Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-21775

ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. Signed document download URLs can be forged due to a weak default URL signing key.

**Server**

The backend server software layer which is the part of ONLYOFFICE Document Server and ONLYOFFICE Desktop Editors and is the base for all other components.

**Document service set up**

This instruction describes document service deployment for Windows based platform.

**Installing necessary components**

For the document service to work correctly it is necessary to install the following components for your Windows system (if not specified additionally, the latest version for 32 or 64 bit Windows can be installed with default settings):

1.  Node.js version 8.0.0 or later
    
2.  Java. Necessary for the sdk build.
    
3.  Database (MySQL or PostgreSQL). When installing use the onlyoffice password for the root user.
    
    *   MySQL Server version 5.5 or later
        
    *   PostgreSQL Server version 9.1 or later
        
4.  Erlang
    
5.  RabbitMQ
    
6.  Redis
    
7.  Python 2.7
    
8.  Microsoft Visual C++ Express 2010 (necessary for the spellchecker modules build)
    

**Setting up the system**

1.  Database setup:
    
    *   Database setup for MySQL  
        Run the schema/mysql/createdb.sql script for MySQL
        
    *   Database setup for PostgreSQL
        
        1.  Enter in psql (PostgreSQL interactive terminal) with login and password introduced during installation, then enter commands:
            
            CREATE DATABASE onlyoffice;
            CREATE USER onlyoffice WITH PASSWORD 'onlyoffice';
            \\c onlyoffice
            \\i 'schema/postgresql/createdb.sql';
            GRANT ALL PRIVILEGES ON DATABASE onlyoffice to onlyoffice;
            GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO onlyoffice;
            
        2.  Delete from server\Common\config\development-windows.json option sql.
            
2.  Install the Web Monitor for RabbitMQ (see the details for the installation here)
    
3.  Open the command line cmd executable.
    
4.  Switch to the installation directory using the cd /d Installation-directory/sbin command.
    
5.  Run the following command:
    
    rabbitmq-plugins.bat enable rabbitmq\_management
    
6.  The Web Monitor is located at the http://localhost:15672/ address. Use the guest:guest for the login:password combination.
    
7.  If Redis does not start or crashes after the start for some reason, try to change the maxheap parameter in the config settings. For 64 bit version of Windows 7 the config file can be found here: C:\Program Files\Redis\redis.windows-service.conf. Find the # maxheap <bytes> line and change it to, e.g.
    
    and restart the service
    

**Running the service**

Run the run.bat script to start the service.

Notes

All config files for the server part can be found in the Common\config folder

*   default.json - common config files similar for all production versions.
*   production-windows.json - config files for the production version running on a Windows based platform.
*   production-linux.json - config files for the production version running on a Linux based platform.
*   development-windows.json - config files for the development version running on a Windows based platform (this configuration is used when running the 'run.bat' script).

In case it is necessary to temporarily edit the config files, create the local.json file and reassign the values there. It will allow to prevent from uploading local changes and losing config files when updating the repository. See Configuration Files for more information about the configuration files.

**User Feedback and Support**

If you have any problems with or questions about ONLYOFFICE Document Server, please visit our official forum to find answers to your questions: forum.onlyoffice.com or you can ask and answer ONLYOFFICE development questions on Stack Overflow.

**License**

Server is released under an GNU AGPL v3.0 license. See the LICENSE file for more information.

CVE-2021-43444: GitHub - ONLYOFFICE/server: The backend server software layer which is the part of ONLYOFFICE Document Server and is the base for all other components

A mandatory app exposed the personal information of students and teachers across the country for over a year.

A security lapse in an app operated by India’s Education Ministry exposed the personally identifying information of millions of students and teachers for over a year. 

The data was stored by the Digital Infrastructure for Knowledge Sharing app, or Diksha, a public education app launched in 2017. At the height of the Covid-19 pandemic, when the government was forced to shutter schools across the country, Diksha became a primary tool for allowing students to access materials and coursework from home. 

But a cloud server storing Diksha’s data was left unprotected, exposing millions of individuals’ data to hackers, scammers, and virtually anyone who knew where to look.

Files stored on the unsecured server contained the full names, phone numbers, and email addresses of more than 1 million teachers. According to data in the files, verified by WIRED, the teachers worked for hundreds of thousands of schools located in every state in India. Another file contained information about nearly 600,000 students. While the students’ email addresses and phone numbers were partially obscured, the data included the students’ full names and information about where they went to school, when they enrolled in a course through the app, and how much of the course they completed.  

According to a UK-based security researcher who identified the exposure, there were thousands of files like this on the server. (The researcher asked not to be named because they were not authorized to speak to the media.) 

After initially discovering the exposure in June, the researcher contacted the Diksha support email, alerting them to the data breach, identifying the source, and offering to share more information. They received no response. “There's zero chance that it hasn't been accessed and downloaded by a bunch of other people,” the employee says of the exposed data.

WIRED reached out to the Ministry of Education and did not receive a response. 

Diksha was developed by EkStep, a foundation cofounded by Nandan Nilekani, who helped develop Aadhar, the country’s national identification system. According to Deepika Mogilishetty, the chief of policy and partnerships at EkStep, while the foundation had been supporting Diksha for many years, India’s Ministry of Education ultimately implements the security and policies for how data is managed on Diksha. However, after WIRED sent Mogilishetty links to the unsecured server, it was quickly taken offline. 

This isn’t the first time Diksha has potentially mishandled sensitive information. A 2022 report from Human Rights Watch found that Diksha not only was able to track the location of students, but also shared data with Google. In many cases, the Indian government mandated that teachers and students use Diksha, and Hye Jung Han, a researcher at Human Rights Watch who authored the 2022 report, says that the government provided no alternative methods for those who may not have wanted to use the app.

“What's happening there from a child-rights lens is, you are fulfilling your responsibility to provide free education to every child, but the only type of state education that you're making available is one that inherently violates kids' rights,” says Han.

The unsecured storage server was hosted on Azure, Microsoft’s cloud storage service. It’s unknown how long the data was left unprotected, but Google indexed more than 100 files from this server as early as October 2018. In other words, information stored on this vulnerable server was likely findable through a simple Google search for at least four years. While WIRED could not find instances of sensitive student and teacher data through a Google search, files with sensitive data were available for download through Grayhat Warfare, a searchable database of unsecured servers popular with security researchers and hackers.

“If you have information about children's names, contact details, and what schools they attend, that tells you about the neighborhood where they live. This raises what we call traditional children's protection concerns,” says Han. “They can also use children as a way to get to their parents—blackmail and harassment being fairly common, unfortunately, in India, specifically around education data.”

The market for student data in India appears to be thriving. In 2020, security researchers at CloudSEK, an India-based security firm, found that personally identifying information of hundreds of thousands of students who took India’s Common Aptitude Test Exam was for sale on a forum for leaked data. A year later, India Times reported that confidential data of millions of students was for sale on a website called “studentdatabase.in.”

Han also says that in India’s burgeoning data-broker market, education data like that available via the exposed Diksha server, which can be particularly appealing for prep schools to purchase, can go for as little as 2 to 5 rupees for a single child’s data.

Flaw in Diksha App Exposed the Data of Millions of Indian Students

Categories: News
Categories: Privacy
Tags: Privacy

Tags:  browser

Tags:  VPN

Tags:  BrowserGuard

For every level of privacy awareness, there are layers you can use to protect yourself. Here are four suggestions.



(Read more...)




The post 4 ways to protect your privacy while scrolling appeared first on Malwarebytes Labs.

Privacy is a right that is yours to value and defend. Article 8 of the Human Rights Act protects your right to respect for your private and family life. One of the pillars of the article is that personal information about you (including official records, photographs, letters, diaries, and medical records) should be kept securely and not be shared without your permission, except under certain circumstances.

But we know that information is not always protected as much as it should be, and it seems like we hear about a new data breach every day. It's up to us to defend our privacy as much as we can online, so here are a few suggestions on how you can best protect your privacy when scrolling online:

**1\. Consider what you share about yourself**

Many of us are leaking information about ourselves and our online behavior almost constantly.

When posting online, consider what information you find valuable and what you are happy for everyone to know? As soon as you know where you draw your personal line, you can start working on protecting your privacy.

As a guide, if you wouldn't say it in person, don't put it online.

**2\. Check your browser settings**

Your browser is your gateway to the internet. Unfortunately, few of them have ideal privacy and security settings set by default, even if they’re present.

So it's a good idea to go ahead and tinker with your browser’s settings, carefully making sure that options are set in a way that are acceptable to you, privacy-wise.

You can read about some popular browsers' privacy settings here:

*   Google Chrome privacy settings
*   Firefox privacy and security settings
*   Microsoft Edge, browsing data, and privacy
*   Safari privacy preferences

While you’re reviewing your settings, you may want to clear out your browser history. Then review your extensions, and remove those you hardly, or have never, use. Vulnerable or malicious add-ons can easily become a privacy and security risk.

Do a browser settings review on your mobile devices as well. You can learn more about them here:

*   Chrome for Android privacy settings
*   Safari for iOS privacy

Now, if you find that what’s in there by default lacks the privacy and security settings you hope for, it’s time to ditch that browser for a new one.

Thankfully, most (if not all) desktop browsers that made taking care of your privacy their business, too, have mobile versions. Start by looking up Firefox, Brave, DuckDuckGo, and even the Tor Browser on the Google Play and Apple App stores.

**3\. Consider adding extra layers**

There are a lot of browser extensions that decrease your online privacy. But the upside of being able to use browser extensions is that there are many good ones out there that can help you establish a more private browsing experience. Ad-blockers, anti-tracking tools, and protective extensions add further protection.

You can also tighten your privacy by using a Virtual Private Network (VPN) to anonymize your traffic. In short and easy terms, a VPN acts as a middle-man between a user and the internet. When the user wants to visit a site, they send information to the VPN over an encrypted connection, the VPN visits the site, and then it sends the data to the user over the same encrypted connection. These connections are not limited to web browsing, even though that is the first one that usually comes to mind.

Personally, I also use different browsers for different purposes. This is called compartmentalization and it allows you to visit trusted (and preferably bookmarked) websites with a quick browser and do your regular surfing with a fully protected and anonymized browser.

**4\. Do periodic check-ins**

One thing to keep in mind if you are rolling out extra precautions is to stay aware of their existence and not take them for granted. Check for updates on a regular basis, make sure they are working properly, and don’t blindly rely on them.

It’s like speeding in a car, just because you have a seatbelt on. It does make it safer, but you still don’t want to get involved in an accident.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

4 ways to protect your privacy while scrolling

Categories: News
Tags: windows 10

Tags:  windows 11

Tags:  microsoft

Tags:  license

Tags:  sale

Tags:  third party

Tags:  desktop

Tags:  upgrade

Tags:  hardware

We take a look at reports that Microsoft will shortly be ending the direct sale of Windows 10 licenses.



(Read more...)




The post Microsoft to end direct sale of Windows 10 licenses at the end of January appeared first on Malwarebytes Labs.

Windows 10 is slowly coming to an end, with one more way to purchase the operating system riding off into the sunset. Microsoft is posting notices in a variety of locations to confirm it will no longer sell Windows 10 licenses directly. Support remains in place for the time being, as is the usual strategy when an operating system is gradually phased out.

**Announcing the end times**

All Microsoft products have their own life cycle, and all of these products inevitably meet their demise at the hands of the next incarnation. Those policies fall under two types, modern, for products and services serviced and supported continuously, and fixed, for certain products bought at retail, or volume licensing.

While businesses often have the ability to pay to keep themselves patched against specific threats even after the shutters come down, this isn’t an option for everyone and a change of software and hardware is needed across the board eventually.

Windows 10 download pages now say this at the bottom of the promotional text:

_January 31, 2023 will be the last day this Windows 10 download is offered for sale. Windows 10 will remain supported with security updates that help protect your PC from viruses, spyware and other malware until October 14, 2025._

Whether or not you decide to buy Windows 10 before January 31, or ignore the warning and purchase from a third party retailer, January 31, 2025 looms on the horizon like a rather large banner advert for Windows 11. That tiny uptake of users back in 2021 is likely going to experience a spike over the next year or so.

**Windows 11: A significant boost in security...**

We’ve covered many of the security improvements which Windows 11 holds over Windows 10. There’s the multiple features and functionality of the hypervisor, the secure boot practices to help ward off boot kit malware, and the hardware enforced stack protection which protects various forms of running code.

Elsewhere we have custom made phishing alerts for users of Windows 11(but not Windows 10), and a default remote desktop protocol lock out. This is before you get to the other additions and improvements which you won’t find elsewhere.

Tabs? In my Notepad? The future is now.

**...and a bit of a problem for hardware**

One of the few remaining sticking points for people wary of upgrading remains the hardware issue. Microsoft has experienced quite a bit of backlash due to how the promotion of Windows 11 was handled. Nobody wants to find out their recently purchased powerhouse of a gaming PC inexplicably does not support the new operating system, nor does anyone want to discover their fairly new fleet of Windows 10 business PCs aren’t up to standard. Unfortunately, this is the exact situation far too many people found themselves in. Poor descriptions of secure boot and Trusted Platform Module (TPM) did not help at all.

My own home PC is a very powerful gaming rig, it will run anything thrown at it from games on their highest settings to rendering tools which will bring other high spec systems to their knees.

It’s _still_ not compatible with Windows 11 because (insert convoluted technical explanation here). People don’t want to hear about inserted convoluted technical explanations, they just want to know why they’re suddenly faced with the prospect of potentially expensive hardware upgrades or replacements. This is _not_ how you achieve high buy-in rates.

**Playing the waiting game**

For now, it’s fine to linger on Windows 10, and support is going to be around for some time to come. If you think you’re going to be putting together a bunch of self-built machines in the near future, or simply buying in bulk, this may be the time to do some emergency sort-of-last-minute shopping before it becomes increasingly more difficult to obtain a license. Given the leap in demands from Windows 10 hardware to Windows 11 hardware, you don’t want to be left in a situation where you have a pile of cases, hard drives, and RAM sticks in the corner of a room and nothing to make them all come alive.

Hang fire if you need to, but the clock is most definitely ticking.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Microsoft to end direct sale of Windows 10 licenses at the end of January

Encrypting files, folders, and drives on your computer means that no one else can make sense of the data they contain without a particular decryption key—which in most cases is a password known only to you. 

So while someone could get at your files if they know your password (the decryption key), they won't be able to take out a drive from your system and access what's on it, or use a second computer to read your data—it'll all be gibberish. It means that if your Windows or macOS machine gets lost or stolen, you don't have to worry about someone using the data on it.

How the most popular operating systems have handled encryption has changed over the years, and there are third-party tools that give you more encryption options to choose from. We'll guide you through everything you need to know about these options to help you pick the right one.

Built-in Options for Windows

Device encryption is available in the Home versions of Windows.

Windows via David Nield

Encryption on Windows is a little more complicated than perhaps it should be. First of all, there are differences between the Windows Home and Windows Pro editions: Pro users get a powerful tool called BitLocker for encryption, but with the Home edition, there's a more basic alternative. It's simply referred to as device encryption, and you can find it by choosing **Privacy & security** and then **Device encryption** from the Settings panel in Windows.

Not so fast though, as this option won't appear for everyone: It requires a certain level of hardware security support from your desktop or laptop computer. It's all rather complex, and we don't have room to go into everything in detail here, but The Windows Club has an excellent explainer. If you search the Start menu for a tool called "system information," then right-click and run it as an administrator, you can see why your computer does or doesn't support this feature via the Device Encryption Support entry.

Assuming your hardware does meet all of the requirements, and the **Device encryption** entry is visible, you can click through it to see if your system drives are encrypted—they should be, by default, if you log in to your computer with a Microsoft account. It means that anyone who accesses your hard drives without that authorization won't be able to see the data on them, because it'll be encrypted and protected. If encryption isn't enabled for whatever reason, you can turn the toggle switch to **On**.

When it comes to external drives and USB sticks, if you have the Pro version of Windows you can use BitLocker: Just right-click on the drive in File Explorer, pick **Show more options** and **Turn on BitLocker**, and set a password. For those on the Home edition though, this option isn't available—you're going to have to use a third-party tool for the job of encrypting external drives, and we'll get on to those later on in this article.

Built-in Options for macOS

Use FileVault for maximum protection on a Mac.

Apple via David Nield

Encryption on macOS isn't quite as confusing as it is on Windows, but it still needs some explaining. If you have a Mac with a T2 security chip or Apple silicon inside (so one from late 2017 or later), then the contents of your system disk are encrypted by default. Your account password is required to get into the computer and at all of the data secured on the drive.

However, without getting into too much technical detail (which you can access here if you want to dive deeper), you can add an extra layer of encryption protection by enabling a tool called FileVault. Enabling FileVault means the information required to decrypt your Mac drive is harder to get at—if, for example, someone steals your computer and connects a second computer to it. Traditionally, this could impact speed and performance, but in recent years that's become less and less of a problem and is practically unnoticeable on the newest Macs.

You'll be asked to enable FileVault when you first set up macOS on a new machine, and it's something we'd recommend. You can also turn FileVault on (or off) whenever you like by opening the **Apple** menu and choosing **System Settings** then **Privacy & Security**. There's a FileVault option there, together with some details about what it does. You'll also need to specify your preferred way of unlocking the system disk if you ever forget your password, either through iCloud or through a dedicated recovery key.

You can encrypt external drives with a password from Finder: Just right-click on them and choose **Encrypt**. If the encryption option doesn't appear, the drive needs to be wiped and reformatted to be compatible—open the Disk Utility tool in macOS, click **View** and **Show All Devices**, then select the relevant external drive and click **Erase**. Give the drive a name, choose an encrypted option under **Format** (the options are explained here) and choose **GUID Partition Map** under **Scheme**. Pick your password, then click **Erase**, and the drive is ready to go.

Third-party Options for Windows and macOS

VeraCrypt makes it simple to encrypt an external drive.

VeraCrypt via David Nield

There are a variety of free and paid third-party encryption tools available if the options built into Windows and macOS don't suit your needs, including Cryptomator, NordLocker, and AxCrypt. However, we recommend one in particular, VeraCrypt: It's available for Windows and macOS (and indeed Linux,) it's not difficult to use, and it's free.

We also recommend reading through the online documentation that accompanies the program, but getting started is quite straightforward. Say you're encrypting an external drive, for example: With the drive plugged in and formatted, open VeraCrypt and choose **Create Volume**. Next, select **Encrypt a non-system partition/drive** and select **Next**. Select the drive you want to encrypt and follow the instructions on the screen.

During the configuration process, you'll be asked whether you want to encrypt the existing data already on the drive, or format it ready for files to be added—if you already have files on the drive that you don't want to be wiped, make sure you pick the former option. You'll also be asked to specify a password to lock the drive, which you should make sure you won't forget (you won't be able to access the drive without it).

VeraCrypt also lets you create containers, or sections of a drive that are encrypted. If you need to lock up specific files and folders without encrypting an entire disk for whatever reason, then this is one of the ways of going about it. From the main VeraCrypt screen, click **Create Volume**, then **Create an encrypted file container**. You'll be asked to specify a file on disk that then acts as the encrypted container for other files and folders.

How to Encrypt any File, Folder, or Drive on Your System

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 13 and Jan. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for January 13 to January 20

CRYSTALS-DILITHIUM (in Post-Quantum Cryptography Selected Algorithms 2022) in PQClean d03da30 may allow universal forgeries of digital signatures via a template side-channel attack because of intermediate data leakage of one vector.

**PQClean**

_See the build status for each component here_

**PQClean**, in short, is an effort to collect **clean** implementations of the post-quantum schemes that are in the NIST post-quantum project. The goal of PQClean is to provide _standalone implementations_ that

*   can easily be integrated into libraries such as liboqs.
*   can efficiently upstream into higher-level protocol integration efforts such as Open Quantum Safe;
*   can easily be integrated into benchmarking frameworks such as SUPERCOP;
*   can easily be integrated into frameworks targeting embedded platforms such as pqm4;
*   are suitable starting points for architecture-specific optimized implementations;
*   are suitable starting points for evaluation of implementation security; and
*   are suitable targets for formal verification.

What PQClean is **not** aiming for is

*   a build system producing an integrated library of all schemes;
*   including benchmarking of implementations; and
*   including integration into higher-level applications or protocols.

As a first main target, we are collecting C implementations that fulfill the requirements listed below. We also accept optimised implementations, but still requiring high-quality, tested code.

Please also review our guidelines for contributors if you are interested in adding a scheme to PQClean.

**Requirements on C implementations that are automatically checked**

_The checking of items on this list is still being developed. Checked items should be working._

*   Code is valid C99
*   Passes functional tests
*   API functions do not write outside provided buffers
*   api.h cannot include external files
*   Compiles with -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes with gcc and clang
*   #if/#ifdefs only for header encapsulation
*   Consistent test vectors across runs
*   Consistent test vectors on big-endian and little-endian machines
*   Consistent test vectors on 32-bit and 64-bit machines
*   const arguments are labeled as const
*   No errors/warnings reported by valgrind
*   No errors/warnings reported by address sanitizer
*   Only dependencies: fips202.c, sha2.c, aes.c, randombytes.c
*   API functions return 0 on success
*   No dynamic memory allocations (including variable-length arrays)
*   No branching on secret data (dynamically checked using valgrind)
*   No access to secret memory locations (dynamically checked using valgrind)
*   Separate subdirectories (without symlinks) for each parameter set of each scheme
*   Builds under Linux, MacOS, and Windows
    *   Linux
    *   MacOS
    *   Windows
*   Makefile-based build for each separate scheme
*   Makefile-based build for Windows (nmake)
*   All exported symbols are namespaced with PQCLEAN_SCHEMENAME_
*   Each implementation comes with a LICENSE file (see below)
*   Each scheme comes with a META.yml file giving details about version of the algorithm, designers
    *   Each individual implementation is specified in META.yml.

**Requirements on C implementations that are manually checked**

*   Minimalist Makefiles
*   No stringification macros
*   Output-parameter pointers in functions are on the left
*   All exported symbols are namespaced in place
*   Integer types are of fixed size where relevant, using stdint.h types (optional, recommended)
*   Integers used for indexing memory are of size size_t (optional, recommended)
*   Variable declarations at the beginning (except in for (size_t i=...) (optional, recommended)

**Schemes currently in PQClean**

For the following schemes we have implementations of one or more of their parameter sets. For all of these schemes we have clean C code, but for some we also have optimised code.

**Key Encapsulation Mechanisms**

**Finalists:**

*   Kyber

**Alternate candidates:**

*   HQC
*   Classic McEliece

**Signature schemes**

**To-be standards:**

*   Dilithium
*   Falcon
*   SPHINCS+

**Alternate candidates:**

*   No participants yet.

Implementations previously available in PQClean and dropped in Round 3 of the NIST standardization effort are available in the round2 tag.

Implementations previously available in PQClean and dropped in Round 4 of the NIST standardization effort are available in the round3 tag.

**API used by PQClean**

PQClean is essentially using the same API as required for the NIST reference implementations, which is also used by SUPERCOP and by libpqcrypto. The only differences to that API are the following:

*   All functions are namespaced;
*   All lengths are passed as type size_t instead of unsigned long long; and
*   Signatures offer two additional functions that follow the "traditional" approach used in most software stacks of computing and verifying signatures instead of producing and recovering signed messages. Specifically, those functions have the following name and signature:

int PQCLEAN\_SCHEME\_IMPL\_crypto\_sign\_signature(
    uint8\_t \*sig, size\_t \*siglen,
    const uint8\_t \*m, size\_t mlen,
    const uint8\_t \*sk);
int PQCLEAN\_SCHEME\_IMPL\_crypto\_sign\_verify(
    const uint8\_t \*sig, size\_t siglen,
    const uint8\_t \*m, size\_t mlen,
    const uint8\_t \*pk);

**Building PQClean**

As noted above, PQClean is **not** meant to be built as a single library: it is a collection of source code that can be easily integrated into other libraries. The PQClean repository includes various test programs which do build various files, but you should not use the resulting binaries.

List of required dependencies: gcc or clang, make, python3, python-yaml library, valgrind, astyle (>= 3.0).

**Using source code from PQClean in your own project**

Each implementation directory in PQClean (e.g., crypto\_kem/kyber768\\clean) can be extracted for use in your own project. You will need to:

1.  Copy the source code from the implementation's directory into your project.
2.  Add the files to your project's build system.
3.  Provide instantiations of any of the common cryptographic algorithms used by the implementation. This likely includes common/randombytes.h (a cryptographic random number generator), and possibly common/sha2.h (the SHA-2 hash function family), common/aes.h (AES implementations), common/fips202.h (the SHA-3 hash function family) and common/sp800-185.h (the cSHAKE family).

Regarding #2, adding the files to your project's build system, each implementation in PQClean is accompanied by example two makefiles that show how one could build the files for that implementation:

*   The file Makefile which can be used with GNU Make, BSD Make, and possibly others.
*   The file Makefile.Microsoft_nmake which can be used with Visual Studio's nmake.

