Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

Browse by Tags

Related Posts
  • Blog Post: Vulnerabilities in DNS Server Could Allow Remote Code Execution

    Today we released MS11-058 to address two vulnerabilities in the Microsoft DNS Service. One of the two issues, CVE-2011-1966, could potentially allow an attacker who successfully exploited the vulnerability to run arbitrary code on Windows Server 2008 and Windows Server 2008 R2 DNS servers having a particular...
  • Blog Post: MS10-065: Exploitability of the IIS FastCGI request header vulnerability

    This month, Microsoft released an update for IIS that addresses three vulnerabilities. The blog post focuses on one of these: the Request Header Buffer Overflow Vulnerability (CVE-2010-2730), which affects IIS version 7.5 and has a maximum security impact of Remote Code Execution (RCE). Below we provide...
  • Blog Post: MS09-048: TCP/IP vulnerabilities

    This month we released MS09-048 which addresses three vulnerabilities in the Windows TCP/IP stack. One of the vulnerabilities, CVE-2009-1925, is rated Critical due to the risk of Remote Code Execution (RCE). The other two vulnerabilities are Denial of Service (DoS) issues (due to memory exhaustion) without...
  • Blog Post: Assessing the risk of the August security updates

    Today we released 13 security bulletins . Two have a maximum severity rating of Critical, nine have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment...
  • Blog Post: More information about the December 2011 ASP.Net vulnerability

    Today, we released Security Advisory 2659883 alerting customers to a newly disclosed denial-of-service vulnerability affecting several vendors’ web application platforms, including Microsoft’s ASP.NET. This blog post will cover the following: Impact of the vulnerability How to know...
  • Blog Post: MS12-083: Addressing a missing certificate revocation check in IP-HTTPS

    MS12-083 is being released to address a Security Feature Bypass, a class of vulnerability for which we do not frequently release security updates. This is the third such instance, with MS12-001 and MS12-032 previously having addressed Security Feature bypasses. The security feature being bypassed in...
  • Blog Post: Extended Protection for Authentication

    This month, Microsoft is releasing several non-security updates that implement Extended Protection for Authentication as a mechanism to help safeguard authentication credentials on the Windows platform. These new updates are not security bulletins, but non-security updates that allow web clients using...
  • Blog Post: Details on the New TLS Advisory

    Security Advisory 977377: Vulnerability in TLS Could Allow Spoofing In August of 2009, researchers at PhoneFactor discovered a vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. As the issue is present in the actual TLS/SSL-standard, not only our implementation...
  • Blog Post: Weaknesses in MS-CHAPv2 authentication

    MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol and is described in RFC2759. A recent presentation by Moxie Marlinspike [1] has revealed a breakthrough which reduces the security of MS-CHAPv2 to a single DES encryption (2^56) regardless of the password length. Today...
  • Blog Post: MS10-006 and MS10-012: SMB security bulletins

    Today we released two bulletins to address vulnerabilities in SMB. MS10-006 addresses two vulnerabilities in the SMBv1 client implementation, and MS10-012 addresses four vulnerabilities in the SMB server implementation. In this blog entry, we want to help you understand the vulnerabilities and better...
  • Blog Post: MS10-030: Malicious Mail server vulnerability

    Today we released the fix for CVE-2010-0816 in MS10-030 . This vulnerability affects Outlook Express, Windows Mail, and Windows Live Mail. We recommend that you install the update as soon as possible, but realize that some customers may need to prioritize which updates they install first. While the vulnerability...
  • Blog Post: MS09-050: Exploit timeline for the SMB2 RCE vulnerability

    This month we are releasing update MS09-050 to address the SMBv2 RCE vulnerability (CVE-2009-3103). Due to the fact that public exploit code exists for this vulnerability, we felt it would be good to summarize the exploit landscape at the time of release, so customers can use this information to prioritize...
  • Blog Post: Is SSL broken? – More about Security Bulletin MS12-006 (previously known as Security Advisory 2588513)

    On January 10 th , Microsoft released MS12-006 in response to a new vulnerability discovered in September in SSL 3.0 and TLS 1.0 . Here we would like to give further information about the technique used to exploit this vulnerability and workaround options Microsoft has released if you discover a compatibility...
  • Blog Post: MS08-036: PGM? What is PGM?

