Microsoft Store announced that starting on July 16, it will begin prohibiting the sale of open-source apps that are generally free outside the store.  The developer community is not happy about it. Giorgio Sardo, Engineering General Manager in the Experiences and Devices organization at Microsoft Corp, explains in a tweet that this action will tackle illegitimate app listings, but developers say that it can also affect the legit app creators. SUSE. “The Store provides independent open-source developers an opportunity to create sustainable projects by charging a reasonable amount there.” Microsoft Store is a platform for developers who release open-source apps to collect donations and promote the visibility and accessibility of their apps. However, with the broad, vague policy coming, the said advantage will be stripped away from all developers. “Several projects have benefited from being sold in the Store, not copycats, but the official upstream projects: WinSCP, Krita, more. In addition to hurting them, this could also drive more Store apps to go proprietary,” adds Barnes. This is all true as Microsoft describes some of the apps on the store, such as Paint.NET. In its description, the store notes that by buying “Paint.NET in the Windows Store, you’ll be supporting its development directly (normally we ask for a donation).” Sardo defends the planned change, saying it is only directed toward people who are putting and selling apps they don’t own on the Microsoft Store. We absolutely want to support developers distributing successfully OSS apps,” Sardo writes in a tweet. “In fact, there are already fantastic OSS apps in the Store! The goal of this policy is to protect customers from misleading listings.” Barnes says that he recognized the purpose of the policy change is “intended to thwart copycat open source apps repackaged by third parties and sold at absurd prices.” He adds that he supports removing such apps but expresses dissatisfaction at how it could adversely affect all developers in general. “Microsoft is an excellent open-source ecosystem steward and Microsoft Store policies are significantly better than those of the Apple App Store and Google Play Store for both app developers and consumers,” Barnes notes. “However, I strongly encourage Microsoft to revisit the proposed policy as written because it sweeps in legitimate open-source applications published by the official upstream projects. Revenue from sales in the Store supports independent open-source application developers and sustainable open source projects.” Sardo says he appreciates the feedback and that the company “will review to make sure the intent is clear.” Stay informed and visit OUR FORUM.

In the words of several famous or important people, the time has come again. No, we’re not talking about any blockbuster scenes that are about to happen, just about the latest Windows 10 cumulative update.

Microsoft has released security updates with the June 2022 cumulative Windows Updates to address a critical Windows zero-day vulnerability known as Follina and actively exploited in ongoing attacks. "Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action," Microsoft said in an update to the original advisory. "Microsoft recommends installing the updates as soon as possible," the company further urged customers in a post on the Microsoft Security Response Center. Tracked as CVE-2022-30190, the security flaw is described by Redmond as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug that affects all Windows versions still receiving security updates (i.e., Windows 7+ and Server 2008+). Attackers who successfully exploit this zero-day can execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, and even create new Windows accounts as allowed by the compromised user's rights. As security researcher nao_sec found, Follina exploits allow threat actors to execute malicious PowerShell commands via MSDT in what Redmond describes as Arbitrary Code Execution (ACE) attacks when opening or previewing Word documents. While applying today's updates does not prevent Microsoft Office from automatically loading Windows protocol URI handlers without user interaction, it blocks PowerShell injection and disables this attack vector. The Follina security vulnerability has been exploited in attacks for a while by state-backed and cybercrime threat actors with various end goals. As Proofpoint security researchers revealed, the Chinese TA413 hacking group exploited the bug in attacks targeting the Tibetan diaspora. In contrast, a second state-aligned threat group used it in phishing attacks against US and EU government agencies. Follina is now also being abused by the TA570 Qbot affiliate in ongoing phishing campaigns to infect recipients with Qbot malware. However, the first attacks targeting this zero-day have started in mid-April, with sextortion threats and invitations to Sputnik Radio interviews as baits. In light of Microsoft reporting active exploitation of the bug in the wild, CISA has also urged Windows admins and users to disable the MSDT protocol abused in these attacks. Shadow Chaser Group's CrazymanArmy, the security researcher who reported the zero-day to Microsoft's security team in April, said the company rejected his initial submission as not a "security-related issue." However, according to the researcher, Redmond's engineers later closed the bug submission report with a remote code execution impact. Follow this and more on OUR FORUM.

