Security News

Microsoft has issued an out-of-band non-security update to address an issue triggering SSL/TLS handshake failures on client and server platforms. "We address an issue that might affect some types of Secure Sockets Layer and Transport Layer Security connections. These connections might have handshake failures," Microsoft explains.

New research has disclosed what's being called a security vulnerability in Microsoft 365 that could be exploited to infer message contents due to the use of a broken cryptographic algorithm. Office 365 Message Encryption is a security mechanism used to send and receive encrypted email messages between users inside and outside an organization without revealing anything about the communications themselves.

Microsoft Office 365 Message Encryption claims to offer a way "To send and receive encrypted email messages between people inside and outside your organization." Office 365 Message Encryption relies on a strong cipher, AES, but WithSecure says that's irrelevant because ECB is weak and vulnerable to cryptanalysis regardless of the cipher used.

Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks. "This activity was not connected to any of the 94 currently active ransomware activity groups that Microsoft tracks. The Prestige ransomware had not been observed by Microsoft prior to this deployment," MSTIC added.

We're not quite sure what to call it right now, so we referred to it in the headline by the hybrid name Microsoft Office 365. The web-based versions of the Office tools don't have the same feature set as the full apps, so any results we might obtain are unlikely to align with how most business users of Office, ah, 365 have configured Word, Excel, Outlook and friends on their Windows laptops.

Microsoft has improved the Microsoft Edge efficiency mode feature in the latest stable release to increase battery life when the device is unplugged or on low battery. Efficiency mode is a cross-platform feature that works on Windows, macOS, and Linux, follows Battery Saver mode on Windows, turning on at 20% battery on macOS, and requires enabling on Linux devices since it's off by default.

WithSecure researchers are warning organizations of a security weakness in Microsoft Office 365 Message Encryption that could be exploited by attackers to obtain sensitive information. OME, which is used by organizations to send encrypted emails internally and externally, utilizes the Electronic Codebook implementation - a mode of operation known to leak certain structural information about messages.

Security researchers at WithSecure, previously F-Secure Business, found that it is possible to partially or fully infer the contents of encrypted messages sent through Microsoft Office 365 due to the use of a weak block cipher mode of operation. Organizations use Office 365 Message Encryption to send or receive emails, both external and internal, to ensure confidentiality of the content from destination to source.

Microsoft has begun to kill off the Microsoft Office brand, with plans to rebrand its Office.com and Office cloud-based apps to Microsoft 365 in the near future. In 2020, Microsoft rebranded Office 365 to Microsoft 365 and started to heavily push the subscription-based productivity suite to both the enterprise and consumers.

Microsoft has now made it possible to receive notifications about new security updates through a new RSS feed for the Security Update Guide. Typically, Microsoft discloses new vulnerabilities twice a month, the bulk being the monthly Patch Tuesday and when Microsoft fixes vulnerabilities in Microsoft Edge.