The Canada-based company illegally collected “vast amounts of location data,” such as every time a person entered or left their home, workplace, or another coffee shop.

Canadian investigators determined that users of the Tim Hortons coffee chain's mobile app "had their movements tracked and recorded every few minutes of every day," even when the app wasn't open, in violation of the country's privacy laws.

"The Tim Hortons app asked for permission to access the mobile device's geolocation functions but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data," according to an announcement Wednesday by Canada's Office of the Privacy Commissioner. The federal office collaborated with provincial authorities in Quebec, British Columbia, and Alberta in the investigation of Tim Hortons.

"The app also used location data to infer where users lived, where they worked, and whether they were traveling," the Office of the Privacy Commissioner said. "It generated an 'event' every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace."

Tim Hortons scrapped plans to use the app for targeted advertising but "continued to collect vast amounts of location data" for another year "even though it had no legitimate need to do so," the Office of the Privacy Commissioner said. Tim Hortons said it used aggregated location data "to analyze user trends—for example, whether users switched to other coffee chains and how users' movements changed as the pandemic took hold," the federal office said.

“Inappropriate Form of Surveillance”

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers,” Canada Privacy Commissioner Daniel Therrien said. “Following people's movements every few minutes of every day was clearly an inappropriate form of surveillance."

Tim Hortons has more than 5,100 stores in 13 countries. Most are in Canada, but there are more than 600 in the US, mostly in New York, Michigan, and Ohio.

Tim Hortons halted the continual tracking of users' locations in 2020 after the government began investigating. But that "did not eliminate the risk of surveillance" because "Tim Hortons' contract with an American third-party location services supplier contained language so vague and permissive that it would have allowed the company to sell 'de-identified' location data for its own purposes," the Office of the Privacy Commissioner said. As the office noted, there "is a real risk that de-identified geolocation data could be re-identified."

Tim Hortons agreed to implement the agencies' recommendations but apparently will not face any punishment. The investigative report said that Tim Hortons' commitments "will bring the company into compliance" with Canadian law and that "we therefore find this matter to be well-founded and conditionally resolved." That's the language used when an organization violates Canadian privacy laws but has "committed to implementing satisfactory corrective actions."

The announcement said Tim Hortons agreed to "delete any remaining location data and direct third-party service providers to do the same," implement a privacy program that "includes privacy impact assessments for the app and any other apps it launches," implement "a process to ensure information collection is necessary and proportional to the privacy impacts identified," and ensure "that privacy communications are consistent with, and adequately explain, app-related practices." Tim Hortons also agreed to report back to the government with details on its compliance.

Reporter Uncovered Privacy Violation

The investigation began after a June 2020 Financial Post report titled "Double-double tracking: How Tim Hortons knows where you sleep, work, and vacation." Reporter James McLeod found that "Tim Hortons had recorded my longitude and latitude coordinates more than 2,700 times in less than five months, and not just when I was using the app," even though the app "told customers that it tracks location 'only when you have the app open.'"

Tim Hortons' statement said, "In June 2020, we took immediate steps to improve how we communicate with guests about the data they share with us and began reviewing our privacy practices with external experts. Shortly thereafter, we proactively removed the geolocation technology outlined in the report from the Tims app. Data from this geolocation technology was never used for personalized marketing for individual guests. The very limited use of this data was on an aggregated, de-identified basis to study trends in our business—and the results did not contain personal information from any guests."

Alberta Information and Privacy Commissioner Jill Clayton said the investigation provides "yet another example where an organization has not effectively notified customers about its practices. Tim Hortons' customers did not have adequate information to consent to the location tracking that was actually occurring."

_This story originally appeared on_ _Ars Technica__._

Your Tim Hortons Coffee App Knew Where You Were at All Times

The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows.

Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that “a remote, unauthenticated attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED yesterday.

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft has not classified it as such.

“After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it,” says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic.

 “While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” Hegel says. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.” 

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation. 

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected. 

“We are seeing a variety of APT actors incorporate this technique into longer infection chains that utilize the Follina vulnerability," says Michael Raggi, a staff threat researcher at the security firm Proofpoint who focuses on Chinese government-backed hackers. "For instance, on May 30, 2022, we observed Chinese APT actor TA413 send a malicious URL in an email which impersonated the Central Tibetan Administration. Different actors are slotting in the Follina-related files at different stages of their infection chain, depending on their preexisting toolkit and deployed tactics.”

