Year: 2008

Information regarding MD5 collisions problem

Today Microsoft released a security advisory (961509) regarding collisions in MD5 hashes on certificates. This specific problem affects the entire industry and is not a Microsoft-specific vulnerability. Serious weaknesses in MD5 have been known for many years now; it is because of these weaknesses that MD5 is banned in new code under the Microsoft …

Information on Microsoft Security Advisory 961509

Hi everyone. This is Maarten Van Horenbeeck. I just joined the Microsoft Security Response Center a few months ago, and am the program manager working on the issue described in Microsoft Security Advisory (961509), which we just released. Earlier today, two researchers presented at a security conference on a novel way of implementing collision …

Windows Media Player crash not exploitable for code execution

On Christmas Day, the MSRC opened a case tracking a Bugtraq-posted POC describing a “malformed WAV,SND,MID file which can lead to a remote integer overflow”. By Saturday evening, we saw reputable internet sources claiming this bug could lead to executing arbitrary code on the system. We investigated right away and found that this bug cannot …

Questions about Vulnerability Claim in Windows Media Player

Happy holidays to everyone. While it’s been a snowy holiday season for us in the Pacific Northwest (some of us are still snowed in), the MSRC never closes and we are always working to help keep customers safe. In that vein, we’ve received some questions about a vulnerability report that was initially posted late on …

Tuesday 12/23 Update: Microsoft Security Advisory 961040

Hello, Bill here, I want to provide you with a quick update regarding our recently released security advisory. In the advisory we provide a workaround to help customers protect themselves from attackers trying to exploit this vulnerability. Customers have told us that it’s helpful when we provide information and guidance on how to …

Microsoft Security Advisory 961040

Hello, Bill here, I wanted to let you know that we have just posted Microsoft Security Advisory (961040). This advisory contains information regarding public reports of a vulnerability in SQL Server that could allow for remote code execution. We are aware that exploit code has been published on the Internet; however, we are not …

More information about the SQL stored procedure vulnerability

Security Advisory 961040 provides mitigations and workarounds for a newly-public post-authentication heap buffer overrun in SQL Server, MSDE, and SQL Express. This blog post goes into more detail about the attack surface for each affected version and the overall risk from this vulnerability. As listed in the advisory, the following products have the vulnerable code: …

Portal Site Redesign and IT Security Award 2009

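This is Onodera. Have you already applied the Internet Explorer security update? If your answer is "Actually, not yet...", please first bring your PC up to date with Microsoft Update and then read this blog. Now, I have two announcements today. The first is the redesign of the Security Portal. With this change, we kept in mind "pages where information is easier to obtain for each kind of user and where you can find what you want to do", and organized the pages for four user groups: "Home", "Enterprise", "IT Pro" and "Developer". I hope it is of at least some help to everyone. Security Portal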

Internet Explorer Security Update Now Available

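This is Onodera. As I announced the other day, today we began providing the security update that addresses the Internet Explorer vulnerability. We strongly recommend applying all available security updates through Microsoft Update or Automatic Updates. http://update.microsoft.com/microsoftupdate/ For details on this vulnerability and the security update, see the following security bulletin. MS08-078: Security Update for Internet Explorer (960714) http://www.microsoft.com/japan/technet/security/bulletin/MS08-078.mspx MS08-078 in pictures: Important update for Internet Explorer http://www.microsoft.com/japan/security/bulletins/MS08-078e.mspx This security update for Internet Explorer is not "cumulative". We therefore recommend also applying MS08-073, which was released in the December monthly release. Even if MS08-073 cannot be applied right away, for example because it is still being tested, it is possible to apply MS08-078 alone first. Also, please be sure to check whether you have implemented the recommended actions for mitigating damage, including this update.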

MS08-078 Released

Hello, Mike here, Today we released security update MS08-078, protecting customers from active attacks against Internet Explorer. This update will be applied automatically to hundreds of millions of customers through automatic updates over the next few days. And, for our enterprise customers – with multiple systems within their networks – this update can be deployed …
