Though the cybersecurity vendor has since reverted the update, chaos continues as companies continue to struggle to get back up and running.

Source: SOPA Images Limited via Alamy Stock Photo

This is a breaking news story and will be updated as new developments occur.

This morning, Microsoft servers across the world displayed the dreaded "blue screen of death," leading to mass IT outages that disrupted business, airlines and flights, healthcare providers, banks, and more. The cause: A defective update to CrowdStrike Falcon Sensor, a widely used cloud-based endpoint detection and prevention (EDR) software program.

CrowdStrike said its engineering team has identified the issue that caused the massive disruption to Windows-based systems: A bug in the Memory Scanning prevention policy, which was not identified during their testing stages, Callie Guenther, senior manager at Critical Start, noted in an emailed statement.

"While CrowdStrike likely performed standard regression and functionality tests, these were insufficient because they did not simulate the real-world deployment environment where the bug caused the Falcon sensor to consume 100% of a CPU core," she wrote. This ultimately led to system performance issues.

CrowdStrike has since reverted the flawed Falcon software update. Even so, some users are still experiencing system crashes or are unable to stay online to receive the new and fixed version. The cybersecurity vendor has provided workaround steps for this issue.

In a post on social platform X, Microsoft CEO Satya Nadella said the company is aware of the issue and is working closely with CrowdStrike to provide technical support to its customers and get their systems back online.

**Falcon Fallout**

The severity of the broken CrowdStrike update became increasingly painful as victim reports rolled in throughout the day: More than 1,300 flights have been canceled or delayed, trains, card payments in stores, pharmacies, and even general practitioner (GP) surgeries were stalled. 

The Department of Health in Belfast reported that two-thirds of GP practices in Northern Ireland have been affected, with patient records inaccessible as well as lab tests and routine prescriptions.

Delta flights have been paused as it "works through a vendor technology issue," the New York Times reported, and Turkish Airlines has canceled at least 84 flights. Employees at financial institutions like JPMorgan Chase and Instinet have had trouble accessing their corporate systems as operations began to stutter.

Even the Paris Olympics organizing committee reports that its IT operations have been affected, mainly affecting delivery of uniforms and accreditations.

Meanwhile, President Joe Biden has been briefed on the outage, according to the White House, and administration officials are reportedly in touch with affected entities as well as CrowdStrike, which is working with customers that have been impacted.

"Mac and Linux hosts are not impacted," George Kurtz, president and CEO of CrowdStrike, wrote online. "This is not a security incident or cyberattack. The issue has been identified \[and isolated,\] and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website."

**It's Not a Data Breach, but it's a Disaster**

In an industry where cybersecurity practices and services are meant to protect an enterprise without interrupting them, this outage proves that "even non-malicious cybersecurity failures can bring businesses to their knees," according to Maxine Holt, cybersecurity analyst at Omdia.

This massive incident underscores an over-reliance on cloud services, Holt noted in an online statement, and the outage may prompt organizations to reconsider moving their mission-critical applications to the cloud.

"Omdia's Cloud and Data Center analysts have long warned about over-reliance on cloud services," Holt said. "Today's outages will make enterprises rethink moving mission-critical applications off-premises. The ripple effect is massive, hitting CrowdStrike, Microsoft, AWS, Azure, Google, and beyond. CrowdStrike's shares have plummeted by more than 20% in unofficial pre-market trading in the US, translating to a staggering $16 billion loss in value."

As CrowdStrike will undoubtedly face scrutiny as it gets back on its feet, only time will tell how this outage could affect regulation and pressure on software vendors.

"We need stronger regulations and guidance on vendor responsibilities for functional testing," Josh Thorngren, security strategist at ForAllSecure, wrote in an emailed statement. "If you're not testing the behavior of your application under-expected (and unexpected) conditions with every update — this type of issue will always be a risk."

Buggy CrowdStrike EDR Update Crashes Windows Systems Worldwide

Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild.
Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser

Endpoint Security / Vulnerability

Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild.

Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser over the past month.

The two security shortcomings that have come under exploitation are below -

*   **CVE-2024-38080** (CVSS score: 7.8) - Windows Hyper-V Elevation of Privilege Vulnerability
*   **CVE-2024-38112** (CVSS score: 7.5) - Windows MSHTML Platform Spoofing Vulnerability

"Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment," Microsoft said of CVE-2024-38112. "An attacker would have to send the victim a malicious file that the victim would have to execute."

Check Point security researcher Haifei Li, who has been credited with discovering and reporting the flaw in May 2024, said that threat actors are leveraging specially-crafted Windows Internet Shortcut files (.URL) that, upon clicking, redirects victims to a malicious URL by invoking the retired Internet Explorer (IE) browser.

"An additional trick on IE is used to hide the malicious .HTA extension name," Li explained. "By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim's computer, although the computer is running the modern Windows 10/11 operating system."

"CVE-2024-38080 is an elevation of privilege flaw in Windows Hyper-V," Satnam Narang, senior staff research engineer at Tenable, said. "A local, authenticated attacker could exploit this vulnerability to elevate privileges to SYSTEM level following an initial compromise of a targeted system."

While the exact specifics surrounding the abuse of CVE-2024-38080 is currently unknown, Narang noted that this is the first of the 44 Hyper-V flaws to come under exploitation in the wild since 2022.

Two other security flaws patched by Microsoft have been listed as publicly known at the time of the release. This includes a side-channel attack called FetchBench (CVE-2024-37985, CVSS score: 5.9) that could enable an adversary to view heap memory from a privileged process running on Arm-based systems.

The second publicly disclosed vulnerability in question is CVE-2024-35264 (CVSS score: 8.1), a remote code execution bug impacting .NET and Visual Studio.

"An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition," Redmond said in an advisory. "This could result in remote code execution."

Also resolved as part of Patch Tuesday updates are 37 remote code execution flaws affecting the SQL Server Native Client OLE DB Provider, 20 Secure Boot security feature bypass vulnerabilities, three PowerShell privilege escalation bugs, and a spoofing vulnerability in the RADIUS protocol (CVE-2024-3596 aka BlastRADIUS).