Researchers have also seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina hacks are particularly useful to attackers because they can stem from malicious documents without relying on Macros, the much-abused Office document feature that Microsoft has worked to rein in.

“Proofpoint has identified a variety of actors incorporating the Follina vulnerability within phishing campaigns," says Sherrod DeGrippo, Proofpoint's vice president of threat research.

With all this real-world exploitation, the question is whether the guidance Microsoft has published so far is adequate and proportionate to the risk. 

“Security teams could view Microsoft’s nonchalant approach as a sign that this is ‘just another vulnerability,’ which it most certainly is not,” says Jake Williams, director of cyber threat intelligence at the security firm Scythe. “It’s not clear why Microsoft continues to downplay this vulnerability, especially while it’s being actively exploited in the wild.”

An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch

A new proposal by India's telecom regulator aims to make accurate caller ID mandatory, but critics say it may be fundamentally flawed.

Indian phone users may not have to wonder who that “unknown” caller is for too much longer. Regulatory changes being considered might help them avoid that pesky telemarketer and the annoying call from a bank customer care executive trying to sell insurance.

In an attempt to combat the plague of spam calls, India’s telecom regulator is in the process of drafting a consultation paper supporting a mechanism that would allow phones to display the name of a caller even if the number is not saved on that person's phone. This name will be sourced from the Know Your Customer (KYC) data that telecom operators are required to collect from users before providing them with a SIM card.

“We are in the process of preparing a consultation paper,” Syed Tausif Abbas, an advisor to Telecom Regulatory Authority of India, tells WIRED. “It will take maybe one month at least. Once the paper is \[ready\], it will be in public domain for the comments of stakeholders.”

India has witnessed a sharp rise in spam calls over the past year. According to a report by Swedish company Truecaller—which counts India as its biggest market—the country was the fourth-highest spammed of the 20 it surveyed in 2021, climbing from ninth-highest the year before. Over 200 million calls came from just one spammer between January and October 2021, according to the company. Even though the majority of the calls were spam, over 1 percent of them were scams in which the callers pretended to be from a bank or a financial technology startup and asked customers for their personal details. Over the past few years, Indians have had to deal with a barrage of fraudulent calls that have caused some to lose money.

While Truecaller—and similar apps—can help identify the caller’s identity in some cases, the information may not be accurate, as it is crowdsourced rather than based on official data. And while India’s attempt to fight spam and scam callers on a larger scale may help make citizens more aware of who’s calling them, some policy experts say the effort will be futile and raises questions of privacy.

Pranesh Prakash, policy director of the Center for Internet and Society, says knowing who a number is connected to and being able to dodge spam or scam calls would in some ways be helpful. “It might be good for people to know they are talking to so and so, or the cell phone is registered under so and so’s name, \[especially\] if they have been subject to fraud or something like that. So it might actually be useful from that perspective,” says Prakash. But he’s not entirely sold on the idea.

His biggest concern about this proposal is the sharing of KYC data with the government in the absence of a comprehensive data protection law in India. “There’s an anemic provision of the IT \[Information Technology\] Act, which acts as a data protection provision, so what the government does with the data that you have entrusted to it isn’t actually governed by a law,” says Prakash. That said, the data privacy draft law is expected to be discussed in the Indian Parliament soon, and if passed it could provide a layer of protection for user data.

But there are other concerns. Archana Sivasubramanian, a senior researcher with the Centre for Policy Research, questions the overall utility of the plan: If the intention is just to let people know who is calling, it does not address the underlying problem of spam. “What purpose is it serving if it just notifies the caller that this person is calling,” she says. “It’s not fully solving the problems of spam calling.” 

Sivasubramanian points to the US’s Truth in Caller ID Act, which President Barack Obama signed into law in 2010, as an approach India could draw on. This legislation outlaws ID spoofing and prosecutes robocallers, and it also has an authentication function to automatically identify robocalls. “The US has protocols on how to authenticate calls which filter out the robocalls, and \[then\] they have prosecution for that,” says Sivasubramanian. “Here \[in India\], by just displaying caller ID, yes I will know the number, but will it cause any less frustration just because I can see a name associated with that spam call? I don’t think so.”

