Microsoft Security Response Center Blog

Software defense: safe unlinking and reference count hardening

Wednesday, November 06, 2013

Object lifetime management vulnerabilities represent a very common class of memory safety vulnerability. These vulnerabilities come in many shapes and sizes, and are typically quite difficult to mitigate generically. Vulnerabilities of this type result commonly from incorrect accounting with respect to reference counts describing active users of an object, or improper handling of certain object states or error conditions.

CVE-2013-3906: a graphics vulnerability exploited through Word documents

Tuesday, November 05, 2013

Recently we become aware of a vulnerability of a Microsoft graphics component that is actively exploited in targeted attacks using crafted Word documents sent by email. Today we are releasing Security Advisory 2896666 which includes a proactive Fix it workaround for blocking this attack while we are working on the final update.

• 0day
• 2896666
• CVE-2013-3906
• EMET
• Exploit
• FixIt
• Office
• Zero-Day

Microsoft Releases Security Advisory 2896666

Tuesday, November 05, 2013

Today we released Security Advisory 2896666 regarding an issue that affects customers using Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. We are aware of targeted attacks, largely in the Middle East and South Asia. The current versions of Microsoft Windows and Office are not affected by this issue.

• Microsoft Office
• Microsoft Windows
• Security Advisory

Bounty Evolution: $100,000 for New Mitigation Bypass Techniques Wanted Dead or Alive

Friday, November 01, 2013

Those who know me personally or follow me on Twitter are familiar with my obsession with karaoke. I do it as often as I can rope people into going with me, never forcing anyone to sing, though invariably everyone does – or at least sings from the sidelines to the songs they know.

Software Defense: mitigating heap corruption vulnerabilities

Tuesday, October 29, 2013

Heap corruption vulnerabilities are the most common type of vulnerability that Microsoft addresses through security updates today. These vulnerabilities typically occur as a result of programming mistakes that make it possible to write beyond the bounds of a heap buffer (a spatial issue) or to place a heap allocated object in an unexpected state such as by using the object after it has been freed (a temporal issue).

Introduction: Chris Betz, new head of MSRC

Friday, October 25, 2013

By way of introduction, I am Chris Betz, the leader of the Microsoft Security Response Center (MSRC). I’m stepping in to fill the shoes of Mike Reavey, who has moved on to become the General Manager of Secure Operations, still within Trustworthy Computing. Since joining the MSRC, I’ve spent time immersed in learning the business, meeting our global team of security research and response professionals and many of the other teams we frequently interact with here at Microsoft.

10 years of Update Tuesdays

Monday, October 14, 2013

On October 1, 2003, Microsoft announced it would move to a monthly security bulletin cadence. Today, marks 10 years since that first monthly security update. We looked at many ways to improve our security preparedness and patch timing was the number one customer request. Your feedback was clear and we delivered a predictable schedule.

• Security Bulletins
• Update Tuesday

October 2013 Security Bulletin Webcast, Q&A, and Slide Deck

Sunday, October 13, 2013

Today we’re publishing the October 2013 Security Bulletin Webcast Questions & Answers page. We fielded 11 questions during the webcast, with specific bulletin questions focusing primarily on the SharePoint (MS13-084) and Kernel-Mode Drivers (MS13-081) bulletins. There was one additional question that we were unable to answer on air, and we have included a response to that question on the Q&A page.

• Customer Questions
• Security Bulletin Webcast
• Security Bulletins
• Webcast
• Webcast Q&A

Assessing risk for the October 2013 security updates

Tuesday, October 08, 2013

Today we released eight security bulletins addressing 25 CVE’s. Four bulletins have a maximum severity rating of Critical while the other four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS13-080(Internet Explorer) Victim browses to a malicious webpage.

• Rating
• Risk Asessment

Congratulations to James Forshaw Recipient of Our First $100,000 Bounty for New Mitigation Bypass Techniques!

Tuesday, October 08, 2013

Congratulations to James Forshaw for coming up with a new exploitation technique to get our first ever $100,000 bounty. A security vulnerability researcher with Context Information Security, James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we’re thrilled to give him even more money for helping us improve our platform-wide security by leaps.