Google Calls Out Microsoft For Security Issue

Depending on who you ask, Google’s Project Zero is either the thing that’s going to singlehandedly save the internet, or the bane of many companies’ existence.  It’s easy to see both sides of the argument.

On one hand, by uncovering previously undiscovered bugs in all manner of software and handing that information over to the authors, Google is undeniably performing a valued public service.  The problem has never been with the “carrot” side of the equation, always with the stick.

The stick is this:  Google gives each company 90 days in which to address the bug.  If they take no action during that time, then Google will announce the existence of the bug to the world, which, of course, means that hackers everywhere immediately have access to a new exploit.

This approach often accomplishes what contacting the vendor privately does not.  Once the bug becomes common knowledge, the company in question is essentially forced to fix the problem, thus making the internet safer.

It should be noted that Google does allow exemptions to the 90-day rule.  If a company is hard at work on a fix and needs more time, Google has been known to delay their announcement.  In a similar vein, if a bug is simply catastrophic in scope and scale, the company has been known to make the announcement to help deploy resources of multiple companies toward addressing the issue.

More than 90 days ago, the Project Zero team discovered a pair of security flaws in Microsoft products: one in their Edge browser, and the other in the Windows 10 OS.  One of the two got fixed.  The other did not, and Google called them out for it.

Needless to say, Microsoft is not pleased, and they have hit Google back for such behavior in the past. They scored a PR victory last year when Microsoft engineers discovered a flaw in Google’s Chrome browser and contacted the company privately so they could fix the issue, then bragged about their more responsible approach after the fact.

It will be interesting to see what Microsoft does in this instance.

Remote Desktop Flaw Affects Every Windows Version

Researchers at Preempt Security recently discovered a critical flaw in Microsoft’s Credential Security Support Provider protocol (CredSSP for short) that impacts every version of Windows in existence. It could allow a hacker to remotely exploit Windows Remote Desktop to execute malicious code and steal any data stored on the machine.

The flaw, logged as CVE-2018-0886, would allow a hacker to execute a man-in-the-middle attack (provided that they had Wi-Fi or physical access to the machine) and steal authentication data via a Remote Procedure Call attack.

Yaron Zinar, a lead researcher at Preempt, had this to say about the flaw:

“An attacker which has stolen a session from a user with sufficient privileges could run different commands with local admin privileges.  This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.  This could leave enterprises vulnerable to a variety of threats from attackers including lateral movement and infection on critical servers or domain controllers.”

This is a big deal because Windows Remote Desktop is hands-down the most popular means of performing remote logins. In addition, businesses of all shapes and sizes make regular use of RDP for a variety of purposes, making them vulnerable until the flaw is patched.

Microsoft released a fix for the issue as part of their March 2018 Patch Tuesday, but security professionals close to the issue warned that simply applying the patch is not enough to provide protection.  You’ll also need to instruct your staff to make a few configuration changes (explained in the documentation surrounding the issue), including limiting your use of privileged accounts as much as possible and using non-privileged accounts whenever possible.

The March 2018 patch release was a hefty one, and included patches for a number of products including ChakraCore, PowerShell, Microsoft Office, Windows (OS), and both the Edge browser and Internet Explorer.

Having Chrome Issues Since The Latest Windows 10 Update?

Microsoft has been having some “issues” of late.  Its April Windows 10 rollout had to be delayed on account of some mysterious BSOD (“Blue Screen of Death”) issues. This month’s rollout is plagued by similar problems, trading the BSOD issues for problems with both “Hey Cortana” and Google’s Chrome browser.

