2023-09-21 11:02:00 | Slashdot | |||
Microsoft will release its next big Windows 11 update, 23H2, on September 26th. The update will include the new AI-powered Windows Copilot feature, a redesigned File Explorer, a new Ink Anywhere feature for pen users, big improvements to the Paint app, native RAR and 7-zip file support, a new volume mixer, and much more. From a report: Windows Copilot is the headline feature for the Windows 11 23H2 update, bringing the same Bing Chat feature straight to the Windows 11 desktop. It appears as a sidebar in Windows 11, allowing you to control settings on a PC, launch apps, or simply answer queries. It's integrated all over the operating system, too: Microsoft executives demoed using Copilot to write text messages using data from your calendar, navigation options in Outlook, and more. This is also Microsoft's latest attempt to deliver a digital assistant inside Windows after the company shut down the Cortana app inside Windows 11 last month. It might be more successful this time, particularly as it's powered by the same technologies behind Bing Chat, so you can ask real questions and get answers (that might not always be accurate) in return. [...] Microsoft is also adding native RAR and 7-zip support to Windows 11 with this update. That means you'll be able to easily open files like tar, 7-zip, rar, gz, and many others using the libarchive open-source project that's now built into Windows 11. Microsoft is also planning to provide support for creating these file formats in 2024.
|
2023-09-13 10:00:00 | Slashdot | |||
Mozilla has released emergency security updates to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client. From a report: Tracked as CVE-2023-4863, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution. "Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild," Mozilla said in an advisory published on Tuesday. Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2. Even though specific details regarding the WebP flaw's exploitation in attacks remain undisclosed, this critical vulnerability is being abused in real-world scenarios.
|
2023-09-12 18:36:01 | Krebs on Security | |||
Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.
|
2023-09-12 05:36:44 | Net-Security | |||
Google has rolled out a security update for a critical Chrome zero-day vulnerability (CVE-2023-4863) exploited in the wild. About the vulnerability (CVE-2023-4863) CVE-2023-4863 is a critical heap buffer overflow vulnerability in the component that handles WebP, a raster graphics file format that replaces JPEG, PNG, and GIF file formats. Buffer overflows can lead to crashes, infinite loops, and can be used to execute arbitrary code. “The Stable and Extended stable channels has been updated to …
The post Chrome zero-day exploited in the wild, patch now! (CVE-2023-4863) appeared first on Help Net Security.
|
2023-09-11 15:00:00 | Slashdot | |||
Microsoft has made it clear: it will ax third-party printer drivers in Windows. From a report: The death rattle will be lengthy, as the timeline for the end of servicing stretches into 2027 -- although Microsoft noted that the dates will be subject to change. There is, after all, always that important customer with a strange old printer lacking Mopria support. Mopria is part of the Windows team's justification for removing support. Founded in 2013 by Canon, HP, Samsung and Xerox, the Mopria Alliance's mission is to provide universal standards for printing and scanning. Epson, Lexmark, Adobe and Microsoft have also joined the gang since then. Since Windows 10 21H2, Microsoft has baked Mopria support into the flagship operating system, with support for devices connected via the network or USB, thanks to the Microsoft IPP Class driver. Microsoft said: "This removes the need for print device manufacturers to provide their own installers, drivers, utilities, and so on."
|
2023-09-07 18:20:00 | Slashdot | |||
An anonymous reader quotes a report from CNBC: Chinese state-aligned influence and disinformation campaigns are impersonating U.S. voters and targeting political candidates on multiple social media platforms with improved sophistication, Microsoft said in a threat analysis report Thursday. Chinese Communist Party-affiliated "covert influence operations have now begun to successfully engage with target audiences on social media to a greater extent than previously observed," according to the report, which focused on the rise in "digital threats from East Asia." The Microsoft report also cautioned that some Chinese influence campaigns are now using generative artificial intelligence to create visual content that's "already drawn higher levels of engagement from authentic" users, a trend the company said began around March. Chinese influence campaigns have historically struggled to gain traction with intended targets, who in this case are U.S. voters and residents. But since the 2022 midterm elections, those efforts have become more effective, Microsoft warned. Microsoft found content from Chinese influence campaigns on multiple apps, including Meta's Facebook and Instagram, Microsoft-owned LinkedIn, and X. In August, Facebook parent Meta announced it had disrupted the largest ever identified disinformation campaign and linked it to China state-affiliated actors. Microsoft's report included screenshots of two different X posts in April that were identified as CCP-affiliated disinformation. Both were about the Black Lives Matter movement and had the same graphic. The first came from an automated CCP-affiliated account. The second, Microsoft said, was uploaded by an account impersonating a conservative U.S. voter seven hours later.
|
2023-09-05 12:00:00 | Slashdot | |||
Microsoft will finally stop forcing Windows 11 users in Europe into Edge if they click a link from the Windows Widgets panel or from search results. From a report: The software giant has started testing the changes to Windows 11 in recent test builds of the operating system, but the changes are restricted to countries within the European Economic Area (EEA). "In the European Economic Area (EEA), Windows system components use the default browser to open links," reads a change note from a Windows 11 test build released to Dev Channel testers last month. Microsoft has been ignoring default browser choices in its search experience in Windows 10 and the taskbar widget that forces users into Edge if they click a link instead of their default browser. Windows 11 continued this trend, with search still forcing users into Edge and a new dedicated widgets area that also ignores the default browser setting.
|
2023-09-03 11:34:00 | Slashdot | |||
"Microsoft has quietly revealed that WordPad, the basic word processor that's been included with Windows since 1995, is being retired," reports Windows blog Paul Thurrott: "WordPad is no longer being updated and will be removed in a future release of Windows," the Deprecated features for Windows client page on Microsoft Learn notes in a September 1, 2023 addition. "We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt...." [W]hile Microsoft's advice to use Microsoft Word instead seems a bit off-base, given that Word is a paid product, RTF is rarely used these days, and anyone can access the web versions of Word for free if needed. The actual date of removal is unclear. But Neowinisn't the only thing Microsoft is removing from Windows: The company recently turned off Cortana, its neglected voice assistant, and announced the end of Microsoft Support Diagnostic Tool (MSDT). Also, Microsoft will soon disable old Transport Layer Security protocols to make Windows 11 more secure.
|
2023-08-31 10:00:00 | Slashdot | |||
Microsoft will unbundle its chat and video app Teams from its Office suite and make it easier for rival products to work with its software, the U.S. company said on Thursday in a move aimed at staving off a possible EU antitrust fine. From a report: The proposed changes came a month after the European Commission launched an investigation into Microsoft's tying of Office and Teams following a complaint by Salesforce-owned workspace messaging app Slack in 2020. Microsoft's preliminary concessions failed to address concerns. The EU competition enforcer on Thursday said it took note of the company's announcement and declined further comment. Teams was added to Office 365 in 2017 for free. It eventually replaced Skype for Business and gained in popularity during the pandemic due in part to its video conferencing. "Today we are announcing proactive changes that we hope will start to address these concerns in a meaningful way, even while the European Commission's investigation continues and we cooperate with it," [...] The changes, effective from Oct. 1, will apply in Europe and Switzerland.
|
2023-08-30 12:00:00 | Slashdot | |||
An anonymous reader writes: I thought I had malware on my main Windows 11 machine this weekend. There I was minding my own business in Chrome before tabbing back to a game and wham a pop-up appeared asking me to switch my default search engine to Microsoft Bing in Chrome. Stunningly, Microsoft now thinks it's ok to shove a pop-up in my face above my apps and games just because I dare to use Chrome instead of Microsoft Edge. This isn't a normal notification, either. It didn't appear in the notification center in Windows 11, nor is it connected to the part of Windows 11 that suggests new features to you. It's quite literally a rogue executable file that has somehow appeared in c:\windows\temp\mubstemp and is digitally signed by Microsoft. "We are aware of these reports and have paused this notification while we investigate and take appropriate action to address this unintended behavior," says Caitlin Roulston, director of communications, in a statement to The Verge. [...] This isn't Microsoft's first rodeo, either. I'm growing increasingly frustrated by the company's methods of getting people to switch from Google and Chrome to Bing and Edge. Microsoft has been using a variety of prompts for years now, with pop-ups appearing inside Chrome, on the Windows taskbar, and elsewhere. Microsoft has even forced people into Edge after a Windows Update, and regularly presents a full-screen message to switch to Bing and Edge after updates.
|
2023-08-30 06:14:13 | Security Week | |||
Mozilla and Google have released stable updates for the Firefox and Chrome browsers to address several memory corruption vulnerabilities.
