1366 matches found
Update (2/10) - Advance Notification Service for February 2014 Security Bulletin Release
Update as of February 10, 2014 We are adding two updates to the February release. There will be Critical-rated updates for Internet Explorer and VBScript in addition to the previously announced updates scheduled for release on February 11, 2014. These updates have completed testing and will be...
Antimalware Support for Windows XP and the January 2014 Security Bulletin Webcast and Q&A
Today we’re publishing the January 2014 Security Bulletin Webcast Questions & Answers page. We answered 16 questions in total, with the majority of questions focusing on the Dynamics AX bulletin MS14-004, the update for Microsoft Word MS14-001 and the re-release of the Windows 7 and Windows Serve...
Security Advisory 2868725: Recommendation to disable RC4
In light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations. Microsoft recommends TLS1.2 with AES-GCM as a more secur...
Software Defense: mitigating heap corruption vulnerabilities
Heap corruption vulnerabilities are the most common type of vulnerability that Microsoft addresses through security updates today. These vulnerabilities typically occur as a result of programming mistakes that make it possible to write beyond the bounds of a heap buffer a spatial issue or to plac...
Assessing risk for the October 2013 security updates
Today we released eight security bulletins addressing 25 CVE’s. Four bulletins have a maximum severity rating of Critical while the other four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your...
The October 2013 security updates
This month we release eight bulletins – four Critical and four Important - which address 25 unique CVEs in Microsoft Windows, Internet Explorer, SharePoint, .NET Framework, Office, and Silverlight. For those who need to prioritize their deployment planning, we recommend focusing on MS13-080,...
An update on the bounty programs
Back in June of this year, we announced three new bounty programs that will pay researchers for techniques that bypass built-in OS mitigations and protections, for defenses that stop those bypasses and for vulnerabilities in Internet Explorer 11 Preview. This past Friday, we provided some...
Bounty News Update: Bountiful Harvest
Fall is a season traditionally associated with a harvest after planting the seeds and tending the crops. Today I’m proud to announce the names of six very smart people who have helped us make our products more secure by participating in our new bounty programs. When we launched our bounty program...
August 2013 Security Bulletin Webcast, Q&A, and Slide Deck
Today we’re publishing the August 2013 Security Bulletin Webcast Questions & Answers page. We fielded 13 questions on various topics during the webcast, with specific bulletin questions focusing primarily on Exchange Server MS13-061 and Windows Kernel MS13-063. There were 3 additional questions...
The story of MS13-002: How incorrectly casting fat pointers can make your code explode
C++ supports developers in object-orientated programming and removes from the developer the responsibility of dealing with many object-oriented programming OOP paradigm problems. But these problems do not magically disappear. Rather it is the compiler that aims to provide a solution to many of th...
Assessing risk for the July 2013 security updates
Today we released seven security bulletins addressing 34 CVE’s. Six bulletins have a maximum severity rating of Critical, and one has a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulleti...
A new policy for store apps and the July 2013 security updates
There are those I’ve met who think my life is something akin to the classic comedy Groundhog Day. No, I don’t wake up to the musical stylings of Sonny and Cher each morning, but month after month after month, the second Tuesday rolls around and I’m involved in releasing security updates...
New Bounty Programs – One Week In
Two weeks ago, Microsoft made an important evolutionary step in our work with the security community when we announced our first-ever bounty programs for security issues. One week ago, the Windows 8.1 Preview and Internet Explorer 11 Preview became available for download, and the doors officially...
June 2013 Security Bulletin Webcast, Q&A, and Slide Deck
Today we’re publishing the June 2013 Security Bulletin Webcast Questions & Answers page. We fielded three questions during the webcast, with specific questions focusing primarily on Windows Print Spooler MS13-050, Microsoft Office MS13-051, and the security advisory addressing digital certificate...
MS13-051: Get Out of My Office!
MS13-051 addresses a security vulnerability in Microsoft Office 2003 and Office for Mac. Newer versions of Microsoft Office for Windows are not affected by this vulnerability, but the newest version of Office for Mac 2011 is affected. We have seen this vulnerability exploited in targeted 0day...
