At its Build 2023 conference this week, Microsoft announced Windows 11 will soon be able to run Win32 apps in isolation mode. XDA Developers reports: Starting [today], Microsoft is launching a preview of Win32 apps in isolation for Windows 11 customers. As the name suggests, it will allow users to run Win32 apps in an isolated environment so that they can be sandboxed from the rest of the operating system in order to further strengthen security. The idea is to leverage Windows 11`s isolation capabilities to run Win32 apps in an environment where they don`t have access to critical Windows components and subsystems. This will ensure that if someone runs a compromised Win32 app in isolation, it will be very difficult for an attacker to break through the sandbox and penetrate the rest of the system. This capability will be available in public preview for both enterprise customers and consumers.\n \n\n \n

An anonymous reader shares a report: Then, at some point, someone at Microsoft must have gotten fed up with rushing their .rar operations the way I have for 20 years and thought, there must be a better way. And so, under the subheading of `Reducing toil,` we have a few helpful UI updates, then casually and apropos of nothing, this: `In addition... We have added native support for additional archive formats, including tar, 7-zip, rar, gz and many others using the libarchive open-source project. You now can get improved performance of archive functionality during compression on Windows.`\n \n\n \n

An anonymous reader quotes a report from Ars Technica: Microsoft cloud services are scanning for malware by peeking inside users` zip files, even when they`re protected by a password, several users reported on Mastodon on Monday. Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code. While analysis of password-protected in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password `infected.` `While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples,` Brandt wrote. `The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.` Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services. One way is to extract any possible passwords from the bodies of email or the name of the file itself. Another is by testing the file to see if it`s protected with one of the passwords contained in a list. `If you mail yourself something and type something like `ZIP password is Soph0s`, ZIP up EICAR and ZIP password it with Soph0s, it`ll find (the) password, extract and find (and feed MS detection),` he wrote. `A Google representative said the company doesn`t scan password-protected zip files, though Gmail does flag them when users receive such a file,` notes Ars. `One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can`t be read. As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files.`\n \n\n \n

An anonymous reader quotes a report from Ars Technica: Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008. The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. PCs running Windows 11 must have it enabled to meet the software`s system requirements. Microsoft says that the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system. It can affect physical PCs and virtual machines with Secure Boot enabled. We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it`s installed and partly because it will eventually render current Windows boot media unbootable. The fix requires changes to the Windows boot manager that can`t be reversed once they`ve been enabled. Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn`t include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft`s ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs. Not wanting to suddenly render any users` systems unbootable, Microsoft will be rolling the update out in phases over the next few months. The initial version of the patch requires substantial user intervention to enable -- you first need to install May`s security updates, then use a five-step process to manually apply and verify a pair of `revocation files` that update your system`s hidden EFI boot partition and your registry. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs. A second update will follow in July that won`t enable the patch by default but will make it easier to enable. A third update in `first quarter 2024` will enable the fix by default and render older boot media unbootable on all patched Windows PCs. Microsoft says it is `looking for opportunities to accelerate this schedule,` though it`s unclear what that would entail.\n \n\n \n

An anonymous reader shares a report: Microsoft has now started notifying IT admins that it will force Outlook and Teams to ignore the default web browser on Windows and open links in Microsoft Edge instead. Reddit users have posted messages from the Microsoft 365 admin center that reveal how Microsoft is going to roll out this change. `Web links from Azure Active Directory (AAD) accounts and Microsoft (MSA) accounts in the Outlook for Windows app will open in Microsoft Edge in a single view showing the opened link side-by-side with the email it came from,` reads a message to IT admins from Microsoft. While this won`t affect the default browser setting in Windows, it`s yet another part of Microsoft 365 and Windows that totally ignores your default browser choice for links. Microsoft already does this with the Widgets system in Windows 11 and even the search experience, where you`ll be forced into Edge if you click a link even if you have another browser set as default. Further reading: Microsoft Broke a Chrome Feature To Promote Its Edge Browser.\n \n\n \n

An anonymous reader quotes a report from Gizmodo: Microsoft issued a Windows update that broke a Chrome feature, making it harder to change your default browser and annoying Chrome users with popups, Gizmodo has learned. An April Windows update borked a new button in Chrome -- the most popular browser in the world -- that let you change your default browser with a single click, but the worst was reserved for users on the enterprise version of Windows. For weeks, every time an enterprise user opened Chrome, the Windows default settings page would pop up. There was no way to make it stop unless you uninstalled the operating system update. It forced Google to disable the setting, which had made Chrome more convenient. This petty chapter of the browser wars started in July 2022 when Google quietly rolled out a new button in Chrome for Windows. It would show up near the top of the screen and let you change your default browser in one click without pulling up your system settings. For eight months, it worked great. Then, in April, Microsoft issued Windows update KB5025221, and things got interesting. `Every time I open Chrome the default app settings of Windows will open. I`ve tried many ways to resolve this without luck,` one IT administrator said on a Microsoft forum. A Reddit user noticed that the settings page also popped up any and every time you clicked on a link, but only if Chrome was your default browser. `It doesn`t happen if we change the default browser to Edge,` the user said. Others made similar complaints on Google support forums, some saying that entire organizations were having the issue. Users quickly realized the culprit was the operating system update. For people on the regular consumer version of Windows, things weren`t quite as bad; the one-click `Make Default` button just stopped working. Gizmodo was able to replicate the problem. In fact, we were able to circumvent the issue just by changing the name of the Chrome app on a Windows desktop. It seems that Microsoft threw up the roadblock specifically for Chrome, the main competitor to its Edge browser. [...] In response, Google had to disable its one-click default button; the issue stopped after it did. In other words, Microsoft seems to have gone out of its way to break a Chrome feature that made life easier for users. Google confirmed the details of this story, but declined to comment further.\n \n\n \n

Microsoft is rewriting core Windows libraries in the Rust programming language, and the more memory-safe code is already reaching developers. From a report: David `dwizzle` Weston, director of OS security for Windows, announced the arrival of Rust in the operating system`s kernel at BlueHat IL 2023 in Tel Aviv, Israel, last month. `You will actually have Windows booting with Rust in the kernel in probably the next several weeks or months, which is really cool,` he said. `The basic goal here was to convert some of these internal C++ data types into their Rust equivalents.` Microsoft showed interest in Rust several years ago as a way to catch and squash memory safety bugs before the code lands in the hands of users; these kinds of bugs were at the heart of about 70 percent of the CVE-listed security vulnerabilities patched by the Windows maker in its own products since 2006. The Rust toolchain strives to prevent code from being built and shipped that is exploitable, which in an ideal world reduces opportunities for miscreants to attack weaknesses in software. Simply put, Rust is focused on memory safety and similar protections, which cuts down on the number of bad bugs in the resulting code. Rivals like Google have already publicly declared their affinity for Rust.\n \n\n \n

Windows 10 22H2 will be the final version of the operating system, Microsoft said in a blog post on Thursday. From a report: Moving forward, all editions of Windows 10 will be supported with monthly security updates until October 14th, 2025, when Microsoft will end support. (Some releases on the Long-Term Servicing Channel, or LTSC, will get updates past that end of support date.) Microsoft is encouraging users to now transition to Windows 11 because Windows 10 won`t be getting any new features.\n \n\n \n

Microsoft`s Edge browser appears to be sending URLs you visit to its Bing API website. Reddit users first spotted the privacy issues with Edge last week, noticing that the latest version of Microsoft Edge sends a request to bingapis.com with the full URL of nearly every page you navigate to. Microsoft tells The Verge it`s investigating the reports. From a report: `Searching for references to this URL give very few results, no documentation on this feature at all,` said hackermchackface, the Reddit user who first discovered the issue. While Reddit users weren`t able to uncover why Microsoft Edge is sending the URLs you visit to its Bing API site, we asked Rafael Rivera, a software engineer and one of the developers behind EarTrumpet, to investigate, and he discovered it`s part of a poorly implemented new feature in Edge. `Microsoft Edge now has a creator follow feature that is enabled by default,` says Rivera in a conversation with The Verge. `It appears the intent was to notify Bing when you`re on certain pages, such as YouTube, The Verge, and Reddit. But it doesn`t appear to be working correctly, instead sending nearly every domain you visit to Bing.`\n \n\n \n