"\[The SQL Server flaws\] specifically affect the OLE DB Provider, so not only do SQL Server instances need to be updated, but client code running vulnerable versions of the connection driver will also need to be addressed," Rapid7's Lead Product Manager Greg Wiseman said.

"For example, an attacker could use social engineering tactics to dupe an authenticated user into attempting to connect to a SQL Server database configured to return malicious data, allowing arbitrary code execution on the client."

Rounding off the long list of patches is CVE-2024-38021 (CVSS score: 8.8), a remote code execution flaw in Microsoft Office that, if successfully exploited, could permit an attacker to gain high privileges, including read, write, and delete functionality.

Morphisec, which reported the flaw to Microsoft in late April 2024, said the vulnerability does not require any authentication and poses a severe risk due to its zero-click nature.

"Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage without any user interaction," Michael Gorelik said. "The absence of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation."

The fixes come as Microsoft announced late last month that it will begin issuing CVE identifiers for cloud-related security vulnerabilities going forward in an attempt to improve transparency.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors in the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   AMD
*   Apple
*   Arm
*   Broadcom (including VMware)
*   Cisco
*   Citrix
*   CODESYS
*   D-Link
*   Dell
*   Drupal
*   Emerson
*   F5
*   Fortinet
*   Fortra FileCatalyst Workflow
*   GitLab
*   Google Android
*   Google Chrome
*   Google Cloud
*   Google Pixel
*   Google Wear OS
*   Hitachi Energy
*   HP
*   HP Enterprise
*   IBM
*   Ivanti
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Mozilla Firefox and Firefox ESR
*   NETGEAR
*   NVIDIA
*   OpenSSH
*   Progress Software
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Splunk
*   Spring Framework
*   TP-Link
*   Veritas
*   WordPress, and
*   Zoom

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's July Update Patches 143 Flaws, Including Two Actively Exploited

Red Hat Security Advisory 2024-4352-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Issues addressed include double free, memory leak, null pointer, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4352.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel-rt security and bug fix update  
Advisory ID:        RHSA-2024:4352-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4352  
Issue date:         2024-07-08  
Revision:           03  
CVE Names:          CVE-2020-26555  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[Updated 03 July 2024]

The text of this advisory has been updated with the correct product name (Red  
Hat Enterprise Linux 8) in the Topics section. In the Problem Description  
section, CVEs of the same sub-components have been grouped together. The  
packages included in this revised update have not been changed in any way from  
the packages included in the original advisory.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: tls (CVE-2024-26585,CVE-2024-26584, CVE-2024-26583

* kernel-rt: kernel: PCI interrupt mapping cause oops [rhel-8] (CVE-2021-46909)

* kernel: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry (CVE-2021-47069)

* kernel: hwrng: core - Fix page fault dead lock on mmap-ed hwrng (CVE-2023-52615)

* kernel-rt: kernel: drm/amdgpu: use-after-free vulnerability (CVE-2024-26656)

* kernel: Bluetooth: Avoid potential use-after-free in hci_error_reset CVE-2024-26801)

* kernel: Squashfs: check the inode number is not the invalid value of zero  (CVE-2024-26982)

* kernel: netfilter: nf_tables: use timestamp to check for set element timeout (CVE-2024-27397)

* kernel: wifi: mac80211: (CVE-2024-35789, CVE-2024-35838, CVE-2024-35845)

* kernel: wifi: nl80211: reject iftype change with mesh ID change (CVE-2024-27410)

* kernel: perf/core: Bail out early if the request AUX area is out of bound (CVE-2023-52835)

* kernel:TCP-spoofed ghost ACKs and leak initial sequence number (CVE-2023-52881)

* kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)

* kernel: ovl: fix leaked dentry (CVE-2021-46972)

* kernel: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios (CVE-2021-47073)

* kernel: mm/damon/vaddr-test: memory leak in damon_do_test_apply_three_regions() (CVE-2023-52560)

* kernel: ppp_async: limit MRU to 64K (CVE-2024-26675)

* kernel: mm/swap: fix race when skipping swapcache (CVE-2024-26759)

* kernel: RDMA/mlx5: Fix fortify source warning while accessing Eth segment (CVE-2024-26907)

* kernel: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (CVE-2024-26906)

* kernel: net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804)

* kernel: net/usb: kalmia: avoid printing uninitialized value on error path (CVE-2023-52703)

* kernel: KVM: SVM: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs (CVE-2023-5090)

* kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c (CVE-2023-52464)

* kernel: ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: net/bnx2x: Prevent access to a freed page in page_pool (CVE-2024-26859)

* kernel: crypto: (CVE-2024-26974, CVE-2023-52813)

* kernel: can: (CVE-2023-52878, CVE-2021-47456)

* kernel: usb: (CVE-2023-52781, CVE-2023-52877)

* kernel: net/mlx5e: fix a potential double-free in fs_any_create_groups (CVE-2023-52667)

* kernel: usbnet: sanity check for maxpacket (CVE-2021-47495)

* kernel: gro: fix ownership transfer (CVE-2024-35890)

* kernel: erspan: make sure erspan_base_hdr is present in skb->head (CVE-2024-35888)

* kernel: tipc: fix kernel warning when sending SYN message (CVE-2023-52700)

* kernel: net/mlx5/mlxsw: (CVE-2024-35960, CVE-2024-36007, CVE-2024-35855)

* kernel: net/mlx5e: (CVE-2024-35959, CVE-2023-52626, CVE-2024-35835)

* kernel: mlxsw: (CVE-2024-35854, CVE-2024-35853, CVE-2024-35852)

* kernel: net: (CVE-2024-35958, CVE-2021-47311, CVE-2021-47236, CVE-2021-47310)

* kernel: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004)

* kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)

* kernel: udf: Fix NULL pointer dereference in udf_symlink function (CVE-2021-47353)

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-8.10.z kernel (JIRA:RHEL-40882)

* [rhel8.9][cxgb4]BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/54735 (JIRA:RHEL-8779)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-26555

