A Cybersecurity Directive From Dept of Homeland Security Is Usually of Interest

When the DHS says “all civilian federal agencies” must take some action relative to security, it usually means something interesting is going on. Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

To be vulnerable to this issue, you must NOT have applied the patch that was issued by Microsoft in August. That is from more than 6 weeks ago.

Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.

I assume that folks currently employed in the security arena know about this already, but whenever DHS says do something “Now!” my curiosity is heightened.

Here are the directives from DHS Cybersecurity. Under the law, civilian federal agencies have to do this.

1. Update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020:

  1. Apply the August 2020 Security Update to all Windows Servers with the domain controller role. If affected domain controllers cannot be updated, ensure they are removed from the network.
  2. By 11:59 PM EDT, Monday, September 21, 2020, ensure technical and/or management controls are in place to ensure newly provisioned or previously disconnected domain controller servers are updated before connecting to agency networks.

Now I know that patches on Patch Tuesday can cause problems. But if you have this vulnerability un-patched, you are going to have many more problems than a few disgruntled users.

Because Putting Resources on the Most Severe Problems Is For Suckers

Maybe Microsoft just doesn’t give a damn about security. Hands-on with Windows 10’s new Start Menu

So for the past 4 months, Microsoft’s Patch Tuesday fixed more than 120 errors in their products. So where is Microsoft choosing to expend resources?

During a Windows Insider webcast, Microsoft teased its vision for a new Windows 10 Start Menu that features partially transparent theme-aware tiles to showcase the new Fluent-based colorful icons.

Microsoft said it will bring the new Start Menu to your devices with Windows 10 version 20H2, which is expected to arrive in October or November.

Of course they are.

I don’t know about you, but when I am working on my PC, it never occurs to me to think, “If only they would upgrade the start menu…” And that was really not the case when I was fighting thru the issues I encountered BECAUSE of Patch Tuesday.

Is It Just Me…

Or is Microsoft Windows spinning out of control? Microsoft Patch Tuesday, Sept. 2020 Edition

September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

None of the “critical issues,” and there were more than a few, are known to be in the wild. But the key word in that phrase is “known.”

Microsoft Joins the List of Companies that Hates Privacy

They want to snoop on EVERYTHING you do online. EVERYTHING. Research Finds Microsoft Edge Has Privacy-Invading Telemetry.

When testing the Edge Browser, Leith saw that every URL that was typed into Edge would be sent back to Microsoft sites.

For example, every URL typed into the address bar is shared with Bing and other Microsoft services such as SmartScreen. This was confirmed by BleepingComputer who used Fiddler to see the JSON data being sent to Microsoft.

“Telemetry” data. Everything you do online is a bit beyond telemetry, and more like a creepy invasion of privacy.

Google’s Blogspot blogging software has decided that in order to comment on any post at a blogspot.com website, you need to have 3rd-party cookies enabled. So I keep Edge handy with that feature on in case I ever want to comment on a blogspot blog. Because I won’t enable 3rd-party cookies in my usual browsers. (Which are all of them, aside from Edge.)

Bets On Whether Management Learned the Lesson of WannaCry?

My bet is that since they didn’t update XP between the time Microsoft published a patch – for a non-supported version of the operating system – last time, they won’t do it this time either. Prevent a worm by updating Remote Desktop Services (CVE-2019-0708).

That’s right. Microsoft released a patch for Windows XP and Server 2003. Computers which don’t update are vulnerable to an exploit. Just like before WannaCry, MS didn’t see an exploit in the wild. The problem fixed in this patch WILL BE reverse engineered. Soon.

This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.

But I don’t think anyone running XP (aside from MAYBE Maersk Lines, and FedEx) will update. I don’t even believe that the United Kingdom’s National Health Service, which was decimated for a week or more by WannaCry, will update anything. Why? Bureaucracies can’t move fast. Hackers can and do.

While I was astounded that companies could say (with a straight face) that they had “critical systems,” running on insecure, non-supported software before WannaCry, today, I have no doubt that they are just as stupid as they were 2 years ago.

And in 3 or 4 months, when an exploit from this vulnerability is in the wild, and doing damage, management will pull out all the excuses they used in 2017.

Are We Glad Microsoft Took Over GitHub?

Things are so much better. GitHub Hacked for Bitcoins: Is it a Hackers Smartness or Microsoft Security Weakness?.

Well, hackers have struck again and this time it’s to the heart of developers: the code repositories at GitHub. Well, it’s been a couple of days since a hacker has been breaking into GitHub accounts and is wiping code repositories, to then demand a ransom in bitcoin from its owners. While there are still no signs of who the hacker is, it definitely raises questions on Microsoft’s connection to it and its capabilities of managing the code repository vertical which it acquired last year.

If you are relying on GitHub, or one of the other Git service providers, to manage everything, well this should serve as a wake-up call. And other providers have been hit as well.

Microsoft is getting the blame because they are stonewalling.

Microsoft Unveils Way to Block Updates

I’m sure it wasn’t intentional. From the comments on Windows 10 May 2019 Update to Be Blocked If Using USB Drives.

“… Internal hard drives can also be affected.”
Also, it’s another potential way to disable updates.
1. Dig up some 2Gb drive from its grave
2. Identify slowest and least useful port
3. Plug and forget
4. Apply some glue (optional)

The whole piece is good – at least if you’re interested in tech – but that made me spit out my coffee.

The nuts and bolts of blocking the upgrade…

Microsoft will block upgrades to the Windows 10 May 2019 Update if external media such as a USB device or SD card is attached to the computer.

