Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

Browse by Tags

Related Posts
  • Blog Post: Protection strategies for the Security Advisory 2963983 IE 0day

    We’ve received a number of customer inquiries about the workaround steps documented in Security Advisory 2963983 published on Saturday evening. We hope this blog post answers those questions. Steps you can take to stay safe The security advisory lists several options customers can take to...
  • Blog Post: More information on the December 2011 ActiveX Kill Bits bulletin (MS11-090)

    This month we released MS11-090 to address a vulnerability in the Microsoft Time component (CVE-2011-3397), which features the deprecated time behavior that is still supported in IE6. We would like to provide further information about this issue and help explain why a “binary behavior kill bit”...
  • Blog Post: MS08-050 : Locking an ActiveX control to specific applications.

    MS08-050 concerns an ActiveX control that can be maliciously scripted to leak out personal information such as email addresses. There appeared to be no need for the control to have this behaviour so giving it a Kill-Bit seemed the correct approach to take. During the extensive testing that each security...
  • Blog Post: ATL vulnerability developer deep dive

    This morning we released MS09-035 to address ATL vulnerabilities in Visual Studio. This blog post will help you answer the following questions: What are the ATL vulnerabilities? Which versions of ATL are vulnerable? How can I tell if my ActiveX control is affected? How can I fix a vulnerable...
  • Blog Post: New vulnerability in quartz.dll Quicktime parsing

    Recently, we found a remote code execution vulnerability in Microsoft’s DirectShow platform (quartz.dll) when processing the QuickTime format. We have released advisory 971778 providing guidance to help protect customers. We’d like to go into more detail in this blog to help you understand: Which...
  • Blog Post: MS09-019 (CVE-2009-1532): The "pwn2own" vulnerability

    IE8 behavior notes MS09-019 contains the fix for the IE8 vulnerability responsibly disclosed by Nils at the CanSecWest pwn2own competition (CVE-2009-1532). Nils exploited this vulnerability on an IE8 build that did allow .NET assemblies to load in the Internet Zone. The final, released build of...
  • Blog Post: Assessing the risk of the June Security Bulletins

    Today we released ten security bulletins . Three have a maximum severity rating of Critical and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most...
  • Blog Post: The MSHTML Host Security FAQ: Part II of II

    MSHTML, a.k.a. Trident, is the Internet Explorer browser rendering engine. MSHTML is a great solution for rendering HTML content, either in the context of a web browser, or simply to display rich UI in an application. You are likely not even aware of some of the many ways MSHTML is hosted within Windows...
  • Blog Post: Overview of the out-of-band release

    Today we released Security Advisory 973882 and with it, two out-of-band security bulletins. These updates are MS09-034 (an Internet Explorer update) and MS09-035 (a Visual Studio update). At this time for customers who have applied MS09-032 we are not aware of any “in the wild” exploits that leverage...
  • Blog Post: More information on MS11-087

    Today, we released MS11-087 addressing an issue in the font parsing subsystem of win32k.sys, CVE-2011-3402. The bulletin received a Critical rating due to a potential browser-based attack vector. We have not seen the browser-based attack vector exploited in the wild. The bulletin includes a workaround...
  • Blog Post: Font Directory Entry Parsing Vulnerability In win32k.sys

    MS09-065 addresses a vulnerability (CVE-2009-2514) in the font parsing subsystem of win32k.sys. If not addressed, this vulnerability could allow an attacker to bluescreen (DoS) the machine (best case scenario) or run code of his/her choice, possibly in the context of the kernel (worst case scenario)...
  • Blog Post: Reports of DEP being bypassed

    Yesterday we heard reports of a commercially available exploit that bypasses DEP. This exploit was made available to a limited number of major security vendors (Antivirus, IDS, and IPS vendors) and government CERT agencies. We wanted to use this opportunity to give an overview of current customer risk...
  • Blog Post: New vulnerability affecting Internet Explorer 8 users

    Today, the MSRC released Security Advisory 2794220 alerting customers to limited, targeted attacks affecting customers using Internet Explorer 6, 7, and 8. Internet Explorer 9 and Internet Explorer 10 users are safe. More information about the vulnerability and exploit In this particular vulnerability...
  • Blog Post: New Internet Explorer vulnerability affecting all versions of IE

