The IT Nerd

Happy 2022 Microsoft Exchange admins. You’re waking up to a new year with a bug that has broken your Microsoft Exchange server if you’re using an on premise server. BleepingComputer has the details:

Microsoft Exchange on-premise servers cannot deliver email starting on January 1st, 2022, due to a “Year 2022” bug in the FIP-FS anti-malware scanning engine.

Starting with Exchange Server 2013, Microsoft enabled the FIP-FS anti-spam and anti-malware scanning engine by default to protect users from malicious email. According to numerous reports from Microsoft Exchange admins worldwide, a bug in the FIP-FS engine is blocking email delivery with on-premise servers starting at midnight on January 1st, 2022.

Security researcher and Exchange admin Joseph Roosen said that this is caused by Microsoft using a signed int32 variable to store the value of a date, which has a maximum value of 2,147,483,647. However, dates in 2022 have a minimum value of 2,201,010,001 or larger, which is greater than the maximum value that can be stored in the signed int32 variable, causing the scanning engine to fail and not release mail for delivery. When this bug is triggered, an 1106 error will appear in the Exchange Server’s Event Log stating, “The FIP-FS Scan Process failed initialization. Error: 0x8004005. Error Details: Unspecified Error” or “Error Code: 0x80004005. Error Description: Can’t convert “2201010001” to long.” Microsoft will need to release an Exchange Server update that uses a larger variable to hold the date to officially fix this bug.

However, for on-premise Exchange Servers currently affected, admins have found that you can disable the FIP-FS scanning engine to allow email to start delivering again.

There’s a slight problem with that fix. If you use the unofficial fix, it will expose users to more spam, more phishing, and more malware infected email. So that’s not really a solution. However Microsoft has an actual solution:

Thus Exchange admins will need to wake up this morning and run that script before this becomes a major issue on Monday when everyone heads back to work.

It never ends does it.

Microsoft announced yesterday that will kill OneDrive on Windows 7, 8 and 8.1 on March 1st, 2022. Which means that if you’re on any of those operating systems, you have two choices:

• Update to Windows 10 or newer
• Access your files using the OneDrive website

Here’s why Microsoft is doing this:

In order to focus resources on new technologies and operating systems, and to provide users with the most up-to-date and secure experience, beginning January 1, 2022, updates will no longer be provided for the OneDrive desktop application on your personal Windows 7, 8, and 8.1 devices. Personal OneDrive desktop applications running on these operating systems will stop syncing to the cloud on March 1, 2022. 

I think that translates to “we want to focus on Windows 10 and Windows 11”. Which makes sense. But is still sure to rile up a few people out there. In any case, if you are running Windows 7, 8 and 8.1 and you use OneDrive, consider yourself warned.

At Microsoft’s Surface event yesterday, Microsoft announced its Surface Duo 2 dual-screen Android smartphone, featuring a trio of new cameras, a faster processor, larger displays, and support for 5G. The company also unveiled a successor to the Surface Book line of laptops, the Surface Laptop Studio, as well as the Surface Pro 8.

The last Surface Duo was a flop. So I wonder if this second generation device is going to any more successful. As for a Surface Pro 8, it is going to get attention from companies and the like as they always do. Especially with the 120 Hz screen in the Surface Pro 8. I’d be interested in seeing these devices and seeing what they’re like as with Windows 11 on the horizon, you can expect new devices to be hitting the market.

Anyone with a Microsoft account can now remove their password from the account entirely to enable better security:

For the past couple of years we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision,” Microsoft corporate vice president Vasu Jakkal writes in the announcement post. “Beginning today, you can now completely remove the password from your Microsoft account.” As for the “why” of this change, Microsoft points to the fact that passwords are insecure and are the focus of over 18 billion attacks every year, or 579 attacks every second. Before you can go passwordless, you’ll need the Microsoft Authenticator app on your smartphone. Then, you can use Windows Hello, a security key, or a verification code that’s sent to an email address, your phone, or a compatible app or service like Outlook, OneDrive, Microsoft Family Safety, and more to sign-in, depending on the location.

This is huge and I applaud Microsoft for making this move as this will encourage other companies like Apple and others to make the same move. I’ll be experimenting with this and I will post a story on what my experiences are with living in a passwordless world.

According to a blog post, Microsoft will be launching Windows 11. It will not however be a free for all as it will be launched in a phased approach. New devices that are eligible for the upgrade will be offered the upgrades first. Then, it will roll out over time to older devices based on intelligence models gathered by Microsoft. These intelligence models consider the hardware eligibility, reliability metrics, age of device, and other factors. Microsoft expects all eligible devices will be upgraded to Windows 11 by mid-2022. Though given the gong show that has surrounded what will and will not be eligible for an upgrade, I fully expect that to be messy.

Now if you want to buy a new PC with Windows 11 pre-installed, you’ll have a few choices:

• Acer Swift 5
• Acer Swift X
• Asus Zenbook Flip 13
• Asus Zenbook 14
• Alienware x15
• Dell XPS 13
• HP Spectre x360
• Samsung Galaxy Book Pro
• Surface Pro 7
• Surface Laptop 4

At this point, my thinking is that if you really want Windows 11, your best route may be to buy a new PC. I personally will be setting up Windows 11 in a virtual machine and keeping it off of my actual PCs in the short term.

