A Google security engineer claims that a bug in Internet Explorer 8 can be used to access users’ data and their web accounts, so that an attacker could do such things as send unauthorized tweet's from a user’s Twitter account. It’s the CSS cross-origin theft bug that’s been tracked by researchers at Carnegie-Mellon for several years. more..... more »

Many small businesses and even local governments use the online survey services to poll customers or residents about their experiences, concerns, complaints and so forth. It’s a way to get more input from people who wouldn’t take the time to call or write a detailed message, but some people may be hesitant to participate because of privacy conc.. more »

Mozilla expects to release the final version of Firefox 4 (which has been in beta since early July) before the end of the year. Beta 5 comes out this week. This version will include a new security feature, the HTTP Strict Transport Security (HSTS) standard, which allows web site owners to ensure that the browser goes to the secure version of a web .. more »

We’ve been asked if commercial enterprises can use the SDL documentation that we recently released under a Creative Commons license. It seems that there is some confusion within the IT community regarding our use of a CC license that stipulates non-commercial terms. The purpose of this post is to clarify our intent in releasing the SDL materials un.. more »

Today we are pleased to announce the availability of the Enhanced Mitigation Experience Toolkit (EMET) version 2.0. click here to download the tool For those who may be unfamiliar with the tool, EMET provides users with the ability to deploy security mitigation technologies to arbitrary applications. This helps prevent vulnerabilities in those .. more »

A new rogue has started making its appearance from compromised websites: . We received a sample (70be8ca73142922fd78acf2aafa9f141a977f15a) and a URL and began our investigation. Let us say from the beginning that the guys behind this rogue like to copy The similarity between the fake warning pages is so accurate that it can trick even highly .. more »

The Infrastructure Planning and Design (IPD) team has released a new guide: Windows User State Virtualization (USV). The Infrastructure Planning and Design guide for Windows User State Virtualization (USV) helps IT get started with planning a Windows...(read more).. more »

The U.S. Federal Communications Commission (FCC) posted a public notification last month that requests input on the role the Commission should play in regard to cybersecurity, as part of their project to develop a “cybersecurity roadmap. All of this is part of the National Broadband Plan (NBP), which is the plan for expanding high speed Internet ac.. more »

notifying customers of a publicly disclosed remote attack vector to a class of vulnerabilities affecting applications that load dynamic-link libraries (DLL’s) in an insecure manner. At that time, we also to help protect systems by disallowing unsafe DLL-loading behavior. Today we wanted to provide an update by answering several questions we have re.. more »

on August 23, we've continued to conduct an investigation not only into our own affected products, but also into how we can best help to protect customers given DLL preloading also affects some third-party applications. We'd like to provide an update on our investigation. First, I want to be clear that Microsoft plans to address those of our .. more »

It's very important your computer, software and browser are running with the latest updates, but it's equally important to be discerning about where your updates are coming from. A perfect example of the latest update scam: Recently, we observed malware writers using compromised Twitter accounts to post the fake tweets about the 'latest update' as .. more »

Back in May, we posted an article with an . As the numbers demonstrate, we have been making a positive impact in terms of protecting customers from this family of attacks. Since releasing the Alureon rootkit detection and removal capabilities in (the Microsoft Malicious Software Removal Tool), there have been over 1,200,000 successful removals of .. more »

Recently, my MMPC research colleague Michael Johnson about an interesting social engineering technique that results in a malicious JavaScript being run on the unsuspecting recipient's computer when they follow the instructions provided in a .PNG image file. Unsurprisingly, we recently found that malware authors are using this PNG-to-BMP conversion .. more »

We have received a quite a number of requests from various organizations and individuals that wish to use our Security Development Lifecycle (SDL) content to build out their own secure development processes. We have put a lot of thought into these requests and how best to service them. Up to this point, Microsoft has released SDL information using .. more »

Over the last week, there have been numerous articles on the web about the DDL hijacking vulnerability reported by ACROS and H.D. Moore of Megasploit. The headlines mentioned “at least 40 applications that are vulnerable.” These are applications that don’t specify a fully qualified path name when loading a library. more..... more »

Revision Note: V1.0 (August 23, 2010) Advisory published.Summary: Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries... more »

notifying customers of a remote attack vector to a class of vulnerabilities affecting applications that load DLL’s in an insecure manner. The root cause of this issue has been understood by developers for some time. However, last week researchers published a remote attack vector for these issues, whereas in the past, these issues were generally co.. more »

. This is different from other Microsoft Security Advisories because it's not talking about specific vulnerabilities in Microsoft products. Rather, this is our official guidance in response to security research that has outlined a new, remote vector for a well-known class of vulnerabilities, known as .  We are currently conducting a thorough i.. more »

Severity Rating: Critical - Revision Note: V1.1 (August 11, 2010): Added a link to Microsoft Knowledge Base Article 2265906 under Known Issues in the Executive Summary. Also corrected the entries for Microsoft Silverlight in the Non-Affected Software table and the workarounds for Microsoft Silverlight Memory Corruption Vulnerability - .. more »

This month’s Malicious Software Removal Tool (MSRT) release added new detection and cleaning for several malware threats that incorporate the use of the CVE-2010-2568 vulnerability (which was fixed by the security bulletin released in August). This includes the Win32/Stuxnet family and several variants of Win32/Vobfus and W32/Sality. From a gl.. more »