Longtime Slashdot reader GeorgeK and author at FreeSpeech.com writes: ICANN and Verisign have quietly proposed enormous changes to global domain name policy in their proposed renewal of the .NET registry agreement, which is now open for public comments. They`ve proposed allowing any government in the world to cancel, redirect, or transfer to their control applicable domain names. This is an outrageous and dangerous proposal that must be stopped, as it does not respect due process. While this proposal is currently only for .NET domain names, presumably they would want to also apply it to other extensions like .COM as those contracts come up for renewal. `This proposal represents a complete government takeover of domain names, with no due process protections for registrants,` adds Kirikos. `It would usurp the role of registrars, making governments go directly to Verisign (or any other registry that adopts similar language) to achieve anything they desired. It literally overturns more than two decades of global domain name policy.` Furthermore, Kirikos claims ICANN and Verisign `have deliberately timed the comment period to avoid public scrutiny.` He writes: `The public comment period opened on April 13, 2023, and is scheduled to end (currently) on May 25, 2023. However, the ICANN76 public meeting was held between March 11 and March 16, 2023, and the ICANN77 public meeting will be held between June 12 and June 15, 2023. Thus, they published the proposal only after the ICANN76 public meeting had ended (where we could have asked ICANN staff and the board questions about the proposal), and seek to end the public comment period before ICANN77 begins. This is likely not by chance, but by design.`\n \n\n \n

Microsoft is heading further down the path of advertising its own services in Windows 11, with different ads now popping up in the Start menu. From a report: To be precise, this is Windows 11 preview build 23435, which was just released to the Dev channel. As Microsoft puts it: `We are continuing the exploration of badging on the Start menu with several new treatments for users logging in with local user accounts to highlight the benefits of signing in with a Microsoft account (MSA).` So, the translation of this is that `badging` is essentially advertising (`badgering` would perhaps be more accurate), and it`s something we`ve recently seen with Windows 11 urging users to perform a cloud backup (in OneDrive). In this new preview build, the prodding stick is being employed to nudge those who haven`t enlisted for a Microsoft Account (who remain using a local account) into signing up for an MSA. Compared to the previous cloud backup prompt on the Start menu, it`s even clearer that this is advertising because it`s fully selling the benefits of having a Microsoft account. For example, Microsoft tells you how hooking your Windows 11 installation into an MSA will ensure that your PC is kept backed up and more secure, or that it`ll keep your settings synced across multiple devices.\n \n\n \n

Firefox has a reputation of being something of a resource hog, even among modern browsers. But it might not be entirely earned, because it looks like a CPU bug affecting Firefox users on Windows was actually the fault of Windows Defender. The latest update to the ubiquitous security tool addresses the issue, and should result in measurably lower CPU usage for the Windows version of Firefox. According to Mozilla senior software engineer Yannis Juglaret, the culprit was MsMpEng.exe, which you might recognize from your Task Manager. It handles the Real-Time protection feature that monitors web activity for malicious threats. The bug was causing Firefox to call on the service much more frequently than comparable browsers like Chrome or Edge, resulting in notable CPU spikes. Said CPU spikes could reduce performance in other applications or affect a laptop`s battery life. The issue was first reported on Mozilla`s bug tracker system way back in 2018 and quickly assigned to the MsMpEng service, but some more recent and diligent documentation on the part of Juglaret resulted in more swift action from Microsoft`s developers.

An anonymous reader writes: Windows users don`t like it when Microsoft changes long-used and familiar functions in its OS, so altering something that`s been the same for 28 years is always going to bring controversy. Nevertheless, it seems that the Redmond firm is planning on changing the Print Screen button into a key that opens the Windows 11 Snipping Tool. The Print Screen button has performed the same function in the Windows operating system since Windows 95: taking a screenshot of the current screen and copying it to the clipboard, usually so it can be edited in another program. But Windows Latest discovered that Microsoft is changing the default function of the Print Screen key in Windows 11. In the Windows 11 Beta preview builds 22621.1546 and 22624.1546, hitting the key will open the Windows Snipping Tool, Windows` built-in screenshotting tool that`s currently accessed by pressing the Windows logo Key + Shift + S.\n \n\n \n

An anonymous reader shares a report: Firefox has a reputation of being something of a resource hog, even among modern browsers. But it might not be entirely earned, because it looks like a CPU bug affecting Firefox users on Windows was actually the fault of Windows Defender. The latest update to the ubiquitous security tool addresses the issue, and should result in measurably lower CPU usage for the Windows version of Firefox. According to Mozilla senior software engineer Yannis Juglaret, the culprit was MsMpEng.exe, which you might recognize from your Task Manager. It handles the Real-Time protection feature that monitors web activity for malicious threats. The bug was causing Firefox to call on the service much more frequently than comparable browsers like Chrome or Edge, resulting in notable CPU spikes. Said CPU spikes could reduce performance in other applications or affect a laptop`s battery life. The issue was first reported on Mozilla`s bug tracker system way back in 2018 and quickly assigned to the MsMpEng service, but some more recent and diligent documentation on the part of Juglaret resulted in more swift action from Microsoft`s developers.\n \n\n \n

An anonymous reader shares a report: If you`ve ever researched anything online, you`ve probably used the Internet Archive (IA). The IA, founded in 1996 by librarian and engineer Brewster Kahle, describes itself as `a non-profit library of millions of free books, movies, software, music, websites, and more.` Their annals include 37 million books, many of which are old tomes that aren`t commercially available. It has classic films, plenty of podcasts and -- via its Wayback Machine -- just about every deleted webpage ever. Four corporate publishers have a big problem with this, so they`ve sued the Internet Archive. In Hachette v. Internet Archive, the Hachette Publishing Group, Penguin Random House, HarperCollins and Wiley have alleged that the IA is committing copyright infringement. Now a federal judge has ruled in the publishers` favor. The IA is appealing the decision. [...] Not only is this concern-trolling disingenuous, but the ruling itself, grounded in copyright, is a smack against fair use. It brings us one step closer to perpetual copyright -- the idea that individuals should own their work forever. The IA argued that their project was covered by fair use, as the Emergency Library provides texts for educational and scholarly purposes. Even writers objected to the court`s ruling. More than 300 writers signed a petition against the lawsuit, including Neil Gaiman, Naomi Klein and -- get this -- Chuck Wendig. Writers lost nothing from the Emergency Library and gained everything from it. For my part, I`ve acquired research materials from the IA that I wouldn`t have found anywhere else. The archive has scads of primary sources which otherwise might require researchers to fly across the country for access. The Internet Archive is good for literacy. It`s good for the public. It`s good for readers, writers and anyone who`s invested in literary education. It does not harm authors, whose income is no more dented by it than any library programs. Even the Emergency Library`s initial opponents have conceded this. The federal court`s decision is a victory for corporations and a disaster for everyone else. If this decision isn`t reversed, human beings will lose more knowledge than the Library of Alexandra ever contained. If IA`s appeal fails, it will be a tragedy of historical proportions.\n \n\n \n

The FBI recently warned consumers against using free public charging stations, saying crooks have managed to hijack public chargers that can infect devices with malware, or software that can give hackers access to your phone, tablet or computer. From a report: `Avoid using free charging stations in airports, hotels or shopping centers,` a tweet from the FBI`s Denver field office said. `Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.` The FBI offers similar guidance on its website to avoid public chargers.\n \n\n \n

Windows Central reports: According to my sources who are familiar with Microsoft`s plans, the company is once again hard at work on a new project internally that`s designed to modernize the Windows platform with many of the same innovations it was working on for Windows Core OS, but with a focus on native compatibility for legacy Win32 applications on devices where it makes sense. The project is codenamed CorePC and is designed to be a modular and customizable variant of Windows for Microsoft to leverage different form factors with. Not all Windows PCs need the full breadth of legacy Win32 app support, and CorePC will allow Microsoft to configure `editions` of Windows with varying levels of feature and app compatibility. The big change with CorePC versus the current shipping version of Windows is that CorePC is state separated, just like Windows Core OS. State separation enables faster updates and a more secure platform via read-only partitions that are inaccessible to the user and third-party apps, just like on iPadOS or Android. [...] CorePC splits up the OS into multiple partitions, which is key to enabling faster OS updates. State separation also enables faster and more reliable system reset functionality, which is important for Chromebook compete devices in the education sector. [...] My sources tell me CorePC will allow Microsoft to finally deliver a version of Windows that truly competes with Chromebooks in OS footprint, performance, and capabilities. [...] Microsoft is also working on a version of CorePC that meet the current feature set and capabilities of Windows desktop, but with state separation enabled for those faster OS updates and improved security benefits. The company is working on a compatibility layer codenamed Neon for legacy apps that require a shared state OS to function, too. Lastly, I hear that Microsoft is experimenting with a version of CorePC that`s `silicon-optimized,` designed to reduce legacy overhead, focus on AI capabilities, and vertically optimize hardware and software experiences in a way similar to that of Apple Silicon. Unsurprisingly, AI experiences are a key focus for Windows going into 2024.\n \n\n \n