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1918601  
https://bugzilla.redhat.com/show_bug.cgi?id=2248122  
https://bugzilla.redhat.com/show_bug.cgi?id=2258875  
https://bugzilla.redhat.com/show_bug.cgi?id=2265517  
https://bugzilla.redhat.com/show_bug.cgi?id=2265519  
https://bugzilla.redhat.com/show_bug.cgi?id=2265520  
https://bugzilla.redhat.com/show_bug.cgi?id=2265800  
https://bugzilla.redhat.com/show_bug.cgi?id=2266408  
https://bugzilla.redhat.com/show_bug.cgi?id=2266831  
https://bugzilla.redhat.com/show_bug.cgi?id=2267513  
https://bugzilla.redhat.com/show_bug.cgi?id=2267518  
https://bugzilla.redhat.com/show_bug.cgi?id=2267730  
https://bugzilla.redhat.com/show_bug.cgi?id=2270093  
https://bugzilla.redhat.com/show_bug.cgi?id=2271680  
https://bugzilla.redhat.com/show_bug.cgi?id=2272692  
https://bugzilla.redhat.com/show_bug.cgi?id=2272829  
https://bugzilla.redhat.com/show_bug.cgi?id=2273204  
https://bugzilla.redhat.com/show_bug.cgi?id=2273278  
https://bugzilla.redhat.com/show_bug.cgi?id=2273423  
https://bugzilla.redhat.com/show_bug.cgi?id=2273429  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2275633  
https://bugzilla.redhat.com/show_bug.cgi?id=2275635  
https://bugzilla.redhat.com/show_bug.cgi?id=2275733  
https://bugzilla.redhat.com/show_bug.cgi?id=2278337  
https://bugzilla.redhat.com/show_bug.cgi?id=2278354  
https://bugzilla.redhat.com/show_bug.cgi?id=2280434  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281113  
https://bugzilla.redhat.com/show_bug.cgi?id=2281157  
https://bugzilla.redhat.com/show_bug.cgi?id=2281165  
https://bugzilla.redhat.com/show_bug.cgi?id=2281251  
https://bugzilla.redhat.com/show_bug.cgi?id=2281253  
https://bugzilla.redhat.com/show_bug.cgi?id=2281255  
https://bugzilla.redhat.com/show_bug.cgi?id=2281257  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2281350  
https://bugzilla.redhat.com/show_bug.cgi?id=2281689  
https://bugzilla.redhat.com/show_bug.cgi?id=2281693  
https://bugzilla.redhat.com/show_bug.cgi?id=2281920  
https://bugzilla.redhat.com/show_bug.cgi?id=2281923  
https://bugzilla.redhat.com/show_bug.cgi?id=2281925  
https://bugzilla.redhat.com/show_bug.cgi?id=2281953  
https://bugzilla.redhat.com/show_bug.cgi?id=2281986  
https://bugzilla.redhat.com/show_bug.cgi?id=2282394  
https://bugzilla.redhat.com/show_bug.cgi?id=2282400  
https://bugzilla.redhat.com/show_bug.cgi?id=2282471  
https://bugzilla.redhat.com/show_bug.cgi?id=2282472  
https://bugzilla.redhat.com/show_bug.cgi?id=2282581  
https://bugzilla.redhat.com/show_bug.cgi?id=2282609  
https://bugzilla.redhat.com/show_bug.cgi?id=2282612  
https://bugzilla.redhat.com/show_bug.cgi?id=2282653  
https://bugzilla.redhat.com/show_bug.cgi?id=2282680  
https://bugzilla.redhat.com/show_bug.cgi?id=2282698  
https://bugzilla.redhat.com/show_bug.cgi?id=2282712  
https://bugzilla.redhat.com/show_bug.cgi?id=2282735  
https://bugzilla.redhat.com/show_bug.cgi?id=2282902  
https://bugzilla.redhat.com/show_bug.cgi?id=2282920

Red Hat Security Advisory 2024-4352-03

Red Hat Security Advisory 2024-4211-03 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include double free, memory leak, null pointer, spoofing, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4211.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2024:4211-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4211  
Issue date:         2024-07-02  
Revision:           03  
CVE Names:          CVE-2020-26555  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)

* kernel:TCP-spoofed ghost ACKs and leak leak initial sequence number (CVE-2023-52881,RHV-2024-1001)

* kernel: ovl: fix leaked dentry (CVE-2021-46972)

* kernel: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios (CVE-2021-47073)

* kernel: mm/damon/vaddr-test: memory leak in damon_do_test_apply_three_regions() (CVE-2023-52560)

* kernel: ppp_async: limit MRU to 64K (CVE-2024-26675)

* kernel: mm/swap: fix race when skipping swapcache (CVE-2024-26759)

* kernel: net: ip_tunnel: prevent perpetual headroom growth (CVE-2024-26804)

* kernel: RDMA/mlx5: Fix fortify source warning while accessing Eth segment (CVE-2024-26907)

* kernel: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (CVE-2024-26906)

* kernel: powerpc/powernv: Add a null pointer check in opal_event_init() (CVE-2023-52686)

* kernel: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() (CVE-2023-52675)

* kernel: KVM: SVM: improper check in svm_set_x2apic_msr_interception allows direct access to host x2apic msrs (CVE-2023-5090)

* kernel: EDAC/thunderx: Incorrect buffer size in drivers/edac/thunderx_edac.c (CVE-2023-52464)

* kernel: ipv6: sr: fix possible use-after-free and null-ptr-deref (CVE-2024-26735)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: net/bnx2x: Prevent access to a freed page in page_pool (CVE-2024-26859)

* kernel: crypto: qat - resolve race condition during AER recovery (CVE-2024-26974)

* kernel: net/mlx5e: fix a potential double-free in fs_any_create_groups (CVE-2023-52667)

* kernel: net/mlx5: Properly link new fs rules into the tree (CVE-2024-35960)

* kernel: net/mlx5e: Fix mlx5e_priv_init() cleanup flow (CVE-2024-35959)

* kernel: net: ena: Fix incorrect descriptor free behavior (CVE-2024-35958)

* kernel: i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004)

* kernel: mISDN: fix possible use-after-free in HFC_cleanup() (CVE-2021-47356)

* kernel: udf: Fix NULL pointer dereference in udf_symlink function (CVE-2021-47353)

* kernel: net: ti: fix UAF in tlan_remove_one (CVE-2021-47310)

Bug Fix(es):

* Kernel panic - kernel BUG at mm/slub.c:376! (JIRA:RHEL-29783)

