Microsoft has released security updates with the June 2022 cumulative Windows Updates to address a critical Windows zero-day vulnerability known as Follina and actively exploited in ongoing attacks. "Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action," Microsoft said in an update to the original advisory. "Microsoft recommends installing the updates as soon as possible," the company further urged customers in a post on the Microsoft Security Response Center. Tracked as CVE-2022-30190, the security flaw is described by Redmond as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug that affects all Windows versions still receiving security updates (i.e., Windows 7+ and Server 2008+). Attackers who successfully exploit this zero-day can execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, and even create new Windows accounts as allowed by the compromised user's rights. As security researcher nao_sec found, Follina exploits allow threat actors to execute malicious PowerShell commands via MSDT in what Redmond describes as Arbitrary Code Execution (ACE) attacks when opening or previewing Word documents. While applying today's updates does not prevent Microsoft Office from automatically loading Windows protocol URI handlers without user interaction, it blocks PowerShell injection and disables this attack vector. The Follina security vulnerability has been exploited in attacks for a while by state-backed and cybercrime threat actors with various end goals. As Proofpoint security researchers revealed, the Chinese TA413 hacking group exploited the bug in attacks targeting the Tibetan diaspora, while a second state-aligned threat group used it in phishing attacks against US and EU government agencies.
Follina is now also being abused by the TA570 Qbot affiliate in ongoing phishing campaigns to infect recipients with Qbot malware. However, the first attacks targeting this zero-day started in mid-April, with sextortion threats and invitations to Sputnik Radio interviews as baits. In light of Microsoft reporting active exploitation of the bug in the wild, CISA has also urged Windows admins and users to disable the MSDT protocol abused in these attacks. Shadow Chaser Group's CrazymanArmy, the security researcher who reported the zero-day to Microsoft's security team in April, said the company rejected his initial submission as not a "security-related issue." However, according to the researcher, Redmond's engineers later closed the bug submission report with a remote code execution impact. Follow this and more on OUR FORUM.
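The attack chain described above (an Office document handing an ms-msdt: URI to the Windows Support Diagnostic Tool, which then runs commands) leaves a distinctive host-side trace: an Office application spawning msdt.exe. The following detection logic is an added example, not code from the article or from Microsoft; it runs over constructed, simplified process-creation records (the pipe-separated layout and the field names ParentImage, Image and CommandLine are assumptions for this example, loosely modelled on Sysmon-style process creation events), and flags Office-to-MSDT parent/child chains, raising the severity when the command line also carries the ms-msdt: scheme.

```python
"""Added example: detecting Office -> msdt.exe process chains in process-creation logs.

Not from the article. The log format below is constructed for this example; real
telemetry (Sysmon, EDR) carries the same three facts under different field names.
"""
from dataclasses import dataclass

# Office hosts that should normally never launch the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    time: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample records (not real telemetry): time|Key=Value|Key=Value|...
SAMPLE_LOG = r"""
2022-06-14T10:01:02Z|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\msdt.exe|CommandLine="C:\Windows\System32\msdt.exe" /id NetworkDiagnosticsWeb
2022-06-14T10:03:15Z|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\msdt.exe|CommandLine="C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic
2022-06-14T10:03:40Z|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\splwow64.exe|CommandLine=C:\Windows\splwow64.exe 12288
2022-06-14T10:07:58Z|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\WINDOWS\SYSTEM32\MSDT.EXE|CommandLine=MSDT.EXE /id PCWDiagnostic
not a valid record
"""


def parse_line(line: str):
    """Parse one record; return None for malformed lines instead of raising."""
    parts = line.strip().split("|")
    if len(parts) < 4:
        return None
    fields = {}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")  # first '=' only; values may contain '='
        if not sep:
            return None
        fields[key] = value
    try:
        return ProcessEvent(parts[0], fields["ParentImage"], fields["Image"], fields["CommandLine"])
    except KeyError:
        return None


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator and odd casing."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_to_msdt(ev: ProcessEvent) -> bool:
    """The core signal: an Office process is the direct parent of msdt.exe."""
    return basename(ev.parent_image) in OFFICE_PARENTS and basename(ev.image) == "msdt.exe"


def has_msdt_uri(ev: ProcessEvent) -> bool:
    """Secondary signal: the child was launched through the ms-msdt: protocol handler."""
    return "ms-msdt:" in ev.command_line.lower()


def scan(log_text: str) -> list:
    """Return one alert dict per suspicious record, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None or not is_office_to_msdt(ev):
            continue
        via_uri = has_msdt_uri(ev)
        alerts.append({
            "time": ev.time,
            "parent": basename(ev.parent_image),
            "child": basename(ev.image),
            "uri_in_cmdline": via_uri,
            "severity": "high" if via_uri else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The rule keys on the parent/child relationship rather than on the command line alone, so the Excel record is still flagged (at medium severity) even though its command line never mentions the URI scheme; the explorer.exe record, a user opening a troubleshooter from Settings, and the Word-to-print-spooler record are left alone.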
After 26 years of suffering as a laughingstock on the web, Internet Explorer was finally put to sleep by Microsoft on June 15. Its spirit, nonetheless, will still be felt by many users for years to come, as its creator has decided to keep supporting IE mode in Microsoft Edge until 2029. “Internet Explorer’s reputation today is, deservedly, one of a product from an older era—quirky in behavior and lacking the security of a modern browser,” Microsoft Edge Enterprise General Manager Sean Lyndersay says in a eulogy for the browser. “But its contributions to the evolution of the web have been remarkable, from helping to make the web truly interactive with DHTML and AJAX to hardware-accelerated graphics to innovations in touch/pen browsing. Working on the retirement of Internet Explorer has been a constant reminder of its importance; every day we work with customers who have built their businesses on Internet Explorer. Working on a product with such broad impact has been humbling—our story in many ways is the story of the internet and what it has allowed people and organizations around the world to do.” While Windows 11 is already shipping without Internet Explorer, the retirement will remove it from every supported version of Windows 10 Home, Pro, Enterprise, Edu, and IoT. Nonetheless, understanding that some businesses and organizations still rely on Internet Explorer, Microsoft promises to provide continuous IE support on specific versions of Windows currently in support and used in critical environments “until they go out of support.” These versions of Windows include in-support Windows 10 LTSC releases (including IoT), all Windows Server versions, Windows 10 China Government Edition, Windows 8.1, and Windows 7 with Extended Security Updates (ESUs). On the other hand, Microsoft underscores that affected users will be guided through a redirection process to its modern browser, Microsoft Edge with IE mode.
Included in this transition is allowing the users to import their data (e.g., favorites, passwords, and settings) from Internet Explorer. They can also manage and delete the data in Microsoft Edge from the Settings menu. “Over the next few months, Internet Explorer will progressively redirect users to our new modern browser, Microsoft Edge with IE mode,” explains Lyndersay. “Users will still see the Internet Explorer icon on their devices (such as on the taskbar or in the Start menu) but if they click to open Internet Explorer, Microsoft Edge will open instead with easy access to IE mode.” The reason behind the IE mode, according to Microsoft, is to cater to some websites that only function using Internet Explorer since they are created using older internet technology. When these users visit such websites and they don’t work properly, they can use the “Reload in IE mode” button in Microsoft Edge to resolve the issue. IT professionals managing legacy sites can also automate IE mode, allowing the pages to launch in IE mode automatically for users. For more visit OUR FORUM.
The European Commission is expected to target Facebook parent Meta, Google, Twitter, Microsoft, and TikTok on Thursday with new measures to tackle forms of disinformation, including deepfakes and fake accounts, according to reports from Reuters and the Financial Times. Companies that fail to adhere to the updated regulation could reportedly face hefty fines. The updated version of the EU's anti-disinformation code will reportedly have tech and social media companies share key data with individual countries to help combat disinformation. An updated "code of practice on disinformation" will require tech companies to disclose how harmful content is being removed and blocked. It will also reportedly more clearly lay out examples of harmful content such as deepfakes, which are video forgeries that make people appear to do or say things they never did. The voluntary code was first introduced in 2018 but will become a co-regulation scheme, according to Reuters. Both regulators and signatories will reportedly share responsibility. There will be 30 signatories, including big tech companies and civil society groups, according to the Financial Times. Social media and online tech companies will also reportedly need to do a better job of informing the public about factual sources. This includes developing tools and partnerships with fact-checkers to push back against "harmful disinformation," which may include removing propaganda and adding "indicators of trustworthiness" on independently verified information, according to the Financial Times. The code will be enforced through the Digital Services Act of 2022, a landmark piece of legislation aimed at reining in Big Tech. Companies that break the code could reportedly face fines of up to 6% of their global revenue. Considering companies such as Google parent Alphabet and Meta brought in $257 billion and $117.93 billion in 2021, respectively, 6% would amount to a hefty chunk.
Tech companies can't provide a blanket fix for all of Europe, but instead must show, country by country, how they're fighting disinformation. "We know disinformation is different in every country, and the big platforms will now have to provide meaningful data that would allow [us] to understand better the situation on the country level," said Věra Jourová, the EU's vice president for values and transparency, in a statement to the Financial Times. Jourová added that Russian propaganda following the war in Ukraine shaped the updated anti-disinformation code. For more visit OUR FORUM.
If all goes according to plan, Google will phase out third-party cookies by the end of 2023. These cookies, which brands use to track consumers’ browsing habits across the web, have long been controversial. Recently, the developers of major browsers have begun to block them entirely, preventing websites from saving third-party cookies on users’ systems. The end of these cookies may have big implications for privacy on the web. Third-party cookies are bits of information saved by browsers that were placed on a website by someone other than the owner. For example, pressing the "Like" button on a site may store a cookie on someone’s computer from Facebook, which the company can use to identify the user and the websites they visit. Unlike first-party cookies, which sites use to save preferences and visitor information for later visits, these cookies can track behavior across the web rather than being limited to just one location. In practice, brands and advertisers use third-party cookies to display advertisements that are relevant to users’ browsing habits. For example, if a person visits several sites related to cars, an advertiser may use third-party cookie information to serve them new auto advertisements. The use of third-party cookies has long been controversial. Proponents of online privacy say they make users less private -- and, in some cases, may even create security risks. Google’s decision to phase out third-party cookies by the end of 2023 comes after similar moves made by Apple and Mozilla, the developer of the popular web browser Firefox. No major web browsers will support them once Google phases them out. Apple and Mozilla had similar rationales for ditching third-party cookies -- protecting user privacy from brands and advertisers. Some advertising industry leaders believe consumers will want third-party cookies back so they get relevant ads. 
However, there’s not much evidence that consumers are particularly anxious about Google’s move to phase these cookies out. There’s a good chance that once the cookies are gone, they’ll be gone for good. The end of third-party cookies is also part of a much bigger movement to protect user privacy online. Along with laws like the GDPR in the EU or the CCPA in California, the disappearance of third-party cookies could signal the growing importance of user privacy to consumers, lawmakers, and businesses. The average consumer will probably experience a few noticeable changes due to Google’s third-party cookie phaseout. It will be much harder for brands to track browsing behavior online. This change will help protect people’s privacy from companies that want to learn more about how they use the internet. It will also make it harder for companies to target advertisements based on users’ interests and browsing history. In the months after the end of third-party cookies, people may notice ads become less specific to their particular interests. In response to the loss of third-party cookie data, marketing agencies and brands will also look for new ways to gather information on consumers’ browsing habits. Most companies that rely on third-party cookie data say they’re not ready for this change, but some brands have already shifted away from using cookies to inform their advertising strategy. People may notice that brands ask for information more frequently, rely on first-party cookies to gather information, and use surveys, polls or other data-gathering strategies to learn more about users’ interests and preferences. This new information will replace the data from third-party cookies that they currently collect. Follow this thread and more on OUR FORUM.
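The two passages above explain the distinction that all of this hinges on: a cookie is first-party when the server setting it belongs to the same site the user is looking at, and third-party when an embedded resource (a "Like" button, an ad) sets or reads it across unrelated sites. The following model is an added example, not code from the article or from any browser; it shows how a browser classifies a cookie as third-party (by comparing the registrable domain of the top-level page with that of the request) and what "blocking third-party cookies" changes for the tracker and for the site's own cookies. The suffix table and the `site_of` helper are simplifications of the Public Suffix List logic real browsers use, and the scenario hostnames are constructed.

```python
"""Added example: first-party vs third-party cookies, and the effect of blocking the latter.

Not from the article. Deliberately ignores Path, Secure, SameSite and expiry so the
one decision that matters here (same site or not) stays visible.
"""
from urllib.parse import urlsplit

# Constructed, tiny stand-in for the Public Suffix List (assumption for this example).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def site_of(url: str) -> str:
    """Registrable domain (eTLD+1) of a URL's host, e.g. news.example.com -> example.com."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_third_party(top_level_url: str, request_url: str) -> bool:
    """Third-party context: the request's site differs from the page's site."""
    return site_of(top_level_url) != site_of(request_url)


class CookieJar:
    """Minimal jar keyed by (site, cookie name) with an optional third-party block."""

    def __init__(self, block_third_party: bool):
        self.block_third_party = block_third_party
        self._store = {}

    def on_set_cookie(self, top_level_url: str, request_url: str, name: str, value: str) -> bool:
        """Handle a Set-Cookie from request_url while the user is on top_level_url.
        Returns True if the cookie was stored."""
        if self.block_third_party and is_third_party(top_level_url, request_url):
            return False
        self._store[(site_of(request_url), name)] = value
        return True

    def cookies_for_request(self, top_level_url: str, request_url: str) -> dict:
        """Cookies the browser would attach to request_url from a page at top_level_url."""
        if self.block_third_party and is_third_party(top_level_url, request_url):
            return {}
        site = site_of(request_url)
        return {n: v for (s, n), v in self._store.items() if s == site}


def simulate(block_third_party: bool) -> dict:
    """Constructed scenario: one tracker widget embedded on two unrelated sites."""
    jar = CookieJar(block_third_party)
    # Visit 1: a news site sets its own session cookie (first-party) ...
    jar.on_set_cookie("https://news.example.com/story", "https://news.example.com/", "session", "abc")
    # ... and an embedded widget from a tracker tries to set an identifier (third-party).
    tracker_stored = jar.on_set_cookie(
        "https://news.example.com/story", "https://tracker.example.net/widget", "uid", "u-123")
    # Visit 2: an unrelated car-shopping site embeds the same widget. What does the tracker get?
    tracker_sees = jar.cookies_for_request(
        "https://cars.example.org/deals", "https://tracker.example.net/widget")
    # The news site's own cookie must keep working regardless of the policy.
    first_party = jar.cookies_for_request("https://news.example.com/other", "https://news.example.com/api")
    return {
        "tracker_cookie_stored": tracker_stored,
        "tracker_sees_on_other_site": tracker_sees,
        "first_party_intact": first_party,
    }


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With the block on, the tracker never obtains an identifier it can recognise on the second site, while the news site's own session cookie is unaffected; that is the whole privacy effect the article describes. Note that comparing sites, not hostnames, is what keeps `cdn.example.com` first-party to `www.example.com` and keeps `shop.co.uk` from being treated as the same site as every other `.co.uk` domain.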
Microsoft has made Windows licensing and activation ridiculously complex. Here's what you need to know. That sentence, which has scrolled past PC users' eyeballs for decades as they click through Windows license agreements without reading them, is what made Bill Gates rich. It is also the gateway to an insanely confusing thicket of legal verbiage, and Microsoft has made the topic even more bewildering through the years by adding layers of anti-piracy protection that are only indirectly related to the license itself. (And let's not even start on weaselly words like genuine.) I've been studying Microsoft licensing agreements for more than two decades. During that time, I've written dozens of articles on the subject and have prepared testimony as an expert witness in criminal and civil cases where Microsoft licensing was at the crux of some serious disagreements. One thing I've learned along the way is that even people who work for Microsoft sometimes get confused about when a license is legitimate and when it's not. And if they have trouble sorting out license agreements, what chance do the rest of us have? Most of the time, a Windows license is strictly a formality, something you can safely ignore. But occasionally, it matters, especially if you're building your own PC or upgrading to a different edition. If you're making IT purchases for a business that involves more than a few dozen PCs, it absolutely matters. To make this difficult topic a little easier, I've put together a list of questions and answers focused specifically on Windows PCs. Is your license valid? How can you tell? Should you care? All of those things are, potentially, evidence that you possess a valid license, which is a legal grant from the licensor (Microsoft) to the licensee (you) which gives you the right to use Microsoft Windows on a particular device, provided that you follow the terms of the license agreement. 
The license itself is an intangible thing, governed by a legal agreement between you and either Microsoft or one of its partners who resold the Windows license as part of a new PC. That license agreement is the thing you scroll through quickly without reading every time you install Windows. But here's the most fascinating and frustrating part of Windows licensing. If I sit down in front of your computer and (with your permission) do a thorough inspection, I cannot conclusively determine whether you have a valid Windows license. I can confirm that the system is properly activated. I can also make an educated guess about the license status, and I will probably be right. But without seeing an audit trail of receipts for the PC and/or its system software, there's no way of knowing for sure. Over time, Microsoft discovered that it was in the company's best interests to tolerate a certain amount of casual copying as part of its goal of not pissing off legitimate customers. I can't remember the last time I received a complaint about product activation issues with Windows. Today, the overwhelming majority of Windows PCs are sold by giant OEMs that pay Microsoft for every license. Only a tiny sliver of PCs is built by hobbyists or small system builders. If someone in one of those groups tries to reuse a product key inappropriately (by activating multiple PCs using the same product key in a matter of days), the activation servers will object strenuously. But if you reuse a product key months after the first use, it's likely that Microsoft's activation servers will wave you right through. If you bought a PC with Windows preinstalled, you don't need to enter a product key when you set it up for the first time. The company that built that PC entered the product key as part of the process of preparing the system for delivery to you. Big-name OEMs embed that product key into the BIOS. Smaller system builders enter the product key using deployment tools. 
In either case, once you start up your brand-new PC, accept the license agreement, and activate your copy, that product key is no longer necessary. You can reinstall that edition of Windows on the same hardware as many times as you want, without having to enter a product key. To read this posting in its entirety please visit OUR FORUM.
One thousand four hundred and fifty-nine days have passed since data rights nonprofit NOYB fired off its first complaints under Europe’s flagship data regulation, GDPR. The complaints allege Google, WhatsApp, Facebook, and Instagram forced people into giving up their data without obtaining proper consent, says Romain Robert, a program director at the nonprofit. The complaints landed on May 25, 2018, the day GDPR came into force and bolstered the privacy rights of 740 million Europeans. Four years later, NOYB is still waiting for final decisions to be made. And it’s not the only one. Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn’t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses. Now, civil society groups have grown frustrated with GDPR’s limitations, while some countries’ regulators complain the system to handle international complaints is bloated and slows down enforcement. By comparison, the information economy moves at breakneck speed. “To say that GDPR is well enforced, I think it’s a mistake. It's not enforced as quickly as we thought,” Robert says. NOYB has just settled a legal case against the delays in its consent complaints. “There’s still what we call an enforcement gap and problems with cross-border enforcement and enforcement against the big players,” adds David Martin Ruiz, a senior legal officer at the European Consumer Organization, which filed a complaint about Google’s location tracking four years ago.
Lawmakers in Brussels first proposed reforming Europe’s data rules back in January 2012 and passed the final law in 2016, giving companies and organizations two years to fall in line. GDPR builds upon previous data regulations, super-charging your rights and altering how businesses must handle your personal data, information like your name or IP address. GDPR doesn’t ban the use of data in certain cases, such as police use of intrusive facial recognition; instead, seven principles sit at its heart and guide how your data can be handled, stored, and used. These principles apply equally to charities and governments, pharmaceutical companies, and Big Tech firms. Crucially, GDPR weaponized these principles and handed each European country’s data regulator the power to issue fines of up to 4 percent of a firm's global turnover and order companies to stop practices that violate GDPR's principles. (Ordering a company to stop processing people’s data is arguably more impactful than issuing fines.) It was never likely that GDPR fines and enforcement were going to flow quickly from regulators—in competition law, for instance, cases can take decades—but four years after GDPR started, the total number of major decisions against the world’s most powerful data companies remains agonizingly low. For more on GDPR visit OUR FORUM.