Windows 11 has continued to notch up known issues as Microsoft admitted to problems in the Intel Smart Sound department and Microsoft Installer following a security update.

The former turned up earlier this week, when Microsoft realised that "certain versions" of drivers for Intel Smart Sound Technology (SST) could tip Windows 11 into a blue screen (of death). The driver involved is IntcAudioBus.sys and file versions 10.29.0.5152 and earlier or 10.30.0.5152 and earlier are affected.

The workaround is, unsurprisingly, to get an updated driver from one's OEM. 10.30.00.5714 and later or 10.29.00.5714 and later should do it, according to Microsoft. Slightly confusingly, "for addressing this issue, 10.30.x versions are not newer than 10.29.x versions." The key bit is the last of the version number.

While a compatibility block was flung up to prevent any more users with sound drivers not to Windows 11's taste updating the OS, others optimistically applying the company's security patches may not have been so lucky.

KB5007215 was dispensed to the faithful on 9 November and, as well as noting problems with connecting to print servers in the patch's known issues, yesterday Microsoft had to add one of its side effects to the Windows release health dashboard. In this case the Microsoft Installer has been left unwell following the update (or its later siblings) and could "have issues repairing or updating apps."

One of the affected apps is part of Kaspersky's Endpoint Security 11 for Windows. Kaspersky noted that while its app would remain functioning correctly, problems might happen when updating or changing the scope of the application.

Kaspersky's recommendation is to temporarily hold off from the update (Microsoft said it is "working on a resolution and will provide a new update in an upcoming release"). Otherwise the mitigation appears to be an uninstall and reinstall of the afflicted application.

Very much the software equivalent of turning it off and on again. Even in 2021, the old ways remain the best, it seems.

See the rest here:
Intel audio drivers give Windows 11 the blues and Microsoft Installer borked following security update - The Register

Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions.

These cookies.sqlite databases normally reside in the Firefox profiles folder. They're used to store cookies between browsing sessions. And they're findable by searching GitHub with specific query parameters, what's known as a search "dork."

Aidan Marlin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that "credentials exposed by our users are not in scope for our Bug Bounty program."

Marlin then asked whether he could make his findings public and was told he's free to do so.

"I'm frustrated that GitHub isn't taking its users' security and privacy seriously," Marlin told The Register in an email. "The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they'd done, they'd s*** their pants."

Marlin acknowledges that affected GitHub users deserve some blame for failing to prevent their cookies.sqlite databases from being included when they committed code and pushed it to their public repositories. "But there are nearly 4.5k hits for this dork, so I think GitHub has a duty of care as well," he said, adding that he's alerted the UK Information Commissioner's Office because personal information is at stake.

Marlin speculates that the oversight is a consequence of committing code from one's Linux home directory. "I imagine in most of the cases, the individuals aren't aware that they've uploaded their cookie databases," he explained. "A common reason users do this is for a common environment across multiple machines."

GitHub dorks are not new, but they often only affect a single service, like AWS, Marlin said. This particular gaffe is troubling because it could allow an attacker to access any internet-facing website to which the GitHub user was authenticated at the time the cookie files were committed. He added that dorks for other browsers can probably also be found.

Exploitation, Marlin said, would be very easy. It's just a matter of creating a new Firefox profile on your local machine and then downloading the cookies.sqlite file and placing it within the Firefox profile folder. "You'll be authenticated on any services which the user was logged in on when they committed the database," explained Marlin.

There's a theoretical complication. Firefox offers an option to protect logins and passwords. But as far as we can tell, that doesn't apply to the cookies.sqlite file. The Register was able to examine multiple Firefox cookie databases with Marlin's guidance.

When the visibility of cookies came up five years ago as a Firefox macOS bug submission, it was closed.

And even if the cookies.sqlite file were protected by a database-specific password, it probably wouldn't offer much protection: Various open source projects offer the ability to crack .sqlite files, and there are commercial offerings of this sort too.

To underscore the seriousness of exposing these databases, consider this recently described Android PoC exploit of CVE-202015647, used to exfiltrate the Firefox cookies database.

Mozilla confirmed Marlin's claims about the risk of exposing these files in an email to The Register on Thursday.

"Protecting the privacy of internet users is at the core of Mozillas work," a Mozilla spokesperson said. "When using code hosting services, we encourage users to use caution when considering the sharing of private data directly on public websites. When choosing to backup sensitive Firefox profile data, Mozilla recommends Firefox Sync, which encrypts and safely stores files within Firefox servers."

One mitigating factor at least is that sessions and associated cookies tend to expire relatively quickly.

There's precedent for GitHub to take action to help those who have been unwittingly publishing their cookie databases. The social code biz has been scanning for exposed credentials in repos since 2015 and now scans for more than 70 different types of secrets. Here's one more to add to the list.

GitHub did not respond to a request for comment.

See the original post:
Thousands of Firefox users accidentally commit login cookies on GitHub - The Register

US-sanctioned Positive Technologies has pointed out three vulnerabilities in Zoom that can be exploited to crash or hijack on-prem instances of the videoconferencing system.

One of the trio of bugs is an input validation flaw, which can be abused by a malicious Zoom portal administrator to inject and execute arbitrary commands on the machine hosting the software. We imagine a scenario in which someone in, say, HR is made an admin of the company Zoom installation, and their work PC is hijacked by a miscreant who then exploits this vulnerability to get a foothold on an internal server system, and go exploring from there.

The vulnerability, tracked as CVE-2021-34414, was patched in September.

"You can often encounter vulnerabilities of this class in apps to which server administration tasks have been delegated," Positive Technologies researcher Egor Dimitrenko said of the vuln.

"This vulnerability always leads to critical consequences and, in most instances, it results in intruders gaining full control over the corporate network infrastructure."

Zoom offers an on-premise option for enterprises and one of its main advantages, said the company in marketing literature, is that meeting traffic (but not user metadata) stays within the host org's private cloud. Its three components are the On-Premise Meeting Connector, Virtual Room Connector, and Recording Connector.

Dimitrenko and his Positive Technologies comrades were able, so they said, to exploit improper input validation in the on-prem component of Zoom to obtain server-level access. Two related holes, CVE-2021-34415 and CVE-2021-34416, could be exploited to crash Zoom.

The vulns affected:

If your org has an on-prem Zoom deployment, now is a good time to check its update status.

Zoom spokesman Matt Nagel told The Register: "Zoom takes the security of its platform very seriously, and has addressed these issues. We recommend users stay up to date with the latest version of Zoom to take advantage of our newest features and security updates."

Positive Technologies is a Russian infosec company that was repeatedly targeted by the US government for sanctions this year. In April the firm was accused of helping recruit people into Russian state hacking agencies, while earlier this month Positive joined Israeli spyware vendor NSO Group on the US State Department's Entity List, a naughty step for firms banned from conducting financial transactions with American companies.

This doesn't appear to have slowed the outfit's enthusiasm for security research: when the sanctions were initially slapped on it, Positive described them as "groundless accusations," making comparisons with US attitudes to Chinese tech vendor Huawei.

In October Positive did the world a genuine favor by revealing a vulnerability in ancient shareware file compression utility WinRAR, still used today by those who rely on the .rar format.

See the rest here:
America, when you're done hitting us with the ban hammer, see these on-prem Zoom vulns, says Positive - The Register

China's decision to limit minors to three hours of gaming each week has proven problematic for the nation's clouds, which find themselves with unused capacity.

So said Steve Brazier, CEO of channel-centric analyst firm Canalys, at the company's Asia-Pacific Forum

"25 to 30 per cent of Chinese cloud capacity was for gaming," Brazier said. Chinese clouds like Alibaba are now trying to figure out what to do with that capacity. Some have even deferred datacentre builds as a result, Brazier said.

The CEO rated China's increasingly strong data privacy regulations, and actions to limit the market power of local tech giants, as "bold" and suggested the global tech industry should brace for more regulations in more nations.

Brazier also added a little to his remarks at the EMEA version of the Forum in October 2021, suggesting that as the pandemic wanes and businesses resume attendance in their offices, spending on Wi-Fi and collaboration kit will soar. Supply chain challenges, however, will mean that vendors pick and choose whose orders they fulfil.

Enterprises, Brazier said, are generally higher up the pecking order as vendors sell direct when they can a trend illustrated by smartphone vendors choosing to deal with their giant carrier customers before they send product to distributors that serve smaller resellers.

Small to medium businesses must make do with whatever kit their preferred resellers can secure if those resellers can develop the procurement skills needed to get kit through the door at all.

If resellers can't get the product end users want, Brazier said, they'll offer customers equivalents and charge like wounded bulls.

"We have taken price out the equation for the first time in years," he told resellers.

The ability to charge more means the IT services industry has decoupled its growth from trends in gross domestic product. Despite inflation, stock market uncertainty, and the lingering effects of the pandemic, Brazier predicted IT services businesses will thrive in coming years. And end users will pay for it to happen although perhaps not China's cloud providers.

Link:
Ready, player anyone? China's gaming ban left cloud providers looking for someone to play with - The Register

Amazon Web Services has added support for streaming Linux applications and desktops to its AppStream service, which was previously Windows-only, claiming that it will "greatly lower the total streaming cost."

AppStream 2.0 has been running since late 2016 and enables users to stream GUI applications or entire desktops to a local PC either via a web browser or using a Windows client. Although running applications remotely has some drawbacks such as latency, dependency on a strong internet connection, and potential snags accessing local resources like printers and storage it also has advantages.

Benefits include isolation from the local PC and some security risks, the ability to run Windows applications from any OS, and full control of the remote environment. In the case of demanding applications that perform intensive data processing or need high-end GPUs, renting a PC from AWS may work out cheaper than buying the hardware, if usage is only occasional.

GUI applications on Amazon Linux, now supported in the AppStream 2.0 service

Another use case is for software vendors wishing to offer a Windows desktop application as a service. The vendor handles the system requirements, application install, updates and data storage, so users can simply navigate to the application using a web browser.

The dominance of Windows in the desktop world is such that the demand for streaming is mainly for Windows applications. That has hitherto been the assumption in AppStream 2.0, but AWS has now introduced Linux application support.

"You can now stream Linux applications and desktops to your users, and greatly lower the total streaming cost by migrating Matlab, Eclipse, Firefox, PuTTY, and other similar applications from Windows to Linux on Amazon AppStream 2.0," the company said. Use cases offered are delivering software as a service (SaaS), remote Linux development environments, CAD applications that require high performance GPUs, and remote Linux learning environments.

How much will users save? A quick look at the pricing shows a potentially misleading example where Windows streaming costs $22.72 for a week versus $8.85 for Linux. The main reason is that Microsoft charges an RDS (Remote Desktop Services) fee for Windows streaming, in this case $4.19 per month or any part of a month, and making the calculation for a small number of hours for just one week makes this disproportionately large.

Pricing is based on instance costs and stream.standard.large (2 vCPU and 8GB RAM) costs $0.24 per hour for Windows, or $0.214 for Linux, for example, using current UK region prices. There is also a "stopped fee" of $0.029 per hour for either OS, and then the RDS fee on top in the case of Windows. This means the saving for using Linux will be relatively small in most scenarios. We may conclude that AWS is keen to make Linux look much cheaper than Windows, perhaps for strategic reasons.

There is more to this than cost savings. HP has been touting the advantages of running Linux applications on Windows because in the world of data science, Linux may be the better-supported environment. AWS has made sure to include GPU-oriented machine instances in its new AppStream 2.0 support. If the applications users require can be run on Linux, there may also be gains in efficiency and manageability as well as cost.

Linux images have appeared in the AppStream 2.0 image registry

How is AppStream 2.0 for Linux deployed? The starting point for any AppStream deployment is an OS image which admins can then customise, so the main change is that Linux images have now appeared in the list of AppStream 2.0 images available. These images are based on Amazon Linux 2.0, which is in the Red Hat family and perhaps most similar to Fedora.

Users may not be familiar with the idea of running GUI applications on Amazon Linux 2.0, which is popular for EC2 (Elastic Compute Cloud) virtual machines, but it can be done and there is documentation. We tried installing the recommended Mate desktop on an Amazon Linux 2.0 instance downloaded for on-premises use, which is also supported, and added the Chromium web browser to perhaps get a flavour of how this might look.

Most of the documentation for AppStream 2.0 remains Windows-only so it still feels bleeding-edge; we even noticed a bug in the Excel pricing tool which has been updated for Linux but breaks if one tries to choose Linux as the operating system.

The major difficulty is that as soon as users want to run, for example, the Microsoft Office desktop applications, or one of countless Windows-only business applications, Linux is no use to them. Nevertheless, the combination of WSL (Windows Subsystem for Linux), which now supports GUI applications, and AWS AppStream 2.0 adding Linux support, means that the obstacles to running Linux desktop applications in mainstream business environments are falling away.

More:
AWS adds Linux app streaming alongside Windows to 'greatly lower' cost - The Register