**Projects integrating PQClean-distributed source code**

The following projects consume implementations from PQClean and provide their own wrappers around the implementations. Their integration strategies may serve as examples for your own projects.

*   **pqcrypto crate**: Rust integration that automatically generates wrappers from PQClean source code.
*   **mupq**: Runs the implementations from PQClean as reference implementations to compare with microcontroller-optimized code.
*   **Open Quantum Safe**: The Open Quantum Safe project integrates implementations from PQClean into their liboqs C library, which then exposes them via C++, C# / .NET, and Python wrappers, as well as to forks of OpenSSL and OpenSSH.

**License**

Each subdirectory containing implementations contains a LICENSE file stating under what license that specific implementation is released. The files in common contain licensing information at the top of the file (and are currently either public domain or MIT). All other code in this repository is released under the conditions of CC0.

**Running tests locally**

See https://github.com/PQClean/PQClean/wiki/Test-framework for details about the PQClean test framework.

While we run extensive automatic testing on Github Actions ((emulated) Linux builds, MacOS and Windows builds) and Travis CI (Aarch64 builds), and most tests can also be run locally. To do this, make sure the following is installed:

*   Python 3.6+
*   pytest for python 3.

We also recommend installing pytest-xdist to allow running tests in parallel.

You will also need to make sure the submodules are initialized by running:

    git submodule update --init
    

Run the Python-based tests by going into the test directory and running pytest -v or (recommended) pytest -n=auto for parallel testing.

You may also run python3 <testmodule> where <testmodule> is any of the files starting with test_ in the test/ folder.

CVE-2023-24025: GitHub - PQClean/PQClean at d03da3053491e767ef842deaef43fc5bdb6bc911

In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.

Release date: January 18, 2023

These release notes describe the new features, improvements, and fixed issues in Database Performance Analyzer 2023.1. They also provide information about upgrades and describe workarounds for known issues.

**Learn more**

*   For information on the latest hotfixes, see DPA hotfixes.
*   For release notes for previous DPA versions, see Previous Version documentation.
*   For information about requirements, see DPA system requirements.
*   For information about working with DPA, see the DPA Administrator Guide.

**New features and improvements in DPA**

Return to top

DPA 2023.1 offers new features and improvements compared to previous releases of DPA.

**Improvements to importing alerts, rules, and custom properties**

DPA 2022.4 introduced the ability to export the alerts, rules, and custom properties that are configured on one DPA server and import them to another server. DPA 2023.1 improves the import functionality in the following ways:

*   You can specify which entities to import. The import wizard displays a list of the alerts, rules, and custom properties to be imported. Clear the checkbox next to any entity you don't want to import.
    
*   You can choose to overwrite existing entities with the same name. If you overwrite an entity, the existing entity is replaced by the imported entity.
    

**Additions to systems requirements and monitored instances**

 

Category

Vender and version

Repository database

Microsoft SQL Server 2022, Windows or Linux

Monitored database instances

Microsoft SQL Server 2022, Windows or Linux

VMware

VMware vCenter Server 7.0

VMware ESX/ESXi Host 7.0

For more information, see the DPA 2023.1 system requirements and Database instances DPA can monitor.

**Fixed issues in DPA 2023.1**

Return to top

DPA 2023.1 fixes the following issues.

 

Case number

Description

01144021, 01233510, 01234275

In deployments with an Oracle repository that monitor Oracle database instances, index analysis runs successfully. Logs no longer include the error message Unable to run index analysis.

01080326, 01129290, 01234534, 01236488

Files in the /tomcat/logs/ directory, such as catalina.out, stderr.log, and catalina._YYYY-MM-DD_.log, no longer grow quickly and consume a large amount of space.

00978208, 01076887

Collecting a large number of metrics (for example, because you have configured many custom metrics), can sometimes cause DPA monitoring to stop periodically. DPA 2023.1 includes metrics setting in the system.properties files that can be adjusted to avoid this issue. For information on adjusting these properties, see Scale DPA for the number of databases being monitored and the number of custom metrics.

00560405, 00850966, 01061361, 01128672

In previous versions, when DPA was installed on Windows the installer ran a VBS script to create the Windows service. If an organization had a security policy that prevented VBS scripts from running, the service was not created and DPA would not start. To prevent this issue, DPA 2023.1 runs a Powershell script instead of a VBS script.

**SolarWinds CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2022-38110

Reflected Cross-Site Scripting Vulnerability

In DPA 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting.

6.3 Medium

CVE-2022-38112

Sensitive Information Disclosure Vulnerability

In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.

6.3 Medium

**Notes - BugCrowd**

SolarWinds would like to additionally thank our Bugcrowd community for their continued help in testing our products and keeping them secure

**New customer installation**

Return to top

For information about installing DPA, see the DPA Installation and Upgrade Guide. You can download a free trial from the SolarWinds website.

**Before you upgrade!**

If you are upgrading from DPA 2022.3 and you configured that version for SAML authentication, be aware that 2022.4 and later versions include changes to the SAML configuration. After the upgrade, no one will be able to log in with SAML until you update the configuration.

