Recently Browsing 0 members
No registered users viewing this page.
Microsoft Weekly: Halo 4 finally on PC, more Fluent icons, and optional updates
by Florin Bodnarescu
The last week brought Halo 4 for the first time to PC players the world over, a Fluent Design upgrade for Edge icons showed up – as well as multiple new features -, plus some security fixes for a range of Windows 10 versions. You can find info about that, as well as much more below, in your Microsoft digest for the week of November 15 - 21.
Halo 4 finally on PC
After much anticipation, the final title in the Master Chief Collection, aka Halo 4, has finally arrived on PC. Bringing cross-play support and a bunch of new enhancements, the game is now live on Steam, the Microsoft Store and Xbox Game Pass for PC. If you’re curious as to what exactly the title has to offer, do take a peek at the review that’s currently up, in which our very own Pulasthi Ariyasinghe calls the FPS a “satisfying conclusion to the Master Chief Collection”.
Continuing with the first-party news, Sea of Thieves has received its November update, complete with a range of bug fixes, upgrades to Treasure Vault voyages, performance improvements, and much, much more. The update comes in at 6GB on Windows 10, Xbox One X, and Xbox Series X, with the One S and Series S owners receiving a slightly smaller 5GB update. Steam owners are the luckiest with a measly 3.6GB required to download.
And since we mentioned it, before we get back to the game news, it’s worth interjecting with the fact that new Xbox Series S orders may arrive after the holidays. This is because, unsurprisingly, the Series S is out of stock.
Returning to first-party games, Minecraft has just gotten a new Star Wars-themed DLC, and if that’s not quite what you want to be playing this week, there’s always a bunch of Deals with Gold to browse, including ones for Code Vein, Dark Souls, Ace Combat 7, and much more.
Ending this section is a bit of gameplay from both the Xbox One X and Series X for CD Projekt RED’s upcoming open-world RPG, Cyberpunk 2077. Switching between the two consoles frequently, the video highlights interiors, exteriors, combat, and other NPC interactions.
More Fluent icons
Regardless of your opinion of the new Edge, one major change in comparison to the Legacy version is that the browser gets updated more frequently than before.
As such, everybody in the Dev and Canary channels can now start using the text comments in PDFs feature. If you haven’t gotten it yet, the Dev build is 88.0.702, in case you want to try out this capability.
There are also new features added to Edge this month, like an improved copy-paste experience, better integration with Bing rewards, new shopping features, and much more.
Staying on the subject of improvements, now when you open history, it will show a pop-up window which allows you to more easily navigate through your previously opened links. Furthermore, you’re now able to pin a history icon next to the address bar for easy access.
Microsoft was also eager to share the fact that Edge WebView2 is now available for .NET. This, for folks not aware, is the Chromium Edge equivalent of Project Spartan’s (old Edge) EdgeHTML-based WebView. Additionally, the Redmond firm also aims to stop Chromium browsers from launching with elevated privileges.
Finally, for those of you who wish the company would just stop for a second and update everything to its (for now) unified Fluent Design system, there’s good news. Chromium Edge is going to be getting a new set icons to bring the entire experience more in line with the company’s design aesthetic du jour. The first phase is currently being rolled out.
If you’ve been running Windows 10 for a while, you’ll be aware that Microsoft also releases optional updates from time to time, beyond its Patch Tuesday patches.
If you’re on 1809, or the October 2018 Update, you’ll get KB4594442, which bumps up the build number to 17763.1579 and addresses a security bug with Kerberos authentication and ticket renewal. If you’re running the Anniversary Update (1607), that same fix will come through for you as KB4594441, bumping the build number up to 14393.4048, while folks on the May 2019 Update (1903) and November 2019 Update (1909) will be getting KB4594443, with builds 18362.1199 and 18363.1199, respectively.
Finally, those on either the May 2020 Update (2004) or October 2020 Update (20H2) will receive KB4594440, with builds 19041.631 and 19042.631.
Microsoft was busy releasing even more builds however, so here’s what else you need to be on the lookout for:
May 2019 Update / November 2019 Update (1903/1909): KB4586819, builds 18362.1237 / 18363.1237 – fixes a bug that causes Edge to open in the background when the device is in tablet mode, as well as bugs with USB 3.0 hubs, Narrator, and WMR headsets running in lower resolution modes. October 2018 Update (1809) Enterprise, Education: KB4586839, build 17763.1613 – fixes the same bugs for the version above, as well as the issue which may cause the HDD to fill up in certain error situations. The known issues for all updates above remain the same ones outlined in the Patch Tuesday wave of updates.
