Microsoft: Update Windows Server 2012 before extended support ends


BleepingComputer 15 July, 2021 - 07:00am

Microsoft has reminded Windows Server 2012 and SQL Server 2012 users that the products will reach their extended support end dates during the next two years, urging them to update to avoid security and compliance gaps.

According to Microsoft, Windows Server 2012 and 2012 R2 Extended Support will end on October 10, 2023, while SQL Server 2012 Extended Support will end on July 12, 2022.

Windows Server 2012 reached its mainstream support end date in September 2018, but the end date for extended support was pushed back five years for this exact reason: to give organizations time to migrate to newer, still-supported Windows Server versions.

"We understand that SQL Server and Windows Server run many business-critical applications that may take more time to modernize," Microsoft said.

"Customers that need to remain on-premises for compliance can protect their workloads by upgrading to SQL Server 2019 and Windows Server 2019.

"Customers that cannot meet the end of support deadline and have Software Assurance or subscription licenses under an enterprise agreement enrollment will have the option to buy Extended Security Updates to get three more years of security updates for SQL Server 2012, and Windows Server 2012 and 2012 R2."

Regarding pricing, Microsoft says that Windows Server and SQL Server 2012 Extended Security Updates will only carry a cost for on-premises deployments:

The company says Windows Server and SQL Server 2012 Extended Security Updates will be made available for purchase closer to the end of extended support.

Additional information is available on the Extended Security Updates frequently asked questions page.

"With cyberattacks becoming more sophisticated and frequent, running apps and data on unsupported versions can create significant security and compliance risks," Microsoft added.

"It is highly recommended that customers upgrade to the most current versions for better performance, efficiency, and regular security updates."
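As an added example, not code from the BleepingComputer article or from Microsoft, the following PowerShell script checks a single host for the two product lines named above and reports the days remaining until the extended-support end dates the article states. It assumes it is run from an elevated prompt on the host being checked; the version-to-product mapping (OS version 6.2/6.3 for Server 2012/2012 R2, registry instance prefix `MSSQL11.` for SQL Server 2012) is standard Microsoft versioning, and the `ProductType` test is there because the same OS versions are shared with Windows 8 and 8.1 on workstations.

```powershell
# Added example: inventory this host for Windows Server 2012 / 2012 R2 and
# SQL Server 2012 and compare against the extended-support end dates named
# in the article. Not part of the article or of any Microsoft tooling.

# End dates as stated in the article.
$EndOfSupport = @{
    'Windows Server 2012'    = [datetime]'2023-10-10'
    'Windows Server 2012 R2' = [datetime]'2023-10-10'
    'SQL Server 2012'        = [datetime]'2022-07-12'
}

function Get-EolFindings {
    param([datetime]$Today = (Get-Date))
    $findings = @()

    # Windows Server 2012 reports OS version 6.2, 2012 R2 reports 6.3.
    # Windows 8 / 8.1 share those numbers, so require a server ProductType
    # (1 = workstation, 2 = domain controller, 3 = server).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $osVersion = [version]$os.Version
    $osName = switch ("$($osVersion.Major).$($osVersion.Minor)") {
        '6.2'   { 'Windows Server 2012' }
        '6.3'   { 'Windows Server 2012 R2' }
        default { $null }
    }
    if ($osName -and $os.ProductType -ne 1) {
        $findings += [pscustomobject]@{
            Product       = $osName
            Detail        = $os.Caption
            SupportEnds   = $EndOfSupport[$osName]
            DaysRemaining = ($EndOfSupport[$osName] - $Today).Days
        }
    }

    # Installed SQL Server instances are listed under this key; each value is
    # "MSSQLnn.<InstanceName>", and nn = 11 is SQL Server 2012.
    $instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (Test-Path $instanceKey) {
        $instances = Get-ItemProperty -Path $instanceKey
        foreach ($prop in $instances.PSObject.Properties) {
            if ($prop.Value -like 'MSSQL11.*') {
                $findings += [pscustomobject]@{
                    Product       = 'SQL Server 2012'
                    Detail        = "Instance '$($prop.Name)' ($($prop.Value))"
                    SupportEnds   = $EndOfSupport['SQL Server 2012']
                    DaysRemaining = ($EndOfSupport['SQL Server 2012'] - $Today).Days
                }
            }
        }
    }
    return $findings
}

$results = Get-EolFindings
if (-not $results -or $results.Count -eq 0) {
    Write-Output 'No Windows Server 2012/R2 or SQL Server 2012 components found on this host.'
} else {
    # A negative DaysRemaining means the product is already past its extended-support end.
    $results | Format-Table -AutoSize
}
```

For a fleet, wrap `Get-EolFindings` in `Invoke-Command -ComputerName` against a host list and feed the output into the same compliance tracking used for other end-of-life findings; the script intentionally only reads WMI/CIM and the registry, so it is safe to run on production hosts.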

No one is going to upgrade to 2019 when 2022 is just around the corner...

Happy sixth birthday, Windows 10: Looking at its past, present, and future

Digital Trends 15 July, 2021 - 11:11pm

On July 15, 2015, Windows 10 hit manufacturing (known as RTM) for preinstall on new laptops and tablets. That was then followed by a public retail release on July 29. In those six years, Windows 10 has managed to make its way onto 1.3 billion devices and to become the number one desktop OS in the world — but it wasn’t easy.

There were a lot of lessons learned throughout the illustrious history of Windows that informed the direction of Windows 10, and even to Windows 11 today. Happy sixth birthday, Windows 10. Here’s a little look back at your journey.

Windows 10 was born at a time when Microsoft faced a lot of fallout from the release of Windows 8 and Windows 8.1. Windows 7 was still quite popular around 2015, and many people did not like the full-screen Start Menu in Windows 8.1. Changes like the Charms Bar, Live Tiles, and other touch-first design elements coming with the new “Metro UI” alienated people used to a desktop-style interface.

Windows 10 was the operating system that promised to change that. It brought back the single-row Start Menu seen in Windows 7 but also blended the Live Tiles and customization options from Windows 8. Even the aero effects from Windows 7 were back, helping make the OS look a bit more modern at the time over Apple’s OS X 10.10.

Microsoft also introduced a digital assistant, Cortana, to take on Siri (though Cortana was short-lived). And it hid the controversial tablet features in a “tablet mode” that only appeared if and when you detached your keyboard or turned your 2-in-1 over. Other new features included Windows Hello login to a PC (using just your face) and the new Microsoft Edge browser.

More importantly, Microsoft improved the lousy app store from Windows 8.1 by introducing Universal Windows Platform apps — apps that can run from a single codebase on Windows 10 Mobile phones, Xbox, Surface, and even HoloLens headsets. Windows 10 Mobile is an entirely separate story, but it got big updates compared to Windows Phone 8, with the codebase for the mobile operating system being based on desktop Windows 10.

For Microsoft, Windows 10 was a brave new venture and the chance to reconnect with Windows users who are familiar with desktop experiences. That’s why the operating system was a free update. Anyone with a valid Windows 7 or 8 license could get Windows 10 for free.

The controversial update tactics and “Get Windows 10 ads” aside, it was a bold new move for Microsoft, which usually charged full price for installing its desktop operating systems on existing hardware.

With the goal of having Windows 10 on 1 billion devices within three years of release, Microsoft was on a bold venture, but things would still get messy.

As more and more people updated to Windows 10, Microsoft started selling Windows 10 as a service. That meant that (as one Microsoft employee put it) Windows 10 could be the “last version of Windows.” It would get yearly feature updates, without the need to pay. Buy in and get Windows 10 once, and you’re good for all future updates as long as Windows is supported. It’s what Apple did with MacOS Mavericks back in 2013.

Those updates meant that Windows 10 continued to evolve based on the feedback of Windows users. Microsoft pushed out yearly feature updates for Windows 10 up until 2016. The Windows 10 November Update and Windows 10 Anniversary Update introduced new performance features and major revamps for inking, Windows Hello, gaming, Cortana, and more.

After 2016, Microsoft shifted the way Windows 10 updates worked. It now got twice-a-year updates (spring and fall), which we still have today. Releases included the Creators Update and the Fall Creators Update. Starting in 2018, updates were named for the month of release — see the October 2020 Update and May 2021 Update as examples.

The rush of updates meant that Windows 10 would evolve. Microsoft constantly improved Windows with new features. They even addressed privacy concerns, putting users in control with new settings toggles. Other new features include Windows Mixed Reality headsets, the Fluent Design visual revamp, Xbox Game Bar, Dolby Atmos, a people app, improved file sharing, and more.

Later releases even introduced cross-platform features like the Your Phone app to sync up Android phones with Windows PCs. And more recently, the new Chromium-powered Edge browser, and a revamped visual update for the Start Menu.

But the big updates eventually stopped coming. After issues with the Windows 10 October 2018 Update caused users’ files to be deleted, Microsoft went back to the drawing board with Windows Updates in 2019 — to get us where we are today. Since then, Windows 10’s twice-a-year updates have focused on adding smaller features and patching bugs.

Microsoft slowed down the pace of Windows development to the point where it fell behind the massive visual redesigns introduced in MacOS Big Sur and Chrome OS. There was even an internal shakeup at Microsoft, with Panos Panay taking charge of things in a new team known as Windows + Devices. The Windows Insider program also saw changes, with “rings” being discontinued in favor of “channels.” All of this shaped things up to where we are today.

Heading into the future, Windows 10 will continue to be supported by Microsoft through the year 2025. It’s been confirmed multiple times, and it’s even listed on the current support page.

But don’t forget, Windows 10 was initially supposed to evolve into a flavor of Windows 10X. The pandemic shifted those plans and that ended up becoming Windows 11 instead.

As far as we know, Windows 10 will now live alongside Windows 11. It is rumored that Windows 10 will still get twice-a-year updates, too. The next update is said to be Windows 10 21H2, as mentioned in three separate support documents for Windows Hello, Windows IT Pros, and Windows Autopilot.

But Windows 11 is the future. Windows 11 brings many changes that fans long requested in Windows 10. A sweeping visual redesign, new Start Menu, Android apps in the Microsoft Store, are just some of the changes. It’s a free update for select Windows 10 devices, and it’s all thanks to six years of Windows 10.

Windows Hello Bypass Fools Biometrics Safeguards in PCs

Threatpost 15 July, 2021 - 11:11pm

A Windows security bug would allow an attacker to fool a USB camera used in the biometric facial-recognition aspect of the system.

A vulnerability in Microsoft’s Windows 10 password-free authentication system has been uncovered that could allow an attacker to spoof an image of a person’s face to trick the facial-recognition system and take control of a device.

Windows Hello is a feature in Windows 10 that allows users to authenticate themselves without a password, using a PIN code or biometric identity—either a fingerprint or facial recognition—to access a device or machine. According to Microsoft, about 85 percent of Windows 10 users use the system.

The Windows Hello bypass vulnerability, tracked as CVE-2021-34466, requires an attacker to have physical access to a device to exploit it, according to researchers at CyberArk Labs who discovered the flaw in March.

From there, they can go on “to manipulate the authentication process by capturing or recreating a photo of the target’s face and subsequently plugging in a custom-made USB device to inject the spoofed images to the authenticating host,” Omer Tsarfati, cybersecurity researcher at CyberArk Labs, wrote in a report about the vulnerability published Tuesday.

Further, exploitation of the bypass can extend beyond Windows Hello systems to “any authentication system that allows a pluggable third-party USB camera to act as biometric sensor,” Tsarfati noted.

Researchers have no evidence that anyone has tried or used the attack in the wild, but someone with motive could potentially use it on a targeted espionage victim, such as “a researcher, scientist, journalist, activist or privileged user with sensitive IP on their device, for example,” according to the analysis.

Microsoft addressed the vulnerability — which affects both consumer and business versions of the feature — in its July Patch Tuesday update. Also, Windows users with Windows Hello Enhanced Sign-in Security — a new security feature in Windows that requires specialized and pre-installed hardware, drivers and firmware — are protected against any attacks “which tamper with the biometrics pipeline,” according to Microsoft.

However, Tsarfati said that the solution may not fully mitigate the issue.

“Based on our preliminary testing of the mitigation, using Enhanced Sign-in Security with compatible hardware limits the attack surface but is dependent on users having specific cameras,” he said. “Inherent to system design, implicit trust of input from peripheral devices remains. To mitigate this inherent trust issue more comprehensively, the host should validate the integrity of the biometric authentication device before trusting it.”

CyberArk researchers posted a video of a proof-of-concept (PoC) for how to exploit the vulnerability, which can be used on both the consumer version, Windows Hello, and an enterprise version of the feature called Windows Hello for Business (WHfB) that businesses use with Active Directory.

The bypass itself exploits a weakness in the biometric sensor of Windows Hello, which “transmits information on which the OS … makes its authentication decision,” Tsarfati wrote. “Therefore, manipulating this information can lead to a potential bypass to the whole authentication system.”

For facial recognition, the biometric sensor is either a camera embedded in a device, such as a laptop, or connected to a computer via USB. Therefore, the entire process depends on this camera for proof of identity–which is where the vulnerability lies, particularly when a USB camera is used for authentication, he wrote.

“The answer lies in the input itself,” Tsarfati wrote. “Keyboard input is known only to the person who is typing before the information is entered into the system, while camera input isn’t.”

Therefore, using a camera to access “public” information—i.e., a person’s face—for authentication can easily be hijacked, he explained.

“It is similar to stealing a password, but much more accessible since the data (face) is out there,” Tsarfati wrote. “At the heart of this vulnerability lies the fact that Windows Hello allows external data sources, which can be manipulated, as a root of trust.”

Researchers detailed a somewhat complex way for an attacker to capture someone’s image, save the captured frames, impersonate a USB camera device, and eventually send those frames to the Windows Hello system for verification.

To prove the concept, they created a custom USB device that acts as a USB camera with both infrared (IR) and Red Green Blue (RGB) sensors, using an evaluation board manufactured by NXP. They used this custom camera to transmit valid IR frames of the person they were targeting, while sending RGB frames showing an image of the cartoon character SpongeBob SquarePants.

“To our surprise, it worked!” Tsarfati wrote.

Based on this understanding, an attacker would only need to implement a USB camera that supports both RGB and IR and then send only one genuine IR frame of a victim to bypass the login phase of the device, while the RGB frames can contain any random image, he explained.

The entire process depends on an attacker having an IR frame of a potential victim to use in an attack, which can be obtained either by capturing one or by converting one of the person’s regular RGB frames to an IR one, Tsarfati explained.

“Our findings show that any USB device can be cloned, and any USB device can impersonate any other USB device,” he said. “We used the IR frames of a person to ‘bypass’ the face recognition mechanism. We believe that those IR frames can be created out of regular color images.”