The Fight Against Robocall Spam and Scams Heats Up in India

Indian phone users may not have to wonder who that “unknown” caller is for too much longer. Regulatory changes being considered might help them avoid that pesky telemarketer and the annoying call from a bank customer care executive trying to sell insurance.

In an attempt to combat the plague of spam calls, India’s telecom regulator is in the process of drafting a consultation paper supporting a mechanism that would allow phones to display the name of a caller even if the number is not saved on that person's phone. This name will be sourced from the Know Your Customer (KYC) data that telecom operators are required to collect from users before providing them with a SIM card.

“We are in the process of preparing a consultation paper,” Syed Tausif Abbas, an advisor to Telecom Regulatory Authority of India, tells WIRED. “It will take maybe one month at least. Once the paper is \[ready\], it will be in public domain for the comments of stakeholders.”

India has witnessed a sharp rise in spam calls over the past year. According to a report by Swedish company Truecaller—which counts India as its biggest market—the country was the fourth-highest spammed of the 20 it surveyed in 2021, climbing from ninth-highest the year before. Over 200 million calls came from just one spammer between January and October 2021, according to the company. Even though the majority of the calls were spam, over 1% of them were scams in which the callers pretended to be from a bank or a financial technology startup and asked customers for their personal details. Over the past few years, Indians have had to deal with a barrage of fraudulent calls that have caused some to lose money.

While Truecaller—and similar apps—can help identify the caller’s identity in some cases, the information may not be accurate, as it is crowdsourced rather than based on official data. And while India’s attempt to fight spam and scam callers on a larger scale may help make citizens more aware of who’s calling them, some policy experts say the effort will be futile and raises questions of privacy.

Pranesh Prakash, policy director of the Center for Internet and Society, says knowing who a number is connected to and being able to dodge spam or scam calls would in some ways be helpful. “It might be good for people to know they are talking to so and so, or the cell phone is registered under so and so’s name, \[especially\] if they have been subject to fraud or something like that. So it might actually be useful from that perspective,” says Prakash. But he’s not entirely sold on the idea.

His biggest concern about this proposal is the sharing of KYC data with the government in the absence of a comprehensive data protection law in India. “There’s an anemic provision of the IT \[Information Technology\] Act, which acts as a data protection provision, so what the government does with the data that you have entrusted to it isn’t actually governed by a law,” says Prakash. That said, the data privacy draft law is expected to be discussed in the Indian Parliament soon, and if passed it could provide a layer of protection for user data.

But there are other concerns. Shalini Sivasubramanian, a senior researcher with the Centre for Policy Research, questions the overall utility of the plan: If the intention is just to let people know who is calling, it does not address the underlying problem of spam. “What purpose is it serving if it just notifies the caller that this person is calling,” she says. “It’s not fully solving the problems of spam calling.” 

Sivasubramanian points to the US’s Truth in Caller ID Act, which President Barack Obama signed into law in 2010, as an approach India could draw on. This legislation outlaws ID spoofing and prosecutes robocallers, and it also has an authentication function to automatically identify robocalls. “The US has protocols on how to authenticate calls which filter out the robocalls, and \[then\] they have prosecution for that,” says Sivasubramanian. “Here \[in India\], by just displaying caller ID, yes I will know the number, but will it cause any less frustration just because I can see a name associated with that spam call? I don’t think so.”

Voice recognition—and data collection—have boomed in recent years. Researchers are figuring out how to protect your privacy.

Your voice reveals more about you than you realize. To the human ear, your voice can instantly give away your mood, for example—it’s easy to tell if you’re excited or upset. But machines can learn a lot more: inferring your age, gender, ethnicity, socio-economic status, health conditions, and beyond. Researchers have even been able to generate images of faces based on the information contained in individuals’ voice data.

As machines become better at understanding you through your voice, companies are cashing in. Voice recognition systems—from Siri and Alexa to those using your voice as your password—have proliferated in recent years as artificial intelligence and machine learning have unlocked the ability to understand not just what you are saying but who you are. Big Voice may be a $20 billion industry within a few years. And as the market grows, privacy-focused researchers are increasingly searching for ways to protect people from having their voice data used against them.

Vocal Threats

Both the words you say and how you say them can be used to identify you, says Emmanuel Vincent, a senior research scientist specializing in voice technologies at France’s National Institute for Research in Digital Science and Technology (Inria), but this is only the beginning. “You will also find other pieces of information about your emotions or your medical condition,” Vincent says.

