Microsoft and the Next Fix Problem
July 11, 2022
I spotted a now routine story about a bug in Microsoft’s software. The story “Windows 11’s ‘Resolved’ Outlook Search Bug Resurfaces: When’s the Next Fix?” reveals a key insight into the software giant’s technical method.
I noted this statement in the article about an issue with search functionality in the Outlook email program, one of the original landscape apps which are pretty much orthogonal to the mobile phone’s display:
When doing a search in Outlook on Windows 11 PCs, the email program sometimes fails to provide results relevant to recent messages…
Yep, search. Microsoft. Not working.
But the important facet of the story appears in the story headline; specifically, “When’s the next fix?”
The Microsoft softies have experienced many issues with search and retrieval. Unlike Elizabeth Barrett Browning, I shall not count the ways. However, I will point out that there is now a fatalism about Microsoft. Stuff goes wrong. Microsoft attempts to fix the problem. Then the problem comes back.
Whether it is the outstanding security systems or the brilliance of Word’s fascinating approach to automatic numbering, fixes beget more fixes.
So here we are: Unfixable code, persistent issues, and a giant theme park of opportunities for people to make bad decisions, waste time, and hunt for security flaws.
Yep, next fix. Working11ood. Which time is the charm? Third, fourth, nth? Is there a macro for excellence? Wait, let’s roll that macro thing back.
Stephen E Arnold, July 11, 2022
What Microsoft Wants: Identity System and Data for Good Purposes Of Course
June 28, 2022
Microsoft wants its new Verified ID program to move beyond social media platforms. According to the article “Microsoft Wants Everything To Come With Its Verified Check Mark,” Microsoft wants Verified ID to validate more personal information, and it is starting with verifying credentials.
Verified ID would allow people to get digital credentials that prove where they graduated, their jobs, where they bank, and if they are in good health. Microsoft says Verified ID would be good for people who need to quickly share their personal information, such as on job applications. Verified ID uses blockchain-based decentralized identity standards. Microsoft plans to release Entra Verified ID, its official name, in August. The name for Microsoft’s identity product line is Entra.
Ankur Patel is a Microsoft principal program manager for digital identity, and he believes Entra Verified ID will be mainstream in three years:
“In the first year, it’s likely that Verified ID will be used by organizations in tandem with existing verification methods, both digital and analog, with a portion of their users, according to Patel. Wider adoption will depend, in part, on making sure that the service itself hasn’t “done harm,” he acknowledged.
One potential risk is that individuals might inadvertently share sensitive information with the wrong parties using the system, Patel said. ‘In the physical world, when you’re presenting these kinds of things, you’re careful — you don’t just give your birth certificate to anybody,’ he said. Microsoft is aiming to limit the issues in its own digital wallets with features meant to protect against this type of accidental exposure, Patel said.”
Microsoft wants to verify everyone’s information, but what about guaranteeing that its own products are real?
Whitney Grace, June 28, 2022
Microsoft: Helping Out Google Security. What about Microsoft Security?
June 14, 2022
While Microsoft is not among the big tech giants, the company still holds a prominent place within the technology industry. Microsoft studies rival services and products to gain insights and to share anything that lowers their standing, such as a security threat, as in “Microsoft Researchers Discover Serious Security Vulnerabilities In Big-Name Android Apps.” The Microsoft 365 Defender Research Team found a slew of severe vulnerabilities in the mce Systems mobile framework used by large companies, including Rogers Communications, Bell Canada, and AT&T, for their apps.
Android phones have these apps preinstalled in the OS and they are downloaded by millions of users. These vulnerabilities could allow bad actors to remotely attack phones. The types of attacks range from command injection to privilege escalation.
The Microsoft 365 Defender Research Team shared the discovery:
“Revealing details of its findings, the security research team says: ‘Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information’.
In the course of its investigation, the team found the mce Systems’ framework had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.”
Vulnerabilities also affected apps on Apple phones. Preinstalled apps simplify device activation and troubleshooting and optimize performance. Unfortunately, this gives the apps control over the majority of the phone, and bad actors will exploit them to gain access. Microsoft worked with mce Systems to fix the threats.
Interestingly, Microsoft found the security threats. Maybe Microsoft wants to reclaim its big tech title by protecting the world from Google’s spies?
Whitney Grace, June 14, 2022
Microsoft and Security: This Must Be an April Fool Joke in May, Right?
May 27, 2022
I read “Pwn2Own Hackers Just Broke Into Windows 11 and Teams in a Single Day.” Was this an Onion article? A write up from a former Punch writer? An output from Google’s almost human super capable smart software?
Nope. The source is a reliable online publication called Make Use Of or MUO to its friends.
