Vulnerability

LATEST

Microsoft Acknowledges “AutoWarp” Critical Security Vulnerability Affecting Azure Automation Service

Last Update: Mar 10, 2022

Microsoft has addressed a new critical security vulnerability in its Azure Automation service. The vulnerability, labeled “AutoWarp,” was mitigated in December 2021, and the company confirmed that it could enable malicious actors to gain access to the data and resources of other Azure customers. The cross-tenant vulnerability was first discovered by a researcher at Orca…

GitHub Rolls Out New AI-Powered Code Scanning Security Alerts

GitHub is getting new AI-powered code scanning analysis capabilities that should enable developers to identify the most common security flaws in their code. The company has launched this new experimental security feature in public beta for all GitHub users, and it supports JavaScript and TypeScript repositories. With this new code scanning analysis tool, developers can…

Microsoft Advises Customers to Patch Active Directory Privilege Escalation Vulnerability

Last month, Microsoft released the November Patch Tuesday updates to address two Active Directory (AD) Domain Services privilege escalation security flaws affecting all supported versions of Windows Server. But it looks like some customers have not updated their servers yet. The company published a blog post yesterday advising customers to install the emergency fixes on…

CVE-2020-0688 Puts Focus on Exchange On-Premises Vulnerabilities

The revelations that Exchange Server has had a vulnerability in the Exchange Control Panel since Exchange 2010 shocked some. Microsoft has patched CVE-2020-0688, but the problem gives on-premises administrators something to think about as they look to the long-term future of their email service. Staying on-premises is an option, but going to the cloud might be more secure.

Fixing a Multi-Protocol Exchange Server Vulnerability

No fix is available yet for the Exchange vulnerability reported by Dirk-jan Mollema and described in CVE-2018-8581. Apart from deploying a split permissions model, no out-of-the-box mitigation exists today. Microsoft is working actively to fix the problem, and in the meantime the brains of the Exchange community are hard at work to come up with possible solutions.

All Versions of On-Premises Exchange Server Vulnerable to New Attack

A newly-discovered vulnerability in Exchange potentially allows attackers to gain control over Active Directory. Since Exchange 2000, Exchange has been a highly-privileged server that’s tightly connected to Active Directory. Add in some NTLM weakness, Exchange Web Services push notifications, and everything comes together for the bad guys.
