The IT Nerd

Further information can be found here.

Well, this isn’t good. An unpatched zero-day that was originally found in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command:

In August 2020, October 2020, and finally this week, infosec researcher Jonas L drew attention to an NTFS vulnerability impacting Windows 10 that has not been fixed. When exploited, this vulnerability can be triggered by a single-line command to instantly corrupt an NTFS-formatted hard drive, with Windows prompting the user to restart their computer to repair the corrupted disk records. The researcher told BleepingComputer that the flaw became exploitable starting around Windows 10 build 1803, the Windows 10 April 2018 Update, and continues to work in the latest version. What’s worse is, the vulnerability can be triggered by standard and low privileged user accounts on Windows 10 systems. […] It is unclear why accessing this attribute corrupts the drive, and Jonas told BleepingComputer that a Registry key that would help diagnose the issue doesn’t work. 

One striking finding shared by Jonas with us was that a crafted Windows shortcut file (.url) that had its icon location set to C:\:$i30:$bitmap would trigger the vulnerability even if the user never opened the file! As observed by BleepingComputer, as soon as this shortcut file is downloaded on a Windows 10 PC, and the user views the folder it is present in, Windows Explorer will attempt to display the file’s icon. To do this, Windows Explorer would attempt to access the crafted icon path inside the file in the background, thereby corrupting the NTFS hard drive in the process. Next, “restart to repair hard drive” notifications start popping up on the Windows PC — all this without the user even having opened or double-clicked on the shortcut file.

This has been tested onWindows XP and the issue has been found there as well. Thus it appears to be an NTFS based issue as opposed to a Windows 10 issue. Microsoft is investigating this, but they need to have a rapid fix for this as a threat actor is going to be able to exploit this to cause chaos.

Microsoft really won’t let forcing its users to run the versions of Windows it wants them to use go. Now they are apparently going to force feed Windows updates down their throats:

Starting this month, Microsoft will begin forcing some users to upgrade to Windows 10 version 1909 or version 2004 if they don’t update their PC manually. This is coming after Microsoft announced that it’s ending support for Windows 10 version 1903, including Windows 10 Home and Windows 10 Pro. If you’re on Windows 10 version 1903, you’ll be force upgraded to version 1909 later this month. If you’re on Windows 10 version 1909, you’ll be forcefully upgraded to Windows 10 version 2004 (May 2020 Update) by the spring of next year. If you’re still using last year’s Windows 10 versions, it’s better to attempt the upgrade manually.

While I will admit that that some people don’t keep up to date in terms of the latest version of Windows they should be running, some people make a choice to run a specific version of Windows because of the hardware or software that they run. Microsoft is effectively taking that choice away from users which I think is wrong. This is the sort of thing that sends people to Apple Stores to buy Macs in droves. Microsoft may want to keep that in mind and reconsider this move.

Microsoft in their infinite wisdom decided to a feature in some of their Office 365 apps that logged app usage data at a user level. They claimed enterprise customers could use the data to measure both the productivity and influence of their employees. The Guardian summed this feature up this way:

Microsoft has been criticised for enabling “workplace surveillance” after privacy campaigners warned that the company’s “productivity score” feature allows managers to use Microsoft 365 to track their employees’ activity at an individual level.

The tools, first released in 2019, are designed to “provide you visibility into how your organisation works”, according to a Microsoft blogpost, and aggregate information about everything from email use to network connectivity into a headline percentage for office productivity.

But by default, reports also let managers drill down into data on individual employees, to find those who participate less in group chat conversations, send fewer emails, or fail to collaborate in shared documents.

Researcher Wolfie Christl says this is problematic:

Needless to say, the blowback to this was epic as this is a significant privacy issue. And to nobody’s surprise, Microsoft has now yanked user level data according this blog post:

We appreciate the feedback we’ve heard over the last few days and are moving quickly to respond by removing user names entirely from the product. This change will ensure that Productivity Score can’t be used to monitor individual employees. At Microsoft, we’re committed to both data-driven insights and user privacy. We always strive to get the balance right, but if and when we miss, we will listen carefully and make appropriate adjustments.

We’re making the following changes to Productivity Score:

First, we’re removing user names from the product. During preview, we added a feature that showed end-user names and associated actions over a 28-day period. In response to feedback over the last week, we’re removing that feature entirely. Going forward, the communications, meetings, content collaboration, teamwork, and mobility measures in Productivity Score will only aggregate data at the organization level—providing a clear measure of organization-level adoption of key features. No one in the organization will be able to use Productivity Score to access data about how an individual user is using apps and services in Microsoft 365.

Second, we’re modifying the user interface to make it clearer that Productivity Score is a measure of organizational adoption of technology—and not individual user behavior […]

The remaining three measures in the product— Microsoft 365 App health, network connectivity, and endpoint analytics—don’t include user names. 

I am not sure if this is enough. I can see scenarios where some data could still be tied back to specific individuals seeing as it includes device identifiers. So I fully expect this to continue to be an issue that Microsoft will have to deal with.

rag & bone unveils a preview of its Spring/Summer 2021 collection with a dynamic teaser film, Metamorphosis, created in partnership with Microsoft. Metamorphosis explores new ways of bringing collections to life through the integration of innovative technology.

Metamorphosis is a special stand-alone collaboration that spans the creative worlds of design, technology, and filmmaking to bridge the authentic craft of rag & bone with technology to reveal elements from the collection. Creating the unexpected between rag & bone and Microsoft began with the Spring/Summer 2020 show, which featured real time point cloud data capture technology. The partnership will continue into 2021 with concepts aimed at simplifying how consumers digitally engage with rag & bone collections.

Set in a fantastical vision of New York, Metamorphosis represents a virtual transformation of movement, fabric detail and the versatility of rag & bone signatures. Through the use of Azure Virtual Machines for Cloud Rendering, classic outerwear, feminine meets masculine silhouettes, relaxed tailoring, and easy to wear essentials are mixed and matched to redefine an everyday wardrobe.

Created remotely on the Cloud and supported by Azure Virtual Machines, an avatar figure was generated to capture key looks in the collection. Through a variety of camera movements and atmospheric plays on light and dimension, the avatar explores a New York City that shifts perspectives of space and dimension. Each small and highly defined detail in the looks are created on the cloud using Microsoft Azure Solutions. Additionally, Microsoft Azure allows for powerful remote GPUs and other services that optimize the output of a virtual rag & bone collection. 3D software was utilized to run virtually in the cloud to facilitate direct renders of each piece featured in the teaser to cloud GPUs. A musical arrangement by DJ Kris Bones was created to round out the film’s surreal and imagined landscapes.

Available to view from today, Metamorphosis launches across rag & bone and Microsoft’s channels worldwide. A new set of look book imagery featuring expanded looks from Metamorphosis will accompany the film’s debut. Through a virtual articulation of how Cloud Computing has shaped the ways in which fashion can be interpreted, the partnership with Microsoft highlights rag & bone’s ongoing commitment to creating digital first experiences that are uniquely their own.