internal PKI practices and to the Windows Update channel (client-side and server-side) PKI handling. You’ve likely already read about those changes on the MSRC blog , the Microsoft Update blog , and in the associated KB articles...
10 Jul 2012
New Internet Explorer vulnerability affecting all versions of IE
Today we released Security Advisory 2488013 to notify customers of a new publicly-disclosed vulnerability in Internet Explorer (IE). This vulnerability affects all versions of IE. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process. Proof...
23 Dec 2010
Internet Explorer Mitigations for ATL Data Stream Vulnerabilities
IE security update MS09-034 implements two defense-in-depth measures intended to mitigate the threat of attacks which attempt to exploit the Microsoft Active Template Library (ATL) vulnerabilities described in Security Advisory 973882 and MS09-034 . We would like to explain these mitigations in more...
28 Jul 2009
New attack surface reduction feature in GDI+
MS09-062 fixes several vulnerabilities in GDI+ related to image parsing. It also includes a feature which allows administrators to disable parsing for each of the different image formats. This feature was publicly released early this year in an optional GDI+ update available on the Microsoft Download...
12 Oct 2009
Software defense: mitigating common exploitation techniques
In our previous posts in this series, we described various mitigation improvements that attempt to prevent the exploitation of specific classes of memory safety vulnerabilities such as those that involve stack corruption , heap corruption , and unsafe list management and reference count mismanagement...
12 Dec 2013
MS11-050: IE9 is better
Today, we released MS11-050, a cumulative security update for Internet Explorer to address several vulnerabilities in IE9. The following table lists the CVEs included in MS11-050, and whether each affects IE8 or IE9. CVE Rating IE8 IE9 CVE-2011-1246 Moderate Yes...
14 Jun 2011
MS10-007: Additional information and recommendations for developers
Today we are releasing MS10-007 to address a URL validation issue generally applicable to the ShellExecute API. How would a malicious user leverage this vulnerability? This issue involves how ShellExecute handles strings that appear to be legitimate URLs, but are malformed such that they result...
9 Feb 2010
SEHOP per-process opt-in support in Windows 7
In a previous blog post we discussed the technical details of Structured Exception Handler Overwrite Protection (SEHOP) which is an exploit mitigation feature that was first introduced in Windows Vista SP1 and Windows Server 2008 RTM. SEHOP prevents attackers from being able to use the Structured Exception...
21 Nov 2009
MS10-048 an explanation of the Defense in Depth fixes
Today we released several fixes on MS10-048 affecting the win32k.sys kernel component. The most severe vulnerability allows a local user to perform an authenticated elevation of privileges, with no possible remote vector. This update also includes several “Defense in Depth” measures...
10 Aug 2010
MS09-014: Addressing the Safari Carpet Bomb vulnerability
Following up on Security Advisory 953818 , today we released MS09-014 , rated as Moderate, which addresses aspects of the Safari Carpet Bomb vulnerability. On a Windows operating system this vulnerability allows an attacker, through Safari, to drop arbitrary files on a user’s desktop. As of Safari 3...
14 Apr 2009
Introducing EMET v3
We are pleased to announce the release of a new version of our Enhanced Mitigation Experience Toolkit (EMET) - EMET 3.0 . EMET it is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution. It does so by opt-ing in software to the latest security...
15 May 2012
Safe Unlinking in the Kernel Pool
The heap in user mode has a number of different measures built in to make exploiting heap overrun vulnerabilities more challenging. Similar checks have been in debug versions of the kernel pool for some time to aid driver debugging. Windows 7 RC is the first version of Windows with some of these integrity...
26 May 2009
Understanding DEP as a mitigation technology part 1
We have mentioned DEP in several recent blog posts ( 1 , 2 , 3 , and 4 ). This blog post will answer: What is DEP? How can you enable DEP? What are the risks in enabling different modes of DEP? This is the first of a two-part blog series on DEP as a mitigation technology. What is DEP...
12 Jun 2009
MS09-019 (CVE-2009-1140): Benefits of IE Protected Mode, additional Network Protocol Lockdown workaround
Benefits of IE Protected Mode One of the vulnerabilities addressed in MS09-019 , CVE-2009-1140, involves navigating to a local file via a UNC path, ex: \\127.0.0.1\c$. This roundabout way of navigating to a file is necessary to execute local content such that it runs in the Internet Explorer Internet...
9 Jun 2009
MS12-027: Enhanced protections regarding ActiveX controls in Microsoft Office documents
Security Update MS12-027 addresses a code execution vulnerability in MSCOMCTL.OCX, the Windows Common Controls ActiveX control. By default, this component is included with all 32-bit versions of Microsoft Office. We’d like to cover the following topics in this blog post: Limited, targeted...
10 Apr 2012
Understanding DEP as a mitigation technology part 2
In our previous blog post , we explained how DEP works and how to determine if / how a process opted-in to DEP. Now we will demonstrate how DEP can be used to mitigate the risk of a real-world attack. We published a security advisory in February describing an Excel vulnerability in fully-patched Excel...
12 Jun 2009
New version of EMET is now available
Today we are pleased to announce a new version of the Enhanced Mitigation Experience Toolkit (EMET) with brand new features and mitigations. Users can click here to download the tool free of charge. The Enhanced Mitigation Experience Toolkit enables and implements different techniques to make successful...
18 May 2011
More information on the impact of MS12-001
Today we released MS12-001, which addresses an issue that can enable an attacker to bypass a defense in depth feature known as SafeSEH. This bypass is limited in scope to applications that make use of binaries that were built with Microsoft Visual C++ .NET 2003 RTM. Binaries that have been built with...
10 Jan 2012
Assessing the risk of the September Critical security bulletins
This morning we released five security bulletins , all of them having a bulletin maximum severity rating of Critical and two having a bulletin maximum exploitability index rating of "1" (Consistent exploit code likely). We wanted to just say a few words about each bulletin to help you prioritize your...
8 Sep 2009
On the effectiveness of DEP and ASLR
DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) have proven themselves to be important and effective countermeasures against the types of exploits that we see in the wild today. Of course, any useful mitigation technology will attract scrutiny, and over the past year there...
8 Dec 2010
Mitigating the LdrHotPatchRoutine DEP/ASLR bypass with MS13-063
Today we released MS13-063 which includes a defense in depth change to address an exploitation technique that could be used to bypass two important platform mitigations: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). As we’ve described in the past , these mitigations...
12 Aug 2013
Mitigating Software Vulnerabilities
How can you protect yourself, your business, and your customers when faced with an unknown or unpatched software vulnerability? This question can be difficult to answer but it is nevertheless worthy of thoughtful consideration. One particularly noteworthy answer to this question is provided in the form...
12 Jul 2011
MS12-060: Addressing a vulnerability in MSCOMCTL.OCX's TabStrip control
Today we released MS12-060 , addressing a potential remote code execution vulnerability in MSCOMCTL.OCX, the binary included with a number of Microsoft products to provide a set of common ActiveX controls. Limited, targeted attacks exploiting CVE-2012-1856 MS12-060 is on the list of high priority...
14 Aug 2012
© 2014 Microsoft Corporation.
Privacy & Cookies