Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21980, CVE-2022-24477.

CVE-2022-24516

Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-24477, CVE-2022-24516.

CVE-2022-21980

Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21980, CVE-2022-24516.

CVE-2022-24477

Microsoft Exchange Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-30134, CVE-2022-34692.

CVE-2022-21979

Microsoft ATA Port Driver Elevation of Privilege Vulnerability.

CVE-2022-35760

Sharing information through the Security Update Guide (SUG) is an important part of our ongoing effort to help customers manage security risks and keep systems protected. In January 2022 we introduced Phase One of a new way for customers to receive email notifications about new Microsoft product security content using any email address, not just …
  Security Update Guide Notification System News: Create your profile now Read More »

Sharing information through the Security Update Guide (SUG) is an important part of our ongoing effort to help customers manage security risks and keep systems protected. In January 2022 we introduced Phase One of a new way for customers to receive email notifications about new Microsoft product security content using any email address, not just a Microsoft account, or Live ID as it is sometimes known.

As of June 14, 2022, we have moved into Phase Two and are now sending the monthly Microsoft Security Update Summary and the Microsoft Security Update Revisions notifications through a modern Azure-based service to customers who have created their profile on the SUG. In this phase, we are also still sending text-based notifications in parallel via the Security Notification Service. This will give customers time to create profiles in the SUG and to sign up for the new Azure-based service. We will soon discontinue sending notifications via the legacy Security Notification Service.

Remember, with the new system you can now sign up with any email address, including a group alias, and receive notifications at that email address. This includes corporate addresses, as we have fixed the issue for customers who were unable to create a profile for addresses that use Active Directory. For those who experienced the issue, we apologize for the delay and encourage you to create your profile again. After you create your profile you will receive a verification email to activate the profile, so be sure to respond to the email to complete the process.

Upon creating and verifying your profile, you can manage your settings from within the SUG itself. We encourage you to create your profile and select your notifications preference as soon as possible if you have not already done so.

****Here’s how to create your SUG profile****

Your profile on the SUG defines the email address where you wish the notifications to be delivered and the type of notifications you want to receive.

You can create a profile by selecting **Sign in** at the top right corner of the SUG. Then follow these steps:

1.  You can see from the option for sign in that you can use any email and password.
2.  To use your existing Microsoft account (LiveID) or corporate AAD account, select **Live, Work, or School Account**.
3.  If you do not have a Microsoft account or corporate AAD account, you can use the sign-in dialog to create either a Microsoft account or a local account:  
    a. While we no longer require a Microsoft account to receive notifications, it can be preferable to having to enter your username and password each time you sign in. To create a Microsoft account, select **Live, Work, or School account**. Look next to “No account?” and select **Create one!**

b. To create a local account in the Sign in dialog, look next to “Don’t have an account?” and select **Sign up now** to begin creating a local account profile.

4.  Enter the email you want to use for your profile, then select **Send verification code**.  
    You will receive the verification code from the Microsoft Security Response Center. For example,

5.  Retrieve the email verification code from your email, enter the verification code, and complete the rest of the information to set up your profile.
6.  Select **Continue**.

5.  Now you can sign into the SUG as follows:  
    • For a Microsoft account, or a work or school account that uses Active Directory, select **Live, Work, or School Account**.  
    • For a Gmail account, select **Google**.  
    • For any other account, enter your email address and password.

****Sign up for the new notifications****

Notifications are sent when information is added or changed in the Security Update Guide. There are two types of notifications – Major Updates and Minor Updates, or revisions. Major revisions include newly published CVEs and existing CVEs that are republished due to a change in software updates in the Security Updates table. These major Revisions are marked with an incremented initial number such as **1.0, 2.0**, etc. Minor revisions are changes to FAQs or Acknowledgements or other information. These types of revisions are marked with an incremented final number such as **1.1, 3.2**, etc.

To sign up for notifications:

1.  If you have not already signed in, select **Sign in** at the upper right corner and repeat the steps to sign in depending on your account type. You will know you have successfully signed in when your **Profile** name is displayed.
2.  To opt into notifications, select **Profile** at the upper left.

3.  Select **Edit** on the left-hand **Email notifications** column to choose the type of notifications you would like to receive.

4.  In the panel that is displayed on the right-hand side, select the types of notifications you want to receive. If you select **Major Revisions**, you will receive only notifications for major updates. If you select **Minor Revisions**, you will receive notifications for minor updates. To receive both major and minor revision notifications, select both options. Select **Save** when you’re finished.

****Questions or Feedback****

As always, we encourage and appreciate your feedback on the SUG. To submit questions or feedback, please send fill out our feedback form at MSRC Portal Support Form (office.com).

