1366 matches found
Cryptographic Improvements in Microsoft Windows
You might remember that in June 2013 we released Security Advisory 2854544 announcing additional options for enterprise customers to manage their digital certificate handling configuration on the Windows platform. The particular functionality announced in Security Advisory 2854544 was first built...
Attention Bounty Hunters – The Ramp Up to Black Hat
We’re three weeks into our new world of bounties for Microsoft products now, and as the clock ticks down on one program, we’re prepping for some live excitement with one of the others. First, the Internet Explorer 11 Preview Bounty is entering its final 10 days; the bounty period for that program...
July 2013 Security Bulletin Webcast, Q&A, and Slide Deck
Today we’re publishing the July 2013 Security Bulletin Webcast Questions & Answers page. During the webcast, we fielded 10 questions covering all updates. All questions are included on the Q&A page. We invite our customers to join us for the next scheduled webcast on Wednesday, August 14th at 11...
Filling A Gap In the Vulnerability Market – First Bounty Notification
When Microsoft decided to offer not one but three new bounties, paying outside researchers directly for security research on some of our latest products, we put a lot of thought into developing those bounty programs. We developed a customized set of programs designed to create a win-win between t...
Running in the wild, not for so long
Over the weekend we received a report from our partners about a possible unpatched Internet Explorer vulnerability being exploited in the wild. The exploit code uses a memory corruption bug triggered from a webpage but it deeply leverages a Flash SWF file in order to achieve reliable exploitation...
Improved cryptography infrastructure and the June 2013 bulletins
It was just over one year ago, May 28, 2012, to be exact, that I transitioned from running active MSRC cases and writing bulletins to my current role managing software security incidents. A lot has changed in that year- and I’ve dealt with some interesting issues during my tenure - but our goal o...
Advanced Notification Service for the June 2013 Security Bulletin Release
Today we’re providing Advance Notification of five bulletins for release on Tuesday, June 11, 2013. This release brings one Critical- and four Important-class bulletins. The Critical-rated bulletin addresses issues in Internet Explorer, and the Important-rated bulletins address issues in Microsof...
The research never stops: Zhiniang Peng’s security research story
Some security researchers discover hacking early. Others discover it accidentally. For Zhiniang Peng, it started with curiosity and cybersecurity magazines...
How Asem Eleraky went from a shared family PC to finding critical vulnerabilities
In the world of vulnerability research, origin stories are rarely linear. For Asem Eleraky, the path to becoming a Microsoft MVR began not in a SOC lab or a university classroom, but with a single family PC and a short daily window to explore his growing interest in cybersecurity...
Fixing the script: Journey to reduce XSS exposure
Cross‑site scripting XSS remains one of the most frequently reported web vulnerabilities—not because developers are unaware of it, but because many deployed mitigations address symptoms rather than root causes. Across vulnerability reports and incident response investigations, both within Microso...
Scaling Dynamic Application Security Testing (DAST)
Introduction Microsoft engineering teams use the Security Development Lifecycle to ensure our products are built in alignment with Microsoft’s Secure Future Initiative security principles: Secure by Design, Secure by Default, and Secure Operations. A key component of the Security Development...
Announcing The BlueHat Podcast: Listen and Subscribe Now!
Available today on all major podcast platforms is The BlueHat Podcast, a new series of security research focused conversations, continuing the themes from the BlueHat 2023 conference session recordings available to watch here. Since 2005, BlueHat has been where the security research community, an...
Congratulations to the Top MSRC 2022 Q4 Security Researchers!
Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2022 Q4 Security Researcher Leaderboard are:...
Security Update Guide Improvement – Representing Hotpatch Updates
Today we are updating the way Microsoft Security Update Guide SUG represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates. Hotpatching was introduced a year ago as a new way to install updates on supported Windows Server Azure Edition...
Reflecting on Cybersecurity Awareness Month: At its Core, Cybersecurity is all about People
As Cybersecurity Awareness Month 2022 comes to a close, I’m grateful for the impact it has had in bringing cybersecurity to the forefront since it began in 2004. Though the month may be over, our work in cybersecurity is never done. Often, we think about cybersecurity as a complex technology...
Investigation Regarding Misconfigured Microsoft Storage Location
October 28, 2022 update: Added a Customer FAQ section. Summary Security researchers at SOCRadar informed Microsoft on September 24, 2022, of a misconfigured Microsoft endpoint. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data correspondi...
