By Deeba Ahmed
Microsoft's new AI-powered Secure Future Initiative aims to assist governments, businesses, and consumers in combatting cybersecurity threats.
This is a post from HackRead.com Read the original post: Microsoft’s Secure Future Initiative Boosts Cybersecurity Against Advanced Attacks

Microsoft’s new AI-powered Secure Future Initiative aims to assist governments, businesses, and consumers in combatting cybersecurity threats.

Microsoft has announced its first-ever Secure Future Initiative to improve cybersecurity protection. This initiative will help government agencies, unsuspected users and organizations tackle cybercriminals and state-sponsored hackers with advanced response measures. The Secure Future Initiative consists of three pillars:

****AI-based cyber defences****

According to Microsoft, the future of cybersecurity is driven by artificial intelligence (AI). Therefore, the company invests heavily in innovative ways to detect and respond to cyberattacks.

Microsoft is planning to improve AI-based cyber defences in three key areas. These include threat intelligence, in which the company intends to use AI to detect/analyze cyber threats. Secondly, it will use AI to encourage analytical productivity by helping cybersecurity analysts to become more responsive. 

Thirdly, the company will utilize AI for endpoint protection by offering real-time protection against cyberattacks on endpoint services, including phones, laptops, and servers. Moreover, the company is committed to securing AI in its services based on Responsible AI principles and building more powerful AI-based protection for governments, countries, consumers, and organizations.

****Advances in fundamental software engineering:****

Through this initiative, Microsoft aims to improve its software security. In this regard, the company is developing new security technologies and incorporating security mechanisms into every phase of software development. This also entails three areas of improvement. 

Firstly, the company intends to develop a dynamic Security Development Lifecycle (dSDL) to integrate cybersecurity protection uninterruptedly to counter emerging threat patterns. It will encourage using AI-powered secure code analysis and GitHub Copilot to audit/test source code against advanced threats and offer secure default settings for MFA (multi-factor authentication) out-of-the-box.

Secondly, the company aims to strengthen identity protection against sophisticated attacks by introducing/applying the most advanced features and adopting a unified and consistent process that will verify and manage the identities and access rights of users, devices, and services across all platforms/products. 

Another addition will be making these capabilities freely available to non-Microsoft application developers. Microsoft also intends to migrate to a fully automated consumer/enterprise key management system to ensure that keys remain inaccessible even when underlying processes are compromised. Furthermore, the company will cut cloud vulnerability mitigation time by 50%.

****Advocacy for stronger application of international norms to protect civilians from cyber threats:****

According to Microsoft’s blog post, the company wants to promote international cooperation on cybersecurity. This initiative also entails advocacy for stricter norms to provide enhanced protection to innocent users against cyber threats.

To ensure this, Microsoft is calling for a new international norm that would make it illegal for governments to plant malware or create/exploit cybersecurity vulnerabilities in critical infrastructure providers’ networks. This new norm would recognize cloud services as critical infrastructure protecting against attacks under international law.

“We need governments to do more together to foster greater accountability for nation-states that cross these red lines,” the company noted.

What is an OSINT Tool – Best OSINT Tools 2023

CVSS v4.0 Released with New OT/ICS/IoT Support

Microsoft’s Windows File Recovery tool recovers your lost data

Microsoft’s new tool detects & reports pedophiles from online chats

Microsoft launches free Linux memory forensics tool for detecting malware

Microsoft’s Secure Future Initiative Boosts Cybersecurity Against Advanced Attacks

Compromised Facebook business accounts are being used to run bogus ads that employ "revealing photos of young women" as lures to trick victims into downloading an updated version of a malware called NodeStealer.
"Clicking on ads immediately downloads an archive containing a malicious .exe 'Photo Album' file which also drops a second executable written in .NET – this payload is in charge of

Online Security / Malware

Compromised Facebook business accounts are being used to run bogus ads that employ "revealing photos of young women" as lures to trick victims into downloading an updated version of a malware called **NodeStealer**.

"Clicking on ads immediately downloads an archive containing a malicious .exe 'Photo Album' file which also drops a second executable written in .NET – this payload is in charge of stealing browser cookies and passwords," Bitdefender said in a report published this week.

NodeStealer was first disclosed by Meta in May 2023 as a JavaScript malware designed to facilitate the takeover of Facebook accounts. Since then, the threat actors behind the operation have leveraged a Python-based variant in their attacks.

The malware is part of a burgeoning cybercrime ecosystem in Vietnam, where multiple threat actors are leveraging overlapping methods that primarily involve advertising-as-a-vector on Facebook for propagation.

The latest campaign discovered by the Romanian cybersecurity firm is no different in that malicious ads are used as a conduit to compromise users' Facebook accounts.

"Meta's Ads Manager tool is actively exploited in these campaigns to target male users on Facebook, aged 18 to 65 from Europe, Africa, and the Caribbean," Bitdefender said. "The most impacted demographic is 45+ males."

Besides distributing the malware via Windows executable files disguised as photo albums, the attacks have expanded their targeting to include regular Facebook users. The executables are hosted on legitimate.

The ultimate goal of the attacks is to leverage the stolen cookies to bypass security mechanisms like two-factor authentication and change the passwords, effectively locking victims out of their own accounts.

"Whether stealing money or scamming new victims via hijacked accounts, this type of malicious attack allows cybercrooks to stay under the radar by sneaking past Meta's security defenses," the researchers said.

Earlier this August, HUMAN disclosed another kind of account takeover attack dubbed Capra aimed at betting platforms by using stolen email addresses to determine registered addresses and sign in to the accounts.

The development comes as Cisco Talos detailed several scams that target users of the Roblox gaming platform with phishing links that aim to capture victims' credentials and steal Robux, an in-app currency that can be used to purchase upgrades for their avatars or buy special abilities in experiences.

