http://technet.microsoft.com/security/advisoryTue, 14 Feb 2012 08:00:00 GMTumbracoen-UShttp://technet.microsoft.com/en-us/security/advisory/22696372012-02-14T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2269637 Summary: Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.]]>http://technet.microsoft.com/en-us/security/advisory/26416902012-01-19T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2641690 Summary: Microsoft is aware that DigiCert Sdn. Bhd, a Malaysian subordinate certification authority (CA) under Entrust and GTE CyberTrust, has issued 22 certificates with weak 512 bit keys. These weak encryption keys, when broken, could allow an attacker to use the certificates fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.]]>http://technet.microsoft.com/en-us/security/advisory/25885132012-01-10T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2588513 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS12-006 to address this issue. For more information about this issue, including download links for an available security update, please review MS12-006. The vulnerability addressed is the SSL/TLS Information Disclosure Vulnerability - CVE-2011-3389.]]>http://technet.microsoft.com/en-us/security/advisory/26598832011-12-29T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2659883 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS11-100 to address this issue. For more information about this issue, including download links for an available security update, please review MS11-100. The vulnerability addressed is the Collisions in HashTable May Cause DoS Vulnerability - CVE-2011-3414.]]>http://technet.microsoft.com/en-us/security/advisory/26396582011-12-13T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2639658 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS11-087 to address this issue. For more information about this issue, including download links for an available security update, please review MS11-087. The vulnerability addressed is the TrueType Font Parsing Vulnerability - CVE-2011-3402.]]>http://technet.microsoft.com/en-us/security/advisory/26077122011-09-19T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2607712 Summary: Microsoft is aware of active attacks using at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store. A fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.]]>http://technet.microsoft.com/en-us/security/advisory/25629372011-08-09T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2562937 Summary: Microsoft is releasing a new set of ActiveX kill bits with this advisory.]]>http://technet.microsoft.com/en-us/security/advisory/25243752011-07-06T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2524375 Summary: Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store, on all supported releases of Microsoft Windows, Windows Mobile 6.x, Windows Phone 7, Microsoft Kin, and Zune HD devices. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.]]>http://technet.microsoft.com/en-us/security/advisory/25015842011-06-30T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2501584 Summary: Microsoft is announcing the availability of the Office File Validation feature for supported editions of Microsoft Office 2003 and Microsoft Office 2007. The feature, previously only available for supported editions of Microsoft Office 2010, is designed to make it easier for customers to protect themselves from Office files that may contain malformed data, such as unsolicited Office files received from unknown or known sources, by scanning and validating files before they are opened.]]>http://technet.microsoft.com/en-us/security/advisory/25060142011-04-12T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2506014 Summary: Microsoft is announcing the availability of an update to winload.exe to address an issue in driver signing enforcement. While this is not an issue that would require a security update, this update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection. ]]>http://technet.microsoft.com/en-us/security/advisory/25016962011-04-12T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2501696 Summary: Microsoft has completed the investigation into public reports of this vulnerability. We have issued MS11-026 to address this issue. For more information about this issue, including download links for an available security update, please review MS11-026. The vulnerability addressed is the MHTML Mime-Formatted Request Vulnerability - CVE-2011-0096.]]>http://technet.microsoft.com/en-us/security/advisory/9738112011-04-12T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/973811 Summary: Microsoft is announcing the availability of a new feature, Extended Protection for Authentication, on the Windows platform. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).]]>http://technet.microsoft.com/en-us/security/advisory/24918882011-03-08T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2491888 Summary: Microsoft is releasing this security advisory to help ensure customers are aware that an update to the Microsoft Malware Protection Engine also addresses a security vulnerability reported to Microsoft. The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid logon credentials has created a specially crafted registry key. An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account. The vulnerability could not be exploited by anonymous users.]]>http://technet.microsoft.com/en-us/security/advisory/9679402011-02-22T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/967940 Summary: Microsoft is announcing the availability of updates to the Autorun feature that help to restrict AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Restricting AutoPlay functionality to only CD and DVD media can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file.]]>http://technet.microsoft.com/en-us/security/advisory/24906062011-02-08T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2490606 Summary: Microsoft has completed the investigation into public reports of this vulnerability. We have issued MS11-006 to address this issue. For more information about this issue, including download links for an available security update, please review MS11-006. The vulnerability addressed is the Windows Shell Graphics Processing Overrun Vulnerability - CVE-2010-3970.]]