Microsoft Office to publish symbols starting August 2022

We are excited to announce that Microsoft Office will begin publishing Office symbols for Windows via the Microsoft Public Symbol Server on August 9th 2022. The publication of Office symbols is a part of our continuing investment to improve security and performance for customers and partners. Key Advantages for customers, partners, and Microsoft Security: Empowering …

Microsoft Office to publish symbols starting August 2022 Read More »

Anatomy of a Cloud-Service Security Update

Our security teams around the world focus on identifying and mitigating security issues as soon as possible while minimizing customer disruption. One of the challenges of a traditional security update is ensuring customers apply the protections promptly. We recently discussed the work that goes into these updates in The Anatomy of a Security update.  Cloud …

Anatomy of a Cloud-Service Security Update Read More »

Congratulations to the Top MSRC 2022 Q2 Security Researchers!

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2022 Q2 Security Researcher Leaderboard are: Yuki Chen, Zhiyi Zhang, and William Söderberg! Check out the full list of researchers recognized …

Congratulations to the Top MSRC 2022 Q2 Security Researchers! Read More »

Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability

Summary: Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022. Microsoft …

Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability Read More »

All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity

The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs …

All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity Read More »

Microsoft Mitigates Azure Site Recovery Vulnerabilities

Summary: Microsoft recently mitigated a set of vulnerabilities in Azure Site Recovery (ASR) and released fixes today, July 12, as part of our regular Update Tuesday cycle. These vulnerabilities affect all ASR on-premises customers using a VMware/Physical to Azure scenario and are fixed in the latest ASR 9.49 release. We recommend customers update to the …

Microsoft Mitigates Azure Site Recovery Vulnerabilities Read More »

Service Fabric Privilege Escalation from Containerized Workloads on Linux

Under Coordinated Vulnerability Disclosure (CVD), cloud-security vendor Palo Alto Networks informed Microsoft of an issue affecting Service Fabric (SF) Linux clusters (CVE-2022-30137). The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster. Though the bug exists on …

Service Fabric Privilege Escalation from Containerized Workloads on Linux Read More »

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible. Windows Version Link to KB article LInk to Catalog Windows 8.1, Windows Server 2012 R2 5015805 Download Windows …

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Read More »

An overview of account pre-hijacking attacks.

New Research Paper: Pre-hijacking Attacks on Web User Accounts

In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researcher Avinash Sudhodanan, investigated account pre-hijacking – a new class of …

New Research Paper: Pre-hijacking Attacks on Web User Accounts Read More »