All news with #microsoft tag
Thu, December 11, 2025
Hidden .NET proxy behavior can enable RCE in many apps
⚠️ Researchers found that .NET HTTP client proxy classes will accept file:// and other non-HTTP schemes, invoking the filesystem handler and enabling attacker-controlled writes to arbitrary files. This unexpected behavior enabled proof-of-concept remote code execution via web shells and malicious PowerShell scripts in multiple products, including Barracuda, Ivanti, Umbraco, Microsoft PowerShell, and SQL Server Integration Services. Microsoft says it will not change the Framework behavior and places responsibility on application developers to avoid passing untrusted URLs and to validate WSDL imports.
Thu, December 11, 2025
Smashing Security 447 — AI Abuse, Stalking and Museum Heist
🤖 On episode 447 of the Smashing Security podcast, Graham Cluley and guest Jenny Radcliffe explore how generative AI can enable stalking — reporting that Grok was used to doxx people, outline stalking strategies, and share revenge‑porn tips. They also recount the audacious Louvre crown jewels heist, where thieves abused assumptions about what ‘looks normal’. Graham additionally interviews Rob Edmondson about how Microsoft 365 misconfigurations and over‑privileged accounts create serious security exposures. The episode emphasizes practical lessons in threat modelling and access hygiene.
Wed, December 10, 2025
Microsoft Teams adds alerts for suspicious external traffic
🔔 Microsoft is introducing an External Domains Anomalies Report for Microsoft Teams to analyze messaging trends and surface suspicious interactions with external domains. The tool will flag sharp spikes in activity, communications with new domains, and abnormal engagement patterns to give administrators early visibility into potential data-sharing or security risks. Microsoft plans a worldwide rollout to standard multi-tenant web environments in February 2026, though licensing implications remain unspecified. The change complements other Teams protections such as malicious-link warnings, false-positive reporting, meeting screen-capture blocking, and desktop performance improvements.
Wed, December 10, 2025
SOAPwn: WSDL/SOAP Flaw Enables File Writes in .NET
🛡️ WatchTowr Labs has disclosed SOAPwn, an "invalid cast" vulnerability in the .NET Framework that lets attackers abuse WSDL imports and dynamically generated SOAP client proxies to write files and achieve remote code execution. The issue impacts products including Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. Barracuda addressed the flaw in Service Center RMM 2025.1.1 (CVE-2025-34392, CVSS 9.8) and Ivanti issued fixes in EPM 2024 SU4 SR1 (CVE-2025-13659, CVSS 8.8). Researchers presented the findings at Black Hat Europe after disclosures in March 2024 and July 2025.
Wed, December 10, 2025
Building a security-first culture for agentic AI enterprises
🔒 Microsoft argues that as organizations adopt agentic AI, security must be a strategic priority that enables growth, trust, and continued innovation. The post identifies risks such as oversharing, data leakage, compliance gaps, and agent sprawl, and recommends three pillars: prepare for AI and agent integration, strengthen organization-wide skilling, and foster a security-first culture. It points to resources like Microsoft’s AI adoption model, Microsoft Learn, and the AI Skills Navigator to help operationalize these steps.
Wed, December 10, 2025
Microsoft Ignite 2025: Building with Agentic AI and Azure
🚀 Microsoft Ignite 2025 showcased a suite of Azure and AI updates aimed at accelerating production use of agentic systems. Anthropic's Claude models are now available in Microsoft Foundry alongside OpenAI GPTs, and Azure HorizonDB adds PostgreSQL compatibility with built-in vector indexing for RAG. New Azure Copilot agents automate migration, operations, and optimization, while refreshed hardware (Blackwell Ultra GPUs, Cobalt CPUs, Azure Boost DPU) targets scalable training and secure inference.