"'Roblox' users can be targeted by scammers (known as 'beamers' by 'Roblox' players) who attempt to steal valuable items or Robux from other players," security researcher Tiago Pereira said.

"This can sometimes be made easier for the scammers because of "Roblox's" young user base. Nearly half of the game's 65 million users are under the age of 13 who may not be as adept at spotting scams."

It also follows CloudSEK's discovery of a two-year-long data harvesting campaign occurring in the Middle East via a network of about 3,500 fake domains related to real estate properties in the region with the goal of collecting information about buyers and sellers, and peddling the data on underground forums.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NodeStealer Malware Hijacking Facebook Business Accounts for Malicious Ads

In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.


CVE-2023-5763: Eclipse GlassFish Security Guide, Release 7

7-Zip through 22.01 on Linux allows an integer underflow and code execution via a crafted 7Z archive.

*   Home
*   Browse
*   7-Zip
*   Discussion

**A free file archiver for extremely high compression**

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Support Requests
    *   Patches
    *   Bugs
    *   Feature Requests
*   News
*   Discussion

Menu ▾ ▴

**7-Zip 23.00**

Created: 2023-05-07

Updated: 2023-09-27

*   **7-Zip 23.00 (beta) was released.**
    
    **Download**
    
    7-Zip for 64-bit Windows x64:  
    https://7-zip.org/a/7z2300-x64.exe
    
    7-Zip for 32-bit Windows x86:  
    https://7-zip.org/a/7z2300.exe
    
    7-Zip for 64-bit Windows ARM64:  
    https://7-zip.org/a/7z2300-arm64.exe
    
    7-Zip (console version) for 64-bit Linux x86-64 (AMD64):  
    https://7-zip.org/a/7z2300-linux-x64.tar.xz
    
    7-Zip (console version) for 32-bit Linux x86:  
    https://7-zip.org/a/7z2300-linux-x86.tar.xz
    
    7-Zip (console version) for 64-bit Linux ARM64:  
    https://7-zip.org/a/7z2300-linux-arm64.tar.xz
    
    7-Zip (console version) for 64-bit Linux ARM:  
    https://7-zip.org/a/7z2300-linux-arm.tar.xz
    
    7-Zip (console version) for macOS (ARM64 and x86-64):  
    https://7-zip.org/a/7z2300-mac.tar.xz
    
    7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager:  
    https://www.7-zip.org/a/7z2300-extra.7z
    
    **What's new after 7-Zip 22.01:**
    
    *   7-Zip now can use new ARM64 filter for compression to 7z and xz archives. ARM64 filter can increase compression ratio for data containing executable files compiled for ARM64 (AArch64) architecture.  
        Also 7-Zip now parses executable files (that have exe and dll filename extensions) before compressing, and it selects appropriate filter for each parsed file:
        *   BCJ or BCJ2 filter for x86 executable files,
        *   ARM64 filter for ARM64 executable files.  
            Previous versions by default used x86 filter BCJ or BCJ2 for all exe/dll files.
    *   Default section size for BCJ2 filter was changed from 64 MiB to 240 MiB. It can increase compression ratio for executable files larger than 64 MiB.
    *   UDF: support was improved.
    *   cpio: support for hard links.
    *   Some changes and optimizations in WIM creation code.
    *   When new 7-Zip creates multivolume archive, 7-Zip keeps in open state only volumes that still can be changed. Previous versions kept all volumes in open state until the end of the archive creation.
    *   7-Zip for Linux and macOS now can reduce the number of simultaneously open files, when 7-Zip opens, extracts or creates multivolume archive. It allows to avoid the failures for cases with big number of volumes, bacause there is a limitation for number of open files allowed for a single program in Linux and macOS.
    *   There are optimizations in code for 7-Zip's context menu in Explorer: the speed of preparing of the menu showing was improved for cases when big number of files were selected by external program for context menu that contains 7-Zip menu commands.
    *   There are changes in code for the drag-and-drop operations to and from 7-Zip File Manager.  
        And the drag-and-drop operation with right button of mouse now is supported for some cases.
    *   The bugs were fixed:
        *   ZIP archives: if multithreaded zip compression was performed with more than one file to stdout stream (-so switch), 7-zip didn't write "data descriptor" for some files.
        *   ext4 archives: 7-Zip couldn't correctly extract symbolic link to directory from ext4 archives.
        *   HFS and APFS archives: 7-Zip incorrectly decoded uncompressed blocks (64 KiB) in compressed forks.
        *   Some another bugs were fixed.
    
    Source code will be available later.
    
    There are internal changes in source code across the whole code. So some new bugs are possible in this new version. That is why this version is marked as "beta" in this forum message.  
    If you see new bugs and problems that have appeared in this 23.00 version, please write about it in this forum thread.
    
     
    
    Last edit: Igor Pavlov 2023-05-07
    

*   Thanks, Igor, I can't wait to test drive the new version.😃
    

*    
    
    Last edit: AlexS 2023-05-07
    
    *   -myx was changed.  
        7-Zip in default -myx5 mode now parses exe and dll files to select arm64 or x86 filter.  
        Also 7-Zip can select ia64 (Itanium) and armt (ARM-Thumb) filters. But these Itanium and ARM-Thumb exe and dll files now are rare cases.
        
         
        
        Last edit: Igor Pavlov 2023-05-07
        

*   Since the 7zz executable in the macOS archive above will only extract files correctly on versions of macOS that have a utimensat() system call, it would be better to describe that archive more precisely:
    
    7-Zip (console version) for macOS **10.13 or newer** (ARM64 and x86-64):  
    https://7-zip.org/a/7z2300-mac.tar.xz
    
    On versions of macOS before 10.13, only the first file of an archive is extracted, and 7zz dies when trying to set the first extracted file’s timestamp with the missing utimensat() system call.
    