Researchers have announced a major cybersecurity find -- the world`s first-known instance of real-world malware that can hijack a computer`s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows. From a report: Dubbed BlackLotus, the malware is what`s known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI -- short for Unified Extensible Firmware Interface -- the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC`s device firmware with its operating system, the UEFI is an OS in its own right. It`s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch. Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to run malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced. As appealing as it is to threat actors to install nearly invisible and unremovable malware that has kernel-level access, there are a few formidable hurdles standing in their way. One is the requirement that they first hack the device and gain administrator system rights, either by exploiting one or more vulnerabilities in the OS or apps or by tricking a user into installing trojanized software. Only after this high bar is cleared can the threat actor attempt an installation of the bootkit. The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer`s manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn`t recognized, Secure Boot will prevent the device from starting.\n \n\n \n

An anonymous reader shares a report: Did you force your PC to install Windows 11 despite it not meeting the official requirements? Microsoft might start nagging you for doing that -- or at least reminding you that what you`ve done is against the intended use of its operating system. The January 2023 Windows 11 update is pestering folks who forced the update on their PCs with a persistent watermark on the desktop warning that system requirements haven`t been met. The story is circulating among Windows blogs, though I found a couple of instances of folks complaining about the watermark on the official Microsoft support forums. The watermark says `system requirements not met` and is emblazoned on the desktop`s lower right hand corner if the operating system notices that it`s running on hardware that doesn`t meet the minimum requirements. It`s possible the culprit is the dedicated security processor, or TPM 2.0 (Trusted Platform Module) chip, used by services like BitLocker and Windows Hello. Microsoft requires this module before upgrading. It`s why many PCs were rendered un-upgradeable when Windows 11 was announced. Most new CPUs and motherboards have capability for it built into them, but the feature wasn`t a guaranteed inclusion prior to the Windows 11 launch.\n \n\n \n

An anonymous reader shares a report: Internet Explorer 11 was never Windows 10`s primary browser -- that would be the old, pre-Chromium version of Microsoft Edge. But IE did continue to ship with Windows 10 for compatibility reasons, and IE11 remained installed and accessible in most versions of Windows 10 even after security updates for the browser ended in June of 2022. That ends today, as Microsoft`s support documentation says that a Microsoft Edge browser update will fully disable Internet Explorer in most versions of Windows 10, redirecting users to Edge.\n \n\n \n

An anonymous reader shares a report from Tom`s Hardware: According to the PC Security Channel (via TechSpot), Microsoft`s Windows 11 sends data not only to the Redmond, Washington-based software giant, but also to multiple third parties. To analyze DNS traffic generated by a freshly installed copy of Windows 11 on a brand-new notebook, the PC Security Channel used the Wireshark network protocol analyzer that reveals precisely what is happening on a network. The results were astounding enough for the YouTube channel to call Microsoft`s Windows 11 `spyware.` As it turned out, an all-new Windows 11 PC that was never used to browse the Internet contacted not only Windows Update, MSN and Bing servers, but also Steam, McAfee, geo.prod.do, and Comscore ScorecardResearch.com. Apparently, the latest operating system from Microsoft collected and sent telemetry data to various market research companies, advertising services, and the like. When Tom`s Hardware contacted Microsoft, their spokesperson argued that flowing data is common in modern operating systems `to help them remain secure, up to date, and keep the system working as anticipated.` `We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy.`\n \n\n \n

Microsoft wants everyone to know that it isn`t looking to invade their privacy while looking through their Windows PCs to find out-of-date versions of Office software. From a report: In its KB5021751 update last month, Microsoft included a plan to scan Windows systems to smoke out those Office versions that are no longer supported or nearing the end of support. Those include Office 2007 (which saw support end in 2017) and Office 2010 (in 2020) and the 2013 build (this coming April). The company stressed that it would run only one time and would not install anything on the user`s Windows system, adding that the file for the update is scanned to ensure it`s not infected by malware and is stored on highly secure servers to prevent unauthorized changes to it. The update caused some discussion among users, at least enough to convince Microsoft to make another pitch that it is respecting user privacy and won`t access private data despite scanning their systems. The update collects diagnostic and performance data so that it can determine the use of various versions of Office and how to best support and service them, the software maker wrote in an expanded note this week. The update will silently run once to collect the data and no files are left on the user`s systems once the scan is completed.\n \n\n \n

An anonymous reader shares a report: Microsoft`s Windows 10 operating system has been available on the retail market for over seven years and was superseded by Windows 11 in October 2021. However, despite its age, Windows 10 remains the most popular version of Windows, with a global market share of 67.95% in December 2022 compared to 16.97% for Windows 11, according to StatCounter. But it now looks like Microsoft is ready to put the brakes on issuing new Windows 10 licenses to everyday consumers. Microsoft`s official product pages for Windows 10 Home and Windows 10 Pro now include the following disclaimer: `January 31, 2023 will be the last day this Windows 10 download is offered for sale. Windows 10 will remain supported with security updates that help protect your PC from viruses, spyware, and other malware until October 14, 2025.`\n \n\n \n

Mozilla recently fixed a bug that was first reported 18 years ago in Firebox 1.0, reports How-to Geek: Bug 290125 was first reported on April 12, 2005, only a few days before the release of Firefox 1.0.3, and outlined an issue with how Firefox rendered text with the ::first-letter CSS pseudo-element. The author said, `when floating left a :first-letter (to produce a dropcap), Gecko ignores any declared line-height and inherits the line-height of the parent box. [...] Both Opera 7.5+ and Safari 1.0+ correctly handle this.` The initial problem was that the Mac version of Firefox handled line heights differently than Firefox on other platforms, which was fixed in time for Firefox 3.0 in 2007. The issue was then re-opened in 2014, when it was decided in a CSS Working Group meeting that Firefox`s special handling of line heights didn`t meet CSS specifications and was causing compatibility problems. It led to some sites with a large first letter in blocks of text, like The Verge and The Guardian, render incorrectly in Firefox compared to other browsers. The issue was still marked as low priority, so progress continued slowly, until it was finally marked as fixed on December 20, 2022. Firefox 110 should include the updated code, which is expected to roll out to everyone in February 2023.\n \n\n \n

Ars Technica reports on a dangerously `wormable` Windows vulnerability that allowed attackers to execute malicious code with no authentication required - a vulnerability that was present `in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability.` Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of `important.` In the routine course of analyzing vulnerabilities after they`re patched, IBM security researcher Valentina Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did [the flaw used to detonate WannaCry]. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue.... One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months. EternalBlue, by contrast, was initially exploited by the NSA as a zero-day. The NSA`s highly weaponized exploit was then released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit. Palmiotti said there`s reason for optimism but also for risk: `While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time,` said Palmiotti. There`s still some risk, Palmiotti tells Ars Technica. `As we`ve seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether.` Thanks to Slashdot reader joshuark for sharing the article.\n \n\n \n

Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day vulnerability in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week`s Patch Tuesday.