* Temporary values in FIPS integrity test should be zeroized [rhel-8.10.z] (JIRA:RHEL-35361)

* RHEL8.6 - kernel: s390/cpum_cf: make crypto counters upward compatible (JIRA:RHEL-36048)

* [RHEL8] blktests block/024 failed (JIRA:RHEL-8130)

* RHEL8.9: EEH injections results  Error:  Power fault on Port 0 and other call traces(Everest/1050/Shiner) (JIRA:RHEL-14195)

* Latency spikes with Matrox G200 graphic cards (JIRA:RHEL-36172)

For more details about the security issue(s), including the impact,   
            a CVSS score, acknowledgments, and other related information, refer to the CVE page(s)  
            listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-26555

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1918601  
https://bugzilla.redhat.com/show_bug.cgi?id=2248122  
https://bugzilla.redhat.com/show_bug.cgi?id=2258875  
https://bugzilla.redhat.com/show_bug.cgi?id=2265517  
https://bugzilla.redhat.com/show_bug.cgi?id=2265519  
https://bugzilla.redhat.com/show_bug.cgi?id=2265520  
https://bugzilla.redhat.com/show_bug.cgi?id=2265800  
https://bugzilla.redhat.com/show_bug.cgi?id=2266408  
https://bugzilla.redhat.com/show_bug.cgi?id=2266831  
https://bugzilla.redhat.com/show_bug.cgi?id=2267513  
https://bugzilla.redhat.com/show_bug.cgi?id=2267518  
https://bugzilla.redhat.com/show_bug.cgi?id=2267730  
https://bugzilla.redhat.com/show_bug.cgi?id=2270093  
https://bugzilla.redhat.com/show_bug.cgi?id=2271680  
https://bugzilla.redhat.com/show_bug.cgi?id=2272692  
https://bugzilla.redhat.com/show_bug.cgi?id=2272829  
https://bugzilla.redhat.com/show_bug.cgi?id=2273204  
https://bugzilla.redhat.com/show_bug.cgi?id=2273278  
https://bugzilla.redhat.com/show_bug.cgi?id=2273423  
https://bugzilla.redhat.com/show_bug.cgi?id=2273429  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2275633  
https://bugzilla.redhat.com/show_bug.cgi?id=2275635  
https://bugzilla.redhat.com/show_bug.cgi?id=2275733  
https://bugzilla.redhat.com/show_bug.cgi?id=2278337  
https://bugzilla.redhat.com/show_bug.cgi?id=2278354  
https://bugzilla.redhat.com/show_bug.cgi?id=2280434  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281113  
https://bugzilla.redhat.com/show_bug.cgi?id=2281157  
https://bugzilla.redhat.com/show_bug.cgi?id=2281165  
https://bugzilla.redhat.com/show_bug.cgi?id=2281251  
https://bugzilla.redhat.com/show_bug.cgi?id=2281253  
https://bugzilla.redhat.com/show_bug.cgi?id=2281255  
https://bugzilla.redhat.com/show_bug.cgi?id=2281257  
https://bugzilla.redhat.com/show_bug.cgi?id=2281272  
https://bugzilla.redhat.com/show_bug.cgi?id=2281311  
https://bugzilla.redhat.com/show_bug.cgi?id=2281334  
https://bugzilla.redhat.com/show_bug.cgi?id=2281346  
https://bugzilla.redhat.com/show_bug.cgi?id=2281350  
https://bugzilla.redhat.com/show_bug.cgi?id=2281689  
https://bugzilla.redhat.com/show_bug.cgi?id=2281693  
https://bugzilla.redhat.com/show_bug.cgi?id=2281920  
https://bugzilla.redhat.com/show_bug.cgi?id=2281923  
https://bugzilla.redhat.com/show_bug.cgi?id=2281925  
https://bugzilla.redhat.com/show_bug.cgi?id=2281953  
https://bugzilla.redhat.com/show_bug.cgi?id=2281986  
https://bugzilla.redhat.com/show_bug.cgi?id=2282394  
https://bugzilla.redhat.com/show_bug.cgi?id=2282400  
https://bugzilla.redhat.com/show_bug.cgi?id=2282471  
https://bugzilla.redhat.com/show_bug.cgi?id=2282472  
https://bugzilla.redhat.com/show_bug.cgi?id=2282581  
https://bugzilla.redhat.com/show_bug.cgi?id=2282609  
https://bugzilla.redhat.com/show_bug.cgi?id=2282612  
https://bugzilla.redhat.com/show_bug.cgi?id=2282653  
https://bugzilla.redhat.com/show_bug.cgi?id=2282680  
https://bugzilla.redhat.com/show_bug.cgi?id=2282698  
https://bugzilla.redhat.com/show_bug.cgi?id=2282712  
https://bugzilla.redhat.com/show_bug.cgi?id=2282735  
https://bugzilla.redhat.com/show_bug.cgi?id=2282902  
https://bugzilla.redhat.com/show_bug.cgi?id=2282920

Red Hat Security Advisory 2024-4211-03

Democratic leader Hakeem Jeffries has joined US intelligence officials in ignoring repeated inquiries about Israel’s “malign” efforts to covertly influence US voters.

Federal lawmakers in the US have dodged repeated inquiries over the past week about a covert operation ordered by the Israeli government to artificially boost support among Americans for its war in Gaza. At the same time, senior White House officials charged with advising President Joe Biden on matters of national security are claiming to have no knowledge of the operation—first disclosed publicly more than four months ago.

The operation, formally tied to the Israeli government by a New York Times reporter last week, kicked off in October 2023 following the surprise attack by Hamas in southern Israel. Researchers internationally began work to expose the campaign in February, identifying a flood of “suspicious accounts” on US-based social networking apps, most masquerading as Americans avowing support for the Israeli military response.

In addition to eroding support for the United Nations Relief and Works Agency, which provides assistance to 5.6 million Palestinian refugees, a chief aim of the Israeli operation, researchers say, was to sway the opinions of Black Americans. Per the Times—which cited four current and former Israeli officials in confirming their government had commissioned the campaign—its primary targets included the account of US congressman Hakeem Jeffries, the leader of the Democrats in the House, among others who are “Black and Democratic.”

