RSS aggregator

For August, Patch Tuesday means patch now

Computerworld.com [Hacking News] - 16 August 2024 - 21:01

Microsoft pushed out 90 updates this week in its August Patch Tuesday release, including fixes for five Windows zero-days (CVE-2024-38178, CVE-2024-38193, CVE-2024-38213, CVE-2024-38106, CVE-2024-38107) and one zero-day affecting Office (CVE-2024-38189). 

Unfortunately, this means a “Patch Now” recommendation for both Windows and Microsoft Office this month. Microsoft offered several (pretty useful) mitigations and recommendations to reduce the impact of these security issues; our testing guidance reflects this, with a focus on the networking related features of Windows. 

Minor updates for the Microsoft development platforms can be added to your standard patch release schedule. Microsoft did not release any patches for Microsoft SQL Server or Exchange Server. Adobe Reader updates are back, though we assume these will be included in your Windows desktop Patch Now release cycle. 

The team at Readiness has provided a helpful infographic that outlines the risks associated with each of these updates. (See our running list of recent Patch Tuesday updates here.)

Known issues 

Each month, Microsoft publishes a list of known issues affecting the operating system and platforms included in the latest update cycle, including these two reported minor issues:

  • After installing the Windows update released on or after July 9, 2024, Windows Servers might (intermittently) affect Remote Desktop Connectivity across an organization. This issue might occur if legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. Microsoft is working on a resolution. 
  • There’s an issue where “players” on Arm devices are unable to download and play Roblox via the Microsoft Store on Windows. This might be a good time to “block out” (sorry, not sorry) some time to look at potential compatibility issues on ARM platforms. Don’t forget to try to change your account profile photo — oh, wait!

Major revisions 

This Patch Tuesday saw the following major revisions to past Microsoft security and feature updates, including:

  • CVE-2024-29187: WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM. Microsoft released updates on Tuesday for Microsoft Visual Studio 2017 version 15.9, Microsoft Visual Studio 2019 version 16.11, and Microsoft Visual Studio 2022 to address this GitHub-related issue. 
  • CVE-2024-35058: BitLocker Security Feature Bypass Vulnerability. Microsoft has added a FAQ to explain that because of firmware incompatibility issues, BitLocker would go into recovery mode on some devices; the fix for CVE-2024-38058 has been disabled with the release of this month’s updates. Customers who want to be protected can apply the mitigations described in KB5025885.

Mitigations and workarounds

Microsoft published the following vulnerability-related mitigations for this month’s release cycle:

  • CVE-2024-38199: Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability. Microsoft recommended as part of their mitigation strategy that all corporate users no longer install the LPD utility. Given that this reported vulnerability has been publicly disclosed, the Readiness team highly recommends a scan of your environment to ensure that this service is not running (and preferably not installed).
  • CVE-2024-38159 and CVE-2024-38160: Windows Network Virtualization Remote Code Execution Vulnerability. To reduce exposure to this vulnerability, Microsoft recommends that Hyper-V be disabled on the target machine. 
  • CVE-2024-38140: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability. Microsoft offers solid advice here. This vulnerability is only exploitable if there is a program listening on a Pragmatic General Multicast (PGM) port. If PGM is installed or enabled, but no programs are actively listening, this vulnerability is not exploitable. 
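The three mitigations above all reduce to a question an administrator can answer on each host: is the LPD service present or running, is the PGM (RMCAST) driver loaded, and is Hyper-V enabled. The following read-only inventory script is an added example written for this page; it is not code from Microsoft, Computerworld or the Readiness team. It assumes the service and feature names shown in the comments (LPDSVC, LPDPrintService, RMCAST, Microsoft-Hyper-V-All), which you should confirm against your own Windows build, and it must be run from an elevated PowerShell session because Get-WindowsOptionalFeature requires administrator rights.

```powershell
# Added example (not from the article): read-only inventory of the Windows
# components named in this month's mitigation guidance, run on one host.
# Assumed identifiers: LPD service 'LPDSVC', LPD optional feature
# 'LPDPrintService', Reliable Multicast (PGM) driver 'RMCAST', and the
# Hyper-V feature 'Microsoft-Hyper-V-All'. Verify them before relying on
# the output. Requires an elevated session.

function Get-PatchTuesdayExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # CVE-2024-38199: the guidance is that LPD is neither running nor installed.
    $lpdSvc = Get-Service -Name 'LPDSVC' -ErrorAction SilentlyContinue
    $result['LpdServiceState'] = if ($lpdSvc) { $lpdSvc.Status.ToString() } else { 'NotPresent' }

    $lpdFeature = Get-WindowsOptionalFeature -Online -FeatureName 'LPDPrintService' -ErrorAction SilentlyContinue
    $result['LpdFeatureState'] = if ($lpdFeature) { $lpdFeature.State.ToString() } else { 'Unknown' }

    # CVE-2024-38140: RMCAST matters only if the PGM driver is loaded and
    # something is listening; this reports the driver state as the first gate.
    $rmcast = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    $result['RmcastDriverState'] = if ($rmcast) { $rmcast.State } else { 'NotPresent' }

    # CVE-2024-38159 / CVE-2024-38160: Microsoft suggests disabling Hyper-V
    # on exposed machines, so report whether the feature is enabled.
    $hv = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue
    $result['HyperVState'] = if ($hv) { $hv.State.ToString() } else { 'Unknown' }

    # Turn the raw states into findings that contradict the guidance, so the
    # report is actionable rather than a list of values.
    $findings = @()
    if ($result['LpdServiceState'] -eq 'Running')   { $findings += 'LPD service is running' }
    if ($result['LpdFeatureState'] -eq 'Enabled')   { $findings += 'LPD feature is installed' }
    if ($result['RmcastDriverState'] -eq 'Running') { $findings += 'PGM (RMCAST) driver is loaded; check for listening programs' }
    if ($result['HyperVState'] -eq 'Enabled')       { $findings += 'Hyper-V is enabled' }
    $result['Findings'] = $findings

    [pscustomobject]$result
}

Get-PatchTuesdayExposure | Format-List
```

For a fleet-wide scan, wrap the function in Invoke-Command against a list of hosts and collect the Findings property; the script only reads state, so it is safe to run before the update window. The RMCAST check is deliberately conservative: it reports the driver as loaded even when no program is listening on a PGM port, because the listener check is what decides exploitability and deserves a manual look rather than an automated pass.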

Each month, the team at Readiness analyses the latest updates and provides detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the patches and their potential impact on Windows and application installations. We have grouped the critical updates and required testing efforts into separate product and functional areas, including:

Microsoft Office

Due to the changes to Microsoft Outlook and .NET components, we recommend a full test of sending/receiving mails with HTML content.

Microsoft .NET and developer tools

Microsoft updated both Microsoft .NET (Version 8) and Visual Studio 2022 with the following testing recommendations

Windows

With the release of the Windows updates, Microsoft put a real focus on securing Windows networking features with updates to core system files such as AFD.SYS; these will require the following testing:

  • Network packets: try using a web browser to download and upload large files from both internal and external websites. Multicast senders will require validation on packet returns.
  • Network sockets: check that bind, connect and listen functions work as expected. Close socket functions will require testing this month, as well.
  • Smartcards: full logon/logoff testing will be required.
  • Network Bridges: This update will require testing across two or more network adapters. Try creating a bridge using IPv6 packets.
  • Bluetooth: Sending files across two Bluetooth adapters will require testing.
  • DNS: Recursive DNS queries will require a basic test. Have a look for any SERVFAIL returns or time-outs. We also suggest trying NETSH to configure proxy settings. 
  • Remote Desktop: Test remote configurations on RRAS platforms while using copy/paste functions over a VPN.

In addition to these networking-focused changes, Microsoft updated core features in the Windows desktop and server platforms, including:

  • Windows Error logs: a complete CRUD test (create, read, update and delete) will be required for Windows log files.
  • Kerberos: Logon and certificate workflows will require validation.
  • Codec and camera updates will require a basic test of camera (both still and video) features.
  • Hyper-V: With only minor changes to the Microsoft Hyper-V platform, a basic VM startup and shut-down test is recommended.

Microsoft made a number of significant changes to the Windows file system (NTFS) with changes to both the NtQueryEaFile and NtSetEaFile APIs. Unfortunately, a significant testing cycle is required that should include large file CRUD file tests — and remember to include a query component. The Readiness team suggests that a PowerShell test be included to assist with “pacing” rapid changes to the Windows file system.

Given recent challenges with CrowdStrike and BitLocker, Microsoft published changes that will require testing of the Microsoft BitLocker recovery environment.

Windows lifecycle update (now including enforcements)

This section contains important changes to servicing, significant feature deprecations and security-related enforcements across the Windows desktop and server platforms.

  • Enforcements: Now that we are past the July 2024 deadline for the enforcement phase, the Windows certificate “Windows Production PCA 2011” will be automatically revoked.
  • Lifecycle: Both Windows 11 Enterprise, Versions 21H2 and 22H2, have an end of servicing date of Oct. 8.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

  • Browsers (Microsoft IE and Edge).
  • Microsoft Windows (both desktop and server).
  • Microsoft Office.
  • Microsoft Exchange Server.
  • Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
  • Adobe (if you get this far).

Browsers

Microsoft released 11 updates to the Edge browser platform. These low-profile changes have been rated as either important or moderate, reflecting their lower security and deployment risks. We recommend following the stable channel release of Microsoft Edge, as there will be mid-cycle releases at the end of this month. Add these browser updates to your standard release schedule.

Windows

Microsoft has released six updates rated critical and 60 rated important, including five zero-day patches (as already noted: CVE-2024-38178, CVE-2024-38193, CVE-2024-38213, CVE-2024-38106, and CVE-2024-38107).

In addition to these updates, Microsoft released patches that affect the following Windows feature groups:

  • Windows DNS, broadband, routing, translation and multicast networking features.
  • Kernel mode and system drivers.
  • Line printer services (daemon).
  • Windows OLE.
  • Windows Kerberos.

Given the larger (and somewhat concerning) number of exploited and publicly disclosed vulnerabilities this month, we again recommend a “Patch Now” schedule for this update.

Microsoft Office 

Microsoft returns to form with one critical rated update to Copilot (CVE-2024-38206) and nine other updates to the Microsoft Office suite, all rated important. Unfortunately, one of the vulnerabilities (CVE-2024-38189) that affects the entire Office platform has been reported as exploited. Add Microsoft Office to the Patch Now release schedule.

Microsoft SQL (nee Exchange) Server 

Good news: no updates or patches for either SQL Server or Exchange Server. 

Microsoft development platforms 

Microsoft released four low-profile updates to the Microsoft .NET and Visual Studio 2022 platforms. We do not expect serious testing requirements for these lesser reported vulnerabilities. Add these updates to your standard developer release schedule.

Adobe Reader (and other third-party updates) 

Adobe Reader is back in the game with an important update, APSB24-57, which has addressed 12 memory and “use after free” (my favorite) security vulnerabilities; it can be added to your Windows update cycle. 

Category: Hacking & Security

Review of Darkest Dungeon 2. A roguelite adventure on the brink of madness

Živě.cz - 16 August 2024 - 20:15
If you are looking for an excellent turn-based RPG in the roguelite style, Darkest Dungeon 2 is an outstanding choice. It originally came out on PC back in May 2023 and is only now arriving on consoles, and I could not miss this brutally difficult but absorbing title with its gorgeous art style. The advantage is that knowledge of ...
Category: IT News

Intel has more lives than a cat. Problems are piling up, but it will pull through (Živě Podcast)

Živě.cz - 16 August 2024 - 18:45
AMD was floundering in trouble until, in 2017, it caught Intel off guard with the Zen processor architecture. Intel could use a similar boost, because right now it is pushing sixty and sits on the edge of profitability. Management has understood the situation and is preparing a sweeping restructuring. At least 15 thousand people will lose their jobs and ...
Category: IT News

Attackers Exploit Public .env Files to Breach Cloud Accounts in Extortion Campaign

The Hacker News - 16 August 2024 - 18:30
A large-scale extortion campaign has compromised various organizations by taking advantage of publicly accessible environment variable files (.env) that contain credentials associated with cloud and social media applications. "Multiple security missteps were present in the course of this campaign, including the following: Exposing environment variables, using long-lived credentials, and absence
Category: Hacking & Security

Germany’s BSI guns for better tech security

Computerworld.com [Hacking News] - 16 August 2024 - 17:48

Every business using tech (which means every business) should now hope that the days of insecure platform design are numbered, as one of the most powerful cybersecurity agencies on the planet steps into the ring to demand tougher security.

Following the financial disaster of the Microsoft/CrowdStrike debacle, the BSI — Germany’s Federal Office for Information Security — is demanding that tech firms take swift steps to secure their products and prevent a repeat meltdown. 

No more designer insecurity

The BSI is summoning Big Tech companies to a conference later this year and will be pushing for kernel access to be restricted or abandoned. That’s almost certainly going to mean Microsoft will need to cease allowing kernel access in Windows, just as Apple already did years ago. What Apple understood is that the risks of providing such access are too high and the consequences too great.

While many in the industry seem to think it’s normal for a computer outage to generate billions of dollars of damage to global systems and businesses, those outside that bubble disagree. That’s why Apple doesn’t do that.

There is another way

Apple’s approach to platform security isn’t foolproof. Security is ephemeral; delivering it is an eternal dance — and sometimes errors take place.  But, at least in Apple’s case, it is an ongoing investment characterized by a high degree of proactive protection. Apple’s security teams identified the risks of kernel access and got rid of it — not without opposition. 

(Microsoft has claimed it can’t follow suit because of a 2009 agreement with the European Commission, but perhaps it could already have argued for the need to do so. I don’t know if it did.)

Chalk and cheese, and it goes way back

The difference between these approaches is not new. Think back to the early days of Mac OS X, when Apple introduced a virus-safe browser called Safari even when other browsers remained full of security flaws. I won’t say who made the dominant browser then, but you might be able to guess where that insecurity by design came from. Watch this 2006 ad for some insight into this continued commitment to platform insecurity. 

It’s a commitment that seems to extend to the present day, given the TCO costs in terms of security and tech support when you compare Apple to Windows. (The University of Kentucky recently claimed its move to Apple devices cut IT costs by 50%.)

Perhaps it is unfair to expect Microsoft, still the world’s most widely used computing platform, to match Apple on security.

The argument is growing

Apple’s success in creating platforms developers can use while eradicating kernel access shows that it’s possible to create a secure platform without leaving the very heart of that platform exposed. The powerful cybersecurity regulator thinks so, too. 

Not only does BSI want Microsoft to take urgent steps to secure its platforms (which it should have done years ago), but it also wants security firms such as CrowdStrike to redesign their tools to make such access unnecessary.

CrowdStrike, however, has argued that products like firmware analysis or device control “would not be possible” without it. The regulator doesn’t agree, telling the WSJ that it is, “positive that robust technical solutions which also respect EU regulation can be found for the problem at hand.”

Financial liability

The nature of regulation is that events take time to unfold. But it seems clear one approach that would help focus the mind of tech firms would be to make them financially responsible for outages of this kind. 

We know business lost billions as a result of the CrowdStrike/Microsoft debacle; we also know the terms and conditions of the user agreements forced on those customers mean they’ll get little or none of that lost money back.

How does that lack of liability foster a security-first culture? Why bother being proactive about security if you face no consequences for your own failure?

Ensuring every tech firm delivers solutions at least as secure and reliable as Apple’s has to be the goal of any regulation. It seems to me that making tech firms financially responsible for such errors should help make that happen. 

Of course, that means waiting for action. What if you can’t wait that long? 

There is an alternative

For many in business making purchasing decisions today, there is another approach: deploy Apple products, just like the German government has. After all, as well as plenty of solutions to help integrate those products into existing Microsoft infrastructure, the platform has a now-decades-long track record for better security, regular updates, hardware-based encryption and data protection that is second to none in the business. 

More from Jonny Evans

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Category: Hacking & Security

Windows 11 will encrypt storage automatically. Computers will be safer, but slower

Zive.cz - security - 16 August 2024 - 17:15
Windows 11 24H2 will turn on storage encryption automatically • Microsoft is lowering the requirements a computer must meet • Encryption protects your data from snoops, but slows the computer down
Category: Hacking & Security

Windows 11 will encrypt storage automatically. Computers will be safer, but slower

Živě.cz - 16 August 2024 - 17:15
Windows 11 24H2 will turn on storage encryption automatically • Microsoft is lowering the requirements a computer must meet • Encryption protects your data from snoops, but slows the computer down
Category: IT News

Navigating the future of cybersecurity

The Register - Anti-Virus - 16 August 2024 - 17:02
Take a deep dive into the world of emerging cyber threats and defense strategies with Cloudflare

Webinar: In a world where cyber threats are continually evolving, staying informed is critical for IT and security professionals.…

Category: Viruses & Worms

Debian celebrates 31 years

AbcLinuxu [news] - 16 August 2024 - 16:46
Debian celebrates 31 years. Ian Murdock announced the release of "Debian Linux Release" on 16 August 1993.
Category: GNU/Linux & BSD

The first smartphone turns 30. Some of its tricks are still in use today

Živě.cz - 16 August 2024 - 16:45
It could do incredible things and was not expensive, yet it did not make a splash • Simon had features that modern smartphones still use today • It went on sale in the summer of 1994, that is, 30 years ago
Category: IT News

Epic Games Store now on Android and iOS

AbcLinuxu [news] - 16 August 2024 - 16:29
The Epic Games Store game shop is available on Android and iOS. On Android worldwide, on iOS only in the European Union.
Category: GNU/Linux & BSD

Russian Hacker Jailed 3+ Years for Selling Stolen Credentials on Dark Web

The Hacker News - 16 August 2024 - 16:25
A 27-year-old Russian national has been sentenced to over three years in prison in the U.S. for peddling financial information, login credentials, and other personally identifying information (PII) on a now-defunct dark web marketplace called Slilpp. Georgy Kavzharadze, 27, of Moscow, Russia, pleaded guilty to one count of conspiracy to commit bank fraud and wire fraud earlier this February. In
Category: Hacking & Security

Review of Alien: Romulus. For fans it mixes the best, but it is not a breathtaking horror

Živě.cz - 16 August 2024 - 16:15
Alien: Romulus (Vetřelec: Romulus) is among the most anticipated films of the year for fans of horror and of the iconic franchise. The aftertaste of Ridley Scott's recent would-be philosophical experiments was bitter, but from the many reactions, excellent trailers and the director's honest approach it seemed that ...
Category: IT News

Texas Instruments will receive a $1.6 billion grant to fund semiconductor manufacturing in Texas and Utah

AbcLinuxu [news] - 16 August 2024 - 15:57
Texas Instruments will receive a $1.6 billion grant from the U.S. government under the CHIPS Act to fund semiconductor manufacturing in Texas and Utah.
Category: GNU/Linux & BSD

Prices of EV batteries have fallen an incredible 90% since 2008. Now that may pause for a while

Živě.cz - 16 August 2024 - 15:45
Batteries are one of the most expensive components of new electric cars and thus significantly affect their purchase price. Although the cost of producing them is still fairly high, recent years have seen a dramatic decline. The latest data show that batteries today cost only a fraction of what ...
Category: IT News

Russian Hackers Using Fake Brand Sites to Spread DanaBot and StealC Malware

The Hacker News - 16 August 2024 - 15:08
Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC. The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the
Category: Hacking & Security
