MSRC was informed by Wiz.io, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public.
Researcher Spotlight: Dr. Nestori Syynimaa’s Constant Mission Protecting Identities
“When you find the things I find, they really matter. They affect everybody’s security.”
Currently streaming : The Expanse and Lost in Space on Netflix
Currently listening to : Amorphis, Architects, and Killswitch Engage
Currently running : 130 kilometers (or ~80 miles) a month
Currently playing : Floorball (a type of floor hockey with five players and a goalkeeper)
[IT 管理者むけ] Active Directoryのセキュリティ強化への対応をご確認ください
2021 年 11 月以降のセキュリティ更新プログラムには、脆弱性を解決するために、Active Directory における 4 件のセ
Microsoft’s Response to CVE-2021-44228 Apache Log4j 2
Published on: 2021 Dec 11, updated 2022 Apr 6.
SUMMARY SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of our enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability.
CVE-2021-44228 Apache Log4j 2 に対するマイクロソフトの対応
本ブログは、Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 の抄訳版です。最新の情報は、元記事を参照してください。
アプリケーションおよびサービス プリンシパル API での Azure Active Directory (AD) keyCredential プロパティの情報漏えいに関するガイダンス
本ブログは、“Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs” の抄訳版です。最新の情報は、原本
Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs
Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentialsproperty of an Azure Active Directory (Azure AD) Applicationand/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property.
The keyCredentials property is used to configure an application’s authentication credentials.
BlueHat is Back!
After a short hiatus, BlueHat is coming back with a vengeance! And we’ve got big plans for the entire researcher community.
But first, I must apologize. It’s been a while since you have heard from us. We didn’t have BlueHat 2020 or 2021, and we know that was disappointing. It was partly due to the pandemic, where our priority was simply keeping everyone safe.