Security Best Practices For Developing Windows Azure Applications

Posted by Alin Irimie on June 15, 2010

As businesses seek to cost-effectively consume IT services, interest is growing in moving computation and storage from on-premises equipment to Internet-based systems, often referred to as “the cloud.”

This new document from Microsoft focuses on the security challenges and recommended approaches to design and develop more secure applications for Microsoft’s Windows Azure platform. Microsoft Security Engineering Center (MSEC) and Microsoft’s Online Services Security & Compliance (OSSC) team have partnered with the Windows Azure team to build on the same security principles and processes that Microsoft has developed through years of experience managing security risks in traditional development and operating environments.

You can download the paper here.

Blogger Privacy Down The Drain. “eeyore is cute!”

Posted by Alin Irimie on April 04, 2009

I don’t need to comment too much on this one. Yesterday someone managed to insert fake posts saying ‘eeyore is cute’ into a bunch of Blogger blogs. Here’s Blogger’s explanation:

Some blogs are seeing a new post that says “eeyore is cute!”

We are identifying the cause of the problem and are working on a fix.

Update: During routine testing, a bug caused a small number of FTP blogs to publish a test post. No systems or accounts were hacked. We have corrected the original bug, and are working to remove the test data from the blogs. In the meantime, republishing your FTP blog will also correct the problem. We apologize to those bloggers who were affected - we are looking at mechanisms to prevent similar occurrences in the future.

Note: Some users with non-FTP blogs who have opted to receive post confirmation emails may have seen a spurious email about a test “eeyore is cute!” post. This email can safely be ignored.

Is your privacy at risk? Of course! You’re running in the cloud…

Watch Out - Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution

Posted by Alin Irimie on April 03, 2009

Microsoft confirmed a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. 

In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition,

Microsoft offers $250,000 Reward for Conficker Arrest and Conviction

Posted by Alin Irimie on February 13, 2009

Want to make a quick buck? Today, Microsoft Corp. announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker. Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.

Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide. Individuals with information about the Conficker worm should contact their international law enforcement agencies.

Good luck!

Mashup Security - Web Sandbox

Posted by Alin Irimie on November 06, 2008

Web Sandbox is a project from Microsoft Live Labs, a group focused on Internet technologies. It tries to solve a problem every web 2.0 site has: mashup security. A mashup is a page that includes a third-party script, maps for example, which takes almost no effort to embed on your website but runs with the full privileges of your page.

Web Sandbox uses a technique called “virtualization”: instead of being executed directly by the browser, the JavaScript code runs inside the “sandbox” first. The sandbox runs in any modern browser: IE7/8, Firefox 2/3, Chrome, Opera.

It injects this layer between the HTML page (with its CSS, JavaScript, etc.) and the browser. The virtualized layer transforms the code into an “executable” entity that runs inside the sandbox, and the sandbox enforces its security policy while the scripts execute.

The intercepting layer is inserted through a code transformation. By default this transformation executes server-side. Alternatively, when Silverlight is installed, the transformation can also execute client-side, saving the round trip to the server.

Check it out: http://websandbox.livelabs.com/
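To make the “intercepting layer” idea concrete, here is an added example (written for this page, not Web Sandbox’s own code; `makeSandbox`, `demo`, the allow-list and the guest script are all constructed here). The untrusted guest script is wrapped so that every free identifier it references resolves through a Proxy, which hands back only allow-listed objects and records every other lookup or global write for audit.

```javascript
// Added example: a toy "intercepting layer" for untrusted mashup scripts.
// It is not Web Sandbox's code; it only illustrates the virtualization idea:
// the guest script never touches the real global object, because every free
// identifier is resolved through a Proxy that exposes an allow-list.

function makeSandbox(allowed) {
  // Audit trail of denied lookups and swallowed global writes (detection aid).
  const denied = [];

  const scope = new Proxy(Object.create(null), {
    // Claim every name so no lookup falls through to the real globals.
    has: () => true,
    get: (_target, name) => {
      // `with` consults Symbol.unscopables; undefined keeps all names in scope.
      if (name === Symbol.unscopables) return undefined;
      if (Object.prototype.hasOwnProperty.call(allowed, name)) return allowed[name];
      denied.push(String(name));
      return undefined; // guest sees the name as undefined, not the host object
    },
    set: (_target, name) => {
      denied.push(`set:${String(name)}`);
      return true; // swallow attempts to create or overwrite globals
    },
  });

  function run(source) {
    // The "code transformation" step: wrap the guest source so identifier
    // resolution goes through `scope`. new Function yields sloppy-mode code,
    // which `with` requires; the inner function is strict so `this` is
    // undefined rather than the real global object.
    const wrapped = new Function(
      "scope",
      `with (scope) { return (function () { "use strict"; ${source} })(); }`
    );
    return wrapped(scope);
  }

  return { run, denied };
}

// Runs a constructed untrusted "mashup" script against a small allow-list.
function demo() {
  const out = [];
  const sandbox = makeSandbox({
    log: (...args) => out.push(args.join(" ")),
    Math,
  });

  // Constructed guest script: one permitted call, then probes for host
  // objects and an attempt to define a global.
  const guest = `
    log("max is", Math.max(1, 2));
    var d = typeof document, p = typeof process;
    leaked = 42;
    return d + "," + p;
  `;

  const result = sandbox.run(guest);
  return { result, out, denied: sandbox.denied };
}

console.log(JSON.stringify(demo()));
```

Running `demo()` returns `"undefined,undefined"` for the two host probes, the single permitted `log` call in `out`, and `["document","process","set:leaked"]` in the audit log. This toy only mediates identifier lookups; objects the guest reaches through literals and their prototypes still lead back to host builtins, which is why a production design like Web Sandbox rewrites property access as part of the transformation rather than relying on scope interception alone. The `denied` list is the part a defender would forward to monitoring.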