\nIt’s December 2022 Patch Tuesday, and Microsoft has delivered fixes for 50+ vulnerabilities, including a Windows SmartScreen bypass flaw (CVE-2022-44698) exploited by attackers to deliver a variety of malware. CVE-2022-44698 CVE-2022-44698 affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. “The vulnerability has low complexity. It uses the network vector, and requires no privilege escalation. However, it does need user interaction; attackers need to dupe a victim into visiting a … More → \n \nThe post Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698) appeared first on Help Net Security .\n

Microsoft`s Chromium-based Edge browser was an improvement over the initial version of Edge in many ways, including its support for Windows 7 and Windows 8. But the end of the road is coming: Microsoft has announced that Edge will end support for Windows 7 and Windows 8 in mid-January of 2023, shortly after those operating systems stop getting regular security updates. From a report: Support will also end for Microsoft Edge Webview2, which can use Edge`s rendering engine to embed webpages in non-Edge apps. The end-of-support date for Edge coincides with the end of security update support for both Windows 7 and Windows 8 on January 10, and the end of Google Chrome support for Windows 7 and 8 in version 110. Because the underlying Chromium engine in both Chrome and Edge is open source, Microsoft could continue supporting Edge in older Windows versions if it wanted, but the company is using both end-of-support dates to justify a clean break for Edge.\n \n\n \n

\nGoogle has patched CVE-2022-4262, a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome (and Chromium), which is being exploited by attackers in the wild. No other technical details have been shared about this zero-day flaw, only that it was reported by security engineer Clement Lecigne of Google’s Threat Analysis Group (TAG), whose goal is to protect users from state-sponsored attacks and other advanced persistent threats. About CVE-2022-4262 With a “High” security … More → \n \nThe post Google Chrome zero-day exploited in the wild (CVE-2022-4262) appeared first on Help Net Security .\n

Microsoft has released an out-of-band update to nudge laggards toward Windows 11 amid a migration pace that company executives would undoubtedly prefer is rather faster. From a report: The software giant is offering an option of upgrading to Windows 11 as an out of box experience to its Windows 10 22H2 installed base, the main aim being to smooth their path forward to the latest operating system. `On November 30, 2022, an out-of-band update was released to improve the Windows 10, version 2004, 20H2, 21H1, 21H2, and 22H2 out-of-box experience (OOBE). It provides eligible devices with the option to upgrade to Windows 11 as part of the OOBE process. This update will be available only when an OOBE update is installed.` The update, KB5020683, applies only to Windows 10 Home and Professional versions 2004, 20H2, 21H1, 22H2. There are some pre-requisites that Microsoft has listed here before users can make the move to Windows 11. The operating system was released on October 5 last year but shifting stubborn consumers onto this software has proved challenging for top brass at Microsoft HQ in Redmond. According to Statcounter, a web analytics service that has tracking code installed on 1.5 million websites and records a page view for each, some 16.12 percent of Windows users had installed Windows 11 in November, higher than the 15.44 percent in the prior month, but likely still not close to the figures that Microsoft was hoping for.\n \n\n \n

`There is no evidence to suggest that TrustCor violated conduct, policy, or procedure` says biz \nMozilla and Microsoft have taken action against a certificate authority accused of having close ties to a US military contractor that allegedly paid software developers to embed data-harvesting malware in mobile apps.\n

Google researchers say they have linked a Barcelona, Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox, and Windows Defender. From a report: Variston IT bills itself as a provider of tailor-made Information security solutions, including technology for embedded SCADA (supervisory control and data acquisition) and Internet of Things integrators, custom security patches for proprietary systems, tools for data discovery, security training, and the development of secure protocols for embedded devices. According to a report from Google`s Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on devices they want to spy on. Researchers Clement Lecigne and Benoit Sevens said the exploit frameworks were used to exploit n-day vulnerabilities, which are those that have been patched recently enough that some targets haven`t yet installed them. Evidence suggests, they added, that the frameworks were also used when the vulnerabilities were zero-days. The researchers are disclosing their findings in an attempt to disrupt the market for spyware, which they said is booming and poses a threat to various groups.\n \n\n \n

Flaws in the open-source tool exploited and India`s power grid was a target \nMicrosoft is warning that systems using the long-discontinued Boa web server could be at risk of attacks after a series of intrusion attempts of power grid operations in India likely included exploiting security flaws in the technology.\n

Mark Hachman, writing for PCWorld: Windows 8 stunk. It might have helped cost chief executive Steve Ballmer his job. Windows 8.1 was a bit better -- but if you love it, you have only a month or so left to enjoy it. Microsoft will kill off Windows 8.1 support on January 10, 2023. There`s no out: Microsoft will not be offering an extended support package for Windows 8.1. At that point, you`ll have a choice: buy a new Windows PC, or officially pay to upgrade to either Windows 10 or Windows 11. What does the end of support mean? Until January 10, Microsoft will offer security patches and other fixes for any security issues that crop up. Afterwards, you`re on your own. If any exploit or malware surfaces, you`ll have to depend on any antivirus software you have running -- Microsoft won`t be issuing any more patches after Jan. 10, and your PC will absolutely be at risk.\n \n\n \n

Microsoft says token theft attacks are on the rise. From a report: Microsoft has outlined several mitigations to protect against attacks on multi-factor authentication that will unfortunately make life more difficult for your remote workers. Three years ago, attacks on multi-factor authentication (MFA) were so rare that Microsoft didn`t have decent statistics on them, largely because few organisations had enabled MFA. But with MFA use rising as attacks on passwords become more common, Microsoft has seen an increase in attackers using token theft in their attempts to sidestep MFA. In these attacks, the attacker compromises a token issued to someone who`s already completed MFA and replays that token to gain access from a different device. Tokens are central to OAuth 2.0 identity platforms, including Azure Active Directory (AD), which aim to make authentication simpler and faster for users, but in a way that`s still resilient to password attacks. Moreover, Microsoft warns that token theft is dangerous because it doesn`t require high technical skills, detection is difficult and, because the technique has only recently seen an uptick, few organisations have mitigations in place. `Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose,` Microsoft says in a blogpost. `By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This poses to be a concerning tactic for defenders because the expertise needed to compromise a token is very low, is hard to detect, and few organizations have token theft mitigations in their incident response plan.`\n \n\n \n

Microsoft has fixed yet another problem in some versions of Windows 10, a bug that makes the taskbar and desktop temporarily vanish or causes the system to ignore you. From a report: According to Redmond, users `might experience an error in which the desktop or taskbar might momentarily disappear, or your device might become unresponsive.` The issue affects PCs running Windows 10 versions 22H2, 21H2, 21H1, and 20H2, the company wrote on its Windows Health Dashboard. Microsoft didn`t outline the exact cause but notes it was related to the KB5016688 220820_03051 cumulative update and later. The software giant is using its Known Issue Rollback (KIR) feature -- which enables IT administrators to roll back the unwanted changes of an update -- to resolve the problem, adding that it could take up to 24 hours for the fix to reach non-managed business systems and consumer devices. Restarting the device may accelerate the timeframe. Organizations that use enterprise-managed devices can install and configure a special Group Policy by going to `Computer Configuration` and then `Administrative Templates` and `Group Policy name.` If the resolution doesn`t work, users can try restarting the Windows device, according to Microsoft. The latest fix comes after a number of other problems were resolved this week.\n \n\n \n

whoever57 writes: Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto? You probably already do. Washington Post reports: An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google`s Chrome, Apple and #226;(TM)s Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what`s known as a root certificate authority, a powerful spot in the internet`s infrastructure that guarantees websites are not fake, guiding users to them seamlessly. The company`s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it. whoever57 has also shared a unpaywalled link to the story.\n \n\n \n

Microsoft is now promoting some of its products in the sign-out flyout menu that shows up when clicking the user icon in the Windows 11 start menu. BleepingComputer: This new Windows 11 `feature` was discovered by Windows enthusiast Albacore, who shared several screenshots of advertisement notifications in the Accounts flyout. The screenshots show that Microsoft promotes the OneDrive file hosting service and prods users to create or complete their Microsoft accounts. Those reacting to this on social media had an adverse reaction to Redmond`s decision to display promotional messages in the start menu. Some said that Windows 11 is `getting worse in each and every update it gets,` while others added that this is a weird choice given that `half of the Start Menu is for recommendations` anyway. BleepingComputer has also tried replicating this on multiple Windows 11 systems, but we didn`t get any ads. This hints at an A/B testing experiment trying to gauge the success of such a `feature` on devices running Windows Insider builds or the company pushing such ads to a limited set of customers.\n \n\n \n

Much of the Windows world has yet to adopt Microsoft`s latest desktop operating system more than a year after it launched, according to figures for October collated by Statcounter. From a report: Just 15.44 percent of PCs across the globe have installed Windows 11, meaning it gained 1.83 percentage points in a month. This compares to the 71.29 percent running Windows 10, which fell marginally from 71.88 percent in September. Windows 7 is still hanging on with a tenuous grip, in third place with 9.61 percent, Windows 8.1 in fourth with 2.45 percent, plain old Windows 8 with 0.69 percent, and bless its heart, Windows XP with 0.39 percent because of your extended family. In total, Windows has almost 76 percent of the global desktop OS market followed by OS X with 15.7 percent and Linux with 2.6 percent. Android comprised 42.37 percent of total operating system market share, with Windows trailing on 30.11 percent, iOS on 17.6 percent, OS X on 6.24 percent, and Linux on 1.04 percent.\n \n\n \n

