Security News

Microsoft has released the first Windows 11 "Nickel" preview build 22449 to Windows Insiders in the 'Dev' channel, allowing them to test out new unstable features that are still being developed. After announcing Windows 11's release date, Microsoft began emailing Windows Insiders in the 'Dev' channel warning them that they would soon be distributing unstable Windows 11 builds in this channel.

Microsoft has announced that Window Server 2022, a Long Term Servicing Channel release with ten years of support, is generally available starting today. While the general availability of Windows Server 2022 was just revealed, the new release was made available to customers via the Volume Licensing Service Center and began rolling out to mainstream users almost two weeks ago, as ZDNet reported.

Microsoft is kicking unsupported Windows 11 devices out of the Windows 11 preview program without warning, even though it said that wouldn't happen until the new Windows version was released. To show appreciation to their most loyal fans and supporters, Microsoft exempted Windows Insiders in the 'Dev' channel from these hardware requirements and allowed their unsupported devices to install and test Windows 11 until it was released.

Microsoft has announced today that it will start anonymizing user-level info by default Microsoft 365 Usage Analytics beginning with September 1, 2021. "At Microsoft, we're committed to both data-driven insights and user privacy," said James Bell, Senior Product Marketing Manager for Microsoft 365 Product Marketing & Growth Strategy.

Microsoft has announced the public preview launch of Visual Studio Code for the Web, a browser-based version of its free and cross-platform VS Code integrated development environment. "Announcing the preview of Visual Studio Code for the Web, a new web-based code editor that runs entirely in your browser and without backing compute," the company announced today.

Details have emerged about a now-patched security vulnerability impacting Microsoft Exchange Server that could be weaponized by an unauthenticated attacker to modify server configurations, thus leading to the disclosure of Personally Identifiable Information. The issue, tracked as CVE-2021-33766 and coined "ProxyToken," was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group, and reported through the Zero-Day Initiative program in March 2021.

Microsoft is warning of a widespread credential phishing campaign that leverages open redirector links in email communications as a vector to trick users into visiting malicious websites while effectively bypassing security software. "Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking," Microsoft 365 Defender Threat Intelligence Team said in a report published this week.

Microsoft Exchange uses two websites; one, the front end, is what users connect to in order to access email. "The front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx," according to a Monday posting on the bug from Trend Micro's Zero Day Initiative.

Technical details have emerged on a serious vulnerability in Microsoft Exchange Server dubbed ProxyToken that does not require authentication to access emails from a target account. An attacker can exploit the vulnerability by crafting a request to web services within the Exchange Control Panel application and steal messages from a victim's inbox.

Most of the time it's the first; it can be complicated to add security to a running system without affecting how everyone does their jobs-in some cases even the security team. It's a process the initial notification described as Microsoft taking responsibility for its role as a security service and acting "On your behalf to prevent your users from being compromised." As the process continues to roll out, one of the most obvious effects will be on security teams testing their systems and their staff.