rating

Assessing the risk of the August security updates

Today we released fourteen security bulletins. Eight have a maximum severity rating of Critical with the other six having a maximum severity rating of Important. Furthermore, six of the fourteen bulletins either do not affect the latest version of our products or affect them with reduced severity. We hope that the table below helps you …

MS10-054: Exploitability Details for the SMB Server Update

This month Microsoft released an update for Windows to address three vulnerabilities in the SMB Server component. Two of the vulnerabilities are remote denial-of-service (DoS) attacks, while one (CVE-2010-2550) has the potential for remote code execution (RCE). This blog post provides more details on the exploitability of CVE-2010-2550, and outlines why the risk of reliable …

Assessing the risk of the June Security Bulletins

Today we released ten security bulletins. Three have a maximum severity rating of Critical and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploitability Index Rating Likely first …

Assessing the risk of the February Security Bulletins

This morning, we released 13 security bulletins. Five have a maximum severity rating of Critical, seven Important, and one Moderate. One security bulletin (MS10-015, ntvdm.dll) has exploit code already published, but we are not aware of any active attacks or customer impact. We hope that the table and commentary below help you prioritize the deployment of …

MS10-001: Font file decompression vulnerability

MS10-001 addresses a vulnerability (CVE-2010-0018) in the LZCOMP decompressor for MicroType Express Fonts. This blog post aims to answer some questions regarding the updates we’ve made in this area. What is the issue? t2embed.dll improperly performs bounds-checking on lengths which are decoded from the LZCOMP bit-stream. This made it possible for a copy loop to violate …

Assessing the risk of the December security bulletins

This morning we released six security bulletins, three Critical and three Important, addressing 12 CVEs. Please apply the Internet Explorer update right away, as it poses the most risk of all the bulletins due to its severity and exploitability. The Internet Explorer update addresses the vulnerability described in Security Advisory 977981. We hope that the table and …

Assessing the risk of the October security bulletins

This morning we released 13 security bulletins, our largest release of 2009. Altogether, these bulletins address 34 separate CVEs. We’d like to use this blog post to help you prioritize your deployment of the updates. Prioritization Criteria We’ve provided a prioritized list of bulletins in the table below. The prioritization is based on the following …

Assessing the risk of the September Critical security bulletins

This morning we released five security bulletins, all of them having a bulletin maximum severity rating of Critical and two having a bulletin maximum exploitability index rating of “1” (Consistent exploit code likely). We wanted to just say a few words about each bulletin to help you prioritize your deployment this month. The following table …

MS09-048: TCP/IP vulnerabilities

This month we released MS09-048 which addresses three vulnerabilities in the Windows TCP/IP stack. One of the vulnerabilities, CVE-2009-1925, is rated Critical due to the risk of Remote Code Execution (RCE). The other two vulnerabilities are Denial of Service (DoS) issues (due to memory exhaustion) without the risk of RCE. The Exploit Index rating for …