msrc

Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token

Monday, September 18, 2023

Summary As part of a recent Coordinated Vulnerability Disclosure (CVD) report from Wiz.io, Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account.

• Azure
• Security
• Security Researcher
• Coordinated Vulnerability Disclosure
• CVD

Results of Major Technical Investigations for Storm-0558 Key Acquisition

Wednesday, September 06, 2023

March 12, 2024 update As part of our continued commitment to transparency and trust outlined in Microsoft’s Secure Future Initiative, we are providing further information as it relates to our ongoing investigation. This new information does not change the customer guidance we previously shared, nor have our ongoing investigations revealed additional impact to Microsoft or our customers.

• Azure AD
• Identity
• Investigations

Microsoft Bug Bounty Program Year in Review: $13.8M in Rewards

Monday, August 07, 2023

We are thrilled to share the results of our collaboration with over 345 security researchers from +45 countries around the world in the past 12 months. Together, we have discovered and fixed more than a thousand potential security issues before they impacted our customers. In recognition of this valuable collaboration, we have awarded $13.

• Bounty
• Bug Bounty
• Bug Bounty Programs
• Community-based Defense
• CyberSecurity
• MSRC
• Researcher Recognition
• Security Research
• Security Researcher

Microsoft mitigates Power Platform Custom Code information disclosure vulnerability

Friday, August 04, 2023

Summary On 30 March 2023, Tenable informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a security issue concerning Power Platform Custom Connectors using Custom Code. This feature allows customers to write code for custom connectors. This issue has been fully addressed for all customers and no customer remediation action is required.

• Bug Bounty
• Exploit Mitigations
• Security Researcher
• Security Vulnerability

Updated Researcher Portal Submission Form: Discover the New Fields in the Submission Form

Thursday, July 20, 2023

Summary: We are excited to announce the release of the updated Researcher Portal submission form. These new fields allow Security Researchers to provide additional context for the reported security issue, providing product teams with more data for analysis, gain insights and identify trends across multiple reported security vulnerabilities. The additional fields are not mandatory fields to submit a report.

• Researcher Portal
• Security Researcher
• Security Research

What to expect when reporting vulnerabilities to Microsoft

Friday, July 14, 2023

At the Microsoft Security Response Center (MSRC), our mission is to protect our customers, communities, and Microsoft from current and emerging threats to security and privacy. One way we achieve this is by working with security researchers to identify and fix security vulnerabilities in our services and products that could pose a threat to our customers.

• Report Vulnerability
• Researcher Portal
• Security Research

Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email

Tuesday, July 11, 2023

UPDATE: Microsoft performed a comprehensive technical investigation into the acquisition of the Microsoft account consumer signing key, including how it was used to access enterprise email. Our technical investigation has concluded, and on September 6, 2023, we published our investigation findings. Microsoft has released threat analysis on Storm-0558 activity here. Microsoft additionally released additional defense-in-depth security fixes to help customers improve token validation in their custom applications.

Breaking Barriers: Aditi’s Journey Through Sight Loss to Microsoft AI Innovator

Wednesday, June 28, 2023

Facts about Aditi Shah: Tools she uses: Aditi’s main tool is JAWS, a screen reader from Freedom Scientific, which she touts as the best in the market. This tool has made her digital life more manageable, enabling her to perform almost any task independently. Aditi also uses Seeing AI, a Microsoft app that she uses for important life tasks, like reading her mail, providing descriptions of different products, identifying colors for her outfits, and more.

Potential Risk of Privilege Escalation in Azure AD Applications

Tuesday, June 20, 2023

Summary Microsoft has developed mitigations for an insecure anti-pattern used in Azure AD (AAD) applications highlighted by Descope, and reported to Microsoft, where use of the email claim from access tokens for authorization can lead to an escalation of privilege. An attacker can falsify the email claim in tokens issued to applications.

• Azure AD

Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) Attacks

Friday, June 16, 2023

Summary Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359. These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.