Congratulations to the Top MSRC 2021 Q4 Security Researchers!

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2021 Q4 Security Researcher Leaderboard are: rezer0dai (780 points), Callum Carney (750 points), and wtm (615 points)! In addition to our regular leaderboard, we …

Congratulations to the Top MSRC 2021 Q4 Security Researchers! Read More »

Expanding the Microsoft Researcher Recognition Program

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are expanding the program to recognize more security researchers in more ways for their contributions to protecting customers, and we published the first new leaderboard …

Expanding the Microsoft Researcher Recognition Program Read More »

An Armful of CHERIs

Today, Arm announced that the first silicon supporting the Morello prototype architecture, a research project led by Arm, Microsoft, University of Cambridge and others, is now available on a limited run of demonstration boards, which are being shipped from today to industry partners for testing. Morello is the first high-performance implementation of the CHERI extensions. …

An Armful of CHERIs Read More »

Coming Soon: New Security Update Guide Notification System

Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected. Based on your feedback we have been working to make signing up for and receiving Security Update Guide notifications easier. We are excited to share that starting today, you can …

Coming Soon: New Security Update Guide Notification System Read More »

Azure App Service Linux source repository exposure

MSRC was informed by Wiz.io, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an application configured to serve static content, makes it possible …

Azure App Service Linux source repository exposure Read More »

Researcher Spotlight: Dr. Nestori Syynimaa’s Constant Mission Protecting Identities

“When you find the things I find, they really matter. They affect everybody’s security.” Currently streaming: The Expanse and Lost in Space on Netflix Currently listening to: Amorphis, Architects, and Killswitch Engage Currently running: 130 kilometers (or ~80 miles) a month Currently playing: Floorball (a type of floor hockey with five players and a goalkeeper) …

Researcher Spotlight: Dr. Nestori Syynimaa’s Constant Mission Protecting Identities Read More »

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

Published on: 2021 Dec 11, updated 2022 Apr 6. SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the …

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 Read More »

Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs

Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property.The keyCredentials property is used to configure an …

Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs Read More »

BlueHat is Back!

After a short hiatus, BlueHat is coming back with a vengeance! And we’ve got big plans for the entire researcher community. But first, I must apologize. It’s been a while since you have heard from us. We didn’t have BlueHat 2020 or 2021, and we know that was disappointing. It was partly due to the …

BlueHat is Back! Read More »

We’re Excited to Announce the Launch of Comms Hub!

We are excited to announce the launch of Comms Hub to the Researcher Portal submission experience! With this launch, security researchers will be able to streamline communication with MSRC case SPMs (case managers), attach additional files, track case and bug bounty status all in the Researcher Portal. Summary – What is Comms Hub? Comms Hub …

We’re Excited to Announce the Launch of Comms Hub! Read More »