Microsoft

The H-Online: As previously announced, Microsoft has released seven bulletins to close a total of 23 vulnerabilities on its May Patch Tuesday. The total number of bulletins belies the scope of the patches, however, as the combined update MS12-034 closes various holes in numerous products. The reason for this is a critical hole in the code for processing TrueType fonts that was exploited by the Duqu spyware last year. The hole was closed in the Windows kernel on the December Patch Tuesday; however, Microsoft has since used a code scanner to track down the vulnerable code in numerous other components; among them is the gdiplus.dll library, which is used by various browsers to render web fonts. ...

Cross-posted from BetaNews: In a blog post on Wednesday, President of Microsoft’s Windows division Steven Sinofsky announced the seven-year old Windows Live brand is being retired. Do not be mistaken, there are more than 500 million users of the various Microsoft services that fall under the general classification of Windows Live. They are alive and well. The brand and the concept of Windows Live as a whole, however, is antiquated in this mobile-driven era, and Microsoft is finally halting the differentiation. ...

Cnet: Microsoft today made available for download a new release of its free anti-virus/anti-malware program for Windows PCs, Microsoft Security Essentials (MSE). The MSE 4.0 release is available via the Microsoft Download Center and the MSE Web site. (I learned of its availability from a post on Neowin today.) The latest version runs on Windows XP, Windows Vista, and Windows 7. The 4.0 version has been in beta since late 2011. As ZDNet sister site TechRepublic reported back in December 2011, Microsoft officials said the 4.0 release would include a streamlined interface; a renamed version of the SpyNet service (now slated to be known as Microsoft Active Protection Services); new automatic remediation functionality; and overall improved performance and detection capabilities. ...

The H-Online: The Tuesday after the Easter weekend, 10 April, is set to be a busy one for system administrators as Microsoft and Adobe have sent out notifications that they will both be issuing fixes for critical vulnerabilities in their products. Microsoft’s April notification says there will be four critical advisories concerning Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, Microsoft Server and Developer tools, which all lead to remote code execution. A fifth remote code execution vulnerability in Office is marked as important, as is a sixth information disclosure issue in Microsoft’s Forefront United Access Gateway. The critical bulletins will affect all versions of Windows, from Windows XP SP3 to Windows Server 2008R2. One critical bulletin for Internet Explorer covers IE 6, 7, 8 and 9 ...

The H-Security: Next week’s Patch Tuesday sees Microsoft planning to publish a total of six bulletins, including one that addresses a critical vulnerability in all versions of Windows from Windows XP service pack 3 to Windows 7 service pack 1 and Windows Server 2008 R2. The rating means that the hole enables attackers to infect a system via the internet and inject malicious code. Other bulletins will address a privilege elevation flaw which affects the same span of Windows versions. ...

H-Online.com: Following the revelation that Google and other online marketing companies have been bypassing the mechanism for blocking third-party cookies in Safari, the Internet Explorer development team asked themselves whether Google might be doing the same thing in IE. As they detail on IEBlog, they discovered that this was the case – Google circumvents Internet Explorer’s cookie policy by subverting the browser’s P3P-based privacy protection mechanism. P3P stands for Platform for Privacy Preferences Project and is an open W3C standard. It is intended to help both users and programs determine what sites do with personal data. The cookie management system in Internet Explorer blocks third party cookies from sites that do not supply a P3P policy statement telling it how cookies are used. ...

The H-Online: As expected, Microsoft has released nine bulletins to close a total of 21 holes in its products. Four of the bulletins close critical vulnerabilities in Windows, Internet Explorer, .NET and Silverlight, including an issue in the Windows kernel-mode drivers that became publicly known in December of last year. The company advises those responsible for prioritizing update deployment to focus on the critical patches for Internet Explorer and the C Runtime Library in Windows, as these could be exploited by an attacker to remotely execute arbitrary code on a victim’s system. For an attack to be successful, a user must first visit a malicious web page or open a specially crafted file. The other critical bulletins fix issues in .NET and Silverlight, as well as the Windows kernel. Microsoft notes that it has yet to see any active attacks exploiting these issues in the wild. ...

The Hacker News: Today, Hackers from group EvilShadow successfully hack and deface the website of Microsoft Store India (http://www.microsoftstore.co.in) . But Hacker upload his deface page at location http://www.microsoftstore.co.in/evil.html . Hacker revealed that user passwords were saved in plain text as shown below:

The Register: Microsoft plans to publish nine updates next Tuesday – four of which are critical – as part of a Valentine’s Day edition of its Patch Tuesday update cycle. Highlights of the batch, which collectively address 21 vulnerabilities, include a critical update for Internet Explorer. There are also two critical fixes for Windows itself, plus one for Microsoft’s .NET framework. Three the five remaining “important” fixes grapple with remote code execution-type vulnerabilities, one of which involves Office. Flaws of this type are best addressed sooner rather than later because they might easily be exploited by malware slingers. ...

Windows Experience Blog wrote: If you’ve been reading the blog lately, you know that I’m trying to bring back Valentine’s Day as a cool hip holiday. It’s not my fault; really, I’m just a sucker for a love note. The best thing about a Valentine’s Day card, to be honest, isn’t the words (they are always cheesy) – it’s the thought. With that thought in mind, we headed to the wilderness to create this card for you. ...