Microsoft Mitigates Azure Site Recovery Vulnerabilities
Summary Microsoft recently mitigated a set of vulnerabilities in Azure Site Recovery ASR and released fixes today, July 12, as part of our regular Update Tuesday cycle. These vulnerabilities affect all ASR on-premises customers using a VMware/Physical to Azure scenario and are fixed in the latest...
A Man of Action: Meet Callum Carney
Hidden Talents : He was a competitive swimmer for many years. Instrument of Choice : His fingers were made for the keyboard, but he used to play the trumpet. 5 pieces of entertainment for the rest of his life : The Office, World War Z, The Matrix, Breaking Bad, The Thick of It...
New Research Paper: Pre-hijacking Attacks on Web User Accounts
In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researche...
On-Premises Servers Products are Here! Introducing the Applications and On-Premises Servers Bug Bounty Program
Microsoft is excited to announce the addition of Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises to the Applications and On-Premises Servers Bounty Program. Through this expanded program, we encourage researchers to discover and report high-impact security...
Disclosure of Vulnerability in Azure Automation Managed Identity Tokens
On December 10, 2021, Microsoft mitigated a vulnerability in the Azure Automation service. Azure Automation accounts that used Managed Identitiestokens for authorization and an Azure Sandbox for job runtime and execution were exposed. Microsoft has not detected evidence of misuse of tokens...
Cyber threat activity in Ukraine: analysis and resources
UPDATE 27 Apr 2022: See Updated malware details and Microsoft security product detections below as discussed in the Special Report: Ukraine. UPDATE 02 MAR 2022: See Updated malware details and Microsoft security product detections below for additional insights and protections specific to the...
An Armful of CHERIs
Today, Arm announced that the first silicon supporting the Morello prototype architecture, a research project led by Arm, Microsoft, University of Cambridge and others, is now available on a limited run of demonstration boards, which are being shipped from today to industry partners for testing...
Azure App Service Linux source repository exposure
MSRC was informed by Wiz.io, a cloud security vendor, under Coordinated Vulnerability Disclosure CVD of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an...
We’re Excited to Announce the Launch of Comms Hub!
We are excited to announce the launch of Comms Hub to the Researcher Portal submission experience! With this launch, security researchers will be able to streamline communication with MSRC case SPMs case managers, attach additional files, track case and bug bounty status all in the Researcher...
2021 年 10 月のセキュリティ更新プログラム (月例)
2021 年 10 月 13 日 日本時間、マイクロソフトは、マイクロソフト製品に影響する脆弱性を修正するために、セキ...
Coordinated disclosure of vulnerability in Azure Container Instances Service
Microsoft recently mitigated a vulnerability reported by a security researcher in the Azure Container Instances ACI that could potentially allow a user to access other customers’ information in the ACI service. Our investigation surfaced no unauthorized access to customer data. Out of an abundanc...
Announcing the Top MSRC 2021 Q2 Security Researchers - Congratulations!
We’re excited to announce the top contributing researchers for the 2021 Second Quarter Q2! Congratulations to all the researchers recognized in this quarter’s leaderboard and thank you to everyone who continues to help secure our customers and the...
Microsoft Bug Bounty Programs Year in Review: $13.6M in Rewards
Partnering with the security research community is an important part of Microsoft’s holistic approach to defending against security threats. Bug bounty programs are one part of this partnership. By discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure...
New Nobelium activity
The Microsoft Threat Intelligence Center is tracking new activity from the NOBELIUM threat actor. Our investigation into the methods and tactics being used continues, but we have seen password spray and brute-force attacks and want to share some details to help our customers and communities prote...
Introducing Bounty Awards for Teams Desktop Client Security Research
Partnering with the security research community is an important part of Microsoft’s holistic approach to defending against security threats. As much of the world has shifted to working from home in the last year, Microsoft Teams has enabled people to stay connected, organized, and collaborate...
サイバーセキュリティ月間期間の取り組みのおさらい
3 月 18 日に今年のサイバーセキュリティ月間が終わりました。この期間中、日本セキュリティチームは、Mic...