A note on this month's Patch Tuesday
Each Patch Tuesday looks a little different. Some months are quieter, others are larger. This month's release sits on the larger side of a hotpatch month, and we expect releases to continue trending larger for some time. Every update reflects investments we have made across the development...
Strengthening secure software at global scale: How MSRC is evolving with AI
Cybersecurity has always been a race between defenders and attackers, constrained by human time, attention, and scale. What is changing now is the level of capability available to apply security fundamentals with far greater reach and speed...
Evolving our approach to coordinated security research: In scope by default
Today at Black Hat Europe, I raised our commitment to customer security through our partnerships with the security research community...
INTERN(al) MSRC variant hunting: From multi-tenant authorization to Model Context Protocol
When security researchers submit a vulnerability report to MSRC, the Vulnerabilities and Mitigations V&M team reviews it, reproduces the issue, and determines severity. The team reviews all submissions from internal and external security researchers...
postMessaged and Compromised
At Microsoft, securing the ecosystem means more than just fixing bugs—it means proactively hunting for variant classes, identifying systemic weaknesses, and working across teams to protect customers before attackers ever get the chance. This blog highlights one such effort: a deep dive into the...
Microsoft Bounty Program year in review: $17 million in rewards
We’re thrilled to share that this year, the Microsoft Bounty Program has distributed $17 million to 344 security researchers from 59 countries, the highest total bounty awarded in the program’s history. In close collaboration with the Microsoft Security Response Center MSRC, these security...
Congratulations to the Top MSRC 2025 Q1 Security Researchers!
Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2025 Q1 Security Researcher Leaderboard are 0x140ce,...
Jailbreaking is (mostly) simpler than you think
Content warning: This blog post contains discussions of sensitive topics. These subjects may be distressing or triggering for some readers. Reader discretion is advised. Today, we are sharing insights on a simple, optimization-free jailbreak method called Context Compliance Attack CCA, that has...
Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access
Summary Azure provides developers and security operations staff a wide array of configurable security options to meet organizational needs. Throughout the software development lifecycle, it is important for customers to understand the shared responsibility model, as well as be familiar with vario...
First steps in CHERIoT Security Research
At Microsoft, we invest a lot of time researching and investigating possibilities in our journey to memory safety. Because the massive majority of existing codebases are written in unsafe programming languages, the task of protecting legacy code is very important. Hardware solutions are an...
BlueHat 2023: Applications to Attend NOW OPEN!
We are excited to announce that applications to attend BlueHat 2023 are now open We are excited to announce that applications to attend BlueHat 2023 are now open BlueHat 2023 will be the 20th version of the BlueHat conference and will once again be on the Microsoft campus in Redmond, WA, USA, fro...
Microsoft Mitigates Vulnerability in Jupyter Notebooks for Azure Cosmos DB
Summary Microsoft recently fixed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB currently in preview reported by Orca Security. Customers not using Jupyter Notebooks 99.8% of Azure Cosmos DB customers do NOT use Jupyter notebooks were not susceptible to this...
Microsoft Exchange サーバーのゼロデイ脆弱性報告に関するお客様向けガイダンス
本ブログは、Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Serverの抄訳版です。最新の情報は原文を参照してくだ...
2022 年 8 月のセキュリティ更新プログラム (月例)
2022 年 8 月 9 日(米国時間)、マイクロソフトは、マイクロソフト製品に影響する脆弱性を修正するために、セキ...
Congratulations to the Top MSRC 2022 Q2 Security Researchers!
Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2022 Q2 Security Researcher Leaderboard are: Yuki Chen...
A Man of Action: Meet Callum Carney
Hidden Talents : He was a competitive swimmer for many years. Instrument of Choice : His fingers were made for the keyboard, but he used to play the trumpet. 5 pieces of entertainment for the rest of his life : The Office, World War Z, The Matrix, Breaking Bad, The Thick of It...
Anatomy of a Security Update
The Microsoft Security Response Center is part of the defender community and on the front line of security response for our customers and the company. Our mission is to protect customers and Microsoft from current and emerging threats related to security and privacy. We monitor threats and provid...
Congratulations and New Swag Awards for the Top MSRC 2022 Q1 Security Researchers!
