Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.

CVE-2023-21719

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-21795

CVE-2023-21796

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21795.

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.

CVE-2023-21775

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. Signed document download URLs can be forged due to a weak default URL signing key.

**Server**

The backend server software layer which is the part of ONLYOFFICE Document Server and ONLYOFFICE Desktop Editors and is the base for all other components.

**Document service set up**

This instruction describes document service deployment for Windows based platform.

**Installing necessary components**

For the document service to work correctly it is necessary to install the following components for your Windows system (if not specified additionally, the latest version for 32 or 64 bit Windows can be installed with default settings):

1.  Node.js version 8.0.0 or later
    
2.  Java. Necessary for the sdk build.
    
3.  Database (MySQL or PostgreSQL). When installing use the onlyoffice password for the root user.
    
    *   MySQL Server version 5.5 or later
        
    *   PostgreSQL Server version 9.1 or later
        
4.  Erlang
    
5.  RabbitMQ
    
6.  Redis
    
7.  Python 2.7
    
8.  Microsoft Visual C++ Express 2010 (necessary for the spellchecker modules build)
    

**Setting up the system**

1.  Database setup:
    
    *   Database setup for MySQL  
        Run the schema/mysql/createdb.sql script for MySQL
        
    *   Database setup for PostgreSQL
        
        1.  Enter in psql (PostgreSQL interactive terminal) with login and password introduced during installation, then enter commands:
            
            CREATE DATABASE onlyoffice;
            CREATE USER onlyoffice WITH PASSWORD 'onlyoffice';
            \\c onlyoffice
            \\i 'schema/postgresql/createdb.sql';
            GRANT ALL PRIVILEGES ON DATABASE onlyoffice to onlyoffice;
            GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO onlyoffice;
            
        2.  Delete from server\Common\config\development-windows.json option sql.
            
2.  Install the Web Monitor for RabbitMQ (see the details for the installation here)
    
3.  Open the command line cmd executable.
    
4.  Switch to the installation directory using the cd /d Installation-directory/sbin command.
    
5.  Run the following command:
    
    rabbitmq-plugins.bat enable rabbitmq\_management
    
6.  The Web Monitor is located at the http://localhost:15672/ address. Use the guest:guest for the login:password combination.
    
7.  If Redis does not start or crashes after the start for some reason, try to change the maxheap parameter in the config settings. For 64 bit version of Windows 7 the config file can be found here: C:\Program Files\Redis\redis.windows-service.conf. Find the # maxheap <bytes> line and change it to, e.g.
    
    and restart the service
    

**Running the service**

Run the run.bat script to start the service.

Notes

All config files for the server part can be found in the Common\config folder

*   default.json - common config files similar for all production versions.
*   production-windows.json - config files for the production version running on a Windows based platform.
*   production-linux.json - config files for the production version running on a Linux based platform.
*   development-windows.json - config files for the development version running on a Windows based platform (this configuration is used when running the 'run.bat' script).

In case it is necessary to temporarily edit the config files, create the local.json file and reassign the values there. It will allow to prevent from uploading local changes and losing config files when updating the repository. See Configuration Files for more information about the configuration files.

**User Feedback and Support**

If you have any problems with or questions about ONLYOFFICE Document Server, please visit our official forum to find answers to your questions: forum.onlyoffice.com or you can ask and answer ONLYOFFICE development questions on Stack Overflow.

**License**

Server is released under an GNU AGPL v3.0 license. See the LICENSE file for more information.

CVE-2021-43444: GitHub - ONLYOFFICE/server: The backend server software layer which is the part of ONLYOFFICE Document Server and is the base for all other components

A mandatory app exposed the personal information of students and teachers across the country for over a year.

A security lapse in an app operated by India’s Education Ministry exposed the personally identifying information of millions of students and teachers for over a year. 

The data was stored by the Digital Infrastructure for Knowledge Sharing app, or Diksha, a public education app launched in 2017. At the height of the Covid-19 pandemic, when the government was forced to shutter schools across the country, Diksha became a primary tool for allowing students to access materials and coursework from home. 

But a cloud server storing Diksha’s data was left unprotected, exposing millions of individuals’ data to hackers, scammers, and virtually anyone who knew where to look.

Files stored on the unsecured server contained the full names, phone numbers, and email addresses of more than 1 million teachers. According to data in the files, verified by WIRED, the teachers worked for hundreds of thousands of schools located in every state in India. Another file contained information about nearly 600,000 students. While the students’ email addresses and phone numbers were partially obscured, the data included the students’ full names and information about where they went to school, when they enrolled in a course through the app, and how much of the course they completed.  

According to a UK-based security researcher who identified the exposure, there were thousands of files like this on the server. (The researcher asked not to be named because they were not authorized to speak to the media.) 

