Sep 14 2021

Apple products vulnerable to FORCEDENTRY zero-day attack – patch now!

Category: Zero dayDISC @ 9:41 am
Apple products vulnerable to FORCEDENTRY zero-day attack – patch now!

You know what we’re going to say, so we’ll say it right away.

Patch early, patch often.

Canadian privacy and cybersecurity activist group The Citizen Lab just announced a zero-day security hole in Apple’s iPhone, iPad and Macintosh operating systems.

They’ve given the attack the nickname FORCEDENTRY, for rather obvious reasons, though its official designation is CVE-2021-30860.

Citizen Lab has attributed the vulnerability, and the code that exploits it, to controversial device surveillance company NSO Group, already well-known for its so-called Pegasus line of spyware-like products.

According to Citizen Lab, this exploit relies on booby-trapped PDF files, and was spotted in the wild when a Saudi Arabian activist handed over their phone for analysis after suspecting that spyware had somehow been implanted on the device.

The Citizen Lab report coincides with Apple’s own security bulletin HT21807, which credits Citizen Lab for reporting the hole, and says simply:

Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. […] An integer overflow was addressed with improved input validation.

The problem with integers

The Art of Mac Malware: The Guide to Analyzing Malicious Software

Tags: Apple products, FORCEDENTRY zero-day

Sep 13 2021

Designing Contact-Tracing Apps

Category: Information Privacy,Information SecurityDISC @ 9:45 pm
Designing Contact-Tracing Apps

Also see her excellent book on the topic.

Tags: Contact-Tracing Apps

Sep 13 2021

Mobile app creation: Why data privacy and compliance should be at the forefront

Category: App Security,Mobile SecurityDISC @ 9:44 am
Mobile app creation: Why data privacy and compliance should be at the forefront

A user’s personal data can be anything from their user name and email address to their telephone name and physical address. Less obvious forms of sensitive data include IP addresses, log data and any information gathered through cookies, as well as users’ biometric data.

Any business whose mobile app collects personal information from users is required to have a Privacy Policy. Regardless of app geography or business domain, there are mandatory regulations such as the GDPR, the CCPA, and the PDPA, as well as Apple, Google and Android guidelines that ensure accountability and user data privacy. Some apps do not directly collect personal data but instead use a third-party tool like Google Analytics – they, too, need a Privacy Policy.

Data privacy and security and the mobile app creation process

Xamarin in Action: Creating native cross-platform mobile apps

Tags: Mobile app

Sep 10 2021

Digital Driver’s Licenses: Unintended Consequences

Category: Information Privacy,Information SecurityDISC @ 10:15 pm
Digital Driver’s Licenses: Unintended Consequences

Maryland recently joined seven other U.S. states to permit users to carry “digital driver’s licenses.” Under the program—which initially will work with Apple devices like iPhones—users can download a digital credential—a digital driver’s license—to their phones. The digital ID would be carried in the Apple digital wallet in much the same way as a regular ID is carried in a regular wallet. The digital driver’s license is based on the International Standards Organization (ISO) standard which is described more fully here.

Obviously, there are issues here related to the security of the credential, the degree of authentication necessary to obtain the credential, whether the credential can be simultaneously loaded into multiple devices and whether I can “loan” my driver’s license to my identical twin brother (yes, I have an identical twin brother). Moreover, for the credential to be meaningful, it must permit both local and connected validation—that is, a police officer needs to be able to check to see if you have an apparently valid ID at the scene of a violation or accident without access to online verification and they must also be able to validate the ID against some online database. In addition, we need to decide who has access to the digital validation protocols—police and other traffic enforcement officials? TSA or transportation security officials? The dude at the front desk of the office building? The bouncer at the bar? The server serving alcohol? The resident associate (RA) checking people in at the college dorm? Are there any controls on who can access these credential validation services and for what purpose? A digital credential is much easier to spoof (simply do a screenshot) if there is no ability to validate online. Moreover, the validation must be robust enough to work reasonably well offline—things like a photo ID, a watermark, etc. You know, all the stuff we put on the “real ID” driver’s license.

digital ID driver's license personal data

Digital Driver’s Licenses: Unintended Consequences

Tags: Digital Driver’s Licenses

Sep 10 2021

How getting a CISSP can change the course of a career

Category: CISSPDISC @ 11:53 am
How getting a CISSP can change the course of a career

Technical certifications are increasingly in demand with 87% of IT employees possessing at least one and 40% pursuing their next, according to Questionmark. Despite cybersecurity pros being more likely to have earned vendor-specific credentials, they think job pursuers should focus more on getting vendor-neutral ones.

