Skip to main content
Please wait...

Just who is Windows 11 for, anyway?

16 hours 8 minutes ago

Seriously, who did Microsoft develop Windows 11 for? Only people who like centered taskbars? Only people who don’t mind “unlearning” how to get into task manager?

Maybe not, but I’d argue that Windows 11 wasn’t designed for you and me. Rather, it was designed for the businesses, governments, schools, and other entities that we interact with. It’s built to ensure that sensitive information can be secured.

[ Related: Windows 11 in-depth review: Windows 10 gets a nip and tuck ] Baked-in security

For starters, Windows 11 has allowed Microsoft to cut the cord on the 32-bit platform. Windows 11 will be first Windows OS that is 64-bit only. This allows Microsoft to build in more virtualization and containerization security features that cannot be done in the 32-bit platform.

To read this article in full, please click here

Susan Bradley

Four zero-day exploits add urgency to October's Patch Tuesday

3 days 14 hours ago

October brings four zero-day exploits and 74 updates to the Windows ecosystem, including a hard-to-test kernel update (CVE-2021-40449) that requires immediate attention and an Exchange Server update that requires technical skill and due diligence (and a reboot). The testing profile for the October Patch Tuesday covers Windows error handling, AppX, Hyper-V and Microsoft Word. We recommend a Patch Now schedule for Windows and then staging the remaining patch groups according to your normal release pattern.

To read this article in full, please click here

Greg Lambert

Experts call Apple's CSAM scheme 'a dangerous technology'

4 days 13 hours ago

Apple’s decision to postpone introduction of its controversial client-side scanning (CSS) CSAM-detection system looks like an even better idea amid news governments already want to use the controversial tools for other forms of surveillance.

A 'dangerous technology'

In a new report, an influential group of 14 internationally reputed security researchers have said such plans represent a “dangerous technology” that expands state surveillance powers. They warn the client-side scanning system, if used “would be much more privacy invasive than previous proposals to weaken encryption. Rather than reading the content of encrypted communications, CSS gives law enforcement the ability to remotely search not just communications, but information stored on user devices.”

To read this article in full, please click here

Jonny Evans

Windows 11 and the need for better BIOS integration

4 days 19 hours ago

Disclosure:  The vendors listed are clients of the author.

Microsoft DOS and then Windows have gone through several evolutions over the years. When Windows first arrived, it was a User Interface (UI) shell on top of DOS. Then Windows 95 absorbed DOS to create something new — but didn’t include security. Windows 8 tried to absorb the smartphone experience, failed, but essentially made third-party anti-virus software obsolete.  

Windows 10 took security a few steps farther (and integrated a better digital assistant, Cortana, that few people ever used). And now, with  Windows 11, Microsoft has begun to integrate hardware security without integrating PC firmware (BIOS). Due to issues with the move to Windows 11, I think the next integration will be BIOS.

To read this article in full, please click here

Rob Enderle

How to choose the right UEM platform

5 days 18 hours ago

Endpoint devices have become so ubiquitous, connected, and data-intensive that they are among the most valuable technology assets an organization has today. They’re also some of the biggest security risks. It’s no surprise, then, that managing the large and growing number of smartphones, laptops, tablets, desktops, and other end-user products is a high priority for IT.

For a growing number of enterprises, unified endpoint management (UEM) is the method of choice for keeping management of endpoints from descending into chaos. UEM platforms are designed to simplify the management of devices and enhance the security of heterogeneous environments.

To read this article in full, please click here

Bob Violino

Apple warns: Sideloading apps threatens an iCrime wave

6 days 11 hours ago

Apple is fighting back against growing pressure to support sideloading on its App Stores with an extensive 28-page white paper in which it offers stark security and privacy warnings.

The risks of sideloading

The white paper, "Building a Trusted Ecosystem for Millions of Apps – a Threat analysis of Sideloadingargues that because iPhones and other devices capture so much personal information about people, maintaining privacy and security is critical.“Supporting sideloading through direct downloads and third-party app stores would cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks,” the company said.

To read this article in full, please click here

Jonny Evans

Google now tells criminals when Chrome users are 'idle.' What could go wrong?

1 week 5 days ago

When Google released Chrome 94 for Android (and desktop), it slipped in some naughty capabilities via an API called Idle Detection.  

“The Idle Detection API notifies developers when a user is idle, indicating such things as lack of interaction with the keyboard, mouse, screen, activation of a screensaver, locking of the screen, or moving to a different screen. A developer-defined threshold triggers the notification,” Google said in a blog post. “Applications that facilitate collaboration require more global signals about whether the user is idle than are provided by existing mechanisms that only consider a user's interaction with the application's own tab.”

