msrc

Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602)

Summary   Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services.  Any customer action that is required will be highlighted in this blog and our associated Security Update …

Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602) Read More »

Microsoft Mitigates Vulnerability in Jupyter Notebooks for Azure Cosmos DB

Summary Microsoft recently fixed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB (currently in preview) reported by Orca Security.  Customers not using Jupyter Notebooks (99.8% of Azure Cosmos DB customers do NOT use Jupyter notebooks) were not susceptible to this vulnerability. The bug was introduced on August 12th and fully patched worldwide …

Microsoft Mitigates Vulnerability in Jupyter Notebooks for Azure Cosmos DB Read More »

Congratulations to the Top MSRC 2022 Q3 Security Researchers!

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2022 Q3 Security Researcher Leaderboard are: Zhiyi Zhang, Yuki Chen, and Dang The Tuyen! Check out the full list of researchers …

Congratulations to the Top MSRC 2022 Q3 Security Researchers! Read More »

Investigation Regarding Misconfigured Microsoft Storage Location

October 28, 2022 update:Added a Customer FAQ section. Summary  Security researchers at SOCRadar informed Microsoft on September 24, 2022, of a misconfigured Microsoft endpoint. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning …

Investigation Regarding Misconfigured Microsoft Storage Location Read More »

Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk

Summary Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web …

Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk Read More »

Hunting for Cobalt Strike: Mining and plotting for fun and profit

Introduction Cobalt Strike is a commercial Command and Control framework built by Helpsystems. You can find out more about Cobalt Strike on the MITRE ATT&CK page. But it can also be used by real adversaries. In this post we describe how to use RiskIQ and other Microsoft technologies to see if you have Cobalt Strike …

Hunting for Cobalt Strike: Mining and plotting for fun and profit Read More »

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

November 8, 2022 update – Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. We recommend that customers protect their organizations by applying the updates immediately to affected systems. The options described in the Mitigations section are no longer recommended. For more information, review the Exchange Team blog. Summary On November 8 Microsoft released security updates …

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server Read More »

Defense-in-Depth Updates for Azure Identity libraries and Azure Key Vault libraries within Azure SDK plus Best Practice Implementation Guidance

Summary Today, Microsoft released new versions of the Azure Key Vault libraries and Azure Identity libraries as part of the Azure Software Development Kit (SDK) that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and services that allow externally controlled input into the Azure Key Vault client URI for …

Defense-in-Depth Updates for Azure Identity libraries and Azure Key Vault libraries within Azure SDK plus Best Practice Implementation Guidance Read More »

Vulnerability Fixed in Azure Synapse Spark

Summary: Microsoft takes a proactive approach to continually probe our defenses, hunt for vulnerabilities, and seek new, innovative ways to protect our customers. Security researchers are an important part of this effort, and our collaborative partnership is critical in a world where cybersecurity attacks continue to grow in number and sophistication.  We value the role …

Vulnerability Fixed in Azure Synapse Spark Read More »

Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards

The Microsoft Bug Bounty Programs and partnerships with the global security research community are important parts of Microsoft’s holistic approach to defending customers against security threats. Our bounty programs incentivize security research in high-impact areas to stay ahead of the ever-changing security landscapes, emerging technology, and new threats. Security Researchers help us secure millions of …

Microsoft Bug Bounty Programs Year in Review: $13.7M in Rewards Read More »