Microsoft forgot to renew the certificate for its Windows Insider subdomain

Supply chain attacks will get worse: Microsoft Security Response Center boss

Do you know all of your software dependencies? Spoiler alert: hardly anybody is on top of it

RSA Conference Major supply-chain attacks of recent years – we’re talking about SolarWinds, Kaseya and Log4j to name a few – are “just the tip of the iceberg at this point,” according to Aanchal Gupta, who leads Microsoft’s Security Response Center.

“All of those have been big,” she said, in an interview with The Register at RSA Conference. “But I feel they will continue and there will be more. And there’s a reason I think that.”

As the head of MSRC, Gupta has a unique vantage point. Her view spans all of Microsoft’s products and services, as well as visibility across industry partners’ software and tools plus customers’ environments including government agencies. 

Microsoft seizes 41 domains tied to ‘Iranian phishing ring’

Windows giant gets court order to take over dot-coms and more

Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

“Bohrium actors create fake social media profiles, often posing as recruiters,” said Amy Hogan-Burney, GM of Microsoft’s Digital Crimes Unit. “Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target’s computers with malware.”

GitHub drops Atom bomb: Open-source text editor mothballed by end of year

Embrace, extend technology into other products … and extinguish

On December 15, Microsoft’s GitHub plans to turn out the lights on Atom, its open-source text editor that has inspired and influenced widely used commercial apps, such as Microsoft Visual Studio Code, Slack, and GitHub Desktop.

The social code biz said it’s doing so to focus on cloud-based software.

“While that goal of growing the software creator community remains, we’ve decided to retire Atom in order to further our commitment to bringing fast and reliable software development to the cloud via Microsoft Visual Studio Code and GitHub Codespaces,” GitHub explained on Wednesday.

How to find NPM dependencies vulnerable to account hijacking

Security engineer outlines self-help strategy for keeping software supply chain safe

Following the recent disclosure of a technique for hijacking certain NPM packages, security engineer Danish Tariq has proposed a defensive strategy for those looking to assess whether their web apps include dependencies tied to subvertable email domains.

NPM, acquired by Microsoft’s GitHub in March 2020, operates the NPM Registry, an online repository of code libraries that web developers include in their applications. It currently hosts almost two million packages and serves more than 174 billion downloads per month.

The attack described earlier this month by security consultant Lance Vick involves identifying NPM packages managed by email accounts tied to expired domains. By registering the expired domain, the attacker then gains control of any email addresses associated with that domain.

World Economic Forum wants a global map of online crime

Will cyber crimes shrug off Atlas Initiative? Objectively, yes

RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals’ supply chain to develop better mitigation strategies and security controls for their customers. 

Microsoft brings tabs to File Explorer

New Insider build adds a few toys, but leaves Pro X users reaching for the power button

Microsoft has treated some of the courageous Dev Channel crew of Windows Insiders to the long-awaited tabbed File Explorer.

“We are beginning to roll this feature out, so it isn’t available to all Insiders in the Dev Channel just yet,” the software giant said.

The Register was one of the lucky ones and we have to commend Microsoft on the implementation (overdue as it is). The purpose of the functionality is to allow users to work on more than one location at a time in File Explorer via tabs in the title bar.

About half of popular websites tested found vulnerable to account pre-hijacking

In detail: Ocean’s Eleven-grade ruse in which victims’ profiles are rigged from the start

Two security researchers have identified five related techniques for hijacking internet accounts by preparing them to be commandeered in advance.

And they claim that when they analyzed 75 popular internet services, almost half were vulnerable to at least one of these techniques.

Avinash Sudhodanan, an independent security researcher, and Andrew Paverd, a senior researcher at Microsoft, describe their findings in a paper titled, “Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web.”

Next major update of Windows 11 prepares for launch

Microsoft’s flagship OS still leagues behind predecessor in terms of adoption

The next major version of Windows 11 is drawing near with the code hitting the Insider Release Preview Channel.

Build 22621, which has been floating around the Beta Channel since May 11, arrived last night.

Back in May, Microsoft noted that the disappearance of the watermark from the desktop “doesn’t mean we’re done.” However, its arrival in the Release Preview Channel means that, fixes aside, it is pretty much feature-complete and ready to roll.

DuckDuckGo tries to explain why its browsers won’t block some Microsoft web trackers

Meanwhile, Tails 5.0 users told to stop what they’re doing over Firefox flaw

DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

Security researcher Zach Edwards recently conducted an audit of DuckDuckGo’s mobile browsers and found that, contrary to expectations, they do not block Meta’s Workplace domain, for example, from sending information to Microsoft’s Bing and LinkedIn domains.

