Microsoft Defender bug creates "thousands" of files in the boot drive, fix rolling out now
by Abhay Venkatesh
In the past few days, numerous reports on Reddit and Microsoft's forums began pointing towards an issue with Microsoft Defender that was causing users' boot drives to fill up. While some users complained of small files less than 2KB in size causing minor problems, others reported seeing multiple gigabytes of storage consumed by thousands of files in the Windows Defender folder. The files were showing up in the ProgramData\Microsoft\Windows Defender\Scans\History\Store folder, causing massive backups as well.
Guessing from a long list of responses on multiple forum threads and on Reddit, the bug was affecting users running multiple security software on Windows Server 2016 and 2019. Some users reported being unable to open the folder itself, thanks to the boot drive filling up and causing slowdowns. While some admins suggested disabling real-time protection in Defender, others began sharing command-line scripts to delete files in the History folder.
A response on another Reddit thread from a user who raised the issue with Microsoft's support teams suggests that the firm has acknowledged the issue and is already rolling out a fix for the problem. This was corroborated by another user's comment on the support forums. The culprit is reportedly present in engine version 1.1.18100.5 and is being fixed with an update that bumps the version up to 1.1.18100.6. The update has begun propagating to users in the "normal release cycles" and will make it to mainstream users tomorrow, May 6, the user adds.
The bug has understandably been a frustrating one for system admins, thanks to the system slowdowns and backup issues caused to Windows Server users. If you have been facing this issue, it is best to check for updates in Windows Update to look for the fix.
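For admins who want to confirm whether a server is on the affected engine build and how large the scan-history store has grown before waiting on the update, the following read-only check is an added example for this article, not a script from the forum threads it describes. It assumes Windows PowerShell with the Defender module (Get-MpComputerStatus) present and the default %ProgramData% location for the store folder; it only reports, it does not delete anything or change protection settings.

```powershell
# Added example (not from the article or from Microsoft): report the Defender engine
# version and the size of the Scans\History\Store folder described above.
# Assumptions: Defender module available; store lives under the default %ProgramData%.
$store = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Scans\History\Store'

$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion
"Defender engine version: $engine"

# 1.1.18100.5 is the build the article names as affected; 1.1.18100.6 carries the fix.
if ($engine -lt [version]'1.1.18100.6') {
    "Engine is older than 1.1.18100.6: check Windows Update for the engine update."
} else {
    "Engine is at or above 1.1.18100.6."
}

if (Test-Path -LiteralPath $store) {
    # -Force includes hidden files; the folder itself may be slow to enumerate when bloated.
    $files = Get-ChildItem -LiteralPath $store -File -Force -ErrorAction SilentlyContinue
    $count = ($files | Measure-Object).Count
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    "Scan history store: $count files, {0:N1} MB" -f ($bytes / 1MB)
} else {
    "Scan history store folder not found at $store"
}
```

Run it in an elevated session on the affected server; a file count in the thousands alongside an engine version below 1.1.18100.6 matches the symptoms reported in the threads.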
Source: Microsoft Docs forums (1)(2) via Deskmodder.de | Image credit: BleepingComputer
Google discloses 'medium' severity flaw in Windows following Microsoft's incomplete fix
by Usama Jawad
Google's Project Zero team is quite well-known for discovering vulnerabilities in the software developed by the company itself as well as those built by other firms. Its methodology involves identifying security flaws in software and privately reporting them to vendors, giving them 90 days to fix them before public disclosure. Depending upon the complexity of the fix required, it sometimes also offers additional days in the form of a grace period.
Over the past couple of years, the team has revealed major vulnerabilities in Windows 10 S, macOS kernel, and iOS, among others. Now, it has disclosed a "medium" severity flaw in various versions of Windows following what it claims to be an incomplete fix offered by Microsoft in yesterday's Patch Tuesday update.
The flaw, which was first reported to Microsoft on May 5, 2020, allows apps to bypass network authentication restrictions and use a user's credentials even when they do not have that capability.
While Google's summary of the vulnerability is full of technical jargon (and you're free to read it in-depth here), the main issue is that the legacy Windows AppContainer grants access to Enterprise Authentication via single sign-on, which is a restricted capability providing access to sensitive functions. As such, this isn't automatically approved for Windows Store apps and is primarily used in side-loaded enterprise applications.
Although this isn't a flaw by itself, the problem occurs when UWP networking incorrectly makes an exception when an application is authenticating to a network proxy. Google Project Zero's security researcher James Forshaw states that:
Forshaw explains that theoretically, a local attacker can utilize this by using Classic Edge to access localhost services due to the backdoor in Firewall APIs, and then finding a system service to escape.
Interestingly, this is only one portion of the flaw. Forshaw claims that even if Microsoft's code which handles the network address not being a proxy was correct, it could still be bypassed because it calls "DsCrackSpn2" to resolve network target names of the form Service Class/Instance:port/Service Name into individual components, but apparently even this isn't being done correctly.
A proof-of-concept (PoC) code has also been attached to show how an application could bypass Enterprise Authentication to achieve elevated privileges. The PoC attempts to list the shares of the Windows Server Message Block (SMB) and even though the OS shouldn't allow this access, the local shares are still listed.
Google Project Zero gave Microsoft the standard 90-day deadline to fix this vulnerability and also offered a grace period on July 31 so that the company could roll out the fix in August's Patch Tuesday. While Microsoft did indeed release the fix as CVE-2020-1509 yesterday and credited James Forshaw for discovering it, the Project Zero team claims that it is an incomplete fix since it does not rectify the DsCrackSpn2 target name resolution issue. As such, Google has now publicly revealed the flaw in accordance with its policies.
While it appears that the security flaw is complex enough to not be exploited by your average script kiddie, elevation of privilege - even if local - can be dangerous. According to Microsoft's security advisory, this problem impacts numerous versions of Windows, including Windows Server 2012, 2016, 2019, Windows RT 8.1, 8.1, and Windows 10 all the way up to version 2004.
Shadow Defender 188.8.131.526
by Razvan Serea
Shadow Defender is an easy-to-use security solution (for Windows operating systems) that protects your PC/laptop real environment against malicious activity and unwanted changes. Shadow Defender can run your system in a virtual environment called 'Shadow Mode'. 'Shadow Mode' redirects each system change to a virtual environment with no change to your real environment. If you experience malicious activity and/or unwanted changes, perform a reboot to restore your system back to its original state, as if nothing happened.
With Shadow Defender, you have the flexibility to specify which files and folders are permanently saved to the real environment. This ensures important files and folders are kept after a reboot.
Shadow Defender features:
Prevent viruses and malware.
Surf the internet safely and eliminate unwanted traces.
Protect your privacy.
Eliminate system downtime and maintenance costs.
Reboot to restore your system back to its original state.
Shadow Defender uses:
Maintain a system free from malicious activity and unwanted changes.
Test software and game installations in a safe environment.
Protect against unwanted changes by shared users (suitable for workplaces and educational institutions).
Shadow Defender 184.108.40.2066 changelog:
Fix a bug related to Exclusion List on Windows 10.
Download: Shadow Defender 220.127.116.116 | 3.5 MB (Shareware, 30-day trial)
View: Shadow Defender Website
Microsoft acknowledges Windows vulnerability that allows remote code execution
by João Carrasqueira
Microsoft today acknowledged the existence of a critical security vulnerability in multiple versions of Windows and Windows Server. In a new security advisory, ADV200006, Microsoft explains that there are actually two remote code execution vulnerabilities that can crop up when the Adobe Type Manager Library tries to handle an Adobe Type 1 PostScript font. This can happen when a specially-crafted document is opened or even just previewed in the Windows Explorer Preview pane.
Regarding which versions of Windows are affected by the vulnerability, it seems that most recent versions of Windows - from Windows 7 to Windows 10 version 1909, including versions for ARM-based devices - are affected. Likewise, most recent versions of Windows Server, from Windows Server 2008 to Windows Server 2019, as well as Windows Server versions 1803, 1903, and 1909, are all affected. However, Microsoft says that, for supported versions of Windows 10, an attack could only allow for code execution within an AppContainer context, which has limited capabilities and privileges.
As you'd expect, Microsoft is working on a fix, but it's not promising a specific date for the fix to be released. In the meantime, there are a handful of workarounds. For example, disabling the Details and Preview panes of Windows Explorer stops malicious files from being rendered before they're opened, which removes the preview-only attack path. Disabling the WebClient service is also a possible workaround, and finally, renaming the ATMFD.DLL file may also help.
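To see which of the workarounds above are already in place on a given machine, the following read-only check is an added example written for this article; it is not code from Microsoft's advisory. It assumes the WebClient service name "WebClient" and that the font driver, when present, lives at %SystemRoot%\System32\atmfd.dll (the path is an assumption; the article only names the file). It reports state and changes nothing.

```powershell
# Added example (not from the article or the ADV200006 advisory): report the status of
# the WebClient service and whether ATMFD.DLL is still present under its usual name.
# Assumptions: service name 'WebClient'; driver path %SystemRoot%\System32\atmfd.dll.

# Workaround 1: WebClient service disabled?
$svc = Get-Service -Name 'WebClient' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    "WebClient service: not installed"
} else {
    "WebClient service: status=$($svc.Status), startup=$($svc.StartType)"
    if ($svc.StartType -ne 'Disabled') {
        "  -> still enabled; the advisory lists disabling it as a workaround."
    }
}

# Workaround 2: ATMFD.DLL renamed?
$atmfd = Join-Path $env:SystemRoot 'System32\atmfd.dll'
if (Test-Path -LiteralPath $atmfd) {
    $ver = (Get-Item -LiteralPath $atmfd).VersionInfo.FileVersion
    "atmfd.dll: present (version $ver); the advisory lists renaming it as a workaround."
} else {
    "atmfd.dll: not present at $atmfd (renamed, removed, or not shipped on this build)."
}
```

Because supported Windows 10 builds confine the font parser to an AppContainer, the output matters most on the older Windows and Windows Server versions the article lists, where the WebClient and ATMFD.DLL workarounds apply in full.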
New security updates are typically released on the second Tuesday of each month, which is known as Patch Tuesday. That means you probably shouldn't expect a fix until the second Tuesday of April at the earliest.
Office 365 ProPlus and OneDrive Files On-Demand coming to Windows Server 2019
by Rich Woods
Today, Microsoft announced a bunch of new Microsoft 365 features for those running Windows in virtual environments. Mostly, it has to do with running virtualized Office apps on Windows Server 2019.
The company says that FSLogix containers are now fully integrated into Office apps that run in virtual environments, and that should result in a big boost in performance. It should be as fast and responsive as if you were using it on a dedicated machine. It's now available on Microsoft 365 E3, E5, A3, A5, Student Use Benefits, F1, and Business SKUs, along with Windows 10 Enterprise E3/E5 and Education A3/A5 SKUs, Windows 10 VDA per user, and RDS Client Access License and Subscriber Access License.
Windows Server 2019 is getting support for both OneDrive Files On-Demand and Office 365 ProPlus. The latter is a big deal for anyone who is migrating from Windows Server 2008 or 2012, the former of which won't be supported after January and the latter of which won't be supported for connecting to Office 365 data after October 2020. Naturally, you'll want to use OneDrive Files On-Demand with the Office apps in your virtual environments, which lets you access all of your cloud-stored files while still choosing which ones to store locally.
There are a bunch more improvements for running Office in virtual environments. There's Outlook Cached Mode which allows you to get to your email and calendar faster, and you can also set Outlook to sync your inbox before your calendar. OneDrive now lets people share one installation of the app, while still letting the users access their own accounts. Teams is offering something similar.