According to Bloomberg, the U.S. Justice Department wants Google to sell off its Chrome browser as part of its ongoing search monopoly case. The recommendations will be made official on Wednesday. 9to5Google reports: At the top of the list is having Google sell Chrome `because it represents a key access point through which many people use its search engine.` There are many questions about how that works, including what the impact on the underlying Chromium codebase would be. Would Google still be allowed to develop the open-source project by which many other browsers, like Microsoft Edge use? `The government has the option to decide whether a Chrome sale is necessary at a later date if some of the other aspects of the remedy create a more competitive market,` reports Bloomberg. Google, which plans to appeal, previously said that `splitting off Chrome or Android would break them.` Bloomberg reports that `antitrust officials pulled back from a more severe option that would have forced Google to sell off Android.` However, the government wants Google to `uncouple its Android smartphone operating system from its other products, including search and its Google Play mobile app store, which are now sold as a bundle.` Meanwhile, other recommendations include licensing Google Search data and results, as well as allowing websites that are indexed for Search to opt out of AI training.\n \n\n \n

A security update mislabeling by Microsoft led to Windows Server 2022 systems unexpectedly upgrading to Windows Server 2025, impacting 7 percent of Heimdal customers and leaving administrators scrambling to manage unexpected licensing and configuration challenges. The Register reports: It took Heimdal a while to trace the problem. According to a post on Reddit: `Due to the limited initial footprint, identifying the root cause took some time. By 18:05 UTC, we traced the issue to the Windows Update API, where Microsoft had mistakenly labeled the Windows Server 2025 upgrade as KB5044284.` It added: `Our team discovered this discrepancy in our patching repository, as the GUID for the Windows Server 2025 upgrade does not match the usual entries for KB5044284 associated with Windows 11. This appears to be an error on Microsoft`s side, affecting both the speed of release and the classification of the update. After cross-checking with Microsoft`s KB repository, we confirmed that the KB number indeed references Windows 11, not Windows Server 2025.` As of last night, Heimdal estimated that the unexpected upgrade had affected 7 percent of customers -- it said it had blocked KB5044284 across all server group policies. However, this is of little comfort to administrators finding themselves receiving an unexpected upgrade. Since rolling back to the previous configuration will present a challenge, affected users will be faced with finding out just how effective their backup strategy is or paying for the required license and dealing with all the changes that come with Windows Server 2025.\n \n\n \n

Microsoft is once again delaying the roll out of its controversial Recall feature for Copilot Plus PCs. From a report: The software giant had planned to start testing Recall, which creates screenshots of mostly everything you see or do on a Copilot Plus PC, with Windows Insiders in October. Now, Microsoft says it needs more time to get the feature ready. `We are committed to delivering a secure and trusted experience with Recall. To ensure we deliver on these important updates, we`re taking additional time to refine the experience before previewing it with Windows Insiders,` says Brandon LeBlanc, senior product manager of Windows, in a statement to The Verge. `Originally planned for October, Recall will now be available for preview with Windows Insiders on Copilot Plus PCs by December.`\n \n\n \n

`Who asked for any of this in the first place?` wonders a New York Times consumer-tech writer. (Alternate URL here.) `Judging from the feedback I get from readers, lots of people outside the tech industry remain uninterested in AI - and are increasingly frustrated with how difficult it has become to ignore.` The companies rely on user activity to train and improve their AI systems, so they are testing this tech inside products we use every day. Typing a question such as `Is Jay-Z left-handed?` in Google will produce an AI-generated summary of the answer on top of the search results. And whenever you use the search tool inside Instagram, you may now be interacting with Meta`s chatbot, Meta AI. In addition, when Apple`s suite of AI tools, Apple Intelligence, arrives on iPhones and other Apple products through software updates this month, the tech will appear inside the buttons we use to edit text and photos. The proliferation of AI in consumer technology has significant implications for our data privacy, because companies are interested in stitching together and analyzing our digital activities, including details inside our photos, messages and web searches, to improve AI systems. For users, the tools can simply be an annoyance when they don`t work well. `There`s a genuine distrust in this stuff, but other than that, it`s a design problem,` said Thorin Klosowski, a privacy and security analyst at the Electronic Frontier Foundation, a digital rights nonprofit, and a former editor at Wirecutter, the reviews site owned by The New York Times. `It`s just ugly and in the way.` It helps to know how to opt out. After I contacted Microsoft, Meta, Apple and Google, they offered steps to turn off their AI tools or data collection, where possible. I`ll walk you through the steps. The article suggests logged-in Google users can toggle settings at myactivity.google.com. (Some browsers also have extensions that force Google`s search results to stop inserting an AI summary at the top.) And you can also tell Edge to remove Copilot from its sidebar at edge://settings. But `There is no way for users to turn off Meta AI, Meta said. Only in regions with stronger data protection laws, including the EU and Britain, can people deny Meta access to their personal information to build and train Meta`s AI.` On Instagram, for instance, people living in those places can click on `settings,` then `about` and `privacy policy,` which will lead to opt-out instructions. Everyone else, including users in the United States, can visit the Help Center on Facebook to ask Meta only to delete data used by third parties to develop its AI. By comparison, when Apple releases new AI services this month, users will have to opt in, according to the article. `If you change your mind and no longer want to use Apple Intelligence, you can go back into the settings and toggle the Apple Intelligence switch off, which makes the tools go away.`\n \n\n \n

Microsoft has notified customers that it`s missing more than two weeks of security logs for some of its cloud products, leaving network defenders without critical data for detecting possible intrusions. From a report: According to a notification sent to affected customers, Microsoft said that `a bug in one of Microsoft`s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform` between September 2 and September 19. The notification said that the logging outage was not caused by a security incident, and `only affected the collection of log events.` Business Insider first reported the loss of log data earlier in October. Details of the notification have not been widely reported. As noted by security researcher Kevin Beaumont, the notifications that Microsoft sent to affected companies are likely accessible only to a handful of users with tenant admin rights. Logging helps to keep track of events within a product, such as information about users signing in and failed attempts, which can help network defenders identify suspected intrusions. Missing logs could make it more difficult to identify unauthorized access to the customers` networks during that two-week window.\n \n\n \n

When Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994, they were assured by then-FBI Director Louis Freeh that the mandated wiretap backdoors posed no security risks. Fast forward to today, following the news of a massive CALEA hack and Senator Ron Wyden is reminding the DOJ of that history, while urging […]

One year from today, on October 14, 2025, Microsoft will stop releasing security updates for PCs that are still running Windows 10. From a report: Organizations and individuals will still be able to pay for three more years of updates, with prices that go up steadily each year (Microsoft still hasn`t provided pricing for end users, only saying that it will release pricing info `closer to the October 2025 date.`) But for most PCs running Windows 10, the end of the line is in sight.\n \n\n \n

smooth wombat writes: The Windows 11 24H2 update has had a host of issues associated with it including disappearing mouse cursors and blue screens related to Intel drivers. Now comes word that the new update leaves behind over 8 GB of undeletable cache files. According to Windows Latest, attempts to delete the cache via the Control Panel are unsuccessful. Although you can select the cache for deletion and initiate the deletion process, the cache remains. Various other methods to remove the Windows update cache failed, too. It only cleared after a clean Windows installation altogether.\n \n\n \n

\nMozilla has pushed out an emergency update for its Firefox and Firefox ESR browsers to fix a vulnerability (CVE-2024-9680) that is being exploited in the wild. About CVE-2024-9680 Reported by ESET malware researcher Damien Schaeffer, CVE-2024-9680 is a use-after-free vulnerability in the browser’s Animation timelines and, according to Mozilla, has been exploited to achieve code execution in the content process. Additional details about the vulnerability or the attacks are yet to be shared. According to … More → \n \nThe post Actively exploited Firefox zero-day fixed, update ASAP! (CVE-2024-9680) appeared first on Help Net Security .\n

Alypius shares a report from 9to5Mac: It was revealed this weekend that Chinese hackers managed to access systems run by three of the largest internet service providers (ISPs) in the US. What`s notable about the attack is that it compromised security backdoors deliberately created to allow for wiretaps by US law enforcement. [...] Apple famously refused the FBI`s request to create a backdoor into iPhones to help access devices used by shooters in San Bernardino and Pensacola. The FBI was subsequently successful in accessing all the iPhones concerned without the assistance it sought. Our arguments against such backdoors predate both cases, when Apple spoke out on the issue in the wake of terrorist attacks in Paris more than a decade ago: `Apple is absolutely right to say that the moment you build in a backdoor for use by governments, it will only be a matter of time before hackers figure it out. You cannot have an encryption system which is only a little bit insecure any more than you can be a little bit pregnant. Encryption systems are either secure or they`re not -- and if they`re not then it`s a question of when, rather than if, others are able to exploit the vulnerability.` This latest case perfectly illustrates the point. The law required ISPs to create backdoors that could be used for wiretaps by US law enforcement, and hackers have now found and accessed them. Exactly the same would be true if Apple created backdoors into iPhones.\n \n\n \n

\nFor October 2024 Patch Tuesday, Microsoft has released fixes for 117 security vulnerabilities, including two under active exploitation: CVE-2024-43573, a spoofing bug affecting the Windows MSHTML Platform, and CVE-2024-43572, a remote code execution flaw in the Microsoft Management Console (MMC). About CVE-2024-43573 and CVE-2024-43572 As far as it can be deduced from the accompanying advisory, CVE-2024-43573 is similar to CVE-2024-38112, a vulnerability in MSHTML, a browser engine for the now deprecated Internet Explorer, which has … More → \n \nThe post Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572) appeared first on Help Net Security .\n