Accounts tied to the operation—many of which, at the time of writing, remain active on X, despite being suspended on other platforms—promoted a Black Lives Matter hashtag and shared images of Martin Luther King Jr. alongside fabricated quotes. A website created for the operation included articles with titles such as “The leaders of the Civil Rights Movement and Their Support of Jewish People and Israel.”

Several examples of accounts used in the operation, many of which were created weeks prior to the Hamas attack on October 7 that killed an estimated 1,200 people, advertised themselves as “Christian.” One of the stolen identities used in the operation, first identified by a researcher in Qatar, was that of Kyle Jean-Baptiste, an up-and-coming Broadway star who died in 2015 after falling from a fire escape.

**Got a Tip?**

_If you have information about the work of the intelligence community or its congressional overseers, contact Dell Cameron at dell\_cameron@wired.com or via Signal at dell.3030._

Multiple inquiries placed with senior members of Jeffries’ staff, including his communications director, Andy Eichar, have gone unacknowledged for nearly a week. WIRED has attempted to resolve whether Jeffries ever received notification of the operation from US intelligence while Congress was in the midst of debating $14 billion in funding to supplement Israel’s war effort.

Israeli forces have killed more than 36,000 Palestinians since Hamas’ October 7 attack, according to Gaza health officials’ estimates, including dozens last Thursday at a United Nations school compound, where the Israeli military is accused of making “improper use” of a US-made bomb.

With the exception of the White House’s National Security Council, which on Thursday claimed to have no knowledge of the operation, and Senate Intelligence Committee chair Mark Warner, whose office told WIRED it planned to request a briefing on the matter, press inquiries concerning Israel’s attempts to secretly influence US opinion on the war have been met with a stonewall.

It is unclear whether Biden may have received a briefing on the operation that included information not shared with his own national security advisers. Said a spokesperson for the National Security Council: “We take all allegations of foreign malign influence seriously.”

The Office of the Director of National Intelligence, led by Avril Haines—formerly No. 2 at the CIA—declined to say whether US intelligence had any knowledge of the operation prior to the June 5 New York Times’ story. It would not reveal whether it issued any notifications to Jeffries or any other US officials targeted by Israel.

The ODNI maintains what it calls a “disclosure framework” for notifying victims of influence operations connected with US elections. It is unclear, however, whether the ODNI considers the operation election-related, despite national elections approaching and the deep political divide among US voters over Congress’ support for the Israeli war effort.

Haines has previously spoken publicly on how US intelligence responds to this scenario: “When relevant intelligence is collected concerning a foreign influence operation aimed at our election,” she said, a “notification framework” exists to ensure “appropriate notice is given to those who are being targeted so that they can take action.”

Multiple attempts to solicit comment over the past week from the House Intelligence Committee have likewise gone unacknowledged by representatives Mike Turner and Jim Himes, the committee’s chair and ranking member, respectively. It is unclear whether they are taking steps similar to their Senate counterparts to investigate the matter.

Many of the Israeli operation’s fake posts were found to have been generated using ChatGPT, the digital assistant software developed by OpenAI, which is being integrated into everything from Apple’s new iPhones to the next Microsoft Windows operating system. Notably, OpenAI’s CEO, Sam Altman, was recently appointed an adviser to the Homeland Security Department. According to the agency, his role is to advise the US government on how to “prevent and prepare for AI-related disruptions.”

Both OpenAI and social media giant Meta have publicly confirmed that the operation was launched by a Tel Aviv–based company called Stoic. Neither US company, however, has disclosed having any knowledge of Stoic being commissioned by the Israeli government.

Oft described as an Israeli “campaign marketing firm,” Stoic is reminiscent of Russia’s Internet Research Agency, which similarly used fake accounts registered on social media to promote the Kremlin’s interests, namely by working to influence the outcome of the 2016 US presidential election. OpenAI disclosed earlier this month that Stoic had similarly been tracked using fraudulent accounts in an effort to influence the outcome of India’s recent elections.

Meta and OpenAI have not responded to requests for comment.

A US intelligence assessment published in February that identified threats from foreign countries accused of launching malign influence operations against the US references Israel dozens of times; however, it strictly portrays the Middle East ally as the victim of such campaigns.

The annual assessment, published by the ODNI three days after Israel’s “multi-platform deception operation” was first revealed publicly by Marc Owen Jones—an assistant professor of Qatar University specializing in disinformation—speaks only broadly of the influence efforts of US rivals and contains few if any details about any specific operations. The report mentions, for instance, that the Chinese government “reportedly targeted” US politicians on TikTok using accounts run by a propaganda office ahead of the 2022 midterm elections.

The revelation of Israel’s involvement follows months of hearings in Washington concerning the impact of what US intelligence calls “malign foreign influence campaigns.” Much of the focus by lawmakers centered on allegations that China might potentially manipulate TikTok to sway public opinion in the US.

Jeffries, who is rumored to be the Democratic party’s next choice to become Speaker of the House, was among the 360 US representatives to support taking drastic steps in April that may soon lead to a ban on TikTok in US app stores.

Jeffries has joined other US leaders in extending an invitation to Israeli prime minister Benjamin Netanyahu to address Congress next month. A letter from Jeffries and Senate minority leader Mitch McConnell to the prime minister last week read: “To build on our enduring relationship and to highlight America's solidarity with Israel, we invite you to share the Israeli government's vision for defending democracy, combatting terror, and establishing a just and lasting peace in the region.”

_Update 1 pm ET, June 11, 2024: Added additional details about the Israeli influence campaign._

US Leaders Dodge Questions About Israel’s Influence Campaign

In response to recent public outcry, Recall is getting new security accouterments. Will that be enough to quell concerns?

Source: Photo 12 via Alamy Stock Photo

Microsoft is adding new security measures to assuage widely publicized concerns over its new "Recall" AI feature. Some, though, still aren't convinced the company went far enough.

It's now just eight days until Microsoft releases Recall, a new artificial intelligence (AI)-driven program that will periodically take, store, and analyze screenshots of Copilot+ PCs as they're being used day-to-day. Recall is supposed to act like a kind of memory bank, allowing users to instantly find and reference things they've come across recently: apps, websites, images, and documents.