Today, we are excited to recognize this quarter’s Microsoft Researcher Recognition Program leaderboard and share new swag awards and improvements to the leaderboard. Congratulations and thank you to everyone for your hard work and continued partnership to secure customers. The top three researche...
Expanding High Impact Scenario Awards for Microsoft Bug Bounty Programs
We are excited to announce the addition of scenario-based bounty awards to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program. Through these new scenario-based bounty awards, we encourage researchers to focus their research on vulnerabilities that have the highest potentia...
ウクライナにおけるサイバー脅威アクティビティ: 分析とリソース
本ブログは、Cyber threat activity in Ukraine: analysis and resources – Microsoft Security Response Center の抄訳版です。最新の情報は原文を参照してください。 2022 年...
Coming Soon: New Security Update Guide Notification System
Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected. Based on your feedback we have been working to make signing up for and receiving Security Update Guide notifications easier. We are...
Coming Soon: New Security Update Guide Notification System
Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected. Based on your feedback we have been working to make signing up for and receiving Security Update Guide notifications easier. We are...
Azure App Service Linux source repository exposure
MSRC was informed by Wiz.io, a cloud security vendor, under Coordinated Vulnerability Disclosure CVD of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an...
セキュリティ更新プログラム リリース スケジュール (2022 年)
2022 年のセキュリティ更新プログラムの公開予定日は下記のとおりです。更新プログラムの評価、テスト、適用の...
New High Impact Scenarios and Awards for the Azure Bounty Program
Microsoft is excited to announce new Azure Bounty Program awards up to $60,000 to encourage and reward vulnerability research focused on the highest potential impact to customer security. These increased awards are a part of our ongoing investment in partnership with the security research...
Power Platform is Here! Introducing the Dynamics 365 and Power Platform Bug Bounty Program
Microsoft is excited to announce the addition of Power Platform to the newly rebranded Dynamics 365 and Power Platform Bounty Program. Through this expanded program, we encourage researchers to discover and report high impact security vulnerabilities they may find in the new Power Platform scope ...
Congratulations to the MSRC 2021 Most Valuable Security Researchers!
The MSRC Researcher Recognition Program offers public thanks and acknowledgement to the researchers who help protect customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s Most Valuable Security...
Security Update Validation Program (SUVP) に関するよくあるお問い合わせ
本記事は「Security Update Validation Program: the early bird tests the worm」の日本語抄訳です。 Security Update Validation Program SUVP、セキュリテ...
2021 年 7 月のセキュリティ更新プログラム (月例)
2021 年 7 月 14 日 日本時間、マイクロソフトは以下のソフトウェアのセキュリティ更新プログラムを公開しまし...
On-Premises Exchange Server Vulnerabilities Resource Center - updated March 25, 2021
On March 2nd, we released several security updates for Microsoft Exchange Server to address vulnerabilities that are being used in ongoing attacks. Due to the critical nature of these vulnerabilities, we recommend that customers protect their organizations by applying the patches immediately to...
MSRC Security Researcher Recognition: 2021
Wondering how to get into the 2021 MSRC Most Valuable Security Researcher list and get recognized during the Black Hat USA this August? Read on to learn more about the different paths you can take to get into the top researcher tiers. The MSRC Most Valuable Security Researcher MVR and MSRC...
2021 年 2 月のセキュリティ更新プログラム (月例)
2021 年 2 月 10 日 日本時間、マイクロソフトは以下のソフトウェアのセキュリティ更新プログラムを公開しまし...
Top MSRC 2020 Q4 Security Researchers – Congratulations!
We’re excited to announce the top contributing researchers for the 2020 Fourth Quarter Q4! Congratulations to all of the researchers who made this quarter’s leaderboard and a huge thank you to everyone who continues to help secure our customers and the ecosystem. The top three researchers of the...
Microsoft Internal Solorigate Investigation Update
As we said in our recent blog, we believe the Solorigate incident is an opportunity to work together in important ways, to share information, strengthen defenses and respond to attacks. Like other SolarWinds customers, we have been actively looking for indicators of the Solorigate actor and want ...
Nobelium Resource Center - updated March 4, 2021
UPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary...