Microsoft cuts off China's early access to bug disclosures
Briefly

"The software behemoth gives some software vendors early bug disclosures under its Microsoft Active Protections Program (MAPP), which typically delivers info two weeks before Patch Tuesday. MAPP participants sign a non-disclosure agreement, and in exchange get vulnerability details so that they can provide updated protections to customers more quickly. According to Microsoft spokesperson David Cuddy, who spoke with Bloomberg about changes to the program, MAPP has begun limiting access to companies in 'countries where they're required to report vulnerabilities to their governments,' including China."
"In late July, China-based crews - including government goons, data thieves, and a ransomware gang - exploited a couple of bugs that allowed them to hijack on-premises SharePoint servers belonging to more than 400 organizations and remotely execute code. Redmond disclosed the two SharePoint flaws during its July 8 Patch Tuesday event, and a couple weeks later admitted that the software update didn't fully fix the issues."
Microsoft has begun limiting Microsoft Active Protections Program (MAPP) disclosures to companies in countries where they are required to report vulnerabilities to their governments, including China. These companies will stop receiving proof-of-concept exploit code and will instead receive a more general written description, delivered when patches are released. In late July, China-based actors exploited two SharePoint vulnerabilities to hijack on-premises servers at over 400 organizations and remotely execute code. An initial July 8 update failed to fully fix the issues; working patches were issued on July 21, after mass exploitation was already underway. Past MAPP leaks were linked to companies in China.
Read at Theregister