In this interview with Help Net Security, May (Maytal) Brooks-Kempler, CEO at Helena, talks about her CISSP journey. Seven years ago she passed the CISSP exam, and today she teaches a CISSP course based on materials she co-authored.

Certified Information Systems Security Professional (CISSP) training course

If you’re building a career in information security the Certified Information Systems Security Professional (CISSP) is the must-have qualification to help you progress. It is a globally recognized standard that demonstrates your competence as an IT professional.

This course will prepare you with the knowledge and skills to complete the CISSP exam, which will get you Certified Information Systems Security Professional status. professional. Covering topics including cloud computing, mobile security, application development security, and risk management, you will gain the knowledge to best manage information security issues back in your organization.

Certified Information Systems Security Professional (CISSP) training course

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle 3rd Edition

Tags: CISSP

Sep 10 2021

ProtonMail Now Keeps IP Logs

Category: Email SecurityDISC @ 9:51 am
ProtonMail Now Keeps IP Logs

ProtonMail Amends Its Policy After Giving Up an Activist’s Data

ProtonMail Forced to Log IP Address of French Activist

Tags: ProtonMail

Sep 09 2021

50 Key Stats About Freedom of the Internet Around the World

Category: Information Privacy,Security and privacy LawDISC @ 11:15 am

50 Key Stats About Freedom of the Internet Around the World

Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.

Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.

Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.

To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:

Digital Rights

Freedom of Information

Right to Internet Access

Freedom from Internet Censorship

Net Neutrality

The Bottom Line

Freedom and the Future of the Internet

Tags: Freedom of the Internet

Sep 08 2021

Windows zero-day MSHTML attack

Category: Windows Security,Zero dayDISC @ 9:51 am
Windows zero-day MSHTML attack – how not to get booby trapped!

Details are scarce so far, but Microsoft is warning Office users about a bug that’s dubbed 

CVE-2021-40444
, and described as Microsoft MSHTML Remote Code Execution Vulnerability.

The bug doesn’t have a patch yet, so it’s what’s known as a zero-day, shorthand for “the Good Guys were zero days ahead of the Bad Guys with a patch for this vulnerability.”

In other words: the crooks got there first.

As far as we can tell, the treachery works like this:

  1. You open a booby-trapped Office file from the internet, either via an email attachment or by downloading a document from a criminal-controlled web link.
  2. The document includes an ActiveX control (embedded add-on code) that ought not to have unrestricted access to your computer.
  3. The ActiveX code activates the Windows MSHTML component, used for viewing web pages, exploits a bug in it to give itself the same level of control that you yourself would have right from the Windows desktop, and uses it to implant malware of the attacker’s choice.

MSHTML isn’t a full-on browser, like Internet Explorer or Edge, but is a part of the operating system that can be used to create browsers or browser-like applications that need or want to display HTML files.

Even though HTML is most closely associated with web browsing, many apps other than browsers find it useful to be able to render and display web content, for example as a convenient and good-looking way to present documentation and help files, or to let users fill in and submit support tickets.

This “stripped down minibrowser” concept can be found not only on Windows but also on Google’s Android and Apple’s iOS, where the components Blink and WebKit respectively provide the same sort of functionality as MSHTML on Microsoft platforms. Mozilla products such as Firefox and Thunderbird are based on a similar idea, known as Gecko. On iOS, interestingly, Apple not only uses WebKit as the core of its own browser, Safari, but also mandates the use of WebKit in browsers or browser-like apps from all other vendors. That’s why Firefox on iOS is the only version of that product that doesn’t include Gecko -it has no choice but to use WebKit instead.

how not to get booby trapped!