In other news, Microsoft will not release any optional Windows 10 cumulative updates in December. This applies to preview updates (so basically A, C, and D wave updates, rather the B wave ones which come with Patch Tuesday every month). This is due to “minimal operations during the holidays and the upcoming Western new year”.
Over in the Insider Dev channel, the company unleashed build 20262 with a number of fixes, as well as 20262.1010, the of which was simply a Cumulative Update to test out the servicing pipeline.
Polls in Teams meetings have now started rolling out. New Power Apps and Dataverse are now generally available for Teams. Photoshop Beta is now available for ARM-based Windows 10 and macOS devices. WinUI 3 Preview 3 is now out, featuring ARM64 support. Dynamics 365 Project Operations has been announced, aimed at service-based businesses in India. Microsoft 365 is now available from datacenters in Brazil. The November updates for Microsoft 365 include new Teams apps, among other features. Teams personal features are now rolling out on desktop and the web. The Surface Studio 2 has gotten new firmware updates to fix audio performance and stability, with the Go 2 and Book 3 now available for purchase in India. Logging off
We cap things off with a new security chip that Microsoft intends to introduce for Windows-based devices.
In what the firm will be dubbing Pluton going forward, Microsoft has announced essentially the Trusted Platform Module (TPM) chip equivalent, but integrated on the SoC.
Seen in other solutions like the Xbox consoles or Azure Sphere, this is basically an intersection of software and hardware to provide the benefits of TPM chips in terms of security, but (currently) none of the drawbacks. Specifically, since TPM is separate from the CPU, perpetrators are able to target the channel between the CPU and TPM chip with their attacks.
Working with AMD, Intel, and Qualcomm on the solution – with AMD being the first to use it -, Microsoft says that the Pluton chip will work with BitLocker and System Guard, and that information can’t be removed from the chip via malware or any other way.
Integrated with Windows Update in the same way Azure Sphere Security Service integrates with IoT devices, the chip will make sure that firmware updates come directly from Microsoft.
There’s currently no word as to when we’ll be seeing the chip’s debut in PCs.
Missed any of the previous columns? Be sure to have a look right here.
By Usama Jawad96
GitHub finally fixes 'high' severity security flaw reported by Google Project Zero
by Usama Jawad
Google's Project Zero team is dedicated to finding security vulnerabilities in the company's own software as well as those developed by other firms. Its methodology involves privately reporting flaws to vendors and giving them 90 days to fix them before public disclosure. Depending upon the severity of the situation, this deadline may be extended or brought closer according to the group's standard guidelines.
At the start of November, Google publicly disclosed a "high" severity security issue in GitHub following the latter's inability to fix it in 104 days - more than the standard time frame. However, GitHub users will now be pleased to know that the security hole has finally been filled.
The security flaw in question was that workflow commands - which act as a communication channel between executed actions and the Action Runner - in GitHub Actions are extremely vulnerable to injection attacks. Google Project Zero's Felix Wilhelm, who originally reported the security flaw, stated that the way workflow commands are implemented is "fundamentally insecure". A short-term solution would be to deprecate the command syntax, whereas a long-term fix would involve moving workflow commands to some out-of-bound channel, but that is also tricky because it would break dependent code. Google publicly disclosed the issue on November 2 following GitHub's failure to fix the issue in the allotted 104 days.
Apparently, this has put some pressure on the company as the vulnerability has now been patched. The patch notes indicate that the fix is in line with Wilhelm's proposed short-term solution:
The problem was fixed by GitHub a few days ago but has now been validated by the Google Project Zero team, and has been marked as such on the issue repository. This brings the list of open issues reported by the security team down to nine. It includes software developed by numerous vendors including Microsoft, Qualcomm, and Apple. The only open issue present in Google's own software is related to a pointer leak on Android, but the status of this "medium" severity flaw has been open since September 2016.
By Abhay V
Microsoft aims to stop Chromium browsers from launching with elevated privileges
by Abhay Venkatesh
Microsoft’s recent Chromium commit suggests that the company is working to add a way to “de-elevate” browsers, meaning that it does not want users to launch the browser with elevated or administrative privileges owing to security concerns. The commit termed “Automatically de-elevate browser when launched as elevated” was submitted to Chromium Gerrit (spotted by WindowsLatest) and has had some interesting responses.
The Redmond firm argues that the browser’s ability to automatically switch out of elevated privileges and re-launch under normal user privileges will help it solve problems such as executables downloaded from elevated browsers running with admin privileges, leading to easy access to system files. The company says that browser elevation is “unnecessary” and can cause problems.
However, the idea was met with skepticism from Google engineers who suggested that the choice must be with users and that a prompt to let users know of the elevated browser could be a better idea. Microsoft says that it experimented with a “bubble dialog” warning in the corner, but noticed that the prompt was displayed “way more often” when the browser was launched from an installed or other elevated programs, which led to many user complaints.
Currently, the discussions between the engineers point towards working on a feature to automatically de-elevate downloads and executables run from a browser with elevated privileges. This will ensure that users will explicitly run installers or other programs with elevated privileges if required, and avoid letting the browser automatically run elevated programs.
By Rich Woods
Microsoft Pluton is a new security chip for Windows PCs
by Rich Woods
Today, Microsoft announced Pluton, its new security chip for Windows 10 PCs. It's meant to provide hardware and software integration that we've already seen in the Xbox One and Azure Sphere, but now it will be on upcoming computers. Yes, this is a hardware-based solution, so you'll absolutely need a new PC to get it.
Right now, hardware-based security comes from the Trusted Platform Module (TPM), which is separate from the CPU. The problem with this method is that while the TPM is effective, attackers can target the channel between the TPM and the CPU. That's the weak point.
That's one thing that's being solved by Pluton. The Pluton security chip will be built directly into the CPU, and Microsoft said that it's working with Intel, AMD, and Qualcomm on this. In fact, AMD said it will be the first to use it.
"At AMD, security is our top priority and we are proud to have been at the forefront of hardware security platform design to support features that help safeguard users from the most sophisticated attacks," said Jason Thomas, head of product security at AMD. "As a part of that vigilance, AMD and Microsoft have been closely partnering to develop and continuously improve processor-based security solutions, beginning with the Xbox One console and now in the PC. We design and build our products with security in mind and bringing Microsoft’s Pluton technology to the chip level will enhance the already strong security capabilities of our processors."
Pluton will work with things that currently require a TPM, such as BitLocker and System Guard. In fact, Microsoft says that this information can't be removed from the Pluton chip by way of malware or anything else.
Another thing that's kind of a big deal is that firmware updates are going to come directly from Microsoft. Right now, your firmware updates can come from a variety of places. They could come from Windows Update, Lenovo has its Vantage app, HP has Support Assistant, Dell has SupportAssist, and there's more. This is hard to manage, and Microsoft says that Pluton for Windows PCs will be "integrated with the Windows Update process in the same way that the Azure Sphere Security Service connects to IoT devices."
Microsoft didn't say exactly when we're going to see PCs shipping with CPUs that have Pluton, but it's probably going to be a little while. After all, if AMD is going to be the first, we'll have to wait at least for Ryzen 5000 mobile processors.
By Jay Bonggolto
NordVPN launches new feature to scan the dark web for compromised credentials
by Jay Bonggolto
NordVPN today unveiled a new feature designed to protect your personal information beyond its virtual private network capabilities. The Dark Web Monitor tool works to scan the dark web in order to check for your personal credentials that have been exposed.
The feature determines when your private information like usernames and passwords may have been sold on the dark web. It will then send you an alert in real-time to help you take action to protect your accounts before cybercriminals can access them. NordVPN noted that "awareness is the first step towards security".
The new feature is available in NordVPN's iOS app. To turn it on, you can simply go to the app's Settings and switch on Dark Web Monitor. It will then continuously start scanning the dark web for personal information that may belong to you such as the email address you used to sign up for NordVPN.
The feature runs in the background so it won't get in the way of your other tasks. It will send you an alert when it detects your exposed credentials, including the compromised service. This should prompt you to secure your account by changing your password, for example. NordVPN vows to roll out the feature to Android devices soon.