An anonymous reader quotes a report from Ars Technica: Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said. The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.

Because the update mechanisms didn't use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google's 8.8.8.8 or Cloudflare's 1.1.1.1 rather than the authoritative DNS server provided by the ISP. "That is the fun/scary part -- this was not the hack of the ISPs DNS servers," Volexity CEO Steven Adair wrote in an online interview. "This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Google's DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attacker's servers."

In other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results haven't been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections. As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices. As for the hacked ISP, the security firm said "it's not a huge one or one you'd likely know."

"In our case the incident is contained but we see other servers that are actively serving malicious updates but we do not know where they are being served from. We suspect there are other active attacks around the world we do not have purview into. This could be from an ISP compromise or a localized compromise to an organization such as on their firewall."

With Windows 10's end-of-life update coming next October, it appears that users are finally making the jump to its successor. As spotted by Neowin, Windows 11 crossed the 30% market share mark for the first time since its release. From the report: According to Statcounter's latest findings, last month, Windows 11 reached a new all-time high of 30.83%, gaining 1.08 points in just one month or 7.17 points year-over-year (it was at 23.66% in July 2023). Just as Windows 11 climbs, Windows 10 loses its market share. It is now below 65%, or 64.99%, to be precise, or -1.06 points in one month. Year-over-year change is 11.15 points (it was at 71.14% in July 2023). [...]

Other Windows versions, which are now long unsupported, still have a fair share of customers who refuse to jump-ship. Windows 7, for one, is the third most popular Windows with a 3.04% market share (+0.08 points). Windows 8.1 is fourth with 0.42% (+0.02 points), and Windows XP is fifth with 0.38% (-0.01 points).

An anonymous reader shared this report from BleepingComputer: A Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware. Also tracked as Evasive Panda, Daggerfly, and StormCloud, this cyber-espionage group has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.

On Friday, Volexity threat researchers revealed that the Chinese cyber-espionage gang had exploited insecure HTTP software update mechanisms that didn't validate digital signatures to deploy malware payloads on victims' Windows and macOS devices... To do that, the attackers intercepted and modified victims' DNS requests and poisoned them with malicious IP addresses. This delivered the malware to the targets' systems from StormBamboo's command-and-control servers without requiring user interaction.
Volexity's blog post says they observed StormBamboo "targeting multiple software vendors, who use insecure update workflows..." and then "notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped."

BleepingComputer notes that "âAfter compromising the target's systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data."

Microsoft is making Skype ad-free in an update that will rollout to users across all platforms soon. From a report: The update also includes improved AI image creation tools on Skype for Windows and macOS, and the ability to sign in automatically on iOS if you're already signed into another Microsoft app. "Our latest update removes all ads from Skype channels and the entire Skype platform, ensuring a smoother, decluttered and more enjoyable user experience," says Skype product manager Irene Namuganyi. The removal of ads in Skype means you'll no longer see ads in the main chat interface, or in the channels section. Microsoft says it has listened to feedback around ads in Skype, and decided to "focus on your chats without any ad distractions, making your Skype experience cleaner and more user-friendly."

Microsoft has revealed that the global computer outage caused by a faulty CrowdStrike software update, which impacted numerous major corporations, affected far more devices than initially reported, with the tech giant stating that the previously announced figure of 8.5 million affected Windows machines represents only a "subset" of the total impact. Microsoft has refrained from providing a revised estimate of the full scope of the disruption.

The revelation comes as the technology sector continues to grapple with the fallout from the incident, which occurred 10 days ago and led to widespread disruptions across various industries, prompting Microsoft to face criticism despite the root cause being traced back to a third-party cybersecurity provider's error. Microsoft clarified that the initial 8.5 million figure was derived solely from devices with enabled crash reporting features, suggesting that the true extent of the outage could be substantially higher, given that many systems do not have this optional feature activated.

Further reading: Delta Seeks Damages From CrowdStrike, Microsoft After Outage.

Microsoft has intensified its push for OneDrive adoption in Windows 11, introducing a full-screen pop-up that prompts users to back up their files to the cloud service, according to a report from Windows Latest. The new promotional message, which appears after a recent Windows update, mirrors the out-of-box experience typically seen during initial system setup and highlights OneDrive's features, including file protection, collaboration capabilities, and automatic syncing.

An unexpected disapperance of saved passwords "impacted Chrome web browser users from all over the world," writes Forbes, "leaving them unable to find any passwords already saved using the Chrome password manager." Newly saved passwords were also rendered invisible to the affected users. Google, which has now fixed the issue, said that the problem was limited to the M127 version of Chrome Browser on the Windows platform.