Tags: MSHTML attack

Sep 07 2021

Securing your WordPress website against ransomware attacks

Category: Information SecurityDISC @ 9:10 pm
Securing your WordPress website against ransomware attacks

There are analysts around the globe who are continually being jolted awake in the middle of the night to respond to ransomware attacks. Because WordPress is the market share leader (39.5% of all websites are powered by WordPress; that number jumps to 64.1% for content management systems), my team of SOC analysts aren’t strangers to responding to WordPress security issues. The one lesson we’ve learned time and time again: Preventative security measures are the most effective steps you can take against ransomware attacks.

For businesses currently on the WordPress platform, we’ve put together five easy-to-follow tips:

Sep 07 2021

Poisoned proxy PACs! The NPM package with a network-wide security hole

Category: Network securityDISC @ 9:24 am
Poisoned proxy PACs! The NPM package with a network-wide security hole…

Not long ago, independent software developer Tim Perry, creator of the HTTP Toolkit for intercepting and debugging web traffic…

…decided to add proxy support to his product, which, like lots of software these days, is written using Node.js.

ICYMI, Node.js is the project that took the JavaScript language out of your browser and turned it into a full-blown application development system in its own right, a bit like Java (which is unrelated to JavaScript, by the way, for all that the names sound similar).

As well as the JavaScript core, which uses the V8 JavaScript engine from Google’s Chromium project, Node.js sofware typically also relies on NPM, the Node package manager, and the NPM registry, a truly enormous repository of open-source Node tools and programming libraries.

The NPM registry runs from basic text formatting to full-on facial recognition, and almost everything in between.

Instead of writing all, of the code in your project yourself, or even most of it, you simply reference the add-on packages you want to use, and NPM will fetch them for you, along with any additional packages that your chosen package needs…

…and all the packages that those packages need, following the turtles packages all the way down until every piece of add-on code needed to complete the jigsaw has been located and installed automatically.

Poisoned proxy PACs! The NPM package with a network-wide security hole…

Tags: security hole

Sep 05 2021

Pwned! The home security system that can be hacked with your email address

Category: Hacking,Security BreachDISC @ 12:31 pm
Pwned! The home security system that can be hacked with your email address

A researcher at vulnerability and red-team company Rapid7 recently uncovered a pair of risky security bugs in a digital home security product.

The first bug, reported back in May 2021 and dubbed CVE-2021-39276, means that an attacker who knows the email address against which you registered your product can effectively use your email as a password to issue commands to the system, including turning the entire alarm off.

The affected product comes from the company Fortress Security Store, which sells two branded home security setups, the entry-level S03 Wifi Security System, which starts at $130, and the more expensive S6 Titan 3G/4G WiFi Security System, starting at $250.

The intrepid reseacher, Arvind Vishwakarma, acquired an S03 starter system, which includes a control panel, remote control fobs, a door or window sensor, a motion detector, and an indoor siren.

(The company also sells additional fobs and sensors, outdoor sirens, which are presumably louder, and “pet-immune” motion detectors, which we assume are less sensitive than the regular ones.)

Unfortunately, it didn’t take much for Vishwakarma to compromise the system, and figure out how to control it without authorisation, both locally and remotely.

Pwned! The home security system

Life Hacks: DIY Home Camera Security System: Protect Your Property for FREE

Life Hacks: DIY Home Camera Security System: Protect Your Property for FREE by [Tam S.]

Tags: home security system, Pwned

Sep 04 2021

JAPANESE ROCKET ENGINE EXPLODES: CONTINUOUSLY AND ON PURPOSE

Category: Cyber resilienceDISC @ 4:01 pm
Japanese Rocket Engine Explodes: Continuously and On Purpose

Liquid-fuelled rocket engine design has largely followed a simple template since the development of the German V-2 rocket in the middle of World War 2. Propellant and oxidizer are mixed in a combustion chamber, creating a mixture of hot gases at high pressure that very much wish to leave out the back of the rocket, generating thrust.

However, the Japan Aerospace Exploration Agency (JAXA) has recently completed a successful test of a different type of rocket, known as a rotating detonation engine. The engine relies on an entirely different method of combustion, with the aim to produce more thrust from less fuel. We’ll dive into how it works, and how the Japanese test bodes for the future of this technology.