An anonymous reader quotes a report from ZDNet: Everyone depends on OpenSSL. You may not know it, but OpenSSL is what makes it possible to use secure Transport Layer Security (TLS) on Linux, Unix, Windows, and many other operating systems. It`s also what is used to lock down pretty much every secure communications and networking application and device out there. So we should all be concerned that Mark Cox, a Red Hat Distinguished Software Engineer and the Apache Software Foundation (ASF)`s VP of Security, this week tweeted, `OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC.` How bad is `Critical`? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable. It`s likely to be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code execute remotely. In other words, pretty much everything you don`t want happening on your production systems. The last time OpenSSL had a kick in its security teeth like this one was in 2016. That vulnerability could be used to crash and take over systems. Even years after it arrived, security company Check Point estimated it affected over 42% of organizations. This one could be worse. We can only hope it`s not as bad as that all-time champion of OpenSSL`s security holes, 2014`s HeartBleed. [...] There is another little silver lining in this dark cloud. This new hole only affects OpenSSL versions 3.0.0 through 3.0.6. So, older operating systems and devices are likely to avoid these problems. For example, Red Hat Enterprise Linux (RHEL) 8.x and earlier and Ubuntu 20.04 won`t be smacked by it. RHEL 9.x and Ubuntu 22.04, however, are a different story. They do use OpenSSL 3.x. [...] But, if you`re using anything with OpenSSL 3.x in -- anything -- get ready to patch on Tuesday. This is likely to be a bad security hole, and exploits will soon follow. You`ll want to make your systems safe as soon as possible.\n \n\n \n

\n Remote attackers could exploit two Event Log vulnerabilities in Windows to crash the Event Log application and cause a denial-of-service (DoS) condition, Varonis warns. \n \n Event Log is an Internet Explorer-specific application that exists in all Windows iterations, due to the deep integration of the browser with the operating system. \n \n read more \n

Nearly 43 percent of millions of devices studied by asset management provider Lansweeper are unable to upgrade to Windows 11 due to the hardware requirements Microsoft set out for the operating system. The Register reports: Lansweeper said 42.76 percent of the estimated 27 million PCs it tested across 60,000 organizations failed the CPU test, albeit better than the 57.26 percent in its last test a year ago. Altogether 71.5 percent of the PCs failed the RAM test and 14.66 percent the TPM test. `We know that those who can`t update to Windows 11... will continue to use Windows 10,` said Roel Decneut, chief strategy officer at Lansweeper, whose customers include Sony, Pepsico, Cerner, MiT and Hilton hotels. He said that even if enterprises are prepared to upgrade their PC fleet to meet the system requirements of Microsoft`s latest OS, there are `broader issues affecting adoption that are out of Microsoft`s control.` `Global supply chain disruption has created chip a processor shortage, while many are choosing to stick with what hardware they have at the moment due to the global financial uncertainty.` Other findings from Lansweeper show adoption rates for the latest OS are improving, running on 1.44 percent of computers versus 0.52 percent in January. This means the latest incarnation has overtaken Windows 8 in the popularity stakes but remains behind market share for Windows 7, despite that software going end of life in January 2020. Adoption is, unsurprisingly, higher in the consumer space. Some 4.82 percent of the biz devices researched were running an OS that wasn`t fully supported and 0.91 percent had servers in their estate that are end of life.\n \n\n \n

Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.

Microsoft on Tuesday said it`s starting to release the first major update to Windows 11, the current version of its PC operating system. The company said the update is aimed at making PCs easier and safer to use and improve productivity. Some excerpts detailing new features from Windows blog: Windows 11 brought a sense of ease to the PC, with an intuitive design people love. We`re building on that foundation with new features to ensure the content and information you need is always at your fingertips, including updates to the Start menu, faster and more accurate search, Quick Settings, improved local and current events coverage in your Widgets board, and the No. 1 ask from you, tabs in File Explorer. All of this helps Windows anticipate your needs and save you time. [...] The PC has always been where people come to get things done -- especially when it comes to tackling complex tasks. With enhancements to Snap layouts, the new Focus feature, and performance and battery optimizations, the new Windows 11 2022 update will help you be your most productive yet. Snap layouts on Windows 11 have been a game changer for multitasking, helping people optimize their view when they need to have multiple apps or documents in front of them at the same time. With the new update, we`re making Snap layouts more versatile with better touch navigation and the ability to snap multiple browser tabs in Microsoft Edge. We`re introducing Focus sessions and Do Not Disturb to help you minimize distractions that pull you away from the task at hand. [...] We also want to continue to make Windows the best place to play games. This update will deliver performance optimizations to improve latency and unlock features like Auto HDR and Variable Refresh Rate on windowed games. And with Game Pass built right into Windows 11 through the Xbox app, players can access hundreds of high-quality PC games. Having the right content fuels a great PC experience. A year ago, we redesigned the Microsoft Store on Windows to be more open and easier-to-use -- a one-stop shop for the apps, games and TV shows you love. Today, through our partnership with Amazon, we are expanding the Amazon Appstore Preview to international markets, bringing more than 20,000 Android apps and games to Windows 11 devices that meet the feature-specific hardware requirements. In addition to a growing catalog of apps and games, we are also excited to share that we are moving to the next stage of the Microsoft Store Ads pilot -- helping developers get content in front of the right customers. [...] Windows 11 provides layers of hardware and software integrated for powerful, out-of-the box protection from the moment you start your device -- and we`re continuing to innovate. The new Microsoft Defender SmartScreen identifies when people are entering their Microsoft credentials into a malicious application or hacked website and alerts them.\n \n\n \n

An anonymous reader shares a report: When ArsTechnica reviewed Windows 11 last fall, one of its biggest concerns was that it would need to wait until the fall of 2022 to see changes or improvements to its new -- and sometimes rough -- user interface. Nearly a year later, it`s become abundantly clear that Microsoft isn`t holding back changes and new apps for the operating system`s yearly feature update. One notable smattering of additions was released back in February alongside a commitment to `continuous innovation.` Other, smaller updates before and since (not to mention the continuously-updated Microsoft Edge browser) have also emphasized Microsoft`s commitment to putting out new Windows features whenever they`re ready. There`s been speculation that Microsoft could be planning yet another major shake-up to Windows` update model, moving away from yearly updates that would be replaced by once-per-quarter feature drops, allegedly called `Moments` internally. These would be punctuated by larger Windows version updates every three years or so. As part of the PR around the Windows 11 2022 Update (aka Windows 11 22H2), the company has made clear that none of this is happening. `Windows 11 will continue to have an annual feature update cadence, released in the second half of the calendar year that marks the start of the support lifecycle,` writes Microsoft VP John Cable, `with 24 months of support for Home and Pro editions and 36 months of support for Enterprise and Education editions.` These updates will include their own new features and changes, as the 2022 Update does, but you`ll also need to have the latest yearly update installed to continue to get additional feature updates via Windows Update and the Microsoft Store. As for the Windows 12 rumors, Microsoft simply told Ars it has `no plans to share today.` This stance leaves the company plenty of room to change its plans tomorrow or any day after that. But we can safely say that a new numbered version of Windows won`t happen in the near future. For smaller changes that aren`t delivered as part of a yearly feature update or via a Microsoft Store update, Microsoft will use something called Controlled Feature Rollout (CFR) to test features with a subset of Windows users rather than delivering them to everyone all at once.\n \n\n \n

Recent research from the otto-js Research Team has uncovered that data that is being checked by both Microsoft Editor and the enhanced spellcheck setting within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything that is typed into a text box that is checked by these features. Neowin reports: As an additional note, even passwords can be sent by these features, but only when a `Show Password` button is pressed, which converts the password into visible text, which is then checked. The key issue resolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure. Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update. The issue has already been dubbed `spell-jacking`. What`s most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realising it. The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft. At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved.\n \n\n \n