The precise number of users to be hit by the Google password manager vanishing act is hard to pin down. However, working on the basis that there are more than 3 billion Chrome web browser users, with Windows users counting for the vast majority of these, it's possible to come up with an estimated number. Google said that 25% of the user base saw the configuration change rolled out, which, by my calculations, is around 750 million. Of these, around 2%, according to Google's estimation, were hit by the password manager issue. That means around 15 million users have seen their passwords vanish into thin air.

Google said that an interim workaround was provided at the time, which involved the particularly user-unfriendly process of launching the Chrome browser with a command line flag of " — enable-features=SkipUndecryptablePasswords." Thankfully, the full fix that has now been rolled out just requires users to restart their Chrome browser to take effect.

"As free software activists, we ought to take the opportunity to look at the situation and see how things could have gone differently," writes FSF campaigns manager Greg Farough: Let's be clear: in principle, there is nothing ethically wrong with automatic updates so long as the user has made an informed choice to receive them... Although we can understand how the situation developed, one wonders how wise it is for so many critical services around the world to hedge their bets on a single distribution of a single operating system made by a single stupefyingly predatory monopoly in Redmond, Washington. Instead, we can imagine a more horizontal structure, where this airline and this public library are using different versions of GNU/Linux, each with their own security teams and on different versions of the Linux(-libre) kernel...

As of our writing, we've been unable to ascertain just how much access to the Windows kernel source code Microsoft granted to CrowdStrike engineers. (For another thing, the root cause of the problem appears to have been an error in a configuration file.) But this being the free software movement, we could guarantee that all security engineers and all stakeholders could have equal access to the source code, proving the old adage that "with enough eyes, all bugs are shallow." There is no good reason to withhold code from the public, especially code so integral to the daily functioning of so many public institutions and businesses. In a cunning PR spin, it appears that Microsoft has started blaming the incident on third-party firms' access to kernel source and documentation. Translated out of Redmond-ese, the point they are trying to make amounts to "if only we'd been allowed to be more secretive, this wouldn't have happened...!"

We also need to see that calling for a diversity of providers of nonfree software that are mere front ends for "cloud" software doesn't solve the problem. Correcting it fully requires switching to free software that runs on the user's own computer.The Free Software Foundation is often accused of being utopian, but we are well aware that moving airlines, libraries, and every other institution affected by the CrowdStrike outage to free software is a tremendous undertaking. Given free software's distinct ethical advantage, not to mention the embarrassing damage control underway from both Microsoft and CrowdStrike, we think the move is a necessary one. The more public an institution, the more vitally it needs to be running free software.

For what it's worth, it's also vital to check the syntax of your configuration files. CrowdStrike engineers would do well to remember that one, next time.

Long-time Slashdot reader sandbagger writes: Have you ever wondered if it's true you can instantly get malware? In this video, a person connects an XP instance directly to the internet with no firewall to see just how fast it gets compromised by malware, rootkits, malicious services and new user accounts. The answer — fast!
Malwarebytes eventually finds eight different viruses/Trojan horses -- and a DNS changer. (One IP address leads back to the Russian federation.) Itâ(TM)s fun to watch -- within just a few hours a new Windows user has even added themself. And for good measure, he also opens up Internet Explorer...

âoeWindows XP -- very insecure,â they conclude at the end of the video. âoeVery easy for random software from the internet to get more privileges than you, and it is very hard to solve that.

âoeAlso, just out of curiosity I tried this on Windows 7. And even with all of the same settings, nothing happened. I let it run for 10 hours. So it seems like this may be a problem in historical Windows.â

Slashdot reader Seven Spirals brings news about the lossless compression algorithm LZ4: The already wonderful performance of the LZ4 compressor just got better with multi-threaded additions to it's codebase. In many cases, LZ4 can compress data faster than it can be written to disk giving this particular compressor some very special applications. The Linux kernel as well as filesystems like ZFS use LZ4 compression extensively. This makes LZ4 more comparable to the Zstd compression algorithm, which has had multi-threaded performance for a while, but cannot match the LZ4 compressor for speed, though it has some direct LZ4.
From Linuxiac.com: - On Windows 11, using an Intel 7840HS CPU, compression time has improved from 13.4 seconds to just 1.8 seconds — a 7.4 times speed increase.
- macOS users with the M1 Pro chip will see a reduction from 16.6 seconds to 2.55 seconds, a 6.5 times faster performance.
- For Linux users on an i7-9700k, the compression time has been reduced from 16.2 seconds to 3.05 seconds, achieving a 5.4 times speed boost...

The release supports lesser-known architectures such as LoongArch, RISC-V, and others, ensuring LZ4's portability across various platforms.

