❌
There are new articles available, click to refresh the page.
Before yesterdayMicrosoft Security Response Center

Announcing the Microsoft Machine Learning Membership Inference Competition (MICO)

16 November 2022 at 18:58
We’re excited to announce the launch of a new competition focusing on the security and privacy of machine learning (ML) systems. Machine learning has already become a key enabler in many products and services, and this trend is likely to continue. It is therefore critical to understand the security and privacy guarantees provided by state-of-the-art …

Announcing the Microsoft Machine Learning Membership Inference Competition (MICO) Read More Β»

Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602)

By: msrc
3 November 2022 at 00:46
SummaryΒ Β  Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services.Β  Any customer action that is required will be highlighted in this blog and our associated Security Update …

Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602) Read More Β»

Microsoft Mitigates Vulnerability in Jupyter Notebooks for Azure Cosmos DB

By: msrc
1 November 2022 at 13:00
Summary Microsoft recently fixed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB (currently in preview) reported by Orca Security. Β Customers not using Jupyter Notebooks (99.8% of Azure Cosmos DB customers do NOT use Jupyter notebooks) were not susceptible to this vulnerability. The bug was introduced on August 12th and fully patched worldwide …

Microsoft Mitigates Vulnerability in Jupyter Notebooks for Azure Cosmos DB Read More Β»

Reflecting on Cybersecurity Awareness Month: At its Core, Cybersecurity is all about People

As Cybersecurity Awareness Month 2022 comes to a close, I’m grateful for the impact it has had in bringing cybersecurity to the forefront since it began in 2004. Though the month may be over, our work in cybersecurity is never done. Often, we think about cybersecurity as a complex technology problem, but at its core, …

Reflecting on Cybersecurity Awareness Month: At its Core, Cybersecurity is all about People Read More Β»

Congratulations to the Top MSRC 2022 Q3 Security Researchers!

By: msrc
24 October 2022 at 17:10
Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2022 Q3 Security Researcher Leaderboard are: Zhiyi Zhang, Yuki Chen, and Dang The Tuyen! Check out the full list of researchers …

Congratulations to the Top MSRC 2022 Q3 Security Researchers! Read More Β»

Investigation Regarding Misconfigured Microsoft Storage Location

By: msrc
19 October 2022 at 14:04
October 28, 2022 update:Added a Customer FAQ section. Summaryβ€― Security researchers at SOCRadar informed Microsoft on September 24, 2022, of a misconfigured Microsoft endpoint. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning …

Investigation Regarding Misconfigured Microsoft Storage Location Read More Β»

Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk

By: msrc
19 October 2022 at 13:01
Summary Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web …

Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk Read More Β»

Hunting for Cobalt Strike: Mining and plotting for fun and profit

By: msrc
13 October 2022 at 16:00
Introduction Cobalt Strike is a commercial Command and Control framework built by Helpsystems. You can find out more about Cobalt Strike on the MITRE ATT&CK page. But it can also be used by real adversaries. In this post we describe how to use RiskIQ and other Microsoft technologies to see if you have Cobalt Strike …

Hunting for Cobalt Strike: Mining and plotting for fun and profit Read More Β»

BlueHat 2023 Call for Papers is Now Open!

For nearly 20 years, BlueHat has been where the security research community, and Microsoft security professionals come together as peers, to share, debate, challenge, learn, and exchange ideas in the interest of creating a safer and more secure world for all. We are extremely excited to announce that BlueHat is back in-person and the 2023 …

BlueHat 2023 Call for Papers is Now Open! Read More Β»

Improvements in Security Update Notifications Delivery – And a New Delivery Method

At MSRC, we are passionate about ensuring our customers have a positive experience when they use the Microsoft Security Update Guide (SUG). A big part of improving that experience is ensuring that customers have timely and easily accessibleΒ notifications. As such we have two important announcements to share about changes to the way we provide notifications. …

Improvements in Security Update Notifications Delivery – And a New Delivery Method Read More Β»

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

By: msrc
30 September 2022 at 06:55
November 8, 2022 update – Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. We recommend that customers protect their organizations by applying the updates immediately to affected systems. The options described in the Mitigations section are no longer recommended. For more information, review the Exchange Team blog. Summary On November 8 Microsoft released security updates …

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server Read More Β»

Defense-in-Depth Updates for Azure Identity libraries and Azure Key Vault libraries within Azure SDK plus Best Practice Implementation Guidance

By: msrc
20 September 2022 at 17:17
Summary Today, Microsoft released new versions of the Azure Key Vault libraries and Azure Identity libraries as part of the Azure Software Development Kit (SDK) that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and services that allow externally controlled input into the Azure Key Vault client URI for …

Defense-in-Depth Updates for Azure Identity libraries and Azure Key Vault libraries within Azure SDK plus Best Practice Implementation Guidance Read More Β»

Curious, Innovative, Creative, Community Driven: Meet Cyb3rWard0g, Roberto Rodriquez

When I grow up I want to be? Dancer or a veterinarian Happiest memories: Tearing up the dance floor at weddings and playing soccer in the streets of Lima, Peru Previous Job roles: Mopped floors for McDonalds, packed boxes at an Avon warehouse, Manager at Olive Garden, Beer taster/server and then dove into tech and …

Curious, Innovative, Creative, Community Driven: Meet Cyb3rWard0g, Roberto Rodriquez Read More Β»

What’s the smallest variety of CHERI?