The makers of the secure telnet client PuTTY also sell a service monitoring company security services - and this July Mandiant Managed Defense `identified a novel spear phish methodology,` according to a post on the company`s blog: [The threat cluster] established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.... This activity was identified by our Mandiant Intelligence: Staging Directories mission, which searches for anomalous files written to directories commonly used by threat actors.... The amazon_assessment.iso archive held two files: an executable and a text file. The text file named Readme.txt had connection details for use with the second file: PuTTY.exe.... [T]he PuTTY.exe binary in the malicious archive does not have a digital signature. The size of the PuTTY binary downloaded by the victim is also substantially larger than the legitimate version. Upon closer inspection, it has a large, high entropy .data section in comparison to the officially distributed version. Sections like these are typically indicative of packed or encrypted data. The suspicious nature of the PuTTY.exe embedded in the ISO file prompted Managed Defense to perform a deeper investigation on the host and the file itself. The execution of the malicious PuTTY binary resulted in the deployment of a backdoor to the host. `The executable embedded in each ISO file is a fully functional PuTTY application compiled using publicly available PuTTY version 0.77 source code,` the blog post points out. Ars Technica notes that Mandiant`s researchers believe it`s being pushed by groups with ties to North Korea: The executable file installed the latest version of Airdry, a backdoor the US government has attributed to the North Korean government. The US Cybersecurity and Infrastructure Security Agency has a description here. Japan`s community emergency response team has this description of the backdoor, which is also tracked as BLINDINGCAN.\n \n\n \n

Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. BleepingComputer reports: `This attack does not require special permissions or advanced malware to get away with major internal damage,` Connor Peoples at cybersecurity company Vectra explains in a report this week. The researcher adds that by taking `control of critical seats -- like a company`s Head of Engineering, CEO, or CFO -- attackers can convince users to perform tasks damaging to the organization.` Vectra researchers discovered the problem in August 2022 and reported it to Microsoft. However, Microsoft did not agree on the severity of the issue and said that it doesn`t meet the criteria for patching. With a patch unlikely to be released, Vectra`s recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks. The researchers advise Linux users to move to a different collaboration suite, especially since Microsoft announced plans to stop supporting the app for the platform by December.\n \n\n \n

Plus: Nasty no-auth RCE in TCP/IP stack, and many more updates \n Patch Tuesday September`s Patch Tuesday is here and it brings, among other things, fixes from Microsoft for one security bug that miscreants have used to fully take over Windows systems along with details of a second vulnerability that, while not yet under attack, has already been publicly disclosed.\n

Microsoft has confirmed to Sky News that criminals are posting counterfeit packages designed to appear like Office products in order to defraud people. From the report: One such package seen by Sky News is manufactured to a convincing standard and contains an engraved USB drive, alongside a product key. But the USB does not install Microsoft Office when plugged in to a computer. Instead, it contains malicious software which encourages the victim to call a fake support line and hand over access to their PC to a remote attacker. Microsoft launched an internal investigation into the suspect package after being contacted by Sky News. The company spokesperson confirmed that the USB and the packaging were counterfeit and that they had seen a pattern of such products being used to scam victims before. They added that while Microsoft had seen this type of fraud, it is very infrequent. More often when fraudulent products are sold they tend to be product keys sent to customers via email, with a link to a site for downloading the malicious software.\n \n\n \n

\n Mozilla this week patched several high-severity vulnerabilities in its Firefox and Thunderbird products. \n \n Firefox 104 as well as Firefox ESR 91.13 and 102.2 patches a high-severity address bar spoofing issue related to XSLT error handling. The flaw, tracked as CVE-2022-38472, could be exploited for phishing. \n \n read more \n

joshuark writes: Microsoft has found a bug in ChromeOS and given it a high vulnerability 9.8 out of 10. The bug was promptly fixed and, about a month later, merged in ChromeOS code then released on June 15, 2022. This is a reversal in that Google usually finds security bugs in software from Microsoft and other vendors after typically 90 days -- even if a patch had not been released -- in the interest of forcing companies to respond to security flaws more quickly. [...] The ChromeOS memory corruption vulnerability -- CVE-2022-2587 -- was particularly severe. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explains in his post, the problem follows from the use of D-Bus, an Inter-Process-Communication (IPC) mechanism used in Linux. A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides a way to route audio to newly added peripherals like USB speakers and Bluetooth headsets. The service includes a function called SetPlayerIdentity, which accepts a string argument called identity as its input. And the function`s C code calls out to strcpy in the standard library. Yes, strcpy, which is a dangerous function.\n \n\n \n

Multiple people who appear to be employees of Microsoft have exposed sensitive login credentials to the company`s own infrastructure on GitHub, potentially offering attackers a gateway into internal Microsoft systems, according to a cybersecurity research firm that found the exposed credentials. Motherboard reports: `We continue to see that accidental source code and credential leakages are part of the attack surface of a company, and it`s becoming more and more difficult to identify in a timely and accurate manner. This is a very challenging issue for most companies these days,` Mossab Hussein, chief security officer at cybersecurity firm spiderSilk which discovered the issue, told Motherboard in an online chat. Hussein provided Motherboard with seven examples in total of exposed Microsoft logins. All of these were credentials for Azure servers. Azure is Microsoft`s cloud computer service and is similar to Amazon Web Services. All of the exposed credentials were associated with an official Microsoft tenant ID. A tenant ID is a unique identifier linked to a particular set of Azure users. One of the GitHub users also listed Microsoft on their profile. Three of the seven login credentials were still active when spiderSilk discovered them, with one seemingly uploaded just days ago at the time of writing. The other four sets of credentials were no longer active but still highlighted the risk of workers accidentally uploading keys for internal systems. Microsoft refused to elaborate on what systems the credentials were protecting when asked multiple times by Motherboard. But generally speaking, an attacker may have an opportunity to move onto other points of interest after gaining initial access to an internal system. One of the GitHub profiles with exposed and active credentials makes a reference to the Azure DevOps code repository. Highlighting the risk that such credentials may pose, in an apparently unrelated hack in March attackers gained access to an Azure DevOps account and then published a large amount of Microsoft source code, including for Bing and Microsoft`s Cortana assistant. `We`ve investigated and have taken action to secure these credentials,` said a Microsoft spokesperson in a statement. `While they were inadvertently made public, we haven`t seen any evidence that sensitive data was accessed or the credentials were used improperly. We`re continuing to investigate and will continue to take necessary steps to further prevent inadvertent sharing of credentials.`\n \n\n \n

joshuark shares a report from Computerworld: Despite previously claiming the DogWalk vulnerability did not constitute a security issue, Microsoft has now released a patch to stop attackers from actively exploiting the vulnerability. [...] The vulnerability, known as CVE-2022-34713 or DogWalk, allows attackers to exploit a weakness in the Windows Microsoft Support Diagnostic Tool (MSDT). By using social engineering or phishing, attackers can trick users into visiting a fake website or opening a malicious document or file and ultimately gain remote code execution on compromised systems. DogWalk affects all Windows versions under support, including the latest client and server releases, Windows 11 and Windows Server 2022. The vulnerability was first reported in January 2020 but at the time, Microsoft said it didn`t consider the exploit to be a security issue. This is the second time in recent months that Microsoft has been forced to change its position on a known exploit, having initially rejected reports that another Windows MSDT zero-day, known as Follina, posed a security threat. A patch for that exploit was released in June`s Patch Tuesday update.\n \n\n \n

Microsoft is reportedly laying off its team focused on winning back consumers. From a report: In 2018 the software giant originally detailed its efforts to win back the non-enterprise customers it let down, forming a Modern Life Experiences team to focus on professional consumers (prosumers). Business Insider now reports that Microsoft is laying off that team, and telling the roughly 200 affected employees to find another position at the company or take severance pay. While Microsoft isn`t officially commenting on the end of its Modern Life initiative, a Microsoft senior designer revealed there was `hard news` for the Modern Life Experiences team this week in a LinkedIn post. The news comes weeks after Microsoft cut less than 1 percent of its 180,000-person workforce, with job cuts in consulting, and customer and partner solutions. Microsoft has also been cutting open job roles as it slows hiring amid a weakening economy.\n \n\n \n

