
Microsoft DNS boo-boo breaks Hotmail for users around the globe

ALSO: NYC says kthxbye to TikTok, slain Microsoft exec's wife indicted, and some ASAP patch warnings


Infosec in brief: Someone at Microsoft has some explaining to do after a messed-up DNS record caused emails sent from accounts using Microsoft's Outlook Hotmail service to be rejected and directed to spam folders starting on Thursday.

Late on Thursday evening, Hotmail users began reporting that some emails were being returned with errors related to Sender Policy Framework (SPF), and thus recipient email services were unable "to confirm that [a] message came from a trusted location." 

SPF, for those unfamiliar with it, is a method of outbound email authentication that helps avoid email spoofing, impersonation and phishing. If, for example, a service like Hotmail were to have one of its subdomains removed from the DNS TXT record that stores its SPF list, then recipient services may assume mail sent from it is junk.

And that appears to be just what happened. 

Reddit users posting to the Sysadmin subreddit verified they were experiencing SPF issues with Hotmail. One user pulled up Hotmail's SPF record and found that Redmond had made two changes: removing spf.protection.outlook.com from the record, and changing the SPF failure condition from soft to hard. That meant any suspicious messages from Hotmail should be rejected rather than just sent to spam. 

Microsoft support forum advisors confirmed that the issue was known, which was further confirmed by a look at the Office service status page. Per Microsoft: "Some users may receive non-delivery reports when attempting to send emails from hotmail.com." 

At time of writing, the status page indicated that "a recent change to email authentication" was the potential root cause of the outage. Microsoft said it made a configuration change to remediate impact, but shortly after said the problem may have been worse than it appeared at first glance. 

"We've identified that additional configuration entries are impacted, and we're implementing further configuration changes to resolve the issue," Microsoft said. Not long after that was posted, Microsoft indicated configuration changes were complete and the problem was fixed. 

Microsoft didn't respond to our questions about the incident, only saying the issue had been resolved.

Critical vulnerabilities of the week

Last week was a quiet one for critical vulns, but Cisco and Juniper still managed to put out some patches worthy of your attention.

Juniper's was the most pressing: A series of four relatively low-risk CVEs that can be chained together into one with a CVSS score of 9.8. According to Juniper, the flaw lies in Junos OS found on both SRX and EX series devices. 

"By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices," Juniper warned. You know the drill: patch ASAP.

Cisco released patches for several of its products last week, each of which should be installed ASAP. Of particular note is an SQL injection vulnerability in Cisco's Unified Communications Manager due to improper input validation. 

Finally, for readers in charge of industrial control systems, several Schneider Electric EcoStruxure and Modicon components are vulnerable to authentication bypass by capture-replay that could allow attackers to hijack sessions.

NYC hops on the TikTok ban-wagon

The government of New York City has banned TikTok on city-owned devices and given departments just 30 days to comply with its decision to divest from the Chinese social media app. 

Several news sources have cited statements from New York City Hall spokespeople, who've all given the same general line of reasoning: The NYC Cyber Command determined that TikTok posed a potential threat to city technology, and thus shouldn't run on city devices. 

TikTok accounts operated by NYC's sanitation and police departments both indicate they're no longer in use.

The ban in NYC is the latest in a wave of TikTok turnoffs that have seen several states order the removal of the made-in-China app from publicly-owned devices – a move the US House of Representatives also made late last year. 

A bipartisan bill was introduced into the US House in 2022 to ban TikTok in the US completely, though it hasn't advanced – the only state to ban the app for civilian use is Montana, an effort which TikTok is fighting.

Ex-wife of murdered Microsoft exec arrested for role in plot

A former Microsoft executive murdered last year was killed at the behest of his ex-wife, law enforcement officials charged after arresting Shanna Gardner this week. 

Gardner's ex-husband, Jared Bridegan, was shot to death in February 2022 after dropping his two older children off at Gardner's home. Shortly after leaving, Bridegan spotted a tire in the road, stopped his car to move it, and was gunned down while his two-year old child watched. 

Bridegan's obituary indicates he was a senior design manager at Microsoft at the time of his death.

Mario Fernandez Saldana, Gardner's current husband, and his associate Henry Tenon were indicted and charged in the murder in early 2023. Gardner was indicted Thursday by a grand jury on charges of first degree murder and conspiracy to commit such, solicitation to commit a capital felony and child abuse. 

"This investigation has uncovered the truth of Jared's murder," said state attorney Melissa Nelson. "Henry Tenon did not act alone. Mario Fernandez did not plan alone. And Shanna Gardner's indictment acknowledges her central and key role in the cold, calculated, and premeditated murder of Jared Bridegan." ®