*   **Before** you upgrade, make sure you have a local login available.
    
*   **After** the upgrade, log in as a local user and complete the steps under SAML configuration changes in the DPA 2022.3 release notes to update the SAML configuration.
    

**How to upgrade**

If you are upgrading from an earlier version, use the following resources to plan and implement your upgrade:

*   Use the DPA Installation and Upgrade Guide to help you plan and execute your upgrade.
*   When you are ready, download the upgrade package from the SolarWinds Customer Portal.

**Known issues**

Return to top

 

Importing an alert definition without the associated database assignment rule

**Issue**

In some situations, the log file shows the status of an imported alert definition as both Imported and Failed. This occurs when the alert definition uses a database assignment rule, but the rule was not imported and did not already exist on the server.

The two statuses indicate that the alert definition was imported but the attempt to associate the database assignment rule failed.

**Resolution or Workaround**

When you import an alert definition that uses a database assignment rule, either import the rule or ensure that it already exists on the server.

If you imported an alert definition and the associated rule is missing, you must edit the alert definition to specify the database instances. (You can specify instances by manually selecting them or by applying a rule.)

 

REST API does not work when you access DPA with SAML login credentials

**Issue**

If you access DPA with SAML login credentials and you generate a refresh token, the following message is displayed when you attempt to use that refresh token to access the REST API:

You are not authorized to perform this action. Contact your DPA administrator.

**Resolution or Workaround**

Access DPA with a local login when you generate the refresh token.

 

The database name is not updated for stored procedures

**Issue**

If a stored procedure name includes the name of a database and it is copied to a different database, the database name is not updated. When DPA shows information about the copied stored procedure, the hash is the same as the first and the information appears to be incorrect.

**Resolution or Workaround**

If you experience this issue, complete the following steps:

1.  Run the following command against the DPA repository database (replacing <HashValue> with the stored procedure's hash value):
    
    delete from ignite.CONST_<DBID> where H = '<HashValue>'
    
2.  Restart DPA.

 

Registering an Azure SQL database instance fails when the privileged user is an Azure AD user

**Issue**

When registering an Azure SQL database, if you let DPA create the monitoring user and select an Azure Active Directory (AD) user as the privileged user, registration fails on the last step with the message Connection test to database as monitoring user failed.

**Resolution or Workaround**

Select the option 'I'll create the contained user or login', and follow the instructions to create the monitoring user manually.

 

Adding a distributed AG to a server prevents DPA from monitoring non-distributed AGs on the server

**Issue**

If DPA is monitoring non-distributed SQL Server Availability Groups (AGs) on a server and you add a distributed AG to the server, DPA stops monitoring the non-distributed AGs.

**Resolution or Workaround**

Do not add a distributed AG to the server.

 

Microsoft reports incorrect metric values for SQL Server on Linux

**Issue**

When you monitor a **SQL Server 2017** database instance that runs on a Linux server:

*   The O/S CPU Utilization resource always shows usage at 100%.
*   The Instance CPU Utilization resource always shows usage at 100%.
*   The O/S Memory Utilization resource always shows usage at 0%.

When you monitor a **SQL Server 2019** database instance that runs on a Linux server:

*   The O/S CPU Utilization resource always shows usage at 100%.
*   In some cases, the Instance CPU Utilization resource always shows usage at 100%.

Microsoft reports these values.

**Resolution or Workaround**

Disregard the values that are incorrect on your version of SQL Server. You can also disable the collection of a metric that shows incorrect data.

 

DPA fails to reconnect after losing its connection to a SQL Server instance

**Issue**

When DPA loses its connection to a monitored SQL Server instance (for example, when the DPA server is rebooted), and Windows authentication is used, DPA is sometimes unable to reconnect to the instance. This can happen if DPA attempts to connect before SQL Server has been able to connect to Active Directory. DPA interprets the rejected connection attempt as possibly occuring because the credentials were incorrect. To avoid being locked out of the account, DPA does not keep trying to reconnect. Messages such as the following appear in the logs:

Monitor for database [databaseName] failed to start due to [username and/or password must be updated due to previous login failure; if the credentials have not changed for this database, stop the monitor, wait for the monitor to stop, then start the monitor.].

**Resolution or Workaround**

When the monitored instance is fully initialized, manually restart monitoring. On the DPA home page, click the Action drop-down menu for the instance and select Start Monitor.

**End of life**

Return to top

   

Version

EoL Announcement

EoE Effective Date

EoL Effective Date

DPA 2022.1

**January18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2022.1 or earlier should begin transitioning to the latest version of DPA.

**April18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version2022.1 or earlier will no longer actively be supported by SolarWinds.

**April18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2022.1 or earlier.

DPA 2021.3

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.3 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.3 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.3 or earlier.

DPA 2021.1

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2021.1 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2021.1 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2021.1 or earlier.

DPA 2020.2

**October 18, 2022** End-of-Life (EoL) announcement - Customers on DPA version 2020.2 or earlier should begin transitioning to the latest version of DPA.

**January 18, 2023** End-of-Engineering (EoE) - Service releases, bug fixes, workarounds, and service packs for DPA version 2020.2 or earlier will no longer actively be supported by SolarWinds.