From the outset, Recall has been criticized as a potential goldmine for personal data theft. The noise got loud enough that, on Friday, Microsoft announced three new security-oriented updates for it:

*   In a reversal of its initial stance, Microsoft will now ship Recall turned off by default.
    
*   Users will need to enroll in Windows Hello in order to enable it, and so-called "proof of presence" will be required to use its primary features.
    
*   Recall data will be encrypted, and only decrypted and accessible once a user authenticates via Windows Hello.
    

Though they may represent a step in the right direction, experts remain skeptical that these changes will be enough to protect users' most sensitive passwords, photos, personally identifying information (PII), and financial information from hackers.

**Risks in Recall: A Case Study**

Many security experts cringed when Recall was announced, but few more than Marc-André Moreau, CTO of Devolutions. He worried that Windows' newest toy would inevitably capture and store visible passwords from his company's software for managing remote connections. With such passwords in hand, hackers would be able to easily connect to and manipulate any victim PC.

"Looking at documentation for how Recall works," he recalls, "it literally said that it wouldn't make an effort of removing sensitive information, credentials, or PII — anything which you would want scraped out, it would just keep in local files."

Microsoft's logic, it seemed, was that because Recall screenshots were stored only on the user's machine, they would remain safe from remote access. "Microsoft has this new chip which makes it possible to do the processing locally, and they thought that everybody would be fine since the data isn't uploaded to the cloud," Moreau explains. "But you wouldn't install a keylogger on your machine just because the files are stored locally. Files can be grabbed by malware. So why would you enable Recall?"

To demonstrate the point, he performed a simple red team exercise. In his telling, "I didn't have to do much. I just set up an environment, used some tool that somebody made online to force-install it, and then I installed \[Devolutions'\] Remote Desktop Manager. I clicked 'view password,' then 'record,' and then I found the database. I opened it, and I could see the extracted password alongside the screenshot that includes the password."

> Here's Recall capturing temporarily visible passwords from Remote Desktop Manager in a test Azure VM. It's less effective that I would have thought, the search results are screenshots, and it's unclear how one can obtain the full OCR text it used for the match pic.twitter.com/RUiLs57bKz  
> — Marc-André Moreau (@awakecoding) June 3, 2024

Other researchers have also found simple ways of accessing sensitive data in Recall screenshots. One has already developed and released an open source tool to help speed up the job.

To try to protect his customers, Moreau next looked for a way to exclude his company's software from Recall by default. He came up short.

**Are Microsoft's New Updates Enough?**

Users will have more control over their data privacy now, thanks to Microsoft's turning off Recall by default.

Moreau is skeptical, though, that Windows Hello can be fully and properly integrated into Recall without delaying its preview release, which is mere days away. "I'm in software, things don't happen that fast," he says.

Dark Reading reached out to Microsoft for comment on how it will be able to marry Windows Hello and Recall in time for June 18. In response, Microsoft said in a statement: "As we shared in our May 3 blog, security is our top priority at Microsoft, in line with our ⁠Secure Future Initiative (SFI), and we are evaluating Recall through that lens. As we implement SFI across Microsoft, we may shift some feature release dates and will update our public roadmaps as this happens."

In the barely a month since that blog post, and Satya Nadella's letter "prioritizing security above all else," for some critics, Recall recalls other AI products that are getting rushed to market.

Ironically, AI could well solve these programs' most pressing security flaws. "I could upload a Recall screenshot to ChatGPT today and tell it to identify the data which looks sensitive, and it will be able to," Moreau notes. "They could have used their AI chip to help solve this \[data leakage\] but they didn't even try. They were too eager to ship."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Modifies 'Recall' AI Feature Amid Privacy, Security Failings

After weeks of withering criticism and exposed security flaws, Microsoft has vastly scaled back its ambitions for Recall, its AI-enabled silent recording feature, and added new privacy features.

When Microsoft named its new Windows feature Recall, the company intended the word to refer to a kind of perfect, AI-enabled memory for your device. Today, the other, unintended definition of “recall”—a company's admission that a product is too dangerous or defective to be left on the market in its current form—seems more appropriate.

On Friday, Microsoft announced that it would be making multiple dramatic changes to its rollout of its Recall feature, making it an opt-in feature in the Copilot+ compatible versions of Windows where it had previously been turned on by default, and introducing new security measures designed to better keep data encrypted and require authentication to access Recall's stored data.

“We are updating the set-up experience of Copilot+ PCs to give people a clearer choice to opt-in to saving snapshots using Recall,” reads a blog post from Pavan Davuluri, Microsoft's corporate vice president for Windows and devices. “If you don’t proactively choose to turn it on, it will be off by default.”

The changes come amid a mounting barrage of criticism from the security and privacy community, which has described Recall—which silently stores a screenshot of the user's activity every five seconds as fodder for AI analysis—as a gift to hackers: essentially unrequested, preinstalled spyware built into new Windows computers.

In the preview versions of Recall, that screenshot data, complete with the user's every bank login, password, and porn site visit would have been indefinitely collected on the user's machine by default. And though that highly sensitive data is stored locally on the user's machine and not uploaded to the cloud, cybersecurity experts have warned that it all remains accessible to any hacker who so much as gains a temporary foothold on a user's Recall-enabled device, giving them a long-term panopticon view of the victim's digital life.

"It makes your security very fragile,” as Dave Aitel, a former NSA hacker and founder of security firm Immunity, described it—more charitably than some others—to WIRED earlier this week. “Anyone who penetrates your computer for even a second can get your whole history. Which is not something people want.”

In addition to making Recall an opt-in feature, Microsoft’s Davuluri also writes that the company will make changes to better safeguard the data Recall collects and more closely police who can turn it on, requiring that users prove their identity via its Microsoft Hello authentication function any time they either enable Recall or access its data, which can require a PIN or biometric check of the user’s face or thumbprint. Davuluri says Recall’s data will remain encrypted in storage until the user authenticates.

All of that is a “great improvement,” says Jake Williams, another former NSA hacker who now serves as VP of R&D at the cybersecurity consultancy Hunter Strategy, where he says he's been asked by some of the firm's clients to test Recall's security before they add Microsoft devices that use it to their networks. But Williams still sees serious risks in Recall, even in its latest form.