The post High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome appeared first on SecurityWeek.
|
2023-08-25 19:20:00 | Slashdot | |||
Microsoft's August 2023 preview updates for Windows 11 and Windows 10, labeled as KB5029351 and KB5029331 respectively, have led to blue screen errors citing an unsupported processor problem. BleepingComputer reports: "Microsoft has received reports of an issue in which users are receiving an 'UNSUPPORTED_PROCESSOR' error message on a blue screen after installing updates released on August 2," Redmond said. The company also added that the problematic cumulative updates "might automatically uninstall to allow Windows to start up as expected." Microsoft is investigating the newly acknowledged known issue to find out whether it stems from a Microsoft-related cause. The company also urged users encountering these BSOD errors to file a report using the Feedback Hub.
|
2023-08-23 16:11:00 | Slashdot | |||
An anonymous reader quotes a report from Ars Technica: A newly discovered zeroday in the widely used WinRAR file-compression program has been under exploit for four months by unknown attackers who are using it to install malware when targets open booby-trapped JPGs and other innocuous inside file archives. The vulnerability, residing in the way WinRAR processes the ZIP file format, has been under active exploit since April in securities trading forums, researchers from security firm Group-IB reported Wednesday. The attackers have been using the vulnerability to remotely execute code that installs malware from families including DarkMe, GuLoader, and Remcos RAT. From there, the criminals withdraw money from broker accounts. The total amount of financial losses and total number of victims infected is unknown, although Group-IB said it has tracked at least 130 individuals known to have been compromised. WinRAR developers fixed the vulnerability, tracked as CVE-2023-38831, earlier this month. "By exploiting a vulnerability within this program, threat actors were able to craft ZIP archives that serve as carriers for various malware families," Group-IB Malware Analyst Andrey Polovinkin wrote. "Weaponized ZIP archives were distributed on trading forums. Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023." It's recommended that you update to version 6.23 before using WinRAR again.
|
2023-08-16 18:40:00 | Slashdot | |||
An anonymous reader quotes a report from The Register: Microsoft prohibits users from reverse engineering or harvesting data from its AI software to train or improve other models, and will store inputs passed into its products as well as any output generated. The details emerged as companies face fresh challenges with the rise of generative AI. People want to know what corporations are doing with information provided by users. And users are likewise curious about what they can do with the content generated by AI. Microsoft addresses these issues in a new clause titled "AI Services" in its terms of service. The five new policies, which were introduced on 30 July and will come into effect on September 30, state that: Reverse Engineering. You may not use the AI services to discover any underlying components of the models, algorithms, and systems. For example, you may not try to determine and remove the weights of models. Extracting Data. Unless explicitly permitted, you may not use web scraping, web harvesting, or web data extraction methods to extract data from the AI services. Limits on use of data from the AI Services. You may not use the AI services, or data from the AI services, to create, train, or improve (directly or indirectly) any other AI service. Use of Your Content. As part of providing the AI services, Microsoft will process and store your inputs to the service as well as output from the service, for purposes of monitoring for and preventing abusive or harmful uses or outputs of the service. Third party claims. You are solely responsible for responding to any third-party claims regarding Your use of the AI services in compliance with applicable laws (including, but not limited to, copyright infringement or other claims relating to content output during Your use of the AI services). A spokesperson from Microsoft declined to comment on how long the company plans to store user inputs into its software.
"We regularly update our terms of service to better reflect our products and services. Our most recent update to the Microsoft Services Agreement includes the addition of language to reflect artificial intelligence in our services and its appropriate use by customers," the representative told us in a statement. Microsoft has previously said, however, that it doesn't save conversations or use that data to train its AI models for its Bing Enterprise Chat mode. The policies are a little murkier for its Microsoft 365 Copilot, although it doesn't appear to use customer data or prompts for training, it does store information. "[Copilot] can generate responses anchored in the customer's business content, such as user documents, emails, calendar, chats, meetings, contacts, and other business data. Copilot combines this content with the user's working context, such as the meeting a user is in now, the email exchanges the user has had on a topic, or the chat conversations the user had last week. Copilot uses this combination of content and context to help deliver accurate, relevant, contextual responses," it said.
|
2023-08-16 16:40:00 | Slashdot | |||
An anonymous reader quotes a report from Ars Technica: A few months ago, an engineer in a data center in Norway encountered some perplexing errors that caused a Windows server to suddenly reset its system clock to 55 days in the future. The engineer relied on the server to maintain a routing table that tracked cell phone numbers in real time as they were being moved from one carrier to the other. A jump of eight weeks had dire consequences because it caused numbers that had yet to be transferred to be listed as having already been moved and numbers that had already been transferred to be reported as pending. "With these updated routing tables, a lot of people were unable to make calls, as we didn't have a correct state!" the engineer, who asked to be identified only by his first name, Simen, wrote in an email. "We would route incoming and outgoing calls to the wrong operators! This meant, e.g., children could not reach their parents and vice versa." Simen had experienced a similar error last August when a machine running Windows Server 2019 reset its clock to January 2023 and then changed it back a short time later. Troubleshooting the cause of that mysterious reset was hampered because the engineers didn't discover it until after event logs had been purged. The newer jump of 55 days, on a machine running Windows Server 2016, prompted him to once again search for a cause, and this time, he found it. The culprit was a little-known feature in Windows known as Secure Time Seeding. Microsoft introduced the time-keeping feature in 2016 as a way to ensure that system clocks were accurate. Windows systems with clocks set to the wrong time can cause disastrous errors when they can't properly parse time stamps in digital certificates or they execute jobs too early, too late, or out of the prescribed order.
Secure Time Seeding, Microsoft said, was a hedge against failures in the battery-powered on-board devices designed to keep accurate time even when the machine is powered down. "You may ask -- why doesn't the device ask the nearest time server for the current time over the network?" Microsoft engineers wrote. "Since the device is not in a state to communicate securely over the network, it cannot obtain time securely over the network as well, unless you choose to ignore network security or at least punch some holes into it by making exceptions." To avoid making security exceptions, Secure Time Seeding sets the time based on data inside an SSL handshake the machine makes with remote servers. These handshakes occur whenever two devices connect using the Secure Sockets Layer protocol, the mechanism that provides encrypted HTTPS sessions (it is also known as Transport Layer Security). Because Secure Time Seeding (abbreviated as STS for the rest of this article) used SSL certificates Windows already stored locally, it could ensure that the machine was securely connected to the remote server. The mechanism, Microsoft engineers wrote, "helped us to break the cyclical dependency between client system time and security keys, including SSL certificates."
|
2023-08-11 19:50:00 | Slashdot | |||
Microsoft is rolling out a new update for Windows 11 that disables the digital assistant Cortana. The Verge reports: If you attempt to launch Cortana on Windows 11 you'll now be met with a notice about how the app is deprecated and a link to a support article on the change. Microsoft is now planning to end support for Cortana in Teams mobile, Microsoft Teams Display, and Microsoft Teams Rooms "in the fall of 2023." Surprisingly, Cortana inside Outlook mobile "will continue to be available," according to Microsoft. Microsoft is now working on Windows Copilot, a new sidebar for Windows 11 that is powered by Bing Chat and can control Windows settings, answer questions, and lots more. Windows Copilot is expected to be available this fall as part of a Windows 11 update that will also include native RAR and 7-Zip support.
|
2023-08-11 18:42:45 | TechDirt | |||
Microsoft has long been one of several companies that attempted to monopolize repair in a bid for profit, particularly when it has come to the company’s game consoles. But in recent years the company appears to have realized that with state and federal lawmakers and regulators cracking down on this behavior, it might be smart […]
|
2023-08-10 07:41:30 | Net-Security | |||
A phishing campaign leveraging the EvilProxy phishing-as-a-service (PhaaS) tool has been spotted targeting Microsoft 365 user accounts of C-level executives and managers at over 100 organizations around the world. The rise of phishing-as-a-service As organizations increasingly employ multi-factor authentication (MFA), threat actors have switched to using phishing services such as EvilProxy, which uses reverse proxy and cookie injection methods to steal authentication credentials and session cookies (and thus bypass the extra protection offered by MFA). …
The post Microsoft 365 accounts of execs, managers hijacked through EvilProxy appeared first on Help Net Security.
|
2023-08-04 15:20:00 | Slashdot | |||
Filipe Esposito, writing for Apple-focused news site 9to5Mac: As reported by Windows Latest, the Cortana app has received an update via the Microsoft Store after two years without getting a single new feature. But instead of new features, the update pretty much kills Cortana and now shows a message saying that "Cortana in Windows as a standalone app is deprecated." [...] Earlier this week, during a call with investors, Apple CEO Tim Cook reinforced that Apple has been conducting research with a "wide range of AI technologies," including "generative AI" for years. Multiple rumors have pointed to Apple internally developing a technology to compete with ChatGPT. However, while Microsoft and Google have already made their new tools available to the public, Apple is still a long way off. In the meantime, Siri is still Siri. Even Apple employees complain about "organizational dysfunction and a lack of ambition" when it comes to the development of Apple's virtual assistant. Some employees point out that Siri is still based on a very legacy technology and that improving it would require a lot of efforts. Seeing what other companies are achieving with generative AI, I do think it's time for Apple to give up on Siri and focus its efforts on new technologies. What about you? What are your thoughts on Apple, Siri, and AI?
|
2023-08-03 20:02:00 | Slashdot | |||
An anonymous reader quotes a report from Ars Technica: Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation." The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach. On Wednesday, Yoran took to LinkedIn to castigate Microsoft for failing to fix what the company said on Monday was a "critical" issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday's disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28. "To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank," Yoran wrote. "They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft." He continued: "Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not.
They took more than 90 days to implement a partial fix -- and only for new applications loaded in the service." In response, Microsoft officials wrote: "We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption." Microsoft went on to say that the initial fix in June "mitigated the issue for the majority of customers" and "no customer action is required." In a separate email, Yoran responded: "It now appears that it's either fixed, or we are blocked from testing. We don't know the fix, or mitigation, so hard to say if it's truly fixed, or Microsoft put a control in place like a firewall rule or ACL to block us. When we find vulns in other products, vendors usually inform us of the fix so we can validate it effectively. With Microsoft Azure that doesn't happen, so it's a black box, which is also part of the problem. The 'just trust us' lacks credibility when you have the current track record."
|
2023-07-26 10:21:03 | Security Week | |||
Fortinet has published details on a series of critical- and high-severity vulnerabilities in the Microsoft Message Queuing service.