The problem is that when you try to navigate the web using Chrome with the latest Windows 10 update, the entire system will inexplicably hang.  The company is hoping to have a fix ready for release in time for the next “Patch Tuesday” on May 8, but in the meantime, offered the following suggestions to users who are impacted by this issue:

  • If you’re on a laptop, sometimes (but not always) opening and closing the lid will revive the system.
  • Failing that, or if you’re not on a laptop, try using the keyboard combination: Win + Ctrl + Shift + B. This activates the “wake screen” sequence.
  • If you’re on a tablet, press the volume up and volume down buttons at the same time, three times within two seconds. If you hear a short beep, then you know Windows is responsive, and it will attempt to refresh the screen.

If none of the above works for you, then your only other option is to simply reboot the system, which is beyond annoying.  Fortunately, however, it’s only temporary. The company is currently working on a fix (although whether it’s ready by Patch Tuesday remains to be seen).

While this is by no means the kiss of death, it is troubling that the last two updates have had major issues.  Unless the issue is identified and remedied, the company could be facing larger and more pervasive problems in the months ahead.

High Speed Wireless Coming To Laptops Next Year

If you’re in the market for a new laptop but can milk a little more life out of the one you’ve got, 2019 will be the year to buy.  The reason?  5G.  AT&T is slated to become the first carrier to offer 5G network connectivity to small segments of its customer base this year (starting in Atlanta, Dallas, and Waco, and then slowly spreading to other areas).

While they’ll be the first, it’s not hard to imagine that their competitors will be hot on their heels, and all the major PC and laptop manufacturers are keenly aware of this.  That’s why Microsoft, Lenovo, HP, Dell, and Intel have all announced that the first 5G-enabled PCs will become available sometime in mid to late 2019, in a bid to take advantage of the awesome new capabilities that 5G promises to make a reality.

While Intel missed the 4G opportunity, the company has every intention of being front and center in the 5G revolution.

In fact, the company had this to say when it made its announcement earlier this week:

“Intel is investing deeply across its wireless portfolio and partners to bring 5G-connected mobile PCs to market, with benefits for users like high quality video on-the-go, high-end gaming, and seamless connections as users traverse WiFi and Cellular networks.”

All true, and a widespread 5G network would truly be a game changer.  The problem, though, is that 5G has a bit of an image problem.  It has long been considered the Holy Grail of wireless networking, and Intel and other companies have been hyping its many advantages for years.

The difference, of course, is that now, companies have the technical capabilities to make it all real, and have firm timetables in place for a rollout, neither of which was true in the past. Even so, 5G now has to swim against a bit of a tide of its own making as it draws closer to becoming reality.

Microsoft To Help Intel With Security Issues

By now, you’ve almost certainly heard of the “Spectre” and “Meltdown” security flaws that affect every Intel chip produced in the last decade.  Users have been waiting for a fix for both of these since January, when the issues were first discovered.

From the beginning, Microsoft agreed to include the fix for Spectre in its regular software updates but insisted that Intel and PC manufacturers would have to push the Meltdown fix on their own.

Unfortunately, the overwhelming majority of users are still waiting, and in the meantime, untold millions of machines are at risk.  Intel’s first attempt at a fix was so spectacularly bad that the company urged users not to install it until a better fix could be rolled out.

Intel has since released an updated fix, but few users have taken advantage of it so far.  The reason is that most users simply don’t know how.  They’re not aware that they have to go to Intel’s website to manually download and install it, or wait for an OEM push, which could still be months away.

Given this reality and the extreme danger that Spectre poses, Microsoft has reversed course and agreed to make special Windows update releases that include the Spectre fix.  The first such update, KB4090007, is now out and available to users.

There are three important caveats to be aware of, however:

  • These special updates will not be delivered automatically. Users will have to go to the Windows Update Catalog and select the appropriate package, then run it on their computers.
  • The updates are available only for Windows 10, version 1709, and Windows Server, version 1709.
  • The currently available package (KB4090007) is meant for Intel Skylake CPU owners only. Additional packages will be released over the course of the next few months.

Windows Media Player May Be Replaced By Microsoft App

A Reddit user named “Noam_ha” recently posted a screenshot displaying a popup message when users open the venerable Windows Media Player (WMP), asking users if they would instead like to open the video file with the company’s more modern Movies and TV app.

