The IT Nerd

At Microsoft’s Surface event yesterday, Microsoft announced its Surface Duo 2 dual-screen Android smartphone, featuring a trio of new cameras, a faster processor, larger displays, and support for 5G. The company also unveiled a successor to the Surface Book line of laptops, the Surface Laptop Studio, as well as the Surface Pro 8.

The last Surface Duo was a flop. So I wonder if this second generation device is going to any more successful. As for a Surface Pro 8, it is going to get attention from companies and the like as they always do. Especially with the 120 Hz screen in the Surface Pro 8. I’d be interested in seeing these devices and seeing what they’re like as with Windows 11 on the horizon, you can expect new devices to be hitting the market.

Anyone with a Microsoft account can now remove their password from the account entirely to enable better security:

For the past couple of years we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision,” Microsoft corporate vice president Vasu Jakkal writes in the announcement post. “Beginning today, you can now completely remove the password from your Microsoft account.” As for the “why” of this change, Microsoft points to the fact that passwords are insecure and are the focus of over 18 billion attacks every year, or 579 attacks every second. Before you can go passwordless, you’ll need the Microsoft Authenticator app on your smartphone. Then, you can use Windows Hello, a security key, or a verification code that’s sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign-in, depending on the location.

This is huge and I applaud Microsoft for making this move as this will encourage other companies like Apple and others to make the same move. I’ll be experimenting with this and I will post a story on what my experiences are with living in a passwordless world.

According to a blog post, Microsoft will be launching Windows 11. It will not however be a free for all as it will be launched in a phased approach. New devices that are eligible for the upgrade will be offered the upgrades first. Then, it will roll out over time to older devices based on intelligence models gathered by Microsoft. These intelligence models consider the hardware eligibility, reliability metrics, age of device, and other factors. Microsoft expects all eligible devices will be upgraded to Windows 11 by mid-2022. Though given the gong show that has surrounded what will and will not be eligible for an upgrade, I fully expect that to be messy.

Now if you want to buy a new PC with Windows 11 pre-installed, you’ll have a few choices:

• Acer Swift 5
• Acer Swift X
• Asus Zenbook Flip 13
• Asus Zenbook 14
• Alienware x15
• Dell XPS 13
• HP Spectre x360
• Samsung Galaxy Book Pro
• Surface Pro 7
• Surface Laptop 4

At this point, my thinking is that if you really want Windows 11, your best route may be to buy a new PC. I personally will be setting up Windows 11 in a virtual machine and keeping it off of my actual PCs in the short term.

According to The Verge, Microsoft had a flaw in their Cosmos DB product that was kind of epic:

A flaw in Microsoft’s Azure Cosmos DB database product left more than 3,300 Azure customers open to complete unrestricted access by attackers. The vulnerability was introduced in 2019 when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DBs in February 2021.

And who are those customers? Well:

A listing of Azure Cosmos DB clients includes companies like Coca-Cola, Liberty Mutual Insurance, ExxonMobil, and Walgreens, to name just a few.

That’s not exactly a insigicant company list.

The company that discovered the flaw got paid $40,000 by Microsoft for finding it. And here’s what the company who found the flaw said:

“This is the worst cloud vulnerability you can imagine,” said Ami Luttwak, Chief Technology Officer of Wiz, the security company that discovered the issue. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

I wonder how Microsoft is going to explain this screw up. Well, here’s how they tried to do so:

“There is no evidence of this technique being exploited by malicious actors,” Microsoft told Bloomberg in an emailed statement. “We are not aware of any customer data being accessed because of this vulnerability.”

And:

In an update posted to the Microsoft Security Response Center, the company said its forensic investigation included looking through logs to find any current activity or similar events in the past. “Our investigation shows no unauthorized access other than the researcher activity,” said Microsoft.

Remember kids. The cloud is just someone else’s computer. And if you choose to use the cloud for sensitive or business critical activities, you need to trust that the cloud provider’s security is on point. And looking at this example, even Microsoft can screw this up. Thus you have to wonder if going to the cloud is really worth it.

Microsoft has warned that it has been tracking a widespread credential-phishing campaign that relies on open redirector links, while simultaneously suggesting it can defend against such attacks.

Here’s the warning:

Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections—including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems—before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.

The use of open redirects in email communications is common among organizations for various reasons. For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics. However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.

For instance, users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it. Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their settings have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight.

Well, this is a very dangerous attack. But fortunately, Microsoft can protect you from this:

Microsoft Defender for Office 365 detects these emails and prevents them from being delivered to user inboxes using multiple layers of dynamic protection technologies, including a built-in sandbox that examines and detonates all the open redirector links in the messages, even in cases where the landing page requires CAPTCHA verification. This ensures that even the embedded malicious URLs are detected and blocked. Microsoft Defender for Office 365 is backed by Microsoft experts who enrich the threat intelligence that feeds into our solutions through expert monitoring of email campaigns.

