Security Leftovers
-
Microsoft Catches Russian Government Hackers Phishing with Teams Chat App [Ed: No, Microsoft is at fault, not Russia. Stop portraying the culprit as the expert. Political spin with complicity from the media.]
Microsoft says a Russian government-linked hacking group is using its Microsoft Teams chat app to phish for credentials at targeted organizations.
-
Tenable claim: Microsoft sat on critical Azure flaw for more than 90 days
Yoran said the bank he had referred to was still vulnerable more than four months after the Azure flaw had been reported.
"And, to the best of our knowledge, they [the bank] still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions," he explained.
"Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t."
Yoran said cloud providers had supported the shared responsibility model for a long time. "That model is irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly," he said.
"What you hear from Microsoft is 'just trust us', but what you get back is very little transparency and a culture of toxic obfuscation.
"How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact [of the] patterns and current behaviours? Microsoft’s track record puts us all at risk. And it’s even worse than we thought."
Contacted for comment, a Microsoft spokesperson told iTWire: "We appreciate the collaboration with the security community to responsibly disclose product issues.
"We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications.
-
Microsoft comes under blistering criticism for “grossly irresponsible” security
Microsoft has once again come under blistering criticism for the security practices of Azure...
-
MTE As Implemented, Part 1: Implementation Testing
Through mid-2022 and early 2023, Project Zero had access to pre-production hardware implementing this instruction set extension to evaluate the security properties of the implementation. In particular, we're interested in whether it's possible to use this instruction set extension to implement effective security mitigations, or whether its use is limited to debugging/fault detection purposes.
-
MTE As Implemented, Part 2: Mitigation Case Studies
In order to understand the "additional difficulty" that attackers will face in writing exploits that can bypass MTE based mitigations, we need to consider carefully the context in which the attacker finds themself.
-
MTE As Implemented, Part 3: The Kernel
-
The return of FPM2
Ever since KeePassXC got builtin and in the tray in EasyOS, I have had reservations about it. FPM2, Figaro's Password Manager v2 is tiny in comparison, about 1/100 the size, yet has adequate functionality and is simpler to use.
Up until now, Easy has FPM2 version 0.79. Today have compiled version 0.90, which has superior encryption. Here is the website: [...]
-
New hVNC macOS Malware Advertised on Hacker Forum
A new macOS-targeting hVNC malware family is being advertised on a prominent cybercrime forum.
-
Impact of Freenom halting registrations on cybercrime
Freenom, which offers free domain names in .tk and several other ccTLDs, is being sued by Meta for ignoring abuse complaints. Freenom subsequently paused new domain registrations in March 2023.
-
Hackers can abuse Microsoft Office executables to download malware
-
Microsoft accidentally leaks internal utility for testing new Windows 11 features | Ars Technica
StagingTool is a lot like a widely used third-party utility called ViVeTool.