Security Update Guide Notification System News: Create your profile now

Browser adds defense in depth to prevent abuse of unpatched vulnerabilities

Browser adds defense in depth to prevent abuse of unpatched vulnerabilities

Microsoft has introduced an optional feature to its Edge browser that applies more stringent security controls when users visit unfamiliar websites.

Enhanced security mode mitigates memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation, while activating additional operating system protections for the browser such as arbitrary code guard and hardware-enforced stack protection, according to Microsoft.

It said these changes provide “defense in depth” by making it harder for malicious sites to leverage unpatched vulnerabilities in order to write to executable code into memory.

RELATED Chromium site isolation bypass allows wide range of attacks on browsers

Microsoft said the provision of a “rich browsing experience using powerful technologies like JavaScript” heightens the risks of visiting malicious sites. “With enhanced security mode, Microsoft Edge helps reduce the risk of an attack by automatically applying more conservative security settings on unfamiliar sites and adapts over time as you continue to browse,” said Redmond.

**First of its kind**

Rival browsers Chrome and Firefox currently lack equivalent features, although can be configured to disable features such as JIT.

As for Safari, Apple recently announced a new security feature aimed at defending users at potential risk of highly targeted cyber-attacks that also disables JIT and other complex web technologies, unless the user excludes a trusted site. Called Lockdown Mode, this feature is designed to protect journalists, politicians, and human rights activists from spyware.

Catch up with the latest browser security news

The Microsoft Edge security team published analysis of the results of its experimentations with the new feature in August 2021 and February 2022.

The feature was rolled out in Microsoft Edge version 104, which was released August 5.

**Three levels of security**

The new feature, which is turned off by default, can be enabled as one of three modes.

In its ‘basic’ – and recommended – configuration, the feature applies “added security protection to the less visited sites”, but “preserves the user experience for the most popular sites on the web”, explained Microsoft.

Basic mode does not adapt according to user behavior. By contrast, ‘balanced’ mode “builds on user’s behavior on a particular device, and Microsoft’s understanding of risk across the web to give sites that users are most likely to use and trust full access to the web platform, while limiting what new and unfamiliar sites can do”.

Finally, the ‘strict’ setting applies enhanced safeguards universally against all sites. It isn’t recommended for most end users because of the additional configuration required for users “to complete their normal tasks”.

In all three modes, users can create exceptions for trusted websites, with enterprise admins able to create ‘allow’ and ‘deny’ lists.

Sites that use WebAssembly (WASM), a binary instruction format for stack-based virtual machines, are not currently supported by the feature. Sites that need WASM can be added to the exception site list.

An ‘added security’ banner appears in the URL navigation bar when enhanced security mode is activated for a particular site.

RECOMMENDED XSS in Gmail’s AMP For Email earns researcher $5,000

Microsoft Edge deepens defenses against malicious websites with enhanced security mode

New time series model and enhanced alerting experience make it easy for organizations to address more threats in the cloud while enabling faster investigations.

**SAN JOSE, Calif., Aug. 9, 2022** \-- Lacework, the data-driven cloud security company, today announced new capabilities that enable organizations to uncover more critical threats to their infrastructure and empower teams to collaborate more efficiently in alert investigation and response. Lacework has added fully automated time series modeling to the existing anomaly detection capabilities of the Polygraph Data Platform. Using automated learning and behavioral analytics, the time series model builds a baseline of the volume and frequency of activity within a customer's environment and actively monitors for spikes that deviate from that unique baseline to detect potential threats such as cryptominer attacks and compromised accounts with accuracy. Organizations can also proactively discover increased cloud usage due to misconfigurations — gaining a better understanding of their environment to help control costs. Lacework does this without the need for constant tuning of thresholds, significantly reducing both manual work and false-positive alerts. Lacework has also upgraded its alerting experience with features that empower teams to collaborate more efficiently in alert investigation and response.

The enormous amount of activity in the cloud and adoption of new technology makes it difficult to gain visibility into risks, investigate alerts efficiently, and take action, especially when teams are siloed into different workstreams and tools. Signature and rules-based approaches can't keep pace with this dynamic environment and often overwhelm security teams with thousands of contextless alerts across a range of environments.

Polygraph, the Lacework cloud behavioral analytics engine, uses dozens of models to build a baseline of normal behaviors in the cloud. The time series model introduces a new dimension of analysis by tracking changes in activity frequency and volume over time in a cloud environment. It works with the existing models to uncover more anomalies with fewer alerts.

