17 matches found
Microsoft Azure SDK Code Issue Vulnerability
The Microsoft Azure SDK is a code library developed by Microsoft that allows for interaction with programming languages to manage Azure services. The Microsoft Azure SDK has code-related vulnerabilities. Attackers can exploit these vulnerabilities to execute code remotely...
Building security that lasts: Microsoft’s journey towards durability at scale
In this blog you will hear directly from Microsoft’s Deputy Chief Information Security Officer (CISO) for Azure and operating systems, Mark Russinovich, about how Microsoft operationalized security durability at scale. This blog is part of an ongoing series where our Deputy CISOs share their though...
Azure Service Tags Vulnerability: Microsoft Warns of Potential Abuse by Hackers
Microsoft is warning about the potential abuse of Azure Service Tags by malicious actors to forge requests from a trusted service and get around firewall rules, thereby allowing them to gain unauthorized access to cloud resources. "This case does highlight an inherent risk in using service tags a...
The vulnerability of the C language library for interacting with Azure services via uAMQP, related to a reclamation error, allows attackers to execute arbitrary code.
The vulnerability of the C language library for interacting with Azure services via uAMQP is related to a memory reclamation error. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
The vulnerability of the C language library for interacting with Azure services via uAMQP, related to integer overflow, allows attackers to execute arbitrary code.
The vulnerability of the C language library for interacting with Azure services via uAMQP is related to a numerical overflow condition. Exploiting this vulnerability allows an attacker to execute arbitrary code using specially created data...
Microsoft Azure Subdomain Scanner / Enumerator
Background: Microsoft makes use of a number of different domains and subdomains for each of their Azure services. From SQL databases to SharePoint drives, each service maps to its respective domain/subdomain, and with the proper toolset, these can be identified through DNS enumeration to yield...
Compromised Microsoft Key: More Impactful Than We Thought
Our investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558, found that this incident seems to have a broader scope than originally assumed. Organizations using Microsoft and Azure services should take steps to assess potential impa...
Microsoft resolves four SSRF vulnerabilities in Azure cloud services
Summary: Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security. These SSRF vulnerabilities were determined to be low risk as they do...
Microsoft resolves four SSRF vulnerabilities in Azure cloud services
Summary: Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security. These SSRF vulnerabilities were determined to be low risk as...
Delete Passwords: Passwordless Connections for Spring Boot Apps to Azure Services
Using username/password credentials to access one application from another presents a huge security risk for many reasons. Today, we are announcing the preview of passwordless connections for Java applications to Azure database and eventing services, letting you finally shift away from using...
Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs
Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data...
Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs
Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data...
Microsoft Security: Use baseline default tools to accelerate your security career
I wrote a series of blogs last year on how gamified learning through cyber ranges can create more realistic and impactful cybersecurity learning experiences and help attract tomorrow’s security workforce. With the global talent shortage in this field, we need to work harder to bring people into t...
Zero Trust—Part 1: Networking
Enterprises used to be able to secure their corporate perimeters with traditional network controls and feel confident that they were keeping hackers out. However, in a mobile- and cloud-first world, in which the rate and the sophistication level of security attacks are increasing, they can no...
Vulnerability hunting with Semmle QL, part 2
The first part of this series introduced Semmle QL, and how the Microsoft Security Response Center (MSRC) are using it to investigate variants of vulnerabilities reported to us. This post discusses an example of how we’ve been using it proactively, covering a security audit of an Azure firmware...
Microsoft .NET Core, ASP.NET Beta Bug Bounty
Microsoft today opened a bounty for the .NET Core and ASP.NET Beta, both of which are part of the Visual Studio development suite. The bounty will remain open through Jan. 20 and payouts will fall between $500 and $15,000 USD. Microsoft said only bugs in the .NET core runtime (CoreCLR) and beta...
Microsoft Azure Backup Server V4 - Data Protection Manager
Microsoft Azure Backup Server V4 - Data Protection Manager...