The popup message touts the Movies and TV app’s advantages, which include better battery life if running on a phone or laptop, better compatibility with more modern video formats, a mini-view, and support for 360-degree video on Augmented Reality devices.

There are several interesting things to note here:

First, while the new popup message clearly signals Microsoft’s preferences, the reality is that in many ways, the Movies and TV app is a poor substitute for WMP.  It only has modest functionality and has a downright awful interface. Even worse, many features found in WMP (like streaming video from online repositories, queuing, and variable play speeds) are simply not present in the new app.

Second, this appears to be a recent shift inside the company, because WMP comes pre-installed on Windows 10.

On the other hand, WMP hasn’t received a significant update since the Movies and TV app was first released with the launch of Windows 7.  In that respect, at least, the writing has been on the wall for some time now.

This marks the second beloved app that Microsoft has decided to kill in recent months.  Recall that just last year, the company announced the end of Microsoft Paint, a kludgy, barely functional graphics program that was nonetheless strangely beloved by users.  It was retired and replaced with “Paint 3D,” and now, all indications are that Windows Media Player is headed for a similar fate.

That wouldn’t necessarily be a bad thing, but given the condition of the new Movies and TV app, the decision probably isn’t going to win Microsoft any friends.

Hackers Zone In On Microsoft Products To Attack

Congratulations to Adobe Flash Player for not being the software most targeted by hackers.  Security vendor “Recorded Future” has just published their annual list of the software hackers most commonly focus on when targeting computers and handheld devices for attack.

For the last several years, Adobe’s Flash Player has topped the list, but this year they have been dethroned.  Microsoft now has the embarrassing honor. There are multiple Microsoft programs on this year’s list, with some of them having exploits that date back more than a decade.

It’s a shameful honor to say the least, and even worse, in this year’s report, Microsoft captured seven of the top ten places.

The most often abused security flaw this year was CVE-2017-0199.  Found in a variety of Microsoft Office products, the flaw allows a hacker to embed and execute VBS (Visual Basic Scripts) that contain PowerShell commands in an Office document.  Recorded Future has found exploit kits for sale on the Dark Web that automate the process, going for between $400 and $800.

Hot on the heels of the #1 entry is CVE-2016-0189, which is one of a whole raft of Internet Explorer vulnerabilities that allow hackers to take unfettered control of a victim’s PC, laptop, or smartphone. It is one of the reasons Microsoft has moved away from IE in preference for Microsoft Edge.

Despite this dismaying news, Recorded Future notes that attacks via exploit kit are down significantly, with a staggering 62 percent drop in new variants.

The report’s author, Scott Donnelly, had this to say:

“The observed drop in exploit kit activity overlaps with the rapid decline of Flash Player usage.  Users have shifted to more secure browsers and attackers have shifted as well.  Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void.”

Despite the shifting landscape, the central lesson is clear.  Hackers tend to take advantage of known exploits.  Companies that keep their software properly patched dramatically reduce their chances of being targeted.

Most “Wannacry” Hacks Were On Windows 7 Machines

Last year’s Wannacry attack was bad, but in many ways, it was a self-inflicted wound.  According to Webroot’s recently published “Annual Threat Report,” almost all of the machines that succumbed to the Wannacry attack were running Windows 7.  That attack is estimated to have caused in excess of $4 billion in total losses.

The central problem is that businesses have been much slower than individuals to make the shift from Windows 7 to the much more secure Windows 10.  For example, in January 2017, only one Enterprise computer in five was running Windows 10, a figure which climbed to 32 percent by year’s end.

Contrast that with the number of Enterprise computers running Windows 7.  In January 2017, a staggering 62 percent of Enterprise computers were still running Windows 7.  That figure declined as the year went on, but only marginally, dropping to 54 percent by the end of the year.

