1366 matches found
October 2013 Security Bulletin Webcast, Q&A, and Slide Deck
Today we’re publishing the October 2013 Security Bulletin Webcast Questions & Answers page. We fielded 11 questions during the webcast, with specific bulletin questions focusing primarily on the SharePoint MS13-084 and Kernel-Mode Drivers MS13-081 bulletins. There was one additional question that...
Advance Notification Service for September 2013 Security Bulletin Release
In celebration of kids heading back to school, today we’re providing advance notification for the release of 14 bulletins, four Critical and 10 Important, for September 2013. The Critical updates address issues in Internet Explorer, Outlook, SharePoint and Windows. As always, we’ve scheduled the...
Announcing the 2013 MSRC Progress Report featuring MAPP expansions
Over the years, our customers have come to expect a certain regularity and transparency in both our security updates and the guidance that goes with them. One regular piece of communication about our work is a yearly progress report, which provides a look into the program updates and bulletin...
New Bounty Program Details
Today we announced the upcoming Mitigation Bypass Bounty, the BlueHat Bonus for Defense, and the Internet Explorer 11 Preview Bug Bounty program. It’s very exciting to finally take the wraps off of these initiatives and we are anticipating some great submissions from the security research...
How Brad Schlintz built a life of freedom and impact through security research
At Microsoft Security Response Center MSRC, we celebrate the diverse paths that bring researchers to our community. Brad Schlintz’s story is one of curiosity, resilience, and a relentless drive to learn, spanning rural beginnings, career pivots, and a life shaped by both technology and travel. In...
Weaponizing cross site scripting: When one bug isn’t enough
Cross-Site Scripting XSS is often underestimated as a minor vulnerability. In reality, XSS can open the door to more severe attacks when combined with other vulnerabilities...
Toward greater transparency: Introducing machine-readable Vulnerability Exploitability Xchange (VEX) for Azure Linux and beyond
Microsoft is now publishing standard attestations about third-party CVEs through the Vulnerability Exploitability eXchange VEX standard including vulnerabilities in embedded open-source software in Microsoft products and services and starting with the Azure Linux Distribution formerly CBL-Mariner...
Zero Day Quest 2025: $1.6 million awarded for vulnerability research
This month, the Microsoft Security Response Center recently welcomed some of the world’s most talented security researchers at Microsoft’s Zero Day Quest, the largest live hacking competition of its kind. The inaugural event challenged the security community to focus on the highest-impact securit...
Announcing the Microsoft Machine Learning Membership Inference Competition (MICO)
We’re excited to announce the launch of a new competition focusing on the security and privacy of machine learning ML systems. Machine learning has already become a key enabler in many products and services, and this trend is likely to continue. It is therefore critical to understand the security...
BlueHat 2023 Call for Papers is Now Open!
For nearly 20 years, BlueHat has been where the security research community, and Microsoft security professionals come together as peers, to share, debate, challenge, learn, and exchange ideas in the interest of creating a safer and more secure world for all. We are extremely excited to announce...
Defense-in-Depth Updates for Azure Identity libraries and Azure Key Vault libraries within Azure SDK plus Best Practice Implementation Guidance
Summary Summary Today, Microsoft released new versions of the Azure Key Vault libraries and Azure Identity libraries as part of the Azure Software Development Kit SDK that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and...
好奇心旺盛、革新的、創造的、コミュニティ主導型:Cyb3rWard0g、ロベルトロドリケスに会う
本ブログは、Curious, Innovative, Creative, Community Driven: Meet Cyb3rWard0g, Roberto Rodriquez の抄訳版です。最新の情報は原文を参照してください。 大きく...
Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards
The Microsoft Bug Bounty Programs and partnerships with the global security research community are important parts of Microsoft’s holistic approach to defending customers against security threats. Our bounty programs incentivize security research in high-impact areas to stay ahead of the...
Security Update Guide Notification System News: Create your profile now
Sharing information through the Security Update Guide SUG is an important part of our ongoing effort to help customers manage security risks and keep systems protected. In January 2022 we introduced Phase One of a new way for customers to receive email notifications about new Microsoft product...