“These additional pieces of information help build a more complete profile—then this would be used for all sorts of targeted advertisements,” Vincent says. As well as your voice data potentially feeding into the vast realm of data used to show you online ads, there’s also the risk that hackers could access the location where your voice data is stored and use it to impersonate you. A small number of these cloning incidents have already happened, proving the value your voice holds. Simple robocall scams have also recorded people saying “yes” to use the confirmation in payment scams.

Last year, TikTok changed its privacy policies and started collecting the voiceprints—a loose term for the data your voice contains—of people in the US alongside other biometric data, such as your faceprint. More broadly, call centers are using AI to analyze people’s “behavior and emotion” during phone calls and evaluate the “tone, pace, and pitch of every single word” to develop profiles of people and increase sales. “We’re almost in a situation where the systems to recognize who you are and link everything together exist, but the protection is not there—and it’s still quite far away from being readily usable,” says Henry Turner, who researched the security of voice systems at the University of Oxford.

Hidden Meaning

Your voice is produced through a complex process involving the lungs and your voice box, throat, nose, mouth, and sinuses. More than a hundred muscles are activated when you speak, says Rébecca Kleinberger, a voice researcher at the MIT Media Lab. “It's also very much the brain,” Kleinberger says. 

Researchers are experimenting with four ways to enhance privacy for your voice, says Natalia Tomashenko, a researcher at Avignon University, France, who has been studying voice and is the first author of a research paper on the results of a voice privacy engineering challenge. None of the methods are perfect, but they are being explored as possible ways to boost privacy in the infrastructure processing your voice data.

First is obfuscation, which tries to completely hide who the speaker is. Think of a Hollywood depiction of a hacker totally distorting their voice over a phone call as they explain a devilish plot or ransom (or hacktivist collective Anonymous’s promotional videos). Simple voice-changing hardware allows anyone to quickly change the sound of their voice. More advanced speech-to-text-to-speech systems can transcribe what you’re saying and then reverse the process and say it in a new voice.

Second, Tomashenko says, researchers are looking at distributed and federated learning—where your data doesn’t leave your device but machine learning models still learn to recognize speech by sharing their training with a bigger system. Another approach involves building encrypted infrastructure to protect people’s voices from snooping. However, most efforts are focused on voice anonymization.

Anonymization attempts to keep your voice sounding human while stripping out as much of the information that could be used to identify you as possible. Speech anonymization efforts currently involve two separate strands: anonymizing the content of what someone is saying by deleting or replacing any sensitive words in files before they are saved and anonymizing the voice itself. Most voice anonymization efforts at the moment involve passing someone’s voice through experimental software that will change some of the parameters in the voice signal to make it sound different. This can involve altering the pitch, replacing segments of speech with information from other voices, and synthesizing the final output.

Does anonymization technology work? Male and female voice clips that were anonymized as part of the Voice Privacy Challenge in 2020 definitely do sound different. They’re more robotic, sound slightly pained and could—to some listeners at least—be from a different person than the original voice clips. “I think it can already guarantee a much higher level of protection than doing nothing, which is the current status,” says Vincent, who has been able to reduce how easy it is to identify people in anonymization research. However, humans aren’t the only listeners. Rita Singh, an associate professor in Carnegie Mellon University’s Language Technologies Institute, says that total de-identification of the voice signal is not possible, as machines will always have the potential to make links between attributes and individuals, even connections that aren’t clear to humans. “Is the anonymization with respect to a human listener or is it with respect to a machine listener?” says Shri Narayanan, a professor of electrical and computer engineering at the University of Southern California.

“True anonymization is not possible without completely changing the voice,” Singh says. “When you completely change the voice, then it's not the same voice.” Despite this, it is still worth developing voice-privacy technology, Singh adds, as no privacy or security system is totally secure. Fingerprints and face identification systems on iPhones have been spoofed in the past, but overall, they’re still an effective method of protecting people’s privacy.

Bye, Alexa

Your voice is increasingly being used as a way to verify your identity. For example, a growing number of banks and other companies are analyzing your voiceprints, with your permission, to replace your password. There’s also the potential for voice analysis to detect illness before other signs are obvious. But the technology to clone or fake someone’s voice is advancing quickly.