Many users will turn on Recall, he points out, partly due to Microsoft’s high-profile marketing of the feature. And when they do, they’ll still face plenty of unresolved privacy problems, from domestic abusers that often demand partners give up their PINs to subpoenas or lawsuits that compel them to turn over their historical data. “Satya Nadella has been out there talking about how this is a game changer and the solution to all problems,” Williams says, referring to Microsoft's CEO. “If customers turn it on, there’s still a huge threat of legal discovery. I can’t imagine a corporate legal team that’s ready to accept the risk of all of a user’s actions being turned over in discovery.”

For Microsoft, the Recall rollback comes in the midst of an embarrassing string of cybersecurity incidents and breaches—including a leak of terabytes of its customers' data and a shocking penetration of government email accounts enabled by a cascading series of Microsoft security slipups—that have grown so problematic as to become a sticking point given its uniquely close relationship with the US government.

Those scandals have escalated to the degree that Microsoft's Nadella issued a memo just last month declaring that Microsoft would make security its first priority in any business decision. “If you’re faced with the trade-off between security and another priority, your answer is clear: **Do security**,” Nadella's memo read (emphasis his). “In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”

By all appearances, Microsoft's rollout of Recall—even after today's announcement—displays the opposite approach, and one that seems more in line with business as usual in Redmond: Announce a feature, get pummeled for its glaring security failures, then belatedly scramble to control the damage.

Microsoft Will Switch Off Recall by Default After Security Backlash

A security vulnerability in Ariane Allegro Hotel Check-In Kiosks exposed guest data and potentially compromised room access. However,…

A security vulnerability in Ariane Allegro Hotel Check-In Kiosks exposed guest data and potentially compromised room access. However, a patch has been developed and is now available to address this issue, enhancing the security of the system

Pentagrid, a Swiss cybersecurity firm, recently uncovered a vulnerability in Ariane Allegro Scenario Player, a widely used software program in hotel check-in kiosks. The vulnerability could allow someone to exit the kiosk’s intended use (kiosk mode) and access the underlying Windows Desktop OS. 

The software vendor, Ariane Systems, is a world leader in self-check-in and out solutions, serving 3,000 hotels and 500,000 rooms in over 25 countries. 

During a threat modelling workshop at a hospitality brand in Liechtenstein and Switzerland, Pentagrid’s Martin Schobert revealed that the app crashed in Kiosk mode after entering a single quote character into the guest search. 

The hotel brand uses this check-in terminal, likely a type Ariane Duo 6000 series, for smaller locations to facilitate room booking/check-in, initiate payment via a POS terminal, provision RFID transponders to open the booked hotel room, and print invoices.

Schobert found that guests/users have to search for room reservations by entering booking code or surname. If the name contains a single-quote, such as “O’YOLO,” the application hangs, the Windows OS prompts the user to wait or stop the task, and selecting stop terminates the kiosk mode application.

Screenshot: Pentagrid

When stopped, the Windows OS becomes accessible, which may have adverse consequences. such as allowing hotel network attacks, access to data stored on the terminal, including PII, reservations, and invoices, and RFID transponder allowing room keys to be created for other rooms. However, to exploit the flaw, the user must have physical access to the system, and the terminal must be in a self-service state, which hotels typically enable during specific times.

A CVE for the vulnerability is yet to be assigned whereas Kiosk Mode Bypass severity has been given as 6.3 (Medium). The vulnerability, discovered in March 2024, was promptly communicated to the vendor.

Ariane Systems clarified that these are “legacy systems,” in which the USB ports are disabled and “no PII or exploitable data can be retrieved from the kiosk.” Moreover, it believed the hotel must be using an outdated version of the software. However, Pentagrid asserted that the system’s design lets “the kiosk produces and keeps accessible invoice files.”  

Nevertheless, Ariane Systems confirmed the issue has been fixed. However, the exact version fixing the issue isn’t publicly known. Hackread suggests contacting the vendor directly for clarification and installing the latest version immediately to stay protected. 

John Bambenek, President of Cybersecurity and Threat Intelligence Consulting firm Bambenek Consulting commented on the issue emphasising the dangers of the potential access to victims’ rooms in domestic violence cases, theft of credit card data due to terminals doubling as POS devices.

_“_The biggest risk involves various domestic violence and stalking scenarios where unwanted guests could get keys to open a victim’s room. As these devices are also used as POS terminals to facilitate payments of hotel rooms, presumably the biggest risk there is stolen credit card information._“_

_“_The underlying issue seems to be that the specific terminals at this specific location had the vulnerability (albeit, a very simple one to find) and later versions did not. Kiosks tend to be “set and forget” devices which means operators may not know they need to be updated on a routine basis…or if they are updated at all,_“_ he added.

_“_These devices probably cannot be completely isolated from the main hotel network as part of the point is to issue keys and handle room management, however, the devices should be limited to sending only required machines and ports with everything else filtered,_“_ Bambenek advised.

1.  Vietnamese Group Hacks and Sells Bedroom Camera Footage
2.  Hotel reservation platform leaked data from online booking sites
3.  Vulnerability Exposed Ibis Budget Guest Room Codes to Hackers

Hotel Kiosks Vulnerability Exposed Guest Data, Room Access

A new discovery that the AI-enabled feature’s historical data can be accessed even by hackers without administrator privileges only contributes to the growing sense that the feature is a “dumpster fire.”

Microsoft's CEO Satya Nadella has hailed the company's new Recall feature, which stores a history of your computer desktop and makes it available to AI for analysis, as “photographic memory” for your PC. Within the cybersecurity community, meanwhile, the notion of a tool that silently takes a screenshot of your desktop every five seconds has been hailed as a hacker's dream come true and the worst product idea in recent memory.

Now, security researchers have pointed out that even the one remaining security safeguard meant to protect that feature from exploitation can be trivially defeated.

Since Recall was first announced last month, the cybersecurity world has pointed out that if a hacker can install malicious software to gain a foothold on a target machine with the feature enabled, they can quickly gain access to the user's entire history stored by the function. The only barrier, it seemed, to that high-resolution view of a victim's entire life at the keyboard was that accessing Recall's data required administrator privileges on a user's machine. That meant malware without that higher-level privilege would trigger a permission pop-up, allowing users to prevent access, and that malware would also likely be blocked by default from accessing the data on most corporate machines.