To read this article in full, please click here

Evan Schuman

How one coding error turned AirTags into perfect malware distributors

2 weeks 1 day ago

One of the more frightening facts about mobile IT in 2021 is that simplicity and convenience are far too tempting in small devices (think AppleWatch, AirTags, even rings that track health conditions, smart headphones, etc.). 

Compared with their laptop and desktop ancestors, they make it far more difficult to check that URLs are proper, that SPAM/malware texts/emails don’t get opened and that emlpoyees follow the minimal cybersecurity precautions IT asks. In short, as convenience ramps up, so do security risks. (Confession: Even though I try to be ultra-vigilant with desktop emails, I do periodically — far more often than I should — drop my guard on a message coming through my AppleWatch.)

To read this article in full, please click here

Evan Schuman

How to make sense of Microsoft’s upcoming mail security changes

2 weeks 1 day ago

With Microsoft about to shut off some versions of Outlook from access to Microsoft 365 and Outlook 365 services — that happens Nov. 1 — it’s important to remember this isn’t the only change coming for Outlook. A second change scheduled for next year may have a bigger impact on how you connect your email client — and may affect other email apps, too.

Because it could affect many users and businesses, Microsoft is giving everyone fair warning — a year in advance. On Oct. 1, 2022, Microsoft will be disabling basic authentication for its online mail services. This isn’t the first time the company has warned us about this. It had planned to disable authentication earlier this year before realizing it couldn’t do so without impacting businesses and users still struggling amid the pandemic. Hence, the delay.

To read this article in full, please click here

Susan Bradley

Apple deepens its engagement in enterprise security

2 weeks 4 days ago

The switch to mobile and remote work exposed grim security realities for many companies during the pandemic, and this seems to be driving change at the very top of the tech tree. For example, Apple has joined the Cyber Readiness Institute (CRI) as a co-chair.

Apple takes a seat

The Institute focuses on helping SMBs (small and mid-sized businesses) improve security practices by developing free resources to help them. This builds on the work platform providers already do to secure their platforms by educating and preparing enterprise customers with enhanced security awareness.

To read this article in full, please click here

Jonny Evans

Chrome, Edge kick off faster release cadence; enterprises can skip versions

3 weeks ago

Google's Chrome and Microsoft's Edge began their every-four-weeks release cadence with the launch last week of version 94 of each browser.

Google released Chrome 94 on Sept. 21, while Microsoft issued Edge 94 three days later, on Sept. 24.

From those dates, Chrome and Edge will upgrade every four weeks. Chrome 95 and Edge 95, for example, will debut Oct. 19 and Oct. 21, respectively. There will be exceptions to that pace for holidays, however. For instance, Chrome 96, the final version of 2021, will release Nov. 16, and be followed by Chrome 97 on Jan. 4, 2022, a seven-week interval.

Google announced the then-upcoming change to a more frequent release schedule in early March; Microsoft quickly followed with news of its own several days later.

To read this article in full, please click here

Gregg Keizer

Apple, 1Password, and Cloudflare all move to protect email

3 weeks ago

Apple’s new Hide My Email feature, designed to protect users against phishing attacks and unwanted marketing spam, has swiftly become but one of a variety of options now available.

The river becomes a flood

For a very long time, the daily ritual of checking email accounts has been one in which many of us must first delete the majority of messages received because our addresses have been sold all over the place. Spam filters help, but in my experience plenty gets through — and you can’t easily tell who shared your address(es) in the first place.

Everyone is at it. Capturing and selling email addresses and data about people is a big business. Not only that, but most privacy and security breaches begin with phishing emails carrying suspect links and fraudulent requests for personal information.

To read this article in full, please click here

Jonny Evans

On app tracking, both Android and iOS have to do better

3 weeks ago

Mobile app use continues to climb in enterprises worldwide, and it won’t be long before almost all employee/contractor communications take place over mobile devices. That’s why it’s such a threat to security and compliance that mobile apps have extensive access to everything on a device — and few limitations on what those apps can share.

Apple argues that it’s already doing something about this in iOS with its app tracking transparency push. But a report in The Washington Post last week undermines the company’s promises. Why? Because Apple has been trusting app vendors to actually do what they agree to do. (No one could have foreseen that blowing up.)

To read this article in full, please click here

Evan Schuman

Survey says! What my informal survey shows about Windows

3 weeks 1 day ago

Several weeks ago, I asked readers to answer 11 questions about Windows. More than 1,000 people submitted responses, and while the results aren’t statistically valid, they do shed light on attitudes to Microsoft’s operating system

What do users run?

Not surprisingly, most respondents (74.75%) run some variation of Windows 10, with another 9.7% still on Windows 7. Linux was third, with 5.94%; “other” — a mixture of Windows 11, Windows XP, Chromebook, and even one Windows 98 user — had 4.55%. (I’m just hoping Windows 98 wasn’t used to answer the online survey questions.) The Mac was next, with 1.98%, followed by a smattering of phone platforms.