     
    
    Last edit: Christian Carey 2023-05-08
    

*   Here is updated English (United Kingdom) language.
    

*   Hi, i updated my previous translation of brazilian portuguese for 23.00's release.
    

*   Great!
    
    Would be possible, for the next beta, to have an option to list supported archive files first, such as WinRar does?
    

*   Thx for the new update, Igor.
    

*   Wow, one more update with the same boring interface from 25 years ago 🥱 Thanks for reminding us of Windows 98 when we open 7zip 😮‍💨
    
    *   give him a break, he is a one man operation, as far as I know.
        
    *   Funny, I was just thinking, wow, 24 years, and still creating amazing compression software, for free. The dedication is amazing. The interface is adequate for purpose. I use console version a lot as well as GUI, on Linux, Android (Termux), WSL, Windows. Everywhere I need (de)compression, automation, etc., 7-Zip is there for me, and I am grateful. If the GUI bothers you so much, get the source, modify it, share with others. Next time, try to write code for 24 years rather than complain for 24 years.
        
    *   What a dumb comment, you get 7-Zip for free and post crap like this? Why don't you just choose an alternative instead of spreading negative rubbish?
        
         
        
        Last edit: str() 2023-05-09
        
    *   but that interface is good (Extract Here and Extract To "name\" are separate options)
        

*    
    
    Last edit: HITCHER 2023-05-10
    

*   Hello Igor,
    
    I don't know if the topic has ever been discussed before. But is there any chance that 7zip will open and decompress lzip archives? I will be very grateful for your answer.
    
    Best regards  
    WT
    
    *   no plans for lzip support now.
        
        *   Thank you for the information.
            
            Best regards,  
            WT
            
    *   Hi, Witold,
        
        other developers have created their own adaptations of 7-Zip to add the ability to decompress lzip archives:
        
        *   https://github.com/mcmilk/7-Zip-zstd — 7-Zip ZS 22.01 (the full installation, not the Zstandard codec plugin), only for Windows;
        *   https://download.savannah.gnu.org/releases/lzip/7zip/ — a set of source code patches for 7-Zip 16.04, which if you’re comfortable with compiling your own software, could be adapted to patching newer source code versions of 7-Zip. (That’s what the 7-Zip ZS developers have done.)
        
        I haven’t tried either adaptation above. If you don’t use Windows and you’re not comfortable with compiling your own software, then continuing to use a standalone lzip program could be the simplest option.
        
        *   Thank you for your tip, Christian. I have tried the ZS edition. It suits me very well :-) It works very nicely under Windows desktop.
            
            Best regards,  
            WT
            

*   

*   On the About 7-Zip dialog, the version says 23.00, but it doesn't say 23.00 beta.
    
    *   "beta" marker of 23.00 is mentioned only here at forum.  
        So it's just additional warning for user before dowloading.  
        It can show to potential user that the code is new, and it's not so robust is final "non-beta" releases.  
        Next version of 7-Zip will be "23.01" or "23.01 beta".  
        There will be no any another "non-beta" 23.00.
        

*   Thanks for a great tool with a clean and easy interface!  
    One tiny wish: the cmd 7za version with the -stl switch: 'set archive timestamp from the most recently modified file' uses a folder stamp, if the folder is more recent than the most recent file stamp. Not a big thing but sometimes it is very useful to get the most recent modified file stamp instead as originally intended.  
    Please keep up the good work.
    
    *   -xtd switch can exclude directory metadata records from processing, if you don't need them by some reason.
        

Log in to post a comment.

CVE-2023-31102: 7-Zip / Discussion / Open Discussion: 7-Zip 23.00

IBM Content Navigator 3.0.13 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.  IBM X-Force ID:  259247.

  

**Summary**

Oracle Outside In Technology is used in some configurations of IBM Content Navigator as part of the document viewer. CVE-2023-35896.

**Vulnerability Details**

**CVEID:**   CVE-2023-35896  
**DESCRIPTION:**   IBM Content Navigator is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259247 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)** 

IBM Content Navigator

3.0.13

**Remediation/Fixes**

**Affected Product(s)**

**Version(s)**

**Remediation/Fix/Instructions**

IBM Content Navigator

3.0.13

Download 3.0.13 IF006 and follow instructions

**Workarounds and Mitigations**

Customers who do not use Oracle Outside In Technology are not affected.

**References**

Off

**Acknowledgement**

**Change History**

01 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU056","label":"Miscellaneous"},"Product":{"code":"SSEUEX","label":"IBM Content Navigator"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"3.0.14 IF2, 3.0.13 IF5, 3.0.11 IF13","Edition":"","Line of Business":{"code":"LOB18","label":"Miscellaneous LOB"}}\]

CVE-2023-35896: IBM Content Navigator is vulnerable to Server Side Request Forgery leading to Arbitrary File Read due to Oracle Outside In Technology (CVE-2023-35896)

By Waqas
Software is the backbone of modern technology, serving various purposes across different sectors. The vast array of software…
This is a post from HackRead.com Read the original post: Exploring Software Categories: From Basics to Specialized Applications

Software is the backbone of modern technology, serving various purposes across different sectors. The vast array of software types caters to the complex and specific needs of users, ranging from basic applications to highly specialized programs.

Understanding the different categories of software and their respective uses is integral to learning and understanding the technological advances and their vast applications in our daily lives.

