CNAME Collusion – Seven Exchange 0-Days, Firefox Enhanced Tracking Protection, SolarWinds Password

Seven Exchange 0-days, Firefox Enhanced Tracking Protection, SolarWinds Password.

• Chrome to default to trying HTTPS first when not specified.
• Firefox’s “Enhanced Tracking Protection” just neutered 3rd-party cookies!
• As easy as “SolarWinds123”.
• Rockwell Automation’s CVE-2021-22681 is a CRITICAL 10 out of 10.
• VMware’s vCenter troubles.
• SpinRite update.
• Microsoft issues emergency patches for 4 exploited 0-days in Exchange.
• CNAME Collusion.

This Week in Tech 606: My YouTube Cover Band

Uber’s President quits, saying that the job was not what he signed on for. Orson Welles’ “new” movie comes to Netflix. How to make money in the new music industry. Pwn2Own winners do the impossible hack. Is your vibrator tracking you? All this, and growing human flesh on robots – what could go wrong?

–Tom Merritt has a new sci-fi novel: Pilot X.
–Roberto Baldwin is in a Devo cover band.
–Steve Kovach is the Dark Knight.

Google, Microsoft, Salesforce and Verizon are all reportedly interested in buying Twitter

By Shawn Knight | TechSpot

Twitter last October brought back former CEO Jack Dorsey to once again helm the company he helped create. More importantly, they needed him to help steer the ship back on course following multiple miscues.

Twitter has been taking on water for a while but you’d never know it at first glance. The social network is seemingly preferred by every major celebrity and Internet influencer and hashtags have invaded our daily lives. You can’t even watch the evening news without hearing about what ordinary people think about a given story courtesy of Twitter.

Dig a bit deeper, however, and you’ll find a myriad of problems plaguing the microblogging platform.

The company has failed to curb the rampant bullying and abuse that takes place each and every day on its platform. User growth has remained flat for several quarters. Revenue is tough to come by as larger companies are getting the lion’s share of advertising dollars.

It’s no surprise, then, that Twitter may soon find itself under new ownership.

CNBC on Friday said that Google and Salesforce are both interested in making an offer for Twitter. What’s more, TechCrunch notes that Microsoft and Verizon are also interested, although the latter may have too much on its plate right now given its recent acquisition of Yahoo (and AOL before that) as well as its interest in Vessel.

Share value in Twitter is up more than 20 percent on the buyout chatter.

In the meantime, Twitter is attempting to reinvigorate itself as a video streaming platform, as evidenced by recent deals with organizations such as the NFL.

Oops! Microsoft accidentally teases Windows 9 ‘coming soon’ on social media


Microsoft’s internal censors seem to be sleeping on the job this year. In June, the Surface Pro 3 manual included several references to a small-screen Surface Mini despite the fact that a small-screen Surface Mini was never actually released. And now, as rumors of Windows 9 swirl, Microsoft China appears to have confirmed the impending reveal.

Posting to Weibo—a Chinese social media site—Microsoft China posed its followers a question: “Microsoft’s latest OS Windows 9 is coming soon, do you think the start menu at the left bottom will make a comeback?” (Translation courtesy of The Verge.)

Oops. And not just because Microsoft has already announced the return of the Start menu.

The post was accompanied by a screenshot of a Windows 9 logo mock-up by Shy Designs, seen above. Microsoft China appears to have quickly realized the error of its ways, as the Weibo message has since been removed, though not before Cnbeta noticed and first reported it.

Several reports from oft-reliable sources say Microsoft is prepared to announce Windows 9 in “technical preview” form at the end of September or early in October, just before Windows 7 PCs disappear from store shelves, though Microsoft itself has yet to confirm it. Leaks suggest Windows 9 will better let a PC be a PC and a tablet be a tablet, bringing several mouse-friendly changes to the desktop and possibly killing the desktop completely in tablets and phones powered by mobile ARM processors.

If Windows 9 is indeed incoming—and Microsoft China’s slip-up suggests it is—we have some suggestions for features we’d want to see. But one of the most crucial improvements Microsoft needs to make ASAP has nothing to do with the core operating system itself: The company needs to clean up the Windows Store pronto if it ever hopes to make Metro apps viable on the desktop. Fortunately, Microsoft’s already taking its first tentative steps towards fixing the mess.

via Oops! Microsoft accidentally teases Windows 9 ‘coming soon’ on social media | PCWorld.

Preview cutting-edge Internet Explorer features early with new test build browser

Developers can try out new features of the next version of Internet Explorer using a test edition Microsoft has released for their use.

The Internet Explorer Developer Channel, which can be downloaded for Windows 8.1 and Windows 7 SP1, runs independently of the user’s copy of IE, allowing programmers to test the newest browser features without disrupting their current browser setup.

The Internet Explorer Developer Channel will offer an early version of IE while it is still being worked on by Microsoft programmers. Developers can preview features planned for the upcoming editions of the browser to help them better build Web applications and pages that use the new capabilities.

Microsoft also hopes that developers will offer feedback, so the company can better implement the pending features.

The developer version offers a sandbox-like testing environment so it does not interfere with the user’s IE browser profile. The browser does not run as quickly as the standard edition of IE and because it is a beta version, should not be used in production environments. The first Developer Channel release offers automated WebDriver testing, enhanced F12 developer tools, and Xbox controller support for web-based games.

With the test version, Microsoft is replicating the fast development environments used by other browser makers.

Mozilla offers nightly builds of the next version of the Firefox browser under development. Google also offers developer versions of its Chrome browser.