After initially discovering the exposure in June, the researcher contacted the Diksha support email, alerting them to the data breach, identifying the source, and offering to share more information. They received no response. “There's zero chance that it hasn't been accessed and downloaded by a bunch of other people,” the employee says of the exposed data.

WIRED reached out to the Ministry of Education and did not receive a response. 

Diksha was developed by EkStep, a foundation cofounded by Nandan Nilekani, who helped develop Aadhar, the country’s national identification system. According to Deepika Mogilishetty, the chief of policy and partnerships at EkStep, while the foundation had been supporting Diksha for many years, India’s Ministry of Education ultimately implements the security and policies for how data is managed on Diksha. However, after WIRED sent Mogilishetty links to the unsecured server, it was quickly taken offline. 

This isn’t the first time Diksha has potentially mishandled sensitive information. A 2022 report from Human Rights Watch found that Diksha not only was able to track the location of students, but also shared data with Google. In many cases, the Indian government mandated that teachers and students use Diksha, and Hye Jung Han, a researcher at Human Rights Watch who authored the 2022 report, says that the government provided no alternative methods for those who may not have wanted to use the app.

“What's happening there from a child-rights lens is, you are fulfilling your responsibility to provide free education to every child, but the only type of state education that you're making available is one that inherently violates kids' rights,” says Han.

The unsecured storage server was hosted on Azure, Microsoft’s cloud storage service. It’s unknown how long the data was left unprotected, but Google indexed more than 100 files from this server as early as October 2018. In other words, information stored on this vulnerable server was likely findable through a simple Google search for at least four years. While WIRED could not find instances of sensitive student and teacher data through a Google search, files with sensitive data were available for download through Grayhat Warfare, a searchable database of unsecured servers popular with security researchers and hackers.

“If you have information about children's names, contact details, and what schools they attend, that tells you about the neighborhood where they live. This raises what we call traditional children's protection concerns,” says Han. “They can also use children as a way to get to their parents—blackmail and harassment being fairly common, unfortunately, in India, specifically around education data.”

The market for student data in India appears to be thriving. In 2020, security researchers at CloudSEK, an India-based security firm, found that personally identifying information of hundreds of thousands of students who took India’s Common Aptitude Test Exam was for sale on a forum for leaked data. A year later, India Times reported that confidential data of millions of students was for sale on a website called “studentdatabase.in.”

Han also says that in India’s burgeoning data-broker market, education data like that available via the exposed Diksha server, which can be particularly appealing for prep schools to purchase, can go for as little as 2 to 5 rupees for a single child’s data.

Flaw in Diksha App Exposed the Data of Millions of Indian Students

Categories: News
Categories: Privacy
Tags: Privacy

Tags:  browser

Tags:  VPN

Tags:  BrowserGuard

For every level of privacy awareness, there are layers you can use to protect yourself. Here are four suggestions.



(Read more...)




The post 4 ways to protect your privacy while scrolling appeared first on Malwarebytes Labs.

Privacy is a right that is yours to value and defend. Article 8 of the Human Rights Act protects your right to respect for your private and family life. One of the pillars of the article is that personal information about you (including official records, photographs, letters, diaries, and medical records) should be kept securely and not be shared without your permission, except under certain circumstances.

But we know that information is not always protected as much as it should be, and it seems like we hear about a new data breach every day. It's up to us to defend our privacy as much as we can online, so here are a few suggestions on how you can best protect your privacy when scrolling online:

**1\. Consider what you share about yourself**

Many of us are leaking information about ourselves and our online behavior almost constantly.

When posting online, consider what information you find valuable and what you are happy for everyone to know? As soon as you know where you draw your personal line, you can start working on protecting your privacy.

As a guide, if you wouldn't say it in person, don't put it online.

**2\. Check your browser settings**

Your browser is your gateway to the internet. Unfortunately, few of them have ideal privacy and security settings set by default, even if they’re present.

So it's a good idea to go ahead and tinker with your browser’s settings, carefully making sure that options are set in a way that are acceptable to you, privacy-wise.

You can read about some popular browsers' privacy settings here:

*   Google Chrome privacy settings
*   Firefox privacy and security settings
*   Microsoft Edge, browsing data, and privacy
*   Safari privacy preferences

While you’re reviewing your settings, you may want to clear out your browser history. Then review your extensions, and remove those you hardly, or have never, use. Vulnerable or malicious add-ons can easily become a privacy and security risk.

Do a browser settings review on your mobile devices as well. You can learn more about them here:

*   Chrome for Android privacy settings
*   Safari for iOS privacy

Now, if you find that what’s in there by default lacks the privacy and security settings you hope for, it’s time to ditch that browser for a new one.

Thankfully, most (if not all) desktop browsers that made taking care of your privacy their business, too, have mobile versions. Start by looking up Firefox, Brave, DuckDuckGo, and even the Tor Browser on the Google Play and Apple App stores.