An anonymous reader quotes a report from The Register: Not long after Windows PCs and servers at the Australian limb of audit and tax advisory Grant Thornton started BSODing last Friday, senior systems engineer Rob Woltz remembered a small but important fact: When PCs boot, they consider barcode scanners no differently to keyboards. That knowledge nugget became important as the firm tried to figure out how to respond to the mess CrowdStrike created, which at Grant Thornton Australia threw hundreds of PCs and no fewer than 100 servers into the doomloop that CrowdStrike's shoddy testing software made possible. [...] The firm had the BitLocker keys for all its PCs, so Woltz and colleagues wrote a script that turned them into barcodes that were displayed on a locked-down management server's desktop. The script would be given a hostname and generate the necessary barcode and LAPS password to restore the machine.

Woltz went to an office supplies store and acquired an off-the-shelf barcode scanner for AU$55 ($36). At the point when rebooting PCs asked for a BitLocker key, pointing the scanner at the barcode on the server's screen made the machines treat the input exactly as if the key was being typed. That's a lot easier than typing it out every time, and the server's desktop could be accessed via a laptop for convenience. Woltz, Watson, and the team scaled the solution -- which meant buying more scanners at more office supplies stores around Australia. On Monday, remote staff were told to come to the office with their PCs and visit IT to connect to a barcode scanner. All PCs in the firm's Australian fleet were fixed by lunchtime -- taking only three to five minutes for each machine. Watson told us manually fixing servers needed about 20 minutes per machine.

Microsoft has started testing a new way to access your Android phone from directly within Windows 11's File Explorer. From a report: Windows Insiders are now able to test this new feature, which lets you wirelessly browse through folders and files on your Android phone. The integration in File Explorer means your Android device appears just like a regular USB device on the left-hand side, with the ability to copy or move files between a PC and Android phone, and rename or delete them. It's certainly a lot quicker than using the existing Phone Link app.

In the wake of a major incident that affected millions of Windows PCs, Microsoft is calling for significant changes to enhance the resilience of its operating system. John Cable, Microsoft's vice president of program management for Windows servicing and delivery, said there was a need for "end-to-end resilience" in a blog post, signaling a potential shift in Microsoft's approach to third-party access to the Windows kernel.

While not explicitly detailing planned improvements, Cable pointed to recent innovations like VBS enclaves and the Azure Attestation service as examples of security measures that don't rely on kernel access. This move towards a "Zero Trust" approach could have far-reaching implications for the cybersecurity industry and Windows users worldwide, as Microsoft seeks to balance system security with the needs of its partners in the broader security community.

The comment follows a Microsoft spokesman revealed last week that a 2009 European Commission agreement prevented the company from restricting third-party access to Windows' core functions.

A little-known spyware maker based in Minnesota has been hacked, TechCrunch reports, revealing thousands of devices around the world under its stealthy remote surveillance. From the report: A person with knowledge of the breach provided TechCrunch with a cache of files taken from the company's servers containing detailed device activity logs from the phones, tablets, and computers that Spytech monitors, with some of the files dated as recently as early June.

TechCrunch verified the data as authentic in part by analyzing some of the exfiltrated device activity logs that pertain to the company's chief executive, who installed the spyware on one of his own devices. The data shows that Spytech's spyware -- Realtime-Spy and SpyAgent, among others -- has been used to compromise more than 10,000 devices since the earliest-dated leaked records from 2013, including Android devices, Chromebooks, Macs, and Windows PCs worldwide. Spytech is the latest spyware maker in recent years to have itself been compromised, and the fourth spyware maker known to have been hacked this year alone, according to TechCrunch's running tally.

Researchers at Check Point have uncovered a clandestine network of approximately 3,000 "ghost" accounts on GitHub, manipulating the platform to promote malicious content. Since June 2023, a cybercriminal dubbed "Stargazer Goblin" has been exploiting GitHub's community features to boost malicious repositories, making them appear legitimate and popular.

Antonis Terefos, a malware reverse engineer at Check Point, discovered the network's activities, which include "starring," "forking," and "watching" malicious pages to increase their visibility and credibility. The network, named "Stargazers Ghost Network," primarily targets Windows users, offering downloads of seemingly legitimate software tools while spreading various types of ransomware and info-stealer malware.

In a response to the UK's Competition and Markets Authority's investigation into cloud services and licensing, Microsoft has defended its practices, asserting that its terms "do not meaningfully raise cloud rivals' costs." The Windows-maker emphasized Amazon's continued dominance in the UK hyperscale market and noted Google's quarter-on-quarter growth, while also highlighting the declining share of Windows Server relative to Linux in cloud operating systems and SQL Server's second-place position behind Oracle.

[...] The CMA's inquiry primarily focuses on the pricing disparity between using Microsoft products on Azure versus rival cloud platforms, with most surveyed customers perceiving Azure as the more cost-effective option for Microsoft software deployment. The Register adds: Microsoft's bullish take on this is that AWS and Google should be grateful that they even get to run its software. In its response, the company said: "This dispute on pricing terms only arises because Microsoft grants all rivals IP licenses in the first place to its software that is of most popularity for use in the cloud. It does this not because there is any legal obligation to share IP with closest rivals in cloud, but for commercial reasons."