Microsoft is releasing a new version of Office this week, designed for people that don`t want to subscribe to Microsoft 365. From a report: The standalone Microsoft Office 2024 release is now available for both consumers and small businesses, and includes locked-in-time versions of Word, Excel, PowerPoint, OneNote, and Outlook across both Mac and PC. Office 2024 includes a lot of the updates that Microsoft has been delivering to Microsoft 365 subscribers over the past few years. Microsoft last released a standalone version of Office in 2021, and this new Office 2024 release includes improvements to the core apps, as well as accessibility and UI changes. Office 2024 has a new default theme, with Microsoft`s latest Fluent Design principles that match the visual changes to Windows 11. Microsoft has also added accessibility-focused improvements to help Office users find potential accessibility issues in documents, slideshows, workbooks, and emails.\n \n\n \n

Microsoft launched its annual Windows 11 update today, introducing significant changes to the operating system. The Windows 11 2024 Update, or 24H2, will roll out gradually, starting with PCs running versions 22H2 or 23H2 that have opted for faster feature updates. Key additions include an Energy Saver feature, Wi-Fi 7 support, and 80Gbps USB4 Version 2.0 compatibility. Select high-end PCs meeting Copilot+ requirements will gain access to enhanced features like an improved Recall function and generative AI tools in Paint. This update marks the most substantial overhaul of Windows 11 since its 2021 release, with major changes to the compiler, kernel, and scheduler. Microsoft has also improved the Arm-to-x86 app translation layer, now dubbed `Prism.` While stable, users may encounter occasional issues. The update maintains Windows 11`s existing hardware requirements but raises the bar for unsupported installations.\n \n\n \n

Microsoft giveth and Microsoft taketh away, as administrators using Windows Server Update Services (WSUS) will soon find out. From a report: Windows Server 2025 remains in preview, but Microsoft has been busy letting users know what is set for removal and what will be deprecated in the release. WSUS fits into the latter category -- still there for now, but no longer under active development. This is a big deal for many administrators who rely on the feature to deploy and manage the distribution of updates and features in an enterprise environment. It`ll even work on a network disconnected from the internet -- download the patches to a connected computer, stick them on some removable media, import the patches to a WSUS server on the disconnected network, and away you go. A tame administrator told El Reg: `We are migrating to Intune. It`s a lot more complicated than WSUS, and it takes a lot longer to get set up.` `Such is progress!` he sighed. Microsoft`s advice is, unsurprisingly, to migrate to cloud tools. As well as the aforementioned Intune, there is also Windows Autopatch for client update management or Azure Update Manager for server update management. And there are plenty of third-party tools out there too, such as Ansible. Microsoft`s announcement has attracted comment. One user said: `Congratulations, you just made centralized automated patching subject to internal politics and budget constraints. `I survived the era of Melissa, SQL Slammer, and other things that were solved when we no longer had to choose between paid patch management or trusting admins of every server to do the right thing. For those of you that did not live through that, buckle up!`\n \n\n \n

Microsoft unveiled detailed security reforms Monday, five months after CEO Satya Nadella pledged to prioritize cybersecurity following major breaches. The 25-page Secure Future Initiative report [PDF] outlines technical and governance changes addressing criticisms in an April 2024 Cyber Safety Review Board report that deemed Microsoft`s security culture `inadequate.` Microsoft said it implemented significant security upgrades to its Entra ID and Microsoft Account systems, introducing Azure-managed hardware security modules for access token signing keys. The company has also purged 5.75 million inactive tenants to minimize potential attack vectors and adopted a new testing system with secure defaults to prevent legacy-related security issues. Concurrently, Microsoft has enhanced its network tracking capabilities, now monitoring over 99 percent of its physical network through a centralized inventory system, which aids in firmware compliance and logging. Internal security measures have been tightened, with engineering teams facing stricter access controls. Personal access tokens are now limited to seven days, SSH access has been disabled for internal engineering repositories, and access to critical engineering systems has been restricted to fewer groups. Additionally, Microsoft has extended its audit log retention period to a minimum of two years, bolstering its ability to investigate and respond to potential security incidents.\n \n\n \n

\nOrganizations that plan to upgrade to Windows Server 2025 once it becomes generally available will be able to implement some security updates by hotpatching running processes. What is hotpatching? “Hotpatching has been around for years in Windows Server 2022 Azure Edition, but always required running a VM in Azure or on Azure Stack HCI. When Windows Server 2025 becomes generally available, you will be able to run the edition you want, where you want – … More → \n \nThe post Windows Server 2025 gets hotpatching option, without reboots appeared first on Help Net Security .\n

Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While it`s unlikely that many programmers fell for this scam, it`s notable because less targeted versions of it are likely to be far more successful against the average Windows user.

wiredmikey shares a report from SecurityWeek: Microsoft on Tuesday raised an alarm for in-the-wild exploitation of a critical flaw in Windows Update, warning that attackers are rolling back security fixes on certain versions of its flagship operating system. The Windows flaw, tagged as CVE-2024-43491 and marked as actively exploited, is rated critical and carries a CVSS severity score of 9.8/10. Redmond`s documentation of the bug suggests a downgrade-type attack similar to the `Windows Downdate` issue discussed at this year`s Black Hat conference. Microsoft`s bulletin reads: `Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 -- KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.` To protect against this exploit, Microsoft says Windows users should install this month`s Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.\n \n\n \n

Microsoft Corp. today released updates to fix at least 79 security vulnerabilities in its Windows operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some Windows 10 PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.

An anonymous reader shares a report: While the latest update to Windows 11 makes it look like the upcoming Recall feature can be easily removed by users, Microsoft tells us it`s just a bug and a fix is coming. Deskmodder spotted the change last week in the latest 24H2 version of Windows 11, with KB5041865 seemingly delivering the ability to uninstall Recall from the Windows Features section. `We are aware of an issue where Recall is incorrectly listed as an option under the `Turn Windows features on or off` dialog in Control Panel,` says Windows senior product manager Brandon LeBlanc in a statement to The Verge. `This will be fixed in an upcoming update.`\n \n\n \n

Microsoft has retracted or clarified its statement regarding the deprecation of Windows Control Panel, according to changes made to a support document. The original text, which stated that the Control Panel was `in the process of being deprecated in favor of the Settings app,` has been revised. The new version now indicates that `many of the settings in Control Panel are in the process of being migrated to the Settings app.` This modification came after widespread media coverage of the initial announcement. It remains unclear whether this change reflects a shift in Microsoft`s plans or a correction of an erroneous statement.\n \n\n \n

A university in Taiwan was breached with `a previously unseen backdoor (Backdoor.Msupedge) utilizing an infrequently seen technique,` Symantec reports. The most notable feature of this backdoor is that it communicates with a command-and-control server via DNS traffic... The code for the DNS tunneling tool is based on the publicly available dnscat2 tool. It receives commands by performing name resolution... Msupedge not only receives commands via DNS traffic but also uses the resolved IP address of the C and amp;C server (ctl.msedeapi[.]net) as a command. The third octet of the resolved IP address is a switch case. The behavior of the backdoor will change based on the value of the third octet of the resolved IP address minus seven... The initial intrusion was likely through the exploit of a recently patched PHP vulnerability (CVE-2024-4577). The vulnerability is a CGI argument injection flaw affecting all versions of PHP installed on the Windows operating system. Successful exploitation of the vulnerability can lead to remote code execution. Symantec has seen multiple threat actors scanning for vulnerable systems in recent weeks. To date, we have found no evidence allowing us to attribute this threat and the motive behind the attack remains unknown. More from The Record: Compared to more obvious methods like HTTP or HTTPS tunneling, this technique can be harder to detect because DNS traffic is generally considered benign and is often overlooked by security tools. Earlier in June, researchers discovered a campaign by suspected Chinese state-sponsored hackers, known as RedJuliett, targeting dozens of organizations in Taiwan, including universities, state agencies, electronics manufacturers, and religious organizations. Like many other Chinese threat actors, the group likely targeted vulnerabilities in internet-facing devices such as firewalls and enterprise VPNs for initial access because these devices often have limited visibility and security solutions, researchers said. Additional coverage at The Hacker News. Thanks to Slashdot reader joshuark for sharing the article.\n \n\n \n

Long-time Slashdot reader UnderAttack explains: A blog post at the SANS Internet Storm Center suggests that OpenAI actions are being abused to scan for WordPress vulnerabilities. Honeypot sensors at the Storm Center detected scans for URLs targeting WordPress that originated exclusively from OpenAI systems. The URLs requested all pages including the pattern `%%target%%`, which may indicate that the scan is meant to include additional path components but the expansion of the template failed. The scans were not only identified by the unique user agent but also by the origin IP addresses matching addresses OpenAI published as being used for OpenAI actions. OpenAI actions allow OpenAI to connect to external APIs. Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu, wrote that OpenAI seems to be scanning random IP addresses - including honeypots.\n \n\n \n

Microsoft plans to phase out Windows Control Panel, a feature dating back to the 1980s, in favor of the modern Settings app, according to a recent support page. The tech giant has been gradually shifting functions to Settings since 2015, aiming for a more streamlined user experience. However, no specific timeline for Control Panel`s complete removal has been announced. Microsoft writes in the support page: The Control Panel is a feature that`s been part of Windows for a long time. It provides a centralized location to view and manipulate system settings and controls. Through a series of applets, you can adjust various options ranging from system time and date to hardware settings, network configurations, and more. The Control Panel is in the process of being deprecated in favor of the Settings app, which offers a more modern and streamlined experience.\n \n\n \n