Wed, December 10, 2025
Transparent Email Security: New Microsoft Benchmarking
📊 Microsoft published its second email security benchmarking report comparing environments protected solely by Microsoft Defender to deployments using a Secure Email Gateway (SEG) in front of Defender and Integrated Cloud Email Security (ICES) layered after Defender. The updated methodology corrects for journaling and connector reinjection and now includes Defender's zero‑hour auto purge post‑delivery detections to avoid misattribution. Results show layering reduces marketing and bulk mail (avg 9.4%), while incremental gains for spam and malicious filtering remain modest. Post‑delivery remediation remains critical: Defender's zero‑hour auto purge removed 45% of malicious mail reaching inboxes on average, and ICES vendors accounted for an average 55% post‑delivery catch.
Wed, December 10, 2025
Microsoft Patches Three Zero-Days Including Kernel EoP
⚠️ Microsoft has released patches for three zero-day vulnerabilities in its December update, including an actively exploited kernel elevation-of-privilege in the Windows Cloud Files Mini Filter Driver (CVE-2025-62221). Two additional zero-days—an RCE in PowerShell (CVE-2025-54100) and an RCE in GitHub Copilot for JetBrains (CVE-2025-64671)—were publicly disclosed but not observed in the wild. Security experts warn attackers could chain the kernel flaw with other exploits to achieve full system or domain compromise.
Wed, December 10, 2025
Microsoft Patches 56 Flaws Including Active Zero-Days
🛡️ Microsoft released December 2025 patches addressing 56 Windows vulnerabilities, three rated Critical and 53 Important. The update fixes 29 privilege-escalation flaws, 18 remote code execution bugs and other defects, and includes two zero-days and one actively exploited use-after-free (CVE-2025-62221) in the Cloud Files Mini Filter Driver. Administrators are urged to prioritize the KEV-listed fix and follow vendor guidance for mitigation and monitoring.
Wed, December 10, 2025
December Patch Tuesday: Active Windows Cloud Files Zero Day
🚨 Microsoft’s December Patch Tuesday delivers 57 fixes, but an actively exploited zero-day in Windows Cloud Files Mini Filter Driver (CVE-2025-62221) requires immediate remediation. The flaw is a low-complexity use-after-free escalation-of-privilege that can enable a local foothold to become full system compromise. Security teams should prioritize this patch, enforce least-privilege controls, and enhance monitoring where rapid patching isn't possible.
Tue, December 9, 2025
Microsoft Patch Tuesday December 2025: 57 Vulnerabilities
🛡️ Microsoft released its December 2025 Patch Tuesday addressing 57 vulnerabilities, two labeled as critical and the remainder as important. Cisco Talos notes Microsoft assessed exploitation of the two critical issues as less likely, while several important flaws are considered more likely to be attacked. Talos published Snort and Snort 3 rules to detect exploitation attempts and recommends updating firewall SRUs and applying vendor patches promptly.
Tue, December 9, 2025
Microsoft Patch Tuesday — December 2025 Security Fixes
🛡️ Microsoft released its final Patch Tuesday of 2025, addressing 56 vulnerabilities including one actively exploited zero-day, CVE-2025-62221, and two publicly disclosed bugs. The zero-day is a privilege escalation in the Windows Cloud Files Mini Filter Driver, a core component used by cloud sync services such as OneDrive. Three flaws received Microsoft’s Critical rating, including two Office bugs exploitable via Outlook’s Preview Pane. Administrators should prioritize updates for the flagged privilege escalation issues and apply patches promptly.
Tue, December 9, 2025
Shai-Hulud 2.0: Detecting and Defending Supply-Chain Attacks
🛡️ The Shai-Hulud 2.0 campaign is a widescale npm supply-chain compromise that injects malicious preinstall scripts to execute a bundled Bun runtime and harvest cloud credentials. Microsoft Defender observed attackers installing GitHub Actions runners named SHA1HULUD, using TruffleHog to locate secrets, and exfiltrating stolen credentials to public repositories. The guidance outlines detections, hunting queries, and prioritized mitigations for developers, maintainers, and cloud defenders.