Specifically, DuckDuckGo’s software didn’t stop Microsoft’s trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google’s, are blocked.

Apple M1 chip contains hardware vulnerability that bypasses memory defense

MIT CSAIL boffins devise PACMAN attack to let existing exploits avoid pointer authentication

Apple’s M1 chip has been found to contain a hardware vulnerability that can be abused to disable one of its defense mechanisms against memory corruption exploits, giving such attacks a greater chance of success.

MIT CSAIL computer scientists on Friday said they have identified a way to bypass the M1 chip’s pointer authentication, a security mechanism that tries to prevent an attacker from modifying memory references without being detected.

In a paper titled “PACMAN: Attacking Arm Pointer Authentication with Speculative Execution,” Joseph Ravichandran, ​​Weon Taek Na, Jay Lang, and Mengjia Yan describe how they were able to use speculative execution – the way in which modern processors perform calculations before they may or may not be needed to accelerate execution – to discern the pointer authentication Code that allows pointer modification on a protected system.

Supply chain attacks will get worse: Microsoft Security Response Center boss

Do you know all of your software dependencies? Spoiler alert: hardly anybody is on top of it

RSA Conference Major supply-chain attacks of recent years – we’re talking about SolarWinds, Kaseya and Log4j to name a few – are “just the tip of the iceberg at this point,” according to Aanchal Gupta, who leads Microsoft’s Security Response Center.

“All of those have been big,” she said, in an interview with The Register at RSA Conference. “But I feel they will continue and there will be more. And there’s a reason I think that.”

As the head of MSRC, Gupta has a unique vantage point. Her view spans all of Microsoft’s products and services, as well as visibility across industry partners’ software and tools plus customers’ environments including government agencies. 

Microsoft seizes 41 domains tied to ‘Iranian phishing ring’

Windows giant gets court order to take over dot-coms and more

Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

“Bohrium actors create fake social media profiles, often posing as recruiters,” said Amy Hogan-Burney, GM of Microsoft’s Digital Crimes Unit. “Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target’s computers with malware.”

GitHub drops Atom bomb: Open-source text editor mothballed by end of year

Embrace, extend technology into other products … and extinguish

On December 15, Microsoft’s GitHub plans to turn out the lights on Atom, its open-source text editor that has inspired and influenced widely used commercial apps, such as Microsoft Visual Studio Code, Slack, and GitHub Desktop.

The social code biz said it’s doing so to focus on cloud-based software.

“While that goal of growing the software creator community remains, we’ve decided to retire Atom in order to further our commitment to bringing fast and reliable software development to the cloud via Microsoft Visual Studio Code and GitHub Codespaces,” GitHub explained on Wednesday.

How to find NPM dependencies vulnerable to account hijacking

Security engineer outlines self-help strategy for keeping software supply chain safe

Following the recent disclosure of a technique for hijacking certain NPM packages, security engineer Danish Tariq has proposed a defensive strategy for those looking to assess whether their web apps include dependencies tied to subvertable email domains.

NPM, acquired by Microsoft’s GitHub in March 2020, operates the NPM Registry, an online repository of code libraries that web developers include in their applications. It currently hosts almost two million packages and serves more than 174 billion downloads per month.

The attack described earlier this month by security consultant Lance Vick involves identifying NPM packages managed by email accounts tied to expired domains. By registering the expired domain, the attacker then gains control of any email addresses associated with that domain.

World Economic Forum wants a global map of online crime

Will cyber crimes shrug off Atlas Initiative? Objectively, yes

RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals’ supply chain to develop better mitigation strategies and security controls for their customers. 

Microsoft brings tabs to File Explorer

New Insider build adds a few toys, but leaves Pro X users reaching for the power button

Microsoft has treated some of the courageous Dev Channel crew of Windows Insiders to the long-awaited tabbed File Explorer.

“We are beginning to roll this feature out, so it isn’t available to all Insiders in the Dev Channel just yet,” the software giant said.

The Register was one of the lucky ones and we have to commend Microsoft on the implementation (overdue as it is). The purpose of the functionality is to allow users to work on more than one location at a time in File Explorer via tabs in the title bar.

About half of popular websites tested found vulnerable to account pre-hijacking

In detail: Ocean’s Eleven-grade ruse in which victims’ profiles are rigged from the start

Two security researchers have identified five related techniques for hijacking internet accounts by preparing them to be commandeered in advance.

