1366 matches found
The September 2014 Security Updates
Today, as a part of our regular Update Tuesday process, we released four security bulletins – one rated Critical and three rated Important in severity – to address 42 Common Vulnerabilities & Exposures CVEs in Microsoft Windows, Internet Explorer, .NET Framework, and Lync Server. We encourage you...
Assessing risk for the August 2013 security updates
Today we released eight security bulletins addressing 23 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your...
From arcades to Azure: Felix’s security research journey
When you talk with Felix, you quickly get the sense that he has always been propelled by curiosity and by a need for something that truly challenges him. Today, he is a successful independent security researcher who uncovers vulnerabilities across Microsoft cloud services. However, his path into...
Congratulations to the top MSRC 2025 Q4 security researchers!
Congratulations to all the researchers recognized in this quarter’sMicrosoft Researcher Recognition Programleaderboard! Thank you to everyone for your hard work and continued partnership to secure customers...
A deep dive into MUTZ
AtDEF CON 33, we shared our research into MapUrlToZone, a critical Windows security component that determines whether a given path is local, on the intranet, or on the broader Internet. This classification drives several security decisions across Windows, for example, preventing a CreateFile call...
Securing AI and Cloud with the Zero Day Quest
Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and...
Introducing the MSRC Researcher Resource Center
Microsoft partners with the global security researcher community to surface and report security vulnerabilities to protect all users of Microsoft products and services. Researcher submissions help us address immediate threats while also identifying trends and insights to holistically improve the...
Celebrating ten years of the Microsoft Bug Bounty program and more than $60M awarded
This year marks the tenth anniversary of the Microsoft Bug Bounty Program, an essential part of our proactive strategy to protect customers from security threats. Since its inception in 2013, Microsoft has awarded more than $60 million to thousands of security researchers from 70 countries. These...
Cybersecurity Awareness Month 2023: Elevating Security Together
As the 20th anniversary of Cybersecurity Awareness Month begins, I find myself reflecting on the strides made since its inception. The journey to enhance and improve cybersecurity is ongoing and extends beyond October. It’s not merely a technological challenge; it is fundamentally about people...
Microsoft mitigates set of cross-site scripting (XSS) vulnerabilities in Azure Bastion and Azure Container Registry
Summary Summary Microsoft recently mitigated a set of cross-site scripting vulnerabilities affecting Azure Bastion and Azure Container Registry ACR. Exploitation of these vulnerabilities could have potentially allowed for an unauthorized user to gain access to a target users session within the...
Guidance on Potential Misconfiguration of Authorization of Multi-Tenant Applications that use Azure AD
Summary Microsoft has addressed an authorization misconfiguration for multi-tenant applications that use Azure AD, initially discovered by Wiz, and reported to Microsoft, that impacted a small number of our internal applications. The misconfiguration allowed external parties read and write access...
Microsoft resolves four SSRF vulnerabilities in Azure cloud services
Summary Summary Microsoft recently fixed a set of Server-Side Request Forgery SSRF vulnerabilities in four Azure services Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins reported by Orca Security. These SSRF vulnerabilities were determined to be low risk as...
2022 年 12 月のセキュリティ更新プログラム (月例)
2022 年 12 月 13 日 米国時間 、マイクロソフトは、マイクロソフト製品に影響する脆弱性を修正するために、セキ...
Hunting for Cobalt Strike: Mining and plotting for fun and profit
Introduction Cobalt Strike is a commercial Command and Control framework built by Helpsystems. You can find out more about Cobalt Strike on the MITRE ATT&CK page. But it can also be used by real adversaries. In this post we describe how to use RiskIQ and other Microsoft technologies to see if you...
Improvements in Security Update Notifications Delivery - And a New Delivery Method
At MSRC, we are passionate about ensuring our customers have a positive experience when they use the Microsoft Security Update Guide SUG. A big part of improving that experience is ensuring that customers have timely and easily accessible notifications. As such we have two important announcements...
