Exploitability – Microsoft Security Response Center

Multiple Security Updates Affecting TCP/IP:  CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

MSRC / By MSRC Team / February 9, 2021 February 9, 2021

Today Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move …

Multiple Security Updates Affecting TCP/IP:  CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086 Read More »

Assessing risk for the December 2013 security updates

Security Research & Defense / By swiat / December 10, 2013 June 20, 2019

Today we released eleven security bulletins addressing 24 CVE’s. Five bulletins have a maximum severity rating of Critical while the other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity …

Assessing risk for the December 2013 security updates Read More »

MS13-068: A difficult-to-exploit double free in Outlook

Security Research & Defense / By swiat / September 10, 2013 June 20, 2019

MS13-068 addresses a memory corruption vulnerability accessible by simply previewing a message in the Outlook Preview Pane. As such, we’ve rated this security vulnerability as Critical and we encourage customers to deploy the security update. However, in this case, we believe this particular vulnerability will be difficult to exploit for code execution. In fact, we’re …

MS13-068: A difficult-to-exploit double free in Outlook Read More »

August 2013 Security Bulletin Webcast, Q&A, and Slide Deck

MSRC / By msrc / August 19, 2013 June 20, 2019

Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server (MS13-061) and Windows Kernel (MS13-063). There were 3 additional questions during the webcast that we were unable to answer on air, and we …

August 2013 Security Bulletin Webcast, Q&A, and Slide Deck Read More »

August 2012 Security Bulletin Webcast, Q&A, and Slide Deck

MSRC / By msrc / August 17, 2012 June 20, 2019

Hello. Today we’re publishing the August 2012 Security Bulletin Webcast Questions & Answers page. During the webcast, we fielded twelve questions focusing primarily on MS12-060 covering Windows Common Controls, MS12-052 regarding Internet Explorer, and Security Advisory 2661254 addressing trust certificates with RSA keys less than 1024 bit key lengths. Three additional questions were answered after …

August 2012 Security Bulletin Webcast, Q&A, and Slide Deck Read More »

Assessing risk for the February 2012 security updates

Security Research & Defense / By swiat / February 14, 2012 June 20, 2019

Today we released nine security bulletins. Four have a maximum severity rating of Critical with the other five having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first …

Assessing risk for the February 2012 security updates Read More »

Assessing risk for the January 2012 security updates

Security Research & Defense / By swiat / January 10, 2012 June 20, 2019

Today we released seven security bulletins. One has a maximum severity rating of Critical with the other six having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability rating Likely …

Assessing risk for the January 2012 security updates Read More »

Assessing the risk of the December 2011 security updates

Security Research & Defense / By swiat / December 13, 2011 June 20, 2019

Today we released thirteen security bulletins. Three have a maximum severity rating of Critical with the other ten having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-Ability Index Likely …

Assessing the risk of the December 2011 security updates Read More »

Assessing the exploitability of MS11-083

Security Research & Defense / By swiat / November 8, 2011 June 20, 2019

This month we released MS11-083 to address an externally found reference counter issue in TCP/IP stack. Here we would like to give further information about the exploitability of this vulnerability. VulnerabilityThe vulnerability presents itself in the specific scenario where an attacker can send a large number of specially crafted UDP packets to a random port that …

Assessing the exploitability of MS11-083 Read More »

Assessing the risk of the August security updates

Security Research & Defense / By swiat / August 9, 2011 June 20, 2019

Today we released 13 security bulletins. Two have a maximum severity rating of Critical, nine have a maximum severity rating of Important, and two have a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max …

Assessing the risk of the August security updates Read More »