Meanwhile, Windows 8 was running on 5 percent of Enterprise computers in January 2017, and had dropped to 4 percent by the end of the year.  Windows Vista and XP both represented a tiny fraction (less than 1 percent) of Enterprise OS’s.

Contrast that with the Windows 10 migration figures for individuals.  In January 2017, 65 percent of home users had made the switch to Windows 10.  By the end of the year, that figure had grown to an impressive 72 percent.

A Webroot spokesperson had this to say about the report:

“While Windows 10 won’t solve all security woes, it’s a step in the right direction.  Combined with advanced endpoint protection that uses behavioral analysis and machine learning, adopting Windows 10 can greatly reduce enterprises’ vulnerability to cyber-attacks.”

All that to say, if you haven’t moved away from outdated operating systems at your company, this is yet another compelling reason to do so immediately.  No matter what legacy systems you may be running that rely on old OS’s, it’s just not worth the risk.

Microsoft Is Issuing Surface Book 4 Replacements

Do you own a Surface Book 4?  If you do, you may have been unfortunate enough to get one that suffers from a peculiar screen flickering issue.  It’s not known exactly how many Surface Book 4’s have been affected by the issue, but thousands of angry users have been comparing horror stories about it on various discussion forums around the web.

For their part, Microsoft has been very slow to even acknowledge the existence of the issue, even though there are some user videos showing the screen flicker in real time. In addition, there are videos of various crude hacks and workarounds owners have been using to get the screen to behave normally. These have included popping their computers in the freezer or running a hair dryer over them.  Even when these “fixes” worked, they only worked for short periods of time.

Finally, the company has officially acknowledged the problem, and has now begun offering to replace the units for anyone dealing with “Flickergate.”  Sadly, it’s too little, too late for some frustrated users, who have shelled out an average of $450 to replace the problematic screens on their own.

If you have a Surface Book 4, are dealing with the aggravating screen flicker issue and haven’t replaced it on your own yet, stop by Microsoft’s website and follow the prompts to see if you qualify for a replacement.

Over the past couple of years, Microsoft has done a good job at demonstrating nimbleness and responsiveness to customer complaints, which makes their handling of Flickergate more than a little disappointing.  Our hope is that in the months ahead, whatever shape or form the next issue the company faces might be, they’ll return to recent form and be much more responsive than they were this time around.

Microsoft Helping With Ransomware In Office 365

Microsoft recently made small but significant changes to its Office 365 subscription service and to OneDrive, which are often used in tandem.  The goal is to make it easier for users whose files have been encrypted by ransomware (or otherwise corrupted) to recover them.

The most significant of the changes is a new “File Restore” button that Office 365 users will see in both applications.  If you’ve saved your Office 365 files to OneDrive, you’ll be able to restore files in a thirty-day window.  In the event that your files are accidentally deleted or corrupted, getting them back is as simple as pressing the button and selecting the files to be restored.

That’s a huge win for Office 365 and OneDrive users, but there’s more.

The additional changes include:

  • A mobile alert sent to the phone number you select, which will inform you if your files may have been encrypted or otherwise tampered with
  • Support for end-to-end email encryption in their mail service (Outlook), including the web version of the mail app
  • Office now scans all links embedded in PowerPoint, Excel and Word documents to check if they point to malicious content on the web
  • All file attachments and links embedded in emails are now scanned for known phishing threats and viruses
  • Outlook.com now gives users the ability to prevent email recipients from forwarding your emails
  • The ability to password protect OneDrive shared links

That last one is also significant, and is a feature that OneDrive’s user base has been clamoring for for quite some time.  OneDrive has made it incredibly easy to share files via a link-based system, but unfortunately, never offered users a way to secure those links.  That, thankfully, has now changed.

Individually, all these changes are quite good, but taken together, they represent a significant step in the right direction.  Kudos to Microsoft for taking the threat of ransomware so seriously, and adding specific features to help protect their users.