And they claim that when they analyzed 75 popular internet services, almost half were vulnerable to at least one of these techniques.

Avinash Sudhodanan, an independent security researcher, and Andrew Paverd, a senior researcher at Microsoft, describe their findings in a paper titled, “Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web.”

Next major update of Windows 11 prepares for launch

Microsoft’s flagship OS still leagues behind predecessor in terms of adoption

The next major version of Windows 11 is drawing near with the code hitting the Insider Release Preview Channel.

Build 22621, which has been floating around the Beta Channel since May 11, arrived last night.

Back in May, Microsoft noted that the disappearance of the watermark from the desktop “doesn’t mean we’re done.” However, its arrival in the Release Preview Channel means that, fixes aside, it is pretty much feature-complete and ready to roll.

DuckDuckGo tries to explain why its browsers won’t block some Microsoft web trackers

Meanwhile, Tails 5.0 users told to stop what they’re doing over Firefox flaw

DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

Security researcher Zach Edwards recently conducted an audit of DuckDuckGo’s mobile browsers and found that, contrary to expectations, they do not block Meta’s Workplace domain, for example, from sending information to Microsoft’s Bing and LinkedIn domains.

Specifically, DuckDuckGo’s software didn’t stop Microsoft’s trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google’s, are blocked.

Apple M1 chip contains hardware vulnerability that bypasses memory defense

MIT CSAIL boffins devise PACMAN attack to let existing exploits avoid pointer authentication

Apple’s M1 chip has been found to contain a hardware vulnerability that can be abused to disable one of its defense mechanisms against memory corruption exploits, giving such attacks a greater chance of success.

MIT CSAIL computer scientists on Friday said they have identified a way to bypass the M1 chip’s pointer authentication, a security mechanism that tries to prevent an attacker from modifying memory references without being detected.

In a paper titled “PACMAN: Attacking Arm Pointer Authentication with Speculative Execution,” Joseph Ravichandran, ​​Weon Taek Na, Jay Lang, and Mengjia Yan describe how they were able to use speculative execution – the way in which modern processors perform calculations before they may or may not be needed to accelerate execution – to discern the pointer authentication Code that allows pointer modification on a protected system.

Supply chain attacks will get worse: Microsoft Security Response Center boss

Do you know all of your software dependencies? Spoiler alert: hardly anybody is on top of it

RSA Conference Major supply-chain attacks of recent years – we’re talking about SolarWinds, Kaseya and Log4j to name a few – are “just the tip of the iceberg at this point,” according to Aanchal Gupta, who leads Microsoft’s Security Response Center.

“All of those have been big,” she said, in an interview with The Register at RSA Conference. “But I feel they will continue and there will be more. And there’s a reason I think that.”

As the head of MSRC, Gupta has a unique vantage point. Her view spans all of Microsoft’s products and services, as well as visibility across industry partners’ software and tools plus customers’ environments including government agencies. 

Microsoft seizes 41 domains tied to ‘Iranian phishing ring’

Windows giant gets court order to take over dot-coms and more

Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

“Bohrium actors create fake social media profiles, often posing as recruiters,” said Amy Hogan-Burney, GM of Microsoft’s Digital Crimes Unit. “Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target’s computers with malware.”

GitHub drops Atom bomb: Open-source text editor mothballed by end of year

Embrace, extend technology into other products … and extinguish

On December 15, Microsoft’s GitHub plans to turn out the lights on Atom, its open-source text editor that has inspired and influenced widely used commercial apps, such as Microsoft Visual Studio Code, Slack, and GitHub Desktop.

The social code biz said it’s doing so to focus on cloud-based software.

“While that goal of growing the software creator community remains, we’ve decided to retire Atom in order to further our commitment to bringing fast and reliable software development to the cloud via Microsoft Visual Studio Code and GitHub Codespaces,” GitHub explained on Wednesday.

How to find NPM dependencies vulnerable to account hijacking

Security engineer outlines self-help strategy for keeping software supply chain safe

Following the recent disclosure of a technique for hijacking certain NPM packages, security engineer Danish Tariq has proposed a defensive strategy for those looking to assess whether their web apps include dependencies tied to subvertable email domains.

NPM, acquired by Microsoft’s GitHub in March 2020, operates the NPM Registry, an online repository of code libraries that web developers include in their applications. It currently hosts almost two million packages and serves more than 174 billion downloads per month.

