Microsoft Security Response Center Blog

MS13-080 addresses two vulnerabilities under limited, targeted attacks

Tuesday, October 08, 2013

Today we released MS13-080 which addresses nine CVEs in Internet Explorer. This bulletin fixes multiple security issues, including two critical vulnerabilities that haven been actively exploited in limited targeted attacks, which we will discuss in details in this blog entry. CVE-2013-3893: the final patch after Fix it workaround Previously, Microsoft released Security Advisory 2887505 and made available the Fix it workaround 51001 to provide earlier protection to all customers for an actively exploited security issue that was reported to us.

• FixIt
• IE
• Internet Explorer (IE)
• Zero-Day Exploit

An update on the bounty programs

Monday, October 07, 2013

Back in June of this year, we announced three new bounty programs that will pay researchers for techniques that bypass built-in OS mitigations and protections, for defenses that stop those bypasses and for vulnerabilities in Internet Explorer 11 Preview. This past Friday, we provided some additional details about the results of the IE11 Preview bounty program, which covered the first 30 days of the preview period.

• BlueHat Challenge
• BlueHat Prize
• Bounty Programs

The October 2013 security updates

Monday, October 07, 2013

This month we release eight bulletins – four Critical and four Important - which address 25* unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight. For those who need to prioritize their deployment planning, we recommend focusing on MS13-080, MS13-081, and MS13-083. Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases (click for larger view).

• Bulletins
• Internet Explorer (IE)
• Security
• Security Bulletin
• Security bulletin release
• Security Bulletins
• Security Update
• Update Tuesday

Bounty News Update: Bountiful Harvest

Friday, October 04, 2013

Fall is a season traditionally associated with a harvest after planting the seeds and tending the crops. Today I’m proud to announce the names of six very smart people who have helped us make our products more secure by participating in our new bounty programs. When we launched our bounty programs in June this year, we had a few strategic goals in mind:

• Bounty
• Bountyprograms
• Zero-Day Exploit

Advance Notification Service for October 2013 Security Bulletin Release

Wednesday, October 02, 2013

Today we’re providing advance notification for the release of eight bulletins, four Critical and four Important, for October 2013. The Critical updates address vulnerabilities in Internet Explorer, .NET Framework and Windows. The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505.

• ANS
• Bulletins
• Internet Explorer (IE)
• Security
• Security Bulletins

Software Defense: mitigating stack corruption vulnerabilties

Tuesday, October 01, 2013

Introduction One of the oldest forms of memory safety exploitation is that of stack corruption vulnerabilities, with several early high-profile exploits being of this type. It seems fitting therefore to kick off this Software Defense series by looking at the status of software defense today with respect to this age-old problem.

Software Defense Series: Exploit mitigation and vulnerability detection

Friday, September 27, 2013

Software Defense is a broad topic requiring a multipronged approach including: - the processes and tooling associated with secure development (that we try and encapsulate within the Microsoft SDL), - core OS countermeasures that make exploitation of a given vulnerability more difficult for an attacker, - steps to secure the hardware on which the software runs,

CVE-2013-3893: Fix it workaround available

Tuesday, September 17, 2013

Today, we released a Fix it workaround tool to address a new IE vulnerability that had been actively exploited in extremely limited, targeted attacks. This Fix it makes a minor modification to mshtml.dll when it is loaded in memory to address the vulnerability. This Fix it workaround tool is linked fromSecurity Advisory 2887505 that describes this issue.

• Disassembly
• EMET
• Exploitation
• Mitigations
• Workarounds
• Zero-Day Exploit

Microsoft Releases Security Advisory 2887505

Tuesday, September 17, 2013

Today we released Security Advisory 2887505 regarding an issue that affects Internet Explorer. There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions. This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type.

• Internet Explorer (IE)
• Security Advisory

September 2013 Security Bulletin Webcast, Q&A, and Slide Deck

Friday, September 13, 2013

Today we’re publishing the September 2013 Security Bulletin Webcast Questions & Answers page. The majority of questions focused on Office bulletins, especially SharePoint Server (MS13-067). We received multiple Office related questions that were very similar in nature, so the questions have been merged, as applicable, with consolidated answers provided. We were able to answer six questions on air, and those we did not have time for have been included on the Q&A page.

• Bulletins
• Monthly bulletin release
• Q&A
• Security bulletin release
• Security Bulletin Webcast
• Security Update
• Security Update Webcast
• Security Update Webcast Q & A
• Update Tuesday
• Webcast
• Webcast Q&A