>http://technet.microsoft.com/en-us/security/advisory/24880132011-02-08T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2488013 Summary: Microsoft has completed the investigation into public reports of this vulnerability. We have issued MS11-003 to address this issue. For more information about this issue, including download links for an available security update, please review MS11-003. The vulnerability addressed is the CSS Memory Corruption Vulnerability - CVE-2010-3971.]]>http://technet.microsoft.com/en-us/security/advisory/24585112010-12-14T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2458511 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-090 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-090. The vulnerability addressed is the Uninitialized Memory Corruption Vulnerability - CVE-2010-3962.]]>http://technet.microsoft.com/en-us/security/advisory/24167282010-09-28T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2416728 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-070 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-070. The vulnerability addressed is the ASP.NET Padding Oracle Vulnerability - CVE-2010-3332.]]>http://technet.microsoft.com/en-us/security/advisory/24015932010-09-14T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2401593 Summary: Microsoft has completed the investigation of a publicly disclosed vulnerability in Outlook Web Access (OWA) that may affect Microsoft Exchange customers. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session. The attacker could then perform actions on behalf of the authenticated user without the user's knowledge, within the security context of the active OWA session.]]>http://technet.microsoft.com/en-us/security/advisory/22640722010-08-10T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2264072 Summary: Microsoft is aware of the potential for attacks that leverage the Windows Service Isolation feature to gain elevation of privilege. This advisory discusses potential attack scenarios and provides suggested actions that can help to protect against this issue. This advisory also offers a non-security update for one of the potential attack scenarios through Windows Telephony Application Programming Interfaces (TAPI). ]]>http://technet.microsoft.com/en-us/security/advisory/9773772010-08-10T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/977377 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-049 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-049. The vulnerability addressed is the TLS/SSL Renegotiation Vulnerability - CVE-2009-3555. For additional information on this advisory, see Microsoft Knowledge Base Article 977377.]]>http://technet.microsoft.com/en-us/security/advisory/22861982010-08-02T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2286198 Summary: Microsoft has completed the investigation into a public report of this vulnerability.]]>http://technet.microsoft.com/en-us/security/advisory/22194752010-07-13T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2219475 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-042 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-042. The vulnerability addressed is the Help Center URL Validation Vulnerability - CVE-2010-1885.]]>http://technet.microsoft.com/en-us/security/advisory/20288592010-07-13T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/2028859 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-043 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-043. The vulnerability addressed is the Canonical Display Driver Integer Overflow Vulnerability - CVE-2009-3678.]]>http://technet.microsoft.com/en-us/security/advisory/9800882010-06-09T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/980088 Summary: Microsoft is investigating new public reports of a vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.]]>http://technet.microsoft.com/en-us/security/advisory/9834382010-06-08T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/983438 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-039 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-039. The vulnerability addressed is the Help.aspx XSS Vulnerability - CVE-2010-0817.]]>http://technet.microsoft.com/en-us/security/advisory/9811692010-04-13T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/981169 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-022 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-022. The vulnerability addressed is the VBScript Help Keypress Vulnerability - CVE-2010-0483.]]>http://technet.microsoft.com/en-us/security/advisory/9775442010-04-13T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/977544 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-020 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-020. The vulnerability addressed is the SMB Client Incomplete Response Vulnerability - CVE-2009-3676.]]>http://technet.microsoft.com/en-us/security/advisory/9813742010-03-30T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/981374 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-018 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-018. The vulnerability addressed is the Uninitialized Memory Corruption Vulnerability - CVE-2010-0806.]]>http://technet.microsoft.com/en-us/security/advisory/9796822010-02-09T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/979682 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-015 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-015. The vulnerability addressed is the Windows Kernel Exception Handler Vulnerability - CVE-2010-0232.]]>http://technet.microsoft.com/en-us/security/advisory/9793522010-01-21T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/979352 Summary: Microsoft has completed the investigation the public reports of this vulnerability. We have issued MS10-002 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-002. The vulnerability addressed is the HTML Object Memory Corruption Vulnerability - CVE-2010-0249.]]>http://technet.microsoft.com/en-us/security/advisory/9792672010-01-12T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/979267 Summary: Security Advisory]]>http://technet.microsoft.com/en-us/security/advisory/9749262009-12-08T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/974926 Summary: This advisory addresses the potential for attacks that affect the handling of credentials using Integrated Windows Authentication (IWA), and the mechanisms Microsoft has made available for customers to help protect against these attacks.]]