1.  **System Software:** System software forms the foundation of computer systems. Operating systems like Windows, macOS, and Linux are vital in managing hardware resources, providing essential services to other software, and enabling users to interact with their devices. Without these operating systems, applications wouldn’t function.
2.  **Application Software:** This category covers an extensive range of programs designed to perform specific tasks for users. From productivity suites like Microsoft Office and Google Workspace for creating documents, spreadsheets, and presentations to web browsers such as Chrome, Firefox, and Safari for accessing the internet, application software encompasses tools that support everyday activities.
3.  **Programming Software:** Programming software is used by developers to create other software. This includes text editors, compilers, debuggers, and integrated development environments (IDEs) that aid in writing, testing, and debugging code. Examples include Visual Studio, Eclipse, and Sublime Text.
4.  **Driver Software:** Drivers facilitate communication between the operating system and various hardware components, ensuring that devices like printers, scanners, and graphics cards work seamlessly with the computer. They provide the necessary instructions for the system to recognize and operate connected hardware.
5.  **Utilities:** Utilities encompass a wide range of software designed for system maintenance and optimization. These tools perform tasks like disk cleanup, antivirus scans, data backup, and file compression, ensuring smooth system operations and data security.
6.  **Middleware:** Middleware acts as an intermediary between different applications, enabling seamless communication and data management across multiple systems. It is used extensively in enterprise environments and in connecting disparate systems to streamline business processes.
7.  **Firmware:** Embedded into hardware devices, the firmware provides low-level control for the specific functions of the device. It’s integral to the functioning of devices such as routers, modems, and IoT (Internet of Things) devices.
8.  **Embedded software**: Embedded software refers to computer programs or software that are specifically designed to perform specific functions within a larger mechanical or electrical system. These programs are typically written to control or monitor the operation of embedded systems, which are specialized computing systems that perform dedicated functions within a larger system. Embedded software is commonly found in various devices and systems such as consumer electronics, automotive systems, industrial machines and equipment medical devices, aerospace and defense systems.

Each type of software serves distinct purposes, contributing to the advancement of technology in various fields:

**In business and industry**, Enterprise Resource Planning (ERP) software integrates various processes like finance, human resources, and supply chain management. Customer Relationship Management (CRM) software helps businesses manage interactions with customers and potential customers.

**Educational software** supports learning and teaching in classrooms and at home, offering interactive tools for various subjects and educational levels.

**Healthcare software** aids in patient management, electronic health records, diagnostic tools, and medical research.

**The entertainment industry** thrives on multimedia software for content creation, editing, and production, including video editing, animation, and music composition software.

The wide variety of software types highlights how much technology affects our daily lives. From handling simple computer tasks to running complex business operations, the software keeps changing and getting better, propelling advancements and developing how we engage with the world. Knowing about different kinds of software and what they do is essential in keeping up with the ever-growing world of technology.

****_RELATED ARTICLES_****

1.  Crucial Cybersecurity Software Features
2.  What Is Incident Management Software?
3.  The Role of Software Escrow in Mitigating Business Risks
4.  Antivirus Software: The Best Deals, Coupons and Discounts
5.  Integrating Pay-Per-Minute Chat Software in Customer Service

Exploring Software Categories: From Basics to Specialized Applications

It’s very convenient to store your passwords in your browser. But is it a good idea?

At Malwarebytes we’ve been telling people for years not to reuse passwords, and that a password manager is a secure way of remembering all the passwords you need for your online accounts.

But we also know that a password manager can be overwhelming, especially when you’re just getting started. Once you’ve stored your tens or even hundreds of passwords, a password manager is relatively convenient to use and keep updated. But you have to get to that stage first and not everyone is at the same level of computer literacy.

So, you may have wondered if there’s another way. No doubt, you’ll have seen the pop ups in your browser asking if you’d like it to save your password for next time. In fact, many browsers refer to that as their password manager.

It’s very convenient, since your browser is usually the application that needs the password, but is it a good idea?

As usual, there are pros and cons.

**Encryption.** With a browser password manager, someone with access to your browser could see your passwords in clear text, although Windows can be set to ask for authentication (the same you use at startup of your device).

_The “Show password’ option_

To see the passwords in an actual password manager, an attacker would need to know the password for the password manager or the recovery phrase, which are usually a lot harder to find out than the Windows authentication (if set).

A word of warning here, some password managers have the option to keep you logged in for hours or even days. If there is any chance that anyone may acquire physical access, such settings defeat the added security of a password manager, since the attacker could open the password manager and look at your passwords in more or less the same way as they could in your browser.

**Lookalike phishing sites.** Both a standalone password manager and the one in your browser will protect you here. They will not fill out your password if the domain doesn’t match the one you saved the password for, which could indicate a phishing site. This can be very useful and this is where it beats writing down the password on a piece of paper or storing it in a text file. I should add that the domains that are worth setting up a fake site for are usually the ones that we would advise you add multi-factor-authentication (MFA) to.

**Syncing.** If you’ve stored your passwords in the browser and have chosen to synchronize your browser between devices, your passwords will port over as well. This is obviously very convenient, but it’s also a potential danger if someone gets access to one of your devices. A true password manager doesn’t rely on syncing between the same browser on different devices. Once you have the password manager installed on a device, you have it handy to use in any browser or other apps.

**Offline.** Many password managers cache your passwords locally, so you still have access when your connection is broken. Browser password storage doesn’t allow for this.

**Business devices.** It’s hard for the IT department to keep track of which user has which passwords saved in their browser. Password managers for businesses give them a better insight and make it easier to revoke passwords when needed.

**Password stealers.** There are types of malware that are capable of harvesting passwords from your device. They know exactly where browsers store their passwords and the encryption key, so they can steal and send the credentials to the attacker. Password managers are separate to the browser so they’re not at risk in the same way.

