Security News

August 2023 Patch Tuesday is here; among the 76 CVE-numbered issues fixed by Microsoft this time around is a DoS vulnerability in. There is a Microsoft Office "Defense in Depth Update" available that, according to Microsoft, stops the attack chain leading to CVE-2023-36884, a Windows Search RCE vulnerability that has been previously exploited by Russian hackers in targeted attacks.

Today is Microsoft's August 2023 Patch Tuesday, with security updates for 87 flaws, including two actively exploited and twenty-three remote code execution vulnerabilities. This month's Patch Tuesday fixes two zero-day vulnerabilities, with both exploited in attacks and one of them publicly disclosed.

Qualys report looks at how misconfiguration issues on cloud service providers help attackers gain access. Cloud misconfiguration - incorrect control settings applied to both hardware and software elements in the cloud - are threat vectors that amplify the risk of data breaches.

A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key.

Microsoft has explained why it seemingly took its time to fix a flaw reported to it by infosec intelligence vendor Tenable. On July 10, Tenable again contacted Microsoft to reports its findings on what it regarded as a dangerously incomplete fix.

Microsoft has accidentally revealed an internal 'StagingTool' utility that can be used to enable hidden features, or Moments, in Windows 11. As first discovered by Windows sleuth XenoPanther, Microsoft has a utility for enabling hidden development features in Windows 11 called 'StagingTool'.

Microsoft on Friday disclosed that it has addressed a critical security flaw impacting Power Platform, but not before it came under criticism for its failure to swiftly act on it. "The vulnerability could lead to unauthorized access to Custom Code functions used for Power Platform custom connectors," the tech giant said.

Microsoft fixed a security flaw in the Power Platform Custom Connectors feature that let unauthenticated attackers access cross-tenant applications and Azure customers' sensitive data after being called "Grossly irresponsible" by Tenable's CEO. The root cause of the issue stemmed from inadequate access control measures for Azure Function hosts launched by connectors within the Power Platform. "It should be noted that this is not exclusively an issue of information disclosure, as being able to access and interact with the unsecured Function hosts, and trigger behavior defined by custom connector code, could have further impact," says cybersecurity firm Tenable which discovered the flaw and reported it on March 30th. "However, because of the nature of the service, the impact would vary for each individual connector, and would be difficult to quantify without exhaustive testing."

Microsoft has officially begun killing off Cortana as the company moves its focus towards integrating ChatGPT and AI into Windows 11. [...]

Microsoft's new Azure Active Directory Cross-Tenant Synchronization feature, introduced in June 2023, has created a new potential attack surface that might allow threat actors to more easily spread laterally to other Azure tenants. Microsoft tenants are client organizations or sub-organizations in Azure Active Directory that are configured with their own policies, users, and settings.