The attack described earlier this month by security consultant Lance Vick involves identifying NPM packages managed by email accounts tied to expired domains. By registering the expired domain, the attacker then gains control of any email addresses associated with that domain.

World Economic Forum wants a global map of online crime

Will cyber crimes shrug off Atlas Initiative? Objectively, yes

RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals’ supply chain to develop better mitigation strategies and security controls for their customers. 

Microsoft brings tabs to File Explorer

New Insider build adds a few toys, but leaves Pro X users reaching for the power button

Microsoft has treated some of the courageous Dev Channel crew of Windows Insiders to the long-awaited tabbed File Explorer.

“We are beginning to roll this feature out, so it isn’t available to all Insiders in the Dev Channel just yet,” the software giant said.

The Register was one of the lucky ones and we have to commend Microsoft on the implementation (overdue as it is). The purpose of the functionality is to allow users to work on more than one location at a time in File Explorer via tabs in the title bar.

About half of popular websites tested found vulnerable to account pre-hijacking

In detail: Ocean’s Eleven-grade ruse in which victims’ profiles are rigged from the start

Two security researchers have identified five related techniques for hijacking internet accounts by preparing them to be commandeered in advance.

And they claim that when they analyzed 75 popular internet services, almost half were vulnerable to at least one of these techniques.

Avinash Sudhodanan, an independent security researcher, and Andrew Paverd, a senior researcher at Microsoft, describe their findings in a paper titled, “Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web.”

Next major update of Windows 11 prepares for launch

Microsoft’s flagship OS still leagues behind predecessor in terms of adoption

The next major version of Windows 11 is drawing near with the code hitting the Insider Release Preview Channel.

Build 22621, which has been floating around the Beta Channel since May 11, arrived last night.

Back in May, Microsoft noted that the disappearance of the watermark from the desktop “doesn’t mean we’re done.” However, its arrival in the Release Preview Channel means that, fixes aside, it is pretty much feature-complete and ready to roll.

DuckDuckGo tries to explain why its browsers won’t block some Microsoft web trackers

Meanwhile, Tails 5.0 users told to stop what they’re doing over Firefox flaw

DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

Security researcher Zach Edwards recently conducted an audit of DuckDuckGo’s mobile browsers and found that, contrary to expectations, they do not block Meta’s Workplace domain, for example, from sending information to Microsoft’s Bing and LinkedIn domains.

Specifically, DuckDuckGo’s software didn’t stop Microsoft’s trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google’s, are blocked.

Apple M1 chip contains hardware vulnerability that bypasses memory defense

MIT CSAIL boffins devise PACMAN attack to let existing exploits avoid pointer authentication

Apple’s M1 chip has been found to contain a hardware vulnerability that can be abused to disable one of its defense mechanisms against memory corruption exploits, giving such attacks a greater chance of success.

MIT CSAIL computer scientists on Friday said they have identified a way to bypass the M1 chip’s pointer authentication, a security mechanism that tries to prevent an attacker from modifying memory references without being detected.

In a paper titled “PACMAN: Attacking Arm Pointer Authentication with Speculative Execution,” Joseph Ravichandran, ​​Weon Taek Na, Jay Lang, and Mengjia Yan describe how they were able to use speculative execution – the way in which modern processors perform calculations before they may or may not be needed to accelerate execution – to discern the pointer authentication Code that allows pointer modification on a protected system.

Supply chain attacks will get worse: Microsoft Security Response Center boss

Do you know all of your software dependencies? Spoiler alert: hardly anybody is on top of it

RSA Conference Major supply-chain attacks of recent years – we’re talking about SolarWinds, Kaseya and Log4j to name a few – are “just the tip of the iceberg at this point,” according to Aanchal Gupta, who leads Microsoft’s Security Response Center.

“All of those have been big,” she said, in an interview with The Register at RSA Conference. “But I feel they will continue and there will be more. And there’s a reason I think that.”

As the head of MSRC, Gupta has a unique vantage point. Her view spans all of Microsoft’s products and services, as well as visibility across industry partners’ software and tools plus customers’ environments including government agencies. 

Microsoft seizes 41 domains tied to ‘Iranian phishing ring’

Windows giant gets court order to take over dot-coms and more

Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

“Bohrium actors create fake social media profiles, often posing as recruiters,” said Amy Hogan-Burney, GM of Microsoft’s Digital Crimes Unit. “Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target’s computers with malware.”