The post Microsoft Message Queuing Vulnerabilities Allow Remote Code Execution, DoS Attacks appeared first on SecurityWeek.
|
2023-07-13 23:30:25 | Net-Security | |||
While trends in phishing frequently evolve, Facebook and Microsoft's collective dominance as the most spoofed brands continues, according to Vade. Facebook and Microsoft's collective dominance as the most spoofed brands continued into H1 2023, with the former accounting for 18% of all phishing URLs and the latter accounting for 15%. Microsoft experienced increase in spoofing attempts While Facebook was the clear leader, Microsoft overtook the social media giant in Q2 after experiencing a 22% QoQ …
The post Facebook and Microsoft remain prime targets for spoofing appeared first on Help Net Security.
|
2023-07-12 14:57:00 | Naked Security | |||
Here's a brief reminder to do two things. The first is to patch. The second is to read up why it's a good idea to patch...
|
2023-07-11 14:20:29 | Security Week | |||
Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.
The post Microsoft Warns of Office Zero-Day Attacks, No Patch Available appeared first on SecurityWeek.
|
2023-06-27 10:40:00 | Slashdot | |||
Microsoft has been increasingly moving Windows to the cloud on the commercial side with Windows 365, but the software giant also wants to do the same for consumers. From a report: In an internal "state of the business" Microsoft presentation from June 2022, Microsoft discusses building on "Windows 365 to enable a full Windows operating system streamed from the cloud to any device." The presentation has been revealed as part of the ongoing FTC v. Microsoft hearing, as it includes Microsoft's overall gaming strategy and how that relates to other parts of the company's businesses. Moving "Windows 11 increasingly to the cloud" is identified as a long-term opportunity in Microsoft's "Modern Life" consumer space, including using "the power of the cloud and client to enable improved AI-powered services and full roaming of people's digital experience." Windows 365 is a service that streams a full version of Windows to devices. So far, it's been limited to just commercial customers, but Microsoft has been deeply integrating it into Windows 11 already. A future update will include Windows 365 Boot, which will enable Windows 11 devices to log directly in to a Cloud PC instance at boot instead of the local version of Windows. Windows 365 Switch is also built into Windows 11 to integrate Cloud PCs into the Task View (virtual desktops) feature.
|
2023-06-15 20:00:06 | ZDNet | |||
A declassified report confirms for the first time that the US government purchases Americans' personal information from third-party data brokers. Here's what you need to know about it.
|
2023-06-12 14:02:00 | Slashdot | |||
An anonymous reader shares a report: Not so long ago, Microsoft Edge ended up in hot waters after users discovered a bug leaking your browser history to Bing. Now you may want to toggle off another feature to ensure Edge is not sending every picture you view online to Microsoft. Edge has a built-in image enhancement tool that, according to Microsoft, can use "super-resolution to improve clarity, sharpness, lighting, and contrast in images on the web." Although the feature sounds exciting, recent Microsoft Edge Canary updates have provided more information on how image enhancement works. The browser now warns that it sends image links to Microsoft instead of performing on-device enhancements.
|
2023-06-05 21:20:25 | BBC Technology News | |||
The tech giant used data collected from child Xbox users without telling parents, US regulators say.
|
2023-06-02 18:40:00 | Slashdot | |||
In a support document today, Microsoft announced it's ending support for Cortana on Windows in late 2023. "Cortana continues to live on in Outlook mobile, Teams mobile, Teams display, and Teams rooms," notes XDA Developers. From the report: In the support document announcing the end of the Cortana era, Microsoft notes that you'll still be able to access AI experiences in Windows 11, and calls out Windows Copilot by name. Alongside that, there's the new Bing, Microsoft 365 Copilot, and voice access in Windows, the last of which lets you control your PC with your voice. The writing has been on the wall for Cortana for some time now. It was first introduced as a virtual assistant for Windows Phone 8.1, back in 2014, competing with the likes of Apple's Siri. In 2015, it launched on the desktop with Windows 10, and then it started to feel like Microsoft was putting Cortana everywhere. It started showing up in apps like Office and such, similar to what we're seeing with Copilot now. There were third-party Cortana devices too, like the Harman Kardon Invoke smart speaker and the Johnson Controls Glas thermostat, both of which are no longer supported. Soon after it started becoming apparent that Cortana wouldn't compete with Amazon Alexa, Microsoft started to roll back. Cortana was stripped out of Windows, becoming a standalone app rather than something you found in the taskbar. For a couple of years now, it's just kind of lived as an app on Windows 11, with no news arriving about any kinds of new features. Now is the era of Bing Chat and Copilot.
|
2023-06-02 09:56:58 | Naked Security | |||
It's a backdoor, Jim, but not as we know it... here's a sober look at this issue.
|
2023-05-24 19:20:00 | Slashdot | |||
At its Build 2023 conference this week, Microsoft announced Windows 11 will soon be able to run Win32 apps in isolation mode. XDA Developers reports: Starting [today], Microsoft is launching a preview of Win32 apps in isolation for Windows 11 customers. As the name suggests, it will allow users to run Win32 apps in an isolated environment so that they can be sandboxed from the rest of the operating system in order to further strengthen security. The idea is to leverage Windows 11's isolation capabilities to run Win32 apps in an environment where they don't have access to critical Windows components and subsystems. This will ensure that if someone runs a compromised Win32 app in isolation, it will be very difficult for an attacker to break through the sandbox and penetrate the rest of the system. This capability will be available in public preview for both enterprise customers and consumers.
|
2023-05-23 17:20:00 | Slashdot | |||
An anonymous reader shares a report: Then, at some point, someone at Microsoft must have gotten fed up with rushing their .rar operations the way I have for 20 years and thought, there must be a better way. And so, under the subheading of "Reducing toil," we have a few helpful UI updates, then casually and apropos of nothing, this: "In addition... We have added native support for additional archive formats, including tar, 7-zip, rar, gz and many others using the libarchive open-source project. You now can get improved performance of archive functionality during compression on Windows."
|
2023-05-16 09:00:00 | Slashdot | |||
An anonymous reader quotes a report from Ars Technica: Microsoft cloud services are scanning for malware by peeking inside users' zip files, even when they're protected by a password, several users reported on Mastodon on Monday. Compressing file contents into archived zip files has long been a tactic threat actors use to conceal malware spreading through email or downloads. Eventually, some threat actors adapted by protecting their malicious zip files with a password the end user must type when converting the file back to its original form. Microsoft is one-upping this move by attempting to bypass password protection in zip files and, when successful, scanning them for malicious code. While analysis of password-protected files in Microsoft cloud environments is well-known to some people, it came as a surprise to Andrew Brandt. The security researcher has long archived malware inside password-protected zip files before exchanging them with other researchers through SharePoint. On Monday, he took to Mastodon to report that the Microsoft collaboration tool had recently flagged a zip file, which had been protected with the password "infected." "While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples," Brandt wrote. "The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs." Fellow researcher Kevin Beaumont joined the discussion to say that Microsoft has multiple methods for scanning the contents of password-protected zip files and uses them not just on files stored in SharePoint but all its 365 cloud services. One way is to extract any possible passwords from the bodies of email or the name of the file itself. Another is by testing the file to see if it's protected with one of the passwords contained in a list.
"If you mail yourself something and type something like 'ZIP password is Soph0s', ZIP up EICAR and ZIP password it with Soph0s, it'll find (the) password, extract and find (and feed MS detection)," he wrote. "A Google representative said the company doesn't scan password-protected zip files, though Gmail does flag them when users receive such a file," notes Ars. "One other thing readers should remember: password-protected zip files provide minimal assurance that content inside the archives can't be read. As Beaumont noted, ZipCrypto, the default means for encrypting zip files in Windows, is trivial to override. A more dependable way is to use an AES-256 encryptor built into many archive programs when creating 7z files."
|
2023-05-12 18:00:00 | Slashdot | |||
An anonymous reader quotes a report from Ars Technica: Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008. The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. PCs running Windows 11 must have it enabled to meet the software's system requirements. Microsoft says that the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system. It can affect physical PCs and virtual machines with Secure Boot enabled. We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it's installed and partly because it will eventually render current Windows boot media unbootable. The fix requires changes to the Windows boot manager that can't be reversed once they've been enabled. Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes.
