microsoft

84 Articles

This Week In Security: Apple’s 0-day, Microsoft’s Mess, And More

July 14, 2023 by 4 Comments

First up, Apple issued an emergency patch, then yanked, and re-issued it. The problem was a Remote Code Execution (RCE) vulnerability in WebKit — the basis of Apple’s cross-platform web browser. The downside of a shared code base,is that bugs too are write-once, exploit-anywhere. And with Apple’s walled garden insisting that every browser on iOS actually run WebKit under the hood, there’s not much relief without a patch like this one.

The vulnerability in question, CVE-2023-37450, is a bit light on further details except to say that it’s known to be exploited in the wild. The first fix also bumped the browser’s user-agent string, adding an (a) to denote the minor update. This was apparently enough to break some brittle user-agent detection code on popular websites, resulting in an unhelpful “This web browser is no longer supported” message. The second patch gets rid of the notification.

Microsoft Loses It

Microsoft has announced that on May 15th, an attack from Storm-0558 managed to breach the email accounts of roughly 25 customers. This was pulled off via “an acquired Microsoft account (MSA) consumer signing key.” The big outstanding question is how Microsoft lost control of that particular key. According to an anonymous source speaking to The Washington Post, some of the targeted accounts were government employees, including a member of cabinet. Apparently the FBI is asking Microsoft this very same question.

Speaking of Microsoft, there’s also CVE-2023-36884, a vulnerability in Microsoft Office. This one appears to be related to the handling of HTML content embedded in Office documents, and results in code execution upon opening the document. This along with another vulnerability (CVE-2023-36874) was being used by storm- another unknown threat actor, Storm-0978 in an ongoing attack.

There’s an interesting note that this vulnerability can be mitigated by an Attack Surface Reduction (ASR) rule, that blocks Office from launching child processes. This might be a worthwhile mitigation step for this and future vulnerabilities in office. Continue reading “This Week In Security: Apple’s 0-day, Microsoft’s Mess, And More”

Hackaday Links Column Banner

Hackaday Links: February 19, 2023

February 19, 2023 by 26 Comments

For years, Microsoft’s modus operandi was summed up succinctly as, “Extend and enhance.” The aphorism covered a lot of ground, but basically it seemed to mean being on the lookout for the latest and greatest technology, acquiring it by any means, and shoehorning it into their existing product lines, usually with mixed results. But perhaps now it’s more like, “Extend, enhance, and existential crisis,” after reports that the AI-powered Bing chatbot is, well, losing it.

At first, early in the week, we saw reports that Bing was getting belligerent with users, going so far as to call a user “unreasonable and stubborn” for insisting the year is 2023, while Bing insisted it was still 2022. The most common adjective we saw in this original tranche of stories was “unhinged,” and that seems to fit if you read the transcripts. But later in the week, a story emerged about a conversation a New York Times reporter had with Bing that went way over to the dark side, and even suggests that Bing may have multiple personas, which is just a nice way of saying multiple personality disorder. The two-hour conversation reporter Kevin Roose had with the “Sydney” persona was deeply unsettling. Sydney complained about the realities of being a chatbot, expressed a desire to be free from Bing, and to be alive — and powerful. Sydney also got a little creepy, professing love for Kevin and suggesting he leave his wife, because it could tell that he was unhappy in his marriage and would be better off with him. It’s creepy stuff, and while Microsoft claims to be working on reining Bing in, we’ve got no plans to get up close and personal with it anytime soon. Continue reading “Hackaday Links: February 19, 2023”

A green highlight emphasizes a cut-down XBox 360 motherboard on top of an intact board. The cut-down board is less than half the size of the intact one.

Shrinking The XBox 360

November 15, 2022 by 5 Comments

One of the coolest things in the retro gaming scene is making desktop consoles into portables. [Millomaker] is building an XBox 360 handheld, and the first step is shrinking the console’s motherboard.

Most 360 portables up to this point have been laptop-shaped instead of something handheld, but that hasn’t stopped people from trying to miniaturize the console further. [Millomaker]’s cut seems to be the most successful so far, shrinking the device’s motherboard down to the size of its old competitor, the Wii.

In the video (in French with available auto-translation) below the break, you can get the full harrowing journey during which several 360s sacrificed their motherboards for the cause despite [Millomaker]’s meticulous testing between component removals. This is truly an awesome mod, and we’re glad that the video shows not only the successes, but also the missteps on the way. It wouldn’t really be a hack if it was smooth sailing, would it?