Microsoft Office to publish symbols starting August 2022
We are excited to announce that Microsoft Office will begin publishing Office symbols for Windows via the Microsoft Public Symbol Server on August 9th 2022. The publication of Office symbols is a part of our continuing investment to improve security and performance for customers and partners. Key...
Anatomy of a Cloud-Service Security Update
Our security teams around the world focus on identifying and mitigating security issues as soon as possible while minimizing customer disruption. One of the challenges of a traditional security update is ensuring customers apply the protections promptly. We recently discussed the work that goes...
セキュリティ更新プログラムのアナトミー
本ブログは、Anatomy of a Security Update の抄訳版です。最新の情報は原文を参照してください。 マイクロソフト セ...
オンプレミスサーバー製品追加! アプリケーションとオンプレミス サーバーのバグ報奨金プログラムの紹介
本ブログは、On-Premises Servers Products are Here! Introducing the Applications and On-Premises Servers Bug Bounty Program の抄訳版です。最新の情報は原文を参照して...
Researcher Spotlight: Cyber Viking Nate Warfield is Here to Help
“There are few jobs where I can say, I make two billion people more secure on the internet every single day.” Childhood Look: Goth kid, all in black Current Look: Cyber Viking Childhood hobby: Head banging to Metallica, Marilyn Manson, and Guns N’ Roses Current hobby: n0x08 DJ’s Live events aroun...
An Armful of CHERIs
Today, Arm announced that the first silicon supporting the Morello prototype architecture, a research project led by Arm, Microsoft, University of Cambridge and others, is now available on a limited run of demonstration boards, which are being shipped from today to industry partners for testing...
Introducing Bounty Awards for Teams Mobile Applications Security Research
We are pleased to announce the addition of Microsoft Teams mobile applications to the Microsoft Applications Bounty Program. Through the expanded program we welcome researchers from across the globe to seek out and disclose any high impact security vulnerabilities they may find in Teams mobile...
Investigating and Mitigating Malicious Drivers
The security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access to environments across a wide range of vectors. As the industry moves closer to the adoption of a Zero Trust security posture with broad and layered defenses, we remain committed to...
New Nobelium activity
The Microsoft Threat Intelligence Center is tracking new activity from the NOBELIUM threat actor. Our investigation into the methods and tactics being used continues, but we have seen password spray and brute-force attacks and want to share some details to help our customers and communities prote...
New and Improved Report Abuse Portal and API!
The Report Abuse CERT Portal and Report Abuse API have played a significant role in MSRC’s response to suspected cyberattacks, privacy issues, and abuse originating from Microsoft Online Services. With the contributions from our wonderful community of reporters, we continue to gain insightful...
Security Update Guide Supports CVEs Assigned by Industry Partners
Hi Folks, This month we are introducing a new data element for each CVE in the Security Update Guide, called Assigning CNA. First let me back up a bit and give some information about the CVE program. The purpose of a CVE is to uniquely identify a cybersecurity vulnerability. The CVE program was...
Nobelium Resource Center - updated March 4, 2021
UPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary...
Customer Guidance on Recent Nation-State Cyber Attacks
Note: we are updating as the investigation continues. Revision history listed at the bottom. This post contains technical details about the methods of the actor we believe was involved in Recent Nation-State Cyber Attacks, with the goal to enable the broader security community to hunt for activit...
2020 年 12 月のセキュリティ更新プログラム (月例)
2020 年 12 月 9 日 日本時間、マイクロソフトは以下のソフトウェアのセキュリティ更新プログラムを公開しまし...
Vulnerability Descriptions in the New Version of the Security Update Guide
With the launch of the new version of the Security Update Guide, Microsoft is demonstrating its commitment to industry standards by describing the vulnerabilities with the Common Vulnerability Scoring System CVSS. This is a precise method that describes the vulnerability with attributes such as t...
2020 年 9 月のセキュリティ更新プログラム (月例)
2020 年 9 月 9 日 日本時間、マイクロソフトは以下のソフトウェアのセキュリティ更新情報を公開しました。 Microsoft...
より安全な TLS 設定を利用しましょう
データを暗号化し安全にやり取りを行う Transport Layer Security TLS。本ブログでも、過去に何度かお知らせしてきたよう...