By: Saar Amar
6 September 2022 at 08:09
The Portmeirion project is a collaboration between Microsoft Research Cambridge, Microsoft Security Response Center, and Azure Silicon Engineering & Solutions. Over the past year, we have been exploring how to scale the key ideas from CHERI down to tiny cores on the scale of the cheapest microcontrollers. These cores are very different from the desktop …

What’s the smallest variety of CHERI? Read More Β»

Vulnerability Fixed in Azure Synapse Spark

By: msrc
1 September 2022 at 15:00
Summary: Microsoft takes a proactive approach to continually probe our defenses, hunt for vulnerabilities, and seek new, innovative ways to protect our customers. Security researchers are an important part of this effort, and our collaborative partnership is critical in a world where cybersecurity attacks continue to grow in number and sophistication.Β  We value the role …

Vulnerability Fixed in Azure Synapse Spark Read More Β»

Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards

By: msrc
11 August 2022 at 16:00
The Microsoft Bug Bounty Programs and partnerships with the global security research community are important parts of Microsoft’s holistic approach to defending customers against security threats. Our bounty programs incentivize security research in high-impact areas to stay ahead of the ever-changing security landscapes, emerging technology, and new threats. Security Researchers help us secure millions of …

Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards Read More Β»

Security Update Guide Notification System News: Create your profile now

By: msrc
9 August 2022 at 17:20
Sharing information through the Security Update Guide (SUG) is an important part of our ongoing effort to help customers manage security risks and keep systems protected. In January 2022 we introduced Phase One of a new way for customers to receive email notifications about new Microsoft product security content using any email address, not just …

Security Update Guide Notification System News: Create your profile now Read More Β»

Congratulations to the MSRC 2022 Most Valuable Researchers!

By: msrc
8 August 2022 at 17:30
The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.Β  Today, we are excited to recognize this year’s top 100 Most Valuable Researchers (MVRs) based on the total number of points earned for each valid report. Congratulations …

Congratulations to the MSRC 2022 Most Valuable Researchers! Read More Β»

Microsoft Office to publish symbols starting August 2022

By: msrc
8 August 2022 at 09:30
We are excited to announce that Microsoft Office will begin publishing Office symbols for Windows via the Microsoft Public Symbol Server on August 9th 2022. The publication of Office symbols is a part of our continuing investment to improve security and performance for customers and partners. Key Advantages for customers, partners, and Microsoft Security: Empowering …

Microsoft Office to publish symbols starting August 2022 Read More Β»

Anatomy of a Cloud-Service Security Update

Our security teams around the world focus on identifying and mitigating security issues as soon as possible while minimizing customer disruption. One of the challenges of a traditional security update is ensuring customers apply the protections promptly. We recently discussed the work that goes into these updates in The Anatomy of a Security update.Β  Cloud …

Anatomy of a Cloud-Service Security Update Read More Β»

Congratulations to the Top MSRC 2022 Q2 Security Researchers!

By: msrc
19 July 2022 at 16:15
Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2022 Q2 Security Researcher Leaderboard are: Yuki Chen, Zhiyi Zhang, and William SΓΆderberg! Check out the full list of researchers recognized …

Congratulations to the Top MSRC 2022 Q2 Security Researchers! Read More Β»

Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability

By: msrc
18 July 2022 at 13:40
Summary: Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022. Microsoft …

Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability Read More Β»

All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity

The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs …

All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity Read More Β»

Microsoft Mitigates Azure Site Recovery Vulnerabilities

By: msrc
12 July 2022 at 17:49
Summary: Microsoft recently mitigated a set of vulnerabilities in Azure Site Recovery (ASR) and released fixes today, July 12, as part of our regular Update Tuesday cycle. These vulnerabilities affect all ASR on-premises customers using a VMware/Physical to Azure scenario and are fixed in the latest ASR 9.49 release. We recommend customers update to the …

Microsoft Mitigates Azure Site Recovery Vulnerabilities Read More Β»

Service Fabric Privilege Escalation from Containerized Workloads on Linux

By: msrc
28 June 2022 at 23:35
Under Coordinated Vulnerability Disclosure (CVD), cloud-security vendor Palo Alto Networks informed Microsoft of an issue affecting Service Fabric (SF) Linux clusters (CVE-2022-30137). The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster. Though the bug exists on …

Service Fabric Privilege Escalation from Containerized Workloads on Linux Read More Β»

A Man of Action: Meet Callum Carney

Hidden Talents: He was a competitive swimmer for many years. Instrument of Choice: His fingers were made for the keyboard, but he used to play the trumpet. 5 pieces of entertainment for the rest of his life: The Office, World War Z, The Matrix, Breaking Bad, The Thick of It. Favorite non-profit: RSPCA How he …

A Man of Action: Meet Callum Carney Read More Β»

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

By: msrc
30 May 2022 at 23:25
UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible. Windows Version Link to KB article LInk to Catalog Windows 8.1, Windows Server 2012 R2 5015805 Download Windows …

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Read More Β»

New Research Paper: Pre-hijacking Attacks on Web User Accounts

In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researcher Avinash Sudhodanan, investigated account pre-hijacking – a new class of …

New Research Paper: Pre-hijacking Attacks on Web User Accounts Read More Β»

Researcher Spotlight: Hector Peralta’s Evolution from Popcorn Server to the MSRC Leaderboards

β€œThe bug bounty literally changed my life. Before this, I had nothing.” Coolest thing he purchased: His first vehicle! Best gift to give: Buying his nephew gaming accessories. Favorite Hacking Companion: His two cats. They’re always by his side when he is working late. Origin of his Hacker name: The word dog in Spanish is …

Researcher Spotlight: Hector Peralta’s Evolution from Popcorn Server to the MSRC Leaderboards Read More Β»

❌
❌