**January 18, 2024** End-of-Life (EoL) - SolarWinds will no longer provide technical support for DPA version 2020.2 or earlier.

**Deprecation notices**

Return to top

This version of Database Performance Analyzer deprecates the following platforms and features.

Deprecated platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features. 

 

Type

Details

DPA server OS

Installing DPA on a server with a **Windows Server 2012 R2** operating system is still supported in 2022.4, but support will be removed in an upcoming release.

_The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation_.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2022-38112: DPA 2023.1 Release Notes

By Owais Sultan
This article will highlight some of the most significant Microsoft innovations that could make an impact in 2023 and beyond.
This is a post from HackRead.com Read the original post: Microsoft Innovations for 2023: What to Look Out for This Year

Over the past several decades, **Microsoft** has continually been a leader in computer and technological innovations. As we enter into 2023, Microsoft continues to innovate by introducing new products and services that are reshaping our lives. This article will highlight some of the most significant Microsoft innovations that could make an impact in 2023 and beyond.

**Windows 11 Updates**

Microsoft Windows 11 is the latest operating system available for PCs. With **Windows 11 version** 22H2 Microsoft has launched a new system called “Moments.” The purpose is to provide continuous innovations to Windows users.

So, instead of waiting for annual updates to the Windows system, users can experience new features every few months. The next Windows update, which is **Moments 2**, is expected to be released in February and March of 2023.

If you’re a Windows 11 user, you can expect new features like:

*   Table mode taskbar
*   System tray updates
*   More search bar options
*   Full-screen widgets panel
*   Voice access enhancements

Alongside a major user interface redesign, one other big update found inside Windows 11 is Cortana – Microsoft’s voice-activated digital assistant originally designed for mobile phones.

Users can use Cortana to quickly locate files stored or their **email client** anywhere on their machines, as well as ask questions about anything related to information found online.

Furthermore, Microsoft is planning a Moment 3 release during late spring or early summer. However, it’s too early to say what the innovations will include for this launch. On the other hand, there are rumours that the brand is considering significant improvements for laptops. There may also be some improvements to apps and the launch of the **Outlook web app**. 

One of the key advantages of upgrading to Windows 11 is its improved performance over earlier versions of the OS. This includes faster boot times, quicker app loading times, and better overall responsiveness from your PC or laptop when switching between tasks and running multiple programs simultaneously.

**Microsoft Teams for Education**

**Microsoft Teams** for Education is a digital social hub that brings apps, conversations, and content together on a streamlined platform. With this platform, educators can create collaborative classrooms and even communicate with school staff.

2023 has kicked off to a good start for the platform as Microsoft has introduced new features to make it easier for educators to organize their work.

**Jupyter Notebook Integration**

The first notable integration is that Python script files and **Python Jupyter Notebooks** can now be rendered in Teams Assignments.

Students and teachers can now distribute, edit and execute Python code on the platform. This means users don’t have to set up a separate coding environment. Help or feedback can be given under Python Notebooks to assist team members.

**Team Meetings**

Microsoft Teams has made it easier for the deaf community to communicate with team members. In Meetings, there is now a **Sign Language View option**. Hosts are able to prioritize two other videos, so they are always visible during the meeting.

When Sign Language View is activated, the video streams automatically on the right-hand side of the viewer’s screen. Sign Language View is personal to you, so it won’t affect what other team members see in the meeting.

**Quizzes or Polls**

Some teachers use quizzes or questionnaires to test their student’s knowledge of the work they’ve learned. Educators can now expand these check-ins by creating multiple questions under one poll.

Additionally, teachers can add images to polls to help students process questions. Students can select these images to enlarge them in a new browser for better visibility.

**Parent Meetings**

Some parents can’t travel to meet teachers regularly. So to save time, there is a parent meetings scheduler that allows for improved communication between educators and parents. Educators can create individual profiles for each student’s parent or guardian. The teacher can then schedule meetings at times that are convenient for all parties involved.

**Microsoft Forms**

Microsoft has made several improvements to Forms. Most notably, there is a change in cover page designs and more ways to distribute your forms. So if you want to design a survey or a registration form, you now have more options to design your cover pages.

With regards to form distributions, you can now send your forms through multiple channels **like Facebook**, Twitter, Teams, or through QR codes.

Users can also add images as an answer in **Microsoft Forms**. This feature is available to all Business and Education accounts. You can also create multi-question polls to collect valuable data from your audience. Create multiple polls and then schedule them at different times during your meetings.

**Final Thoughts**

Microsoft is constantly creating new and innovative ways to improve technology for users. This makes it easier for people to run businesses or collaborate on large projects. It’s going to be an exciting year for Microsoft users, especially for those who use Teams regularly.

Those who use Windows 11 operating systems can expect regular updates and added features throughout the year. These updates can improve device performance and boost productivity. Keep an eye out for more Microsoft innovations to come in 2023.

1.  Will Microsoft add Android support to Windows 10?
2.  Microsoft patent reveals chatbot to talk to dead people
3.  Microsoft Windows PCs protection with Pluton security chip

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Tag

#microsoft