iDefense Labs News

Microsoft Security Bulletin: July 2009

Tue, 14 Jul 2009 05:00:00 UTC

Microsoft Corp. has released six Security Bulletins encompassing nine vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: June 2009

Tue, 09 Jun 2009 05:00:00 UTC

Microsoft Corp. has released 10 Security Bulletins encompassing 31 vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: May 2009

Tue, 12 May 2009 05:00:00 UTC

Microsoft Corp. has released one Security Bulletin encompassing 14 vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: April 2009

Tue, 14 Apr 2009 05:00:00 UTC

Microsoft Corp. has released eight Security Bulletins encompassing 23 vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: March 2009

Tue, 10 Mar 2009 05:00:00 UTC

Microsoft Corp. has released three Security Bulletins encompassing eight vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: February 2009

Tue, 10 Feb 2009 05:00:00 UTC

Microsoft Corp. has released four Security Bulletins encompassing eight vulnerabilities. This report provides an initial summary of these pending issues.

iDefense Awards $50,000 VCP Challenge Prize

Thu, 15 Jan 2009 05:00:00 UTC

Today VeriSign's iDefense Labs announced the list of winners for the First Annual Vulnerability Contributor Program (VCP) Challenge. In 2008 iDefense scrapped their old Quarterly Challenge Program, whose prizes averaged around $5,000, for an annual program with more substantial prizes. Says Andrew Scholnick, Director of the iDefense Labs and its VCP; "Our intention in the VCP is to provide substantial reward to those vulnerability researchers who choose the ethical path outlined by our Responsible Disclosure policy. It is a firm belief at iDefense that Full Disclosure programs, and even the more restrained Partial Disclosure policies of certain 'high profile' researchers, simply cause too much damage. We are trying to make the point to all vulnerability researchers that, although the Responsible Disclosure process can be slower than less ethical methods at times, it is the most appropriate way to receive competitive compensation and recognition for their efforts."

The new Annual Challenge awards prizes for the top overall contributors to the iDefense Labs VCP and/or the top quality individual VCP submissions processed by iDefense within a challenge year. The prizes being awarded today include:

Grand Prize – $50,000 (US) – Michal "regenrecht" Luczaj
First Prize – $25,000 (US) – VCP researcher "Zdenda"
Second Prize – $10,000 (US) – An anonymous contributor from Russia
Tied for Third Prize – $5,000 (US) – VCP researcher "sef0cus"
Tied for Third Prize – $5,000 (US) – Silvio Cesare of Australia
Honorable Mention – iPod nano – Javier Vicente Vallejo
Honorable Mention – iPod nano – Stephen Fewer of Harmony Security

About the Winners:

Michal Luczaj was selected as the Grand Prize winner this year both for a 'Sun Java JRE Decompression' vulnerability he submitted in September (disclosed by Sun Microsystems on December 2), and the consistent high quality of his research submissions (over a dozen this year). Aside from being the first winner of the annual $50,000 Grand Prize, Mr. Luczaj has seen his average payments from iDefense more than double in the past six months as a result of the new payment structure in the VCP.

Zdenda received the First Prize for a vulnerability that has yet to be disclosed, that was submitted to iDefense in July of 2008. Compensation for this contributor's individual contributions have increased tenfold over what was paid in 2007.

A Russian Contributor, who prefers to remain anonymous, took the Second Place prize for a vulnerability that has yet to be disclosed, that was submitted to iDefense in April of 2008. This individual is one of our most prolific contributors, with over 30 submissions in the past year.

Silvio Cesare of Australia won one of two Third Place prizes for a 'SNORT IP Fragment TTL Evasion' vulnerability submitted in January of 2008. The other Third Place prize went to sef0cus for a vulnerability that has yet to be disclosed, that was submitted to iDefense in August of 2008.

Two Honorable Mention prizes were also awarded to Stephen Fewer of Harmony Security and Javier Vicente Vallejo.