I learned:
Day one of Pwn2Own is over, and taking a look at the bounty board shows that Microsoft’s software didn’t stand up well to the onslaught. The event saw three successful attacks on Microsoft Teams, and two against Windows 11. Each successful hack was rewarded accordingly, with the lowest bounty coming in at an impressive $40,000, and the biggest at an eye-watering $150,000.
Ah, Windows 11 and the feature-spawning Teams!
My view of Windows 11 is that it was pushed out to distract some Silicon Valley type news reporters from the massively bad SolarWinds’ misstep. Few agree with me.
Be that as it may, Windows 11 does not seem to be the paragon of security that I thought Microsoft explained. You know, the TPM thing and the idea that certain computers were not able to deal with the Milli Vanilli approach to security. Catchy lyrics, but not exactly what paying customers expected.
The article cited concludes with this statement:
With hackers putting up big wins against Microsoft’s apps at Pwn2Own, it shows that the company’s software is perhaps not as secure as it should be. Hopefully, Microsoft can publish fixes for these exploits before they fall into the wrong hands.
Will Microsoft, like Netgear, find that it cannot “fix” certain issues with its software and systems?
Stephen E Arnold, May 27, 2022
Some Criticism of Microsoft? Warranted or Not?
May 13, 2022
Microsoft’s LinkedIn comes out on top—in one regard, anyway. IT-Online reports, “LinkedIn the Brand Most Imitated for Phishing.” In its Brand Phishing Report for the first quarter of 2022, Check Point Research found the professional network was imitated in more than half of all phishing attempts during January, February, and March. The write-up tells us:
“Dominating the rankings for the first time ever, LinkedIn accounted for more than half (52%) of all phishing attempts during the quarter. This represents a dramatic 44% uplift from the previous quarter, where the professional networking site was in fifth position accounting for only 8% of phishing attempts. LinkedIn overtook DHL as the most targeted brand, which is now in second position and accounted for 14% of all phishing attempts during the quarter.”
Social media platforms in general jumped in popularity as phishing spots. Shipping companies like DHL, which became attractive targets with the rise in e-commerce, are now in second place. Apparently different types of companies make juicy bait for different kinds of attacks. The article quotes Check Point’s Omer Dembinsky:
“Some attacks will attempt to gain leverage over individuals or steal their information, such as those we’re seeing with LinkedIn. Others will be attempts to deploy malware on company networks, such as the fake emails containing spoof carrier documents that we’re seeing with the likes of Maersk.”
Of course, a phishing attack can only work if someone falls for it. Do not be that person. Dembinsky advises:
“The best defense against phishing threats, as ever, is knowledge. Employees in particular should be trained to spot suspicious anomalies such as misspelled domains, typos, incorrect dates and other details that can expose a malicious email or text message. LinkedIn users in particular should be extra vigilant over the course of the next few months.”
In Check Point’s list of the top ten companies to find themselves on phishing hooks, LinkedIn and DHL are followed by Google (at 7%), Microsoft (6%), FedEx (6%), WhatsApp (4%), Amazon (2%), Maersk (1%), AliExpress (0.8%), and Apple (0.8%).
Cynthia Murrell, May 13, 2022
Cyber Security: Oxymoron?
May 9, 2022
I read an interesting article called “Botnet That Hid for 18 Months Boasted Some of the Coolest Tradecraft Ever.” I am not sure I would have described the method as “cool,” but as some say, “Let many flowers bloom.”
The main point of the article is a sequence of actions which compromise a target without calling attention to the attack or leaving size 13 digital footprints. The diagrams provide a broad overview of the major components, but there are no code snippets. That’s a plus in my book because many cyber revelations are cookbooks with easy-to-follow recipes for dorm room cyber snacks.
What caught my attention is this statement in the excellent write up:
One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system.
I also noted:
“Once UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment,” the Mandiant researchers wrote. “In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes….”
With the core functionality of Microsoft software and services serving as the pivot on which the attacker’s system and methods turn, what does this suggest about cyber security going forward?
My answer: There is an attack surface of significant scope. Plus, undetectable but for specialized analyses. The ball is in the hands of Microsoft. The bad actors just toss it around.
Stephen E Arnold, May 9, 2022
NCC April Microsoft: Customer and User Focused?
April 29, 2022
Bill Gates designed Microsoft to make personal computers more user friendly. While the Microsoft operating system is among the easiest to learn, unfortunately it is also the most hackable. Black hat bad actors adore Microsoft systems, especially when the company releases a new update. Bleeping Computer shares a problem with the newest Windows update: “Microsoft: Windows Domain Controller Restarts Caused By LSASS Crashes.”
The bug occurred in the Local Security Authority Subsystem Service (LSASS). LSASS crashed, users lost access to their Windows accounts and were shown an error message, and then the system rebooted. The LSASS crash bug was one of many issues that a Microsoft patch fixed in January 2022:
“Microsoft addressed the LSASS crash issue in out-of-band updates released in mid-January 17 [1, 2] to fix numerous other critical bugs introduced during the January 2022 Patch Tuesday, including Hyper-V no longer starting, L2TP VPN connections failing, and ReFS volumes becoming inaccessible.”