Microsoft will begin sending a revised version of its controversial Recall feature to Windows Insider PCs beginning in October, according to an update published to the company`s original blog post about the Recall controversy. From a report: The company didn`t elaborate further on specific changes it`s making to Recall beyond what it already announced in June. For those unfamiliar, Recall is a Windows service that runs in the background on compatible PCs, continuously taking screenshots of user activity, scanning those screenshots with optical character recognition (OCR), and saving the OCR text and the screenshots to a giant searchable database on your PC. The goal, according to Microsoft, is to help users retrace their steps and dig up information about things they had used their PCs to find or do in the past.\n \n\n \n

An anonymous reader quotes a report from Dark Reading: Researchers have exploited a vulnerability in Microsoft`s Copilot Studio tool allowing them to make external HTTP requests that can access sensitive information regarding internal services within a cloud environment -- with potential impact across multiple tenants. Tenable researchers discovered the server-side request forgery (SSRF) flaw in the chatbot creation tool, which they exploited to access Microsoft`s internal infrastructure, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances, they revealed in a blog post this week. Tracked by Microsoft as CVE-2024-38206, the flaw allows an authenticated attacker to bypass SSRF protection in Microsoft Copilot Studio to leak sensitive cloud-based information over a network, according to a security advisory associated with the vulnerability. The flaw exists when combining an HTTP request that can be created using the tool with an SSRF protection bypass, according to Tenable. `An SSRF vulnerability occurs when an attacker is able to influence the application into making server-side HTTP requests to unexpected targets or in an unexpected way,` Tenable security researcher Evan Grant explained in the post. The researchers tested their exploit to create HTTP requests to access cloud data and services from multiple tenants. They discovered that `while no cross-tenant information appeared immediately accessible, the infrastructure used for this Copilot Studio service was shared among tenants,` Grant wrote. Any impact on that infrastructure, then, could affect multiple customers, he explained. `While we don`t know the extent of the impact that having read/write access to this infrastructure could have, it`s clear that because it`s shared among tenants, the risk is magnified,` Grant wrote. The researchers also found that they could use their exploit to access other internal hosts unrestricted on the local subnet to which their instance belonged. Microsoft responded quickly to Tenable`s notification of the flaw, and it has since been fully mitigated, with no action required on the part of Copilot Studio users, the company said in its security advisory. Further reading: Slack AI Can Be Tricked Into Leaking Data From Private Channels\n \n\n \n

North Korean hackers exploited a critical Windows vulnerability to deploy advanced malware, security researchers revealed. The zero-day flaw, patched by Microsoft last week, allowed attackers to gain system-level access and install a sophisticated rootkit called FudModule. Gen, the firm that discovered the attacks, identified the threat actors as Lazarus, a hacking group linked to North Korea. The exploit targeted individuals in cryptocurrency and aerospace industries, likely aiming to steal digital assets and infiltrate corporate networks. FudModule, first analyzed in 2022, stands out for its ability to operate deep within Windows, evading detection by security defenses. Earlier versions used vulnerable drivers for installation, while a newer variant exploited a bug in Windows` AppLocker service.\n \n\n \n

Microsoft has finally patched a workaround exploited by users seeking an upgrade path for Windows 11 that dodged the company`s hardware requirements. From a report: The tweak arrived without fanfare in the Windows Insider build 27686. There were a few neat tweaks in the build, including updates to the Windows Sandbox Client preview and a much-needed bump from 32 GB to 2 TB for FAT32 when running the command line format function. However, the documentation did not mention an apparent end to one workaround that bypasses Microsoft`s requirements check for Windows 11. According to X user @TheBobPony, the `setup.exe /product server` workaround is not supported in the latest build. The Register contacted Microsoft to understand its intentions with the change. The switch still works in the Windows 24H2 update, but the hardware check appears to no longer be bypassed in the latest Canary channel build (27686). The company has yet to respond.\n \n\n \n

`0.0.0.0-Day` vulnerability affecting Chrome, Safari and Firefox can be and has been exploited by attackers to gain access to services on internal networks, Oligo Security researchers have revealed. The vulnerability stems from how those popular browsers handle network requests from external, public websites, and may allow attackers to change settings, gain access to protected information, uploading malicious models, or even achieve remote code execution. Attacks abusing it can succeed on vulnerable browsers More → The post `0.0.0.0-Day` vulnerability affects Chrome, Safari and Firefox appeared first on Help Net Security .

Microsoft says it will temporarily cease its contentious Windows 11 upgrade campaign following user backlash. The tech giant had been bombarding Windows 10 users with full-screen popups urging them to switch operating systems. Starting with April`s security update, these intrusive notifications will be discontinued. Microsoft says it will unveil a revised upgrade strategy in the coming months, as Windows 10 support nears its October 2025 end date.\n \n\n \n

Microsoft is making BitLocker device encryption a default feature in its next major update to Windows 11. From a report: If you clean install the 24H2 version that`s rolling out in the coming months, device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work / school account. Device encryption is designed to improve the security of Windows machines by automatically enabling BitLocker encryption on the Windows install drive and backing up the recovery key to a Microsoft account or Entra ID. In Windows 11 version 24H2, Microsoft is reducing the hardware requirements for automatic device encryption, opening it up to many more devices -- including ones running the Home version of Windows 11. Device encryption no longer requires Hardware Security Test Interface (HSTI) or Modern Standby, and encryption will also be enabled even if untrusted direct memory access (DMA) buses / interfaces are detected.\n \n\n \n

Security researchers from SafeBreach have found what they say is a Windows downgrade attack that`s invisible, persistent, irreversible and maybe even more dangerous than last year`s BlackLotus UEFI bootkit. From a report: After seeing the damage that UEFI bootkit could do by bypassing secure boot processes in Windows, SafeBreach`s Alon Leviev became curious whether there were any other fundamental Windows components that could be abused in a similar manner. He hit the jackpot in one of the most unlikely places: The Windows update process. `I found a way to take over Windows updates to update the system, but with control over all of the actual update contents,` Leviev told us in an interview ahead of his Black Hat USA conference presentation today detailing his findings. Using his technique, having compromised a machine so that he could get in as a normal user, Leviev was able to control which files get updated, which registry keys are changed, which installers get used, and the like. And he was able to do all of it while side-stepping every single integrity verification implemented in the Windows update process. After that, `I was able to downgrade the OS kernel, DLLs, drivers ... basically everything that I wanted.` To make matters worse, Leviev said that poking and prodding around the vulnerabilities he found enabled him to attack the entire Windows virtualization stack, including virtualization-based security (VBS) features that are supposed to isolate the kernel and make attacker access less valuable.\n \n\n \n

snydeq writes: CSO Online`s Evan Schuman reports on a design flaw in Microsoft Authenticator that causes it to often overwrite authentication accounts when a user adds a new one via QR scan. `But because of the way the resulting lockout happens, the user is not likely to realize the issue resides with Microsoft Authenticator. Instead, the company issuing the authentication is considered the culprit, resulting in wasted corporate helpdesk hours trying to fix an issue not of that company`s making.` Schuman writes: `The core of the problem? Microsoft Authenticator will overwrite an account with the same username. Given the prominent use of email addresses for usernames, most users` apps share the same username. Google Authenticator and just about every other authenticator app add the name of the issuer -- such as a bank or a car company -- to avoid this issue. Microsoft only uses the username.` The flaw appears to have been in place since Authenticator was released in 2016. Users have complained about this issue in the past to no avail. In its two correspondences with Schuman, Microsoft first laid blame on users, then on issuers. Several IT experts confirmed the flaw, with one saying, `It`s possible that this problem occurs more often than anyone realizes because [users] don`t realize what the cause is. If you haven`t picked an authentication app, why would you pick Microsoft?`\n \n\n \n

\nA DDoS attack that started on Tuesday has made a number of Microsoft Azure and Microsoft 365 services temporarily inaccessible, the company has confirmed. Microsoft’s mitigation statement on the Azure status history page Microsoft Azure, 365 outage triggered by DDoS “Between approximately at 11:45 UTC and 19:43 UTC on 30 July 2024, a subset of customers may have experienced issues connecting to a subset of Microsoft services globally. Impacted services included Azure App Services, Application … More → \n \nThe post Microsoft: DDoS defense error amplified attack on Azure, leading to outage appeared first on Help Net Security .\n

Microsoft has intensified its push for OneDrive adoption in Windows 11, introducing a full-screen pop-up that prompts users to back up their files to the cloud service, according to a report from Windows Latest. The new promotional message, which appears after a recent Windows update, mirrors the out-of-box experience typically seen during initial system setup and highlights OneDrive`s features, including file protection, collaboration capabilities, and automatic syncing.\n \n\n \n

Internet service providers are pushing back against the Biden administration`s requirement for low-cost options even as they are attempting to secure funds from a $42.45 billion government broadband initiative. The Broadband Equity, Access, and Deployment program, established by law to expand internet access, mandates that recipients offer affordable plans to eligible low-income subscribers, a stipulation the providers argue infringes on legal prohibitions against rate regulation. ISPs claim that the proposed $30 monthly rate for low-cost plans is economically unfeasible, especially in hard-to-reach rural areas, potentially undermining the program`s goals by discouraging provider participation.\n \n\n \n

\nLast night, endpoint security company Crowdstrike released an update that is causing widespread `blue screens of death` (BSOD) on Windows systems. Crowdstrike released an advisory, which is only available after logging into the Crowdstrike support platform. A brief public statement can be found here .\n

An anonymous reader shares a report: Microsoft has made OneDrive slightly more annoying for Windows 11 users. Quietly and without any announcement, the company changed Windows 11`s initial setup so that it could turn on the automatic folder backup without asking for it. Now, those setting up a new Windows computer the way Microsoft wants them to (in other words, connected to the internet and signed into a Microsoft account) will get to their desktops with OneDrive already syncing stuff from folders like Desktop Pictures, Documents, Music, and Videos. Depending on how much is stored there, you might end up with a desktop and other folders filled to the brim with shortcuts to various stuff right after finishing a clean Windows installation. Automatic folder backup in OneDrive is a very useful feature when used properly and when the user deliberately enables it. However, Microsoft decided that sending a few notification prompts to enable folder backup was not enough, so it just turned the feature on without asking anybody or even letting users know about it, resulting in a flood of Reddit posts about users complaining about what the hell are those green checkmarks next to files and shortcuts on their desktops.