Azure Identity SDK と Azure Key Vault SDKに関する多層防御のためのアップデートとベストプラクティスの実装ガイダンス
本ブログは、Defense-in-Depth Updates for Azure Identity SDK and Azure Key Vault SDK plus Best Practice Implementation Guidance の抄訳版です。最新の情報は...
1年間のバグ報奨金プログラム レビュー: 報奨金 $13.7M
本ブログは、Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards の抄訳版です。最新の情報は原文を参照してください。 Microsoft...
Congratulations to the MSRC 2022 Most Valuable Researchers!
The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s top 100 Most...
Azure Storage SDK でのクライアントサイド暗号化におけるパディング オラクル の脆弱性を軽減
本ブログは、Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability の抄訳版です。最新の情報は原文を参照してください。...
影響の大きいシナリオにおけるマイクロソフトのバグ報奨金プログラムの拡大
本ブログは、Expanding High Impact Scenario Awards for Microsoft Bug Bounty Programsの抄訳版です。最新の情報は原文を参照し...
On-Premises Servers Products are Here! Introducing the Applications and On-Premises Servers Bug Bounty Program
Microsoft is excited to announce the addition of Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises to the Applications and On-Premises Servers Bounty Program. Through this expanded program, we encourage researchers to discover and report high-impact security...
Randomizing the KUSER_SHARED_DATA Structure on Windows
Opps, this post exists, but was actually published 4/5/2022. We're navigating you to the correct page now. If that doesn't work click the link below: Randomizing the KUSERSHAREDDATA Structure on Windows – Microsoft Security Response Center...
Randomizing the KUSER_SHARED_DATA Structure on Windows
Opps, this post exists, but was actually published 4/5/2022. Were navigating you to the correct page now. If that doesnt work click the link below: Randomizing the KUSERSHAREDDATA Structure on Windows – Microsoft Security Response Center...
アプリケーションおよびサービス プリンシパル API での Azure Active Directory (AD) keyCredential プロパティの情報漏えいに関するガイダンス
本ブログは、“Guidance for Azure Active Directory AD keyCredential property Information Disclosure in Application and Service Principal APIs” の抄訳版です。最新の情報は、原本...
“BadAlloc” – Memory allocation vulnerabilities could affect wide range of IoT and OT devices in industrial, medical, and enterprise networks
Microsoft’s Section 52, the Azure Defender for IoT security research group, recently uncovered a series of critical memory allocation vulnerabilities in IoT and OT devices that adversaries could exploit to bypass security controls in order to execute malicious code or cause a system crash. These...
MSRC Security Researcher Recognition: 2021
Wondering how to get into the 2021 MSRC Most Valuable Security Researcher list and get recognized during the Black Hat USA this August? Read on to learn more about the different paths you can take to get into the top researcher tiers. The MSRC Most Valuable Security Researcher MVR and MSRC...
Continuing to Listen: Good News about the Security Update Guide API!
Based on user feedback we have simplified programmatic access to the security update data by removing the authentication and API-Key requirements when using the CVRF API. You will no longer have to log in to obtain a personal API key to access the data. Were happy to make this valuable public...
セキュリティ更新プログラム リリース スケジュール (2021 年)
2021 年のセキュリティ更新プログラムの公開予定日は下記のとおりです。更新プログラムの評価、テスト、適用の...
安心・安全に利用するために : 基本のセキュリティ設定を確認しましょう (Windows 10)
昨今は、リモートワークのために、企業や組織で新たに持ち出し用デバイスを展開したり、あるいは、個人で所...
リモート環境における更新プログラム適用の考慮事項
マイクロソフトは通常通り、4 月の月例セキュリティ更新日 2020 年 4 月 15 日 日本時間 に、定例のセキュリティ更...
2020 年 2 月のセキュリティ更新プログラム (月例)
2020 年 2 月 12 日 日本時間、マイクロソフトは以下のソフトウェアのセキュリティ更新プログラムを公開しまし...
