NSA shares tips on securing Windows devices with PowerShell

The National Security Agency (NSA) and partner cybersecurity agencies issued an advisory today recommending that system administrators use PowerShell to prevent and detect malicious activity on Windows machines, rather than removing it.

PowerShell is frequently used in cyberattacks, mostly in the post-exploitation stage, but the security capabilities built into Microsoft’s automation and configuration tool can also help defenders with forensics, improve incident response, and automate repetitive tasks.

The NSA and cyber security centres in the U.S. (CISA), New Zealand (NZ NCSC), and the U.K. (NCSC-UK) have created a set of recommendations for using PowerShell to mitigate cyber threats instead of removing or disabling it, which would lower defensive capabilities.

“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly. Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell”

Lower risk for abuse

Reducing the risk of threat actors abusing PowerShell requires leveraging capabilities in the framework such as PowerShell remoting, which does not expose plain-text credentials when executing commands remotely on Windows hosts.

Administrators should be aware that enabling PowerShell remoting on a host whose network profile is Private automatically adds a Windows Firewall rule that lets the remoting listener accept connections from any address.

Customizing Windows Firewall to allow connections only from trusted endpoints and networks helps reduce an attacker’s chance for successful lateral movement.

For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7, to add the convenience and security of public-key authentication:

  • remote connections don’t need HTTPS with SSL certificates
  • no need for Trusted Hosts, as required when remoting over WinRM outside a domain
  • secure remote management over SSH without a password for all commands and connections
  • PowerShell remoting between Windows and Linux hosts

Another recommendation is to restrict what PowerShell can do by using AppLocker or Windows Defender Application Control (WDAC) to force it into Constrained Language Mode (CLM), which denies operations (such as arbitrary .NET and COM calls) that fall outside the policy the administrator has defined.
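The firewall scoping and the CLM check described above, as an added PowerShell example that is not part of the advisory or the article. It assumes a management subnet of 10.10.0.0/24 plus a jump host at 10.10.1.5, and the display name “Windows Remote Management (HTTP-In)” that Enable-PSRemoting gives its rules on current Windows versions; run it in an elevated session on the managed host.

```powershell
# Added example (not from the NSA advisory): scope the WinRM firewall rules that
# Enable-PSRemoting creates to trusted management hosts, then confirm whether the
# WDAC/AppLocker policy actually put this session into Constrained Language Mode.
# The management addresses below are assumptions for illustration.
$trustedMgmt = @('10.10.0.0/24', '10.10.1.5')   # assumed jump-host subnet/addresses
$ruleName    = 'Windows Remote Management (HTTP-In)'

# Enable-PSRemoting adds rules that allow any remote address on the Domain and
# Private profiles; narrow them to the management hosts instead.
Enable-PSRemoting -Force
Get-NetFirewallRule -DisplayName $ruleName |
    Where-Object { $_.Profile -match 'Domain|Private' } |
    Set-NetFirewallRule -RemoteAddress $trustedMgmt

# The Public-profile rule should not be enabled at all.
Get-NetFirewallRule -DisplayName $ruleName |
    Where-Object { $_.Profile -match 'Public' } |
    Disable-NetFirewallRule

# Verify: list the remaining WinRM rules with their remote-address scope.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    '{0,-16} enabled={1,-5} remote={2}' -f $_.Profile, $_.Enabled, $addr
}

# CLM is enforced by the WDAC/AppLocker policy, not set here; this check tells
# you whether the current session actually received it.
$mode = $ExecutionContext.SessionState.LanguageMode
if ($mode -ne 'ConstrainedLanguage') {
    Write-Warning "Session language mode is '$mode'; no WDAC/AppLocker policy is enforcing CLM here"
}
```

Run the verification step again from a non-trusted address to confirm that the connection is refused; the language-mode check is worth adding to a login script so that a host whose policy silently stopped applying is noticed.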

“Proper configuration of WDAC or AppLocker on Windows 10+ helps to prevent a malicious actor from gaining full control over a PowerShell session and the host”

Detecting malicious PowerShell use

Recording PowerShell activity and monitoring the logs are two recommendations that could help administrators find signs of potential abuse.

The NSA and its partners propose turning on features like Deep Script Block Logging (DSBL), Module Logging, and Over-the-Shoulder transcription (OTS).

The first two build a comprehensive log record that can be searched for suspicious or malicious PowerShell activity, including hidden actions and the commands and scripts used in the process.

With OTS, administrators get records of every PowerShell input or output, which could help determine an attacker’s intentions in the environment.
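The three logging features above, turned on through the same policy registry keys that Group Policy writes, followed by a first-pass search of the resulting Script Block Logging events. This is an added example, not code from the advisory or the article; the transcript directory, the 24-hour window and the keyword list are assumptions, and the script must run elevated.

```powershell
# Added example (not from the NSA advisory): enable Deep Script Block Logging,
# Module Logging and Over-the-Shoulder transcription via the policy registry
# keys, then flag recent script blocks (event ID 4104) that carry common
# obfuscation or download markers. Paths and keywords are assumptions.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Deep Script Block Logging: logs the de-obfuscated block as it is executed (4104).
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module Logging for every module: pipeline execution details (4103).
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Over-the-Shoulder transcription: full input/output of each session written to a
# directory (assumed path; in production point this at a write-only share).
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts'

# Detection pass over the last 24 hours of 4104 events. Markers are an assumed
# starting list; tune them to what is normal in your environment.
$suspicious = 'FromBase64String', '-EncodedCommand', '-enc ', 'Invoke-Expression', 'IEX',
              'DownloadString', 'Net.WebClient', 'Add-MpPreference', '-ExecutionPolicy Bypass'
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
             StartTime = (Get-Date).AddHours(-24) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $text = [string]$_.Properties[2].Value        # ScriptBlockText is the third field of 4104
    $hits = $suspicious | Where-Object { $text -match [regex]::Escape($_) }
    if ($hits) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Markers = $hits -join ','
            Script  = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
} | Format-Table -AutoSize -Wrap
```

The registry values take effect for new PowerShell processes; existing sessions keep their old settings. Because 4104 records the block after de-obfuscation, a string-based search like this catches payloads that were Base64- or string-concatenation-obfuscated on the command line, which a 4688 command-line search alone would miss.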

Administrators can use the table in the advisory to check which security features the various PowerShell versions provide, and so enable better defenses in their environment:

Security features present in PowerShell versions (table)

The document the NSA released today states that “PowerShell is essential to secure the Windows operating system,” particularly the newer versions, which did away with previous limitations.

When properly configured and managed, PowerShell can be a reliable tool for system maintenance, forensics, automation, and security.

The full document, titled “Keeping PowerShell: Security Measures to Use and Embrace” is available here [PDF].

Source :
https://www.bleepingcomputer.com/news/security/nsa-shares-tips-on-securing-windows-devices-with-powershell/

Microsoft 365 credentials targeted in new fake voicemail campaign

A new phishing campaign has been targeting U.S. organizations in the military, security software, manufacturing supply chain, healthcare and pharmaceutical sectors to steal Microsoft Office 365 and Outlook credentials.

The operation is ongoing and the threat actor behind it uses fake voicemail notifications to lure victims into opening a malicious HTML attachment.

Campaign overview

According to researchers at cloud security company Zscaler, the recently discovered campaign shares tactics, techniques, and procedures (TTPs) with another operation analyzed in mid-2020.

The threat actors leverage email services in Japan to route their messages and spoof the sender’s address, making it look like the emails come from an address belonging to the targeted organization.

Email headers (Zscaler)

The email has an HTML attachment that uses a music note character in the naming to make it appear as if the file is a sound clip. In reality, the file contains obfuscated JavaScript code that takes the victim to a phishing site.

Message used in the phishing campaign (Zscaler)

The phishing URL is assembled from the targeted organization’s domain name, so that the site appears to be a legitimate subdomain of that organization.

Phishing domain naming scheme (Zscaler)

The redirection process first takes the victim to a CAPTCHA check, which is designed to evade anti-phishing tools and adds to the illusion of legitimacy for the victim.

Typical CAPTCHA step on phishing site (Zscaler)

The CAPTCHA check was also used in a 2020 campaign that Zscaler’s ThreatLabZ researchers analyzed, and it continues to be an effective middle step that increases the phishing success rate.

Once users pass this step, they are redirected to a genuine-looking phishing page that steals Microsoft Office 365 credentials.

The final destination of the redirections is a phishing page (Zscaler)

Those careful enough would notice that the domain of the login page doesn’t belong to Microsoft or their organization and is one of the following:

  • briccorp[.]com
  • bajafulfillrnent[.]com
  • bpirninerals[.]com
  • lovitafood-tw[.]com
  • dorrngroup[.]com
  • lacotechs[.]com
  • brenthavenhg[.]com
  • spasfetech[.]com
  • mordematx[.]com
  • antarnex[.]com

This is why, before submitting or even before starting to type a username and password, users should always confirm that they are on a real login portal and not a fake one.
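The check above, turned into something a help desk or a mail-gateway script can apply: classify a login URL by the host it actually sits on, not by whether the organization’s name appears somewhere in it. This is an added example, not code from the Zscaler report or the article; the organization domain and the trusted-suffix list are assumptions, and the look-alike hosts in the constructed sample input are taken from the list in the article.

```powershell
# Added example (not from the Zscaler report): decide whether a login-page URL is
# on a trusted host or on a look-alike that merely embeds the org's name as a
# subdomain label. Org domain and trusted suffixes are assumptions.
$orgDomain       = 'example.com'    # assumed target organisation
$trustedSuffixes = @('login.microsoftonline.com', 'login.live.com', $orgDomain)

function Test-LoginUrl {
    param([Parameter(Mandatory)][string]$Url)
    $uri      = [uri]$Url
    $hostName = $uri.Host.ToLowerInvariant()
    $orgLabel = $orgDomain.Split('.')[0]

    # Trusted only on an exact match or a true subdomain (dot boundary, not substring).
    $trusted = [bool]($trustedSuffixes |
        Where-Object { $hostName -eq $_ -or $hostName.EndsWith(".$_") })

    # Registered domain = last two labels; adequate for the .com hosts in this campaign.
    $labels    = $hostName.Split('.')
    $regDomain = if ($labels.Count -ge 2) { $labels[-2..-1] -join '.' } else { $hostName }

    [pscustomobject]@{
        Host       = $hostName
        RegDomain  = $regDomain
        Trusted    = $trusted
        OrgAsBait  = (-not $trusted) -and ($hostName -like "*$orgLabel*")  # org name used as a label
        RnForM     = [bool]($regDomain -match 'rn')   # "rn" reads as "m": bajafulfillrnent, dorrngroup
        Https      = $uri.Scheme -eq 'https'
    }
}

# Constructed sample input: a genuine portal, an org host, and look-alikes from the article.
$samples = @(
    'https://login.microsoftonline.com/common/oauth2/authorize',
    "https://mail.$($orgDomain)/owa",
    "https://$($orgDomain).briccorp.com/voicemail",
    "https://$($orgDomain).bajafulfillrnent.com/login",
    'http://dorrngroup.com/'
)
$samples | ForEach-Object { Test-LoginUrl -Url $_ } | Format-Table -AutoSize
```

The two-label registered-domain rule is deliberately simple; for hosts under country-code second-level domains (co.uk and the like) use a public-suffix list instead. The RnForM flag is a heuristic and will also fire on legitimate words containing “rn”, so treat it as a prompt for a closer look rather than a verdict.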

Recipients are typically already signed in to their account, so a request to sign in again just to listen to a voicemail should itself raise suspicion.

Voicemail-themed phishing using HTML attachments has been used since at least 2019, but it is still effective, especially with careless employees.

Source :
https://www.bleepingcomputer.com/news/security/microsoft-365-credentials-targeted-in-new-fake-voicemail-campaign/

Over a Dozen Flaws Found in Siemens’ Industrial Network Management System

Cybersecurity researchers have disclosed details about 15 security flaws in Siemens SINEC network management system (NMS), some of which could be chained by an attacker to achieve remote code execution on affected systems.

“The vulnerabilities, if exploited, pose a number of risks to Siemens devices on the network including denial-of-service attacks, credential leaks, and remote code execution in certain circumstances,” industrial security company Claroty said in a new report.

The shortcomings in question — tracked from CVE-2021-33722 through CVE-2021-33736 — were addressed by Siemens in version V1.0 SP2 Update 1 as part of patches shipped on October 12, 2021.

“The most severe could allow an authenticated remote attacker to execute arbitrary code on the system, with system privileges, under certain conditions,” Siemens noted in an advisory at the time.


Chief among the weaknesses is CVE-2021-33723 (CVSS score: 8.8), which allows for privilege escalation to an administrator account and could be combined with CVE-2021-33722 (CVSS score: 7.2), a path traversal flaw, to execute arbitrary code remotely.

Another notable flaw relates to a case of SQL injection (CVE-2021-33729, CVSS score: 8.8) that could be exploited by an authenticated attacker to execute arbitrary commands in the local database.

“SINEC is in a powerful central position within the network topology because it requires access to the credentials, cryptographic keys, and other secrets granting it administrator access in order to manage devices in the network,” Claroty’s Noam Moshe said.

“From an attacker’s perspective carrying out a living-off-the-land type of attack where legitimate credentials and network tools are abused to carry out malicious activity, access to, and control of, SINEC puts an attacker in prime position for: reconnaissance, lateral movement, and privilege escalation.”

Source :
https://thehackernews.com/2022/06/over-dozen-flaws-found-in-siemens.html

Hertzbleed Attack

Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.

Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.

Hertzbleed is a real, and practical, threat to the security of cryptographic software. We have demonstrated how a clever attacker can use a novel chosen-ciphertext attack against SIKE to perform full key extraction via remote timing, despite SIKE being implemented as “constant time”.

Research Paper

The Hertzbleed paper will appear in the 31st USENIX Security Symposium (Boston, 10–12 August 2022) with the following title:

  • Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86

You can download a preprint from here.

The paper is the result of a collaboration between the following researchers:

Questions and Answers

Am I affected by Hertzbleed?

Likely, yes.

Intel’s security advisory states that all Intel processors are affected. We experimentally confirmed that several Intel processors are affected, including desktop and laptop models from the 8th to the 11th generation Core microarchitecture.

AMD’s security advisory states that several of their desktop, mobile and server processors are affected. We experimentally confirmed that AMD Ryzen processors are affected, including desktop and laptop models from the Zen 2 and Zen 3 microarchitectures.

Other processor vendors (e.g., ARM) also implement frequency scaling in their products and were made aware of Hertzbleed. However, we have not confirmed if they are, or are not, affected by Hertzbleed.

What is the impact of Hertzbleed?

First, Hertzbleed shows that on modern x86 CPUs, power side-channel attacks can be turned into (even remote!) timing attacks—lifting the need for any power measurement interface. The cause is that, under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second).

Second, Hertzbleed shows that, even when implemented correctly as constant time, cryptographic code can still leak via remote timing analysis. The result is that current industry guidelines for how to write constant-time code (such as Intel’s one) are insufficient to guarantee constant-time execution on modern processors.

Is there an assigned CVE for Hertzbleed?

Yes. Hertzbleed is tracked under CVE-2022-23823 and CVE-2022-24436 in the Common Vulnerabilities and Exposures (CVE) system.

Is Hertzbleed a bug?

No. The root cause of Hertzbleed is dynamic frequency scaling, a feature of modern processors, used to reduce power consumption (during low CPU loads) and to ensure that the system stays below power and thermal limits (during high CPU loads).

When did you disclose Hertzbleed?

We disclosed our findings, together with proof-of-concept code, to Intel, Cloudflare and Microsoft in Q3 2021 and to AMD in Q1 2022. Intel originally requested our findings be held under embargo until May 10, 2022. Later, Intel requested a significant extension of that embargo, and we coordinated with them on publicly disclosing our findings on June 14, 2022.

Do Intel and AMD plan to release microcode patches to mitigate Hertzbleed?

No. To our knowledge, Intel and AMD do not plan to deploy any microcode patches to mitigate Hertzbleed. However, Intel provides guidance to mitigate Hertzbleed in software. Cryptographic developers may choose to follow Intel’s guidance to harden their libraries and applications against Hertzbleed. For more information, we refer to the official security advisories (Intel and AMD).

Why did Intel ask for a long embargo, considering they are not deploying patches?

Ask Intel.

Is there a workaround?

Technically, yes. However, it has a significant system-wide performance impact.

In most cases, a workload-independent workaround to mitigate Hertzbleed is to disable frequency boost. Intel calls this feature “Turbo Boost”, and AMD calls it “Turbo Core” or “Precision Boost”. Disabling frequency boost can be done either through the BIOS or at runtime via the frequency scaling driver. In our experiments, when frequency boost was disabled, the frequency stayed fixed at the base frequency during workload execution, preventing leakage via Hertzbleed. However, this is not a recommended mitigation strategy as it will significantly impact performance. Moreover, on some custom system configurations (with reduced power limits), data-dependent frequency updates may occur even when frequency boost is disabled.
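The same workaround applied on Windows, where frequency boost is a power-plan setting rather than a BIOS toggle or a Linux cpufreq knob. This is an added example, not code from hertzbleed.com (whose experiments were run on Linux); PERFBOOSTMODE is the powercfg alias for “Processor performance boost mode”, and setting it on both the AC and DC indexes of the active plan is an assumption about what your environment needs. As the page says, expect a noticeable performance cost.

```powershell
# Added example (not from hertzbleed.com): disable or re-enable processor
# frequency boost through the active Windows power plan and read the setting
# back. Run elevated. Index 0 = Disabled, 1 = Enabled for PERFBOOSTMODE.
function Set-ProcessorBoost {
    param([Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled')][string]$State)
    $index = if ($State -eq 'Disabled') { 0 } else { 1 }
    powercfg /setacvalueindex SCHEME_CURRENT SUB_PROCESSOR PERFBOOSTMODE $index | Out-Null
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_PROCESSOR PERFBOOSTMODE $index | Out-Null
    powercfg /setactive SCHEME_CURRENT | Out-Null   # re-apply the plan so the change takes effect
}

function Get-ProcessorBoost {
    # powercfg prints lines such as "Current AC Power Setting Index: 0x00000000"
    $out = powercfg /query SCHEME_CURRENT SUB_PROCESSOR PERFBOOSTMODE
    $ac  = ($out | Select-String 'Current AC Power Setting Index:\s+0x([0-9A-Fa-f]+)').Matches[0].Groups[1].Value
    $dc  = ($out | Select-String 'Current DC Power Setting Index:\s+0x([0-9A-Fa-f]+)').Matches[0].Groups[1].Value
    [pscustomobject]@{
        ACBoostIndex = [Convert]::ToInt32($ac, 16)
        DCBoostIndex = [Convert]::ToInt32($dc, 16)
    }
}

Set-ProcessorBoost -State Disabled
Get-ProcessorBoost
```

Note the caveat on the page: on systems running with reduced power limits, the CPU can still make data-dependent frequency adjustments below base frequency, so this setting removes the leakage channel only when the clock really stays pinned at base.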

What is SIKE?

SIKE (Supersingular Isogeny Key Encapsulation) is a decade-old, widely studied key encapsulation mechanism. It is currently a finalist in NIST’s Post-Quantum Cryptography competition. It has multiple industrial implementations and was the subject of an in-the-wild deployment experiment. Among its claimed advantages is a “well-understood” side channel posture. You can find author names, implementations, talks, studies, articles, security analyses and more about SIKE on its official website.

What is a key encapsulation mechanism?

A key encapsulation mechanism is a protocol used to securely exchange a symmetric key using asymmetric (public-key) cryptography.

How did Cloudflare and Microsoft mitigate the attack on SIKE?

Both Cloudflare and Microsoft deployed the mitigation suggested by De Feo et al. (who, while our paper was under the long Intel embargo, independently re-discovered how to exploit anomalous 0s in SIKE for power side channels). The mitigation consists of validating, before decapsulation, that the ciphertext consists of a pair of linearly independent points of the correct order. The mitigation adds a decapsulation performance overhead of 5% for CIRCL and of 11% for PQCrypto-SIDH.

Is my constant-time cryptographic library affected?

Affected? Likely yes. Vulnerable? Maybe.

Your constant-time cryptographic library might be vulnerable if it is susceptible to secret-dependent power leakage, and this leakage extends to enough operations to induce secret-dependent changes in CPU frequency. Future work is needed to systematically study which cryptosystems can be exploited via the new Hertzbleed side channel.

Yes. The Hertzbleed logo is free to use under a CC0 license.

  • Download logo: SVG, PNG
  • Download logo with text: SVG, PNG

We know some of you don’t really like vulnerability logos, and we hear you. However, we really like our logo (and hope you do too!).

Did you release the source code of the Hertzbleed attack?

Yes, for full reproducibility. You can find the source code of all the experiments from our paper at the link: https://github.com/FPSG-UIUC/hertzbleed

source :
https://www.hertzbleed.com/

Windows 10 KB5014023 update fixes slow copying, app crashes

Microsoft has released optional cumulative update previews for Windows 10 versions 20H2, 21H1, and 21H2, fixing slow file copying and applications crashing due to Direct3D issues.

Today’s KB5014023 update is part of Microsoft’s scheduled May 2022 monthly “C” updates, which allow Windows customers to test bug fixes and performance improvements before their general release on June 15 during Patch Tuesday.

Unlike regular Patch Tuesday cumulative updates, these scheduled non-security preview updates are optional.

To install KB5014023, you have to go to Settings > Windows Update and manually ‘Check for updates.’ Because they’re optional updates, Windows will not install them until you click the ‘Download now’ button.

You can also manually download and install the KB5014023 cumulative update preview from the Microsoft Update Catalog.

Fixes app crashes, file copying, memory leak issues

Today’s optional update fixes several issues that might trigger various problems or cause some Windows applications to crash.

This cumulative update fixes a known issue affecting specific GPUs that could “cause apps to close unexpectedly or cause intermittent issues that affect some apps that use Direct3D 9.”

Microsoft also fixed an issue that might cause file copying to be slower, and another that prevented BitLocker from encrypting when using the silent encryption option.

KB5014023 also addresses a known issue affecting Windows systems in use 24/7: a memory leak that caused the deduplication driver to deplete all physical memory and the machine to stop responding.

Last but not least, after applying today’s preview update, Windows systems will no longer stop responding when users sign out when Microsoft OneDrive is in use.

What’s new in today’s Windows update preview

After installing the KB5014023 non-security cumulative update preview, Windows 10 21H2 will have the build number changed to 19044.1741.

The Windows 10 update preview includes a lot more quality improvements and fixes, including:

  • Addresses an issue that causes a yellow exclamation point to display in Device Manager. This occurs when a Bluetooth remote device advertises the Advanced Audio Distribution Profile (A2DP) source (SRC).
  • Addresses a rare issue that prevents Microsoft Excel or Microsoft Outlook from opening.
  • Addresses a known issue that might prevent recovery discs (CD or DVD) from starting if you created them using the Backup and Restore (Windows 7) app in Control Panel. This issue occurs after installing Windows updates released January 11, 2022 or later.

Source :
https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5014023-update-fixes-slow-copying-app-crashes/

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 for a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Workarounds

To disable the MSDT URL Protocol

Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable it:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround

  1. Run Command Prompt as Administrator.
  2. To restore the registry key, execute the command “reg import filename” 
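The apply and undo procedures above as one PowerShell script, with the check a practitioner wants before deleting a registry key: refuse to delete unless the backup was actually written. This is an added example, not code from the MSRC guidance; the backup path is an assumption, and the script must run elevated.

```powershell
# Added example (not from the MSRC guidance): apply and undo the ms-msdt URL
# protocol workaround with a backup-before-delete check, plus a query that shows
# whether the handler is currently registered. Backup path is an assumption.
$backup = 'C:\Backup\ms-msdt.reg'
$key    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Disable-MsdtProtocol {
    if (-not (Test-Path $key)) { Write-Host 'ms-msdt handler already absent'; return }
    New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw "Backup to $backup failed; the key was NOT deleted"
    }
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed' }
}

function Restore-MsdtProtocol {
    if (-not (Test-Path $backup)) { throw "No backup found at $backup" }
    & reg.exe import $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed' }
}

function Get-MsdtProtocolState {
    # The default value of shell\open\command is what a ms-msdt: link would launch.
    $cmdKey = "$key\shell\open\command"
    if (Test-Path $cmdKey) {
        [pscustomobject]@{ Registered = $true;  Handler = (Get-ItemProperty $cmdKey).'(default)' }
    } else {
        [pscustomobject]@{ Registered = $false; Handler = $null }
    }
}

Disable-MsdtProtocol
Get-MsdtProtocolState        # Registered should now be False
```

Keep the .reg backup somewhere that survives the host (a management share or your configuration repository), since it is the only thing Restore-MsdtProtocol relies on once Microsoft ships a fix and the handler is wanted back.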

Microsoft Defender Detections & Protections

Customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

Customers of Microsoft Defender for Endpoint can enable attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see Attack surface reduction rules overview.
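The two Defender settings recommended above, applied and verified from PowerShell, together with a check that the engine has reached the signature build the guidance names. This is an added example, not code from the MSRC guidance; it requires Microsoft Defender Antivirus and an elevated session. The GUID is Microsoft’s published identifier for the “Block all Office applications from creating child processes” attack surface reduction rule (the rule the guidance calls BlockOfficeCreateProcessRule).

```powershell
# Added example (not from the MSRC guidance): enable cloud-delivered protection,
# automatic sample submission and the Office child-process ASR rule, then verify
# the rule state and the signature version. Run elevated.
$asrOfficeChildProc = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Block Office apps from creating child processes
$requiredSig        = [version]'1.367.719.0'                   # build that carries the Mesdetty detections

# Cloud-delivered protection (MAPS) and automatic sample submission.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

# Put the ASR rule in block mode. Use -AttackSurfaceReductionRules_Actions AuditMode
# first if you need to measure the impact on line-of-business Office add-ins.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProc `
                 -AttackSurfaceReductionRules_Actions Enabled

function Get-FollinaMitigationState {
    $pref  = Get-MpPreference
    $state = 'not set'
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $asrOfficeChildProc) {
            $state = $pref.AttackSurfaceReductionRules_Actions[$i]   # 1 = Block, 2 = Audit, 0 = Off
        }
    }
    $sig = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    [pscustomobject]@{
        MAPSReporting        = $pref.MAPSReporting
        SubmitSamplesConsent = $pref.SubmitSamplesConsent
        OfficeChildProcRule  = $state
        SignatureVersion     = $sig
        SignatureCurrent     = ($sig -ge $requiredSig)
    }
}

$result = Get-FollinaMitigationState
if (-not $result.SignatureCurrent) {
    Write-Warning "Signature $($result.SignatureVersion) is older than $requiredSig; run Update-MpSignature"
}
$result
```

The ASR rule is the control that stops the exploit chain described in this guidance even on a host that has not yet received the signature update, because it blocks Word from spawning msdt.exe in the first place.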

Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:

  • Trojan:Win32/Mesdetty.A  (blocks msdt command line)
  • Trojan:Win32/Mesdetty.B  (blocks msdt command line)
  • Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)

Microsoft Defender for Endpoint provides customers with detections and alerts. The following alert titles in the Microsoft 365 Defender portal can indicate threat activity on your network:

  • Suspicious behavior by an Office application
  • Suspicious behavior by Msdt.exe

FAQ

Q: Do Protected View and Application Guard for Office provide protection from this vulnerability?

A: If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.

We will update CVE-2022-30190 with further information.

The MSRC Team

Source :
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Expansion of FIDO standard and new updates for Microsoft passwordless solutions

Howdy folks, 

Happy World Password Day! Today, I’m super excited to share some great news with you: Together with the FIDO Alliance and other major platforms, Microsoft has announced support for the expansion of a common passwordless standard created by the FIDO Alliance and the World Wide Web Consortium (W3C). These multi-device FIDO credentials, sometimes referred to as passkeys, represent a monumental step toward a world without passwords. We also have some great updates coming to our passwordless solutions in Azure Active Directory (Azure AD) and Windows that will expand passwordless to more use cases. 

Passwords have never been less adequate for protecting our digital lives. As Vasu Jakkal reported earlier today, there are over 921 password attacks every second. Lots of attackers want your password and will keep trying to steal it from you. It’s better for everyone if we just cut off their supply. 

Replacing passwords with passkeys 

Passkeys are a safer, faster, easier replacement for your password. With passkeys, you can sign in to any supported website or application by simply verifying your face, fingerprint or using a device PIN. Passkeys are fast, phish-resistant, and will be supported across leading devices and platforms. Your biometric information never leaves the device and passkeys can even be synced across devices on the same platform – so you don’t need to enroll each device and you’re protected in case you upgrade or lose your device. You can use Windows Hello today to sign in to any site that supports passkeys, and in the near future, you’ll be able to sign in to your Microsoft account with a passkey from an Apple or Google device.  

We enthusiastically encourage website owners and app developers to join Microsoft, Apple, Google, and the FIDO Alliance to support passkeys and help realize our vision of a truly passwordless world.  


Going passwordless 

We’re proud to have been one of the earliest supporters of the FIDO standards, including FIDO2 certification for Windows Hello. We’re thrilled to evolve the FIDO standards ecosystem to support passkeys and that passwordless authentication continues to gain momentum. 

Since we started introducing passwordless sign-in nearly 5 years ago, the number of people across Microsoft services signing in each month without using their password has reached more than 240 million. And in the last six months, over 330,000 people have taken the next step of removing the password from their Microsoft Account. After all, you’re completely safe from password-based attacks if you don’t have one. 

Today, we’re also announcing new capabilities that will make it easier for enterprises to go completely passwordless: 

Passwordless for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure 

Now that remote or hybrid work is the new norm, lots more people are using a remote or virtualized desktop to get their work done. And now, we’ve added passwordless support for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure. This is currently in preview with Windows 11 Insiders, and is on the way for Windows 10 as well.  

Windows Hello for Business Cloud Trust  

Windows Hello for Business Cloud Trust simplifies the deployment experience of Windows Hello for hybrid environments. This new deployment model removes previous requirements for public key infrastructure (PKI) and syncing public keys between Azure AD and on-premises domain controllers. This improvement eliminates delays between users provisioning Windows Hello for Business and being able to authenticate and makes it easier than ever to use Windows Hello for Business for accessing on-premises resources and applications. Cloud Trust is now available in preview for Windows 10 21H2 and Windows 11 21H2. 

Multiple passwordless accounts in Microsoft Authenticator 

When we first introduced passwordless sign-in for Azure AD (work or school accounts), Microsoft Authenticator could only support one passwordless account at a time. Now that limitation has been removed and you can have as many as you want. iOS users will start to see this capability later this month and the feature will be available on Android afterwards.  

Passwordless phone sign in experience in Microsoft Authenticator for Azure AD accounts.

Temporary Access Pass in Azure AD 

Temporary Access Pass in Azure AD, a time-limited passcode, has been a huge hit with enterprises since the public preview, and we’ve been adding more ways to use it as we prepare to release the feature this summer. Lots of customers have told us they want to distribute Temporary Access Passes instead of passwords for setting up new Windows devices. You’ll be able to use a Temporary Access Pass to sign in for the first time, to configure Windows Hello, and to join a device to Azure AD. This update will be available next month. 

End user experience for Temporary Access Pass in Windows 11 onboarding.

Customers implementing passwordless today 

We already have several great examples of large Microsoft customers implementing passwordless solutions, including Avanade, who went passwordless with help from Feitian to protect their clients’ data against security breaches. Amedisys, a home healthcare and hospice care provider, went passwordless to keep patient personal information secured. Both organizations are committed to using passwordless authentication not only to strengthen security, but also to make the sign-in experience easier for end users. 

We’d love to hear your feedback, so please leave a comment, check out the documentation, and visit aka.ms/gopasswordless for more information. 

Best regards,  

Alex Simons (Twitter: @Alex_A_Simons)

Corporate Vice President of Program Management 

Microsoft Identity Division 

Source :
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633

Microsoft Edge really wants to import your data from Google Chrome more often

Microsoft has been quite aggressive in its moves to get people away from Google Chrome and over to its revamped Edge browser. In its latest move, Microsoft Edge is adding a feature that imports data from Google Chrome constantly.

As highlighted by the folks over at Windows Latest, Microsoft Edge has an option to automatically import data from another browser, specifically Google Chrome. The previous “import browser data” page in Edge’s Settings menu used to simply offer a one-time import option for your data, syncing over bookmarks, passwords, your browsing history, and more. Clicking the option to import browser data would simply open a menu for a one-time import from any other browser on your computer.

But now, Microsoft has been allowing users to import browser data from Google Chrome on every launch. From what we can tell, the feature has been available in some capacity for at least a few months, but went largely under the radar until now, even as it’s live on Edge 101. It seems that new updates may be putting more emphasis on the feature. u/Leopeva64 notes that Edge 104, now in the Canary channel, redesigns the import page with a new look for this tool that puts much more emphasis on this setting.

Edge 104 import page

Chrome is, notably, the only option for this automatic import setting, with Mozilla Firefox not showing up as an option as it does on the manual import option. Microsoft explains the feature:

Import browser data on each launch

Always have access to your recent browsing data each time you browse on Microsoft Edge

Importing data from another browser on your computer isn’t a new idea, and it’s certainly something Edge is more than happy to do. This latest change will simply do that automatically, in what’s clearly a move to make it easier for Google Chrome users to use Edge more often.

There are also a couple of new options for this. Microsoft Edge can import data from Chrome as usual, with bookmarks (though not automatically, right now), saved passwords, browsing history, settings, personal information, and payment details. But now, Edge can also pull open tabs and extensions over from Chrome. This would effectively mean that Edge can pick up where Chrome left off. Extensions, though, are also not available automatically at this point.

Windows Latest notes that imported tabs are marked as such, and Microsoft mentions on a support page that it can import up to 50 tabs at once. Microsoft has yet to update that same page with this automatic import option.

9to5Google’s Take

Being able to use Microsoft Edge as a mirror of Google Chrome is a pretty great idea, admittedly. The idea of being able to use Chrome with a specific set of extensions, settings, and more while essentially having a backup of that data in Edge is nice. It removes a barrier from switching between the two.

However, it still feels like Microsoft is trying too hard – again. Edge is a great browser on its own, and tools like this are indeed very helpful. But is this targeted behavior really necessary? At a technical level, this might only be possible with Chrome, but it’s surely no coincidence that Microsoft is clearly marking the feature as something you can do only with Chrome. It wouldn’t be surprising if, in the future, Microsoft turned on this feature by default either during or after setup.

Source :
https://9to5google.com/2022/05/30/microsoft-edge-google-chrome-data/

Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild

Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.

The vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (“05-2022-0438.doc“) that was uploaded to VirusTotal from an IP address in Belarus.

“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” the researchers noted in a series of tweets last week.

According to security researcher Kevin Beaumont, who dubbed the flaw “Follina,” the maldoc leverages Word’s remote template feature to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload.

The shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian province of Treviso.

MSDT is short for Microsoft Support Diagnostics Tool, a utility that’s used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.

“There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,” Beaumont explained.

“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” the researcher added.

In a standalone analysis, cybersecurity company Huntress Labs detailed the attack flow, noting the HTML file (“RDF842l.html”) that triggers the exploit originated from a now-unreachable domain named “xmlformats[.]com.”

“A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer,” Huntress Labs’ John Hammond said. “Much like CVE-2021-40444, this extends the severity of this threat by not just ‘single-click’ to exploit, but potentially with a ‘zero-click’ trigger.”
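The chain the researchers describe has two static indicators a defender can check for before a document is ever opened: an attached template whose target lies outside the package (the remote template feature), and the ms-msdt: scheme in whatever that template points at. The PowerShell below is an added example, not code from the article or from the researchers it quotes. It builds a minimal, constructed .docx in the temp directory so it runs offline; the template URL, the HTML snippet and the diagnostic id "EXAMPLE" are placeholders, and the real payload is deliberately not reproduced.

```powershell
# Added example (not from the article or the researchers quoted in it).
# Flags a .docx that shows the chain described above: an external (remote)
# attached template, and an ms-msdt: URI in the HTML the template points at.
# The sample package and HTML are constructed here so the script runs
# offline; the URL, file name and diagnostic id are placeholders.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-DocxExternalTemplate {
    # Returns the Target of each attachedTemplate relationship in
    # word/_rels/settings.xml.rels that points outside the package
    # (TargetMode="External"). Word resolves that target when the document
    # opens, which is how the maldoc fetches its HTML.
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('word/_rels/settings.xml.rels')
        if (-not $entry) { return }
        $reader = [System.IO.StreamReader]::new($entry.Open())
        try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
        foreach ($rel in @($rels.Relationships.Relationship)) {
            if ($rel.TargetMode -eq 'External' -and $rel.Type -like '*/attachedTemplate') {
                $rel.Target
            }
        }
    } finally {
        $zip.Dispose()
    }
}

function Test-MsdtUri {
    # True if the text references the ms-msdt: scheme in any form
    # ("ms-msdt:/...", "ms-msdt://..."), regardless of case.
    param([Parameter(Mandatory)][string]$Content)
    [regex]::IsMatch($Content, 'ms-msdt:(//)?', 'IgnoreCase')
}

# --- Constructed sample: a minimal .docx whose settings.xml.rels declares a
# remote template. Real documents carry many more parts; only this one matters here.
$relsXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://example.invalid/template.html" TargetMode="External"/>
</Relationships>
'@
$docx = Join-Path ([System.IO.Path]::GetTempPath()) 'remote-template-sample.docx'
$stream = [System.IO.File]::Open($docx, [System.IO.FileMode]::Create)
$archive = [System.IO.Compression.ZipArchive]::new($stream, [System.IO.Compression.ZipArchiveMode]::Create)
$writer = [System.IO.StreamWriter]::new($archive.CreateEntry('word/_rels/settings.xml.rels').Open())
$writer.Write($relsXml)
$writer.Dispose()
$archive.Dispose()
$stream.Dispose()

# Constructed stand-in for the fetched HTML (placeholder id, not the real payload).
$fetchedHtml = '<html><script>window.location.href = "ms-msdt:/id EXAMPLE";</script></html>'

$templates = @(Get-DocxExternalTemplate -Path $docx)
foreach ($t in $templates) {
    "External attached template: $t"
    if ($t -match '^https?://') { "  -> template is fetched over HTTP; review the remote content" }
}
"Fetched HTML references ms-msdt: $(Test-MsdtUri -Content $fetchedHtml)"
Remove-Item -Path $docx -Force
```

An external attached template is legitimate in some environments (corporate templates on a file share), so treat the first indicator as a triage signal and the ms-msdt: match as the one that warrants blocking; the RTF variant described in the next paragraph is not a zip package, so this check does not cover it.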

Multiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.

What’s more, Richard Warren of NCC Group managed to demonstrate an exploit on Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with the preview pane enabled.

“Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking,” Beaumont said. We have reached out to Microsoft for comment, and we’ll update the story once we hear back.

Source :
https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html

Best Active Directory Management Tools

IT teams rely on Active Directory (AD) to keep networks secure and maintain user accounts — but they often need to adhere to strict budget limitations when it comes to selecting software to help. That’s why we’ve put together this list of the top free Active Directory management tools.

Our picks focus on AD tools that will help you complete routine AD management tasks much faster so your team has time to focus on other priorities. We’ve grouped these free Active Directory tools into three categories:

Active Directory Reporting, Monitoring and Auditing Tools

Microsoft Active Directory Explorer

Microsoft Active Directory Explorer is an advanced administration tool that makes it easy to search for, view and edit extended information about AD objects. It is similar to AD Users and Computers but has at least one key additional benefit — it allows you to view object properties and attributes without opening additional dialog boxes.

AD Explorer also enables you to save snapshots of an AD database for offline viewing and database version comparisons. When you load a saved snapshot, you can work with it as you would use a live database.

Other features include:

  • Defining favorite locations
  • Editing permissions
  • Viewing an object’s schema
  • Executing sophisticated searches that you can save and re-execute

Netwrix Auditor for Active Directory

Netwrix Auditor for Active Directory (free community edition) gives you visibility into what’s happening inside domains while eliminating the time-consuming tasks of analyzing endless native logs. Netwrix Auditor tracks logons and all changes to Active Directory users, groups, organizational units and Group Policy. It generates a daily activity summary that details all changes and logon activity that occurred during the previous 24 hours, including the before and after values for each modification.

Netwrix Account Lockout Examiner

Netwrix Account Lockout Examiner is well known as one of the best Active Directory tools for quickly resolving one of the most pressing issues with AD: account lockouts. It enables you to identify the root cause of lockouts in a single keystroke, slashing troubleshooting time by up to 90 percent. This lightweight and intuitive tool empowers you to investigate issues like why the same account repeatedly locks out without having to slog through a mountain of cryptic event logs — just enter the username and click a button.

Netwrix Effective Permissions Reporting Tool

Netwrix Effective Permissions Reporting Tool simplifies auditing of access permissions in Active Directory. You can view a user’s account group membership, the permissions the account has to every AD object and how those permissions are granted. It also shows file and folder effective permissions, so you can determine who has access to your data and how their access was gained. You can export this information to an HTML file.

Netwrix Bulk Password Reset

Netwrix Bulk Password Reset enables you to reset local admin and user passwords across multiple workstations at once, remotely, without actually logging into them. This functionality enhances Windows Server security.

Netwrix Inactive User Tracker

Netwrix Inactive User Tracker provides insight into stale Active Directory user accounts so you can disable or delete unneeded accounts before malicious actors can exploit them to gain access to resources and services on your network.

Netwrix Password Expiration Notifier

Netwrix Password Expiration Notifier automatically sends notifications about upcoming AD password expiration to users and their managers. This proactive approach enables you to remain in compliance with password security best practices without sacrificing user productivity or increasing helpdesk workload.

Cjwdev Active Directory Info

Cjwdev Active Directory Info is a free Active Directory reporting and analysis tool that enables you to review the configuration settings of AD objects. You can quickly generate CSV, HTML or TXT reports to gain insight into things like:

  • Locked accounts
  • Users who have never logged on
  • Users with the “password never expires” flag
  • Enabled and disabled users
  • Deleted groups
  • Computers deleted in the last 30 days
  • Group Policy objects modified in the last 30 days

Cjwdev Active Directory Permissions Reporter

Cjwdev Active Directory Permissions Reporter extracts all permissions for every object in your domain. Note that the free edition of Cjwdev AD Permissions Reporter does not support the command line and you cannot filter or export results.

ENow Compass

ENow Compass provides real-time network monitoring to help you identify issues that could evolve into bigger problems. ENow Compass is a powerful toolset, but the company does not offer a free version. Users can start with a 14-day free trial with registration.

MaxPowerSoft Active Directory Reports Lite

MaxPowerSoft Active Directory Reports Lite allows you to load up to 200 objects from Active Directory and generate auditing reports on users, groups, organizational units, computers and GPOs. The paid version grants access to more reports and many more features.

Active Directory FastReporter

Active Directory FastReporter generates a variety of predefined reports on your AD infrastructure. The free version doesn’t allow you to create custom reports, export reports or use automation features.

LDAPSoft Active Directory Browser

LDAPSoft Active Directory Browser simplifies SSL communication and streamlines the process of browsing your AD hierarchy. You can search for entries, view all available attributes and run SQL-LDAP statements.

Softerra Browser for LDAP

Softerra Browser for LDAP is a lightweight tool that allows you to view, browse, search and export information from LDAP. It is free to use for 30 days — you’ll need to register a paid account to use it past this point.

WiseSoft Password Control

WiseSoft Password Control can reset user passwords in bulk, which saves time and effort when managing service account passwords. It also includes the ability to make other bulk changes, such as enabling and disabling user accounts, group membership functions, descriptions and departments.

Active Directory Management Tools

Albus Bit Active Directory Administrator

Albus Bit Active Directory Administrator enables you to manage user and computer accounts across your Active Directory domain from a single interface. You can use the  built-in search templates or create your own, and use the results to disable inactive accounts, move accounts to different organizational units or remove users from groups.

CjWdev Active Directory Tidy

CjWdev Active Directory Tidy allows you to easily manage your AD accounts in bulk. For example, you can add multiple accounts to a specific security group, or set random passwords or a particular expiry date for a set of accounts.

The tool’s filtering functionality makes it easy to clean up your AD. For example, you can filter by last login date to find all inactive user and computer accounts to determine whether you should remove them from your domain. The paid version of this tool also enables you to export AD settings to XML.

Spiceworks People View

Spiceworks People View allows you to view and update AD user account properties, such as email, phone number, title and department. You can also add devices to user profiles to monitor installed software programs and update it when needed. You can also reset passwords and enable or disable user accounts. The tool also offers self-administered password and user profile management on a self-service web portal.

Spiceworks offers other useful tools. For example, Network Monitor performs real-time status monitoring of all your devices.

Microsoft AdRestore

Microsoft AdRestore is a single-task tool that enumerates all tombstoned objects in your AD domain and enables you to restore them individually as needed.

Windows PowerShell

Windows PowerShell, with the ActiveDirectory module that ships in the Remote Server Administration Tools (RSAT), is undoubtedly the most powerful Active Directory tool. However, it can be challenging to use because it lacks a graphical interface. To accomplish your tasks, you’ll need to use cmdlets and scripts like the following (run Import-Module ActiveDirectory first, and replace the placeholder names):

  • Disable a user account: Disable-ADAccount -Identity username
  • Enable a user account: Enable-ADAccount -Identity username
  • Unlock a user account: Unlock-ADAccount -Identity username
  • Delete a user account: Remove-ADUser -Identity username
  • Find all empty groups: Get-ADGroup -Filter * | Where-Object { -not ($_ | Get-ADGroupMember) } | Select-Object Name
  • Add a member to a group: Add-ADGroupMember -Identity "groupname" -Members username
  • Enumerate the members of a group: Get-ADGroupMember -Identity "groupname"
  • See what groups a user account is a member of: Get-ADUser -Identity username -Properties MemberOf | Select-Object -ExpandProperty MemberOf
  • Disable a computer account: Disable-ADAccount -Identity "computername$" (the sAMAccountName of a computer account ends in $)
  • List the operating systems in use: Get-ADComputer -Filter * -Properties OperatingSystem | Select-Object OperatingSystem -Unique | Sort-Object OperatingSystem
  • Create an organizational unit: New-ADOrganizationalUnit -Name OUname -Path "dc=domainname,dc=com"
  • Create a computer account: New-ADComputer -Name computername -Path "ou=OUname,dc=domainname,dc=com"
  • Create a user account: New-ADUser -Name username -Path "ou=OUname,dc=domainname,dc=com"
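The one-liners above cover single objects; the recurring job that several of the tools listed here sell (finding inactive accounts and cleaning them up) is a short script. The following is an added example, not from the Netwrix article: it reports enabled users with no logon in the last 90 days and stages their disablement with -WhatIf. It assumes the RSAT ActiveDirectory module on a domain-joined host; the OU path and the 90-day threshold are placeholders to adjust.

```powershell
# Added example, not from the article: find enabled user accounts with no
# logon in the last N days and stage their disablement. Assumes the RSAT
# ActiveDirectory module on a domain-joined host; the OU is a placeholder.
Import-Module ActiveDirectory

function Get-StaleADUser {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase    # e.g. 'OU=Staff,DC=example,DC=com'; omit for the whole domain
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'LastLogonDate', 'whenCreated', 'Description'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | Where-Object {
        # LastLogonDate is derived from lastLogonTimestamp, which replicates
        # with up to ~14 days of lag: fine for a 90-day threshold, wrong for
        # anything tighter. Accounts that never logged on count as stale once
        # they are older than the cutoff, which catches unused provisioned accounts.
        if ($_.LastLogonDate) { $_.LastLogonDate -lt $cutoff }
        else                  { $_.whenCreated   -lt $cutoff }
    } | Select-Object SamAccountName, LastLogonDate, whenCreated, Description, DistinguishedName
}

# Report first.
$stale = Get-StaleADUser -InactiveDays 90 -SearchBase 'OU=Staff,DC=example,DC=com'
$stale | Sort-Object LastLogonDate | Format-Table SamAccountName, LastLogonDate, whenCreated -AutoSize

# Then disable, recording when and why in the description so the change can be
# reversed. -WhatIf only prints what would happen; drop it once the list is reviewed.
foreach ($u in $stale) {
    $note = 'Disabled as inactive on {0:yyyy-MM-dd}; previous description: {1}' -f (Get-Date), $u.Description
    Set-ADUser -Identity $u.DistinguishedName -Description $note -WhatIf
    Disable-ADAccount -Identity $u.DistinguishedName -WhatIf
}
```

Search-ADAccount -AccountInactive -UsersOnly gives a similar list with less code, but it cannot express the never-logged-on rule above, and disabling rather than deleting keeps group memberships and SID history intact while you confirm nobody still needs the account.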

Adaxes

Adaxes streamlines routine management functions in Active Directory, Microsoft Exchange and Microsoft 365 environments. You can use it to delegate privileges, control authorizations and stay in compliance with data mandates. Softerra offers a 30-day free trial.

CENTREL Solutions XIA Automation

CENTREL Solutions XIA Automation helps you automate IT management tasks, such as account provisioning, user management and password changes. It includes time-saving features like bulk provisioning of accounts from CSV to AD, Exchange, Google or Office 365.

Dameware Remote Everywhere

Dameware Remote Everywhere is a pricey commercial-grade tool at $540 (and up), but it is notable for its powerful functionality — especially for enterprise-level network needs.

“Remote Everywhere” refers to the tool’s cloud-based solutions. Users enjoy safe, remote support with advanced encryption and multifactor authentication, essential endpoint support for any computer or device, and a reporting engine that can handle virtually any reporting task. New users can get a fully functional version of Dameware Remote Everywhere for 14 days.

Active Directory Utility Tools

Microsoft Active Directory Replication Status (ADREPLSTATUS) Tool

Microsoft ADREPLSTATUS Tool is a single-purpose tool that helps you analyze the replication of domain controllers in your network.

Cjwdev Group Manager

Cjwdev Group Manager allows the manager of a group to manage roles and settings for the group, including adding and removing other users and exporting group members to a CSV file. The free edition enables you to manage only a single group, and you cannot add new members from other domains.

Cjwdev Active Directory Photo Edit

Cjwdev Active Directory Photo Edit enables you to import and upload images to an AD attribute that can be displayed in Outlook 2010, Lync and SharePoint. The free edition can’t process pictures for users and contacts in bulk, but the paid version offers this feature.

Cjwdev Managed Service Accounts GUI

Cjwdev Managed Service Accounts GUI helps you configure managed service accounts using an intuitive GUI that eliminates the need for PowerShell commands.

Specops Password Auditor

Specops Password Auditor scans your Active Directory and identifies password-related vulnerabilities so you can reduce your attack surface and maintain compliance.

Specops Software Gpupdate

Specops Software Gpupdate enables remote administration of computers and organizational units. For example, you can refresh Group Policy or wake up, shut down or restart a PC remotely.

Specops Command

Specops Command is a PowerShell and VBScript interface that helps you automate many Active Directory administrative tasks.

Zohno Z-Hire and Z-Term

Zohno Z-Hire and Z-Term are single-task tools. Z-Hire speeds the user account creation process for new hires, while Z-Term helps with account removal when an employee leaves the organization.

SysOpsTools Active Directory Query

SysOpsTools Active Directory Query is a free executable tool — no installation required — that can be used to quickly search AD for information about a specific user or computer, including schema attributes that are normally not readable.

RIA-Media SysAdmin and SysAdmin Anywhere 

RIA-Media SysAdmin and RIA-Media SysAdmin Anywhere are helpful for facilitating a long list of activities:

  • Resetting user passwords
  • Adding, editing and deleting AD objects
  • Adding photos
  • Shutting down and restarting computers remotely
  • Checking for updates
  • Monitoring hardware and computers

SysAdmin and SysAdmin Anywhere both offer a free trial.

Codeplex ADModify.NET

Codeplex ADModify.NET is a single-purpose tool that allows you to modify multiple user attributes at once.

WiseSoft Bulk Password Control

WiseSoft Bulk Password Control enables you to change passwords on multiple accounts at the same time using the tool’s password generator feature. You can also enable, disable and unlock AD accounts in bulk.

Conclusion

With so many options to choose from, it can be challenging to find the right mix of AD management tools for your needs. The most effective way to make that choice is to install different tools and try them out in your AD environment. This will give you insight into how well they will work for your specific needs and preferences.

Source :
https://blog.netwrix.com/2021/03/10/active-directory-tools/