Smokey's Security Weblog

veritas odium parit

Microsoft Security Bulletin MS13-008 – Out-Of-Band Critical Security Update for Internet Explorer (2799329)

Published: Monday, January 14, 2013 by Microsoft

Version: 1.0

General Information

Executive Summary

This security update resolves one publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. Internet Explorer 9 and Internet Explorer 10 are not affected. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2794220.

Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Known Issues. None

Affected and Non-Affected Software: see the Security Bulletin.

Some Frequently Asked Questions (FAQ) Related to This Security Update. For all FAQs, see the Security Bulletin.

Is this update, MS13-008, a cumulative security update for Internet Explorer?
No. This security update, MS13-008, only addresses the vulnerability described in this bulletin.

Do I need to install the last cumulative security update for Internet Explorer, MS12-077?
Yes. In all cases MS13-008 protects customers from the vulnerability discussed in this bulletin. However, customers who have not installed the latest cumulative security update for Internet Explorer may experience compatibility issues after installing the MS13-008 update.

Customers need to ensure that the latest cumulative security update for Internet Explorer, MS12-077, is installed to avoid compatibility issues.

If I applied the automated Microsoft Fix it solution for Internet Explorer in Microsoft Security Advisory 2794220, do I need to undo the workaround before applying this update?
Customers who implemented the Microsoft Fix it solution, “MSHTML Shim Workaround,” in Microsoft Security Advisory 2794220, do not need to undo the Microsoft Fix it solution before applying this update.

However, since the workaround is no longer needed, customers may wish to undo the workaround after installing this update. See the vulnerability workarounds in this bulletin for more information on how to undo this workaround.

Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.

Where are the hashes of the security updates?
The SHA1 and SHA2 hashes of the security updates can be used to verify the authenticity of downloaded security update packages. For the hash information pertaining to this update, see Microsoft Knowledge Base Article 2799329.

How are Server Core installations affected by the vulnerability addressed in this bulletin?
The vulnerability addressed by this update does not affect supported editions of Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 as indicated in the Non-Affected Software table, when installed using the Server Core installation option.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Posted January 14, 2013 | Advisories, Alerts, Downloads, Vulnerabilities

Download and try out Windows 7 Beta 32-bit (x86) or 64-bit (x64)

Welcome to the Windows 7 Beta Customer Preview Program

Published: January 2009

–  Learn about Windows 7 Beta
–  Test Windows 7 Beta in your lab environment
–  Stay informed on updates and resources

Windows 7 is…
the next release of the Windows client operating system, built on the secure foundation of Windows Vista and Windows Server 2008. Performance, reliability, security, and compatibility are core tenets of this release as we collect your feedback to meet our engineering goals of making Windows 7 the best-performing and most stable Windows operating system to date. New innovations in the product are designed to augment your ability as an IT professional to better provision and manage increasingly mobile PCs, protect data, and improve both end-user and personal productivity.

See Windows 7 for yourself

We are inviting IT professionals around the world to work with the Windows 7 Beta in their lab environments and secondary PCs to help ensure smooth adoption when the final product is available and to gather feedback from real-world settings.

How can you get involved?

1. Take a look at some of the new features and functionality in Windows 7 as part of our Springboard Series guidance on the Windows Client TechCenter on TechNet. As a partner you can also see additional resources on the Microsoft Partner Program portal.

2. Download the Beta for a hands-on trial. For a limited time, Microsoft is making this pre-release version of Windows 7 available to the first 2.5 million people who download. Ready to take a test drive? You can get one by trying the Windows 7 Beta. We think you’ll have the best experience if:

– You are willing to participate as an active beta tester and provide feedback to help us complete Windows 7.
– You have an extra computer available to dedicate to testing beta software.
– You can back up your PC, install and reinstall Windows, and reconfigure your home network connection.
– You’re comfortable troubleshooting your own PC problems. There’s no technical support available for the Beta.
– You understand how to burn an ISO file to a DVD using your computer’s DVD burner.
– You have a system recovery disc and know how to use it.
– You enjoy participating in an interactive community of beta testers, sharing experiences and feedback in real-time.