And if you read the rest of this document, it is literally an ad for both Office 365 and Microsoft Defender for Office 365. I literally cannot find any other mitigation strategies that do not involve one of these two products. Am I the only person who thinks that this is a big “sus” to use an Among Us reference? While it is true that 91 per cent of all cyberattacks originate with email, Microsoft positioning itself as your savior makes this message seem to be little more than an ad. Which makes this a #Fail for Microsoft.

When Windows 11 was announced, the system requirements were so hefty that most PCs out there couldn’t run it. Including some of Microsoft’s own Surface hardware. I guess the heat got to Microsoft despite trying to clarify things. Because on Friday they announced a change to Windows 11 minimum operating requirements, though the loosened restrictions are not likely to make it likely that your PC will be able to run it.

So what’s the change?

Windows 11 requires a 1GHz or faster 64-bit CPU, 4GB of RAM, and 64GB of storage. Machines must also support UEFI secure boot, version 2.0 of the Trusted Platform Module (TPM) and include a graphics card compatible with DirectX 12. But they added the Intel Core X and Xeon W CPUs, as well as the Surface Studio 2’s Core i7-7820HQ, to the list of Windows 11-compatible processors. The addition is a nod to users who, despite owning fairly modern hardware (Core X and Xeon W are 7th-generation Intel designs), were seemingly left out in the cold when the operating system was announced.

But there’s a catch. Here’s what Microsoft said to The Verge:

Microsoft is announcing today that it won’t block people from installing Windows 11 on most older PCs. While the software maker has recommended hardware requirements for Windows 11 — which it’s largely sticking to — a restriction to install the OS will only be enforced when you try to upgrade from Windows 10 to Windows 11 through Windows Update. This means anyone with a PC with an older CPU that doesn’t officially pass the upgrade test can still go ahead and download an ISO file of Windows 11 and install the OS manually.

That sounds good right. Well, here’s the next thing that Microsoft said:

Microsoft now tells us that this install workaround is designed primarily for businesses to evaluate Windows 11, and that people can upgrade at their own risk as the company can’t guarantee driver compatibility and overall system reliability. Microsoft won’t be recommending or advertising this method of installing Windows 11 to consumers. In fact, after we published this post, Microsoft reached out to tell us about one potentially gigantic catch it didn’t mention during our briefing: systems that are upgraded this way may not be entitled to get Windows Updates, even security ones.

I’m sorry. That’s complete BS. And it reinforces what I said when this gong show started:

Microsoft may want to rethink this because this is the sort of thing that will drive people to go to the Apple store and have a look at those new M1 based Macs as they absolutely destroy anything that Intel makes, and Apple has a strong history of supporting computers that are as old as six or seven years in age. Which means the chances of getting screwed by Apple at some point are way less than they are with Microsoft. That’s good for Apple, and bad for Microsoft.

While they have started to rethink this, they haven’t gone far enough. And it will come back to bite them when Windows 11 ships. If not before.

Did you think that PrintNightmare was over because Microsoft released some patches to try and address it?

I’m here to tell you that it isn’t over.

Microsoft came up with a new “mitigation” which requires administrator privileges for Point and Print driver installation and update:

Today, we are addressing this risk by changing the default Point and Print driver installation and update behavior to require administrator privileges. The installation of this update with default settings will mitigate the publicly documented vulnerabilities in the Windows Print Spooler service. This change will take effect with the installation of the security updates released on August 10, 2021 for all supported versions of Windows, and is documented as CVE-2021-34481.

This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers. However, we strongly believe that the security risk justifies this change. While not recommended, customers can manually disable this mitigation with a registry key, which is outlined in the following KB Article:

KB5005652 How to manage new Point and Print default driver installation behavior

But the fun doesn’t stop there. Microsoft has also dropped the news that a new Remote Code Execution vulnerability exists via CVE-2021-36958. What that means that sysadmins are pretty much back to square one when it comes to protecting their infrastructures against PrintNightmare. And that doesn’t reflect well on Microsoft.

Microsoft has revealed yet another vulnerability connected to its Windows Print Spooler service. This just after fixing “PrintNightmare“. Maybe. Either way, it’s not a good look for Microsoft. This one is listed as CVE-2021-34481, and can be exploited to elevate privilege to system level via file operations. That makes it really dangerous.

Microsoft is working on yet another fix for this latest print spooler exploit. But Microsoft really needs to spend some time to figure out what else is out there in terms of vulnerabilities are in the print spooler. Because you can bet the bad guys are looking for anything that they can take advantage of to pwn you.