Latest news with #MSRC


Geek Wire
6 days ago
- Geek Wire
Microsoft contains SharePoint security wildfire, but questions linger about on-premises software
Editor's note: This is a guest analysis from Christopher Budd, who previously spent a decade at the Microsoft Security Response Center (MSRC).
Emergency security teams know summer weekends are made for work. Last weekend was a reminder of that industry truism with Microsoft's SharePoint vulnerability (CVE-2025-53770).
It's a classic 'remote code execution' vulnerability that only affects on-premises SharePoint servers. It can give an attacker full control over a system without authentication. If you can access the system on the internet, you can attack it and take it over.
We saw attackers around the world using it quickly to establish a foothold on vulnerable networks, frequently using webshells like we saw happen with Microsoft Exchange in 2012 and 2022 with the ProxyShell and ProxyNotShell attacks.
The attacks were another classic 'zero day' situation, with a new vulnerability under attack and no patch initially available. This time, Microsoft published information broadly within a day and started releasing patches within two days of the event breaking, a nearly unprecedented speed of response for them. Microsoft execs got the word out with each new development, providing clear, urgent direction.
Certainly, when we look at the response, it was faster and better than we saw with ProxyNotShell. It was another example of Microsoft showing that when it needs to, it can pull out the stops with its security response, much like it did with SolarWinds in December 2020.
Microsoft has also steered clear recently of the kinds of major breaches that plagued the company from March 2022 through January 2024, when corporate and cloud systems were breached by three major threat actor groups (Lapsus$, Storm-0558, Midnight Blizzard).
Taken altogether, we can think of this as a wildfire that was identified and contained relatively quickly. There is damage from it, and teams are coming off (yet another) very long summer weekend. But compared to what this could have been, this situation was merely bad, not awful.
Yet this vulnerability also exposes a fundamental tension: While Microsoft's response was exemplary, the fact that we're still seeing critical zero-day flaws in on-premises products raises questions about where these systems fit in Microsoft's cloud-first, AI-focused future. Where does securing on-premises software like Exchange, SharePoint, and, yes, Windows (which includes Active Directory) get prioritized in the company's Secure Future Initiative?
The well-oiled Patch Tuesday machine that I and others helped build in the early 2000s continues to chug along. But the number of patches continues to increase and the level of innovation and development around Patch Tuesday has generally dropped off in recent years.
As a case in point, Microsoft promised 'no reboot' patches in the late 2000s. I distinctly recall that we promised this as 'coming soon' on the security bulletin webcasts I hosted then. But no-reboot patches never materialized at the time. While Microsoft is delivering on this promise, finally, it has taken more than 15 years, and the company is implementing it in a way that is clearly focused on the enterprise space — at a cost to users and tied to the company's cloud offerings.
In today's cloud-and-AI era, many organizations still rely on on-premises systems like SharePoint for essential operations. Microsoft's swift response to this latest vulnerability proves it can rise to the occasion. But as the company accelerates its cloud-first agenda, it's fair to ask: Will on-premises software receive the same level of care and innovation?
The latest fire may be out, but that burning question remains.


Time of India
6 days ago
- Business
- Time of India
Oil explorers may get legal shield if assets stripped off
New Delhi: An explorer will be entitled to compensation if the government takes away its assets or contractual rights under an oilfield agreement, according to a draft contract proposed by the oil ministry. The move aims to address international energy companies' long-standing demand for protection against expropriation.
"If any measure or series of measures taken by the government or the state government substantially or permanently deprives the contractor of the ownership of any assets being utilised for mineral oil operations, or of its rights under the lease or this contract, the contractor shall be entitled to compensation," the draft contract states.
The compensation will be equivalent to "all costs and expenditures incurred in respect of mineral oil operations, up to that point relating to such asset or rights deprived," per the draft. However, compensation will not be paid if the company hasn't submitted a field development plan for the specific field, or if the government action was prompted by the need to protect its own rights or legitimate public interests.
Energy giant ExxonMobil has for years demanded that exploration contracts provide a legal shield against government moves to expropriate assets. Without using the term 'expropriation', the draft contract attempts to address concerns like those raised by Exxon by including a provision for compensation, an official said. An Exxon India executive previously told ET that its demand for protection against expropriation was "rooted in experience," citing how it faced expropriation after a change in government in Venezuela in the past.
The government is reworking the Model Revenue Sharing Contract (MSRC) to attract large foreign oil companies, which have largely stayed away from India's exploration licensing rounds under the Open Acreage Licensing Policy introduced eight years ago. Scarce exploration success and maturing fields have led to falling output and rising dependence on oil and gas imports.
Globally, capital allocation for exploration has been shrinking and is being increasingly directed toward regions offering the best returns and stronger investment protection. Lower oil prices are also making it harder for multinationals to commit capital to countries like India, which are not known for abundant petroleum resources.