    This morning we released MS08-036 to fix two denial-of-service vulnerabilities in the Windows implementation of the Pragmatic General Multicast (PGM) protocol ( RFC 3208 ). You probably have never heard of PGM. Only one engineer on our team had ever heard of it and he previously worked as a tester on...
  • Blog Post: MS09-019 (CVE-2009-1140): Benefits of IE Protected Mode, additional Network Protocol Lockdown workaround

    Benefits of IE Protected Mode One of the vulnerabilities addressed in MS09-019 , CVE-2009-1140, involves navigating to a local file via a UNC path, ex: \\127.0.0.1\c$. This roundabout way of navigating to a file is necessary to execute local content such that it runs in the Internet Explorer Internet...
  • Blog Post: Notes on exploitability of the recent Windows BROWSER protocol issue

    Earlier this week a PoC exploit for a vulnerability in the BROWSER protocol was released on Full Disclosure. There has been some discussion regarding whether this issue can result in Remote Code Execution (RCE) or is only a Denial of Service (DoS). This blog post provides details on the exploitability...
  • Blog Post: MS08-068: SMB credential reflection defense

    Today Microsoft released a security update, MS08-068 , which addresses an NTLM reflection vulnerability in the SMB protocol. The vulnerability is rated Important on most operating systems, except Vista and Windows Server 2008 where it has a rating of Moderate. This blog post is intended to explain why...
  • Blog Post: MS12-074: Addressing a vulnerability in WPAD’s PAC file handling

    Today we released MS12-074 , addressing a Critical class vulnerability in the .NET Framework that could potentially allow remote code execution with no user interaction. This particular CVE, CVE-2012-4776, could allow an attacker on a local network to host a malicious WPAD PAC file containing script...
  • Blog Post: MS10-054: Exploitability Details for the SMB Server Update

    This month Microsoft released an update for Windows to address three vulnerabilities in the SMB Server component. Two of the vulnerabilities are remote denial-of-service (DoS) attacks, while one (CVE-2010-2550) has the potential for remote code execution (RCE). This blog post provides more details on...
  • Blog Post: MS13-018: Hard to let go

    MS13-018 addresses a potential denial-of-service condition in the Windows TCP/IP stack. This vulnerability could be leveraged by an attacker in certain circumstances to exhaust a server’s non paged pool, preventing it from making new TCP connections. The vulnerability is as follows: A Windows...
  • Blog Post: MS09-026: How a developer can know if their RPC interface is affected

    Today we are releasing MS09-026 which fixes a vulnerability in the Microsoft Windows RPC (Remote Procedure Call) NDR20 marshalling engine. This component is responsible for preparing data to be sent over the network and then translating it back to what the server or client application uses. NDR20 is...
  • Blog Post: MS12-054: Not all remote, pre-auth vulnerabilities are equally appetizing for worms..

    We released security update MS12-054 to address four privately reported issues in Windows networking components failing to properly handle malformed Remote Administration Protocol (RAP) responses. The most severe of these issues, CVE-2012-1851, is a format string vulnerability in the printer spooler...
  • Blog Post: MS10-020: SMB Client Update

    Today Microsoft released MS10-020 , which addresses several vulnerabilities in the Windows SMB client. This blog post provides additional details to help prioritize installation of the update, and understand the attack vectors and mitigations that apply. Client-side vulnerabilities The first thing...
  • Blog Post: MS08-037 : More entropy for the DNS resolver

    We released security bulletin MS08-020 two months ago to improve the DNS transaction ID entropy. You can read more about the MS08-020 algorithm change in this blog entry . Increasing the entropy makes it more difficult for attackers to spoof DNS replies. Today, we released MS08-037 to further increase...
  • Blog Post: MS09-013 and MS09-014: NTLM Credential Reflection Updates for HTTP clients

    This month we are taking another step towards blocking NTLM reflection attacks by releasing MS09-014 for Internet Explorer and MS09-013 for Windows. This is the third update related to NTLM credential reflection we have released, and I thought it would be good to go into a bit more detail on why this...