Attack Vector

Assessing the risk of the December security bulletins

This morning we released six security bulletins, three Critical and three Important, addressing 12 CVEs. Please apply the Internet Explorer update right away as it poses the most risk of all the bulletins due to severity and exploitability. The Internet Explorer update addresses the vulnerability described by Security Advisory 977981. We hope that the table and …


Attacking SMS

This year at BlackHat USA in Las Vegas, we presented on the topic of attacking Short Message Service (SMS). Our presentation focused on the different ways in which SMS can be used to compromise mobile security. We’re excited to give an updated version of our talk at the upcoming BlueHat v9 conference later this month, …


October 2009 Security Bulletin Release

Summary of Microsoft’s Security Bulletin Release for October 2009: This month, we released 13 new bulletins which address 33 vulnerabilities in Windows, Internet Explorer and Microsoft Office. Since we published this information in our advance notification (ANS) last Thursday, we have been asked, “Is this the most bulletins Microsoft has ever released?” The short answer …


Assessing the risk of the October security bulletins

This morning we released 13 security bulletins, our largest release of 2009. Altogether, these bulletins address 34 separate CVEs. We’d like to use this blog post to help you prioritize your deployment of the updates. Prioritization criteria: We’ve provided a prioritized list of bulletins in the table below. The prioritization is based on the following …


MS09-054: Extra info on the attack surface for the IE security bulletin

MS09-054 addresses an IE vulnerability (CVE-2009-2529), which was discovered and presented by Mark Dowd, Ryan Smith, and David Dewey at the BlackHat conference in July. First we’d like to make it clear that any customers that have applied the update associated with MS09-054 are protected, regardless of the attack vector. And most customers need not …


MS09-061: More information about the .NET security bulletin

MS09-061 fixes vulnerabilities in the .NET Framework which could allow malicious .NET applications to execute arbitrary native code, resulting in remote code execution. This post is intended to help clarify the attack vectors for these vulnerabilities, and to cover recommended workarounds. Important note: These vulnerabilities in the .NET framework do not affect applications built on …


September 2009 Security Bulletin Webcast Video and Customer Q and A

In the September 2009 security bulletin webcast, it was clear that customers had a lot of concerns about MS09-048, as almost half the questions we answered were on that topic. The questions and answers from the session are now posted here on the blog. As we mentioned in the webcast, the MS09-048 bulletin has been …


Assessing the risk of the September Critical security bulletins

This morning we released five security bulletins, all of them having a bulletin maximum severity rating of Critical and two having a bulletin maximum exploitability index rating of “1” (Consistent exploit code likely). We wanted to just say a few words about each bulletin to help you prioritize your deployment this month. The following table …
