Microsoft Leftovers
-
Ivanti warns of second vulnerability used in attacks on Norway gov’t
“A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. This vulnerability is different from CVE-2023-35078, released on July 23,” the company said.
“As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081.”
The advisory says the vulnerability allows a threat actor to take a variety of actions on a victim device and can be used in conjunction with the first bug to bypass administrator authentication.
-
Chatbots sometimes make things up, not everyone thinks AI's hallucination problem is fixable
Spend enough time with ChatGPT and other artificial intelligence chatbots and it doesn't take long for them to spout falsehoods.
Described as hallucination, confabulation or just plain making things up, it's now a problem for every business, organization and high school student trying to get a generative AI system to compose documents and get work done. Some are using it on tasks with the potential for high-stakes consequences, from psychotherapy to researching and writing legal briefs.
-
Microsoft concession: You can run our wares in AWS virtual desktop under 'revised policy'
Microsoft is making a minor concession that allows customers with specific licenses to run Office wares in an AWS cloud – a week after Europe's competition regulators decided to officially probe its biz policies and practices.
The licensing tweak, first noticed by analyst Directions on Microsoft (DoM), in part reverses a licensing change made in 2019 that meant customers with perpetual licenses would need to buy fresh licenses to run those applications on AWS, Google Cloud or Alibaba infrastructure.
-
Windows TCO
-
Tenable CEO accuses Microsoft of negligence in addressing security flaw
His harsh public critique of Microsoft — a relatively rare event for a high-profile corporate figure in cybersecurity — follows criticism from lawmakers and researchers alike after a recent cyberattack affecting U.S. government officials resulted from a Microsoft security lapse.
As the CEO of Tenable, a firm that helps companies understand and mitigate their cybersecurity vulnerabilities, Yoran said he works with hundreds of companies every year to disclose and patch vulnerabilities. Microsoft, he said, consistently fails to proactively and professionally address vulnerabilities in their products.
“In Microsoft’s case you have a culture which denies the criticality of vulnerabilities,” Yoran told CyberScoop in an interview.
-
New SEC Rules around Cybersecurity Incident Disclosures
The US Securities and Exchange Commission adopted final rules around the disclosure of cybersecurity incidents. There are two basic rules: [...]
-
SEC: Public companies must report cyberattacks within four days
In a move to prevent public companies from delaying news about cyberattacks, the US Securities and Exchange Commission has set a four-day deadline to disclose "material cybersecurity incidents." A US attorney general could potentially delay that disclosure if doing so would lead to "substantial risk to national security or public safety." Otherwise, the rules will serve as a stiff new guidepost — albeit, one that's slightly less restrictive than the EU's GDPR cyberattack deadline of just three days.
The news comes after Microsoft was criticized by security experts for taking weeks to confirm an attack against Outlook and other online services. “We really have no way to measure the impact [of the attack] if Microsoft doesn’t provide that info,” Jake Williams, a cybersecurity researcher and former NSA hacker, told the AP in June.
-