If you have a few minutes of someone’s voice recorded, or in some instances a few seconds, it’s possible to recreate that voice using machine learning—_The Simpsons’_ voice actors could be replaced by deep fake voice clones, for instance. And commercial tools for recreating voices are readily available online. “There’s definitely more work in speaker identification and producing speech to text and text to speech than there is in protecting people from any of those technologies,” Turner says.

Many of the voice anonymization techniques being developed at the moment are still a long way from being used in the real world. When they are ready to be used it’s likely that companies will have to implement tools themselves, to protect their customers' privacy—there’s currently little individuals can do to protect their own voice. Avoiding calls with call centers or companies that use voice analysis, and not using voice assistants, could limit how much your voice is recorded and reduce possible attack opportunities.

But the biggest protections may come from legal cases and protections. Europe’s GDPR covers biometric data, including people’s voices, in its privacy protections. Guidelines say people should be told how their data is being used and provide consent if they’re being identified, and that some restrictions should be placed on personalization. Meanwhile, in the US, courts in Illinois— home to some of the strongest biometric laws in the country—are increasingly inspecting cases involving people’s voice data. McDonald’s, Amazon, and Google are all facing judicial scrutiny over how they use people’s voice data. The decisions in these cases could lay down new rules for the protection of people’s voices.

The Race to Hide Your Voice

Plus: Google patches 36 Android vulnerabilities, Cisco fixes three high-severity issues, and VMWare closes two “serious” flaws.

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15-point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel, as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft’s update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another updateFirefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities, including an issue already being exploited by attackers. This exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it has taken a while to reach devices.

You Need to Update iOS, Chrome, Windows, and Zoom ASAP

May has been another busy month of security updates, with Google’s Chrome browser and Android operating system, Zoom, and Apple’s iOS releasing patches to fix serious vulnerabilities.

Meanwhile, things have not run smoothly for Microsoft, which was forced to issue an out-of-band update after a disastrous Patch Tuesday during the month. And Cisco, Nvidia, Zoom, and VMWare all issued patches for pressing flaws.

Here’s what you need to know.

Apple iOS and iPadOS 15.5, macOS Big Sur 11.6.6, tvOS 15.5, watchOS 8.6

With Apple due to announce iOS 16 at its Worldwide Developers Conference in June, the iPhone maker released probably its last major iOS 15 point update in May. It came with new features, but iOS and iPadOS 15.5 also fixed 34 security vulnerabilities, some of which are serious.

Security issues fixed in iOS 15.5 include flaws in the Kernel as well as in the WebKit browser engine, according to Apple’s support page. Thankfully, none of the issued patches in iOS and iPad 15.5 are being used in attacks, according to the company, but that doesn’t mean they won’t be if you don’t update now.

Meanwhile, users of macOS, tvOS, and the Apple Watch should update their devices ASAP, as Apple also issued an emergency update to patch an issue it believes is already being used in attacks. The flaw in Apple AVD, labeled CVE-2022-22675, could allow an app to execute code with Kernel privileges. Issues in the Kernel are as bad as it gets, so it’s worth checking and updating your devices right away.

Microsoft’s Flubbed May Patch Tuesday

Microsoft’s May Patch Tuesday was something of a disaster for the diligent businesses that installed it straight away.

On May 10, the firm issued security updates to fix 75 vulnerabilities, eight labeled as serious and three that were being exploited by attackers. The issues fixed in May’s Patch Tuesday were important, but there were soon problems for some Microsoft users, who reported authentication failures after installing the latest updates. It impacted people using the client and server Windows platforms and systems running all Windows versions, including Windows 11 and Windows Server 2022.

In a bid to fix the problem, the firm was forced to issue an out-of-band update for Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 on May 20. The update won’t install automatically—you need to download it from Microsoft's update catalog.

Firefox 100.0.2

In early May, Mozilla released Firefox 100, including nine security fixes for its Firefox browser, of which seven were rated as high severity. But later in May, ethical hackers at the Pwn20wn competition in Vancouver were able to demonstrate how attackers could execute JavaScript code on devices running the latest Mozilla software. Mozilla fixed the issues in another update, Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, and Thunderbird 91.9.1. Click those update buttons.

Android

May’s Android security update is a big one, patching 36 vulnerabilities including an issue already being exploited by attackers. The already exploited flaw is a privilege escalation bug in the Linux Kernel known as “The Dirty Pipe.”

The flaw, which impacts newer Android devices running Android 12 and later, was disclosed by Google in February, but it’s taken a while to reach devices.

Source

Wired