
An Interesting Microsoft Tuesday

16:24 CET on the 10th March 2010
Entry written by Carsten Eiram.

Microsoft only issued two security bulletins and an advisory, but the Microsoft Tuesday release was far from uneventful and boring.

The whole release started off in a rushed manner as a security site, which claims that it "follows a responsible disclosure policy", leaked technical details from the security bulletins hours ahead of time. This stunt forced others to publish information earlier than expected instead of waiting for the usual coordinated disclosure time.

It's very unfortunate when events like these occur, as they could easily ruin the good relationships that have been created between researchers and software vendors like Microsoft, where the parties are sharing information with each other more readily. We hope this occurrence won't cause Microsoft or other software vendors to have second thoughts and, hopefully, Microsoft will take proper measures to prevent such a leak from occurring again in the future.

One of the security bulletins, MS10-016, fixed a single vulnerability in Movie Maker - an application bundled with most versions of Windows to, as the application name suggests, create movies. The application apparently lost its virginity with the release of this security bulletin, as this seems to be the first vulnerability reported in it. The vulnerability is a logic error: when reading data from a project file, the application erroneously copies data into the wrong buffer, causing a buffer overflow.

The other security bulletin, MS10-017, addressed a number of vulnerabilities in various versions of Microsoft Office Excel. Interestingly, Microsoft Office Excel 2007 is the application affected by most of the reported vulnerabilities (5 out of 7). The vulnerabilities are caused by various types of errors that allow execution of arbitrary code. Only two vulnerabilities received a rating of "2" in Microsoft's exploitability index; all other vulnerabilities were rated "1" (i.e. consistent exploit code likely).

Finishing off the release was a security advisory for a new 0-day vulnerability in Internet Explorer 6 and 7 that Microsoft states is currently being exploited in targeted attacks.

An interesting monthly release...

Stay Secure,

Carsten Eiram
Chief Security Specialist

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144