Skip to main content
MSRC

msrc

BlueHat India Call for Papers is Now Open!

Monday, January 08, 2024

You asked for it and it’s finally here! The inaugural BlueHat India conference will be held May 16-17th, 2024, in Hyderabad, India! This intimate conference will bring together a unique blend of security researchers and responders, who come together as peers to exchange ideas, experiences, and learnings in the interest of creating a safer and more secure world for all.

Microsoft addresses App Installer abuse

Thursday, December 28, 2023

28 October 2024 Update Microsoft disabled the ms-appinstaller URI scheme handler by default in App Installer on 28 December 2023 as a security response to protect customers from attackers’ evolving techniques against previous safeguards for CVE-2021-43890. Microsoft is pleased to announce that we have introduced new safeguards to the ms-appinstaller URI scheme handler by default in version 1.

Reflecting on 20 years of Patch Tuesday

Friday, November 17, 2023

This year is a landmark moment for Microsoft as we observe the 20th anniversary of Patch Tuesday updates, an initiative that has become a cornerstone of the IT world’s approach to cybersecurity. Originating from the Trustworthy Computing memo by Bill Gates in 2002, our unwavering commitment to protecting customers continues to this day and is reflected in Microsoft’s Secure Future Initiative announced this month.

Microsoft guidance regarding credentials leaked to GitHub Actions Logs through Azure CLI

Tuesday, November 14, 2023

Summary The Microsoft Security Response Center (MSRC) was made aware of a vulnerability where Azure Command-Line Interface (CLI) could expose sensitive information, including credentials, through GitHub Actions logs. The researcher, from Palo Alto Networks Prisma Cloud, found that Azure CLI commands could be used to show sensitive data and output to Continuous Integration and Continuous Deployment (CI/CD) logs.

Introducing the Microsoft AI Bug Bounty Program featuring the AI-powered Bing experience

Thursday, October 12, 2023

Today at BlueHat we announced the new Microsoft AI bug bounty program with awards up to $15,000. This new bounty program features the AI-powered Bing experience as the first in scope product. The following products and integrations are eligible for bounty awards: AI-powered Bing experiences on bing.com in Browser (All major vendors are supported, including Bing Chat, Bing Chat for Enterprise, and Bing Image Creator) AI-powered Bing integration in Microsoft Edge (Windows), including Bing Chat for Enterprise AI-powered Bing integration in the Microsoft Start Application (iOS and Android) AI-powered Bing integration in the Skype Mobile Application (iOS and Android) Full details can be found on our bounty program website.

Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

Tuesday, October 10, 2023

Summary Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan.

Microsoft’s Response to Open-Source Vulnerabilities - CVE-2023-4863 and CVE-2023-5217

Monday, October 02, 2023

Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217. Through our investigation, we found that these affect a subset of our products and as of today, we have addressed them in our products as outlined below: CVE-2023-4863 Microsoft Edge Microsoft Teams for Desktop Skype for Desktop Webp Image Extensions (Released on Windows and updates through Microsoft Store) CVE-2023-5217

Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token

Monday, September 18, 2023

Summary As part of a recent Coordinated Vulnerability Disclosure (CVD) report from Wiz.io, Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account.

Results of Major Technical Investigations for Storm-0558 Key Acquisition

Wednesday, September 06, 2023

March 12, 2024 update As part of our continued commitment to transparency and trust outlined in Microsoft’s Secure Future Initiative, we are providing further information as it relates to our ongoing investigation. This new information does not change the customer guidance we previously shared, nor have our ongoing investigations revealed additional impact to Microsoft or our customers.