
As cybercriminals, state-backed hackers, and scammers continue to flood the globe with digital attacks and aggressive activities, it’s no surprise that the makers of the ubiquitous Windows operating system are focusing on security defenses. Microsoft’s Patch Tuesday update releases frequently include fixes for critical vulnerabilities, including those actively exploited by attackers around the world.
The company already has the necessary teams to find weaknesses in its code (“red teams”) and develop mitigations (“blue teams”). But recently, the format has evolved again to foster more collaboration and interdisciplinary work, in the hope of uncovering more bugs and flaws before things start to spiral. Known as Microsoft Offensive Research and Security Engineering, or Morse, the unit combines red teams, blue teams and so-called green teams and focuses on finding flaws or fixing weaknesses. Red teams improve the way things work by changing the way work is done within the organization, finding and fixing flaws systematically.
“People believe that you can’t move forward without investing in security,” said David Weston, Microsoft’s vice president of enterprise and operating system security, who has been with the company for 10 years. “I was in the security department for a long time. For most of my career, we were considered annoying. Now, if anything, leaders would come to me and say, ‘Dave, I’m ok? Did we do everything we could?’ It’s a big change.”
Morse has been working to promote secure coding practices across Microsoft in order to reduce bugs in the company’s software in the first place. OneFuzz is an open-source Azure testing framework that allows Microsoft developers to continuously and automatically throw a variety of unusual use cases at their code to find bugs that wouldn’t be noticeable if the software were only used as intended.
The combined team has also been at the forefront of the company-wide rollout of safer programming languages like Rust. They also advocate for embedding security analysis tools directly into the real software compilers used in the company’s production workflow. The change is impactful, Weston said, because it means developers don’t do what-if analysis in a simulated environment, where some bugs might be overlooked at a step removed from actual production.
The Morse team says the shift to proactive security has brought real progress. In one recent example, Morse members were reviewing historical software, an important part of the group’s work, as much of the Windows codebase was developed before these extended security reviews. While researching how Microsoft implemented Transport Layer Security 1.3, Morse discovered a remotely exploitable vulnerability that could allow an attacker to gain access to a targeted device.
As Mitch Adair, Microsoft’s chief security officer for cloud security, put it: “It’s already bad. TLS is basically used to protect every service product Microsoft uses.”