A former Microsoft employee claims the tech giant dismissed his repeated warnings about a security flaw that was later exploited in the SolarWinds hack, prioritizing business interests over customer safety. Andrew Harris, who worked on Microsoft`s cloud security team, says he discovered the weakness in 2016 but was told fixing it could jeopardize a multibillion-dollar government contract and the company`s competitive edge, ProPublica reported Thursday. The flaw, in a Microsoft product called Active Directory Federation Services, allowed hackers to bypass security measures and access sensitive cloud data. Russian hackers exploited the vulnerability in the 2020 SolarWinds attack, breaching several U.S. agencies. Microsoft continues to deny wrongdoing, insisting customer protection is its top priority. The revelations come at a time when Microsoft is facing increasing scrutiny over its security practices and seeks to expand its government business.\n \n\n \n

\nSecurityWeek editor-at-large Ryan Naraine examines the broad tension between tech innovation and privacy rights at a time when ChatGPT-like bots and generative-AI apps are starting to dominate the landscape.\n \nThe post Microsoft’s Windows Recall: Cutting-Edge Search Tech or Creepy Overreach? appeared first on SecurityWeek .\n

Microsoft says the Cortana, Tips, and WordPad applications will be automatically removed on systems upgraded to the upcoming Windows 11 24H2 release. From a report: This was shared in a Thursday blog announcing that Windows 11, version 24H2 (Build 26100.712) is now available for Insiders in the Release Preview Channel. The company removed the Cortana standalone app from Windows 11 in preview build 25967 for Insiders, released in the Canary Channel in early October. It first announced that it would end support for Cortana in a support document published in June and deprecated it in another Canary build in August. In September, Microsoft announced that it would deprecate WordPad -- automatically installed on Windows systems for 28 years, since 1995, and an optional Windows feature since the Windows 10 Insider Build 19551 release in February 2020 -- with a future Windows update. In November, the company also informed users that the Tips app was deprecated and would be removed in a future Windows release.\n \n\n \n

`Microsoft has confirmed plans to pull the plug on VBScript in the second half of 2024 in a move that signals the end of an era for programmers,` writes Tech Radar. Though the language was first introduced in 1996, Microsoft`s latest announcement says the move was made `considering the decline in VBScript usage`: Beginning with the new OS release slated for later this year [Windows 11, version 24H2], VBScript will be available as features on demand. The feature will be completely retired from future Windows OS releases, as we transition to the more efficient PowerShell experiences. Around 2027 it will become `disabled by default,` with the date of its final removal `to be determined.` But the announcement confirms VBScript will eventually be `retired and eliminated from future versions of Windows.` This means all the dynamic link libraries (.dll files) of VBScript will be removed. As a result, projects that rely on VBScript will stop functioning. By then, we expect that you`ll have switched to suggested alternatives. The post recommends migirating applications to PowerShell or JavaScript. This year`s annual `feature update` for Windows will also include Sudo for Windows, Rust in the Windows kernel, `and a number of user interface tweaks, such as the ability to create 7-zip and TAR archives in File Explorer,` reports the Register. `It will also include the next evolution of Copilot into an app pinned to the taskbar.` But the downgrading of VBScript `is part of a broader strategy to remove Windows and Office features threat actors use as attack vectors to infect users with malware,` reports BleepingComputer: Attackers have also used VBScript in malware campaigns, delivering strains like Lokibot, Emotet, Qbot, and, more recently, DarkGate malware.\n \n\n \n

Microsoft is adding screenshot prevention controls in Edge to block you from taking screenshots at work. `It`s all designed to prevent you from sharing screenshots with competitors, relatives, and journalists using Microsoft Edge for Business,` reports PCWorld. From the report: Specifically, IT managers at corporations will be able to tag web pages as protected, as defined in various Microsoft policy engines in Microsoft 365, Microsoft Defender for Cloud Apps, Microsoft Intune Mobile Application Management and Microsoft Purview, Microsoft said. The screenshot prevention feature will be available to customers in the `coming months,` Microsoft said. It`s also unclear whether third-party tools will be somehow blocked from taking screenshots or recording video, too. Microsoft will also roll out a way to force Edge for Business users to automatically update their browsers. The feature will enter a preview phase over the next few weeks, Microsoft said. `The Edge management service will enable IT admins to see which devices have Edge instances that are out of date and at risk,` Microsoft said. `It will also provide mitigating controls, such as forcing a browser restart to install updates, enabling automatic browser updates or enabling enhanced security mode for added protections.`\n \n\n \n

Microsoft`s Windows Recall feature is attracting controversy before even venturing out of preview. From a report: The principle is simple. Windows takes a snapshot of a user`s active screen every few seconds and dumps it to disk. The user can then scroll through the snapshots and, when something is selected, the user is given options to interact with the content. Mozilla`s Chief Product Officer, Steve Teixeira, told The Register: `Mozilla is concerned about Windows Recall. From a browser perspective, some data should be saved, and some shouldn`t. Recall stores not just browser history, but also data that users type into the browser with only very coarse control over what gets stored. While the data is stored in encrypted format, this stored data represents a new vector of attack for cybercriminals and a new privacy worry for shared computers. `Microsoft is also once again playing gatekeeper and picking which browsers get to win and lose on Windows -- favoring, of course, Microsoft Edge. Microsoft`s Edge allows users to block specific websites and private browsing activity from being seen by Recall. Other Chromium-based browsers can filter out private browsing activity but lose the ability to block sensitive websites (such as financial sites) from Recall. `Right now, there`s no documentation on how a non-Chromium based, third-party browser, such as Firefox, can protect user privacy from Recall. Microsoft did not engage our cooperation on Recall, but we would have loved for that to be the case, which would have enabled us to partner on giving users true agency over their privacy, regardless of the browser they choose.`\n \n\n \n

\nMicrosoft has announced the Copilot+ line of Windows 11-powered PCs that, among other things, will have Recall, a feature that takes screenshots every few seconds, encrypts them, saves them, and leverages AI to allow users to search through them for specific content that has been viewed in apps, websites, documents, etc. What could possibly go wrong? About Windows Recall “Once you find the snapshot that you were looking for in Recall, it will be analysed … More → \n \nThe post Windows’ new Recall feature: A privacy and security nightmare? appeared first on Help Net Security .\n

Microsoft`s ambitious goal to be carbon negative by 2030 is threatened by its expanding AI operations, which have increased its carbon footprint by 30% since 2020. To meet its targets, Microsoft must quickly adopt green technologies and improve efficiency in its data centers, which are critical for AI but heavily reliant on carbon-intensive resources. Bloomberg reports: Now to meet its goals, the software giant will have to make serious progress very quickly in gaining access to green steel and concrete and less carbon-intensive chips, said Brad Smith, president of Microsoft, in an exclusive interview with Bloomberg Green. `In 2020, we unveiled what we called our carbon moonshot. That was before the explosion in artificial intelligence,` he said. `So in many ways the moon is five times as far away as it was in 2020, if you just think of our own forecast for the expansion of AI and its electrical needs.` [...] Despite AI`s ravenous energy consumption, this actually contributes little to Microsoft`s hike in emissions -- at least on paper. That`s because the company says in its sustainability report that it`s 100% powered by renewables. Companies use a range of mechanisms to make such claims, which vary widely in terms of credibility. Some firms enter into long-term power purchase agreements (PPAs) with renewable developers, where they shoulder some of a new energy plant`s risk and help get new solar and wind farms online. In other cases, companies buy renewable energy credits (RECs) to claim they`re using green power, but these inexpensive credits do little to spur new demand for green energy, researchers have consistently found. Microsoft uses a mix of both approaches. On one hand, it`s one of the biggest corporate participants in power purchase agreements, according to BloombergNEF, which tracks these deals. But it`s also a huge purchaser of RECs, using these instruments to claim about half of its energy use is clean, according to its environmental filings in 2022. By using a large quantity of RECs, Microsoft is essentially masking an even larger growth in emissions. `It is Microsoft`s plan to phase out the use of unbundled RECs in future years,` a spokesperson for the company said. `We are focused on PPAs as a primary strategy.` So what else can be done? Smith, along with Microsoft`s Chief Sustainability Officer Melanie Nakagawa, has laid out clear steps in the sustainability report. High among them is to increase efficiency, which is to use the same amount of energy or computing to do more work. That could help reduce the need for data centers, which will reduce emissions and electricity use. On most things, `our climate goals require that we spend money,` said Smith. `But efficiency gains will actually enable us to save money.` Microsoft has also been at the forefront of buying sustainable aviation fuels that has helped reduce some of its emissions from business travel. The company also wants to partner with those who will `accelerate breakthroughs` to make greener steel, concrete and fuels. Those technologies are starting to work at a small scale, but remain far from being available in commercial quantities even if expensive. Cheap renewable power has helped make Microsoft`s climate journey easier. But the tech giant`s electricity consumption last year rivaled that of a small European country -- beating Slovenia easily. Smith said that one of the biggest bottlenecks for it to keep getting access to green power is the lack of transmission lines from where the power is generated to the data centers. That`s why Microsoft says it`s going to increase lobbying efforts to get governments to speed up building the grid. If Microsoft`s emissions remain high going into 2030, Smith said the company may consider bulk purchases of carbon removal credits, even though it`s not `the desired course.` `You`ve got to be willing to invest and pay for it,` said Smith. Climate change is `a problem that humanity created and that humanity can solve.`\n \n\n \n