Lacework also automatically adjusts the severity of alerts based on continuous learning and a fine-grained understanding of how much the observed behaviors deviate from the predicted baseline for improved accuracy. According to Cybersecurity Ventures, the number of unfilled cybersecurity jobs worldwide grew by 350% between 2013 and 2021, with no sign of relief in the next five years. By consolidating alerts into only those that matter and providing security teams with more context about what is happening across their environment, Lacework allows these overburdened teams to uncover more risks and deal with them more efficiently.

"It's critical organizations get transparency as to what is happening across their multicloud environments, but security teams face a massive challenge keeping up with the dynamic nature of cloud environments while threats like cryptomining continue to proliferate," said Frank Dickson, IDC Group Vice President, Security and Trust. "As an industry plagued by a seemingly insurmountable skills shortage, simply layering more alerts on the SOC does not help. Context matters; context quickly forwards SOC investigations from awareness to understanding by enabling correlations across datasets. Alerts are thus replaced with context-rich incidents that are quickly actionable and facilitate outcomes for customers. In the end, secure outcomes are the goal of every SOC."

Lacework has also revamped the alerting experience to help organizations better collaborate with teams to prioritize, investigate, and track the status of all alerts. This includes:

· **Context-rich insights:** Richer insights give the complete picture of what happened, associated events, timelines, and other details, helping organizations understand where to focus and make better decisions.

· **Configurable bi-directional sync:** When teams update an alert on the Lacework user interface or the associated ticket in backend workflow tools like Jira, the alert status is automatically updated on both sides with bi-directional sync for accelerated resolution. Organizations can even give feedback on Lacework alert severity levels, which in turn helps the Polygraph Data Platform learn and optimize modeling to further improve alerting experience.

· **Easy to manage alert life cycle:** Teams can more easily organize alerts, view tags, filter to see a set of specific alerts, change the state of an alert to indicate whether it needs to be investigated or has been resolved, and add comments to classify and better collaborate with teams.

"Lacework relentlessly innovates to deliver features that help customers gain the visibility and controls they need to stay ahead of the evolving threat landscape," said Arash Nikkar, VP of Engineering, Lacework. "The Polygraph Data Platform is the only cloud security solution to combine automated time series analysis with sophisticated cloud behavioral analytics to build baselines that are tailored to a company's unique environment. Combined with our enhanced alerting capabilities, we're making it easier for teams to identify relevant risks and prioritize threats, even as their organization scales, the attack surface grows bigger, and security incidents increase exponentially."

Time series modeling is available now for Lacework customers in AWS environments. Configurable bi-directional sync enhancements to the Lacework alerting experience are available to select customers in beta.

Additional Resources:

· Visit our team at Black Hat USA at booth #2440 on the show floor.

· Check out the Lacework blog to learn more about the new time series model and enhanced alerting experience.

· Become an expert on security fundamentals and learn more from your security and developer peers through Lacework Academy and the Lacework Community.

· Read what Lacework customers have to say about the Lacework Polygraph Data Platform.

**About Lacework**

Lacework is the data-driven security company for the cloud. The Lacework Polygraph® Data Platform automates cloud security at scale so our customers can innovate with speed and safety. Only Lacework can collect, analyze, and accurately correlate data across an organization's AWS, Microsoft Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer, and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, Tiger Global Management, Counterpoint Global (Morgan Stanley), Franklin Templeton, Durable Capital, GV, General Catalyst, XN, Coatue, Dragoneer, Liberty Global Ventures, and Snowflake Ventures, among others. Get started at www.lacework.com.

Lacework Updates Threat Detection To Uncover More Malicious Activity and Speed Investigation at Scale

Machine-learning algorithms alone may miss signs of a successful attack on your organization.

Zero-day attacks that exploit unpatched software vulnerabilities saw exponential growth last year. According to cybersecurity researchers like the Zero-Day Tracking Project, 2021 saw more than 80 zero-day exploits recorded, versus 36 in 2000. There are already 22 such exploits on record for the first half of 2022.

As soon as a vulnerability becomes known, cybercriminals rush to exploit it before the software developer can write, test, and release a patch. That window may be hours, but more likely days or weeks long. So, it's important that you have threat hunters — humans, not machine-learning algorithms — scouring your infrastructure proactively for signs of a successful attack.

The risk of falling victim to a zero-day attack is considerable, and the consequences real. One study from the Ponemon Institute found that 80% of successful data breaches originated with zero-day exploits. The vulnerabilities exploited are found in software common to the enterprise, including Microsoft Windows and Office, Google Chrome, Adobe Reader, Apple iOS, and Linux.