On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs. Not wanting to suddenly render any users' systems unbootable, Microsoft will be rolling the update out in phases over the next few months. The initial version of the patch requires substantial user intervention to enable -- you first need to install May's security updates, then use a five-step process to manually apply and verify a pair of "revocation files" that update your system's hidden EFI boot partition and your registry. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs. A second update will follow in July that won't enable the patch by default but will make it easier to enable. A third update in "first quarter 2024" will enable the fix by default and render older boot media unbootable on all patched Windows PCs. Microsoft says it is "looking for opportunities to accelerate this schedule," though it's unclear what that would entail.
|
2023-05-03 14:01:00 | Slashdot | |||
An anonymous reader shares a report: Microsoft has now started notifying IT admins that it will force Outlook and Teams to ignore the default web browser on Windows and open links in Microsoft Edge instead. Reddit users have posted messages from the Microsoft 365 admin center that reveal how Microsoft is going to roll out this change. "Web links from Azure Active Directory (AAD) accounts and Microsoft (MSA) accounts in the Outlook for Windows app will open in Microsoft Edge in a single view showing the opened link side-by-side with the email it came from," reads a message to IT admins from Microsoft. While this won't affect the default browser setting in Windows, it's yet another part of Microsoft 365 and Windows that totally ignores your default browser choice for links. Microsoft already does this with the Widgets system in Windows 11 and even the search experience, where you'll be forced into Edge if you click a link even if you have another browser set as default. Further reading: Microsoft Broke a Chrome Feature To Promote Its Edge Browser.
|
2023-05-02 20:02:00 | Slashdot | |||
An anonymous reader quotes a report from Gizmodo: Microsoft issued a Windows update that broke a Chrome feature, making it harder to change your default browser and annoying Chrome users with popups, Gizmodo has learned. An April Windows update borked a new button in Chrome -- the most popular browser in the world -- that let you change your default browser with a single click, but the worst was reserved for users on the enterprise version of Windows. For weeks, every time an enterprise user opened Chrome, the Windows default settings page would pop up. There was no way to make it stop unless you uninstalled the operating system update. It forced Google to disable the setting, which had made Chrome more convenient. This petty chapter of the browser wars started in July 2022 when Google quietly rolled out a new button in Chrome for Windows. It would show up near the top of the screen and let you change your default browser in one click without pulling up your system settings. For eight months, it worked great. Then, in April, Microsoft issued Windows update KB5025221, and things got interesting. "Every time I open Chrome the default app settings of Windows will open. I've tried many ways to resolve this without luck," one IT administrator said on a Microsoft forum. A Reddit user noticed that the settings page also popped up any and every time you clicked on a link, but only if Chrome was your default browser. "It doesn't happen if we change the default browser to Edge," the user said. Others made similar complaints on Google support forums, some saying that entire organizations were having the issue. Users quickly realized the culprit was the operating system update. For people on the regular consumer version of Windows, things weren't quite as bad; the one-click "Make Default" button just stopped working. Gizmodo was able to replicate the problem. In fact, we were able to circumvent the issue just by changing the name of the Chrome app on a Windows desktop.
It seems that Microsoft threw up the roadblock specifically for Chrome, the main competitor to its Edge browser. [...] In response, Google had to disable its one-click default button; the issue stopped after it did. In other words, Microsoft seems to have gone out of its way to break a Chrome feature that made life easier for users. Google confirmed the details of this story, but declined to comment further.
|
2023-04-28 14:40:00 | Slashdot | |||
Microsoft is rewriting core Windows libraries in the Rust programming language, and the more memory-safe code is already reaching developers. From a report: David "dwizzle" Weston, director of OS security for Windows, announced the arrival of Rust in the operating system's kernel at BlueHat IL 2023 in Tel Aviv, Israel, last month. "You will actually have Windows booting with Rust in the kernel in probably the next several weeks or months, which is really cool," he said. "The basic goal here was to convert some of these internal C++ data types into their Rust equivalents." Microsoft showed interest in Rust several years ago as a way to catch and squash memory safety bugs before the code lands in the hands of users; these kinds of bugs were at the heart of about 70 percent of the CVE-listed security vulnerabilities patched by the Windows maker in its own products since 2006. The Rust toolchain strives to prevent code from being built and shipped that is exploitable, which in an ideal world reduces opportunities for miscreants to attack weaknesses in software. Simply put, Rust is focused on memory safety and similar protections, which cuts down on the number of bad bugs in the resulting code. Rivals like Google have already publicly declared their affinity for Rust.
|
2023-04-28 11:32:00 | Slashdot | |||
Windows 10 22H2 will be the final version of the operating system, Microsoft said in a blog post on Thursday. From a report: Moving forward, all editions of Windows 10 will be supported with monthly security updates until October 14th, 2025, when Microsoft will end support. (Some releases on the Long-Term Servicing Channel, or LTSC, will get updates past that end of support date.) Microsoft is encouraging users to now transition to Windows 11 because Windows 10 won't be getting any new features.
|
2023-04-25 16:41:00 | Slashdot | |||
Microsoft's Edge browser appears to be sending URLs you visit to its Bing API website. Reddit users first spotted the privacy issues with Edge last week, noticing that the latest version of Microsoft Edge sends a request to bingapis.com with the full URL of nearly every page you navigate to. Microsoft tells The Verge it's investigating the reports. From a report: "Searching for references to this URL give very few results, no documentation on this feature at all," said hackermchackface, the Reddit user who first discovered the issue. While Reddit users weren't able to uncover why Microsoft Edge is sending the URLs you visit to its Bing API site, we asked Rafael Rivera, a software engineer and one of the developers behind EarTrumpet, to investigate, and he discovered it's part of a poorly implemented new feature in Edge. "Microsoft Edge now has a creator follow feature that is enabled by default," says Rivera in a conversation with The Verge. "It appears the intent was to notify Bing when you're on certain pages, such as YouTube, The Verge, and Reddit. But it doesn't appear to be working correctly, instead sending nearly every domain you visit to Bing."
|
2023-04-24 12:59:17 | Naked Security | |||
Wouldn't it be handy if there were a single version number to check for in every Chromium-based browser, on every supported platform?
|
2023-04-20 06:00:00 | Slashdot | |||
Longtime Slashdot reader GeorgeK and author at FreeSpeech.com writes: ICANN and Verisign have quietly proposed enormous changes to global domain name policy in their proposed renewal of the .NET registry agreement, which is now open for public comments. They've proposed allowing any government in the world to cancel, redirect, or transfer to their control applicable domain names. This is an outrageous and dangerous proposal that must be stopped, as it does not respect due process. While this proposal is currently only for .NET domain names, presumably they would want to also apply it to other extensions like .COM as those contracts come up for renewal. "This proposal represents a complete government takeover of domain names, with no due process protections for registrants," adds Kirikos. "It would usurp the role of registrars, making governments go directly to Verisign (or any other registry that adopts similar language) to achieve anything they desired. It literally overturns more than two decades of global domain name policy." Furthermore, Kirikos claims ICANN and Verisign "have deliberately timed the comment period to avoid public scrutiny." He writes: "The public comment period opened on April 13, 2023, and is scheduled to end (currently) on May 25, 2023. However, the ICANN76 public meeting was held between March 11 and March 16, 2023, and the ICANN77 public meeting will be held between June 12 and June 15, 2023. Thus, they published the proposal only after the ICANN76 public meeting had ended (where we could have asked ICANN staff and the board questions about the proposal), and seek to end the public comment period before ICANN77 begins. This is likely not by chance, but by design."
|
2023-04-19 14:00:00 | Slashdot | |||
Microsoft is heading further down the path of advertising its own services in Windows 11, with different ads now popping up in the Start menu. From a report: To be precise, this is Windows 11 preview build 23435, which was just released to the Dev channel. As Microsoft puts it: "We are continuing the exploration of badging on the Start menu with several new treatments for users logging in with local user accounts to highlight the benefits of signing in with a Microsoft account (MSA)." So, the translation of this is that "badging" is essentially advertising ("badgering" would perhaps be more accurate), and it's something we've recently seen with Windows 11 urging users to perform a cloud backup (in OneDrive). In this new preview build, the prodding stick is being employed to nudge those who haven't enlisted for a Microsoft Account (who remain using a local account) into signing up for an MSA. Compared to the previous cloud backup prompt on the Start menu, it's even clearer that this is advertising because it's fully selling the benefits of having a Microsoft account. For example, Microsoft tells you how hooking your Windows 11 installation into an MSA will ensure that your PC is kept backed up and more secure, or that it'll keep your settings synced across multiple devices.
|
2023-04-12 14:06:17 | Slashdot | |||
Firefox has a reputation of being something of a resource hog, even among modern browsers. But it might not be entirely earned, because it looks like a CPU bug affecting Firefox users on Windows was actually the fault of Windows Defender. The latest update to the ubiquitous security tool addresses the issue, and should result in measurably lower CPU usage for the Windows version of Firefox. According to Mozilla senior software engineer Yannis Juglaret, the culprit was MsMpEng.exe, which you might recognize from your Task Manager. It handles the Real-Time protection feature that monitors web activity for malicious threats. The bug was causing Firefox to call on the service much more frequently than comparable browsers like Chrome or Edge, resulting in notable CPU spikes. Said CPU spikes could reduce performance in other applications or affect a laptop's battery life. The issue was first reported on Mozilla's bug tracker system way back in 2018 and quickly assigned to the MsMpEng service, but some more recent and diligent documentation on the part of Juglaret resulted in more swift action from Microsoft's developers.
|
2023-04-12 08:21:55 | Security Week | |||
A Windows zero-day tracked as CVE-2023-28252 and fixed by Microsoft with its April Patch Tuesday updates has been exploited in Nokoyawa ransomware attacks.
|
2023-04-11 17:23:00 | Slashdot | |||
An anonymous reader writes: Windows users don't like it when Microsoft changes long-used and familiar functions in its OS, so altering something that's been the same for 28 years is always going to bring controversy. Nevertheless, it seems that the Redmond firm is planning on changing the Print Screen button into a key that opens the Windows 11 Snipping Tool. The Print Screen button has performed the same function in the Windows operating system since Windows 95: taking a screenshot of the current screen and copying it to the clipboard, usually so it can be edited in another program. But Windows Latest discovered that Microsoft is changing the default function of the Print Screen key in Windows 11. In the Windows 11 Beta preview builds 22621.1546 and 22624.1546, hitting the key will open the Windows Snipping Tool, Windows' built-in screenshotting tool that's currently accessed by pressing the Windows logo Key + Shift + S.