Bad actors discover coding errors in Microsoft systems then exploit them. The bad actors detect many vulnerabilities during updates, then they quickly devise plans to take advantage of users. Threat Post explains a new hacker trick in, “Microsoft Accounts Targeted By Russian-Themed Credential Harvesting.” Russia has threatened cyber attacks with their current war plan, so it did not take long for bad actors to create spam campaigns. The spam email reads:
“Unusual sign-in activity
We detected something unusual about a recent sign-in to the Microsoft account
Sign-in details
• Country/region: Russia/Moscow
• IP address:
• Date: Sat, 26 Feb 2022 02:31:23 +0100
• Platform: Kali Linux
• Browser: Firefox
A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.
Report the user
Thanks,
The Microsoft account team”
As with other spam, users are encouraged to click on a link and submit a response. If users respond to the link, they will most likely receive an email asking for login details and payment information.
My thought was that Windows Defender and other Microsoft security services would handle these types of issues. Guess not.
Whitney Grace, April 29, 2022
Microsoft: A Consistently Juicy Target
April 25, 2022
I am perched in Washington, DC, checking news flows. What did I spy this morning (April 24, 2022)? This article caught my eye: “Microsoft Exchange Servers Are Being Infected with Ransomware.” Is this a remembrance from times past? The story asserts as actual factual (but who knows anymore?):
In the attack the team studied, Hive commenced its assault via the exploitation of ProxyShell, a collection of Microsoft Exchange Server vulnerabilities (and critical ones at that) that provide a way for attackers to remotely execute code. Microsoft reportedly patched this problem in 2021.
The key phrase in this allegedly accurate write up is “Microsoft reportedly patched this problem in 2021.”
Several observations:
- Yo Windows Defender and the other Microsoft security systems, “What’s shakin’?”
- What’s with the “reportedly”? If the write up is accurate, the problem was fixed.
- How many thousands of bad actors are involved in this problem? Probably quite a few because this is CaaS, crime as a service.
Net net: Microsoft may be faced with security problems for which there is no reliable remediation. PR, however, is quite easy to deploy.
Stephen E Arnold, April 25, 2022
Has the Softie Been Winged by EU Antitrust Regulators?
April 25, 2022
I read “Microsoft on EU Antitrust Regulators’ Radar after Cloud Practices Complaints by Rivals.” The big outfit in Redmond has been keeping a low profile, allowing Amazon, Apple, Facebook / Zuckbook, and Google to take the glow in the dark paint ball pellets. Now the Softie has been splatted in acid green polyethylene glycol. Lookin’ good in spring colors I suppose.
The write up states:
Microsoft’s rivals and customers have been served a questionnaire with various queries by EU antitrust regulators seeking information about the company’s business and licensing deals. The latest action hints at a possible formal investigation into Microsoft’s cloud business that might take place down the line.
Paint balls can sting, but direct hits are fairly safe, just messy. Take two or three in one eye, and the target might stumble around looking for a safe haven.
What competitors are not happy with Microsoft’s approach to the cloud market? The write up names NextCloud and OVHcloud, and others may have shared their thoughts.
The next volley of shots may not be from paint ball guns. More lethal weapons might be flown over the customer centric folks in Redmond. Microsoft has coughed up money in the past, and it may have to bleed some cash to make the possible legal drones stop dropping grenades from the clouds.
Stephen E Arnold, April xx, 2022
Microsoft: Twice Cooked PR with Ban Mao?
April 18, 2022
Going green is important. Microsoft is important. Therefore, Microsoft is going green. How’s that logic for you, gentle reader? The editors at Fast Company followed this line of reasoning and enjoyed a sizzling plate of twice cooked PR with ban mao in “Microsoft’s Hottest New Product Is a Wok.” Yep, a wok for the woke maybe?
The write up states:
The wok is part of Microsoft’s brand new all-electric kitchen at its headquarters outside Seattle, where nearly 50,000 employees are based. The company is adding 3 million square feet of offices and facilities, and the entire project is being designed to be powered by a vast geothermal system and produce zero carbon emissions. A big part of getting there was eliminating fossil fuels from its energy portfolio. And one of the biggest users of fossil fuels were the company’s kitchens.
I wonder if Microsoft and Fast Company looked at the Microsoft Azure server farms and calculated what percentage of the energy these installations consumed and then answered this question: How much of the energy consumed is of the going green, whale saving variety?
No.
No surprise. I would like a century egg too. I wonder if Fast Company has ordered some Microsoft ads to accompany the article.
Stephen E Arnold, April 18, 2022