\nFor May 2024 Patch Tuesday, Microsoft has released fixes for 59 CVE-numbered vulnerabilities, including two zero-days (CVE-2024-30051, CVE-2024-30040) actively exploited by attackers. CVE-2024-30051 and CVE-2024-30040 CVE-2024-30051 is a heap-based buffer overflow vulnerability affecting the Windows DWM Core Library that can be exploited to elevate attackers’ privileges on a target system. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft says. Researchers from Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group and Google … More → \n \nThe post May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040) appeared first on Help Net Security .\n

Microsoft has confirmed that the April 2024 Windows security updates break VPN connections across client and server platforms. From a report: The company explains on the Windows health dashboard that `Windows devices might face VPN connection failures after installing the April 2024 security update or the April 2024 non-security preview update.` `We are investigating user reports, and we will provide more information in the coming days,` Redmond added. The list of affected Windows versions includes Windows 11, Windows 10, and Windows Server 2008 and later.\n \n\n \n

Windows 11`s market share dropped in April 2024, falling below 26% after reaching an all-time high of 28.16% in February. According to Statcounter, Windows 11 lost 0.97 points, while Windows 10 gained 0.96 points, crossing the 70% mark for the first time since September 2023. Neowin adds: Some argue that Windows 11 still offers little to no benefits for upgrading, especially in light of Microsoft killing some of the system`s unique features, such as Windows Subsystem for Android. Add to that the ever-increasing number of ads, some of which are quite shameless, and you get an operating system that has a hard time winning hearts and minds, and retaining its customers.\n \n\n \n

An anonymous reader shares a report: With Windows 11 24H2 all geared up to have AI-intensive applications, Microsoft has added a code that will warn you if your PC does not meet the hardware requirements, according to code dug up by Twitter/X sleuth Albacore. The warning will be displayed as a watermark so you know that you cannot use certain AI-powered built-in apps because of an unsupported CPU.\n \n\n \n

An anonymous reader shares a report: It used to be that you could pay for a retail version of Windows 11 and expect it to be ad-free, but those days are apparently finito. The latest update to Windows 11 (KB5036980) comes out this week and includes ads for apps in the `recommended` section of the Start Menu, one of the most oft-used parts of the OS. `The Recommended section of the Start menu will show some Microsoft Store apps,` according to the release notes. `These apps come from a small set of curated developers.` The app suggestions are enabled by default, but you can restore your previously pristine Windows experience if you`ve installed the update, fortunately. To do so, go into Settings and select Personalization and gt; Start and switch the `Show recommendations for tips, app promotions and more` toggle to `off.`\n \n\n \n

This week the Register spoke to former senior White House cyber policy director A.J. Grotto - who complained it was hard to get even slight concessions from Microsoft: `If you go back to the SolarWinds episode from a few years ago ... [Microsoft] was essentially up-selling logging capability to federal agencies` instead of making it the default, Grotto said. `As a result, it was really hard for agencies to identify their exposure to the SolarWinds breach.` Grotto told us Microsoft had to be `dragged kicking and screaming` to provide logging capabilities to the government by default. [In the interview he calls it `an epic fight` which lasted 18 months.`] [G]iven the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best. That illustrates, Grotto said, that `they [Microsoft] just have a ton of leverage, and they`re not afraid to use it.` Add to that concerns over an Exchange Online intrusion by Chinese snoops, and another Microsoft security breach by Russian cyber operatives, both of which allowed spies to gain access to US government emails, and Grotto says it`s fair to classify Microsoft and its products as a national security concern. He estimates that Microsoft makes 85% of U.S. government productivity software - and has an even greater share of their operating systems. `Microsoft in many ways has the government locked in, he says in the interview, `and so it`s able to transfer a lot of these costs associated with the security breaches over to the federal government.` And about five minutes in, he says, point-blank, that `It`s perfectly fair` to consider Microsoft a national security threat, given its dominance `not just within the federal government, but really in sort of the boarder IT marketplace. I think it`s fair to say, yeah, that a systemic compromise that affects Microsoft and its products do rise to the level of a national security risk.` He`d like to see the government encourage more competition - to the point where public scrutiny prompts software customers to change their behavior, and creates a true market incentive for better performance...\n \n\n \n

Microsoft is getting ready to annoy its faithful Windows 10 user base with yet another prompt. From a report: This time, Microsoft wants Windows 10 users to switch from using a local account to their online Microsoft account. As first noticed by the outlet Windows Latest, the most recent Windows 10 update Release Preview includes some information about new notifications added to the operating system intended to make users switch from their local account to their Microsoft account. `New! This update starts the [roll out] of account-related notifications for Microsoft accounts in Settings and gt; Home,` reads the update, originally from the official Windows blog, which then lays out its case for using a Microsoft account.\n \n\n \n

Microsoft has started showing full screen warnings about the upcoming end of support date on Windows 10 PCs. From a report: Users on Reddit have reported seeing the prompt, which began appearing after this week`s Patch Tuesday updates were installed, and encourages the user to learn more about how they can transition to Windows 11. Windows 10`s end of support date is currently set for October 14, 2025. After that date, Windows 10 users will no longer receive critical security and bug fix updates, leaving any Windows 10 PC connected to the internet vulnerable to any newly discovered security exploits. The full screen prompt that is now appearing on some Windows 10 PCs thanks the user for their loyalty using Windows 10, and warns that this end of life (EOL) date is approaching. It also wastes no time advertising Windows 11, encouraging the user to learn more about how they can transition to a new Windows 11 PC. Notably, there`s no button to tell the prompt to never show again.\n \n\n \n

\nAnnounced last year, Googles proposal to reduce the lifespan of TLS (transport layer security) certificates from 13 months to 90 days could be implemented in the near future. It will certainly improve security and shrink the window of opportunity for bad actors to exploit compromised or stolen certificates and private keys. Unfortunately, it will also dramatically increase the time and energy required to manage TLS certificates. For organizations with only a handful of certificates, this … More → \n \nThe post How Googles 90-day TLS certificate validity proposal will affect enterprises appeared first on Help Net Security .\n

quonset shares a report: In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report Tuesday saying `a cascade of errors` by the tech giant let state-backed Chinese cyber operators break into email accounts of senior U.S. officials including Commerce Secretary Gina Raimondo. The Cyber Safety Review Board, created in 2021 by executive order, describes shoddy cybersecurity practices, a lax corporate culture and a lack of sincerity about the company`s knowledge of the targeted breach, which affected multiple U.S. agencies that deal with China. It concluded that `Microsoft`s security culture was inadequate and requires an overhaul` given the company`s ubiquity and critical role in the global technology ecosystem. Microsoft products `underpin essential services that support national security, the foundations of our economy, and public health and safety.` The panel said the intrusion, discovered in June by the State Department and dating to May `was preventable and should never have occurred,` blaming its success on `a cascade of avoidable errors.` What`s more, the board said, Microsoft still doesn`t know how the hackers got in. [...] It said Microsoft`s CEO and board should institute `rapid cultural change` including publicly sharing `a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.`\n \n\n \n

Google plans to destroy a trove of data that reflects millions of users` web-browsing histories, part of a settlement of a lawsuit that alleged the company tracked millions of users without their knowledge. WSJ: The class action, filed in 2020, accused Google of misleading users about how Chrome tracked the activity of anyone who used the private `Incognito` browsing option. The lawsuit alleged that Google`s marketing and privacy disclosures didn`t properly inform users of the kinds of data being collected, including details about which websites they viewed. The settlement details, filed Monday in San Francisco federal court, set out the actions the company will take to change its practices around private browsing. According to the court filing, Google has agreed to destroy billions of data points that the lawsuit alleges it improperly collected, to update disclosures about what it collects in private browsing and give users the option to disable third-party cookies in that setting. The agreement doesn`t include damages for individual users. But the settlement will allow individuals to file claims. Already the plaintiff attorneys have filed 50 in California state court. Attorney David Boies, who represents the consumers in the lawsuit, said the settlement requires Google to delete and remediate `in unprecedented scope and scale` the data it improperly collected. `This settlement is an historic step in requiring honesty and accountability from dominant technology companies,` Boies said.\n \n\n \n

The U.S. House has set a strict ban on congressional staffers` use of Microsoft Copilot, the company`s AI-based chatbot, Axios reported Friday. From the report: The House last June restricted staffers` use of ChatGPT, allowing limited use of the paid subscription version while banning the free version. The House`s Chief Administrative Officer Catherine Szpindor, in guidance to congressional offices obtained by Axios, said Microsoft Copilot is `unauthorized for House use.` `The Microsoft Copilot application has been deemed by the Office of Cybersecurity to be a risk to users due to the threat of leaking House data to non-House approved cloud services,` it said. The guidance added that Copilot `will be removed from and blocked on all House Windows devices.`\n \n\n \n