DEFLAGRATION VS. DETONATION

Humans love combusting fuels in order to do useful work. Thus far in our history, whether we look at steam engines, gasoline engines, or even rocket engines, all these technologies have had one thing in common: they all rely on fuel that burns in a deflagration. It’s the easily controlled manner of slow combustion that we’re all familiar with since we started sitting around campfires.

Tags: DEFLAGRATION VS. DETONATION

Sep 03 2021

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Category: Email SecurityDISC @ 12:01 pm

Here’s the story of a cybercrime group that compromises up to 100,000 email inboxes per day, and apparently does little else with this access except siphon gift card and customer loyalty program data that can be resold online.

The data in this story come from a trusted source in the security industry who has visibility into a network of hacked machines that fraudsters in just about every corner of the Internet are using to anonymize their malicious Web traffic. For the past three years, the source — we’ll call him “Bill” to preserve his requested anonymity — has been watching one group of threat actors that is mass-testing millions of usernames and passwords against the world’s major email providers each day.

Bill said he’s not sure where the passwords are coming from, but he assumes they are tied to various databases for compromised websites that get posted to password cracking and hacking forums on a regular basis. Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials.

In about half the cases the credentials are being checked via “IMAP,” which is an email standard used by email software clients like Mozilla’s Thunderbird and Microsoft Outlook. With his visibility into the proxy network, Bill can see whether or not an authentication attempt succeeds based on the network response from the email provider (e.g. mail server responds “OK” = successful access).

You might think that whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts. But based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in and search each inbox for digital items of value that can easily be resold.

And they seem particularly focused on stealing gift card data.

“Sometimes they’ll log in as much as two to three times a week for months at a time,” Bill said. “These guys are looking for low-hanging fruit — basically cash in your inbox. Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value.”

Source: Gift Card Gang Extracts Cash From 100k Inboxes Daily

DISC InfoSec Shop (tools and training)

DISC Infosec Books shop

Tags: Gift Card Gang

Sep 03 2021

New BrakTooth flaws potentially impact millions of Bluetooth-enabled devices

Category: cyber security,Information Security,Laptop Security,Wi-Fi Security,Windows SecurityDISC @ 9:35 am
New BrakTooth flaws potentially impact millions of Bluetooth-enabled devices

Security flaws in commercial Bluetooth stacks dubbed BrakTooth can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.

A set of 16 security flaws in commercial Bluetooth stacks, collectively tracked as BrakTooth, can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.

The issues were discovered by the ASSET (Automated Systems SEcuriTy) Research Group from the Singapore University of Technology and Design (SUTD), their name comes from the Norwegian word “Brak” which translates to ‘crash’.

The BrakTooth flaws impact 13 Bluetooth chipsets from 11 vendors, including Intel, Qualcomm, and Texas Instruments, experts estimated that more than 1,400 commercial products may be impacted.

As of today, the researchers discovered 16 security vulnerabilities, with 20 common vulnerability exposures (CVEs) already assigned and four vulnerabilities are pending CVE assignment from Intel and Qualcomm.

“we disclose BrakTooth, a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs.” reads the post published by the researchers. “All the vulnerabilities are already reported to the respective vendors, with several vulnerabilities already patched and the rest being in the process of replication and patching. Moreover, four of the BrakTooth vulnerabilities have received bug bounty from Espressif System and Xiaomi. “

The attack scenario tested by the experts only requires a cheap ESP32 development kit (ESP-WROVER-KIT) with a custom (non-compliant) LMP firmware and a PC to run the PoC tool they developed. The tool communicates with the ESP32 board via serial port (/dev/ttyUSB1) and launches the attacks targeting the BDAddress (<target bdaddr>) using the specific exploit (<exploit_name>).

The ASSET group has released the PoC tool to allow vendors to test their devices against the vulnerabilities

braktooth

Guide to Bluetooth Security: Recommendations of the National Institute of Standards and Technology (Special Publication 800-121 Revision 1)

Tags: Bluetooth security

Sep 02 2021

Zero-Click iPhone Exploits

Category: Smart PhoneDISC @ 2:31 pm
Zero-Click iPhone Exploits

IT’S A SHOCKING revelation: The Bahraini government allegedly purchased and deployed sophisticated malware against human rights activists, including spyware that required no interaction from the victim—no clicked links, no permissions granted—to take hold on their iPhones. But as disturbing as this week’s report from the University of Toronto’s Citizen Lab may be, it’s also increasingly familiar.