**Data breaches.** Several password managers will warn you if they find that your credentials are involved in a data breach, so you can change them. Browser storage doesn’t do this.

**Complex passwords.** Humans are bad at creating and remembering complex passwords. A password manager and some browsers can help you create a password that meets the required complexity and store it so you don’t have to remember it.

**Side channel attacks.** As we saw with a recent bug in Safari, attackers can use the autofill feature in a browser to harvest login credentials for a site. This only works if you have autofill enabled, so to make things a bit safer you can tell your browser to wait for your OK before it fills out the data. Here’s how…

**How to disabled autofill**

*   **Brave:** Settings > Autofill and passwords > Password Manager > Settings. Toggle off “Sign in automatically”

*   **Chrome:** Settings > Autofill and passwords > Google Password Manager > Settings. Toggle off “Sign in automatically.”

*   **Edge:** Settings > Profiles > Passwords > Settings. There you can toggle off autofill for passwords and for Personal data separately.

*   **Firefox:** Settings > Privacy & Security. Scroll down to Logins and Passwords and uncheck “Autofill logins and passwords.”

*   **Opera:** Settings > Advanced Settings > Autofill > Password Manager > Settings. Toggle off “Auto Sign-in.”

*   **Safari:** Safari (in the menu bar) > Settings > Autofill. Uncheck “Usernames and passwords” and “Credit cards”.

Your browser password manager gives you “ease of use” but that costs you some of your security. Of course, password managers aren’t foolproof either, so it’s important to decide for yourself where you store your passwords.

If you’re confident the website is safe and anyone that can access it under your account will not learn anything new, feel free to store the password in your browser, but disable autofill so you are the one that is in control.

Use MFA where possible. It enormously reduces the risk should someone get hold of your password. And refrain from using the browser password manager to store your credit card details or other sensitive personally identifiable information (e.g. medical information).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Should you allow your browser to remember your passwords? 

NVIDIA GPU Display Driver for Windows contains a vulnerability that allows Windows users with low levels of privilege to escalate privileges when an administrator is updating GPU drivers, which may lead to escalation of privileges.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**NVIDIA GPU Display Driver**

**CVE ID**

**Description**

**Base Score**

**CWE and Vector**

CVE‑2023‑31027

NVIDIA GPU Display Driver for Windows contains a vulnerability that allows Windows users with low levels of privilege to escalate privileges when an administrator is updating GPU drivers, which may lead to escalation of privileges.

8.2

CWE-427  
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE‑2023‑31019

NVIDIA GPU Display Driver for Windows contains a vulnerability in wksServicePlugin.dll, where the driver implementation does not restrict or incorrectly restricts access from the named pipe server to a connecting client, which may lead to potential impersonation to the client's secure context.

7.8

CWE-284  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑31017

NVIDIA GPU Display Driver for Windows contains a vulnerability where an attacker may be able to write arbitrary data to privileged locations by using reparse points. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

7.8

CWE: 552  
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑31016

NVIDIA GPU Display Driver for Windows contains a vulnerability where an uncontrolled search path element may allow an attacker to execute arbitrary code, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

7.3

CWE-427  
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE‑2023‑31020

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause improper access control, which may lead to denial of service or data tampering.

6.1

CWE-284  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE‑2023‑31022

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a NULL-pointer dereference may lead to denial of service.

5.5

CWE: 476  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE‑2023‑31023

NVIDIA Display Driver for Windows contains a vulnerability where an attacker may cause a pointer dereference of an untrusted value, which may lead to denial of service.

5.5

CWE: 822  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**NVIDIA vGPU Software**

**CVE ID**

**Description**

**Base Score**

**CWE and Vector**

CVE‑2023‑31018

NVIDIA GPU Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a NULL-pointer dereference, which may lead to denial of service.

6.5

CWE: 476  
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVE‑2023‑31026

NVIDIA vGPU software for Windows and Linux contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a NULL-pointer dereference may lead to denial of service.

6.0

CWE: 476  
AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVE‑2023‑31021

NVIDIA vGPU software for Windows and Linux contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a malicious user in the guest VM can cause a NULL-pointer dereference, which may lead to denial of service.

5.5

CWE: 476  
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates for NVIDIA GPU Display Driver****CVE IDs Addressed in Each Windows Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R545, R535, R525

CVE‑2023‑31016, CVE‑2023‑31017, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

R470

CVE‑2023‑31017, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

**Security Updates for NVIDIA GPU Windows Display Driver**

The following table lists the NVIDIA software products affected, Windows driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

GeForce

Windows

R545

All driver versions prior to 546.01

546.01

Windows 10 and 11

R470

All driver versions prior to 474.64 for support of GeForce Kepler desktop

474.64

Windows 7 and 8._x_

R470

All driver versions prior to 474.64

474.64

Studio

Windows

R545

All driver versions prior to 546.01

546.01

NVIDIA RTX,  
Quadro,  
NVS

Windows

R545

All driver versions prior to 546.01

546.01

R535

All driver versions prior to 537.70

537.70

R525

All driver versions prior to 529.19

529.19

R470

All driver versions prior to 474.64

474.64

Tesla

Windows

R535

All driver versions prior to 537.70

537.70

R525

All driver versions prior to 529.19

529.19

R470

All driver versions prior to 474.64

474.64

**CVE IDs Addressed in Each Linux Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux driver branch.

**Linux Driver Branch**

**CVE IDs Addressed**

R545, R535, R525, R470

CVE‑2023‑31022

**Security Updates for NVIDIA GPU Linux Display Driver**

The following table lists the NVIDIA software products affected, Linux driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

