Skip to main content
MSRC

XBAP

MS12-074: Addressing a vulnerability in WPAD’s PAC file handling

Tuesday, November 13, 2012

Today we released MS12-074, addressing a Critical class vulnerability in the .NET Framework that could potentially allow remote code execution with no user interaction. This particular CVE, CVE-2012-4776, could allow an attacker on a local network to host a malicious WPAD PAC file containing script code which could be executed on a victim machine without requiring any type of authentication or user interaction.

Read More

MS12-025 and XBAP: No longer a driveby threat

Tuesday, April 10, 2012

One of the security bulletins released today, MS12-025, addresses a code execution vulnerability in the .NET Framework. To exploit the vulnerability, an attacker would build a malicious XBAP application and lure victims to a malicious website serving the XBAP. The good news is that a zero-click “driveby” style attack is no longer possible from the Internet on workstations where MS11-044 (published June 2011) has been installed.

Read More

MS09-054: Extra info on the attack surface for the IE security bulletin

Monday, October 12, 2009

MS09-054 addresses an IE vulnerability (CVE-2009-2529), which was discovered and presented by Mark Dowd, Ryan Smith, and David Dewey at the BlackHat conference in July. First we’d like to make it clear that any customers that have applied the update associated with MS09-054 are protected, regardless of the attack vector. And most customers need not take any action as they’ll receive this update automatically through Automatic Updates.

Read More

MS09-061: More information about the .NET security bulletin

Monday, October 12, 2009

MS09-061 fixes vulnerabilities in the .NET Framework which could allow malicious .NET applications execute arbitrary native code, resulting in remote code execution. This post is intended to help clarify the attack vectors for these vulnerabilities, and to cover recommended workarounds. **Important note: **These vulnerabilities in the .NET framework do not affect applications built on the .

Read More