The first part of this series introduced Semmle QL, and how the Microsoft Security Response Center (MSRC) are using it to investigate variants of vulnerabilities reported to us. This post discusses an example of how we’ve been using it proactively, covering a security audit of an Azure firmware component.
This was part of a wider defense in depth security review of Azure services, exploring attack vectors from the point of view of a hypothetical adversary who has already penetrated at least one security boundary, and now sits in the operating environment of a service backend (marked with * on the diagram below).
Join Microsoft Security Response at the Product Security Operations forum at LocoMocoSec!
The MSRC is more than managing vulnerability reports, publishing Microsoft security updates, and defending the cloud. The MSRC is passionate about helping everyone improve internal engineering practices and supporting the defender community, and is excited to partner with BlackBerry to host a Product Security Operations Forum at LocoMocoSec on April 18, 2019.
Local privilege escalation via the Windows I/O Manager: a variant finding collaboration
The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services to help make our customers and the global online community more secure. We appreciate the excellent vulnerability research reported to us regularly from the security community, and we consider it a privilege to work with these researchers.
Call for Papers | Microsoft BlueHat Shanghai 2019
The Microsoft Security Response Center (MSRC) recently announced our first BlueHat security conference in Shanghai which will take place on May 29-30, 2019. After 15 years of BlueHat events in Redmond, Washington and Israel, we are thrilled to expand to a new location. We work with many talented security researchers
Practical advice for earning higher Microsoft bounty awards
This year at the Nullcon International Security Conference I shared practical advice for how security researchers can maximize the impact of their security vulnerability submissions and earn higher bounty awards under the Microsoft Bounty Program. For those who couldn’t be there, I had two core pieces of advice.
First, focus vulnerability research on the products and services that are eligible for bounty rewards.
March 2019 Security Update Release
Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.
More information about this month’s security updates can be found on the Security Update Guide.
Security Intelligence Report (SIR) Volume 24 Released
On February 28, 2019 (US time), Microsoft "Microsoft Security Intelligence Report (SIR) Volume 24
BlueHat Shanghai 2019 Call for Papers is Now Open!
We know security experts with diverse skills and experiences are found around the world. This year, the BlueHat Security Conference is coming to Shanghai!
BlueHat Shanghai 2019 will take place on May 29-30 at W Shanghai – The Bund. We want to provide a venue for security researchers to come together to learn and share information, innovations, best practices and actionable items, as well as to engage in a rich conversation about security.
February 2019 Security Update Release
Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates.
More information about this month’s security updates can be found on the Security Update Guide.