Zero-Day Exploit

Technical details of the targeted attack using IE vulnerability CVE-2013-3918

Over the weekend we became aware of an active attack relying on an unknown remote code execution vulnerability of a legacy ActiveX component used by Internet Explorer. We are releasing this blog to confirm one more time that the code execution vulnerability will be fixed in today’s UpdateTuesday release and to clarify some details about …

Technical details of the targeted attack using IE vulnerability CVE-2013-3918 Read More »

ActiveX Control issue being addressed in Update Tuesday

Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publically disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in “Bulletin 3”, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be …

ActiveX Control issue being addressed in Update Tuesday Read More »

MS13-080 addresses two vulnerabilities under limited, targeted attacks

Today we released MS13-080 which addresses nine CVEs in Internet Explorer. This bulletin fixes multiple security issues, including two critical vulnerabilities that haven been actively exploited in limited targeted attacks, which we will discuss in details in this blog entry. CVE-2013-3893: the final patch after Fix it workaround Previously, Microsoft released Security Advisory 2887505 and …

MS13-080 addresses two vulnerabilities under limited, targeted attacks Read More »

CVE-2013-3893: Fix it workaround available

Today, we released a Fix it workaround tool to address a new IE vulnerability that had been actively exploited in extremely limited, targeted attacks.  This Fix it makes a minor modification to mshtml.dll when it is loaded in memory to address the vulnerability. This Fix it workaround tool is linked from Security Advisory 2887505 that describes this …

CVE-2013-3893: Fix it workaround available Read More »

Filling A Gap In the Vulnerability Market – First Bounty Notification

When Microsoft decided to offer not one but three new bounties, paying outside researchers directly for security research on some of our latest products, we put a lot of thought into developing those bounty programs. We developed a customized set of programs designed to create a win-win between the security researcher community and Microsoft’s customers, …

Filling A Gap In the Vulnerability Market – First Bounty Notification Read More »

Doors Open for New Bounty Programs

As we announced last week, Microsoft is now offering $100,000 bounties for new exploitation techniques that can bypass our latest platform-wide defenses and up to $50,000 bonus bounties for defense ideas. We’re also offering (from now until July 26) bounties of up to $11,000 for critical security issues in Internet Explorer 11 Preview. Please see …

Doors Open for New Bounty Programs Read More »