MSRC | Microsoft Security Response Center

More information on the MS06-015 issue

Thursday, April 20, 2006

Hi everyone, Stephen Toulouse here. We’ve been continually examining the best way to assist the customers who may have been impacted by the interaction of MS06-015 with the software Mike mentioned before. We wanted to check in and let you know the current plan. Up until now there have been several solutions: Upgrade to the newest version of the affected software, a manual registry key fix, uninstall the third party software (NVIDIA Drivers versions 61.

Update to the MS06-015 issue.

Monday, April 17, 2006

Hi everyone, Mike Reavey here again. I wanted to follow up with the results of our investigation into some issues with security update MS06-015. Turns out that under certain circumstances, changes introduced in MS06-015 could cause an application to stop responding during specific interactions with older versions of Hewlett Packard’s “Share-to-web” software utility, or older NVIDIA video card drivers.

Information regarding MS06-015

Friday, April 14, 2006

Hi everyone, Mike Reavey here. I wanted to quickly let you know about some things related to MS06-015 that we’ve gotten some customer questions on. First, we’re currently tracking an issue involving the interaction of the security update with some components related to some Hewlett Packard devices that so far appear to be consumer level.

April 2006 Bulletins and TechNet Radio

Tuesday, April 11, 2006

Hey, it’s Craig Gehre. Well today the MSRC released five new security updates. Four of the updates affect Windows, while the fifth affects Windows and Office. For those of you that are wondering, the first Windows update addresses the “createTextRange” issue you may have been following via our security advisory 917077.

April 2006 Advance Notification

Thursday, April 06, 2006

Hi everyone, Stephen Toulouse here. As we do each month I wanted to post about the Advance Notification for the Security Bulletin release for April. This coming Tuesday, the 11th, we’re planning to release five security bulletins, 4 for Windows and 1 that affects both Windows and Office. One of the Windows bulletins will be the cumulative Internet Explorer update that will address the “CreateTextRange” vulnerability.

An update on the IE ActiveX change from Mike Nash

Wednesday, March 29, 2006

Hi there. Mike Nash from the STU. Earlier this year, during our response to the WMF zero exploit with an out-of-band band security update, I wrote a blog entry explaining the details of how we got to the decision to release that update early. I received a lot of feedback from customers around the world that the blog entry and the internal insights into our decision-making process in that situation was very helpful and that we should make it a consistent practice for issues that have widespread impact on customers and need more clarity.

Third party solutions to the Internet Explorer CreateTextRange vulnerability

Tuesday, March 28, 2006

Hi everyone, Mike Reavey here. I wanted to make everyone aware of some recent developments regarding the “Create TextRange” IE vulnerability. First off we’re still not seeing increased spread of attacks, and in fact have been very active in taking down sites as they come up with law enforcement. But attacks are still occurring so we certainly still recommend up to date AV software and our safe browsing guidance while we work on the update, and have updated the security advisory with a list of VIA partners that are currently providing protection.

Update regarding recent Internet Explorer attacks

Sunday, March 26, 2006

Hi gang, Stepto here again. The MSRC in combination with our internal and external partner teams have been working through the weekend looking at the recent attacks involving the IE vulnerability I mentioned previously. So far we’re still seeing only limited attacks. But our anti-malware team, as always, is on the case and has uploaded removal information for the attacks to date to Windows Live Safety Center.

Recent exploits regarding the Internet Explorer HTML handling vulnerability.

Friday, March 24, 2006

Hi everyone, Stepto here. Today the MSRC became aware of public reports of attacks on some PC users utilizing the vulnerability that Lennart posted about in Internet Explorer. Here’s what we know. The attacks are limited in scope for now and are being carried out by malicious Web sites exploiting a vulnerability in the method by which Internet Explorer handles HTML rendering.

New publicly disclosed vulnerability in Internet Explorer

Wednesday, March 22, 2006

Hi, It’s Lennart again. Wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted Web page.