According to the Washington Post (paywalled), the House Homeland Security Committee has called on the CrowdStrike CEO to testify over the major outage that brought flights, hospital procedures, and broadcasters to a halt on Friday. The outage was caused by a defective software update from the company that primarily affected computers runnings Windows, resulting in system crashes and "blue screen of death" errors. From the report: Republican leaders of the House Homeland Security Committee demanded that CrowdStrike CEO George Kurtz commit by Wednesday to appearing on Capitol Hill to explain how the outages occurred and what "mitigation steps" the company is taking to prevent future episodes. [...] Reps. Mark Green (R-Tenn.) and Andrew R. Garbarino (R-N.Y.), chairs of the Homeland Security Committee and its cybersecurity subcommittee, respectively, wrote in their letter that the outages "must serve as a broader warning about the national security risks associated with network dependency. Protecting our critical infrastructure requires us to learn from this incident and ensure that it does not happen again," the lawmakers wrote. CrowdStrike spokesperson Kirsten Speas said in an emailed statement Monday that the company is "actively in contact" with the relevant congressional committees and that "engagement timelines may be disclosed at Members' discretion," but declined to say whether Kurtz will testify.

The committee is one of several looking into the incident, with members of the House Oversight Committee and House Energy and Commerce Committee separately requesting briefings from CrowdStrike. But the effort by Homeland Security Committee leaders marks the first time the company is being publicly summoned to testify about its role in the disruptions. CrowdStrike has risen to prominence as a major security provider partly by identifying malicious online campaigns by foreign actors, but the outages have heightened concern in Washington that international adversaries could look to exploit future incidents. "Malicious cyber actors backed by nation-states, such as China and Russia, are watching our response to this incident closely," Green and Garbarino wrote. The outages, which disrupted agencies at the federal and state level, are also raising questions about how much businesses and government officials alike have come to rely on Microsoft products for their daily operations.

Azure used to be a cloud platform dedicated to Windows. Now, it's the most widely used operating system on Microsoft Azure. The New Stack's Joab Jackson writes: These days, Microsoft expends considerable effort that Linux runs as smoothly as possible on Azure, according to a talk given earlier this year at the Linux Foundation Open Source Summit given by two Microsoft Azure Linux Platforms Group program managers, Jack Aboutboul, and Krum Kashan. "Linux is the #1 operating system in Azure today," Aboutoul said. And all must be supported in a way that Microsoft users have come to expects. Hence, the need for the Microsoft's Linux Platforms Group, which provides support Linux to both the internal customers and to Azure customers. These days, the duo of engineers explained, Microsoft knows about as much as anyone about how to operate Linux at hyperscale. [...]

As of today, there are hundreds of Azure and Azure-based services running on Linux, including the Azure Kubernetes Service (AKS), OpenAI, HDInsight, and many of the other database services. "A lot of the infrastructure powering everything else is running on Linux," Aboutoul said. "They're different flavors of Linux running all over the place," Aboutoul said. To run these services, Microsoft maintains its own kernel, Azure Linux, and in 2023 the company released its own version of Linux, Azure Linux. But Azure Linux is just a small portion of all the other flavors of Linux running on Azure, all of which Microsoft must work with to support.

Overall, there are about 20,000 third-party Software as a Service (SaaS) packages in the Azure marketplace that rely on some Linux distribution. And when things go wrong, it is the Azure service engineers who get the help tickets. The company keeps a set of endorsed Linux distributions, which include Red Hat Enterprise Linux, Debian, Flatcar, Suse, Canonical, and Oracle Linux and CentOS (as managed by OpenLogic, not Red Hat). [...] Overall, the company gets about 1,000 images a month from these endorsed partners alone. Many of the distributions have multiple images (Suse has a regular one, and another one for high-performance computing, for instance).

An anonymous reader writes: Windows users are being notified that their systems aren't backed up with the built-in Windows backup solution. A corresponding message appears with the advice that it's best to make backups so that all data is stored "in case something happens to the PC." It almost reads like an indirect threat, but Microsoft is actually just pointing out the option to store file backups on its own OneDrive cloud service. And it's also advertising more storage space.

A Microsoft spokesman says that a 2009 European Commission agreement prevents the company from restricting third-party access to Windows' core functions, shedding light on factors contributing to Friday's widespread outage that affected millions of computers globally. The disruption, which caused the infamous "blue screen of death" on Windows machines across various industries, originated from a faulty update by cybersecurity firm CrowdStrike. The incident highlighted the vulnerability of Microsoft's open ecosystem, mandated by the EU agreement, which requires the tech giant to provide external security software developers the same level of system access as its own products. This policy stands in stark contrast to more closed systems like Apple's.