Microsoft isn’t providing technical support for the Beta and isn’t responsible for business-related downtime. Don’t install the Beta on your primary home or work computer. When the Beta expires on August 1, 2009, you’ll need to reinstall a released version of Windows to keep using your computer. (See Installation Instructions.)

These are the Microsoft minimum hardware recommendations for systems that will be running the Windows 7 Beta. These recommendations are specific to the beta release and are subject to change:

– Processor: 1 GHz 32-bit or 64-bit processor
– Memory: 1 GB of system memory
– Hard drive: 16 GB of available disk space
– Video card: Support for DirectX 9 graphics with 128 MB memory (in order to enable Aero theme)
– Drive: DVD-R/W drive
– Internet connection (to download the Beta and get updates)

Note: Some product features of Windows 7, such as the ability to watch and record live TV or navigation through the use of “touch”, may require advanced or additional hardware.

To learn more, see Windows 7 Beta: Frequently Asked Questions.

Thank you for participating in this beta program and helping us build the best operating system for you and your end users.

Remarks:

– this is beta software, use at your own risk
– the downloads are provided via the official Microsoft channels
– download links are checked and working

Microsoft Windows 7 Beta Customer Preview Program and downloads: Microsoft TechNet

Posted January 10, 2009 | Alerts, Downloads, Friends, News

Microsoft Security Bulletin Advance Notification for November 2008

Published: November 6, 2008

Microsoft Security Bulletin Advance Notification issued: November 6, 2008
Microsoft Security Bulletins to be issued: November 11, 2008

This is an advance notification of security bulletins that Microsoft is intending to release on November 11, 2008.

This bulletin advance notification will be replaced with the November bulletin summary on November 11, 2008. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

Executive Summaries

This advance notification provides the software subject as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier. The security bulletins for this month are as follows, in order of severity:

Critical (1) –

Bulletin Identifier: Windows Bulletin 1
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows, Microsoft Office. For more information, see the Affected Software section.

Important (1) –

Bulletin Identifier: Windows Bulletin 2
Maximum Severity Rating: Important
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows. For more information, see the Affected Software section.

Full bulletin: Microsoft TechNet

Posted November 8, 2008 | Advisories, Alerts, Downloads, Friends, Recommended External Security Related Links, Uncategorized, Vulnerabilities

Microsoft Security Bulletin Advance Notification for September 2008

Microsoft Security Bulletin Advance Notification issued: September 4, 2008
Microsoft Security Bulletins to be issued: September 9, 2008

This is an advance notification of security bulletins that Microsoft is intending to release on September 9, 2008.

This bulletin advance notification will be replaced with the September bulletin summary on September 9, 2008. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

The security bulletins for this month are as follows:

Bulletin Identifier: Windows Media Player Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows. For more information, see the Bulletin Affected Software section.

Bulletin Identifier: Windows Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, Visual Studio. For more information, see the Bulletin Affected Software section.

Bulletin Identifier: Windows Media Encoder Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows. For more information, see the Bulletin Affected Software section.

Bulletin Identifier: Office Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Office. For more information, see the Bulletin Affected Software section.

Non-Security, High-Priority Updates on MU, WU, and WSUS

For information about non-security releases on Windows Update and Microsoft Update, please see:

Microsoft Knowledge Base Article 894199: Description of Software Update Services and Windows Server Update Services changes in content for 2008. Includes all Windows content.

New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows.

Full bulletin: Microsoft TechNet

Posted September 5, 2008 | Advisories, Alerts, Friends, Malware, Recommended External Security Related Links, Vulnerabilities

Microsoft Security Bulletin MS08-033 (Critical): Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)

Published: June 10, 2008 | Updated: July 16, 2008

This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

The security update addresses the vulnerability by modifying the way that DirectX handles MJPEG and SAMI format files.

Microsoft recommends that customers apply the update immediately.

Source / full article / download: Microsoft TechNet

Posted July 18, 2008 | Advisories, Alerts, Downloads, Malware, Recommended External Security Related Links, Vulnerabilities