Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

Related Posts
  • Blog Post: Assessing the risk of the February Security Bulletins

    This morning, we released 13 security bulletins. Five have maximum severity rating of Critical, seven Important, and one Moderate. One security bulletin (MS10-015, ntvdm.dll) has exploit code already published, but we are not aware of any active attacks or customer impact. We hope that the table and...
  • Blog Post: Reports of DEP being bypassed

    Yesterday we heard reports of a commercially available exploit that bypasses DEP. This exploit was made available to a limited number of major security vendors (Antivirus, IDS, and IPS vendors) and government CERT agencies. We wanted to use this opportunity to give an overview of current customer risk...
  • Blog Post: Preventing the exploitation of user mode heap corruption vulnerabilities

    Over the past few months we have discussed a few different defense in depth mitigations (like GS [pt 1, pt 2], SEHOP, and DEP [pt 1, pt 2]) which are designed to make it harder for attackers to successfully exploit memory safety vulnerabilities in software. In addition to the mitigations that we...
  • Blog Post: New EMF gdiplus.dll crash not exploitable for code execution

    Yesterday we noticed a blog post and securityfocus article about a potential new vulnerability in Microsoft GDI+ when parsing a specially-crafted EMF file. You might have heard about it referred to as ‘GpFont.SetData()’. We wanted to address some speculation about this EMF parsing bug. First, our...
  • Blog Post: New Internet Explorer vulnerability affecting all versions of IE

    Today we released Security Advisory 2488013 to notify customers of a new publicly-disclosed vulnerability in Internet Explorer (IE). This vulnerability affects all versions of IE. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process. Proof...
  • Blog Post: MS11-034: Addressing vulnerabilities in the win32k subsystem

    Today we released security bulletin MS11-034 to address vulnerabilities in the win32k subsystem. This update addresses externally reported issues as well as several internally found vulnerabilities that were discovered as part of our variant investigation. The bulletin may appear to address an alarmingly...
  • Blog Post: MIDI PoC not exploitable for code execution

    On Wednesday, a PoC was posted to milw0rm describing an “integer overflow” in Windows Media Player. We investigated the .mid file and found it to be a duplicate of a non-exploitable crash previously posted publicly on Bugtraq around Christmas, four months ago. We blogged about this same issue here: http...
  • Blog Post: MS10-065: Exploitability of the IIS FastCGI request header vulnerability

    This month, Microsoft released an update for IIS that addresses three vulnerabilities. The blog post focuses on one of these: the Request Header Buffer Overflow Vulnerability (CVE-2010-2730), which affects IIS version 7.5 and has a maximum security impact of Remote Code Execution (RCE). Below we provide...
  • Blog Post: Assessing the risk of the September security updates

    Today we released nine security bulletins. Four have a maximum severity rating of Critical with the other five having a maximum severity rating of Important. Furthermore, six of the nine bulletins either do not affect the latest version of our products or affect them with reduced severity. We hope that...
  • Blog Post: Assessing the risk of the December 2011 security updates

    Today we released thirteen security bulletins. Three have a maximum severity rating of Critical with the other ten having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin ...
  • Blog Post: MS09-048: TCP/IP vulnerabilities

    This month we released MS09-048 which addresses three vulnerabilities in the Windows TCP/IP stack. One of the vulnerabilities, CVE-2009-1925, is rated Critical due to the risk of Remote Code Execution (RCE). The other two vulnerabilities are Denial of Service (DoS) issues (due to memory exhaustion) without...
  • Blog Post: Assessing the risk of the August security updates

    Today we released 13 security bulletins. Two have a maximum severity rating of Critical, nine have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment...
  • Blog Post: MS10-001: Font file decompression vulnerability

    MS10-001 addresses a vulnerability (CVE-2010-0018) in the LZCOMP de-compressor for Microtype Express Fonts. This blog aims to answer some questions regarding the updates we’ve made in this area. What is the issue? t2embed.dll improperly performs bounds-checking on lengths which are decoded from the...
  • Blog Post: The History of the !exploitable Crash Analyzer

    At the CanSecWest conference earlier this month we made our first public release of the !exploitable Crash Analyzer. While an upcoming white paper and the CanSecWest slide deck go into detail on the technology involved, we thought it might be useful to explore the history of the tool. Roots in Fuzzing...
  • Blog Post: Prioritizing the deployment of the April security bulletins

    We just released eight security bulletins, five of which are rated Critical on at least one platform. We built a reference table of bulletin severity rating, exploitability index rating, and attack vectors. This table is sorted first by bulletin severity, next by exploitability index rating, and then...
  • Blog Post: Stack overflow (stack exhaustion) not the same as stack buffer overflow

    Periodically we get reports into the MSRC of stack exhaustion in client-side applications such as Internet Explorer, Word, etc. These are valid stability bugs that, fortunately, do not lead to an exploitable condition by themselves (no potential for elevation of privilege). We wanted to clarify the distinction...
  • Blog Post: Assessing the risk of the June security updates

    Today we released 16 security bulletins. Nine have a maximum severity rating of Critical and seven have a maximum severity rating of Important. This release addresses several publicly disclosed vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately...
  • Blog Post: Notes on exploitability of the recent Windows BROWSER protocol issue

    Earlier this week a PoC exploit for a vulnerability in the BROWSER protocol was released on Full Disclosure. There has been some discussion regarding whether this issue can result in Remote Code Execution (RCE) or is only a Denial of Service (DoS). This blog post provides details on the exploitability...
  • Blog Post: Assessing risk of IE 0day vulnerability

    Yesterday, the MSRC released Microsoft Security Advisory 979352 alerting customers to limited, sophisticated attacks targeting Internet Explorer 6 customers. Today, samples of that exploit were made publicly available. Before we get into the details I want to make one thing perfectly clear. The attacks...
  • Blog Post: Assessing risk for the December 2013 security updates

    Today we released eleven security bulletins addressing 24 CVEs. Five bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment...
  • Blog Post: Assessing the risk of the August security updates

    Today we released fourteen security bulletins. Eight have a maximum severity rating of Critical with the other six having a maximum severity rating of Important. Furthermore, six of the fourteen bulletins either do not affect the latest version of our products or affect them with reduced severity. We...
  • Blog Post: MS10-054: Exploitability Details for the SMB Server Update

    This month Microsoft released an update for Windows to address three vulnerabilities in the SMB Server component. Two of the vulnerabilities are remote denial-of-service (DoS) attacks, while one (CVE-2010-2550) has the potential for remote code execution (RCE). This blog post provides more details on...
  • Blog Post: DEP, EMET protect against attacks on the latest Internet Explorer vulnerability

    Today we released Security Advisory 2458511 notifying customers of limited attacks leveraging an Internet Explorer vulnerability. The beta version of Internet Explorer 9 is not affected while Internet Explorer 6, 7, and 8 are affected. So far the attacks we have seen only target Internet Explorer versions...
  • Blog Post: Assessing risk for the January 2012 security updates

    Today we released seven security bulletins. One has a maximum severity rating of Critical with the other six having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most...
  • Blog Post: Assessing the risk of the December security bulletins

    This morning we released six security bulletins, three Critical and three Important, addressing 12 CVEs. Please apply the Internet Explorer update right away as it poses the most risk of all the bulletins due to severity and exploitability. The Internet Explorer update addresses the vulnerability described...