With 2021's Apache Log4j Java-based vulnerability, we can add hundreds of millions of devices and a wide range of websites, consumer and enterprise services, and applications to the list.

Step one in protecting every organization is to practice excellent IT hygiene — keep up to date on patching and updating all software. It's the back-to-basics measure that so many companies love to overlook or postpone. Granted, it can be time and resource consuming to test and deploy software patches, and the process can disrupt business operations. But it's a critical safeguard and far less costly than a data breach.

**The Invisibility of Newness**

A strong perimeter and signature-based edge controls like anti-virus software and intrusion prevention do not provide complete protection. That's because they can only detect known threats. They are blind to the footprints of zero-day attacks, when the cybercriminals are the first to uncover and exploit a software vulnerability. That's why zero-day exploit kits carry very high price tags on the black market, running from tens of thousands of dollars up to millions. They work that well.

Once a cybercriminal has used a zero-day exploit to penetrate a network unseen, they can take their time and deploy their weapon of choice, from viruses and worms to malware and ransomware to remote code execution. They can move laterally in the network, steal identities, and steal data. As long as you don't know they're there, it's like handing over the keys to the crown jewels.

**The Role of Threat Hunting**

It's that invisibility that makes proactive threat hunting an essential component of the layered approach to security. It's made possible in part because we have been smart about using machine learning to free up scarce cybersecurity people resources by reducing the number of alerts needing human intervention by 90%. Some in the industry have taken this success to mean that humans can be phased out of the security equation by algorithms, and that algorithms can do the work for us, including threat hunting.

Machine learning does bring significant advantages to cybersecurity management, but it will never completely replace humans in the security operations center. Machines handle high-volume tasks like eliminating false positives and repetitions extremely well. Machine learning may assist when you are hunting for known threats, including advanced and "low-and-slow" threats, where you know what indicators of compromise (IoCs) to look for.

However, human intelligence, intuition, strategic thinking, and creative problem solving are essential in proactive zero-day threat hunting where the IoCs are unknown and the hunter is looking for the subtle indications that another human is maliciously active in your environment.

This approach is research intensive. The analyst may create a hypothesis and then validate it based on observed patterns or anomalous activity in security data logs and user and entity behavioral analysis (UEBA) logs. According to CISA, these can include failed file modifications, increased CPU activity, inability to access files, unusual network communications, compromised administrator privileges, credentials theft, increases in database read volumes, and irregular geographical access.

Companies can develop threat hunting skills in-house or acquire them as a managed service. Either way, these human defenders and their proactive threat hunting expertise are the new elites in the security industry. Supported by comprehensive log data, threat intelligence, and tools like the MITRE ATT&CK knowledge base, human threat hunters are essential to combatting zero-day attacks, multistage attacks, and devious, low-and-slow hackers.

Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks

Regulators are close to stopping Meta from sending EU data to the US, bringing a years-long privacy battle to a head.

Facebook faces trouble in Europe—and Meta wants you to know about it. Every three months since June 2018, the company has used its financial results to warn that it could be forced to stop running Facebook and Instagram across the continent—potentially pulling its apps from millions of people and thousands of businesses—if it can’t send data between the EU and the US.

Whether Meta’s bluffing will become clear soon enough.

Data regulators are on the verge of making a historic ruling in a years-long case, and they are expected to say Facebook’s data transfers across the Atlantic should be blocked. For years, Meta has fought against European privacy activists over how data is sent to the US, with courts ruling multiple times that European data isn’t properly protected and can potentially be snooped on by the NSA and other US intelligence agencies.

While the case focuses on Meta, it has widespread ramifications, potentially impacting thousands of businesses across Europe that rely upon the services of Google, Amazon, Microsoft, and more. At the same time, US and European negotiators are scrambling to finalize a long-awaited new data-sharing deal that will limit what information US intelligence agencies can get their hands on. If negotiators can’t get it right, people’s privacy will remain at risk and billions of dollars of trade will be put in jeopardy.

At the start of July, the Irish Data Protection Commission, Facebook’s main data regulator in Europe, issued a draft decision that would block Meta from sending data across the Atlantic. While the specifics of that draft decision aren’t known, if it is enacted, it could create a Facebook blackout across Europe.

Under the GDPR, Europe’s data law, countries across the continent get 30 days to scrutinize Ireland’s Meta decision and respond with any potential changes or complaints. That time is now up. A spokesperson for the Irish regulator says “some” objections have been received from a “small” number of other countries and it is working to address these. Experts say these are likely to be minor points of law, rather than overturning the entire decision.