オンプレミス Exchange 緩和ツール (ワンクリックの緩和ツール)
「One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021」の日本語抄訳です。 最近のオンプレミスの Exchange Server を狙った攻撃に...
Microsoft Exchange Server Vulnerabilities Mitigations - updated March 15, 2021
Update March 15, 2021: If you have not yet patched, and have not applied the mitigations referenced below, a one-click tool, the Exchange On-premises Mitigation Tool is now our recommended path to mitigate until you can patch. Microsoft previously blogged our strong recommendation that customers...
A new experience for reporting copyright or trademark infringement on Microsoft Services
The Notice of Copyright or Trademark Infringement Portal has helped protect Microsoft's users and customers from intellectual property infringement across online services like Microsoft Azure, Office, Outlook, Skype, Stream, Microsoft News, Sway, Hotmail, NuGet, and Yammer. Microsoft's response t...
Exchange Server のセキュリティ更新プログラムの公開 (定例外)
2021 年 3 月 3 日 日本時間、マイクロソフトは限定的な標的型攻撃に使われた Exchange の脆弱性に対するセキュリティ...
Microsoft Internal Solorigate Investigation - Final Update
We believe the Solorigate incident is an opportunity to work with the community, to share information, strengthen defenses and respond to attacks. We have now completed our internal investigation into the activity of the actor and want to share our findings, which confirm that we found no evidenc...
Security Update Guide Supports CVEs Assigned by Industry Partners
Hi Folks, This month we are introducing a new data element for each CVE in the Security Update Guide, called Assigning CNA. First let me back up a bit and give some information about the CVE program. The purpose of a CVE is to uniquely identify a cybersecurity vulnerability. The CVE program was...
Nobelium Resource Center - updated March 4, 2021
UPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary...
Security Update Guide: Let's keep the conversation going
Hi Folks, We want to continue to highlight changes we’ve made to our Security Update Guide. We have received a lot of feedback, much of which has been very positive. We acknowledge there have been some stability problems and we are actively working through reports of older browsers not being able...
2020 年 11 月のセキュリティ更新プログラム (月例)
2020 年 11 月 11 日 日本時間、マイクロソフトは以下のソフトウェアのセキュリティ更新プログラムを公開しまし...
Announcing the Top MSRC 2020 Q3 Security Researchers
Following the MSRC’s 2020 Most Valuable Security Researchers announced during this year’s Black Hat, we’re excited to announce the top contributing researchers for the 2020 Third Quarter Q3! The top three researchers of the 2020 Q3...
Concluding the Azure Sphere Security Research Challenge, Microsoft Awards $374,300 to Global Security Research Community
The Azure Sphere Security Research Challenge brought together 70 researchers from 21 countries to help secure Azure Sphere customers and expand Microsoft’s partnerships with the global IoT security research community. During the three-month Azure Sphere Security Research Challenge, researchers...
Congratulations to the MSRC’s 2020 Most Valuable Security Researchers
Today we announce our Most Valuable Security Researchers for 2020! The MSRC Researcher Recognition program is an integral aspect of recognizing the ongoing partnerships with our community of talented security researchers who report through Coordinated Vulnerability Disclosure CVD. These...
Black Hat 2020: See you in the Cloud!
It hardly feels like summer without the annual trip to Las Vegas for Black Hat USA. With this year’s event being totally cloud based, we won’t have the chance to catch up with security researchers, industry partners, and customers in person, an opportunity we look forward to every year. We’ll sti...
Black Hat 2020: See you in the Cloud!
It hardly feels like summer without the annual trip to Las Vegas for Black Hat USA. With this year’s event being totally cloud based, we won’t have the chance to catch up with security researchers, industry partners, and customers in person, an opportunity we look forward to every year. We’ll sti...
Security Update Validation Program (SUVP) のご紹介
本記事は、What is the Security Update Validation Program? の日本語抄訳です。 Security Update Validation Program は、マイクロソフトが毎月第二火曜 米国時間...
Solving Uninitialized Kernel Pool Memory on Windows
This blog post outlines the work that Microsoft is doing to eliminate uninitialized kernel pool memory vulnerabilities from Windows and why we’re on this path. For a background on why uninitialized memory matters and what options have been used in the past to tackle this issue, please see our...
February 2020 security updates are available
We have released the February security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide...
Access Misconfiguration for Customer Support Database
Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics. While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be...