GitHub drops Atom bomb: Open-source text editor mothballed by end of year

Embrace, extend technology into other products … and extinguish

On December 15, Microsoft’s GitHub plans to turn out the lights on Atom, its open-source text editor that has inspired and influenced widely used commercial apps, such as Microsoft Visual Studio Code, Slack, and GitHub Desktop.

The social code biz said it’s doing so to focus on cloud-based software.

“While that goal of growing the software creator community remains, we’ve decided to retire Atom in order to further our commitment to bringing fast and reliable software development to the cloud via Microsoft Visual Studio Code and GitHub Codespaces,” GitHub explained on Wednesday.

How to find NPM dependencies vulnerable to account hijacking

Security engineer outlines self-help strategy for keeping software supply chain safe

Following the recent disclosure of a technique for hijacking certain NPM packages, security engineer Danish Tariq has proposed a defensive strategy for those looking to assess whether their web apps include dependencies tied to subvertable email domains.

NPM, acquired by Microsoft’s GitHub in March 2020, operates the NPM Registry, an online repository of code libraries that web developers include in their applications. It currently hosts almost two million packages and serves more than 174 billion downloads per month.

The attack described earlier this month by security consultant Lance Vick involves identifying NPM packages managed by email accounts tied to expired domains. By registering the expired domain, the attacker then gains control of any email addresses associated with that domain.

World Economic Forum wants a global map of online crime

Will cyber crimes shrug off Atlas Initiative? Objectively, yes

RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals’ supply chain to develop better mitigation strategies and security controls for their customers. 

Microsoft brings tabs to File Explorer

New Insider build adds a few toys, but leaves Pro X users reaching for the power button

Microsoft has treated some of the courageous Dev Channel crew of Windows Insiders to the long-awaited tabbed File Explorer.

“We are beginning to roll this feature out, so it isn’t available to all Insiders in the Dev Channel just yet,” the software giant said.

The Register was one of the lucky ones and we have to commend Microsoft on the implementation (overdue as it is). The purpose of the functionality is to allow users to work on more than one location at a time in File Explorer via tabs in the title bar.

About half of popular websites tested found vulnerable to account pre-hijacking

In detail: Ocean’s Eleven-grade ruse in which victims’ profiles are rigged from the start

Two security researchers have identified five related techniques for hijacking internet accounts by preparing them to be commandeered in advance.

And they claim that when they analyzed 75 popular internet services, almost half were vulnerable to at least one of these techniques.

Avinash Sudhodanan, an independent security researcher, and Andrew Paverd, a senior researcher at Microsoft, describe their findings in a paper titled, “Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web.”

Next major update of Windows 11 prepares for launch

Microsoft’s flagship OS still leagues behind predecessor in terms of adoption

The next major version of Windows 11 is drawing near with the code hitting the Insider Release Preview Channel.

Build 22621, which has been floating around the Beta Channel since May 11, arrived last night.

Back in May, Microsoft noted that the disappearance of the watermark from the desktop “doesn’t mean we’re done.” However, its arrival in the Release Preview Channel means that, fixes aside, it is pretty much feature-complete and ready to roll.

DuckDuckGo tries to explain why its browsers won’t block some Microsoft web trackers

Meanwhile, Tails 5.0 users told to stop what they’re doing over Firefox flaw

DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

Security researcher Zach Edwards recently conducted an audit of DuckDuckGo’s mobile browsers and found that, contrary to expectations, they do not block Meta’s Workplace domain, for example, from sending information to Microsoft’s Bing and LinkedIn domains.

Specifically, DuckDuckGo’s software didn’t stop Microsoft’s trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google’s, are blocked.

Apple M1 chip contains hardware vulnerability that bypasses memory defense

MIT CSAIL boffins devise PACMAN attack to let existing exploits avoid pointer authentication

Apple’s M1 chip has been found to contain a hardware vulnerability that can be abused to disable one of its defense mechanisms against memory corruption exploits, giving such attacks a greater chance of success.

MIT CSAIL computer scientists on Friday said they have identified a way to bypass the M1 chip’s pointer authentication, a security mechanism that tries to prevent an attacker from modifying memory references without being detected.

In a paper titled “PACMAN: Attacking Arm Pointer Authentication with Speculative Execution,” Joseph Ravichandran, ​​Weon Taek Na, Jay Lang, and Mengjia Yan describe how they were able to use speculative execution – the way in which modern processors perform calculations before they may or may not be needed to accelerate execution – to discern the pointer authentication Code that allows pointer modification on a protected system.