    Today we released Security Advisory 2488013 to notify customers of a new publicly-disclosed vulnerability in Internet Explorer (IE). This vulnerability affects all versions of IE. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process. Proof...
  • Blog Post: Internet Explorer Mitigations for ATL Data Stream Vulnerabilities

    IE security update MS09-034 implements two defense-in-depth measures intended to mitigate the threat of attacks which attempt to exploit the Microsoft Active Template Library (ATL) vulnerabilities described in Security Advisory 973882 and MS09-034 . We would like to explain these mitigations in more...
  • Blog Post: Behavior of ActiveX controls embedded in Office documents

    The Microsoft Office applications (Word, Excel, PowerPoint, etc) have built-in ActiveX control support. ActiveX support allows a richer experience when interacting with an Office document. For example, a document author could use the Safe-For-Initialization Office Web Components (OWC) ActiveX control...
  • Blog Post: MS11-018 addresses the IE8 pwn2own vulnerability

    Today Microsoft released MS11-018 addressing one of the three vulnerabilities that were used to win the Pwn2Own contest last month at CanSecWest 2011. It took three vulnerabilities to successfully compromise IE8 and meet all the requirements of the organizers. The vulnerability we are fixing today...
  • Blog Post: Clarification on the various workarounds from the recent IE advisory

    Today Microsoft revised the Workarounds section of Security Advisory 961051 . We wanted to share more detail about the vulnerability and explain the additional workarounds here to help you protect your computers. Information about the vulnerability The vulnerability is caused by memory corruption...
  • Blog Post: MS11-050: IE9 is better

    Today, we released MS11-050, a cumulative security update for Internet Explorer to address several vulnerabilities in IE9. The following table lists the CVEs included in MS11-050, and whether each affects IE8 or IE9. CVE Rating IE8 IE9 CVE-2011-1246 Moderate Yes...
  • Blog Post: IE 8 XSS Filter Architecture / Implementation

    Recently we announced the Internet Explorer 8 XSS Filter and talked a bit about its design philosophy . This post will describe the filter’s architecture and implementation in more detail. Design Goals The Internet Explorer 8 XSS Filter is intended to mitigate reflected / “Type-1” XSS vulnerabilities...
  • Blog Post: The MSHTML Host Security FAQ: Part I of II

    MSHTML, a.k.a. Trident, is the Internet Explorer browser rendering engine. MSHTML is a great solution for rendering HTML content, either in the context of a web browser, or simply to display rich UI in an application. You are likely not even aware of some of the many ways MSHTML is hosted within Windows...
  • Blog Post: MSVIDCTL (MS09-032) and the ATL vulnerability

    Today we have released Security Advisory 973882 that describes vulnerabilities in the Microsoft Active Template Library (ATL), as well as security updates for Internet Explorer ( MS09-034 ) and Visual Studio ( MS09-035 ). The Visual Studio update addresses several vulnerabilities in the public versions...
  • Blog Post: Running in the wild, not for so long

    Over the weekend we received a report from our partners about a possible unpatched Internet Explorer vulnerability being exploited in the wild. The exploit code uses a memory corruption bug triggered from a webpage but it deeply leverages a Flash SWF file in order to achieve reliable exploitation and...
  • Blog Post: The Kill-Bit FAQ: Part 1 of 3

    It is very common for Microsoft security bulletins to include “Kill-Bits” to disable individual ActiveX controls / COM objects. Here is the first part of a three-part FAQ we have developed to answer some questions around the Kill-Bit and related functionality. The Kill-Bit FAQ – Part 1 of 3 What...
  • Blog Post: MS09-014: Addressing the Safari Carpet Bomb vulnerability

    Following up on Security Advisory 953818 , today we released MS09-014 , rated as Moderate, which addresses aspects of the Safari Carpet Bomb vulnerability. On a Windows operating system this vulnerability allows an attacker, through Safari, to drop arbitrary files on a user’s desktop. As of Safari 3...