What if you could eliminate a common class of vulnerabilities by changing the language you used? MSRC is publishing a series on why Microsoft is looking at @rustlang for memory-safe development and why we think you should too. See the first post here:
Microsoft is aware of an RCE vulnerability in the way that the SMBv3 protocol handles certain requests. If you wish to be notified when updates for this vulnerability are available, please follow the guidance in the advisory linked here:
July 2020 Security Update includes a fix for a wormable RCE vulnerability in Windows DNS Server affecting all versions of Windows server running the DNS Server role. This should be patched quickly. For more information, see:
To mitigate against various NTLM relay attacks, disable NTLM where not needed (e.g. on DCs) or implement the mitigation feature, Extended Protection for Authentication. Guidance at
MSRC has confirmed an active Linux worm leveraging the critical Remote Code Execution (RCE) vulnerability CVE-2019-10149 in Linux Exim email servers. We advise Azure customers to patch or restrict network access to VMs running affected versions. More info:
Microsoft’s Bug Bounty Programs awarded $13.7M to over 300 security researchers in the last 12 months. Thank you for all your hard work to help secure millions of customers. #bugbounty, #CommunityBasedDefense
Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure. Learn more ⬇️
Open call for SSRF enthusiasts! We’re excited to announce the launch of our three-month Azure SSRF Security Research Challenge with awards up to $60,000 USD! Ready, set, go! More information can be found on our blog:
Microsoft Bug Bounty Programs awarded $13.6M to 341 security researchers in the last 12 months. Thank you to everyone for your continued work to help secure millions of customers.
We've released an advisory to address the concerns around #BitLocker and the recently disclosed vulnerabilities in self-encrypting #SSDs. See to see how to turn on software encryption. You will not need to reformat the drive or reinstall applications.
Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates:
• 92% of worldwide Exchange IPs are now patched or mitigated.
• 43% improvement worldwide in the last week.
We’re excited to announce the Xbox Bounty Program, which awards up to $20,000 for vulnerabilities in the Xbox network space. Find out more information:
Microsoft has released a security advisory for “PrivExchange”, an elevation of privilege vulnerability in Microsoft Exchange Server and identified as CERT/CC VU #465632:
Today, we released several security updates for Microsoft Exchange Server to address vulnerabilities under limited, targeted attacks. We recommend customers apply these updates as quickly as possible. See: .
Calling all present and future bounty hunters! See our new blog post on improvements to the Microsoft vulnerability bounty program to increase some awards and pay bounties more quickly.
We are excited to announce higher Azure bounties and a new space for Azure research! The Azure Security Lab is a set of dedicated hosts that researchers can use to probe IaaS security without affecting customers. To find out more, see our blog.
We use PGP to sign security notifications and encourage you to use our key when sending vulnerability reports to secure@microsoft.com. We've just updated the MSRC PGP key; the most recent version is always here:
In our ongoing commitment to transparency, we will now issue CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or take other actions to protect themselves. Learn more in our blog post:
August 2019 Security Update includes fixes for wormable RCE vulnerabilities in Remote Desktop Services (RDS), affecting all in-support versions of Windows. These should be patched quickly. For more information, see
The May 2019 release includes updates for a critical vulnerability affecting the Remote Desktop Services service in older operating systems; we recommend customers install as soon as possible. More details here:
Congratulations to our MSRC 2021 Most Valuable Security Researchers! Thank you to all the researchers who have helped secure our customers. Check out our blog for the full list:
Microsoft Bug Bounty Programs awarded $13.8M to 345 security researchers from 45 countries across the globe in the past year. A huge thank you to all the security researchers who partnered with us to help protect millions of customers:
#bugbounty
We are pleased to announce that we will now publish root cause data for all Microsoft CVEs using the Common Weakness Enumeration (CWE) industry standard. This standard will facilitate more effective community discussions about finding and mitigating these weaknesses in existing
Next in our series on eliminating memory safety issues through safe systems programming, we answer the question some of you have asked: why are we talking about @rustlang? #rustlang
Providing alternative mitigation techniques to help Microsoft Exchange customers needing more time to patch deployments & are willing to make risk & service function trade-offs. These mitigations are not remediation & aren't full protection against attack.
Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing guidance to help reduce customer risk until the security update is released. See the link for more details.
Exciting news! 📣 We’re launching the Microsoft Defender Bounty Program, offering awards up to $20,000 for identifying vulnerabilities in our Defender products and services. Learn more in our blog post: #bugbounty
Reminder to all our Windows customers to deploy at least the August 2020 update or later and follow the original, published guidance to fully resolve the vulnerability, CVE-2020-1472. For further information, see our blog post:
If you've ever wondered how incident response works at Microsoft, we're running a series of posts to illustrate our SSIRP process. Our first entry is live now:
Wondering what it's like to learn Rust? Next in our series on safe systems programming, MSRC intern Alexander Clarke describes ramping up on #Rust and how it built on his previous programming experience.