These “zero-click” attacks can happen on any platform, but a string of high-profile hacks show that attackers have homed in on weaknesses in Apple’s iMessage service to execute them. Security researchers say the company’s efforts to resolve the issue haven’t been working—and that there are other steps the company could take to protect its most at-risk users.

Interactionless attacks against current versions of iOS are still extremely rare, and almost exclusively used against a small population of high-profile targets around the world. In other words, the average iPhone owner is very unlikely to encounter them. But the Bahrain incident shows that Apple’s efforts to defuse iMessage risks for its most vulnerable users have not fully succeeded. The question now is how far the company is willing to go to make its messaging platform less of a liability.

“It’s frustrating to think that there is still this un-deletable app on iOS that can accept data and messages from anyone,” says longtime macOS and iOS security researcher Patrick Wardle. “If somebody has a zero-click iMessage exploit, they can just send it from anywhere in the world at any time and hit you.”

The Stealthy iPhone Hacks That Apple Still Can’t Stop

After another “zero-click” attack, security experts say it’s time for more extreme measures to keep iMessage users safe.

Tags: exploits, iPhone, NSO Group, zero click

Sep 02 2021

DoJ Launches Cybersecurity Fellowship Program as Threats Rise

Category: cyber security,Cyber StrategyDISC @ 9:35 am
DoJ Launches Cybersecurity Fellowship Program as Threats Rise

The U.S. Department of Justice (DoJ) announced the creation of a cybersecurity fellowship program that will train prosecutors and attorneys to handle emerging national cybersecurity threats.

Fellows in the three-year Cyber Fellowship program will investigate and prosecute state-sponsored cybersecurity threats, transnational criminal groups, infrastructure and ransomware attacks and the use of cryptocurrency and money laundering to finance and profit from cybercrimes.

Cyber Fellowship Program

The program will train selected attorneys to deal with emerging cybercriminal threats and the ability to secure a top-secret security clearance is a prerequisite. All participants will be based in the Washington, D.C. area.

As part of the fellowship, participants will rotate through the multiple departments charged with protecting the country from cybersecurity threats, including the Criminal Division, the National Security Division and the U.S. Attorneys’ Offices.

The program is coordinated through the Criminal Division’s Computer Crime and Intellectual Property Section and the creation of the Fellowship is the result of a recommendation from the department’s ongoing comprehensive cybersecurity review, which was ordered by Deputy Attorney General Lisa Monaco in May 2021.

fellowship web app election security government

Enhancing Efforts Against Cybersecurity Threats

Tags: Cybersecurity Fellowship Program

Sep 01 2021

Threats Grow as Digital Wallets Gain Popularity

Category: Crypto,Cyber ThreatsDISC @ 11:35 am
Threats Grow as Digital Wallets Gain Popularity

The pandemic, as well as users’ personal preferences, have helped enable the rapid emergence of digital payment applications and digital wallets, which compete with credit cards and cash as preferred payment options.

The growing popularity of digital wallets such as Google Pay, Samsung Pay and Apple Pay is making them a bigger target for malicious actors, according to a report from security analytics software specialist Cognyte.

The study, which collected and analyzed threat actors’ conversations about digital wallets from 2016 through 2020, found the number of threat actors’ interactions around the topic almost doubled from 2017 to 2018.

By 2019, this number grew by 456%, reaching 31,878 interactions and by 2020 it grew by another 292%, reaching 96,363 interactions.

Increase in Popularity and Threats

Next Generation Crypto Hardware Wallet

Trezor Model T - Next Generation Crypto Hardware Wallet with LCD Color Touchscreen and USB-C, Store your Bitcoin, Ethereum, ERC20 and more with Total Security

Tags: Digital Wallets

Sep 01 2021

Feds Warn of Ransomware Attacks Ahead of Labor Day

Category: Information Security,RansomwareDISC @ 11:12 am

Feds Warn of Ransomware Attacks Ahead of Labor Day

Though lots of people might be taking some time off over the Labor Day weekend, threat actors likely won’t — which means organizations should remain particularly vigilante about the potential for ransomware attacks, the federal government has warned.

