Microsoft Security Response Center Blog Alerts

May 14, 2019

Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)

Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. 

Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows. 

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.  

Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705.

Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.  

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. 

It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.  
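As an added defender-side check (not part of the MSRC post), the PowerShell script below reports where a single host stands on the three points the post makes: whether the OS is one of the affected versions, whether NLA is enabled as the partial mitigation, and whether the update is installed. It assumes the standard Terminal Services registry locations; the KB id for in-support systems is a placeholder to fill in from the Security Update Guide, since the post only names KB4500705 for the out-of-support packages.

```powershell
# Added example, not from the MSRC post: audit one host's exposure to CVE-2019-0708.
# KB4500705 is the out-of-support package named in the post; the in-support KB id is a
# placeholder that must be taken from the Security Update Guide for the OS in question.
param([string]$InSupportKb = 'KB-PLACEHOLDER-FROM-SECURITY-UPDATE-GUIDE')

# major.minor versions of the affected systems: XP 5.1, Server 2003 5.2,
# Server 2008 6.0, Windows 7 / Server 2008 R2 6.1. Windows 8 and 10 are not affected.
$affected = @{
    '5.1' = @{ Name = 'Windows XP';                 Kb = 'KB4500705' }
    '5.2' = @{ Name = 'Windows Server 2003';        Kb = 'KB4500705' }
    '6.0' = @{ Name = 'Windows Server 2008';        Kb = $InSupportKb }
    '6.1' = @{ Name = 'Windows 7 / Server 2008 R2'; Kb = $InSupportKb }
}

# Get-WmiObject instead of Get-CimInstance so this still runs on PowerShell 2.0,
# the newest version XP and Server 2003 can have installed.
$os  = Get-WmiObject Win32_OperatingSystem
$ver = ($os.Version -split '\.')[0..1] -join '.'
if (-not $affected.ContainsKey($ver)) {
    "$($os.Caption) ($($os.Version)) is not in the affected list for CVE-2019-0708."
    return
}
$entry = $affected[$ver]

# Terminal Services settings: fDenyTSConnections = 1 means RDP is disabled;
# UserAuthentication = 1 on the RDP-Tcp listener means NLA is required.
$ts         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
$listener   = Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue
$nla        = $listener.UserAuthentication -eq 1
$patched    = [bool](Get-HotFix -Id $entry.Kb -ErrorAction SilentlyContinue)

# Mirror the post's reasoning: the update is the fix; NLA only blocks unauthenticated
# (wormable) exploitation and does not protect against an attacker with valid credentials.
$status = if ($patched)             { 'Patched' }
          elseif (-not $rdpEnabled) { 'RDP disabled; still install the update' }
          elseif ($nla)             { 'Partially mitigated by NLA; update required' }
          else                      { 'EXPOSED: unauthenticated RCE possible' }

New-Object PSObject -Property @{
    Host = $env:COMPUTERNAME; OS = $entry.Name; RdpEnabled = $rdpEnabled
    NlaRequired = $nla; UpdateFound = $patched; Status = $status
}
```

Run it as an administrator on each host; the Status field ranks the host the way the post does, with NLA reported as a mitigation rather than a fix.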

Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP  

Simon Pope
Director of Incident Response
Microsoft Security Response Center (MSRC)

May 14, 2019

May 2019 Security Update Release

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.

More information about this month’s security updates can be found on the Security Update Guide.

April 9, 2019

April 2019 Security Update Release

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.

More information about this month’s security updates can be found on the Security Update Guide.

April 3, 2019

Microsoft Bounty Program Updates: Faster bounty review, faster payments, and higher rewards

In 2018 the Microsoft Bounty Program awarded over $2,000,000 to encourage and reward external security research in key technologies to protect our customers. Building on that success, we are excited to announce a number of improvements in our bounty programs to better serve the security research community.

Faster bounty review – As of January 2019, the Cloud, Windows, and Azure DevOps programs now award bounties upon completion of reproduction and assessment of each submission, rather than waiting until the final fix has been determined. Shortening the time from submission to award determination is just one way we will get bounty rewards to researchers faster.    

Faster bounty payments, with more payment options – Once a vulnerability submission has successfully qualified for a bounty award, we want to ensure payments happen quickly. Microsoft is partnering with HackerOne for bounty payment processing and support to deliver bounty awards efficiently and with more options like PayPal, cryptocurrency, or direct bank transfer in more than 30 currencies. HackerOne also supports award splitting and charity donations. Additionally, Microsoft bounty awards processed through HackerOne will contribute to your overall reputation score on the HackerOne platform. To find out more about our new partnership with HackerOne, check out our FAQ page.

Vulnerability reports should still be sent to the Microsoft Security Response Center directly at secure@microsoft.com. Do not send reports of vulnerabilities in Microsoft products and services to HackerOne.
As we accelerate our bounty assessments and rewards, we ask that researchers continue to work with us to protect customers and follow Coordinated Vulnerability Disclosure guidelines. 

Increasing awards and scope – Microsoft is rewarding more for vulnerability reports in multiple bounty programs; in January 2019 we raised top award levels from $15K to $50K for the Windows Insider Preview bounty and from $15K to $20K for the Microsoft Cloud Bounty program which includes Azure, O365, and other online services.  We’ve also expanded the scope of the Cloud bounty and will continue to expand scope and rewards across our programs throughout the year. Check back regularly for new research areas and follow us on Twitter for bounty program announcements.   

New policy for duplicates – Historically, external reports of internally known vulnerabilities were rewarded 10% of the eligible bounty award as the report did not inform us of a new and previously unknown issue.  But understanding what external researchers are capable of discovering is valuable insight, and we want to reward researchers for their contributions whenever we can. Therefore, we have updated our policy on duplicate submissions. The first researcher to report a bounty-eligible vulnerability will receive the full eligible bounty award, even if it is internally known. There is no change to our policy regarding duplicate external reports of the same vulnerability. 

Microsoft is committed to enhancing our Bounty Programs and strengthening our partnership with the security research community, and I look forward to sharing more updates and improvements in the coming months. As always, if you ever have any questions or concerns about the process, you can reach us at msrclistens@microsoft.com. 

 

Happy Hacking!
Jarek Stanley, @JarekMSFT
Senior Program Manager
MSRC 

  

All Microsoft Bug Bounty Programs are subject to the terms and conditions outlined here. 

The Microsoft Security Response Center is part of the defender community and on the front line of security response evolution. For more than twenty years, we have been engaged with security researchers working to protect customers and the global online community. For more information, please visit our website at www.microsoft.com/msrc and follow our Twitter page at @msftsecresponse. 

March 16, 2019

Join Microsoft Security Response at the Product Security Operations forum at LocoMocoSec!

The MSRC is more than managing vulnerability reports, publishing Microsoft security updates, and defending the cloud. The MSRC is passionate about helping everyone improve internal engineering practices and supporting the defender community, and are excited to partner with Blackberry to host a Product Security Operations Forum at LocoMocoSec on April 18, 2019.

Featuring exceptional speakers from across the industry, the Product Security Operations Forum will share what industry practitioners have learned about problems (and solutions!) of secure development and managing vulnerability response. We’ll have hands-on practitioners from npm, Adobe, Microsoft, GitHub, and elsewhere discussing the operational programs and processes they are using to tackle real-world challenges. Since no single person has all the answers, we also hope that everyone attending will take advantage of the event format to meet and share knowledge with each other about the approaches they’ve taken, and then continue the conversation at the luau event in the evening.

And if that’s not enough, LocoMocoSec has loads of other great content and workshops scheduled. Interested? The conference schedule is online and the advance purchase discount deadline is March 26.

We look forward to seeing you there!

 

Christa Anderson,

Senior Security Program Manager

MSRC

 


March 13, 2019

Call for Papers | Microsoft BlueHat Shanghai 2019

The Microsoft Security Response Center (MSRC) recently announced our first BlueHat security conference in Shanghai which will take place on May 29-30, 2019. After 15 years of BlueHat events in Redmond, Washington and Israel, we are thrilled to expand to a new location. We work with many talented security researchers throughout the Asia Pacific region to protect our shared online ecosystem, and we can’t wait to connect with them in person at BlueHat!

BlueHat Shanghai will provide a fun, accessible venue for security researchers to come together and share innovative cybersecurity research and ideas. If you are a security researcher or a security engineer, come join us! We are accepting CFP submissions through March 31, 2019. To submit a talk, please review the CFP information and complete the form via https://aka.ms/bhcfp.

Topics of interest include, but are not limited to:

  • Virtualization & Cloud-Based Research, Exploits, and Defense
  • New Exploit Techniques
  • Emerging Threats and Trends
  • Hardware and Firmware Security
  • Infrastructure and The Internet of Things (IoT) Security Research, Exploits, and Defense
  • Machine Learning and Security Analytics
  • Supply Chain Security
  • Malware Research

Speakers can choose to present in English or Mandarin. We will provide simultaneous interpretation and content translation during the conference. While BlueHat Shanghai presentations may be made in Mandarin or English, please submit to the CFP in English only.

If you are interested in attending and would like to get an invite, please complete the pre-registration form. You will receive a conference registration link in mid-April if your pre-registration is confirmed.

If you have any questions, please feel free to contact us at bluehat@microsoft.com.

Hope to see you in Shanghai soon!

 

The Microsoft Security Response Center (MSRC) recently announced that Microsoft's BlueHat security conference will be held for the first time in Shanghai, China, on May 29-30, 2019. Over the past fifteen years we have held many BlueHat security conferences at Microsoft's North American headquarters and in Israel. Many security experts in the Asia Pacific region have long worked with us to protect our shared cybersecurity ecosystem, so we decided to bring the conference to a new stop, and we look forward to meeting you in Shanghai!

BlueHat Shanghai is a security conference for white hats, security engineers and security practitioners in China and the Asia Pacific region, focused on vulnerability discovery, response and defense. We are honored to have this opportunity to bring you the most cutting-edge security topics and to create a chance for security experts to exchange ideas face to face.

Our call for speakers is now open, and we invite top security experts and white hats from the Asia Pacific region to take the stage and bring attendees the best and most cutting-edge research results. If you are interested in becoming one of our speakers, please submit your talk via https://aka.ms/bhcfp before March 31, 2019; for more information, see the CFP information page.

Main topic areas include (but are not limited to):

  • Virtualization and cloud security
  • New exploit techniques
  • Security threat trends
  • Hardware and firmware security
  • Information infrastructure and Internet of Things security
  • Machine learning and big data security analytics
  • Supply chain security
  • Malware research

During the conference, speakers may present in either Chinese or English; we will provide simultaneous Chinese-English interpretation. You only need to provide an English abstract for our program committee to review.

If you would like to attend BlueHat Shanghai, please submit the pre-registration form. If your pre-registration is approved by the organizing committee, we will email you the formal registration link in mid-April.

If you have any questions or are interested in speaking, please contact us at bluehat@microsoft.com.

We look forward to seeing you in Shanghai!

 

Regards,

Sylvie Liu, Security Program Manager

Microsoft Security Response Center (MSRC)

 


 

March 13, 2019

Practical advice for earning higher Microsoft bounty awards

This year at the Nullcon International Security Conference I shared practical advice for how security researchers can maximize the impact of their security vulnerability submissions and earn higher bounty awards under the Microsoft Bounty Program. For those who couldn’t be there, I had two core pieces of advice.

  • First, focus vulnerability research on the products and services that are eligible for bounty rewards. The eligible scope is published on our website. We expand our programs throughout the year, so check back regularly for new potential areas to research and follow us on Twitter for announcements of new bounty programs.
  • Second, when reporting security vulnerabilities, provide clear, concise information to help our engineering teams reproduce the vulnerability for themselves. Detailed and well written instructions, or even short videos can more than double the possible award amount for bounty eligible properties.

In addition to talking about vulnerability hunting in Microsoft’s bounty programs, we also want to help security researchers develop their skills. This year we sponsored more than 20 researchers to attend the conference, which included hands-on training and workshops on hardware and software security. With almost 2000 attendees from across India, Nullcon was a great place to connect with the security researcher community across the region and see excellent technical talks from James Forshaw, Jaya Baloo, and others. Thanks to Antriksh Shah and the team at Payatu for bringing everyone together for such a great event.

Thank you to everyone who I met at Nullcon and to those who attended my talk. For more details and some real-world examples of high quality and high reward submissions, check out my presentation slides here.

 

Happy Hacking!
Jarek Stanley, @JarekMSFT
Senior Program Manager
MSRC

 

All Microsoft Bug Bounty Programs are subject to the terms and conditions outlined here.


March 12, 2019

March 2019 Security Update Release

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.

More information about this month’s security updates can be found on the Security Update Guide.

February 12, 2019

February 2019 Security Update Release

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.

More information about this month’s security updates can be found on the Security Update Guide.