Tue, December 9, 2025
Windows PowerShell Warns When Invoke-WebRequest Runs
⚠ Windows PowerShell 5.1 now displays a security confirmation when using Invoke-WebRequest to fetch web pages, warning that scripts in a downloaded page might run during parsing. The change, delivered with update KB5074204, mitigates a high-severity RCE tracked as CVE-2025-54100 and brings safer parsing behavior from PowerShell 7. Microsoft recommends rerunning commands with the -UseBasicParsing switch or updating automation to include it. Note that the 'curl' alias maps to Invoke-WebRequest and will trigger the same prompt.
Tue, December 9, 2025
Microsoft issues KB5071546 ESU update for Windows 10
🔒 Microsoft has released the KB5071546 extended security update for Windows 10 Enterprise LTSC and systems enrolled in the ESU program, addressing 57 security vulnerabilities including three zero-days. The mandatory patch updates Windows 10 to build 19045.6691 (LTSC 2021 to 19044.6691) and installs automatically, requiring a restart. Notably, it fixes a remote code execution zero-day in PowerShell (CVE-2025-54100) by adding a confirmation prompt and guidance to use -UseBasicParsing with Invoke-WebRequest to avoid parsing embedded scripts.
Tue, December 9, 2025
Microsoft December 2025 Patch Tuesday: 57 Fixes, 3 Zero-Days
🔒 Microsoft's December 2025 Patch Tuesday delivers fixes for 57 vulnerabilities, including three zero-day flaws — one actively exploited and two publicly disclosed. The update addresses 19 remote code execution, 28 elevation of privilege, four information disclosure, three denial of service, and two spoofing issues across Windows, PowerShell, Office, Exchange Server and drivers. Administrators should prioritize the actively exploited CVE-2025-62221 and apply vendor patches promptly.
Tue, December 9, 2025
Windows 11 KB5072033 & KB5071417 Patch Tuesday December 2025
🔔 Microsoft released cumulative updates KB5072033 (25H2/24H2) and KB5071417 (23H2) as the December 2025 Patch Tuesday rollup. The mandatory updates include security fixes, bug patches, and new or enhanced features such as improved File Explorer dark mode, Virtual Workspaces advanced settings, and expanded Full‑Screen Experience for handheld devices. Install via Settings > Windows Update or the Microsoft Update Catalog; features will roll out gradually.
Tue, December 9, 2025
Changing the Physics of Cyber Defense with Graphs Today
🔍 John Lambert of MSTIC argues defenders should model infrastructure as directed graphs of credentials, entitlements, dependencies and logs so they can trace the attacker’s “red thread.” He introduces the algebras of defense—graphs, relational tables, anomalies, and vectors over time—that let analysts and AI ask domain-specific questions like blast radius or path to crown jewels. Lambert also emphasizes preventative hygiene: asset and entitlement management, deprecating legacy systems, segmentation, and phishing-resistant MFA. He urges collaborative intelligence and AI-enabled tooling to shift advantage back to defenders.
Tue, December 9, 2025
Microsoft Expands U.S. Cloud Infrastructure and Regions
☁️ Microsoft is expanding its U.S. cloud footprint with a new East US 3 region in the Greater Atlanta Metro, scheduled to open in early 2027, and by adding capacity and Availability Zones across multiple existing U.S. regions. The East US 3 region is designed for resilience with Availability Zones, support for advanced AI workloads, and sustainability goals including LEED Gold and water conservation. Microsoft is also increasing zone redundancy in North Central US, West Central US, and the US Government Arizona region to boost capacity, compliance, and mission readiness.
Tue, December 9, 2025
Hidden Forensic Evidence in Windows ETL: Diagtrack File
🔍 FortiGuard IR analysts discovered that an obscure ETL file, AutoLogger-Diagtrack-Listener.etl, can retain historical process execution data useful for post-incident forensics. Parsing ETW payloads exposed ProcessStarted events including ImageName, ProcessID, ParentProcessID and sometimes CommandLine entries that revealed deleted tools. Controlled testing showed creating the autologger and setting AllowTelemetry=3 often produced an empty file, indicating the DiagTrack service may populate the file only under undocumented conditions. Further research is needed to understand when and how this telemetry is written.