After 26 years of suffering as a laughingstock on the web, Internet Explorer was finally put to sleep by Microsoft on June 15. Its spirit, nonetheless, will still be felt by many users for the next years to come as its creator decides to continue to support IE mode in Microsoft Edge until 2029. “Internet Explorer’s reputation today is, deservedly, one of a product from an older era—quirky in behavior and lacking the security of a modern browser,” Microsoft Edge Enterprise General Manager Sean Lyndersay says in a eulogy for the browser. “But its contributions to the evolution of the web have been remarkable, from helping to make the web truly interactive with DHTML and AJAX to hardware-accelerated graphics to innovations in touch/pen browsing. Working on the retirement of Internet Explorer has been a constant reminder of its importance; every day we work with customers who have built their businesses on Internet Explorer. Working on a product with such broad impact has been humbling—our story in many ways is the story of the internet and what it has allowed people and organizations around the world to do.” While Windows 11 is already shipping without the Intenet Explorer, the retirement will remove it from every supported version of Windows 10 Home, Pro, Enterprise, Edu, and IoT. Nonetheless, understanding that some businesses and organizations still rely on Internet Explorer, Microsoft promises to provide continuous IE support on specific versions of Windows currently in support and used in critical environments “until they go out of support.” These versions of Windows include in-support Windows 10 LTSC releases (including IoT), all Windows Server versions, Windows 10 China Government Edition, Windows 8.1, and Windows 7 with Extended Security Updates (ESUs). On the other hand, Microsoft underscores that affected users will be guided to a redirection process to its modern browser, Microsoft Edge with IE mode. Included in this transition is allowing the users to import their data (e.g., favorites, passwords, and settings) from Internet Explorer. They can also manage and delete the data in Microsoft Edge from the Settings menu. “Over the next few months, Internet Explorer will progressively redirect users to our new modern browser, Microsoft Edge with IE mode,” explains Lyndersay. “Users will still see the Internet Explorer icon on their devices (such as on the taskbar or in the Start menu) but if they click to open Internet Explorer, Microsoft Edge will open instead with easy access to IE mode.” The reason behind the IE mode, according to Microsoft, is to cater to some websites that only function using Internet Explorer since they are created using older internet technology. When these users visit such websites and they don’t work properly, they can use the “Reload in IE mode” button in Microsoft Edge to resolve the issue. IT professionals managing legacy sites can also automate IE mode, allowing the pages to launch in IE mode automatically for users. For more visit OUR FORUM.

The European Commission is expected to target Facebook parent Meta, Google, Twitter, Microsoft, and TikTok on Thursday with new measures to tackle forms of disinformation, including deepfakes and fake accounts, according to reports from Reuters and the Financial Times. Companies that fail to adhere to the updated regulation could reportedly face hefty fines. The updated version of the EU's anti-disinformation code will reportedly have tech and social media companies share key data with individual countries to help combat disinformation. An updated "code of practice on disinformation" will require tech companies to disclose how harmful content is being removed and blocked. It will also reportedly more clearly lay out examples of harmful content such as deepfakes, which are video forgeries that make people appear to do or say things they never did. The voluntary code was first introduced in 2018 but will become a co-regulation scheme, according to Reuters. Both regulators and signatories will reportedly share responsibility. There will be 30 signatories, including big tech companies and civil society groups, according to the Financial Times. Social media and online tech companies will also reportedly need to do a better job of informing the public about factual sources. This includes developing tools and partnerships with fact-checkers to push back against "harmful disinformation," which may include removing propaganda and adding "indicators of trustworthiness" on independently verified information, according to the Financial Times. The code will be enforced through the Digital Services Act of 2022, a landmark piece of legislation aimed to rein in Big Tech. Companies that break the code could reportedly face fines of up to 6% of their global revenue. Considering companies such as Google parent Alphabet and Meta brought in $257 billion and $117.93 billion in 2021, respectively, 6% would amount to a hefty chunk. Tech companies can't provide a blanket fix for all of Europe, but instead must show, country by country, how they're fighting disinformation. "We know disinformation is different in every country, and the big platforms will now have to provide meaningful data that would allow [us] to understand better the situation on the country level," said Věra Jourová, the EU's vice president for values and transparency, in a statement to the Financial Times. Jourová added that Russian propaganda following the war in Ukraine shaped the updated anti-disinformation code. For more visit OUR FORUM.