According to The Verge, Microsoft had a flaw in their Cosmos DB product that was kind of epic:

A flaw in Microsoft’s Azure Cosmos DB database product left more than 3,300 Azure customers open to complete unrestricted access by attackers. The vulnerability was introduced in 2019 when Microsoft added a data visualization feature called Jupyter Notebook to Cosmos DB. The feature was turned on by default for all Cosmos DBs in February 2021.

And who are those customers? Well:

A listing of Azure Cosmos DB clients includes companies like Coca-Cola, Liberty Mutual Insurance, ExxonMobil, and Walgreens, to name just a few.

That’s not exactly a insigicant company list.

The company that discovered the flaw got paid $40,000 by Microsoft for finding it. And here’s what the company who found the flaw said:

“This is the worst cloud vulnerability you can imagine,” said Ami Luttwak, Chief Technology Officer of Wiz, the security company that discovered the issue. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”

I wonder how Microsoft is going to explain this screw up. Well, here’s how they tried to do so:

“There is no evidence of this technique being exploited by malicious actors,” Microsoft told Bloomberg in an emailed statement. “We are not aware of any customer data being accessed because of this vulnerability.”

And:

In an update posted to the Microsoft Security Response Center, the company said its forensic investigation included looking through logs to find any current activity or similar events in the past. “Our investigation shows no unauthorized access other than the researcher activity,” said Microsoft.

Remember kids. The cloud is just someone else’s computer. And if you choose to use the cloud for sensitive or business critical activities, you need to trust that the cloud provider’s security is on point. And looking at this example, even Microsoft can screw this up. Thus you have to wonder if going to the cloud is really worth it.

Microsoft has warned that it has been tracking a widespread credential-phishing campaign that relies on open redirector links, while simultaneously suggesting it can defend against such attacks.

Here’s the warning:

Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections—including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems—before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.

The use of open redirects in email communications is common among organizations for various reasons. For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics. However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.

For instance, users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it. Likewise, traditional email gateway solutions may inadvertently allow emails from this campaign to pass through because their settings have been trained to recognize the primary URL without necessarily checking the malicious parameters hiding in plain sight.

Well, this is a very dangerous attack. But fortunately, Microsoft can protect you from this:

Microsoft Defender for Office 365 detects these emails and prevents them from being delivered to user inboxes using multiple layers of dynamic protection technologies, including a built-in sandbox that examines and detonates all the open redirector links in the messages, even in cases where the landing page requires CAPTCHA verification. This ensures that even the embedded malicious URLs are detected and blocked. Microsoft Defender for Office 365 is backed by Microsoft experts who enrich the threat intelligence that feeds into our solutions through expert monitoring of email campaigns.

And if you read the rest of this document, it is literally an ad for both Office 365 and Microsoft Defender for Office 365. I literally cannot find any other mitigation strategies that do not involve one of these two products. Am I the only person who thinks that this is a big “sus” to use an Among Us reference? While it is true that 91 per cent of all cyberattacks originate with email, Microsoft positioning itself as your savior makes this message seem to be little more than an ad. Which makes this a #Fail for Microsoft.

When Windows 11 was announced, the system requirements were so hefty that most PCs out there couldn’t run it. Including some of Microsoft’s own Surface hardware. I guess the heat got to Microsoft despite trying to clarify things. Because on Friday they announced a change to Windows 11 minimum operating requirements, though the loosened restrictions are not likely to make it likely that your PC will be able to run it.

So what’s the change?

Windows 11 requires a 1GHz or faster 64-bit CPU, 4GB of RAM, and 64GB of storage. Machines must also support UEFI secure boot, version 2.0 of the Trusted Platform Module (TPM) and include a graphics card compatible with DirectX 12. But they added the Intel Core X and Xeon W CPUs, as well as the Surface Studio 2’s Core i7-7820HQ, to the list of Windows 11-compatible processors. The addition is a nod to users who, despite owning fairly modern hardware (Core X and Xeon W are 7th-generation Intel designs), were seemingly left out in the cold when the operating system was announced.

But there’s a catch. Here’s what Microsoft said to The Verge:

Microsoft is announcing today that it won’t block people from installing Windows 11 on most older PCs. While the software maker has recommended hardware requirements for Windows 11 — which it’s largely sticking to — a restriction to install the OS will only be enforced when you try to upgrade from Windows 10 to Windows 11 through Windows Update. This means anyone with a PC with an older CPU that doesn’t officially pass the upgrade test can still go ahead and download an ISO file of Windows 11 and install the OS manually.

That sounds good right. Well, here’s the next thing that Microsoft said:

Microsoft now tells us that this install workaround is designed primarily for businesses to evaluate Windows 11, and that people can upgrade at their own risk as the company can’t guarantee driver compatibility and overall system reliability. Microsoft won’t be recommending or advertising this method of installing Windows 11 to consumers. In fact, after we published this post, Microsoft reached out to tell us about one potentially gigantic catch it didn’t mention during our briefing: systems that are upgraded this way may not be entitled to get Windows Updates, even security ones.

I’m sorry. That’s complete BS. And it reinforces what I said when this gong show started:

Microsoft may want to rethink this because this is the sort of thing that will drive people to go to the Apple store and have a look at those new M1 based Macs as they absolutely destroy anything that Intel makes, and Apple has a strong history of supporting computers that are as old as six or seven years in age. Which means the chances of getting screwed by Apple at some point are way less than they are with Microsoft. That’s good for Apple, and bad for Microsoft.

While they have started to rethink this, they haven’t gone far enough. And it will come back to bite them when Windows 11 ships. If not before.