|
2023-04-11 15:21:00 | Slashdot | |||
An anonymous reader shares a report: Firefox has a reputation of being something of a resource hog, even among modern browsers. But it might not be entirely earned, because it looks like a CPU bug affecting Firefox users on Windows was actually the fault of Windows Defender. The latest update to the ubiquitous security tool addresses the issue, and should result in measurably lower CPU usage for the Windows version of Firefox. According to Mozilla senior software engineer Yannis Juglaret, the culprit was MsMpEng.exe, which you might recognize from your Task Manager. It handles the Real-Time protection feature that monitors web activity for malicious threats. The bug was causing Firefox to call on the service much more frequently than comparable browsers like Chrome or Edge, resulting in notable CPU spikes. Said CPU spikes could reduce performance in other applications or affect a laptop's battery life. The issue was first reported on Mozilla's bug tracker system way back in 2018 and quickly assigned to the MsMpEng service, but some more recent and diligent documentation on the part of Juglaret resulted in more swift action from Microsoft's developers.
|
2023-04-10 14:40:00 | Slashdot | |||
An anonymous reader shares a report: If you've ever researched anything online, you've probably used the Internet Archive (IA). The IA, founded in 1996 by librarian and engineer Brewster Kahle, describes itself as "a non-profit library of millions of free books, movies, software, music, websites, and more." Their annals include 37 million books, many of which are old tomes that aren't commercially available. It has classic films, plenty of podcasts and -- via its Wayback Machine -- just about every deleted webpage ever. Four corporate publishers have a big problem with this, so they've sued the Internet Archive. In Hachette v. Internet Archive, the Hachette Publishing Group, Penguin Random House, HarperCollins and Wiley have alleged that the IA is committing copyright infringement. Now a federal judge has ruled in the publishers' favor. The IA is appealing the decision. [...] Not only is this concern-trolling disingenuous, but the ruling itself, grounded in copyright, is a smack against fair use. It brings us one step closer to perpetual copyright -- the idea that individuals should own their work forever. The IA argued that their project was covered by fair use, as the Emergency Library provides texts for educational and scholarly purposes. Even writers objected to the court's ruling. More than 300 writers signed a petition against the lawsuit, including Neil Gaiman, Naomi Klein and -- get this -- Chuck Wendig. Writers lost nothing from the Emergency Library and gained everything from it. For my part, I've acquired research materials from the IA that I wouldn't have found anywhere else. The archive has scads of primary sources which otherwise might require researchers to fly across the country for access. The Internet Archive is good for literacy. It's good for the public. It's good for readers, writers and anyone who's invested in literary education. It does not harm authors, whose income is no more dented by it than any library programs.
Even the Emergency Library's initial opponents have conceded this. The federal court's decision is a victory for corporations and a disaster for everyone else. If this decision isn't reversed, human beings will lose more knowledge than the Library of Alexandria ever contained. If IA's appeal fails, it will be a tragedy of historical proportions.
|
2023-04-10 12:40:00 | Slashdot | |||
The FBI recently warned consumers against using free public charging stations, saying crooks have managed to hijack public chargers that can infect devices with malware, or software that can give hackers access to your phone, tablet or computer. From a report: "Avoid using free charging stations in airports, hotels or shopping centers," a tweet from the FBI's Denver field office said. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead." The FBI offers similar guidance on its website to avoid public chargers.
|
2023-03-28 14:00:00 | Slashdot | |||
Windows Central reports: According to my sources who are familiar with Microsoft's plans, the company is once again hard at work on a new project internally that's designed to modernize the Windows platform with many of the same innovations it was working on for Windows Core OS, but with a focus on native compatibility for legacy Win32 applications on devices where it makes sense. The project is codenamed CorePC and is designed to be a modular and customizable variant of Windows for Microsoft to leverage different form factors with. Not all Windows PCs need the full breadth of legacy Win32 app support, and CorePC will allow Microsoft to configure "editions" of Windows with varying levels of feature and app compatibility. The big change with CorePC versus the current shipping version of Windows is that CorePC is state separated, just like Windows Core OS. State separation enables faster updates and a more secure platform via read-only partitions that are inaccessible to the user and third-party apps, just like on iPadOS or Android. [...] CorePC splits up the OS into multiple partitions, which is key to enabling faster OS updates. State separation also enables faster and more reliable system reset functionality, which is important for Chromebook compete devices in the education sector. [...] My sources tell me CorePC will allow Microsoft to finally deliver a version of Windows that truly competes with Chromebooks in OS footprint, performance, and capabilities. [...] Microsoft is also working on a version of CorePC that meets the current feature set and capabilities of Windows desktop, but with state separation enabled for those faster OS updates and improved security benefits. The company is working on a compatibility layer codenamed Neon for legacy apps that require a shared state OS to function, too.
Lastly, I hear that Microsoft is experimenting with a version of CorePC that's "silicon-optimized," designed to reduce legacy overhead, focus on AI capabilities, and vertically optimize hardware and software experiences in a way similar to that of Apple Silicon. Unsurprisingly, AI experiences are a key focus for Windows going into 2024.
|
2023-03-06 14:25:00 | Slashdot | |||
Researchers have announced a major cybersecurity find -- the world's first-known instance of real-world malware that can hijack a computer's boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows. From a report: Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI -- short for Unified Extensible Firmware Interface -- the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC's device firmware with its operating system, the UEFI is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch. Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to run malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced. As appealing as it is to threat actors to install nearly invisible and unremovable malware that has kernel-level access, there are a few formidable hurdles standing in their way. One is the requirement that they first hack the device and gain administrator system rights, either by exploiting one or more vulnerabilities in the OS or apps or by tricking a user into installing trojanized software. Only after this high bar is cleared can the threat actor attempt an installation of the bootkit. The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer's manufacturer.
Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn't recognized, Secure Boot will prevent the device from starting.
|
2023-03-02 10:46:13 | Security Week | |||
ESET says the BlackLotus UEFI bootkit can bypass secure boot on fully updated Windows 11 systems.
|
2023-02-20 12:01:00 | Slashdot | |||
An anonymous reader shares a report: Did you force your PC to install Windows 11 despite it not meeting the official requirements? Microsoft might start nagging you for doing that -- or at least reminding you that what you've done is against the intended use of its operating system. The January 2023 Windows 11 update is pestering folks who forced the update on their PCs with a persistent watermark on the desktop warning that system requirements haven't been met. The story is circulating among Windows blogs, though I found a couple of instances of folks complaining about the watermark on the official Microsoft support forums. The watermark says "system requirements not met" and is emblazoned on the desktop's lower right hand corner if the operating system notices that it's running on hardware that doesn't meet the minimum requirements. It's possible the culprit is the dedicated security processor, or TPM 2.0 (Trusted Platform Module) chip, used by services like BitLocker and Windows Hello. Microsoft requires this module before upgrading. It's why many PCs were rendered un-upgradeable when Windows 11 was announced. Most new CPUs and motherboards have capability for it built into them, but the feature wasn't a guaranteed inclusion prior to the Windows 11 launch.
|
2023-02-15 06:41:46 | Security Week | |||
Citrix released patches for multiple vulnerabilities in Virtual Apps and Desktops, and Workspace apps for Windows and Linux.
|
2023-02-14 11:02:00 | Slashdot | |||
An anonymous reader shares a report: Internet Explorer 11 was never Windows 10's primary browser -- that would be the old, pre-Chromium version of Microsoft Edge. But IE did continue to ship with Windows 10 for compatibility reasons, and IE11 remained installed and accessible in most versions of Windows 10 even after security updates for the browser ended in June of 2022. That ends today, as Microsoft's support documentation says that a Microsoft Edge browser update will fully disable Internet Explorer in most versions of Windows 10, redirecting users to Edge.
|
2023-02-12 06:34:00 | Slashdot | |||
An anonymous reader shares a report from Tom's Hardware: According to the PC Security Channel (via TechSpot), Microsoft's Windows 11 sends data not only to the Redmond, Washington-based software giant, but also to multiple third parties. To analyze DNS traffic generated by a freshly installed copy of Windows 11 on a brand-new notebook, the PC Security Channel used the Wireshark network protocol analyzer that reveals precisely what is happening on a network. The results were astounding enough for the YouTube channel to call Microsoft's Windows 11 "spyware." As it turned out, an all-new Windows 11 PC that was never used to browse the Internet contacted not only Windows Update, MSN and Bing servers, but also Steam, McAfee, geo.prod.do, and Comscore ScorecardResearch.com. Apparently, the latest operating system from Microsoft collected and sent telemetry data to various market research companies, advertising services, and the like. When Tom's Hardware contacted Microsoft, their spokesperson argued that flowing data is common in modern operating systems "to help them remain secure, up to date, and keep the system working as anticipated." "We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy."
