Microsoft DNS boo-boo breaks Hotmail for users around the globe

Infosec in brief: Someone at Microsoft has some explaining to do after a messed-up DNS record caused emails sent from Hotmail accounts using Microsoft’s Outlook service to be rejected or directed to spam folders starting on Thursday.

Late on Thursday evening, Hotmail users began reporting that some emails were being returned with errors related to Sender Policy Framework (SPF), and thus recipient email services were unable “to confirm that [a] message came from a trusted location.” 

SPF, for those unfamiliar with it, is a method of outbound email authentication that helps avoid email spoofing, impersonation and phishing. If, for example, a service like Hotmail were to have one of its subdomains removed from the DNS TXT record that stores its SPF list, then recipient services may assume mail sent from it is junk.

And that appears to be just what happened. 

Reddit users posting to the Sysadmin subreddit verified they were experiencing SPF issues with Hotmail. One user pulled up Hotmail’s SPF record and found that Redmond had made two changes: removing spf.protection.outlook.com from the record, and changing the SPF failure condition from soft to hard. That meant any suspicious messages from Hotmail should be rejected rather than just sent to spam. 
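Both changes the Reddit user spotted can be caught before publication by diffing the old and new SPF strings. The following Python check is an added example, not code from the article or from Microsoft; the two records are constructed for illustration (only the `spf.protection.outlook.com` include and the soft-to-hard change come from the article), and `include:` targets are compared as text rather than resolved over DNS.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
STRICTNESS = {"pass": 0, "neutral": 1, "softfail": 2, "fail": 3}

# Constructed records for illustration only (not Hotmail's real SPF data).
OLD_RECORD = ("v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com "
              "include:spf.example.net ~all")
NEW_RECORD = "v=spf1 ip4:192.0.2.0/24 include:spf.example.net -all"


def parse_spf(record):
    """Return ({mechanism: result}, result_of_all) for one SPF TXT string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = {}
    default = "neutral"  # RFC 7208 default when nothing matches; redirect= is not followed here
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = (term[1:] if term[0] in QUALIFIERS else term).lower()
        if re.match(r"[a-z][a-z0-9_.-]*=", body):
            continue  # modifier (redirect=, exp=), not a mechanism
        if body == "all":
            default = QUALIFIERS[qualifier]
            break  # terms after "all" are never evaluated
        mechanisms[body] = QUALIFIERS[qualifier]
    return mechanisms, default


def risky_changes(old_record, new_record):
    """List changes that can turn previously accepted mail into rejections."""
    old_mechs, old_all = parse_spf(old_record)
    new_mechs, new_all = parse_spf(new_record)
    findings = [f"removed mechanism: {m}"
                for m in sorted(set(old_mechs) - set(new_mechs))]
    removed = bool(findings)
    if STRICTNESS[new_all] > STRICTNESS[old_all]:
        findings.append(f"default tightened: {old_all} -> {new_all}")
    if removed:
        findings.append(
            f"senders covered only by a removed mechanism now evaluate to {new_all}")
    return findings


if __name__ == "__main__":
    for finding in risky_changes(OLD_RECORD, NEW_RECORD):
        print(finding)
```

Run as a gate in DNS change review: an empty list means the new record neither drops an authorized sender nor tightens the default result.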

Microsoft support forum advisors confirmed that the issue was known, which was further confirmed by a look at the Office service status page. Per Microsoft: “Some users may receive non-delivery reports when attempting to send emails from hotmail.com.” 

At time of writing, the status page indicated that “a recent change to email authentication” was the potential root cause of the outage. Microsoft said it made a configuration change to remediate impact, but shortly after said the problem may have been worse than it appeared at first glance. 

“We’ve identified that additional configuration entries are impacted, and we’re implementing further configuration changes to resolve the issue,” Microsoft said. Not long after that was posted, Microsoft indicated configuration changes were complete and the problem was fixed. 

Microsoft didn’t respond to our questions about the incident, only saying the issue had been resolved.

Critical vulnerabilities of the week

Last week was a quiet one for critical vulns, but Cisco and Juniper still managed to put out some patches worthy of your attention.

Juniper’s was the most pressing: A series of four relatively low-risk CVEs that can be chained together into one with a CVSS score of 9.8. According to Juniper, the flaw lies in Junos OS found on both SRX and EX series devices. 

“By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices,” Juniper warned. You know the drill: patch ASAP.

Cisco released patches for several of its products last week, each of which should be installed ASAP. Of particular note is an SQL injection vulnerability in Cisco’s Unified Communications Manager due to improper input validation. 

Finally, for readers in charge of industrial control systems, several Schneider Electric EcoStruxure and Modicon components are vulnerable to authentication bypass by capture-replay that could allow attackers to hijack sessions.

NYC hops on the TikTok ban-wagon

The government of New York City has banned TikTok on city-owned devices and given departments just 30 days to comply with its decision to divest from the Chinese social media app. 

Several news sources have cited statements from New York City Hall spokespeople, who’ve all given the same general line of reasoning: The NYC Cyber Command determined that TikTok posed a potential threat to city technology, and thus shouldn’t run on city devices. 

TikTok accounts operated by NYC’s Sanitation and Police departments both indicate they’re no longer in use.

The ban in NYC is the latest in a wave of TikTok turnoffs that have seen several states order the removal of the made-in-China app from publicly-owned devices – a move the US House of Representatives also made late last year. 

A bipartisan bill was introduced into the US House in 2022 to ban TikTok in the US completely, though it hasn’t advanced – the only state to ban the app for civilian use is Montana, an effort which TikTok is fighting.

Ex-wife of murdered Microsoft exec arrested for role in plot

A former Microsoft executive murdered last year was killed at the behest of his ex-wife, law enforcement officials charged after arresting Shanna Gardner this week. 

Gardner’s ex-husband, Jared Bridegan, was shot to death in February 2022 after dropping his two older children off at Gardner’s home. Shortly after leaving, Bridegan spotted a tire in the road, stopped his car to move it, and was gunned down while his two-year-old child watched.

Bridegan’s obituary indicates he was a senior design manager at Microsoft at the time of his death.

Mario Fernandez Saldana, Gardner’s current husband, and his associate Henry Tenon were indicted and charged in the murder in early 2023. Gardner was indicted Thursday by a grand jury on charges of first-degree murder and conspiracy to commit such, solicitation to commit a capital felony and child abuse.

“This investigation has uncovered the truth of Jared’s murder,” said state attorney Melissa Nelson. “Henry Tenon did not act alone. Mario Fernandez did not plan alone. And Shanna Gardner’s indictment acknowledges her central and key role in the cold, calculated, and premeditated murder of Jared Bridegan.” ®