Citing historical precedence, the FBI and CISA put out a joint cybersecurity advisory (PDF) Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity.

While the agencies said they haven’t discovered “any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday,” they are working on the idea that it’s better to be safe than sorry given that some major cyber-attacks have occurred over holidays and weekends during the past few months.

Indeed, attackers recently have taken advantage of the fact that many extend holiday weekends to four days or more, leaving a skeleton crew behind to oversee IT and network infrastructure and security, security professionals observed.

“Modern cyber criminals use some pretty sneaky tactics to maximize the damage and collect the most money per attack,” noted Erich Kron, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.

Because organizations are generally short-staffed over holiday weekends, the swiftness with which they can respond to attacks that occur during these times “will be impacted,” he said.

That’s mainly because the absence of key personnel make it less likely that organizations that are targeted can quickly detect and contain attacks once launched, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.

“This additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to,” he said in an email to Threatpost.

History of Holiday Attacks

The Ransomware Threat Landscape: Prepare for, recognize and survive ransomware attacks

Tags: Labor Day, ransomware attacks, Ransomware Threat

Aug 31 2021

Skimming the CREAM – recursive withdrawals loot $13M in cryptocash

Category: CryptoDISC @ 11:54 am
Skimming the CREAM – recursive withdrawals loot $13M in cryptocash

You must have had that happy feeling (happiest of all when it’s still a day or two to payday and you know that your balance is paper-thin) when you’re withdrawing money from a cash machine and, even though you’re still nervously watching the ATM screen telling you that your request is being processed, you hear the motors in the cash dispensing machinery start to spin up.

That means, even before any banknotes get counted out or the display tells you the final verdict, that [a] you’ve got enough funds, [b] the transaction has been approved, [c] the machine is working properly, and [d] you’re about to get the money.

Well, imagine that if you hit the [Cancel] button at exactly the right moment between the mechanism firing up and the money being counted out…

…and if your timing was spot on, then your card would stay in the machine, your account wouldn’t get debited, and you’d be asked if you wanted to try again, BUT YOU’D GET THE CASH FROM THE CANCELLED TRANSACTION ANYWAY!?!!?

And imagine that, as long as you kept pressing that magic button at just the right moment, you could loop back on yourself and layer ghost withdrawal on ghost withdrawal…

…until the machine finally ran out of money, or hit some internal software limit on recursive withdrawals, or you decided to quit while you were ahead and get clear of the ATM before an alarm went off.

Blockchain Bubble or Revolution: The Future of Bitcoin, Blockchains, and Cryptocurrencies

Tags: cryptocash

Aug 31 2021

Windows 11 Security Scare—MS Nixes Fixes on Older PCs

Category: Information Security,Windows SecurityDISC @ 9:33 am
Windows 11 Security Scare—MS Nixes Fixes on Older PCs

Windows 11 won’t auto-update on slightly old PCs. It appears this includes security updates—although Microsoft PR is doing its usual trick of ghosting reporters who ask.

This sounds like a terrible idea: A fleet of unpatched Windows 11 PCs connected to the internet? That’s a recipe for disaster.

Stand by for Redmond to walk this one back in an embarrassing climbdown. In today’s SB Blogwatch, we hope against hope.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Olivia vs. Paramore.

MSFT MBEC+HVCI FAIL

What’s the craic? Sean Hollister reports—“Microsoft is threatening to withhold Windows 11 updates if your CPU is old”:

Why leave us in the dark?”
Windows 11 won’t technically leave millions of PCs behind … so long as you download and manually install an ISO file. … But it turns out even that technicality has a technicality: Microsoft is now threatening to withhold Windows Updates … potentially even security updates.

It’s quite possible this is just a cover-your-ass measure. … But it’s also possible Microsoft genuinely does mean to withhold patches. … Microsoft declined to clarify things further.

Windows 11 could theoretically be an operating system where you go back to the days of manually downloading [security] updates. … Feature updates are probably less of a big deal. [But] why leave us in the dark?

Windows 11 Security Scare

Tags: Windows 11

« Previous PageNext Page »