SofiaWW writes: Microsoft has announced that the next subscription-free version of its Office suite will launch later this year. A commercial preview of Office LTSC 2024 will be available from next month, with a full launch scheduled for later in the year. The Office Long-Term Servicing Channel is supported for five years, and it holds great appeal for the many businesses that are not keen on the idea of software subscriptions. There will also be a consumer-focused version of the suite, Office 2024, available via a traditional `one-time purchase` model. Further reading: Microsoft Really Doesn`t Want You To Buy Office 2019 (From 2019).\n \n\n \n

\nMidnight Blizzard (aka APT29), a group of Russian hackers tied to the country’s Foreign Intelligence Service (SVR), has leveraged information stolen from Microsoft corporate email systems to burrow into the company’s source code repositories and internal systems. “It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, … More → \n \nThe post Microsoft: Russian hackers accessed internal systems, code repositories appeared first on Help Net Security .\n

Microsoft revealed earlier this year that Russian state-sponsored hackers had been spying on the email accounts of some members of its senior leadership team. Now, Microsoft is disclosing that the attack, from the same group behind the SolarWinds attack, has also led to some source code being stolen in what Microsoft describes as an ongoing attack. From a report: `In recent weeks, we have seen evidence that Midnight Blizzard [Nobelium] is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,` explains Microsoft in a blog post. `This has included access to some of the company`s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.` It`s not clear what source code was accessed, but Microsoft warns that the Nobelium group, or `Midnight Blizzard,` as Microsoft refers to them, is now attempting to use `secrets of different types it has found` to try to further breach the software giant and potentially its customers. `Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,` says Microsoft.\n \n\n \n

An anonymous reader shares a report: On a late night in December, Shane Jones, an AI engineer at Microsoft, felt sickened by the images popping up on his computer. Jones was noodling with Copilot Designer, the AI image generator that Microsoft debuted in March 2023, powered by OpenAI`s technology. Like with OpenAI`s DALL-E, users enter text prompts to create pictures. Creativity is encouraged to run wild. Since the month prior, Jones had been actively testing the product for vulnerabilities, a practice known as red-teaming. In that time, he saw the tool generate images that ran far afoul of Microsoft`s oft-cited responsible AI principles. The AI service has depicted demons and monsters alongside terminology related to abortion rights, teenagers with assault rifles, sexualized images of women in violent tableaus, and underage drinking and drug use. All of those scenes, generated in the past three months, have been recreated by CNBC this week using the Copilot tool, which was originally called Bing Image Creator. `It was an eye-opening moment,` Jones, who continues to test the image generator, told CNBC in an interview. `It`s when I first realized, wow this is really not a safe model.` Jones has worked at Microsoft for six years and is currently a principal software engineering manager at corporate headquarters in Redmond, Washington. He said he doesn`t work on Copilot in a professional capacity. Rather, as a red teamer, Jones is among an army of employees and outsiders who, in their free time, choose to test the company`s AI technology and see where problems may be surfacing. Jones was so alarmed by his experience that he started internally reporting his findings in December. While the company acknowledged his concerns, it was unwilling to take the product off the market. Jones said Microsoft referred him to OpenAI and, when he didn`t hear back from the company, he posted an open letter on LinkedIn asking the startup`s board to take down DALL-E 3 (the latest version of the AI model) for an investigation.\n \n\n \n

Microsoft is ending support for its Android subsystem in Windows 11 next year. From a report: The software giant first announced it was bringing Android apps to Windows 11 with Amazon`s Appstore nearly three years ago, but this Windows Subsystem for Android will now be deprecated starting March 5th, 2025. `Microsoft is ending support for the Windows Subsystem for Android (WSA),` reads a new support document from Microsoft. `As a result, the Amazon Appstore on Windows and all applications and games dependent on WSA will no longer be supported beginning March 5, 2025.` If you currently use Android apps from the Amazon Appstore, then you`ll continue to have access to these past the support cutoff date, but you won`t be able to download any new ones once Microsoft makes its Android subsystem end of life next year. On March 6th (tomorrow), Windows 11 users will no longer be able to search for Amazon Appstore or associated Android apps from the Microsoft Store.\n \n\n \n

Hackers backed by the North Korean government gained a major win when Microsoft left a Windows zero-day unpatched for six months after learning it was under active exploitation. From a report: Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don`t represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability. `When it comes to Windows security, there is a thin line between admin and kernel,` Jan Vojtesek, a researcher with security firm Avast, explained last week. `Microsoft`s security servicing criteria have long asserted that `[a]dministrator-to-kernel is not a security boundary,` meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel.` The Microsoft policy proved to be a boon to Lazarus in installing `FudModule,` a custom rootkit that Avast said was exceptionally stealthy and advanced. Rootkits are pieces of malware that have the ability to hide their files, processes, and other inner workings from the operating system itself and at the same time control the deepest levels of the operating system. To work, they must first gain administrative privileges -- a major accomplishment for any malware infecting a modern OS. Then, they must clear yet another hurdle: directly interacting with the kernel, the innermost recess of an OS reserved for the most sensitive functions.\n \n\n \n

Microsoft is `delighted to introduce some useful new features` for its `Copilot Preview for Windows 11,` according to a recent blog post. TechRepublic adds that `most features will be enabled by default... rolling out from today until April 2024.` Windows 11 users will be able to change system settings through prompts typed directly into Copilot in Windows, currently accessible in the Copilot Preview via an icon on the taskbar, or by pressing Windows + C. Microsoft Copilot will be able to perform the following actions: - Turn on/off battery saver. - Show device information. - Show system information. - Show battery information. - Open storage page. - Launch Live Captions. - Launch Narrator. - Launch Screen Magnifier. - Open Voice Access page. - Open Text size page. - Open contrast themes page. - Launch Voice input. - Show available Wi-Fi network. - Display IP Address. - Show Available Storage. The new third-party app integrations for Copilot will give Windows 11 users new ways to interact with various applications. For example, making business lunch reservations through OpenTable... Other new AI features for Windows 11 rolling out today include a new, AI-powered Generative Erase tool, which sounds reminiscent of Google`s Magic Eraser tool for Google Photos. Generative Erase allows users to remove unwanted objects or artifacts from their photos in the Photos app. Likewise, Microsoft`s video editing tool Clipchamp is receiving a Silence Removal tool, which functions much as the name implies and #194; - it allows users to remove gaps in conversation or audio from a video clip. Voice access is another focal point of Microsoft`s latest Windows 11 update, detailed in a separate blog post by Windows Commercial Product Marketing Manager Harjit Dhaliwal. Users can now use voice controls to navigate between multiple displays, aided by number and grid overlays that provide easy switching between screens. A Copilot icon has already started appearing in the taskbar of some Windows systems. If you Google `microsoft installs copilot preview windows,` Google adds these helpful suggestions. People also ask: Why is Copilot preview on my computer? How do I get rid of Copilot preview on Windows 10? `Apparently there was some sort of update...` writes one Windows users. `Anyway, there is a logo at the bottom of the screen that is distracting and I`d like to get rid of it.` Lifehacker has already published an article titled `How to Hide (or Disable) Copilot in Windows 11.` `Artificial intelligence is feeling harder and harder to avoid,` it begins, `but you still have options.`\n \n\n \n

An anonymous reader shares a report: Microsoft is already testing Windows 11 24H2, this fall`s big new Windows release. The company has already demonstrated a few new features, like 80Gbps USB4 support and Sudo for Windows, and the new version could also give a significant refresh to the Windows installer for the first time since the Windows Vista days. But there`s one big update you might not notice at all. Late last week, Microsoft released `servicing updates` with no new features to Windows Insiders in the Dev and Canary channels. The updates were `designed to test [Microsoft`s] servicing pipeline for Windows 11.` It`s pretty common for Insiders to get these kinds of updates-that-exist-only-to-test-the-update-process, but the twist here is that PCs with Virtualization Based Security (VBS) enabled could apply the update without rebooting. Sources speaking to Windows Central say this isn`t a fluke -- Microsoft reportedly intends to use a Windows Server feature called hotpatching to deliver more Windows 11 security updates without requiring a reboot, making it easier to stay up to date without disrupting whatever you`re doing. You`ll still need to reboot `every few months` -- Microsoft`s documentation says a reboot is needed roughly once every three months, though it can happen more often than that for unanticipated zero-day patches and others that can`t be fixed via hotpatching. The Arm versions of Windows 11 also won`t get the feature for another year or so, according to Windows Central.\n \n\n \n

Windows 11 users still clinging to the past are to be dragged into a bright, 23H2-shaped future by Microsoft, whether they want to or not. From a report: Microsoft has added a notification to its Release Health dashboard warning Windows 11 users that it is time for the beatings automatic upgrades to begin. `We are starting to update eligible Windows 11 devices automatically to version 23H2.` As for what eligible means, according to Microsoft, this is `Windows 11 devices that have reached or are approaching end of servicing.` Support for Windows 11 21H2 came to an end last year on October 10, 2023, and version 22H2 is due to end on October 8, 2024. Win 11 23H2 itself will endure until November 11, 2025, or just after the plug gets pulled on Windows 10. The update comes shortly after Microsoft quashed the last of its compatibility holds in Windows 11 23H2, which affected customers attempting to use the Co-pilot preview with multiple monitors. Icons tended to move unexpectedly between monitors.\n \n\n \n

