Security News

Security researchers have warned about an "Easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions. "A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said.

Two flaws in Microsoft software are under attack on systems that haven't been patched by admins. Redmond issued fixes for the vulnerabilities - one affecting Visual Studio and the other the Win32k subsystem - in April and May, but in separate reports this week, security researchers with Varonis Threat Labs and Numen Cyber warned that unpatched systems are already being exploited.

Microsoft announced today that users would also be able to communicate with Bing Chat, the AI-powered chat-based version of its Bing search engine, via voice commands. "We know many of you love using voice input for chat on Mobile. It's now also available on desktop by clicking on the microphone icon in the Bing Chat box," the Bing Team said.

Banking and financial services organizations are the targets of a new multi-stage adversary-in-the-middle phishing and business email compromise attack, Microsoft has revealed. "The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations," the tech giant disclosed in a Thursday report.

The Microsoft Azure Portal is down on the web as a threat actor known as Anonymous Sudan claims to be targeting the site with a DDoS attack. The group says it is conducting the DDoS attack against the Microsoft Azure portal and has shared an image of the page not working.

Microsoft is investigating an ongoing outage that is preventing OneDrive customers from accessing the cloud file hosting service worldwide, just as a threat actor known as 'Anonymous Sudan' claims to be DDoSing the service. "We're reviewing OneDrive telemetry that captures this impact scenario to determine the source of the service access failures and begin identifying a mitigation plan."

If enterprises are going to protect themselves in a threat environment that is constantly changing and evolving, they need a posture management strategy that not only takes in industry standards and best practices from vendors but also learns from recent attacks, according to Israel Cohen, senior product manager for Microsoft 365 Defender. The software giant is therefore adding a capability to Microsoft 365 Defender that automatically maps techniques that were used in attacks against an organization, and then recommends what security pros can do to bolster their security posture and prevent a similar attack.

Microsoft has agreed to pay a penalty of $20 million to settle U.S. Federal Trade Commission charges that the company illegally collected and retained the data of children who signed up to use its Xbox video game console without their parents' knowledge or consent. The privacy protections also extend to third-party gaming publishers with whom Microsoft shares children's data, and they subject biometric information and avatars created from children's faces to the privacy laws.

Along with paying the rather small fine, the FTC is also requiring the company to update its account creation process for children to prevent collection and storage of data, and extend those responsibilities to third-party publishers that Microsoft shares such data with. Xbox users trying to create an account weren't asked to involve a parent until after Microsoft collected all of that personally identifiable information.

Microsoft has agreed to pay a $20 million fine and change data privacy procedures for children to settle Federal Trade Commission charges over Children's Online Privacy Protection Act violations. COPPA is a U.S. federal law designed to protect the privacy of children under the age of 13 on the internet: when registering online accounts, it requires parental consent, the ability for parents to review and request deletion of the child's personal information, the ability to refuse data collection, security protections for the collected information, and more.