February 2020 security updates are available
We have released the February security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide...
Announcing MSRC 2019 Q4 Security Researcher Leaderboard
Following the first Security Researcher Quarterly Leaderboard we published in October 2019, we are excited to announce the MSRC Q4 2019 Security Researcher Leaderboard, which shows the top contributing researchers for the last quarter. In each quarterly leaderboard, we recognize the security...
Vulnerability hunting with Semmle QL: DOM XSS
In two previous blog posts part 1 and part 2, we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of...
セキュリティ更新プログラム リリース スケジュール (2020 年)
2019 年のリリース スケジュールは「セキュリティ更新プログラム リリース スケジュール 2019 年」をご覧ください。...
Acquiring a VHD to Investigate
In a previous post we described some of the differences between on-premises/physical forensics and cyber investigations and those performed in the cloud, and how this can make cloud forensics challenging. That blog post described a method of creating and maintaining a VM image which can be...
Why Rust for safe systems programming
In this series, we have explored the need for proactive measures to eliminate a class of vulnerabilities and walked through some examples of memory safety issues we’ve found in Microsoft code that could have been avoided with a different language. Now we’ll peek at why we think that Rust represen...
A proactive approach to more secure code
What if we could eliminate an entire class of vulnerabilities before they ever happened? Since 2004, the Microsoft Security Response Centre MSRC has triaged every reported Microsoft security vulnerability. From all that triage one astonishing fact sticks out: as Matt Miller discussed in his 2019...
Inside the MSRC – Customer-centric incident response
The Microsoft Security Response Center MSRC is an integral part of Microsoft’s Cyber Defense Operations Center CDOC that brings together security response experts from across the company to help protect, detect, and respond to threats in real-time. Staffed with dedicated teams 24×7, the CDOC has...
2019 年 6 月のセキュリティ更新プログラム (月例)
2019 年 6 月 12 日 日本時間、マイクロソフトは以下のソフトウェアのセキュリティ更新プログラムを公開しました。...
June 2019 security update release
Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found on the Security Update Guide...
BlueHat Shanghai 2019: Amplifying the power of defensive partnerships around the world
Earlier this week BlueHat Shanghai brought together security researchers and hundreds of cybersecurity professionals from China and across Asia to explore the latest topics in cybersecurity research. Including presentations from Qihoo 360, Baidu, Alibaba and the Chinese Academy of Sciences, BlueH...
Time travel debugging: It’s a blast! (from the past)
The Microsoft Security Response Center MSRC works to assess vulnerabilities that are externally reported to us as quickly as possible, but time can be lost if we have to confirm details of the repro steps or environment with the researcher to reproduce the vulnerability. Microsoft has made our...
Announcing the Microsoft Azure DevOps Bounty program
The Microsoft Security Response Center MSRC is pleased to announce the launch of the Azure DevOps Bounty program, a program dedicated to providing rock-solid security for our DevOps customers. Starting January 17, 2019, we’re excited to offer rewards up to US$20,000 for eligible vulnerabilities i...
September 2018 Security Update Release
Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. MSRC team...
2018 年 2 月のセキュリティ更新プログラム (月例)
更新履歴 2018/2/15 更新: ADV180005 の公開に関する情報を追記しました。 -------------------- 2018 年 2 月 14 日 日本時間、マイクロソフトは以下...
January 2018 security update release
Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend they turn on automatic updates as a best practice. More information about this...
Announcing the Windows Bounty Program
Windows 10 represents the best and newest in our strong commitment to security with world-class mitigations. One of Microsoft’s longstanding strategies toward improving software security involves investing in defensive technologies that make it difficult and costly for attackers to find, exploit...
Coming together to address Encapsulated PostScript (EPS) attacks
Today’s security updates include three updates that exemplify how the security ecosystem can come together to help protect consumers and enterprises. We would like to thank FireEye and ESET for working with us. Customers that have the latest security updates installed are protected against the...
May 2016 security update release
Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month’s security updates and advisories can be found in the Security...