Microsoft Security Response Center Blog Alerts

July 18, 2019

We Need a Safer Systems Programming Language

In our first post in this series, we discussed the need for proactively addressing memory safety issues. Tools and guidance are demonstrably not preventing this class of vulnerabilities; memory safety issues have represented almost the same proportion of vulnerabilities assigned a CVE for over a decade. We feel that using memory-safe languages will mitigate this …


July 17, 2019

Announcing the Microsoft Dynamics 365 Bounty program

One of Microsoft’s many security investments to protect customers is in the partnerships we build with the external security research community. We are excited to announce the launch of the Dynamics 365 Bounty program and welcome researchers to seek out and disclose any high impact vulnerabilities they may find in Dynamics 365. Rewards up to …


July 16, 2019

A proactive approach to more secure code

What if we could eliminate an entire class of vulnerabilities before they ever happened? Since 2004, the Microsoft Security Response Centre (MSRC) has triaged every reported Microsoft security vulnerability. From all that triage one astonishing fact sticks out: as Matt Miller discussed in his 2019 presentation at BlueHat IL, the majority of vulnerabilities fixed and …


July 10, 2019

July 2019 Security Updates (Monthly)

On July 10, 2019 (Japan time), Microsoft released security updates for the following software.

July 9, 2019

July 2019 Security Update Release

We have released the July security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide.

July 9, 2019

Notice: The Japan Security Team Blog Has Moved

The Japan Security Team blog has moved to a new platform and its address has changed. If you have the old address (https://blogs.technet.microsoft.com/jpsecurity/) bookmarked in your browser or registered in an RSS feed reader, please update it to the new address (https://aka.ms/jpsecurity).

July 2, 2019

Inside the MSRC – Building your own security incident response process

This is the third and last in a series of posts that looks at how Microsoft responds to elevated threats to customers through the Microsoft Security Response Center’s (MSRC) Software and Services Incident Response Plan (SSIRP). Our previous posts discussed how Microsoft protects customers against elevated threats and the anatomy of a SSIRP incident. In …


June 27, 2019

Inside the MSRC – Anatomy of a SSIRP incident

This is the second in a series of blog posts that shares how the MSRC responds to elevated threats to customers through the Software and Services Incident Response Plan (SSIRP). In our last blog post, we looked at the history of the Microsoft Security Response Center and SSIRP, and how Microsoft takes a holistic …


June 25, 2019

Inside the MSRC – Customer-centric incident response

The Microsoft Security Response Center (MSRC) is an integral part of Microsoft’s Cyber Defense Operations Center (CDOC) that brings together security response experts from across the company to help protect, detect, and respond to threats in real-time. Staffed with dedicated teams 24×7, the CDOC has direct access to thousands of security professionals, data scientists, and …


June 15, 2019

Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149)

This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Azure customers running VMs with Exim 4.92 are not affected by this vulnerability. 

Azure has controls in place to help limit the spread of this worm from work we’ve already done to combat SPAM, but customers using the vulnerable software would still be susceptible to infection. 

Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs. As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim. 

There is a partial mitigation for affected systems whose network traffic is filtered or blocked by Network Security Groups (NSGs). Systems protected this way are shielded from Internet-based ‘wormable’ malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker’s IP address is permitted through the Network Security Groups.

It is for these reasons that we strongly advise that all affected systems – irrespective of whether NSGs are filtering traffic or not – should be updated as soon as possible.   
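The NSG-based partial mitigation described above, as an added example that is not part of the original post or of any Microsoft tooling. It uses the Az PowerShell module to allow the mail ports only from trusted source ranges and to deny them from the Internet service tag; the resource names, the trusted prefix and the port list are placeholders to be replaced with your own values.

```powershell
# Added example, not from the MSRC post: restrict inbound SMTP to an Exim VM with an
# Azure Network Security Group (Az PowerShell module). Names, prefixes and ports are
# placeholders. This is the partial mitigation the post describes; the VM still needs
# the Exim 4.92 update, because permitted sources can still reach the vulnerable code.

function Set-EximInboundRestriction {
    param(
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [Parameter(Mandatory)] [string]   $NsgName,
        # Only these sources may reach the mail ports, e.g. an upstream relay's range.
        [Parameter(Mandatory)] [string[]] $TrustedSourcePrefixes,
        # Exim listens on TCP 25 by default (assumption); add 465/587 if exposed.
        [string[]] $MailPorts = @('25')
    )

    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName

    # Lower priority number wins: the allow rule for trusted sources is evaluated
    # before the deny rule that drops every other Internet source.
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name 'Allow-SMTP-From-Trusted' -Description 'Mail ports from trusted relays only' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix $TrustedSourcePrefixes -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $MailPorts

    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name 'Deny-SMTP-From-Internet' -Description 'Block untrusted Internet sources (CVE-2019-10149 mitigation)' `
        -Access Deny -Protocol Tcp -Direction Inbound -Priority 110 `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $MailPorts

    # Push the updated rule set to Azure and return the SMTP rules for review.
    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg |
        Select-Object -ExpandProperty SecurityRules |
        Where-Object { $_.Name -like '*SMTP*' } |
        Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
}

# Usage with placeholder values (replace with your own resource group, NSG and relay range):
# Set-EximInboundRestriction -ResourceGroupName 'rg-mail' -NsgName 'nsg-exim' -TrustedSourcePrefixes @('203.0.113.0/24')
```

The deny rule uses the `Internet` service tag rather than `*` so that traffic from inside the virtual network is left to the NSG's existing rules; review the returned rule list to confirm the allow rule sits at the lower priority number.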

Resources: 

Links to Azure Network Security Group Documentation 
Links to Update Management Solutions using Azure Automation
Links to Azure Security Best Practices and Patterns 

JR Aquino
Manager, Azure Incident Response
Microsoft Security Response Center (MSRC)


June 14, 2019

Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149)

This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91.  Microsoft Azure infrastructure and Services are not affected; only customer’s Linux IaaS instances running a vulnerable version of Exim are affected.  Azure customers running VMs with Exim 4.92 are not …


June 12, 2019

June 2019 Security Updates (Monthly)

On June 12, 2019 (Japan time), Microsoft released security updates for the following software.

June 11, 2019

June 2019 security update release

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.

More information about this month’s security updates can be found on the Security Update Guide.

May 31, 2019

BlueHat Shanghai 2019: Amplifying the power of defensive partnerships around the world

Earlier this week BlueHat Shanghai brought together security researchers and hundreds of cybersecurity professionals from China and across Asia to explore the latest topics in cybersecurity research. Including presentations from Qihoo 360, Baidu, Alibaba and the Chinese Academy of Sciences, BlueHat Shanghai highlighted incredibly talented Chinese researchers and focused on cutting-edge topics including container and IoT security.

In the conference kick off, Eric Doerr (General Manager, MSRC) shared how researchers in China have helped protect Microsoft customers over the last year by reporting high impact vulnerabilities under Coordinated Vulnerability Disclosure. Many of these researchers qualified for bounty awards as well; Chinese researchers dominate the Microsoft Edge bounty program, and report a substantial portion of submissions made to the Windows Insider Preview bounty program.  

Microsoft has long invested in security engineering and fortifying our products and services, while recognizing that partnerships with the worldwide research community play an important role in securing Microsoft customers and the broader ecosystem. Expanding our BlueHat events to China is just one example of how we’re working to build and strengthen these partnerships and recognize the contributions of our community members. We’re also continuing to improve our security response and management operations to make it easier and more rewarding to work with the MSRC. In addition to the recent launch of the MSRC submission portal and increased bounty awards, we’re pleased to give researchers more choices in how they receive their bounty awards with the addition of Bugcrowd to Microsoft’s bounty payment provider options.

Eric highlighted some of the emerging areas of technology that are getting quick adoption by Microsoft customers like AI, GitHub and Dynamics, and the need for researchers around the world to increase their focus on these and other emerging areas of technology to continue to keep the world safe.  As technology evolves, Microsoft’s security engineering practices keep pace to ensure our customers remain safe. And as we have done for two decades, we look forward to working with researchers around the world to tackle these new challenges.

Sylvie Liu & Jarek Stanley
Security Program Managers
Microsoft Security Response Center


BlueHat Shanghai brought together cybersecurity professionals from China and beyond!  

May 31, 2019

A Reminder to Update Your Systems to Prevent a Worm

On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. In our previous blog post on this topic we warned that the vulnerability is ‘wormable’, and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.  

Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed. 

It's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods. If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner. 

Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible. 

It is possible that we won’t see this vulnerability incorporated into malware. 

But that’s not the way to bet. 


EternalBlue Timeline

Almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began. Despite having nearly 60 days to patch their systems, many customers had not.

A significant number of these customers were infected by the ransomware.

March 14, 2017: Microsoft releases security bulletin MS17-010 which includes fixes for a set of SMBv1 vulnerabilities.

April 14, 2017: ShadowBrokers publicly releases a set of exploits, including a wormable exploit known as 'EternalBlue', that leverage these SMBv1 vulnerabilities.

May 12, 2017: The EternalBlue exploit is used in ransomware attacks known as WannaCry. Hundreds of thousands of vulnerable computers across the globe are infected.


Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows Vista, Windows 2003 and Windows XP  

Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC)  


May 30, 2019

Microsoft Launches a New Recognition Program for MAPP Partners

There are many dedicated people and organizations who contribute to the protection and security of our common customers. For years, Microsoft has recognized security researchers for helping protect the ecosystem. Now, we’re announcing the launch of a new program to better recognize and thank Microsoft Active Protections Program (MAPP) partners for all they do to protect our customers, including awards and evangelism based on their contributions.

MAPP provides better protections for customers through:

  • Early access to monthly security release information, allowing partners to proactively apply protections prior to the release date
  • Sharing of threat indicators
  • Reporting vulnerabilities in Microsoft products and following Coordinated Vulnerability Disclosure (CVD)

In the last six months, MAPP partners have provided 430 unique vulnerability reports and submitted nearly 158 million threat indicators. This data helps Microsoft harden the ecosystem and better protect customers. Many of our partners work closely with us, providing information and samples for critical incidents allowing us to release security updates prior to any broad exploitation.

Starting July 1, 2019, Microsoft will publicly recognize the great work being done by these partners and the significant contributions they make to securing customers. All partners will receive a perpetual plaque in recognition of their MAPP team membership. Then, each quarter, partners have an opportunity to receive a bronze, silver, or gold tab to attach to their plaque based on their contribution to program objectives, including submitting threat indicators, reporting vulnerabilities, and practicing CVD. During the annual Black Hat USA conference, we will also offer special recognition to the top ten contributors in the MAPP program.

In addition to this new recognition program, we will use our social media presence to publicly evangelize these partners. A list of all MAPP partners can be found at https://aka.ms/mapp.

Thank you to all our MAPP partners for all you do to help protect our customers and secure the broader ecosystem.

Al Brown
Senior Security Strategist
Microsoft Security Response Center

May 14, 2019

Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)

Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. 

Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows. 

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.  

Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705.

Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.  

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. 

It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.  
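A defender-side check for the two facts the post turns on, whether a host runs one of the affected Windows versions and whether NLA is required on its RDP listener, as an added example that is not part of the original post or of Microsoft's guidance. It uses the documented Win32_OperatingSystem and Win32_TSGeneralSetting WMI classes via Get-WmiObject so it runs on the PowerShell 2.0 that ships with Windows 7 and Server 2008; the function name, the version-to-product mapping and the advice strings are this example's own.

```powershell
# Added example, not from the MSRC post: report a host's exposure to CVE-2019-0708
# (affected OS version? NLA required on RDP-Tcp?) and optionally turn NLA on.
# NLA is only the partial mitigation the post describes: it blocks unauthenticated,
# wormable exploitation, while the security update remains the actual fix.
# Run from an elevated prompt on the host being checked.

function Get-Cve20190708Exposure {
    param(
        # Report-only by default; -EnableNla calls the documented
        # SetUserAuthenticationRequired method when NLA is off on an affected host.
        [switch]$EnableNla
    )

    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Kernel version to product mapping (assumption of this example):
    # 5.x = XP / Server 2003, 6.0 = Vista / Server 2008, 6.1 = Windows 7 / Server 2008 R2.
    # 6.2 and later (Windows 8, Windows 10 and their server releases) are unaffected per the post.
    $affected = ($os.Version -like '5.*') -or ($os.Version -like '6.0*') -or ($os.Version -like '6.1*')
    $outOfSupport = ($os.Version -like '5.*')

    # The RDP-Tcp listener's settings; UserAuthenticationRequired = 1 means NLA is on.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    $nla = if ($ts) { [bool]$ts.UserAuthenticationRequired } else { $false }

    if ($affected -and $ts -and -not $nla -and $EnableNla) {
        # Requires authentication before a session is created; existing sessions are kept.
        [void]$ts.SetUserAuthenticationRequired(1)
        $nla = $true
    }

    $advice = $(if (-not $affected) { 'Not affected by CVE-2019-0708' }
                elseif ($outOfSupport) { 'Apply KB4500705 or upgrade; NLA alone is not a fix' }
                else { 'Apply the May 2019 update from the Security Update Guide; NLA alone is not a fix' })

    New-Object PSObject -Property @{
        OperatingSystem = $os.Caption
        Version         = $os.Version
        AffectedByCve   = $affected
        NlaRequired     = $nla
        Advice          = $advice
    }
}

Get-Cve20190708Exposure | Format-List
```

Running it across a fleet (for example through remoting or a scheduled inventory job) gives the list of hosts that are both affected and exposed without NLA, which is the population to patch first; hosts that report NLA on are still on the patch list, only lower in it.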

Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP  

Simon Pope
Director of Incident Response
Microsoft Security Response Center (MSRC)

May 14, 2019

May 2019 Security Update Release

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.

More information about this month’s security updates can be found on the Security Update Guide.

April 9, 2019

April 2019 Security Update Release

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.

More information about this month’s security updates can be found on the Security Update Guide.

April 3, 2019

Microsoft Bounty Program Updates: Faster bounty review, faster payments, and higher rewards

In 2018 The Microsoft Bounty Program awarded over $2,000,000 to encourage and reward external security research in key technologies to protect our customers. Building on that success, we are excited to announce a number of improvements in our bounty programs to better serve the security research community.  

Faster bounty review – As of January 2019, the Cloud, Windows, and Azure DevOps programs now award bounties upon completion of reproduction and assessment of each submission, rather than waiting until the final fix has been determined. Shortening the time from submission to award determination is just one way we will get bounty rewards to researchers faster.    

Faster bounty payments, with more payment options – Once a vulnerability submission has successfully qualified for a bounty award, we want to ensure payments happen quickly. Microsoft is partnering with HackerOne for bounty payment processing and support to deliver bounty awards efficiently and with more options like PayPal, cryptocurrency, or direct bank transfer in more than 30 currencies. HackerOne also supports award splitting and charity donations. Additionally, Microsoft bounty awards processed through HackerOne will contribute to your overall reputation score on the HackerOne platform. To find out more about our new partnership with HackerOne, check out our FAQ page.

Vulnerability reports should still be sent to the Microsoft Security Response Center directly at secure@microsoft.com. Do not send reports of vulnerabilities in Microsoft products and services to HackerOne.
As we accelerate our bounty assessments and rewards, we ask that researchers continue to work with us to protect customers and follow Coordinated Vulnerability Disclosure guidelines. 

Increasing awards and scope – Microsoft is rewarding more for vulnerability reports in multiple bounty programs; in January 2019 we raised top award levels from $15K to $50K for the Windows Insider Preview bounty and from $15K to $20K for the Microsoft Cloud Bounty program which includes Azure, O365, and other online services.  We’ve also expanded the scope of the Cloud bounty and will continue to expand scope and rewards across our programs throughout the year. Check back regularly for new research areas and follow us on Twitter for bounty program announcements.   

New policy for duplicates – Historically, external reports of internally known vulnerabilities were rewarded 10% of the eligible bounty award as the report did not inform us of a new and previously unknown issue.  But understanding what external researchers are capable of discovering is valuable insight, and we want to reward researchers for their contributions whenever we can. Therefore, we have updated our policy on duplicate submissions. The first researcher to report a bounty-eligible vulnerability will receive the full eligible bounty award, even if it is internally known. There is no change to our policy regarding duplicate external reports of the same vulnerability. 

Microsoft is committed to enhancing our Bounty Programs and strengthening our partnership with the security research community, and I look forward to sharing more updates and improvements in the coming months. As always, if you ever have any questions or concerns about the process, you can reach us at msrclistens@microsoft.com. 


Happy Hacking!
Jarek Stanley, @JarekMSFT
Senior Program Manager
MSRC 


All Microsoft Bug Bounty Programs are subject to the terms and conditions outlined here. 

The Microsoft Security Response Center is part of the defender community and on the front line of security response evolution. For more than twenty years, we have been engaged with security researchers working to protect customers and the global online community. For more information, please visit our website at www.microsoft.com/msrc and follow our Twitter page at @msftsecresponse.