
April 2017 security update release

2017-04-12 KENNETH 0

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found on the Security Update Guide. MSRC team


Announcing the new Bug Bounty Program for Office Insider Builds on Windows

2017-03-16 KENNETH 0

We’ve engineered Office to be secure by design and continually invest in enhancing its security capabilities. In the spirit of maintaining a high security bar in Office, we’re launching the Bug Bounty Program for Office Insider Builds on Windows. The Office Bug Bounty Program complements our continuous internal engineering investments that include designing secure features through threat modeling, security in code reviews, security automation, and internal penetration testing. The Microsoft Cloud and Online Services Bounty Program has helped us identify elusive vulnerabilities and provided a way to reward the individuals actively partnering with us to protect our customers. We want to continue incentivizing research around design and logic and reward deeper thought in important areas of Office. Office Insider Builds give users early access to the latest Office [ more… ]


March 2017 security update release

2017-03-15 KENNETH 0

Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found on the Security Update Guide. Security bulletins were also published this month to give customers extra time to ensure they are ready to transition their processes. MSRC team


Office 365 security researchers: Double your bounties March-May 2017

2017-03-02 KENNETH 0

Microsoft strives to protect our customers and we’re constantly improving our security posture to meet their needs. We realize the desire of researchers and customers to security test our services to ensure they can trust us and our solutions. We also believe that if a researcher informs us of a security flaw in our Office 365 services, they should be awarded for protecting us. These discoveries along with our internal security testing efforts contribute to keeping our users safe. Keeping in line with our philosophy of protecting users and awarding researchers, we are pleased to announce an update to our Online Services bounty program. We will be giving out double rewards for security vulnerabilities from March 1, 2017 to May 1, 2017 for eligible vulnerabilities submitted in Exchange Online and Office [ more… ]


SHA-1 Collisions Research

2017-02-24 KENNETH 0

Today, a group of eight researchers from across the security industry released a research report on SHA-1 that demonstrates for the first time, a “hash collision” for the full SHA-1 hash algorithm (called “SHAttered”). This is a significant step toward understanding this type of security issue, a milestone in cryptanalysis that has been underway for the past decade. The report website also includes a tool co-authored by my colleague Dan Shumow (Senior Software Development Engineer, Security & Cryptography, Microsoft Research) that can be used to detect the presence of a collision in a file. SHA-1 is used in digital certificates (TLS) and code signing applications. By taking advantage of SHA-1, a potential attacker could spoof content, perform phishing attacks, or perform “man-in-the-middle” attacks. Anticipating a point in time when there would be capability to create a practical “collision,” [ more… ]