GeForce

Linux

R545

All driver versions prior to 545.29.02

545.29.02

R535

All driver versions prior to 535.129.03

535.129.03

R525

All driver versions prior to 525.147.05

525.147.05

R470

All driver versions prior to 470.223.02

470.223.02

NVIDIA RTX, Quadro, NVS

Linux

R545

All driver versions prior to 545.29.02

545.29.02

R535

All driver versions prior to 535.129.03

535.129.03

R525

All driver versions prior to 525.147.05

525.147.05

R470

All driver versions prior to 470.223.02

470.223.02

Tesla

Linux

R535

All driver versions prior to 535.129.03

535.129.03

R525

All driver versions prior to 525.147.05

525.147.05

R470

All driver versions prior to 470.223.02

470.223.02

**Notes**

*   Your computer hardware vendor may provide you with Windows GPU display driver versions including 545.91, 537.70, 529.19 and 474.64, which also contain the security updates.
*   The tables above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, we recommend upgrading to the latest branch release.

**Security Updates for NVIDIA vGPU Software****CVE IDs Addressed in Each Windows vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows vGPU driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R535

CVE‑2023‑31016, CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31021, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

R525

CVE‑2023‑31016, CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

R470

CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

**CVE IDs Addressed in Each Linux vGPU Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux vGPU driver branch.

**Linux Driver Branch**

**CVE IDs Addressed**

R535, R525, R470

CVE‑2023‑31018, CVE‑2023‑31022

**CVE IDs Addressed in Each vGPU Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each vGPU Manager driver branch.

**vGPU Manager Driver Branch**

**CVE IDs Addressed**

R535

CVE‑2023‑31018, CVE‑2023‑31021, CVE‑2023‑31022, CVE‑2023‑31026

R525

CVE‑2023‑31018, CVE‑2023‑31022, CVE‑2023‑31026

R470

CVE‑2023‑31018, CVE‑2023‑31022

**Affected Components, Affected Versions, and Updated Versions**

The following table lists NVIDIA vGPU software components affected, versions affected, and the updated version that includes this security update.

**CVE IDs Addressed**

**vGPU Software Component**

**Operating System**

**Affected Versions**

**Updated Version**

**vGPU Software**

**Driver**

**vGPU Software**

**Driver**

CVE‑2023‑31016  
CVE‑2023‑31017  
CVE‑2023‑31018  
CVE‑2023‑31019  
CVE‑2023‑31020  
CVE‑2023‑31022  
CVE‑2023‑31023  
CVE‑2023‑31027

Guest driver

Windows

All versions prior to and including 16.1

537.13

16.2

537.70

All versions prior to and including 15.3

529.11

15.4

529.19

All versions prior to and including 13.8

474.44

13.9

474.64

CVE‑2023‑31018  
CVE‑2023‑31022

Guest driver

Linux

All versions prior to and including 16.1

535.104.05

16.2

535.109.03

All versions prior to and including 15.3

525.125.06

15.4

525.147.05

All versions prior to and including 13.8

470.199.02

13.9

470.223.02

CVE‑2023‑31018  
CVE‑2023‑31021  
CVE‑2023‑31022  
CVE‑2023‑31026

Virtual GPU Manager

Citrix Hypervisor,  
VMware vSphere,

Red Hat Enterprise Linux KVM,

Ubuntu

All versions prior to and including 16.1

535.104.06

16.2

535.109.03

All versions prior to and including 15.3

525.125.03

15.4

525.147.01

All versions prior to and including 13.8

470.199.03

13.9

470.223.02

CVE‑2023‑31018  
CVE‑2023‑31021  
CVE‑2023‑31022

Virtual GPU Manager

Azure Stack HCI

All versions prior to and including 16.1

537.13

16.2

537.70

All versions prior to and including 15.3

529.06

15.4

529.19

**Notes**

*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, we recommend upgrading to the latest branch release.

**Security Updates for NVIDIA Cloud Gaming****CVE IDs Addressed in Each Windows Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows Cloud Gaming driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R545, R535

CVE‑2023‑31016, CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31021, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

R525

CVE‑2023‑31016, CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

R470

CVE‑2023‑31017, CVE‑2023‑31018, CVE‑2023‑31019, CVE‑2023‑31020, CVE‑2023‑31022, CVE‑2023‑31023, CVE‑2023‑31027

**CVE IDs Addressed in Each Linux Cloud Gaming Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux Cloud Gaming driver branch

**Linux Driver Branch**

**CVE IDs Addressed**

R545, R535, R525, R470

CVE‑2023‑31018, CVE‑2023‑31022

**CVE IDs Addressed in Each Cloud Gaming Manager Driver Branch**

The following table lists the CVE IDs addressed by the update in each Cloud Gaming Manager driver branch

**Gaming Manager Driver Branch**

**CVE IDs Addressed**

R545, R535

CVE‑2023‑31018, CVE‑2023‑31021, CVE‑2023‑31022, CVE‑2023‑31026

R525

CVE‑2023‑31018, CVE‑2023‑31022, CVE‑2023‑31026

R470

CVE‑2023‑31018, CVE‑2023‑31022

**Affected Components, Affected Versions, and Updated Versions**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

**CVE IDs Addressed**

**Cloud Gaming Component**

**Operating System**

**Affected Versions**

**Updated Version**

**Cloud Gaming Software**

**Driver**

**Cloud Gaming Software**

**Driver**

CVE‑2023‑31016  
CVE‑2023‑31017  
CVE‑2023‑31018  
CVE‑2023‑31019  
CVE‑2023‑31020  
CVE‑2023‑31022  
CVE‑2023‑31023  
CVE‑2023‑31027

