Security Researcher Acknowledgments for Microsoft Vulnerability Research

The Microsoft Vulnerability Research team is pleased to recognize the following researchers who have helped make the ecosystem more secure by finding and reporting security vulnerabilities to other organizations. Each name listed represents a Microsoft employee who has disclosed one or more security vulnerabilities in a third-party product or website and worked with that third party in a coordinated fashion to remediate the issue. Microsoft recommends that all installed software be kept fully up to date at all times, including the software mentioned below.

August 2015 Acknowledgements

  • Richard van Eeden for reporting an unexpected code execution vulnerability in Samba (CVE-2015-0240). This issue was fixed in February 2015.
  • Omar Benbouazza for reporting a server configuration issue on Apple.com. The issue was fixed in June 2015. See the Apple acknowledgement for more information.
  • Laisvis Lingvevicius for reporting a stored cross-site scripting vulnerability and other vulnerabilities in HP Network Automation (CVE-2014-7886). These issues were fixed in April 2015. See the HP advisory for additional information.
  • David Weston for reporting a remote escalation of privilege vulnerability in Lenovo QuickSnip. This issue was fixed in June 2014.

March 2015 Acknowledgements

  • Jeremy Brown for reporting a memory corruption vulnerability in TurboTax (CVE-2014-7873). This issue was resolved in October 2014.
  • Behrang Fouladi Azarnaminy and Axel Souchet for reporting a privilege escalation vulnerability in Adobe Flash Broker (CVE-2014-8442). This issue was fixed in version 15.0.0.223, which was released in November 2014.
  • Michael Scovetta for reporting a memory corruption vulnerability after a failed heap allocation in the International Components for Unicode (ICU) library version 53. The issue was fixed in ICU 54.
  • Joe Bialek and Adam Zabrocki for reporting a heap overflow vulnerability in Nginx. This issue was fixed in version 1.7.10, which was released in February 2015.
  • Jeremy Brown for reporting a memory corruption vulnerability in Oracle B2B (CVE-2014-6548). This issue was resolved in October 2014. See the Oracle advisory for additional information.
  • Elias Bachaalany for reporting an ASLR bypass vulnerability in Sophos Endpoint Security and Control. This issue was fixed in version 10.3.12, which was released in January 2014.

February 2015 Acknowledgements

  • Behrang Fouladi Azarnaminy and Axel Souchet for reporting a privilege escalation vulnerability in Adobe Flash Broker (CVE-2014-8442). This issue was fixed in version 15.0.0.223, which was released in November 2014.
  • Jeremy Brown for reporting a memory corruption vulnerability in SOX. This issue was fixed in version 14.4.2rc2, which was released in December 2014.
  • Joe Bialek and Adam Zabrocki for reporting a heap overflow vulnerability in Nginx. This issue was fixed in version 1.7.10, which was released in February 2015.

December 2014 Acknowledgements

  • Daniel Edwards for reporting a malformed MPLS packet vulnerability in Cisco IOS XR (CVE-2014-3379). This issue was resolved in September 2014.
  • Daniel Edwards for reporting a malformed TACACS+ packet vulnerability in Cisco IOS XR (CVE-2014-3378). This issue was resolved in September 2014.
  • Daniel Edwards for reporting a malformed SNMPv2 packet vulnerability in Cisco IOS XR (CVE-2014-3377). This issue was resolved in September 2014.
  • Daniel Edwards for reporting a malformed RSVP packet vulnerability in Cisco IOS XR (CVE-2014-3376). This issue was resolved in September 2014.
  • Jeremy Brown for reporting a privilege escalation vulnerability in Comodo GeekBuddy (CVE-2014-7872). This issue was fixed in version 4.18.121, released in October 2014.
  • Justin Hendricks for reporting a critical server-side validation vulnerability in Eurest ZipThru Online Ordering web service. This vulnerability was fixed in June 2014.
  • Jeremy Brown for reporting a memory corruption vulnerability in Adobe Photoshop Elements. This issue was resolved in Photoshop Elements 13.
  • Michal Zygmunt and Arthur Wongtschowski for reporting a design-level vulnerability in Google Update that enabled a browser sandbox escape. This issue was fixed in version 1.3.24.15.

June 2014 Acknowledgements

  • Jeremy Brown for reporting stack corruption and format string vulnerabilities in Bochs PC emulator (CVE-2014-4176, CVE-2014-4177). These issues were resolved in May 2014.
  • Jeremy Brown for reporting multiple memory corruption vulnerabilities in Symantec PGP Desktop and Symantec Encryption Desktop Professional (CVE-2014-1646, CVE-2014-1647). These issues were fixed in version 10.3.2 Maintenance Pack 1, released in April 2014. See these Symantec advisories for additional information.
  • Jeremy Brown for reporting a heap corruption vulnerability via ISO file parsing in 7-Zip (CVE-2014-4175). The issue was fixed in alpha version 9.32.
  • Jeremy Brown for reporting multiple heap corruption vulnerabilities in the Cisco WebEx Player for ARF. These issues were fixed in the players for WebEx Business Suite versions T28.8 and T27LDSP32EP16, the deployment of which was completed in April 2014.
  • Jeremy Brown for reporting multiple memory corruption vulnerabilities in Cisco WebEx Player for WRF. These issues were fixed in the players for WebEx Business Suite versions T28.8 and T27LDSP32EP16, the deployment of which was completed in April 2014.

April 2014 Acknowledgements

  • Jeremy Brown for reporting a memory corruption vulnerability in PuTTY (CVE-2014-4178). This issue was fixed in version 0.63, which was released in August 2013.
  • Jeremy Brown for reporting a CAP memory corruption vulnerability in Wireshark version 1.10.1 (CVE-2014-4174). The issue was fixed in version 1.10.4.

January 2014 Acknowledgements

  • Jeremy Brown for reporting an RM memory corruption vulnerability in RealPlayer (CVE-2013-4974). The issue was fixed in version 16.0.3.51, which was released in August 2013.
  • Jeremy Brown for reporting a FLAC memory corruption vulnerability in Libavcodec (CVE-2014-4173). The issue was fixed in version 2.1.0, which was released in September 2013.
  • Jeremy Brown for reporting multiple vulnerabilities in Adobe RoboHelp (CVE-2013-5327). These issues were fixed in a RoboHelp security update that was made available in October 2013.