|
2023-02-06 13:40:00 | Slashdot | |||
Microsoft wants everyone to know that it isn't looking to invade their privacy while looking through their Windows PCs to find out-of-date versions of Office software. From a report: In its KB5021751 update last month, Microsoft included a plan to scan Windows systems to smoke out those Office versions that are no longer supported or nearing the end of support. Those include Office 2007 (which saw support end in 2017) and Office 2010 (in 2020) and the 2013 build (this coming April). The company stressed that it would run only one time and would not install anything on the user's Windows system, adding that the file for the update is scanned to ensure it's not infected by malware and is stored on highly secure servers to prevent unauthorized changes to it. The update caused some discussion among users, at least enough to convince Microsoft to make another pitch that it is respecting user privacy and won't access private data despite scanning their systems. The update collects diagnostic and performance data so that it can determine the use of various versions of Office and how to best support and service them, the software maker wrote in an expanded note this week. The update will silently run once to collect the data and no files are left on the user's systems once the scan is completed.
|
2023-01-19 17:15:00 | Slashdot | |||
An anonymous reader shares a report: Microsoft's Windows 10 operating system has been available on the retail market for over seven years and was superseded by Windows 11 in October 2021. However, despite its age, Windows 10 remains the most popular version of Windows, with a global market share of 67.95% in December 2022 compared to 16.97% for Windows 11, according to StatCounter. But it now looks like Microsoft is ready to put the brakes on issuing new Windows 10 licenses to everyday consumers. Microsoft's official product pages for Windows 10 Home and Windows 10 Pro now include the following disclaimer: "January 31, 2023 will be the last day this Windows 10 download is offered for sale. Windows 10 will remain supported with security updates that help protect your PC from viruses, spyware, and other malware until October 14, 2025."
|
2023-01-10 06:33:28 | Security Week | |||
Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.
|
2022-12-25 18:46:00 | Slashdot | |||
Mozilla recently fixed a bug that was first reported 18 years ago in Firefox 1.0, reports How-to Geek: Bug 290125 was first reported on April 12, 2005, only a few days before the release of Firefox 1.0.3, and outlined an issue with how Firefox rendered text with the ::first-letter CSS pseudo-element. The author said, "when floating left a :first-letter (to produce a dropcap), Gecko ignores any declared line-height and inherits the line-height of the parent box. [...] Both Opera 7.5+ and Safari 1.0+ correctly handle this." The initial problem was that the Mac version of Firefox handled line heights differently than Firefox on other platforms, which was fixed in time for Firefox 3.0 in 2007. The issue was then re-opened in 2014, when it was decided in a CSS Working Group meeting that Firefox's special handling of line heights didn't meet CSS specifications and was causing compatibility problems. It led to some sites with a large first letter in blocks of text, like The Verge and The Guardian, rendering incorrectly in Firefox compared to other browsers. The issue was still marked as low priority, so progress continued slowly, until it was finally marked as fixed on December 20, 2022. Firefox 110 should include the updated code, which is expected to roll out to everyone in February 2023.
|
2022-12-25 14:36:00 | Slashdot | |||
Ars Technica reports on a dangerously "wormable" Windows vulnerability that allowed attackers to execute malicious code with no authentication required - a vulnerability that was present "in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability." Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of "important." In the routine course of analyzing vulnerabilities after they're patched, IBM security researcher Valentina Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did [the flaw used to detonate WannaCry]. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue.... One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months. EternalBlue, by contrast, was initially exploited by the NSA as a zero-day. The NSA's highly weaponized exploit was then released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit. Palmiotti said there's reason for optimism but also for risk: "While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time," said Palmiotti. There's still some risk, Palmiotti tells Ars Technica. "As we've seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether." Thanks to Slashdot reader joshuark for sharing the article.
|
2022-12-20 00:30:07 | The Register | |||
Microsoft issues a workaround for problem while it works on a fix
Some users running Windows 10 who installed the KB5021233 cumulative update this month are seeing their operating system crash with the Blue Screen of Death, Microsoft is warning.
|
2022-12-14 23:24:08 | The Register | |||
Handy tools to kill off security protections get Redmond's stamp of approval
Microsoft says it has suspended several third-party developer accounts that submitted malicious Windows drivers for the IT giant to digitally sign so that the code could be used in cyberattacks.
|
2022-12-14 12:01:07 | Krebs on Security | |||
Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day vulnerability in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week's Patch Tuesday.
|
2022-12-13 15:09:54 | Net-Security | |||
It’s December 2022 Patch Tuesday, and Microsoft has delivered fixes for 50+ vulnerabilities, including a Windows SmartScreen bypass flaw (CVE-2022-44698) exploited by attackers to deliver a variety of malware. CVE-2022-44698 affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. “The vulnerability has low complexity. It uses the network vector, and requires no privilege escalation. However, it does need user interaction; attackers need to dupe a victim into visiting a …
|
2022-12-12 13:01:00 | Slashdot | |||
Microsoft's Chromium-based Edge browser was an improvement over the initial version of Edge in many ways, including its support for Windows 7 and Windows 8. But the end of the road is coming: Microsoft has announced that Edge will end support for Windows 7 and Windows 8 in mid-January of 2023, shortly after those operating systems stop getting regular security updates. From a report: Support will also end for Microsoft Edge Webview2, which can use Edge's rendering engine to embed webpages in non-Edge apps. The end-of-support date for Edge coincides with the end of security update support for both Windows 7 and Windows 8 on January 10, and the end of Google Chrome support for Windows 7 and 8 in version 110. Because the underlying Chromium engine in both Chrome and Edge is open source, Microsoft could continue supporting Edge in older Windows versions if it wanted, but the company is using both end-of-support dates to justify a clean break for Edge.
|
2022-12-06 06:03:57 | Net-Security | |||
Google has patched CVE-2022-4262, a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome (and Chromium), which is being exploited by attackers in the wild. No other technical details have been shared about this zero-day flaw, only that it was reported by security engineer Clement Lecigne of Google’s Threat Analysis Group (TAG), whose goal is to protect users from state-sponsored attacks and other advanced persistent threats. About CVE-2022-4262: With a “High” security …
|
2022-12-05 13:40:00 | Slashdot | |||
Microsoft has released an out-of-band update to nudge laggards toward Windows 11 amid a migration pace that company executives would undoubtedly prefer is rather faster. From a report: The software giant is offering an option of upgrading to Windows 11 as an out of box experience to its Windows 10 22H2 installed base, the main aim being to smooth their path forward to the latest operating system. "On November 30, 2022, an out-of-band update was released to improve the Windows 10, version 2004, 20H2, 21H1, 21H2, and 22H2 out-of-box experience (OOBE). It provides eligible devices with the option to upgrade to Windows 11 as part of the OOBE process. This update will be available only when an OOBE update is installed." The update, KB5020683, applies only to Windows 10 Home and Professional versions 2004, 20H2, 21H1, 22H2. There are some pre-requisites that Microsoft has listed here before users can make the move to Windows 11. The operating system was released on October 5 last year but shifting stubborn consumers onto this software has proved challenging for top brass at Microsoft HQ in Redmond. According to Statcounter, a web analytics service that has tracking code installed on 1.5 million websites and records a page view for each, some 16.12 percent of Windows users had installed Windows 11 in November, higher than the 15.44 percent in the prior month, but likely still not close to the figures that Microsoft was hoping for.
|
2022-12-02 09:30:51 | The Register | |||
"There is no evidence to suggest that TrustCor violated conduct, policy, or procedure" says biz
Mozilla and Microsoft have taken action against a certificate authority accused of having close ties to a US military contractor that allegedly paid software developers to embed data-harvesting malware in mobile apps.
|
2022-12-01 09:00:00 | Slashdot | |||
Google researchers say they have linked a Barcelona, Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox, and Windows Defender. From a report: Variston IT bills itself as a provider of tailor-made Information security solutions, including technology for embedded SCADA (supervisory control and data acquisition) and Internet of Things integrators, custom security patches for proprietary systems, tools for data discovery, security training, and the development of secure protocols for embedded devices. According to a report from Google's Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on devices they want to spy on. Researchers Clement Lecigne and Benoit Sevens said the exploit frameworks were used to exploit n-day vulnerabilities, which are those that have been patched recently enough that some targets haven't yet installed them. Evidence suggests, they added, that the frameworks were also used when the vulnerabilities were zero-days. The researchers are disclosing their findings in an attempt to disrupt the market for spyware, which they said is booming and poses a threat to various groups.
|
2022-11-28 15:46:52 | The Register | |||
Microsoft outlines a workaround while pulling together a fix to LSASS memory leak
Updates to Windows Server released as part of this month's Patch Tuesday onslaught might cause some domain controllers to stop working or automatically restart, according to Microsoft.
|
2022-11-23 19:00:10 | The Register | |||
Flaws in the open-source tool exploited and India's power grid was a target
Microsoft is warning that systems using the long-discontinued Boa web server could be at risk of attacks after a series of intrusion attempts of power grid operations in India likely included exploiting security flaws in the technology.
|
2022-11-23 08:09:12 | ZDNet | |||
Users of affected network gateway appliances likely don't even know their router is running a web server that was discontinued 17 years ago.
|
2022-11-22 07:56:59 | Security Week | |||
Microsoft has released an out-of-band update after learning that a recent Windows security patch started causing Kerberos authentication issues.
|
2022-11-21 23:00:08 | The Register | |||
Emergency out-of-band updates to the rescue
Microsoft is rolling out fixes for problems with the Kerberos network authentication protocol on Windows Server after it was broken by November Patch Tuesday updates.