To read this article in full, please click here

Susan Bradley

Apple needs to act against fake app-privacy promises

3 weeks 4 days ago

Apple will need to become more aggressive in how it polices the privacy promises developers make when selling apps in the App Store. What can enterprise users do to protect themselves and their users in the meantime?

What’s the problem?

Some developers continue to abuse the spirit of Apple’s App Store Privacy rules. This extends to posting misleading information on App Privacy Labels, along with outright violation of promises not to track devices. Some developers continue to ignore do-not-track requests to exfiltrate device-tracking information.

To read this article in full, please click here

Jonny Evans

MSRT vs. MSERT: When to use each Windows malware tool

3 weeks 6 days ago

Microsoft provides Windows users with two tools that offer malware scanning and repair services, should those scans turn up anything in need of fixing. One is named MSRT; the other runs an executable called MSERT.

Naturally, this overlap raised my curiosity, and led me to explore these two tools to suss out their similarities and differences.

IDG

Figure 1: MSRT appears in File Explorer as a Windows Knowledge Base download, while MSERT comes from Microsoft Docs documentation.

To read this article in full, please click here

Ed Tittel

A penchant for patching: After 20 years, the system’s still a mess

4 weeks 1 day ago

As a Microsoft Patch Lady, I’ve been patching computers and servers for more than 20 years. We started with a process that wasn’t well planned. We had no set day or time for when patches were released, and no way to centrally manage and deploy updates. Over the years Microsoft has moved to a more dependable deployment plan and the ability to manage updates through platforms ranging from Windows Update to Windows Software Update Services to Cloud services.

So things should be better now, right? We’ve had 20 years to get this right.

And yet, here’s what I’ve seen regarding patching in just the last week.

We are now on three months and counting of continuing issues with printing caused by patches. (This month included yet another fix for another print spooler vulnerability.) I’ve seen businesses dealing with new side effects directly impacting printing and, interestingly enough, these are businesses that didn’t have problems with earlier updates. This month, Windows 10 peer-to-peer networks appear to be the most affected. (FYI: The trigger for all of these printer issues seems to be older Type 3 printer drivers. Moving to type 4 drivers might help if that’s an option for you.)

To read this article in full, please click here

Susan Bradley

Legacy apps are at risk with the September Patch Tuesday update

1 month ago

This week's Patch Tuesday was an unusual update from Microsoft and we have added Windows, the Microsoft development platform, and Adobe Reader to our "Patch Now" schedule.

These updates are driven by the zero-day patch (CVE-2021-40444) to the core Microsoft browser library MSHTML. In addition to leading to significant remote code execution worries, this update may also lead to unexpected behaviours in legacy applications that depend on or include this browser component. Be sure to assess your portfolio for key apps that have these dependencies and perform a full functionality test before deployment. (We have identified some key mitigation strategies for handling ActiveX controls and for protecting your system during your testing and deployment phases.)

To read this article in full, please click here

Greg Lambert

It’s been a big week for patches

1 month ago

This week brought updates that I consider critical for the “Big Three” — my operating system (Windows), my browser (Google Chrome) and my phone (from Apple). All three releases patch major zero-day vulnerabilities on all three platforms.

While I strongly recommend that you patch Chrome and your iPhone as soon as possible, I always recommend that you hold back on updating Windows. That remains true — at least until we see whether there are any trending side effects from the Patch Tuesday updates.

Let’s break down the patching to do right away.

First, prioritize patching Apple devices. Among this week’s patches is one for Pegasus spyware, which can open up access to the camera and microphone as well as text messages, phone calls, and emails.  iPhones, in particular, have been targeted. Apple typically pushes these updates overnight if your phone is plugged in and charging (and connected to the Internet). If you want to make sure your iPhone has received the update, click on Settings, then General, then tap Software Update. Typically, after my iPhone updates, some apps may need passwords again. I personally try to save critical ones in the iCloud keychain. Look for patches for iOS 14.8 and iPad OS 14.8, and Security Update 2021-005 for macOS Catalina and Big Sur 11.6.

To read this article in full, please click here

Susan Bradley
Checked
26 minutes 55 seconds ago
Computer World Security
Subscribe to Computer World Security feed

About SecurityFeeds

SecurityFeeds Logo

Tim Weil is a Security Architect/IT Security Manager with over twenty five years of IT management, consulting and engineering experience in the U.S. Government and Communications Industry.  Mr. Weil's technical areas of expertise include IT Security Management, Enterprise Security Architecture, FISMA Compliance, Identity Management, and Network Engineering. Mr. Weil is a Senior Member of the IEEE and has served in several IEEE positions.