ZDNet reports: Microsoft is rolling out a new security default for Windows 11 that will go a long way to preventing ransomware attacks that begin with password-guessing attacks and compromised credentials. The new account security default on account credentials should help thwart ransomware attacks that are initiated after using compromised credentials or brute-force password attacks to access remote desktop protocol (RDP) endpoints, which are often exposed on the internet. RDP remains the top method for initial access in ransomware deployments, with groups specializing in compromising RDP endpoints and selling them to others for access. The new feature is rolling out to Windows 11 in a recent Insider test build, but the feature is also being backported to Windows 10 desktop and server, according to Dave Weston, vice president of OS Security and Enterprise at Microsoft. `Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks - this control will make brute forcing much harder which is awesome!,` Weston tweeted. Weston emphasized `default` because the policy is already an option in Windows 10 but isn`t enabled by default. That`s big news and is a parallel to Microsoft`s default block on internet macros in Office on Windows devices, which is also a major avenue for malware attacks on Windows systems through email attachments and links.... The defaults will be visible in the Windows Local Computer Policy directory `Account Lockout Policy`. The default `account lockout duration` is 10 minutes; the `account lockout threshold` is set to a maximum of 10 invalid logon attempts; a setting to `allow administrator account lockout` is enabled; and the `reset account lockout counter after` setting is set to 10 minutes.\n \n\n \n

Microsoft confirmed this week that it will soon start blocking Visual Basic Applications (VBA) macros in Office apps by default after quietly rolling back the change earlier this month. From a report: In a new update, the technology giant said that it will start blocking Office macros by default starting from July 27. This comes shortly after Microsoft halted the rollout of the macros-blocking feature citing unspecified `user feedback.` It`s thought the initial rollout, which kicked off at the beginning of June, caused issues for organizations using macros to automate routine processes, such as data collection or running certain tasks. In a statement given to TechCrunch, Microsoft said it paused the rollout while it `makes some additional changes to enhance usability.` The company has since updated its documentation with step-by-step instructions for end users and IT admins explaining how Office determines whether to block or run macros, which Office versions are affected by the new rules, how to allow VBA macros in trusted files and how to prepare for the change.\n \n\n \n

It`s finally happening. Microsoft will be ending support for most versions of its Internet Explorer (IE) 11 browser on June 15. ZDNet: Microsoft announced more than a year ago that IE would be removed from most versions of Windows 10 this year and has spent months encouraging customers to get ready by proactively retiring the browser from their organizations. IE 11 will be retired for Windows 10 client SKUs (version 20H2 and later) and Windows 10 IoT (version 20H2 and later). Products not affected by this retirement include IE Mode in Edge; IE 11 desktop on Windows 8.1, Windows 7 (with Extended Security Updates), Windows Server LTSC (all versions), Windows Server 2022, Windows 10 client LTSC (all versions), Windows 10 IoT LTSC (all versions). The IE 11 desktop app is not available on Windows 11, as Edge is the default browser for Windows 11. IE Mode in Microsoft Edge will be supported through at least 2029 to give web developers eight years to modernize legacy apps and eventually remove the need for IE mode, officials have said. According to Net Applications, a web monitoring tool, Internet Explorer still has a market share of 5.21% on desktops and laptops, far behind Chrome at over 69%, to be sure, but still ahead of Apple`s Safari, which commands 3.73% market share.\n \n\n \n

A recent executive brief from data storage industry analyst firm Trendfocus reports that OEMs have disclosed that Microsoft is pushing them to drop HDDs as the primary storage device in pre-built Windows 11 PCs and use SSDs instead, with the current deadlines for the switchover set for 2023. Tom`s Hardware reports: Interestingly, these actions from Microsoft come without any firm SSD requirement listed for Windows 11 PCs, and OEMs have pushed back on the deadlines. [...] Microsoft`s most current(opens in new tab) list of hardware requirements calls for a `64 GB or larger storage device` for Windows 11, so an SSD isn`t a minimum requirement for a standard install. However, Microsoft stipulates that two features, DirectStorage and the Windows Subsystem for Android(opens in new tab), require an SSD, but you don`t have to use those features. It is unclear whether or not Microsoft plans to change the minimum specifications for Windows 11 PCs after the 2023 switchover to SSDs for pre-built systems. As always, the issue with switching all systems to SSDs boils down to cost: Trendfocus Vice President John Chen tells us that replacing a 1TB HDD requires stepping down to a low-cost 256 GB SSD, which OEMs don`t consider to be enough capacity for most users. Conversely, stepping up to a 512 GB SSD would `break the budget` for lower-end machines with a strict price limit. `The original cut-in date based on our discussions with OEMs was to be this year, but it has been pushed out to sometime next year (the second half, I believe, but not clear on the firm date),` Chen told Tom`s Hardware. `OEMs are trying to negotiate some level of push out (emerging market transition in 2024, or desktop transition in 2024), but things are still in flux.` The majority of PCs in developed markets have already transitioned to SSDs for boot drives, but there are exceptions. Chen notes that it is possible that Microsoft could make some exceptions, but the firm predicts that dual-drive desktop PCs and gaming laptops with both an SSD for the boot drive and an HDD for bulk storage will be the only mass-market PCs with an HDD. [...] It`s unclear what measures, if any, Microsoft would take with OEMs if they don`t comply with its wishes, and the company has decided not to comment on the matter. Trendfocus says the switchover will have implications for HDD demand next year.\n \n\n \n

DrunkenTerror shares a report from ExtremeTech: Microsoft is advising Windows 11 users to uninstall a recent update. Reports indicated the optional update KB5012643 is causing various apps to crash. The problem involves an interaction between the update and the .Net Framework that`s part of Windows. At this time it`s unclear which apps are affected by the issue, leaving uninstallation as the `only` viable solution. `Affected apps are using certain optional components in .NET Framework 3.5, such as Windows Communication Foundation (WCF) and Windows Workflow (WWF) components.` This update also broke Safe Mode. Microsoft says when users booted into `Safe Mode without networking` users might see the screen flicker. Per MS, `Components that rely on explorer.exe, such as File Explorer, the Start menu, and the taskbar, can be affected and appear unstable.` Microsoft issued a Known Issue Rollback (KiR) for this already so it should be fixed. If you encounter it, you should be able to resolve it by enabling network support in Safe Mode.\n \n\n \n

Security researchers have noticed a malicious campaign that used Windows event logs to store malware, a technique that has not been previously documented publicly for attacks in the wild. BleepingComputer reports: The method enabled the threat actor behind the attack to plant fileless malware in the file system in an attack filled with techniques and modules designed to keep the activity as stealthy as possible. [...] The dropper copies the legitimate OS error handling file [...] and then drops an encrypted binary resource to the `wer.dll` (Windows Error Reporting) in the same location, for DLL search order hijacking to load malicious code. DLL hijacking is a hacking technique that exploits legitimate programs with insufficient checks to load into memory a malicious Dynamic Link Library (DLL) from an arbitrary path. [Denis Legezo, lead security researcher at Kaspersky] says that the dropper`s purpose is to loader on the disk for the side-loading process and to look for particular records in the event logs (category 0x4142 - `AB` in ASCII. If no such record is found, it writes 8KB chunks of encrypted shellcode, which are later combined to form the code for the next stager. `The dropped wer.dll is a loader and wouldn`t do any harm without the shellcode hidden in Windows event logs,` says Legezo. The new technique analyzed by Kaspersky is likely on its way to becoming more popular as Soumyadeep Basu, currently an intern for Mandiant`s red team, has created and published on GitHub source code for injecting payloads into Windows event logs.\n \n\n \n

UnknowingFool writes: In October 2021, PC World reviewed Windows 11 and labeled it as an `unnecessary replacement` to Windows 10 and did not recommend it for Windows 10 users. PC World noted that it was a `mixed bag of improved features and unnecessary changes.` Six months later they reviewed it again. While MS has made improvements, PC World does not feel the improvements warrant a recommendation for Windows 10 users to upgrade.\n \n\n \n

An anonymous reader quotes a report from XDA Developers: Microsoft is testing a VPN-like service for its Edge browser, adding a new layer of security and privacy to the browsing experience. A recently-discovered support page on Microsoft`s website details the `Microsoft Edge Secure Network` feature, which provides data encryption and prevents online tracking, courtesy of Cloudflare. While it isn`t available yet, even if you have the latest Dev channel build, the Microsoft Edge Secure Network feature appears to be similar in nature to Cloudflare`s 1.1.1.1 service. This is essentially a proxy or VPN service, which encrypts your browsing data so that it`s safe from prying eyes, including your ISP. It also keeps your location private, so you can use it to access geo-restricted websites, or content that`s blocked in your country. Microsoft Edge`s Secure Network mode will require you to be signed into your Microsoft account, and that`s because the browser keeps track of how much data you`ve used in this mode. You get 1GB of free data per month, and that`s tied to your Microsoft account. Most VPN services aren`t free, so this shouldn`t come as a surprise. Cloudflare itself doesn`t keep any personally-identifiable user data, and any data related to browsing sessions is deleted every 25 hours. Information related to your data usage is also deleted at the end of each monthly period.\n \n\n \n