Guest driver

Windows

All versions prior to and including September 2023 release

537.42

October 2023 release

546.01

CVE‑2023‑31018  
CVE‑2023‑31022

Guest driver

Linux

All versions prior to and including September 2023 release

535.113.01

October 2023 release

545.29.02

CVE‑2023‑31018  
CVE‑2023‑31021  
CVE‑2023‑31022  
CVE‑2023‑31026

Virtual GPU Manager

Red Hat Enterprise Linux KVM,

VMware vSphere

All versions prior to and including September 2023 release

535.113.01

October 2023 release

545.29.02

**Acknowledgements**

NVIDIA thanks the following people for reporting the issues to us:

CVE‑2023‑31027: Patryk Nowakowski

CVE‑2023‑31017: Lockheed Martin Red Team

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.1

November 1, 2023

Updated Windows Studio Display Driver version to 546.01

1.0

October 31, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Frequently Asked Questions (FAQs)**

How do I determine which NVIDIA display driver version is currently installed on my PC?

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-31027: NVIDIA Support

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures.

Thursday, November 2, 2023 14:11

Windows CE — an operating system that, despite being out for 27 years, never had an official explanation for why it was called “CE” — finally reached its official end-of-life period this week. 

This was Microsoft’s first operating system for embedded and pocket devices, making an appearance on personal pocket assistants, some of the first BlackBerry-likes, laptops and more during its lifetime.  

In 2020, Microsoft announced a clear migration path for devices using Windows CE and warned of its impending end-of-life (meaning there’d be no more support, security patches, etc.) by telling users to run a container on top of Windows 10 IoT. 

However, Microsoft says it will continue license sales for Windows Embedded Compact 2013 (the last time Windows CE received a full version update until 2028). I’ve written before about the dangers of people thinking it’s cool to still run Windows 7, which was already a surprise to me, but then by reading more about Windows CE this week, I found that some of the most important hardware the U.S. relies on still use Windows CE: voting machines. 

A Windows CE phone was at the center of the “Hillary Clinton emails” drama during the 2016 presidential election, and since then, security researchers have found that some voting machines using Windows CE are vulnerable to various exploits.   

I found one DEF CON 25 attendee in 2017 who went to the conference’s first-ever “Voting Village” where researchers poked and prodded various voting systems, including the ExpressPoll 5000 voter registration system that used Windows CE 5.0. Needless to say, the ExpressPoll 5000 didn’t stand a chance. 

I couldn’t find any information on if there are still any ExpressPoll 5000s in the wild, but the Maryland State Board of Elections was still accepting the devices into their pool of devices that could be certified to be used in elections with an “acceptance test” as of 2016. 

Other Diebold voting machines used in the 2016 presidential election also ran outdated versions of Windows CE. (Vice News had a video segment on this topic that’s since been scrubbed from the internet, but there’s a great written recap of the segment here.)  

Again, there is no real proof that these systems are still being used in the wild. After the security concerns stemming from the 2016 election, the U.S. took a much tougher look at election security and continues to invest heavily in more secure voting machines, so there’s a possibility these devices are all now out of service, patched, or hopefully just buried in a ditch somewhere.  

But it does get to a larger point, that a lot of the technology our government relies on is \*old\*. Many voting systems used in the 2020 presidential election relied on Windows 7, which also is now at its end-of-life and isn’t receiving any security updates. Support for Windows 8.1 ended at the beginning of this year, and who knows what devices are floating out there still using versions of that OS, and Windows 10 will reach its end-of-life period in October 2025, so by the time we get to the 2028 election (I can’t even fathom that as a real year still), I suspect we’ll be seeing lots of stories of all the voting devices relying on that.  

**The one big thing **

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures. Although Arid Viper is believed to be based out of Gaza, Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war. The malicious apps Arid Viper uses are very similar to other legitimate apps, so it’s fairly easy for an unsuspecting user to get hit.  

**Why do I care? **

Spyware is very dangerous no matter how you twist it, but in this particular case, Arid Viper’s spyware collects the target’s sensitive personal information off their devices and disables security notifications so the actor can install more malware. The use of spyware across the globe continues to be a major issue that governments have had a hard time reigning in (and sometimes the governments themselves are the ones using it). 

**So now what? **

Our blog post has more details on the malicious apps being used in this campaign, so potential targets know what to be on the lookout for. We also have several new IOCs available for defenders to add to their blocklists. Potentially sensitive targets like politicians, journalists or activists may want to enable “safe” modes on their mobile devices, which can help protect against all types of spyware.  

**Top security headlines of the week **

**U.S. President Joe Biden signed a sweeping Executive Order this week attempting to regulate the use of AI and put several privacy safeguards in place.** The order also calls on Congress to pass national AI privacy legislation. Under the new rules, leading AI developers will need to share safety test results and other information about their software with the government. The National Institute of Standards and Technology will also create new standards to ensure AI tools are safe and secure before they’re publicly released. Federal agencies will now also need to change the way they use AI, with the hopes that the private sector will follow suit. Federal benefits programs and contractors will need to ensure that any AI tools they rely on do not deepen any racial biases in their activities. However, privacy experts only view the Executive Order as a small first step that needs to be augmented by national legislation and enforcement. (AP News, ABC News) 

**The U.S. government is preparing for an influx of Iranian-backed cyber attacks in retaliation for the U.S.’ support of Israel in its war against Hamas.** FBI Director Christopher Wray told a Congressional committee this week that, “The cyber targeting of American interests and critical infrastructure that we already see conducted by Iran and non-state actors alike we can expect to get worse if the conflict expands.” New research also indicates that Iranian threat actors have carried out a range of cyber espionage activities across the Middle East, looking to collect sensitive intelligence and disrupt important services. There may be up 15 different hacking groups affiliated directly with, or serving as a proxy for, the Iranian Revolutionary Guard Corps or the Iranian Ministry of Intelligence. (Politico, The New York Times) 