|
2022-11-21 15:01:00 | Slashdot | |||
Mark Hachman, writing for PCWorld: Windows 8 stunk. It might have helped cost chief executive Steve Ballmer his job. Windows 8.1 was a bit better -- but if you love it, you have only a month or so left to enjoy it. Microsoft will kill off Windows 8.1 support on January 10, 2023. There's no out: Microsoft will not be offering an extended support package for Windows 8.1. At that point, you'll have a choice: buy a new Windows PC, or officially pay to upgrade to either Windows 10 or Windows 11. What does the end of support mean? Until January 10, Microsoft will offer security patches and other fixes for any security issues that crop up. Afterwards, you're on your own. If any exploit or malware surfaces, you'll have to depend on any antivirus software you have running -- Microsoft won't be issuing any more patches after Jan. 10, and your PC will absolutely be at risk.
|
2022-11-18 11:41:00 | Slashdot | |||
Microsoft says token theft attacks are on the rise. From a report: Microsoft has outlined several mitigations to protect against attacks on multi-factor authentication that will unfortunately make life more difficult for your remote workers. Three years ago, attacks on multi-factor authentication (MFA) were so rare that Microsoft didn't have decent statistics on them, largely because few organisations had enabled MFA. But with MFA use rising as attacks on passwords become more common, Microsoft has seen an increase in attackers using token theft in their attempts to sidestep MFA. In these attacks, the attacker compromises a token issued to someone who's already completed MFA and replays that token to gain access from a different device. Tokens are central to OAuth 2.0 identity platforms, including Azure Active Directory (AD), which aim to make authentication simpler and faster for users, but in a way that's still resilient to password attacks. Moreover, Microsoft warns that token theft is dangerous because it doesn't require high technical skills, detection is difficult and, because the technique has only recently seen an uptick, few organisations have mitigations in place. "Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose," Microsoft says in a blogpost. "By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This poses to be a concerning tactic for defenders because the expertise needed to compromise a token is very low, is hard to detect, and few organizations have token theft mitigations in their incident response plan."
|
2022-11-17 14:25:00 | Slashdot | |||
Microsoft has fixed yet another problem in some versions of Windows 10, a bug that makes the taskbar and desktop temporarily vanish or causes the system to ignore you. From a report: According to Redmond, users "might experience an error in which the desktop or taskbar might momentarily disappear, or your device might become unresponsive." The issue affects PCs running Windows 10 versions 22H2, 21H2, 21H1, and 20H2, the company wrote on its Windows Health Dashboard. Microsoft didn't outline the exact cause but notes it was related to the KB5016688 220820_03051 cumulative update and later. The software giant is using its Known Issue Rollback (KIR) feature -- which enables IT administrators to roll back the unwanted changes of an update -- to resolve the problem, adding that it could take up to 24 hours for the fix to reach non-managed business systems and consumer devices. Restarting the device may accelerate the timeframe. Organizations that use enterprise-managed devices can install and configure a special Group Policy by going to "Computer Configuration" and then "Administrative Templates" and "Group Policy name." If the resolution doesn't work, users can try restarting the Windows device, according to Microsoft. The latest fix comes after a number of other problems were resolved this week.
|
2022-11-16 11:05:19 | Security Week | |||
Mozilla has announced the release of Firefox 107. The latest version of the popular web browser patches a significant number of vulnerabilities.
|
2022-11-10 11:45:00 | Slashdot | |||
whoever57 writes: Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto? You probably already do. Washington Post reports: An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the internet's infrastructure that guarantees websites are not fake, guiding users to them seamlessly. The company's Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it. whoever57 has also shared an unpaywalled link to the story.
|
2022-11-08 09:40:00 | Slashdot | |||
Microsoft is now promoting some of its products in the sign-out flyout menu that shows up when clicking the user icon in the Windows 11 start menu. BleepingComputer: This new Windows 11 "feature" was discovered by Windows enthusiast Albacore, who shared several screenshots of advertisement notifications in the Accounts flyout. The screenshots show that Microsoft promotes the OneDrive file hosting service and prods users to create or complete their Microsoft accounts. Those reacting to this on social media had an adverse reaction to Redmond's decision to display promotional messages in the start menu. Some said that Windows 11 is "getting worse in each and every update it gets," while others added that this is a weird choice given that "half of the Start Menu is for recommendations" anyway. BleepingComputer has also tried replicating this on multiple Windows 11 systems, but we didn't get any ads. This hints at an A/B testing experiment trying to gauge the success of such a "feature" on devices running Windows Insider builds or the company pushing such ads to a limited set of customers.
|
2022-11-05 18:02:59 | incidents.org | |||
Windows 10 supports various virtual drives natively and can recognize and use ISO, VHD and VHDX files. The file included as an attachment with this email, when extracted appears in the email as a PDF but is in fact a VHD file.
|
2022-11-02 14:41:00 | Slashdot | |||
Much of the Windows world has yet to adopt Microsoft's latest desktop operating system more than a year after it launched, according to figures for October collated by Statcounter. From a report: Just 15.44 percent of PCs across the globe have installed Windows 11, meaning it gained 1.83 percentage points in a month. This compares to the 71.29 percent running Windows 10, which fell marginally from 71.88 percent in September. Windows 7 is still hanging on with a tenuous grip, in third place with 9.61 percent, Windows 8.1 in fourth with 2.45 percent, plain old Windows 8 with 0.69 percent, and bless its heart, Windows XP with 0.39 percent because of your extended family. In total, Windows has almost 76 percent of the global desktop OS market followed by OS X with 15.7 percent and Linux with 2.6 percent. Android comprised 42.37 percent of total operating system market share, with Windows trailing on 30.11 percent, iOS on 17.6 percent, OS X on 6.24 percent, and Linux on 1.04 percent.
|
2022-10-28 06:01:47 | ZDNet | |||
Widely distributed worm evolves into one of the largest currently active malware distribution platforms.
|
2022-10-27 23:30:00 | Slashdot | |||
An anonymous reader quotes a report from ZDNet: Everyone depends on OpenSSL. You may not know it, but OpenSSL is what makes it possible to use secure Transport Layer Security (TLS) on Linux, Unix, Windows, and many other operating systems. It's also what is used to lock down pretty much every secure communications and networking application and device out there. So we should all be concerned that Mark Cox, a Red Hat Distinguished Software Engineer and the Apache Software Foundation (ASF)'s VP of Security, this week tweeted, "OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC." How bad is "Critical"? According to OpenSSL, an issue of critical severity affects common configurations and is also likely exploitable. It's likely to be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code remotely. In other words, pretty much everything you don't want happening on your production systems. The last time OpenSSL had a kick in its security teeth like this one was in 2016. That vulnerability could be used to crash and take over systems. Even years after it arrived, security company Check Point estimated it affected over 42% of organizations. This one could be worse. We can only hope it's not as bad as that all-time champion of OpenSSL's security holes, 2014's HeartBleed. [...] There is another little silver lining in this dark cloud. This new hole only affects OpenSSL versions 3.0.0 through 3.0.6. So, older operating systems and devices are likely to avoid these problems. For example, Red Hat Enterprise Linux (RHEL) 8.x and earlier and Ubuntu 20.04 won't be smacked by it. RHEL 9.x and Ubuntu 22.04, however, are a different story. They do use OpenSSL 3.x. [...] But, if you're using anything with OpenSSL 3.x in -- anything -- get ready to patch on Tuesday. This is likely to be a bad security hole, and exploits will soon follow. You'll want to make your systems safe as soon as possible.
|
2022-10-27 08:18:11 | Security Week | |||
Remote attackers could exploit two Event Log vulnerabilities in Windows to crash the Event Log application and cause a denial-of-service (DoS) condition, Varonis warns.
Event Log is an Internet Explorer-specific application that exists in all Windows iterations, due to the deep integration of the browser with the operating system.
|
2022-10-27 06:47:28 | ZDNet | |||
Microsoft addresses an issue preventing Windows 10's vulnerable driver blocklist from being updated with new vulnerable drivers.
|
2022-10-19 17:55:38 | Security Week | |||
Cybersecurity firm SafeBreach has issued a warning about a new PowerShell backdoor that disguises itself as part of the Windows update process to remain fully undetected.
|
2022-10-10 22:02:00 | Slashdot | |||
Nearly 43 percent of millions of devices studied by asset management provider Lansweeper are unable to upgrade to Windows 11 due to the hardware requirements Microsoft set out for the operating system. The Register reports: Lansweeper said 42.76 percent of the estimated 27 million PCs it tested across 60,000 organizations failed the CPU test, albeit better than the 57.26 percent in its last test a year ago. Altogether 71.5 percent of the PCs failed the RAM test and 14.66 percent the TPM test. "We know that those who can't update to Windows 11... will continue to use Windows 10," said Roel Decneut, chief strategy officer at Lansweeper, whose customers include Sony, Pepsico, Cerner, MiT and Hilton hotels. He said that even if enterprises are prepared to upgrade their PC fleet to meet the system requirements of Microsoft's latest OS, there are "broader issues affecting adoption that are out of Microsoft's control." "Global supply chain disruption has created chip a processor shortage, while many are choosing to stick with what hardware they have at the moment due to the global financial uncertainty." Other findings from Lansweeper show adoption rates for the latest OS are improving, running on 1.44 percent of computers versus 0.52 percent in January. This means the latest incarnation has overtaken Windows 8 in the popularity stakes but remains behind market share for Windows 7, despite that software going end of life in January 2020. Adoption is, unsurprisingly, higher in the consumer space. Some 4.82 percent of the biz devices researched were running an OS that wasn't fully supported and 0.91 percent had servers in their estate that are end of life.
|
2022-10-10 09:00:00 | Wired | |||
You're safer than ever. Here's how.
