Microsoft News, Articles and Updates

Hey Cortana, how security dumb are 'intelligent' digital assistants?

Microsoft Windows' intelligent digital assistant, Cortana, enabled the execution of arbitrary commands with elevated privileges on a locked machine, so turn off Cortana interaction from the lock screen unless absolutely necessary.

Spectre variant 4 fix included in Microsoft Patch Tuesday rollout

Microsoft's June 2018 Patch Tuesday cumulative rollout for Windows 10 contains a mitigation for the fourth Spectre variant known as Speculative Store Bypass (CVE-2018-3639).

Microsoft's GitHub buy: is it good news for security?

Microsoft has announced a £5.6 billion deal to acquire software development platform GitHub, arguably the most visible open source resource online.

Banking RAT leverages Microsoft SQL Server database to target Brazilians

A newly discovered banking malware that's been actively targeting Brazilians behaves as a remote access trojan (RAT) and uses a Microsoft SQL Server database server as an unconventional command-and-control infrastructure.

PDF exploit built to combine zero-day Windows and Adobe Reader bugs

A privilege escalation vulnerability patched last week in Microsoft Windows and an Adobe Reader remote code execution bug fixed in a product update were both jointly targeted by a PDF-based zero-day exploit.

Patch Tuesday: Microsoft mends RCE bug exploited by cyber-espionage group

Microsoft Corporation's Patch Tuesday security update yesterday fixed 67 bugs, including two that have been actively exploited in zero-day attacks, and another two whose details became public.

Office 365 defences vulnerable to baseStriker malware

Microsoft's Office 365 has been found vulnerable to an attack methodology that enables malicious links to sneak past most of the product's cyber-security defences by splitting off the dangerous part of the link so it is not spotted.

Microsoft fixes critical RCE bug in hcsshim library

Last week Microsoft Corporation updated its Windows Host Compute Service Shim (hcsshim) library to correct a critical remote code execution bug caused by improper input validation when importing a container image.

NHS' new £150m Microsoft deal to upgrade all legacy systems to Windows 10

In November last year, six months after the WannaCry ransomware attack took place, the NHS entered into a landmark Custom Support Agreement with Microsoft.

Microsoft issues more Spectre updates

Microsoft has released two updates as part of the company's on-going effort to secure devices running Intel processors from the Spectre vulnerability.

RSA: Major tech companies band together to fight cyber-attacks

Possibly the second most ambitious crossover in history after Infinity War. Thirty-eight companies have signed an accord to develop long-term, wide-reaching cyber-security akin to a "Digital Geneva Convention."

Microsoft adds ransomware protection, recovery tools to Office 365

Microsoft has rolled out a series of new tools to protect its Office 365 Home and 365 Personal customers from a variety of cyber-threats, including ransomware.

Microsoft pushes update for critical RCE bug in Malware Protection Engine

Microsoft Corporation on Tuesday announced an emergency patch for a memory corruption vulnerability in its Microsoft Malware Protection Engine (MMPE) that remote attackers can exploit to execute arbitrary code.

Top security flaws move to Microsoft from Adobe

Hackers more likely to use cryptocurrency mining malware than an exploit kit, report says. Malware campaigns have shifted focus onto Microsoft and cryptocurrency mining rather than using flaws in Adobe Flash and exploit kits.

Microsoft remote assistance tool threat patched, danger remains

Microsoft has just patched a vulnerability in the primary tool the company uses to help provide remote assistance to its users, but until all devices are updated there is still some danger.

Microsoft launches $250,000 bug bounty for Spectre/Meltdown-like flaws

Microsoft has kicked off a bug bounty programme that could bring in between US$ 25,000 and US$ 250,000 (£17,800 to £178,000) to anyone able to find vulnerabilities similar to the now infamous Spectre and Meltdown.

Pwn2Own competition flushes out five Apple bugs, four Microsoft flaws

Independent researchers collected £190,000 in bug purchases this week at the annual Pwn2Own contest at CanSecWest in Vancouver.

Patch Tuesday: Microsoft patches Remote Desktop Protocol exploit

This month's Microsoft Patch Tuesday included more than 70 patches, 15 of which were marked as critical, and one of which addresses an authentication exploit in Microsoft Remote Desktop Protocol.

Microsoft partners with MK college to plan Institute of Tech Bletchley Park

On Wednesday 7 March Milton Keynes College in partnership with Microsoft held a bid event for the creation of the Institute of Digital Technology at Bletchley Park, home of the World War Two Codebreakers.

MS Word feature can be exploited to display videos that mine cryptocurrency

Malicious actors can abuse Microsoft Word's Online Video feature to deliver videos that secretly exhaust their viewers' computer processing power in order to mine cryptocurrencies, according to Israeli cyber-security firm Votiro.

Google divulges vulnerability in Microsoft Edge before patch is ready

Microsoft misses Project Zero disclosure deadline. Security researchers at Google's Project Zero have publicised a flaw in Microsoft Edge before a patch has been readied.

Reported vulnerabilities in Microsoft products more than doubled since 2013

The total number of reported vulnerabilities in Microsoft's software products, including those in the new Windows 10 operating system, rose over two-fold in the last four years and critical vulnerabilities rose by 60 percent.

Microsoft Patch Tuesday: Nearly 50 patches, most for privilege escalation

Microsoft patched nearly 50 vulnerabilities this month, including patches for an Adobe Flash Player zero-day vulnerability that was announced earlier this month.

Windows Installer service hacked to infect victims' systems with malware

Cyber-criminals are using a malware spam campaign to exploit a remote code execution vulnerability in Microsoft Office to download and execute malicious scripts on victims' systems.

New and old Windows vulnerabilities top AlienVault list

Adobe's Flash Player may gain a lot of negative headlines, but when it comes to the most frequently targeted software, Microsoft Office and Windows beat out the much-maligned Adobe software.

'Locky' ransomware exploits Windows DDE weakness

Microsoft has said it will continue to support and not remove DDE as an Office document feature despite its acting as a highly effective exploit method for cyber-criminals.

Microsoft halts Spectre/Meltdown patch roll out after AMD BSoD issues

Microsoft is having a different type of Patch Tuesday: instead of simply pushing out security updates, the company is dealing with several new issues surrounding the patches it released last week to mitigate Spectre/Meltdown issues.

Microsoft bug CVE-2017-11882 exploited to deliver Loki information stealer

Attackers continue to exploit a recently patched remote code execution vulnerability in the Microsoft Equation Editor component of Microsoft Office, using the bug to deliver a modified version of Loki information-stealing malware.

Loki Bot expands from Excel spreadsheet to attack other office applications

Security researchers have discovered a new attack vector launched through Microsoft Excel spreadsheets, and the Loki Bot has just recently expanded into other Office applications.

Microsoft launches privilege escalation attack on itself with Office 365

A flaw in the way Microsoft Azure Active Directory (AD) Connect configures the AD synchronisation account in Office 365 hybrid installations creates stealthy admins in the user group by default.