**Cloud computing company Citrix is warning of the mass exploitation of a critical vulnerability in its NetScaler ADC/Gateway devices.** Known as “Citrix Bleed,” CVE-2023-4966 is an information disclosure vulnerability that could allow attackers to steal valid session tokens from internet-facing Netscaler devices running vulnerable software. Citrix disclosed the vulnerability on Oct. 10, warning users to update affected devices immediately. However, security researchers soon found that attackers had been exploiting the vulnerability since August. Researcher Kevin Beaumont reported on his personal social media channels that he found an estimated 20,000 instances of exploited Citrix devices where session tokens were stolen. (HelpNet Security, Ars Technica) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #140: Chicken Soup and Contact Centers 
*   Talos Takes Ep. #160: Patching 101 
*   Cisco Talos Incident Response On Air for Q3 2023 
*   Arid Viper Campaign Targets Arabic-Speaking Users 
*   Kazakhstan-based hackers targeting gov’t websites in Central Asia, Cisco says 

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

Riyadh, Saudi Arabia 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

Lansing, Michigan 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 21d709b0593c19ad2798903ae02de7ecdbf8033b3e791b70d7595bca64b99721**   
**MD5:** af8a072f20c8e647f53eb735528f070d   
**Typical Filename:** Head Office.exe   
**Claimed Product:** Head Office   
**Detection Name:** Win.Dropper.Pykspa::100.sbx.vioc 

**SHA 256:** 032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe   
**MD5:** a5cc0738a563489458f6541c3d3dc722   
**Typical Filename:** wuauclt.exe   
**Claimed Product:** Microsoft® Windows® Operating System   
**Detection Name:** Win.Dropper.Vools::100.sbx.tg 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c      
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c      
**Typical Filename:** AAct.exe      
**Claimed Product:** N/A        
**Detection Name:** PUA.Win.Tool.Kmsauto::1201 

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd

You’d be surprised to know what devices are still using Windows CE

Following a string of serious security incidents, Microsoft says it has a plan to deal with escalating threats from cybercriminals and state-backed hackers.

Today, in a blog post and email to employees, Microsoft is announcing a broad vision for tackling the cybersecurity challenges that have increasingly plagued the company and its customers in recent years. Known as the Secure Future Initiative, the plan leans heavily on artificial intelligence tools as a “game changer” and also includes a call for international cyberspace norms, an expansion of the company's 2017 Digital Geneva Convention.

The most tangible and immediately applicable component of the strategy, though, relates to improvements in Microsoft's software development and engineering approach. In Thursday's email, executive vice president for Microsoft security Charlie Bell and colleagues Scott Guthrie and Rajesh Jha lay out a plan to further safeguard identity management systems in Microsoft products, improve security software development, and shorten response and patch release times for addressing vulnerabilities, specifically those in the cloud.

The announcement comes as Microsoft has faced scrutiny over situations where vulnerabilities in its products have enabled attackers—both financially-motivated cybercriminals and state-backed hackers—to rampage through the company's own systems and those of customers. And the climate around accountability is evolving as regulators and law enforcement look for new paths to deterring, but also preventing, damaging hacks. On Monday, for example, the United States Securities and Exchange Commission (SEC) announced charges against the IT management company SolarWinds and its chief information security officer over “cybersecurity risks and vulnerabilities” that the SEC alleges were known and should have been addressed.

Microsoft said on Thursday that its Secure Future Initiative comes in response to wildly escalating threats from attackers. “In recent months, we’ve concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response," company vice chair and president Brad Smith wrote.

In an interview with WIRED, Microsoft's Bell emphasized that both cybercriminal and state-backed actors are professionalizing and homing in on phishing and creative approaches to credential theft as the most direct and effective method for infiltrating organizations of all sorts. He noted that while it is difficult to get an accurate accounting of total global economic losses due to cybercrime and cyberattacks, Microsoft believes that total losses have been greater than $6 trillion and could close in on $10 trillion by 2025.

“The threat is growing,” he tells WIRED. “It's a huge drag on the world. So when you look at all of this going on and you say well what can we do? Microsoft is in the center of much of the ability to defend. It caused us to step back.”

Speeding vulnerability response times by 50 percent and moving toward mandating secure default settings for customers are two aggressive steps Microsoft says it plans to take to make a tangible impact on customer security. Bell says that multi-factor authentication adoption among Microsoft customers is at roughly 34 percent, but “it should be 100 percent.”

The changes come as other giants across the industry, including Google, are acknowledging the need to push secure defaults, particularly around authentication. The software development platform GitHub, which Microsoft owns, has been working on rolling out mandatory two-factor for months. Apple has long mandated two-factor for most accounts, and Google has been publicly working toward the goal for years.

On many components of the Secure Future Initiative, Microsoft is not exactly late to the party on hardline changes, but is noticeably behind the early advocates. And in general, concepts of engineering software to be secure by design or building system architecture to be zero trust were prominent features of the past decade. Yet, between cloud services and all of the legacy Windows systems around the world, Microsoft is at the very heart of IT infrastructure, and in many ways, global cybersecurity moves at Microsoft’s pace.

“It’s an absolutely terrible world if we don’t get ahead of it,” Bell says. “We have all the data right now that the threat actors—they’re poking from the outside, they see a little bit. We know everything because we’re on the inside. If we’re gonna tackle the security problem we’ve got to be real about the fact that you’re not going to flip a light switch and everybody’s running in the cloud. There’s a lot of operational ground to cover between here and there. And Microsoft is the company that supports that world, that critical infrastructure that’s out there.”

Tag

#windows