|
2022-10-06 14:44:58 | Security on TechRepublic | |||
Targeting more than 21,000 users, the phishing email managed to bypass Microsoft Exchange email security, says Armorblox.
|
2022-09-30 12:51:57 | Krebs on Security | |||
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
|
2022-09-20 14:00:00 | Slashdot | |||
Microsoft on Tuesday said it's starting to release the first major update to Windows 11, the current version of its PC operating system. The company said the update is aimed at making PCs easier and safer to use and improve productivity. Some excerpts detailing new features from Windows blog: Windows 11 brought a sense of ease to the PC, with an intuitive design people love. We're building on that foundation with new features to ensure the content and information you need is always at your fingertips, including updates to the Start menu, faster and more accurate search, Quick Settings, improved local and current events coverage in your Widgets board, and the No. 1 ask from you, tabs in File Explorer. All of this helps Windows anticipate your needs and save you time. [...] The PC has always been where people come to get things done -- especially when it comes to tackling complex tasks. With enhancements to Snap layouts, the new Focus feature, and performance and battery optimizations, the new Windows 11 2022 update will help you be your most productive yet. Snap layouts on Windows 11 have been a game changer for multitasking, helping people optimize their view when they need to have multiple apps or documents in front of them at the same time. With the new update, we're making Snap layouts more versatile with better touch navigation and the ability to snap multiple browser tabs in Microsoft Edge. We're introducing Focus sessions and Do Not Disturb to help you minimize distractions that pull you away from the task at hand. [...] We also want to continue to make Windows the best place to play games. This update will deliver performance optimizations to improve latency and unlock features like Auto HDR and Variable Refresh Rate on windowed games. And with Game Pass built right into Windows 11 through the Xbox app, players can access hundreds of high-quality PC games. Having the right content fuels a great PC experience. A year ago, we redesigned the Microsoft Store on Windows to be more open and easier-to-use -- a one-stop shop for the apps, games and TV shows you love. Today, through our partnership with Amazon, we are expanding the Amazon Appstore Preview to international markets, bringing more than 20,000 Android apps and games to Windows 11 devices that meet the feature-specific hardware requirements. In addition to a growing catalog of apps and games, we are also excited to share that we are moving to the next stage of the Microsoft Store Ads pilot -- helping developers get content in front of the right customers. [...] Windows 11 provides layers of hardware and software integrated for powerful, out-of-the box protection from the moment you start your device -- and we're continuing to innovate. The new Microsoft Defender SmartScreen identifies when people are entering their Microsoft credentials into a malicious application or hacked website and alerts them.
|
2022-09-20 13:21:00 | Slashdot | |||
An anonymous reader shares a report: When ArsTechnica reviewed Windows 11 last fall, one of its biggest concerns was that it would need to wait until the fall of 2022 to see changes or improvements to its new -- and sometimes rough -- user interface. Nearly a year later, it's become abundantly clear that Microsoft isn't holding back changes and new apps for the operating system's yearly feature update. One notable smattering of additions was released back in February alongside a commitment to "continuous innovation." Other, smaller updates before and since (not to mention the continuously-updated Microsoft Edge browser) have also emphasized Microsoft's commitment to putting out new Windows features whenever they're ready. There's been speculation that Microsoft could be planning yet another major shake-up to Windows' update model, moving away from yearly updates that would be replaced by once-per-quarter feature drops, allegedly called "Moments" internally. These would be punctuated by larger Windows version updates every three years or so. As part of the PR around the Windows 11 2022 Update (aka Windows 11 22H2), the company has made clear that none of this is happening. "Windows 11 will continue to have an annual feature update cadence, released in the second half of the calendar year that marks the start of the support lifecycle," writes Microsoft VP John Cable, "with 24 months of support for Home and Pro editions and 36 months of support for Enterprise and Education editions." These updates will include their own new features and changes, as the 2022 Update does, but you'll also need to have the latest yearly update installed to continue to get additional feature updates via Windows Update and the Microsoft Store. As for the Windows 12 rumors, Microsoft simply told Ars it has "no plans to share today." This stance leaves the company plenty of room to change its plans tomorrow or any day after that. But we can safely say that a new numbered version of Windows won't happen in the near future. For smaller changes that aren't delivered as part of a yearly feature update or via a Microsoft Store update, Microsoft will use something called Controlled Feature Rollout (CFR) to test features with a subset of Windows users rather than delivering them to everyone all at once.
|
2022-09-19 20:02:00 | Slashdot | |||
Recent research from the otto-js Research Team has uncovered that data that is being checked by both Microsoft Editor and the enhanced spellcheck setting within Google Chrome is being sent to Microsoft and Google respectively. This data can include usernames, emails, DOB, SSN, and basically anything that is typed into a text box that is checked by these features. Neowin reports: As an additional note, even passwords can be sent by these features, but only when a "Show Password" button is pressed, which converts the password into visible text, which is then checked. The key issue revolves around sensitive user personally identifiable information (PII), and this is a key concern for enterprise credentials when accessing internal databases and cloud infrastructure. Some companies are already taking action to prevent this, with both AWS and LastPass security teams confirming that they have mitigated this with an update. The issue has already been dubbed "spell-jacking". What's most concerning is that these settings are so easy to enable by users, and could result in data exposure without anyone ever realising it. The team at otto-js ran a test of 30 websites, across a range of sectors, and found that 96.7% of them sent data with PII back to Google and Microsoft. At present, the otto-js Research Team recommends that these extensions and settings are not used until this issue is resolved.
|
2022-09-17 12:34:00 | Slashdot | |||
The makers of the secure telnet client PuTTY also sell a service monitoring company security services - and this July Mandiant Managed Defense "identified a novel spear phish methodology," according to a post on the company's blog: [The threat cluster] established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.... This activity was identified by our Mandiant Intelligence: Staging Directories mission, which searches for anomalous files written to directories commonly used by threat actors.... The amazon_assessment.iso archive held two files: an executable and a text file. The text file named Readme.txt had connection details for use with the second file: PuTTY.exe.... [T]he PuTTY.exe binary in the malicious archive does not have a digital signature. The size of the PuTTY binary downloaded by the victim is also substantially larger than the legitimate version. Upon closer inspection, it has a large, high entropy .data section in comparison to the officially distributed version. Sections like these are typically indicative of packed or encrypted data. The suspicious nature of the PuTTY.exe embedded in the ISO file prompted Managed Defense to perform a deeper investigation on the host and the file itself. The execution of the malicious PuTTY binary resulted in the deployment of a backdoor to the host. "The executable embedded in each ISO file is a fully functional PuTTY application compiled using publicly available PuTTY version 0.77 source code," the blog post points out. Ars Technica notes that Mandiant's researchers believe it's being pushed by groups with ties to North Korea: The executable file installed the latest version of Airdry, a backdoor the US government has attributed to the North Korean government.
The US Cybersecurity and Infrastructure Security Agency has a description here. Japan's community emergency response team has this description of the backdoor, which is also tracked as BLINDINGCAN.
|
2022-09-14 19:20:00 | Slashdot | |||
Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. BleepingComputer reports: "This attack does not require special permissions or advanced malware to get away with major internal damage," Connor Peoples at cybersecurity company Vectra explains in a report this week. The researcher adds that by taking "control of critical seats -- like a company's Head of Engineering, CEO, or CFO -- attackers can convince users to perform tasks damaging to the organization." Vectra researchers discovered the problem in August 2022 and reported it to Microsoft. However, Microsoft did not agree on the severity of the issue and said that it doesn't meet the criteria for patching. With a patch unlikely to be released, Vectra's recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks. The researchers advise Linux users to move to a different collaboration suite, especially since Microsoft announced plans to stop supporting the app for the platform by December.
|
2022-09-13 22:50:07 | The Register | |||
Plus: Nasty no-auth RCE in TCP/IP stack, and many more updates. Patch Tuesday: September's Patch Tuesday is here and it brings, among other things, fixes from Microsoft for one security bug that miscreants have used to fully take over Windows systems along with details of a second vulnerability that, while not yet under attack, has already been publicly disclosed.
|
2022-09-02 07:00:00 | Wired | |||
Hackers can use Microsoft's Power Automate to push out ransomware and key loggers, if they get machine access first.
|
2022-08-27 00:00:00 | Slashdot | |||
Microsoft has confirmed to Sky News that criminals are posting counterfeit packages designed to appear like Office products in order to defraud people. From the report: One such package seen by Sky News is manufactured to a convincing standard and contains an engraved USB drive, alongside a product key. But the USB does not install Microsoft Office when plugged in to a computer. Instead, it contains malicious software which encourages the victim to call a fake support line and hand over access to their PC to a remote attacker. Microsoft launched an internal investigation into the suspect package after being contacted by Sky News. The company spokesperson confirmed that the USB and the packaging were counterfeit and that they had seen a pattern of such products being used to scam victims before. They added that while Microsoft had seen this type of fraud, it is very infrequent. More often when fraudulent products are sold they tend to be product keys sent to customers via email, with a link to a site for downloading the malicious software.
|
2022-08-25 07:03:00 | Security Week | |||
Mozilla this week patched several high-severity vulnerabilities in its Firefox and Thunderbird products. Firefox 104 as well as Firefox ESR 91.13 and 102.2 patches a high-severity address bar spoofing issue related to XSLT error handling. The flaw, tracked as CVE-2022-38472, could be exploited for phishing.
|