**3\. Consider adding extra layers**

There are a lot of browser extensions that decrease your online privacy. But the upside of being able to use browser extensions is that there are many good ones out there that can help you establish a more private browsing experience. Ad-blockers, anti-tracking tools, and protective extensions add further protection.

You can also tighten your privacy by using a Virtual Private Network (VPN) to anonymize your traffic. In short and easy terms, a VPN acts as a middle-man between a user and the internet. When the user wants to visit a site, they send information to the VPN over an encrypted connection, the VPN visits the site, and then it sends the data to the user over the same encrypted connection. These connections are not limited to web browsing, even though that is the first one that usually comes to mind.

Personally, I also use different browsers for different purposes. This is called compartmentalization and it allows you to visit trusted (and preferably bookmarked) websites with a quick browser and do your regular surfing with a fully protected and anonymized browser.

**4\. Do periodic check-ins**

One thing to keep in mind if you are rolling out extra precautions is to stay aware of their existence and not take them for granted. Check for updates on a regular basis, make sure they are working properly, and don’t blindly rely on them.

It’s like speeding in a car, just because you have a seatbelt on. It does make it safer, but you still don’t want to get involved in an accident.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

4 ways to protect your privacy while scrolling

Categories: News
Tags: windows 10

Tags:  windows 11

Tags:  microsoft

Tags:  license

Tags:  sale

Tags:  third party

Tags:  desktop

Tags:  upgrade

Tags:  hardware

We take a look at reports that Microsoft will shortly be ending the direct sale of Windows 10 licenses.



(Read more...)




The post Microsoft to end direct sale of Windows 10 licenses at the end of January appeared first on Malwarebytes Labs.

Windows 10 is slowly coming to an end, with one more way to purchase the operating system riding off into the sunset. Microsoft is posting notices in a variety of locations to confirm it will no longer sell Windows 10 licenses directly. Support remains in place for the time being, as is the usual strategy when an operating system is gradually phased out.

**Announcing the end times**

All Microsoft products have their own life cycle, and all of these products inevitably meet their demise at the hands of the next incarnation. Those policies fall under two types, modern, for products and services serviced and supported continuously, and fixed, for certain products bought at retail, or volume licensing.

While businesses often have the ability to pay to keep themselves patched against specific threats even after the shutters come down, this isn’t an option for everyone and a change of software and hardware is needed across the board eventually.

Windows 10 download pages now say this at the bottom of the promotional text:

_January 31, 2023 will be the last day this Windows 10 download is offered for sale. Windows 10 will remain supported with security updates that help protect your PC from viruses, spyware and other malware until October 14, 2025._

Whether or not you decide to buy Windows 10 before January 31, or ignore the warning and purchase from a third party retailer, January 31, 2025 looms on the horizon like a rather large banner advert for Windows 11. That tiny uptake of users back in 2021 is likely going to experience a spike over the next year or so.

**Windows 11: A significant boost in security...**

We’ve covered many of the security improvements which Windows 11 holds over Windows 10. There’s the multiple features and functionality of the hypervisor, the secure boot practices to help ward off boot kit malware, and the hardware enforced stack protection which protects various forms of running code.

Elsewhere we have custom made phishing alerts for users of Windows 11(but not Windows 10), and a default remote desktop protocol lock out. This is before you get to the other additions and improvements which you won’t find elsewhere.

Tabs? In my Notepad? The future is now.

**...and a bit of a problem for hardware**

One of the few remaining sticking points for people wary of upgrading remains the hardware issue. Microsoft has experienced quite a bit of backlash due to how the promotion of Windows 11 was handled. Nobody wants to find out their recently purchased powerhouse of a gaming PC inexplicably does not support the new operating system, nor does anyone want to discover their fairly new fleet of Windows 10 business PCs aren’t up to standard. Unfortunately, this is the exact situation far too many people found themselves in. Poor descriptions of secure boot and Trusted Platform Module (TPM) did not help at all.

My own home PC is a very powerful gaming rig, it will run anything thrown at it from games on their highest settings to rendering tools which will bring other high spec systems to their knees.

It’s _still_ not compatible with Windows 11 because (insert convoluted technical explanation here). People don’t want to hear about inserted convoluted technical explanations, they just want to know why they’re suddenly faced with the prospect of potentially expensive hardware upgrades or replacements. This is _not_ how you achieve high buy-in rates.

**Playing the waiting game**

For now, it’s fine to linger on Windows 10, and support is going to be around for some time to come. If you think you’re going to be putting together a bunch of self-built machines in the near future, or simply buying in bulk, this may be the time to do some emergency sort-of-last-minute shopping before it becomes increasingly more difficult to obtain a license. Given the leap in demands from Windows 10 hardware to Windows 11 hardware, you don’t want to be left in a situation where you have a pile of cases, hard drives, and RAM sticks in the corner of a room and nothing to make them all come alive.

Hang fire if you need to, but the clock is most definitely ticking.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#microsoft