Microsoft shared details of workarounds that Windows users can implement to protect themselves against exploits targeting a new zero-day vulnerability which allows attackers to steal information from users.

The company confirmed reports of the newly discovered Windows security hole, as well as the fact that both published information and proof-of-concept code made their way into the wild.

According to the software giant, the flaw resides in the MHTML (MIME Encapsulation of Aggregate HTML). Applications such as Internet Explorer leverage MHTML to interpret MIME-formatted requests for content blocks within certain documents that need to be rendered. More »

Microsoft has confirmed a zero-day vulnerability affecting all supported versions of Internet Explorer, including IE8, IE7 and IE6.

The Redmond company explains that the security flaw involves the creation of uninitialized memory during a CSS function within the browser.

“It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution,” the software giant informed.

Given the fact that successful exploits against this vulnerability can allow for remote code execution, and attacker could potentially take over a victim’s computer.

However, Dave Forstrom, Director, Trustworthy Computing, Microsoft denied that this has happened yet. More »

Microsoft has wrapped up 2010 with a real bang as far as the volume of security vulnerabilities goes.

The company released no less than 17 security bulletins in December 2010, patching no less than 40 vulnerabilities.

However, just a couple of the patch packages are rated Critical, which means that the security holes they’re designed to plug can allow attackers to execute code remotely on a vulnerable computer and gain control over the machine.

The updates resolve security flaws in a range of products, including Office, Windows, Internet Explorer, SharePoint Server and Exchange.

Jerry Bryant, group manager, response communications, Microsoft was kind enough to provide a complete list with all the security bulletins issued by the software giant this month, which customers will be able to find below. More »

Microsoft will release patches for no less than 34 security vulnerabilities in a range of its products next week. The Redmond company revealed that it plans to introduce no less than 14 security bulletins as a part of its normal patch cycle, with the June security bulletin release scheduled for Tuesday, August 10. The upcoming availability of the massive number of security bulletins will mark a new record for the Redmond company, as the software giant has never released 14 patch packages in a single month before.

“For those who keep track of such things, this will be the most bulletins we have ever released in a month; we have released 13 bulletins on a couple of occasions. However, in total CVE count, this release ties with June 2010, so there’s no new record there,” revealed Angela Gunn, Security Response Communications Manager. More »

Microsoft will release a total of 11 security bulletins on April 13, 2010, as a part of the company’s monthly patch cycle. According to Jerry Bryant, group manager, Response Communications, no less than 25 vulnerabilities affecting Windows, Office and Exchange will be patched next week. Out of the 11 patch packages, no less than eight impact releases of the Windows operating system, two affect Office and one both Windows and Exchange.

In the Security Bulletin Advance Notification for April 2010, the Redmond company offers general details about the upcoming patches, enough so that IT professionals can make the necessary preparations for deployment, but not sufficient for attackers to do reverse engineering on the security updates before they become available.

“I also want to point out to customers that we will be closing the following open Security Advisories with next week’s updates: Microsoft Security Advisory (981169) – Vulnerability in VBScript Could Allow Remote Code Execution. Microsoft Security Advisory (977544) – Vulnerability in SMB Could Allow Denial of Service,” Bryant stated. More »