So, how likely is it that Meta will actually pull its services from Europe? In reality, the chances are probably pretty slim. Meta has said it has “no desire” to leave the continent, going as far as publishing a blog post titled “Meta Is Absolutely Not Threatening to Leave Europe.” Europe’s 30-plus countries are a large market for Meta, and stopping services, even temporarily, could be costly. (A close comparison is when the company briefly banned news posts in Australia in early 2021, following a row with publishers.) While Meta may not leave Europe, it may have to make changes to how it stores and transfers data once the final decision from the Irish regulator is published, although there is no set timeline. It may also face a fine.

“My guess is that Meta is going to have to look at some form of geo-siloing if they want to continue to operate in the EU,” says Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center, a nonprofit digital rights research organization. Schroeder, who previously worked with companies on international data transfers, says this approach could mean Meta would have to create its own servers and data centers in the EU that aren’t connected to its broader databases.

Harshvardhan Pandit, a computer science research fellow at Trinity College Dublin who is researching the GDPR, says that as data authorities are still considering Meta’s case and a final decision hasn’t been published yet, they could include several caveats or steps that Meta should take to fall in line. For instance, one recent data protection decision in Europe gave a six-month period for a company to make changes to its business.

“I think the most pragmatic solution would be for them to create the European infrastructure, like Google or Amazon, which have quite a few data centers here,” Pandit says, adding that Meta could also introduce more encryption to how it stores data and maximize how much it keeps in the EU. All these measures would be costly, though. Jack Gilbert, director and associate general counsel at Meta, says that the issue “is in the process of being resolved.” Facebook did not respond specifically to questions about its plan to respond to the Irish decision.

European officials have twice ruled that systems put in place to share data between the EU and US don’t properly protect people’s data—the complaints have been ongoing since the early 2010s. European courts ruled that international data-sharing agreements weren’t up to scratch first in 2015 and then again in July 2020, when the Privacy Shield agreement was ruled illegal.

“All that the EU is asking for when organizations transfer data to other countries is to protect that data in line with the GDPR,” says Nader Henein, a research vice president specializing in privacy and data protection at Gartner. “The issue is that laws in the US that protect the data of ‘nonresident aliens’ are woefully insufficient and make it very difficult for organizations like Facebook to comply with local law and the GDPR.”

While Meta is the focus of the most high-profile complaint, it isn’t the only company impacted by a lack of clarity on how companies in Europe can send data to the US. “The data transfer issue is not Meta-specific,” David Wehner, Meta’s chief strategy officer, said in a July earnings call. “It relates to how in general data is transferred for all US and EU companies back and forth to the US.”

The impacts of the July 2020 decision to get rid of Privacy Shield are now being felt. Since January of this year, multiple European data regulators have ruled that using Google Analytics, the company’s traffic-monitoring service for websites, falls foul of the GDPR. Danish authorities went even further: Schools can’t use Chromebooks without restrictions being put in place. “There is a ton of legal uncertainty, and there is a significant compliance risk,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank.

Politicians are well aware of the problems. In March, US president Joe Biden and European Commission president Ursula von der Leyen announced a new Trans-Atlantic Data Privacy Framework, which will change the way data is sent between the EU and US. The deal, which will be introduced by executive order, will limit what data US intelligence agencies can access and will create a new system where Europeans can complain if they think they’ve been illegally spied upon by US agencies.

However, since the deal was announced, no specifics—including any legal texts—have been published. In June, officials said the deal could be published in the coming weeks, but so far, there has been little public progress. The US Department of Commerce says discussions are still taking place, including a meeting between both sides last week. (A European Commission spokesperson says work on the new agreement is ongoing, but they do not have a timeline that can be shared.) The longer the negotiations take, the more blocking orders will drop. “Obviously, if that framework is not complete, we would be in jeopardy of being able to transfer data,” Facebook’s Wehner said earlier this year.

The deal is likely to take a while yet. “Realistically, at this point, we're looking at a potential adequacy decision for this Trans-Atlantic data transfers framework sometime next year—maybe the first quarter of next year,” Zanfir-Fortuna says. Once the details have been published, EU officials will spend months scrutinizing the specifics to see if they fall in line with court orders.

And they won’t be the only ones pouring over it. Privacy activists and lawyers will also be looking at the agreement and could launch further legal challenges if they find that data moving from Europe to the US still isn’t protected strongly enough. “The continued challenges are not unwarranted, particularly considering the Snowden revelations and the prevalence of Big Tech firms coming out of the US,” Schroeder says. “As a whole, America really needs to make sure we rise to the challenge of showing that we can be good stewards of the industry that we're trying to be leaders in.”

Tag

#microsoft