Microsoft Security Bulletin Advance Notification for March 2011

Discussion in 'other security issues & news' started by ronjor, Mar 3, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    https://www.microsoft.com/technet/security/bulletin/ms11-mar.mspx
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    http://blogs.technet.com/b/msrc/arc...the-march-2011-security-bulletin-release.aspx
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I read the links but can't tell if the MHTML Script Injection vulnerability is scheduled to be patched?
     
  4. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    All speculation at this point but check what MS is currently calling "Bulletin 2" (see the link in Ron's first post) and compare the MHTML advisory:

    http://www.microsoft.com/technet/security/advisory/2501696.mspx

    Sure seems to match up with each OS, particularly the part about "Windows Server 2008 or Windows Server 2008 R2, when installed using the Server Core installation option" not being affected. Again, just a wild guess.
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I believe the correct answer is, no MHTML vulnerability patch...
    Microsoft won't patch IE before Pwn2Own
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Does that mean contestants are allowed to use it?
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Cha-ching!
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    That's odd, one would think they wouldn't be allowed to use exploits discovered by someone else.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Oh I agree, and I doubt that that is the case.
    Discovered exploits are just that... already discovered.
     
  10. katio

    katio Guest

    There's nothing explicit in the short rules posted http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011
    but I think I remember that known vulnerabilities are excluded. This Miller guy who won 3 times was claimed to have cheated on a particular OS X/Safari vulnerability that involved code that wasn't only known to be vulnerable but already fixed in the upstream open source code.

    Anyway, I don't think you'd get far with the mhtml exploit, maybe it could be useful on the Windows Phone but I doubt that is even vulnerable to it. On the Desktop IE side of things remote code execution is a requirement and for that cross site scripting when you already can send the victim to a attacker controlled site doesn't get you any further.

    MS is waiting with a fix so it can roll out a single patch sometime later this month fixing whatever other (and more important) security vulns are going to be reported via pwn2own.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    From the blog...
    Thanks for posting the link, Ron. :)
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Has anyone received this update -http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ef2ee37e-5562-4150-b3df-371651b83162&pf=true ?

    I can't find any info about what "issues" it will resolve. There's no knowledge base article either -http://support.micrososft.com/kb/2505438

    o_O
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Loading...
Thread Status:
Not open for further replies.