We are excited to announce a new IoT-focused research program, the Azure Sphere Security Research Challenge, with awards up to $100,000 USD! Deadline to apply is May 15, check out the blog post for more information:
Looking for your next research challenge? We've got you covered! Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises are now part of the Microsoft Applications and On-Premises Servers Bounty Program!
Microsoft is launching the Dynamics 365 Bounty. We're awarding up to US$20,000 for eligible vulnerabilities in Dynamics 365 online services and the latest release of Dynamics 365 on-premises. See for more details.
In the next installment of our series on using Semmle QL for vulnerability hunting, @l4wio shows how to research DOM-based XSS by finding sources and sinks.
Congratulations to our MSRC 2023 Most Valuable Researchers! Thank you to all the researchers who have helped secure our customers. 👏🎉 Check out our blog for the full list:
This month's updates include CVE-2020-0601 affecting Windows 10. We have not seen it used in active attacks. Learn how this is one example of our partnership with researchers and industry to release quality security updates to help protect our customers.
We’re excited to announce bounty awards for Teams desktop client security research under the new Microsoft Applications Bounty Program with awards up to $30,000. Check out our blog for more details:
Congratulations to our MSRC 2022 Most Valuable Researchers! Thank you to all the researchers who have helped secure our customers. Check out our blog for the full list: #cybersecurity #securityresearch
We have a tool to help speed up security investigations! MSRC has made our "Time Travel Debugging" (TTD) tool publicly available to help security researchers provide full repro and potentially get higher bounties! See our blog for more details.
Next in our series on safe systems programming: three examples of vulnerabilities that a memory-safe systems language (like @rustlang) would have avoided. #rustlang
Today, we are expanding the Microsoft Researcher Recognition Program to recognize more security researchers who help protect our customers. For the first new quarterly leaderboard, check out our blog post: #securityresearch #cybersecurity
The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers by discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure.
Today, we are excited to recognize this year’s
@msftsecresponse is privileged to collaborate with some very talented people. For a recent example, see our blog on how we worked with @tiraniddo to address a bug class he identified, and how third-party driver developers can avoid it.
A security update addressing CVE-2019-0708 was released on May 14, 2019, but recent public reports indicate nearly one million computers are still vulnerable. Microsoft strongly advises that all affected systems should be updated as soon as possible.
Security Updates for February 2021 are now available! Details are here:
Important: Microsoft released Windows Updates for multiple TCP/IP vulnerabilities today. See this blog for more details about these issues:
Microsoft’s Cyber Defense Operations Center shares a strategy paper with insights into how we work to protect, detect, and respond to cybersecurity threats. Access the paper via our blog. #MSFTCyberSec, #CDOC, #cybersecurity, #MSCloud, #MSIT
Microsoft Bug Bounty Programs awarded $13.7M to 335 security researchers in the last year. A big thank you to everyone for your continued work to help secure millions of customers. #bugbounty #cybersecurity #securityresearch
It's that time of the year! We unveiled MSRC’s 2018-2019 Most Valuable Security Researchers at Black Hat USA this morning. If you cannot make it to the Microsoft booth, check out the list in our blog. Congratulations and thank you!
Congrats to @TalosSecurity, their researchers earned the first two General Scenario bounty awards in the Azure Sphere Security Research Challenge! Thanks for your help in securing the IoT. Keep up the great work!
Microsoft has published debugging symbols for many of the core components of Hyper-V! We invite you to take a look... and submit any vulnerability reports to secure@microsoft.com for bounty review.
Microsoft is monitoring escalating cyber activity in Ukraine & published analysis to give organizations the latest intelligence to guide investigations into potential attacks & info to implement proactive protections against future attempts. Read more at .
Today we’re excited to introduce MSRC Comms Hub, a new way for security researchers to collaborate with the Microsoft Security Response Center. See our blog post: for more details!
Reminder to our customers to deploy the latest security update & follow the published guidance to prepare for the Feb 9, 2021 Security Update that enforces Secure RPC for Netlogon secure channel connections (CVE-2020-1472). For further info, see our blog:
Microsoft is launching the Azure DevOps Bounty with rewards up to US$20,000 for eligible vulnerabilities in Azure DevOps online services and the latest release of Azure DevOps Server. Read more on our blog. #MSFTCyberSec, #bugbounty, #AzureDevOps
We're happy to announce a new bounty for identity services, with payouts ranging from $500 to $100,000. See our blog for more details and a link to the bounty terms. We're looking forward to seeing what you find.
#BlueHat is back! We are thrilled to announce () that the next @MSFTBlueHat conference will be Feb 8-9, 2023, on the Microsoft Campus in Redmond, WA. Call for Papers is now open at . More details to come!
More opportunities to earn bounty rewards for browser research with the new Microsoft Edge Insider Bounty! We’re awarding up to $30,000 for eligible vulnerabilities in Microsoft Edge based on Chromium. See
Microsoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation.