Tuesday, July 28, 2009
This morning we released MS09-035 to address ATL vulnerabilities in Visual Studio. This blog post will help you answer the following questions: What are the ATL vulnerabilities? Which versions of ATL are vulnerable? How can I tell if my ActiveX control is affected? How can I fix a vulnerable control? What are the ATL vulnerabilities?
Tuesday, July 28, 2009
IE security update MS09-034 implements two defense-in-depth measures intended to mitigate the threat of attacks which attempt to exploit the Microsoft Active Template Library (ATL) vulnerabilities described in Security Advisory 973882 and MS09-034. We would like to explain these mitigations in more detail. ATL persisted data checks The first mitigation is a change to modify how ATL-based controls read persisted data by detecting specific call patterns that are problematic.
Tuesday, July 28, 2009
Today we have released Security Advisory 973882 that describes vulnerabilities in the Microsoft Active Template Library (ATL), as well as security updates for Internet Explorer (MS09-034) and Visual Studio (MS09-035). The Visual Studio update addresses several vulnerabilities in the public versions of the ATL headers and libraries. The IE update contains two defense in depth mitigations to help prevent exploitation of the ATL vulnerabilities described in Security Advisory 973882 and MS09-035 (the IE updates contains additional security fixes that are not related to the ATL issue).
Tuesday, July 28, 2009
Today we released Security Advisory 973882 and with it, two out-of-band security bulletins. These updates are MS09-034 (an Internet Explorer update) and MS09-035 (a Visual Studio update). At this time _for customers who have applied _ MS09-032_ we are not aware of any “in the wild” exploits that leverage the vulnerabilities documented in 973882 and MS09-035_.
Friday, July 24, 2009
We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009. While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:
Monday, June 15, 2009
Hi! Manuel Caballero here. I had the pleasure of penetration testing (pen-testing) the previous versions of Microsoft Silverlight, and now, for the last three weeks, I’ve been playing around with the beta version of Silverlight 3. When I say, “the pleasure”, I really mean it. Playing with Silverlight means to play with a plug-in that, from a security point of view, was born being already mature.
Tuesday, June 09, 2009
Benefits of IE Protected Mode One of the vulnerabilities addressed in MS09-019, CVE-2009-1140, involves navigating to a local file via a UNC path, ex: \\127.0.0.1\c$. This roundabout way of navigating to a file is necessary to execute local content such that it runs in the Internet Explorer Internet zone, where scripting is enabled.
Tuesday, June 09, 2009
IE8 behavior notes MS09-019 contains the fix for the IE8 vulnerability responsibly disclosed by Nils at the CanSecWest pwn2own competition (CVE-2009-1532). Nils exploited this vulnerability on an IE8 build that did allow .NET assemblies to load in the Internet Zone. The final, released build of IE8 does not allow .Net assemblies to load in the Internet Zone.
Thursday, May 28, 2009
Recently, we found a remote code execution vulnerability in Microsoft’s DirectShow platform (quartz.dll) when processing the QuickTime format. We have released advisory 971778 providing guidance to help protect customers. We’d like to go into more detail in this blog to help you understand: Which configurations are at risk? Why is this a high risk vulnerability?
Wednesday, May 13, 2009
Hi, Billy Rios here, I was recently invited to speak at Hack in the Box (HITB) in Dubai. While at HITB, I participated in two different talks, but I’m going to focus on the talk Chris Evans and I co-presented: “Cross Domain Leakiness.” Chris Evans is a security lead for Google’s Core Security team.