Intel has landed Microsoft as a customer for its made-to-order chip business, marking a key win for an ambitious turnaround effort under Chief Executive Officer Pat Gelsinger. From a report: Microsoft plans to use Intel`s 18A manufacturing technology to make a forthcoming chip that the software maker designed in-house, the two companies said at an event Wednesday. They didn`t identify the product, but Microsoft recently announced plans for two homegrown chips: a computer processor and an artificial intelligence accelerator. Intel has been seeking to prove it can compete in the foundry market, where companies produce custom chips for clients. It`s a major shift for the semiconductor pioneer, which once had the world`s most advanced chipmaking facilities and kept them to itself. These days, Intel is racing to catch up with companies like Taiwan Semiconductor Manufacturing Co., which leads the foundry industry. Microsoft, meanwhile, is looking to secure a steady supply of semiconductors to power its data-center operations -- especially as demand for AI grows. Designing its own chips also lets Microsoft fine-tune the products to its specific needs. `We need a reliable supply of the most advanced, high-performance and high-quality semiconductors,` Microsoft CEO Satya Nadella said in a statement. and #226;oeThat`s why we are so excited to work with Intel.`\n \n\n \n

Microsoft is confirming plans to deprecate its Publisher application in 2026. From a report: This writer has fond memories of Microsoft Publisher, which started life in 1991 as a desktop publisher for Windows 3.0. While alternatives existed in the form of Ventura Publisher, Timeworks, and later QuarkXPress, Microsoft Publisher was a useful tool to write newsletters. Unlike Word, Publisher was focused on layout and page design. Though it lacked many of the features of its competitors, it was responsible for some genuinely horrendous designs, and was popular due to its cheap price. Despite not finding much favor with professionals, Microsoft Publisher continued to be updated over the years. Microsoft Publisher 97 was the first to turn up in the Microsoft Office suite, and the most recent edition, released in 2021, is available as part of Microsoft 365. However, all good things -- and Publisher -- must come to an end. Microsoft has warned that the end is nigh for its venerable designer. `In October 2026, Microsoft Publisher will reach its end of life,` the company said. `After that time, it will no longer be included in Microsoft 365, and existing on-premises suites will no longer be supported. Until then, support for Publisher will continue, and users can expect the same experience as today.`\n \n\n \n

An anonymous reader shares a report: Most people know that Microsoft really wants everyone to move onto Windows 11. But just in case there are some Windows 10 users still unaware of this fact, the company is once again nagging them to upgrade with full-screen, multi-slide popups. The lengthy advertisement for Windows 11 was highlighted by Windows Latest after it installed the optional January update (in preview) on a Windows 10 machine. The nagging Windows 11 upgrade promo consists of an excruciating number of screens (i.e., more than one): The first informs users that they can switch to Windows 11 for free and that they can still use their PC while the newer OS is set up in the background; another is Microsoft recommending the move and noting that users can revert to Windows 10 within the first ten days of upgrading; the last is for those who decide to stay on Windows 10, with a reminder that Windows 11 remains a free upgrade option. There is another panel that lists some of Windows 11 features, but this only appears for those who select the `See what`s inside` button.\n \n\n \n

An anonymous reader shared this report from BleepingComputer Microsoft released the first Windows Server 2025 Insider preview build last week. However, soon after, a newer version was leaked online. As first reported by Windows Latest, the leaked version contains some new in-development features, including new settings for a Windows `sudo` command. These settings are only available after enabling developer mode, and the sudo command does not currently work from the command line yet, showing it is early in development. However, the sudo settings provide some clues as to how the command will work, with the ability to run sudo applications `In a new windows`, `With input disabled`, and `Inline`.... It is important to note that Microsoft commonly tests new features in preview builds that do not make it into the production builds. Obligatory XKCD.\n \n\n \n

Mozilla claims in a new 74-page research report that Microsoft `repeatedly uses harmful design` and `dark patterns` to push users toward Microsoft Edge and away from rival browsers like Mozilla`s Firefox or Google`s Chrome browser. PCMag: `Microsoft uses the harmful preselection, visual interference, trick wording, and disguised ads patterns to skew user choice,` the report argues, adding that `Microsoft`s harmful design practices mean users are unable to download, install, use, or set as default an alternative browser without interference.` The researchers claim this harms consumers because they can experience `distortion of choice,` lose trust in the broader tech industry, and even possibly experience `emotional distress` as a result of Microsoft`s efforts. For the study, user experiences were tested on Windows 10 Home and Windows 11 Pro as well as the Windows 11 Home Insider Preview Version. The UK-based testers did not attempt to use a VPN to change or hide their IP addresses during their investigation. While Microsoft recently said it will allow users in the European Union to uninstall Edge as part of its efforts to comply with the Digital Markets Act (DMA), it`s unclear whether US, UK, or other users around the globe could ever get the same option. Some Windows 11 users can remove five other apps that come preinstalled, however.\n \n\n \n

\nA zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported (and some legacy) versions of Windows could spell trouble for enterprise defenders. Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit. The vulnerability and the PoC Florian found the bug while working on … More → \n \nThe post A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs appeared first on Help Net Security .\n

Todd Bishop reports via GeekWire: A Microsoft AI engineering leader says he discovered vulnerabilities in OpenAI`s DALL-E 3 image generator in early December allowing users to bypass safety guardrails to create violent and explicit images, and that the company impeded his previous attempt to bring public attention to the issue. The emergence of explicit deepfake images of Taylor Swift last week `is an example of the type of abuse I was concerned about and the reason why I urged OpenAI to remove DALL-E 3 from public use and reported my concerns to Microsoft,` writes Shane Jones, a Microsoft principal software engineering lead, in a letter Tuesday to Washington state`s attorney general and Congressional representatives. 404 Media reported last week that the fake explicit images of Swift originated in a `specific Telegram group dedicated to abusive images of women,` noting that at least one of the AI tools commonly used by the group is Microsoft Designer, which is based in part on technology from OpenAI`s DALL-E 3. `The vulnerabilities in DALL-E 3, and products like Microsoft Designer that use DALL-E 3, makes it easier for people to abuse AI in generating harmful images,` Jones writes in the letter to U.S. Sens. Patty Murray and Maria Cantwell, Rep. Adam Smith, and Attorney General Bob Ferguson, which was obtained by GeekWire. He adds, `Microsoft was aware of these vulnerabilities and the potential for abuse.` Jones writes that he discovered the vulnerability independently in early December. He reported the vulnerability to Microsoft, according to the letter, and was instructed to report the issue to OpenAI, the Redmond company`s close partner, whose technology powers products including Microsoft Designer. He writes that he did report it to OpenAI. `As I continued to research the risks associated with this specific vulnerability, I became aware of the capacity DALL-E 3 has to generate violent and disturbing harmful images,` he writes. `Based on my understanding of how the model was trained, and the security vulnerabilities I discovered, I reached the conclusion that DALL-E 3 posed a public safety risk and should be removed from public use until OpenAI could address the risks associated with this model.` On Dec. 14, he writes, he posted publicly on LinkedIn urging OpenAI`s non-profit board to withdraw DALL-E 3 from the market. He informed his Microsoft leadership team of the post, according to the letter, and was quickly contacted by his manager, saying that Microsoft`s legal department was demanding that he delete the post immediately, and would follow up with an explanation or justification. He agreed to delete the post on that basis but never heard from Microsoft legal, he writes. `Over the following month, I repeatedly requested an explanation for why I was told to delete my letter,` he writes. `I also offered to share information that could assist with fixing the specific vulnerability I had discovered and provide ideas for making AI image generation technology safer. Microsoft`s legal department has still not responded or communicated directly with me.` `Artificial intelligence is advancing at an unprecedented pace. I understand it will take time for legislation to be enacted to ensure AI public safety,` he adds. `At the same time, we need to hold companies accountable for the safety of their products and their responsibility to disclose known risks to the public. Concerned employees, like myself, should not be intimidated into staying silent.` The full text of Jones` letter can be read here (PDF).\n \n\n \n

An anonymous reader shares a report: Microsoft has introduced more protections to Designer, an AI text-to-image generation tool that people were using to make nonconsensual sexual images of celebrities. Microsoft made the changes after 404 Media reported that the AI-generated nude images of Taylor Swift that went viral last week came from 4chan and a Telegram channel where people were using Designer to make AI-generated images of celebrities. `We are investigating these reports and are taking appropriate action to address them,` a Microsoft spokesperson told us in an email on Friday. `Our Code of Conduct prohibits the use of our tools for the creation of adult or non-consensual intimate content, and any repeated attempts to produce content that goes against our policies may result in loss of access to the service. We have large teams working on the development of guardrails and other safety systems in line with our responsible AI principles, including content filtering, operational monitoring and abuse detection to mitigate misuse of the system and help create a safer environment for users.`\n \n\n \n

\nSeveral proof-of-concept (PoC) exploits for a recently patched critical vulnerability (CVE-2024-23897) in Jenkins have been made public and there’s evidence of exploitation in the wild. About CVE-2024-23897 Jenkins is a widely used Java-based open-source automation server that helps developers build, test and deploy applications, enabling continuous integration (CI) and continuous delivery (CD). CVE-2024-23897 is an arbitrary file read vulnerability in Jenkins’ built-in command line interface (CLI) that could allow an unauthenticated threat actor with Overall/Read … More → \n \nThe post Critical Jenkins RCE flaw exploited in the wild. Patch now! (CVE-2024-23897) appeared first on Help Net Security .\n