`The Register reports Microsoft fixed a Point of Sale bug that delayed Windows 11 startup for 40 minutes,` writes Slashdot reader ellithligraw. `So much for the express lane at check-out.` From the report: A fresh Windows 11 patch slipped out overnight as an optional update, but contains an impressively long list of fixes for Microsoft`s flagship operating system. One bug addressed in KB5012643 could leave Point of Sale terminals hanging for up to 40 minutes during startup. Microsoft stated, `We fixed an issue that delays OS startup by approximately 40 minutes.` `Microsoft described the fixes as `improvements` [and chose to highlight the fact that temperature would now be displayed on top of the weather icon on the taskbar],` added Slashdot reader ellithligraw. `[Y]eah, Windows 11 is great as a PoS.`\n \n\n \n

joshuark shares a report: Microsoft`s Windows 10 operating system already disables by default SMB (Server Message Block) version 1, the 30-year-old file-sharing protocol. Now the company is doing the same with Windows 11 Home Dev Channel test builds, announced officials on April 19. SMB1 is considered outdated and not secure. However, some users with very old equipment may be in for a surprise if their Windows 11 laptops can`t connect to an old networked hard drive, as officials said in a blog post about the SMB1 phase out plan. `There is no edition of Windows 11 Insider that has any part of SMB1 enabled by default anymore. At the next major release of Windows 11, that will be the default behavior as well,` said Ned Pyle, Principal Program Manager. `Like always, this doesn`t affect in-place upgrades of machines where you were already using SMB1. SMB1 is not gone here, an admin can still intentionally reinstall it,` Pyle added.\n \n\n \n

`A new survey claims Windows 11 adoption is so low it`s actually less popular than the 20-year-old Windows XP,` reports PC Magazine: The survey comes from an IT management provider called Lansweeper. Through its own software products, the company scanned 10 million Windows devices this month to determine which OS they were using. The results found that only 1.44% of the devices had Windows 11 installed, which is lower than the 1.71% for Windows XP. In contrast, Windows 10 maintains a dominant share at 80.34%. Although Windows 11`s adoption is low at 1.44%, the number actually went up almost three times from 0.52% back in January. It`s also important to note that other surveys have found much higher Windows 11 adoption numbers. Last month, the app advertising platform AdDuplex found Windows 11 usage was at 19.4%, although this represented a mere 0.1% growth from the previous month. Meanwhile, the Steam hardware survey from Valve estimates Windows 11 usage has reached 16.8%.\n \n\n \n

Ars Technica`s Andrew Cunningham combed through Steam Hardware and amp; Software Survey data `to see how Windows 11 is fairing with enthusiasts.` An anonymous reader shares an excerpt from the report: Steam users are migrating to Windows 11 about half as quickly as they moved to Windows 10. Six months after its release, Windows 10 ran on 31 percent of all Steam computers -- nearly one in three. As of March 2022, Windows 11 runs on just under 17 percent of Steam computers -- about one in six. Three-quarters of all Steam computers in 2022 are still running Windows 10. It`s easy to interpret these results as an indictment of Windows 11, which generated some controversy with its relatively stringent (and often poorly explained) security-oriented system requirements. At least some of this slow adoption is caused by those system requirements -- many of the PCs surveyed by Steam probably can`t install Windows 11. That could be because users have an older unsupported CPU or have one or more of the required security features disabled; Secure Boot and the firmware TPM module were often turned off by default on new motherboards for many years. But there are other compelling explanations. Windows 11`s adoption looks slow compared to Windows 10, but Windows 10`s adoption was also exceptionally good. Windows 8 and 8.1 were not well-loved, to put it mildly, and Windows 10 was framed as a response to (and a fix for) most of Windows 8`s user interface changes. And people who were still on Windows 7 were missing out on some of the nice quality-of-life additions and under-the-hood improvements that Windows 8 added. You can see that pent-up demand in the jump between July 2015 and September 2015. In the first two months of Windows 10`s availability, Windows 8 hemorrhaged users, falling from around 35 percent usage to 19 percent. Virtually all of those users -- and a smaller but still notable chunk of Windows 7 users -- were moving to Windows 10. Windows 11 also got a decent early adopter bump in November 2021, but its gains every other month were much smaller. In contrast, Windows 11 was announced with little run-up, and it was replacing what users had been told was the `last version of Windows.` Where Windows 10 replaced one new, unloved OS and one well-liked but aging OS, Windows 11 replaced a modern OS that nobody really complained about (Windows 10 ran on over 90 percent of all Steam computers in September 2021 -- even Windows 7 in its heyday couldn`t boast that kind of adoption). It`s also worth noting that Microsoft didn`t try to re-create that initial burst of adoption for Windows 11. Following some turbulence after early Windows 10 servicing updates, Microsoft began rolling updates out more methodically, starting with small numbers of PCs and then expanding availability gradually as problems were discovered and ironed out. Windows 11 only entered `its final phase of availability` in February, ensuring that anyone with a compatible PC could get Windows 11 through Windows Update if they wanted it.\n \n\n \n

If you are waiting for Windows 11 side-taskbar support before upgrading to the latest operating system, you may be waiting for a long time, according to a recent Microsoft Ask Me Anything (AMA) session. BleepingComputer reports: As first reported by Neowin, in a recent Microsoft Ask Me Anything (AMA) session, a user asked whether Microsoft would be bringing back the ability to move the sidebar to the sides. The response was not very promising, with Tali Roth, Microsoft`s Head of Product, explaining that a small amount of Windows users use the feature and that it is unsure whether the feature will ever be brought back: `When it comes to something like actually being able to move the taskbar to different locations on the screen, there`s a number of challenges with that. When you think about having the taskbar on the right or the left, all of a sudden the reflow and the work that all of the apps have to do to be able to understand the environment is just huge. And when you look at the data, while we know there is a set of people that love it that way and, like, really appreciate it, we also recognize that this set of users is really small compared to the set of other folks that are asking for other features. So at the moment we are continuing to focus on things that I hear more pain around. It is one of those things that we are still continuing to look at, and we will keep looking to feedback, but at the moment we do not have a plan or a set date for when we would, or if we would, actually build the side taskbar.` You can watch the entire discussion about this feature on YouTube.\n \n\n \n

Microsoft has rolled out a new security feature called Smart App Control with Windows 11. From a report: `Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications,` Microsoft vice president David Weston explains. `It goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals.` Smart App Control is interesting because it will be enabled by default on new Windows PCs in the future. But if you upgrade to whatever version of Windows 11 that enables this feature on an existing install, you will have to use Reset this PC to reset Windows 11 and clean install it. That is, I believe, unprecedented.\n \n\n \n

Microsoft is finally making it easier to change your default browser in Windows 11. A new update (KB5011563) has started rolling out this week that allows Windows 11 users to change the default browser with a single click. After testing the changes in December, this new one-click method is rolling out to all Windows 11 users. From a report: Originally, Windows 11 shipped without a simple button to switch default browsers that was always available in Windows 10. Instead, Microsoft forced Windows 11 users to change individual file extensions or protocol handlers for HTTP, HTTPS, .HTML, and .HTM, or you had to tick a checkbox that only appeared when you clicked a link from outside a browser. Microsoft defended its decision to make switching defaults harder, but rival browser makers like Mozilla, Brave, and even Google`s head of Chrome criticized Microsoft`s approach.\n \n\n \n

Microsoft is pushing ahead with plans to warn Windows 11 users that have installed the operating system on unsupported hardware. In a new update to Windows 11, a watermark has appeared on the desktop wallpaper for unsupported systems, alongside a similar warning in the landing page of the settings app. From a report: Microsoft had been testing these changes last month, but they`re now rolling out to Release Preview just ahead of a full release to all Windows 11 users in the coming days. While Microsoft doesn`t mention the addition of a watermark in its `improvements` list for this update, testers have noticed it`s included. If Windows 11 is running on unsupported hardware, a new desktop watermark will state `System requirements not met. Go to settings to learn more.` It`s similar, but far less prominent, to the semi-transparent watermark that appears in Windows if you haven`t activated the OS.\n \n\n \n