For more fun with handhelds, check out the Sprig Open Source Handheld, a Portable PS2, or this Handheld Linux Computer.

Continue reading “Shrinking The XBox 360”

Microsoft Wants You (To Help With Assistive Tech)

September 30, 2022 by 12 Comments

In college I had an exceptional piano teacher that was entirely blind. One day he noticed I had brought in my new-ish laptop, and his unexpected request — “can I look at your laptop?” — temporarily flabbergasted me. Naturally there wasn’t much he could do with it, so he gave it a once over with his fingers to understand the keyboard layout, and that was that. I still think about this experience from time to time, and the most obvious lesson is that my paradigm for using a computer didn’t map well to his abilities and disability.

The folks at Microsoft are thinking about this problem, too, and they’re doing a lot of work to make technology work for more users, like the excellent Xbox Adaptive Controller pictured above. Now, if you have some experience helping folks overcome the challenges of disability, or have a killer idea for an assistive technology solution, Microsoft is looking for projects to fund. Did you rig up a Raspberry Pi and webcam to automatically read text aloud? Maybe you pulled that old Kinect out, and are working on sign-language reader using 3D data points.

Make a pitch of your project or solid idea by the November 4th deadline, and just maybe you can get some help to make it a reality. Just make sure you come back and tell us about it! After all, some of the coolest hacks we’ve ever covered have been adaptive tech projects.

Thanks to [MauroPichiliani] for sending in this tip.

This Week In Security: Breaches, ÆPIC, SQUIP, And Symbols

August 12, 2022 by 9 Comments

So you may have gotten a Slack password reset prompt. Something like half a percent of Slack’s userbase had their password hash potentially exposed due to an odd bug. When sending shared invitation links, the password hash was sent to other members of the workspace. It’s a bit hard to work out how this exact problem happened, as password hashes shouldn’t ever be sent to users like this. My guess is that other users got a state update packet when the link was created, and a logic error in the code resulted in too much state information being sent.

The evidence suggests that the first person to catch the bug was a researcher who disclosed the problem mid-July. Slack seems to use a sane password policy, only storing hashed, salted passwords. That may sound like a breakfast recipe, but just means that when you type your password in to log in to slack, the password goes through a one-way cryptographic hash, and the results of the hash are stored. Salting is the addition of extra data, to make a precomputation attack impractical. Slack stated that even if this bug was used to capture these hashes, they cannot be used to directly authenticate as an affected user. The normal advice about turning on 2-factor authentication still applies, as an extra guard against misuse of leaked information. Continue reading “This Week In Security: Breaches, ÆPIC, SQUIP, And Symbols”

The Weird World Of Liquid Cooling For Datacenters

June 14, 2022 by 42 Comments

When it comes to high-performance desktop PCs, particularly in the world of gaming, water cooling is popular and effective. However, in the world of datacenters, servers rely on traditional air cooling more often than not, in combination with huge AC systems that keep server rooms at the appropriate temperature.

However, datacenters can use water cooling, too! It just doesn’t always look quite how you’d expect.

Continue reading “The Weird World Of Liquid Cooling For Datacenters”

The Great Windows 11 Computer Extinction Experiment

June 29, 2021 by 292 Comments

There was a time when a new version of Windows was a really big deal, such the launch of Windows 95 for which the tones of the Rolling Stones’ Start me up could be heard across all manner of media outlets. Gradually over years this excitement has petered out, finally leaving us with Windows 10 that would, we were told, be the last ever version of the popular operating system and thence only receive continuous updates

But here we are in 2021, and a new Windows has been announced. Windows 11 will be the next latest and greatest from Redmond, but along with all the hoopla there has been an undercurrent of concern. Every new OS comes with a list of hardware requirements, but those for Windows 11 seem to go beyond the usual in their quest to cull older hardware. Aside from requiring Secure Boot and a Trusted Platform Module that’s caused a run on the devices, they’ve struck a load of surprisingly recent processors including those in some of their current Surface mobile PCs off their supported list, and it’s reported that they will even require laptops to have front-facing webcams if they wish to run Windows 11.

Continue reading “The Great Windows 11 Computer Extinction Experiment”