Yet Another Reason to Avoid the Edge Browser

Microsoft and F*c*book: Individually they are each obnoxious. Together they achieve critical mass for being a force for evil. Microsoft Edge Secret Whitelist Allows Facebook to Autorun Flash.

Microsoft’s Edge web browser comes with a hidden whitelist file designed to allow Facebook to circumvent the built-in click-to-play security policy to autorun Flash content without having to ask for user consent.

Never mind that Flash continues to be full of security defects. Never mind that I want nothing to do with F*c*book. Microsoft knows what’s best for everyone – and that is letting F*c*book spy on me.

More News About the Tech Industry Hypocrites

The folks in tech are SO ready to tell us how much more enlightened they are than those of us in “fly-over” country. (Right behind entertainment and ahead of sports-figures.) Microsoft women filed 238 discrimination and harassment complaints

A lawsuit, filed in 2015, has entered the discovery phase, so a lot of stuff is being made public.

Out of 118 gender discrimination complaints filed by women at Microsoft, only one was deemed “founded” by the company, according to the unsealed court filings.

That is a lot of complaints for only one to be found to be of substance. Or so it seems. Can I assume that when lawyers are using the term “shocking” in filings, things aren’t good? Or does this kind of language seep into most court cases? They also called the investigation process “lackluster.”

Windows 10 Is Morphing Into Adware, Bloatware and Malware

“If you were wondering whether Microsoft could inflict even more damage to Windows’ reputation, the answer is yes.” More forced advertising creeps into Windows 10 Pro. Whiskey. Tango. Uniform.

Starting Aug. 2, admins will not be able to keep Microsoft from pushing the likes of Candy Crush Soda Saga onto Win10 Pro PCs on their networks because certain Group Policies will be deactivated

Because what do people who pay extra for the “professional” version of an operating system want? More ads. I wonder how long it will be until the ads become of the Not Safe For Work variety, or they start downloading spyware, like so many ads before them. Oh, but wait, Windows 10 was free – if you paid for Windows 7 or 8.

And it isn’t just ads, as Microsoft will install stuff that it thinks you should have on your machine.

I can’t find an official list of “consumer experiences,” but they include a lot of tiles for crapware that’s now being installed by Microsoft on new machines. My list is pretty impressive. Here are the crapware app tiles I’ve seen installed by Microsoft on my test machines, apparently as part of the Windows 10 consumer experience: Candy Crush Soda Saga, Flipboard, Adobe Photoshop Express, iHeartRadio, USA Today, Twitter (the official app), Farmville 2, World of Tanks Blitz, Duolingo, and Pandora. Microsoft’s also pushed tiles for its own Minecraft, Get Office, and Solitaire Collection.

A piece of software that is installed on my machine, that I don’t want, and that I have not asked for nor OKed, is malware. But that is pretty much how I have looked at Windows 10 since Microsoft started trying to cram it down my throat.

So now we know how MS intends to monetize the “free” world of Windows 10. Proving once again, “There ain’t no such thing as a free lunch.”

Microsoft Windows 7 Claims: “they are complete rubbish”

Not satisfied with forced downloads and blatant attempts to trick people into upgrading to Windows 10, Microsoft has now launched a propaganda campaign. A stupid one at that. Microsoft Warns Windows 7 Has Serious Problems

There’s only one problem with Capossela’s statements: they are complete rubbish.

Windows 7 is no less secure than Windows 10 (it will be supported until 2020) and no less compatible with new hardware and software. In fact its far greater market share means it is developers’ priority and has greater compatibility with legacy programmes and peripherals. If Fallout 4 won’t run on your Windows 7 computer, it will be upgrading your components not installing Windows 10 which fixes that.

I think I have settled on Linux Mint as the version of Linux that will go on my old laptop. It still runs, but I don’t use it for much. Putting Linux on it will accomplish 2 things: 1, it will get me to remember everything I’ve forgotten about the Unix operating system, and 2, it will allow me to demonstrate to people just how close the Unix graphical interface is to looking like Windows or Mac. The fact that most folks find Linux more efficient than Windows is a plus, and I need to learn Python programming anyway.

For years if you wanted a PC without a Windows license, well you either built your own, or you uninstalled the Windows version that came by default on every Dell, HP etc. PC. I always found that annoying. But then I always found Microsoft annoying on so many levels.

Microsoft Isn’t Giving Up on Migrating You to Windows 10. No Matter What YOU Want!

Despite the fact that you might not WANT Windows 10, or that you have stuff that isn’t ready for Windows 10 (what, you have something from a company other than Microsoft?), you are going to get it anyway.

Fortunately, there is a way to stop Windows 10. The Get Windows 10 Control Panel, the GWX Control Panel. Ultimate Outsider: GWX Control Panel 1.6 Introduces Monitor Mode and More

You can get a rundown on the product from Security Now (a This Week in Tech podcast). The December 8th edition has the info. The relevant portion is at 18 minutes.

You can download the GWX Control Panel at the Ultimate Outsider. (As Steve Gibson says on the SN podcast, throw the guy a buck or 2 via his PayPal link.)

I have been threatening to dump Windows in favor of Linux for some time. (You buy a new computer and it comes with Windows…) But MS is BEYOND annoying. And Windows 10 is probably the biggest bit of spyware I have seen in some time. And the new GNU graphical interfaces look a lot like Windows or a Mac. And Linux is a lot more efficient, and all I do is use the internet, and LibreOffice. Well, and a few other things I can run under Linux.