>http://technet.microsoft.com/en-us/security/advisory/9541572009-12-08T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/954157 Summary: Microsoft is announcing the availability of an update that provides security mitigations to the Indeo codec on supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003. ]]>http://technet.microsoft.com/en-us/security/advisory/9779812009-12-08T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/977981 Summary: Microsoft has completed investigating public reports of this vulnerability. We have issued Microsoft Security Bulletin MS09-072 to address this issue. For more information about this issue, including download links for an available security update, please review MS09-072. The vulnerability addressed is the HTML Object Memory Corruption Vulnerability - CVE-2009-3672.]]>http://technet.microsoft.com/en-us/security/advisory/9754972009-10-13T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/975497 Summary: Security Advisory]]>http://technet.microsoft.com/en-us/security/advisory/9751912009-10-13T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/975191 Summary: Microsoft has completed the investigation into a public report of this issue. We have released MS09-053 to address this issue. For more information about this issue, including download links for an available security update, please review MS09-053. The vulnerabilities addressed are the IIS FTP Service DoS Vulnerability (CVE-2009-2521) and the IIS FTP Service RCE and DoS Vulnerability (CVE-2009-3023).]]>http://technet.microsoft.com/en-us/security/advisory/9738822009-10-13T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/973882 Summary: Security Advisory]]>http://technet.microsoft.com/en-us/security/advisory/9734722009-08-11T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/973472 Summary: Microsoft has completed the investigation of a privately reported vulnerability in Microsoft Office Web Components. We have issued MS09-043 to address this issue. For more information about this issue, including download links for an available security update, please review MS09-043. The vulnerability addressed is the Office Web Components HTML Script Vulnerability - CVE-2009-1136.]]>http://technet.microsoft.com/en-us/security/advisory/9728902009-07-14T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/972890 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS09-032 to address this issue. For more information about this issue, including download links for an available security update, please review MS09-032. The vulnerability addressed is the Microsoft Video ActiveX Control Vulnerability - CVE-2008-0015.]]>http://technet.microsoft.com/en-us/security/advisory/9717782009-07-14T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/971778 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS09-028 to address this issue. For more information about this issue, including download links for an available security update, please review MS09-028. The vulnerability addressed is the DirectX NULL Byte Overwrite Vulnerability - CVE-2009-1537.]]>http://technet.microsoft.com/en-us/security/advisory/9698982009-06-17T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/969898 Summary: Microsoft is releasing a new set of ActiveX kill bits with this advisory.]]>http://technet.microsoft.com/en-us/security/advisory/9607152009-06-17T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/960715 Summary: Microsoft is releasing a new set of ActiveX kill bits with this advisory.]]>http://technet.microsoft.com/en-us/security/advisory/9563912009-06-17T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/956391 Summary: Microsoft is releasing a new set of ActiveX kill bits with this advisory.]]>http://technet.microsoft.com/en-us/security/advisory/9718882009-06-09T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/971888 Summary: Microsoft is announcing the availability of an update to DNS devolution that can help customers in keeping their systems protected. Customers whose domain name has three or more labels , such as "contoso.co.us", or who do not have a DNS suffix list configured, or for whom the following mitigating factors do not apply may inadvertently be allowing client systems to treat systems outside of the organizational boundary as though they were internal to the organization's boundary.]]>http://technet.microsoft.com/en-us/security/advisory/9714922009-06-09T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/971492 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS09-020 to address this issue. For more information about this issue, including download links for an available security update, please review MS09-020. The vulnerability addressed is the IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability - CVE-2009-1535.]]>http://technet.microsoft.com/en-us/security/advisory/9457132009-06-09T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/945713 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS09-008 to address the WPAD issue and have released configuration guidance and updates for DNS devolution in Microsoft Security Advisory 971888. For more information about this issue, including download links for an available security update, please review MS09-008 and Microsoft Security Advisory 971888. The vulnerabilities addressed are the WPAD server registration vulnerabilities in WINS and DNS - CVE-2009-0094 and CVE-2009-0093.]]>http://technet.microsoft.com/en-us/security/advisory/9691362009-05-12T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/969136 Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS09-017 to address this issue. For more information about this issue, including download links for an available security update, please review MS09-017. The vulnerability addressed is the Memory Corruption Vulnerability - CVE-2009-0556.]]>http://technet.microsoft.com/en-us/security/advisory/9682722009-04-14T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/968272 Summary: Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability.]]>http://technet.microsoft.com/en-us/security/advisory/9609062009-04-14T00:00:00.0000000Zhttp://technet.microsoft.com/en-us/security/advisory/960906 Summary: Microsoft is investigating new reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 are not affected as these operating systems do not contain the vulnerable code.]]>