Solving Uninitialized Kernel Pool Memory on Windows
This blog post outlines the work that Microsoft is doing to eliminate uninitialized kernel pool memory vulnerabilities from Windows and why we’re on this path. For a background on why uninitialized memory matters and what options have been used in the past to tackle this issue, please see our...
Announcing the Xbox Bounty program
We are pleased to announce the launch of the Xbox Bounty program today. The Xbox bounty program invites gamers, security researchers, and technologists around the world to help identify security vulnerabilities in the Xbox network and services, and share them with the Microsoft Xbox team through...
January 2020 security updates are available!
We have released the January security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. As a reminder,...
Customer Guidance for the Dopplepaymer Ransomware
Microsoft has been investigating recent attacks by malicious actors using the Dopplepaymerransomware. There is misleading information circulating about Microsoft Teams, along with references to RDP BlueKeep, as ways in which this malware spreads. Our security research teams have investigated and...
BlueHat Seattle videos are online!
Were you unable to attend BlueHat Seattle, or wanted to see a session again? We have good news. If you have been waiting for the videos from BlueHat Seattle last month, the wait is over. All videos which the presenter authorized to be recorded are now online and available to anyone...
November 2019 security updates are available!
We have released the November security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. As a reminder,...
November 2019 security updates are available!
We have released the November security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. As a reminder,...
Welcome to the second stage of BlueHat!
We’ve finished two incredible days of security trainings at the Living Computer Museum in Seattle. Now it’s time for the second part of BlueHat: the briefings at ShowBox SoDo. We’ve got a big day planned, so head on down. Please join us for breakfast we have doughnuts! and bacon! and cereal!...
MSRC is going to ROOTCON!
The Microsoft Security Response Center MSRC works with partners all over the world to protect Microsoft customers. This week we’re headed to the Philippines to meet security researchers and bounty hunters at ROOTCON 13! Planning on attending ROOTCON? If you want to learn more about how you can ea...
Announcing the Microsoft Edge Insider Bounty
This week, we released the first Beta preview of the next version of Microsoft Edge. Alongside this, Microsoft is excited to announce the launch of the Microsoft Edge Insider Bounty Program. We welcome researchers to seek out and disclose any high impact vulnerabilities they may find in the next...
Announcing 2019 MSRC Most Valuable Security Researchers
Earlier today we announced MSRC’s 2018-2019 Most Valuable Security Researchers at Black Hat. The following 75 researchers hail from all corners of the world and possess varied experience and skills, yet all of them have contributed to securing the Microsoft’s customers and the broader ecosystem...
Azure Security Lab: a new space for Azure research and collaboration
Azure is exceptionally secure. To help keep it that way, we are doubling the top bounty reward for Azure vulnerabilities to $40,000. But we aren’t stopping there. To make it easier for security researchers to confidently and aggressively test Azure, we are inviting a select group of talented...
Corporate IoT - a path to intrusion
Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide. IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight. Such devices still must be identifiable,...
2019 年 6 月のセキュリティ更新プログラム (月例)
2019 年 6 月 12 日 日本時間、マイクロソフトは以下のソフトウェアのセキュリティ更新プログラムを公開しまし...
2019 年 4 月のセキュリティ更新プログラム (月例)
2019 年 4 月 10 日 日本時間、マイクロソフトは以下のソフトウェアのセキュリティ更新プログラムを公開しまし...
Microsoft Bounty Program Updates: Faster bounty review, faster payments, and higher rewards
In 2018 The Microsoft Bounty Program awarded over $2,000,000 to encourage and reward external security research in key technologies to protect our customers. Building on that success, we are excited to announce a number of improvements in our bounty programs to better serve the security research...
Vulnerability hunting with Semmle QL, part 2
The first part of this series introduced Semmle QL, and how the Microsoft Security Response Center MSRC are using it to investigate variants of vulnerabilities reported to us. This post discusses an example of how we’ve been using it proactively, covering a security audit of an Azure firmware...
Inside MSRC: Sharing Our Story & Customer Tips
For the last 20 years, the Microsoft Security Response Center has been an integral part of Microsoft’s commitment to customer security. We are often called on to talk about the work we do and how customers can apply the lessons we have learned over that period to better their security posture...
August 2018 Security Update Release
Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found on the Security Update Guide. MSRC team...