\nCozy Bear (aka Midnight Blizzard, aka APT29) has been busy hacking and spying on big tech companies: both Microsoft and Hewlett Packard Enterprise (HPE) have recently disclosed successful attack campaigns by the Russia-affiliated APT group. The Microsoft breach Last Friday, Microsoft revealed that a threat-actor identified as Midnight Blizzard – a hacking group believed to be associated with the Russian Foreign Intelligence Service (SVR) – has breached their corporate systems on January 12, 2024. The … More → \n \nThe post Russian hackers breached Microsoft, HPE corporate maliboxes appeared first on Help Net Security .\n

\nA vulnerability (CVE-2023-36025) that Microsoft fixed in November 2023 continues to be exploited by malware peddlers: this time around, the delivered threat is a variant of the Phemedrone Stealer. About the malware Phemedrone Stealer is a piece of malware written in C#, with no dependencies. It’s capable of: Collecting system information (hardware, OS, geolocation) and making screenshots Gathering all data contained in the targed device’s memory Grabbing user files from specific folders (e.g., Documents, Desktop) … More → \n \nThe post Windows SmartScreen bug exploited to deliver powerful info-stealer (CVE-2023-36025) appeared first on Help Net Security .\n

Microsoft has started testing a change to Windows 11 that will see its AI-powered Copilot feature automatically open when Windows starts on `widescreen devices.` From a report: The change is being tested as part of Microsoft`s latest Dev Channel preview of Windows 11, allowing Windows testers to provide feedback ahead of a broader rollout. `We are trying out opening Copilot automatically when Windows starts on widescreen devices with some Windows Insiders in the Dev Channel,` says Microsoft in a blog post. The company doesn`t make it clear what exactly a `widescreen` device is, but the Windows 11 setting itself says Copilot will automatically open `when you`re using a wider screen.` So I`m assuming this is limited to ultrawide monitors and less traditional desktop resolutions, but I`ve asked Microsoft to clarify and will update you accordingly.\n \n\n \n

\nFor January 2024 Patch Tuesday, Microsoft has released fixes for 49 CVE-numbered vulnerabilities, two of which are critical: CVE-2024-20674 and CVE-2024-20700. None of the vulnerabilities fixed this time aroundare under active exploitation or have been previously publicly disclosed. The critical fixes (CVE-2024-20674, CVE-2024-20700) CVE-2024-20674 is a security feature bypass vulnerability that may allow attackers to impersonate Windows’ Kerberos server. “An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local … More → \n \nThe post Microsoft fixes critical flaws in Windows Kerberos, Hyper-V (CVE-2024-20674, CVE-2024-20700) appeared first on Help Net Security .\n

Microsoft has begun ditching WordPad from Windows and removed the editor from the first Canary Channel build of 2024. From a report: We knew it was coming, but the reality has arrived in the Canary Channel. A clean install will omit WordPad as of build 26020 of Windows 11. At an undisclosed point, the application will be removed on upgrade. The People app is also being axed, as expected, and the Steps Recorder won`t be getting any more updates and will instead show a banner encouraging users to try something else. Perhaps ClipChamp? WordPad was always an odd tool. Certainly not something one would want to edit text with, but not much of a word processor either. It feels like a throwback to a previous era. However, it was also free, came with Windows, and didn`t insist on having a connection to the internet for it to work.\n \n\n \n

Microsoft is adding a dedicated `Copilot` key to PC keyboards, adjusting the standard Windows layout for the first time since 1994. The key will open its AI assistant Copilot on Windows 10 and 11. On Copilot-enabled PCs, users can already invoke Copilot by pressing Windows+C. On other PCs, the key will open Search instead. ArsTechnica adds: A quick Microsoft demo video shows the Copilot key in between the cluster of arrow keys and the right Alt button, a place where many keyboards usually put a menu button, a right Ctrl key, another Windows key, or something similar. The exact positioning, and the key being replaced, may vary depending on the size and layout of the keyboard. We asked Microsoft if a Copilot key would be required on OEM PCs going forward; the company told us that the key isn`t mandatory now, but that it expects Copilot keys to be required on Windows 11 keyboards `over time.` Microsoft often imposes some additional hardware requirements on major PC makers that sell Windows on their devices, beyond what is strictly necessary to run Windows itself.\n \n\n \n

Summary In recent months, Microsoft Threat Intelligence has observed threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme. We have addressed and mitigated this malicious activity by turning off ms-appinstaller by default. Additionally, Microsoft has coordinated with Certificate Authorities to revoke the abused code signing certificates utilized by malware samples we have identified.

An anonymous reader writes: If you`ve ever performed a fresh reinstall of Windows 11, you`ll know how long it takes and how much effort you need to make to get it started. Fortunately, Microsoft is taking note. As spotted in a recent update to the Windows 11 beta branch, the company is working on a way to reinstall your operating system through Windows Update, and no files are lost in the process. The newest update to the Windows Insider beta branch has added a new feature titled `Fix Problems using Windows Update.` The feature is still a work in progress, so it doesn`t work as it should right now. However, if you`re on the Windows 11 Insider beta branch, you can see the button for yourself on the Recovery page, among the Windows 11 backup settings.\n \n\n \n

According to Canalys Research, Microsoft`s plan to end support for Windows 10 could result in about 240 million computers being sent to landfills. `The electronic waste from these PCs could weigh an estimated 480 million kilograms, equivalent to 320,000 cars,` adds Reuters. From the report: While many PCs could remain functional for years post the end of OS support, Canalys warned demand for devices without security updates could be low. Microsoft announced a plan to provide security updates for Windows 10 devices until October 2028 for an undisclosed annual price. If the pricing structure for extended Windows 10 support mirrors past trends, migrating to newer PCs could be more cost-effective, increasing the number of older PCs heading to scrap, Canalys said.\n \n\n \n

What`s next for Windows? Microsoft plans next-gen Windows AI release in 2024, plus details on recent changes to the Windows roadmap. From a report: According to my sources, the new Windows bosses are now returning to an annual release cycle for major versions of the Windows platform, meaning Windows is going back to having just one big feature update a year instead of multiple smaller ones throughout. Microsoft may still use Moment updates sparingly, but they will no longer be the primary delivery vehicle for new features going forward. These changes are said to take effect after Hudson Valley launches in 2024, so I`m still expecting at least one more Moment update for the current version of Windows 11, which sources say will ship in the February or March time frame early next year. [...] According to my sources, Microsoft`s blockbuster new feature will be the introduction of an AI-powered Windows Shell, enhanced with an `advanced Copilot,` that`s able to constantly work in the background to enhance search, jumpstart projects or workflows, understand context, and much more. Sources say these AI features will be `groundbreaking.` The company is working on a new history/timeline feature that will let users scroll back in time through all the apps and websites that Copilot has remembered, which can be filtered based on a user`s specific search criteria. For example, you could type `FY24 earnings` and every instance where that term was on-screen will reappear for you to see and open. AI will also enhance search in Windows, with the ability to use natural language to find things that you`ve previously opened or seen on your PC.\n \n\n \n

`Researchers have identified a large number of bugs to do with the processing of images at boot time,` writes longtime Slashdot reader jd. `This allows malicious code to be installed undetectably (since the image doesn`t have to pass any validation checks) by appending it to the image. None of the current secure boot mechanisms are capable of blocking the attack.` Ars Technica reports: LogoFAIL is a constellation of two dozen newly discovered vulnerabilities that have lurked for years, if not decades, in Unified Extensible Firmware Interfaces responsible for booting modern devices that run Windows or Linux. The vulnerabilities are the product of almost a year`s worth of work by Binarly, a firm that helps customers identify and secure vulnerable firmware. The vulnerabilities are the subject of a coordinated mass disclosure released Wednesday. The participating companies comprise nearly the entirety of the x64 and ARM CPU ecosystem, starting with UEFI suppliers AMI, Insyde, and Phoenix (sometimes still called IBVs or independent BIOS vendors); device manufacturers such as Lenovo, Dell, and HP; and the makers of the CPUs that go inside the devices, usually Intel, AMD or designers of ARM CPUs. The researchers unveiled the attack on Wednesday at the Black Hat Security Conference in London. As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment. `Once arbitrary code execution is achieved during the DXE phase, it`s game over for platform security,` researchers from Binarly, the security firm that discovered the vulnerabilities, wrote in a whitepaper. `From this stage, we have full control over the memory and the disk of the target device, thus including the operating system that will be started.` From there, LogoFAIL can deliver a second-stage payload that drops an executable onto the hard drive before the main OS has even started. The following video demonstrates a proof-of-concept exploit created by the researchers. The infected device -- a Gen 2 Lenovo ThinkCentre M70s running an 11th-Gen Intel Core with a UEFI released in June -- runs standard firmware defenses, including Secure Boot and Intel Boot Guard. LogoFAIL vulnerabilities are tracked under the following designations: CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238. However, this list is currently incomplete. `A non-exhaustive list of companies releasing advisories includes AMI (PDF), Insyde, Phoenix, and Lenovo,` reports Ars. `People who want to know if a specific device is vulnerable should check with the manufacturer.` `The best way to prevent LogoFAIL attacks is to install the UEFI security updates that are being released as part of Wednesday`s coordinated disclosure process. Those patches will be distributed by the manufacturer of the device or the motherboard running inside the device. It`s also a good idea, when possible, to configure UEFIs to use multiple layers of defenses. Besides Secure Boot, this includes both Intel Boot Guard and, when available, Intel BIOS Guard. There are similar additional defenses available for devices running AMD or ARM CPUs.`\n \n\n \n