
Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)

2019-05-15 KENNETH 0

Today Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update [ more… ]


May 2019 Security Update Release

2019-05-15 KENNETH 0

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found on the Security Update Guide.

Source: May 2019 Security Update Release


April 2019 Security Update Release

2019-04-10 KENNETH 0

Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found on the Security Update Guide.

Source: April 2019 Security Update Release

Microsoft Bounty Program Updates: Faster bounty review, faster payments, and higher rewards

2019-04-03 KENNETH 0

In 2018, the Microsoft Bounty Program awarded over $2,000,000 to encourage and reward external security research in key technologies to protect our customers. Building on that success, we are excited to announce a number of improvements in our bounty programs to better serve the security research community.

Faster bounty review – As of January 2019, the Cloud, Windows, and Azure DevOps programs now award bounties upon completion of reproduction and assessment of each submission, rather than waiting until the final fix has been determined. Shortening the time from submission to award determination is just one way we will get bounty rewards to researchers faster.

Faster bounty payments, with more payment options – Once a vulnerability submission has successfully qualified for bounty award, we want to ensure payments happen [ more… ]


Join Microsoft Security Response at the Product Security Operations forum at LocoMocoSec!

2019-03-16 KENNETH 0

The MSRC is more than managing vulnerability reports, publishing Microsoft security updates, and defending the cloud. The MSRC is passionate about helping everyone improve internal engineering practices and supporting the defender community, and is excited to partner with Blackberry to host a Product Security Operations Forum at LocoMocoSec on April 18, 2019. Featuring exceptional speakers from across the industry, the Product Security Operations Forum will share what industry practitioners have learned about problems (and solutions!) of secure development and managing vulnerability response. We’ll have hands-on practitioners from npm, Adobe, Microsoft, GitHub, and elsewhere discussing the operational programs and processes they are using to tackle real-world challenges. Since no single person has all the answers, we also hope that everyone attending will take advantage of the event format to [ more… ]