Then on Wednesday, James Forshaw, a researcher with Google's Project Zero vulnerability research team, published an update to a blog post pointing out that he had found methods for accessing Recall data _without_ administrator privileges—essentially stripping away even that last fig leaf of protection. “No admin required ;-)” the post concluded.

“Damn,” Forshaw added on Mastodon. “I really thought the Recall database security would at least be, you know, secure.”

Forshaw's blog post described two different techniques to bypass the administrator privilege requirement, both of which exploit ways of defeating a basic security function in Windows known as access control lists that determine which elements on a computer require which privileges to read and alter. One of Forshaw's methods exploits an exception to those control lists, temporarily impersonating a program on Windows machines called AIXHost.exe that can access even restricted databases. Another is even simpler: Forshaw points out that because the Recall data stored on a machine is considered to belong to the user, a hacker with the same privileges as the user could simply rewrite the access control lists on a target machine to grant themselves access to the full database.

That second, simpler bypass technique “is just mindblowing, to be honest,” says Alex Hagenah, a cybersecurity strategist and ethical hacker. Hagenah recently built a proof-of-concept hacker tool called TotalRecall designed to show that someone who gained access to a victim's machine with Recall could immediately siphon out all the user's history recorded by the feature. Hagenah's tool, however, still required that hackers find another way to gain administrator privileges through a so-called “privilege escalation” technique before his tool would work.

With Forshaw's technique, “you don’t need any privilege escalation, no pop-up, nothing,” says Hagenah. “This would make sense to implement in the tool for a bad guy.”

In fact, just an hour after speaking to WIRED about Forshaw's finding, Hagenah added the simpler of Forshaw's two techniques to his TotalRecall tool, then confirmed that the trick worked by accessing all the Recall history data stored on another user's machine for which he didn't have administrator access. “So simple and genius,” he wrote in a text to WIRED after testing the technique.

That confirmation removes one of the last arguments Recall's defenders have had against criticisms that the feature acts as, essentially, a piece of pre-installed spyware on a user's machine, ready to be exploited by any hacker who can gain a foothold on the device. “It makes your security very fragile, in the sense that anyone who penetrates your computer for even a second can get your whole history,” says Dave Aitel, the founder of the cybersecurity firm Immunity and a former NSA hacker. “Which is not something people want.”

For now, security researchers have been testing Recall in preview versions of the tool ahead of its expected launch later this month. Microsoft said it plans to integrate Recall on compatible Copilot+ PCs with the feature turned on by default. WIRED reached out to the company for comment on Forshaw's findings about Recall's security issues, but the company has yet to respond.

The revelation that hackers can exploit Recall without even using a separate privilege escalation technique only contributes further to the sense that the feature was rushed to market without a proper review from the company's cybersecurity team—despite the company's CEO Nadella proclaiming just last month that Microsoft would make security its first priority in every decision going forward. “You cannot convince me that Microsoft's security teams looked at this and said ‘that looks secure,’” says Jake Williams, a former NSA hacker and now the VP of R&D at the cybersecurity consultancy Hunter Strategy, where he says he's been asked by some of the firm's clients to test Recall's security before they add Microsoft devices that use it to their networks.

“As it stands now, it’s a security dumpster fire,” Williams says. “This is one of the scariest things I’ve ever seen from an enterprise security standpoint.”

Microsoft’s Recall Feature Is Even More Hackable Than You Thought

A data breach at Tech in Asia has exposed the personal information of 221,470 users. Learn more about…

A data breach at Tech in Asia has exposed the personal information of 221,470 users. Learn more about the hack attributed to IntelBroker and the ongoing response to secure user data.

A database owned by Tech in Asia, a prominent technology news outlet focusing on startups and technological innovations across Asia, has been compromised. The breach was announced by a hacker known by the pseudonym “Sanggiero,” linked to the infamous hacking collective, IntelBroker.

Screenshot from the hacker’s post on Breach Forums (Credit: Hackread.com)

Tech in Asia, which has received backing from Eduardo Saverin, the co-founder of Facebook, operates from bases in Singapore and Jakarta. The platform is a critical resource for news on technological advancements and entrepreneurial ventures in the region.

Details of the breach were disclosed late last night on several dark web forums, including the infamous cybercrime and data leak forum Breach Forums. Sanggiero claimed responsibility for the hack, stating that it occurred in June 2024 and impacted over 221,470 individuals.

As seen by Hackread.com, the leaked information includes user data such as the following:

*   **Roles**
*   **Full names**
*   **Display names**
*   **Email addresses**
*   **Date of registration.**

Hackread.com analysed the leaked data

As confirmed by Tech in Asia to Hackread.com in an exclusive statement, these records belong to its users. However, the good news is that no passwords were leaked. According to Sanggiero, the data was accessed by exploiting several critical vulnerabilities in Tech in Asia’s API and other bugs that allowed access to the internal services of the website.

> _“We confirm that the Tech in Asia Indonesia site was compromised, but the main Tech in Asia site remains secure. The situation has been contained. We apologise to users affected by this incident and will contact them with safety measures. Only email addresses and names were leaked; account passwords remain secure. We are taking further measures to ensure that our users’ data remains safe.”_
> 
> Tech in Asia

The motives behind the breach are obvious. Additionally, IntelBrokers has been known for targeting high-profile companies and top security agencies. Some of the group’s previous hacks include Europol, Home Depot, ICE, USCIS, HSBC and Barclays Bank.

This incident leaves a critical lesson for all companies: Cybersecurity isn’t a one-time setup but a continual process. As cyber threats become more complex and frequent, it’s vital that businesses consistently enhance security. Doing so not only protects sensitive data but also builds and maintains the trust of its users.

_Follow our dedicated cybersecurity news coverage for updates on this story and more._

1.  AT&T Confirms Data Breach Affecting 73 Million Users
2.  Massive Data Breach Exposes Info of 43 Million French Workers
3.  API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names
4.  American Express Cardholders Impacted by 3ed-Party Data Breach
5.  Dell Discloses Data Breach As Hacker Sells 49 Million Customer Data
6.  Ticketmaster Suffers Data Breach: 560M Users’ Info for Sale at $500K

Tag

#dell