Microsoft Security Bulletin: January 2009

Tue, 13 Jan 2009 05:00:00 UTC

Microsoft Corp. has released one Security Bulletin encompassing three vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: December 2008

Tue, 09 Dec 2008 05:00:00 UTC

Microsoft Corp. has released eight Security Bulletins encompassing 28 vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: November 2008

Tue, 11 Nov 2008 05:00:00 UTC

Microsoft Corp. has released two Security Bulletins encompassing four vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: October 2008

Tue, 14 Oct 2008 05:00:00 UTC

Microsoft Corp. has released 11 Security Bulletins encompassing 20 vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: September 2008

Tue, 09 Sep 2008 05:00:00 UTC

Microsoft Corp. has released four Security Bulletins encompassing eight vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: August 2008

Tue, 12 Aug 2008 05:00:00 UTC

Microsoft Corp. has released 11 security bulletins encompassing 26 vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: July 2008

Tue, 08 Jul 2008 05:00:00 UTC

Microsoft Corp. has released four security bulletins encompassing nine vulnerabilities. This report provides an initial summary of these pending issues.

2008: $50,000 Annual Vulnerability Challenge

Wed, 02 Jul 2008 05:00:00 UTC

Prior to 2008, the old Challenge Program had awarded cash prizes for the best research submission targeting a specific technology over a 90 day period. Many iDefense VCP contributors had complained that 90 days was simply not enough time to properly research a good vulnerability, and informed the VCP that more time was needed. Recognizing that this was a fundamentally valid assertion, iDefense decided to ‘take the hint’ and restructure the entire iDefense VCP Challenge Program.

As of July 1, 2008 the new VCP Challenge Program takes effect, considering all qualifying research submissions through the end of the calendar year (31 December). Thereafter, the Challenge will consider all qualifying research accepted and compensated by the VCP Program that were received between the first day of January and the last day of December in each subsequent year. Following the acceptance deadline the iDefense Labs Vulnerability Research Team (VRT) will determine the winners and award the prizes. iDefense will award all cash prizes within thirty (30) days of the Challenge deadline. Under no circumstances will any submission be considered for any of the current year’s Challenge prizes if the contributor has not accepted the iDefense VCP’s offer for compensation for the submission.

Microsoft Security Bulletin: June 2008

Tue, 10 Jun 2008 05:00:00 UTC

Microsoft Corp. has released seven security bulletins encompassing 10 vulnerabilities. This report provides an initial summary of these pending issues.

Spear Phishing and Whaling Attacks Reach Record Levels

Sat, 07 Jun 2008 05:00:00 UTC

Targeted social engineering attacks against corporations have reached new highs during April and May 2008. These e-mail-based attacks, often referred to as "spear phishing" or "whaling,' target individual users and contain personal information such as name, company, mailing address and phone number. Many of these attacks target senior executives and other high profile individuals

Symantec Moves to Threatcon 2 Based on Flash Vuln...

Wed, 28 May 2008 05:00:00 UTC

On May 27, 2008, Symantec moved to Threatcon 2 based on information that a new and unpatched vulnerability in Adobe's Flash player was being exploited in the wild. Based on analysis of the sites provided by Symantec and exploit sites gathered from internal data, it is clear that an older vulnerability is currently being exploited. The vulnerability in question was found by Mark Dowd of ISS in a paper in which he describes a novel technique for exploiting null pointer dereference bugs.

Microsoft Security Bulletin: May 2008

Tue, 13 May 2008 05:00:00 UTC

Microsoft Corp. has released four security bulletins encompassing six vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: April 2008

Tue, 08 Apr 2008 05:00:00 UTC

Microsoft Corp. has released eight security bulletins encompassing 10 vulnerabilities. Please note that Microsoft combined two similar iDefense Exclusive reports into one fix. Also note that iDefense has created a separate Threat report to include third-party ActiveX kill bits. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: March 2008

Tue, 11 Mar 2008 05:00:00 UTC

Microsoft Corp. has released four security bulletins encompassing 12 vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: February 2008

Tue, 12 Feb 2008 05:00:00 UTC

Microsoft Corp. has released 11 security bulletins encompassing 17 vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: January 2008

Tue, 08 Jan 2008 05:00:00 UTC

Microsoft Corp. has released two security bulletins encompassing three vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: December 2007

Tue, 11 Dec 2007 05:00:00 UTC

Microsoft Corp. has released seven security bulletins encompassing 11 vulnerabilities. This report provides an initial summary of these pending issues.

Microsoft Security Bulletin: November 2007

Tue, 13 Nov 2007 05:00:00 UTC

Microsoft Corp. has released two security bulletins encompassing two vulnerabilities. This report provides an initial summary of these pending issues.