Microsoft plans to issue frequent updates to the test version of IE, announcing them through the DevChannel.Modern.IE developer resource site. Microsoft’s F12 Developer Tools were designed to help debug and optimize Web pages and Web applications.

via Preview cutting-edge Internet Explorer features early with new test build browser | PCWorld.

Windows 8.1 users won’t receive any more patches unless spring update is installed

Microsoft is staying true to a promise it delivered all the way back in April: Windows 8.1 users who have yet to install the Windows 8.1 Update released this spring won’t be able to download today’s Patch Tuesday updates—or any future Patch Tuesday updates—until they get around to upgrading their operating system.

The threat only applies to Windows 8.1 users. If you’re still on Windows 8, 7, or Vista, you should continue receiving patches normally. You can see whether you’re running Windows 8 or Windows 8.1 by opening the Charms bar, heading to PC Settings > PC and devices > PC info, and looking under the “Windows” section.

If you’re on a Windows 8.1 system without the Spring Update, your computer won’t automatically download today’s patches via Windows Update. Furthermore, if you’ve altered your system settings to manually select which patches to install, you won’t even see today’s patches in Windows Update, a Microsoft spokesperson tells CNET. Don’t try to get clever, either: Trying to install the updates manually will result in a failed installation.

Microsoft postponed this deadline once, as the Windows 8.1 support end date was originally set for May.

Most Windows users should have received the Windows 8.1 Update when it was released in April, assuming you haven’t changed the default option to install Windows updates automatically. And if you chose not to install the update, well, what are you waiting for? The Spring Update makes Microsoft’s Metro vision truly PC-friendly for the first time, by dynamically adjusting its interface and behavior to let a PC be a PC and a tablet be a tablet. Plug in a mouse and you’ll get a desktop-focused experience; touchscreen users will stick to Windows 8.1’s usual finger-friendly design.

It’s great. And if that carrot doesn’t sway you to install the Windows 8.1 Spring Update, the “No more updates” stick certainly should.

via Windows 8.1 users won’t receive any more patches unless spring update is installed | PCWorld.

Microsoft pushes out massive security update for Internet Explorer

Six down, six to go. Today is the Microsoft Patch Tuesday for June, and it comes with seven new security bulletins. The good news is that five of the seven are only rated as Important, but one of the two Critical security bulletins—the cumulative update for Internet Explorer—is huge.

In all, the seven security bulletins address a total of 66 specific vulnerabilities. The Cumulative Security Update for Internet Explorer (MS14-035) accounts for 59 of them—a record for a single Microsoft security bulletin.

Microsoft issued fixes for flaws in remote desktop, Lync Server, XML Core Services, Word, the TCP protocol, and the Microsoft Graphics Component that affect a range of products and services including versions of Windows and Office. The impact of a successful exploit ranges from denial of service, to information disclosure, to remote code execution, but the “star” of the show is Internet Explorer.

“Last month, IE saw a lot of activity, first with the out-of-band patch released on May 1, a point fix released as part of May’s Patch Tuesday, and a vulnerability that was publicly disclosed by the Zero-Day Initiative on May 21,” says Russ Ernst, director of product management for Lumension.

The cumulative update from Microsoft includes a fix for the vulnerability reported to ZDI. Thankfully, none of the vulnerabilities fixed by this update are actively under attack as far as we know. Even the two flaws that are already publicly disclosed are not facing any known active attacks.

That said, with 59 separate vulnerabilities in the most widely-used browser, it is an absolute certainty that malware developers will be working diligently to reverse-engineer the patches and craft exploits to target those flaws. It is absolutely imperative that you apply the patch for MS14-035 as soon as possible.

The other Critical security bulletin this month—MS14-036—addresses a couple of vulnerabilities in the Microsoft Graphics component that could enable remote code execution if successfully exploited. The list of affected applications is extensive, including all versions of Windows and Office.

Tyler Reguly, manager of security research for Tripwire, stresses that upgrading to more current operating systems and applications has perks from a security perspective. “MS14-034, which affects only Office 2007, is a reminder that Microsoft’s Security Development Lifecycle really does work,” he says. “It would be nice to see them shorten their support windows, forcing consumers and enterprises to upgrade more frequently. This would remove older, more vulnerable software from the picture.”

Review the security bulletins from Microsoft and figure out which ones apply to you. I recommend you install all applicable updates to fix vulnerabilities before malware developers figure out how to exploit them. Start with the two Critical updates—MS14-035 and MS14-036—but then move as quickly as possible to implement the rest of the updates as well.

via Microsoft pushes out massive security update for Internet Explorer | PCWorld.

Mozilla kills Firefox browser for Windows 8 Metro

Shipping a final version of the Mozilla Firefox browser for the Windows 8 “Metro” environment “would be a mistake,” according to a Mozilla vice president, because of the relatively minuscule number of users on the platform.

In fact, Mozilla has never seen more than 1,000 users pre-testing the beta version of Mozilla, said Johnathan Nightingale, the vice president of Firefox, in a blog post on Friday. But on any given day, millions of people test pre-release versions of Firefox on other platforms, he added.

“Mozilla builds software to make the world better, but we have to pick our battles,” Nightingale wrote. “We’re not as tiny as we were when we shipped Firefox 1.0, but we still need to focus on the projects with the most impact for our mission; the massive scale of our competitors and of the work to be done requires us to marshal our forces appropriately.”

Mozilla launched its Metro effort in 2012, Nightingale said, and the team “broke through” Microsoft’s controls and began developing Firefox for x86-based versions of the platform. Mozilla never developed a version of Firefox for Windows RT using ARM chips, after the company complained in 2012 that Microsoft was locking Windows users to its own browser.

It’s unclear how many users opt for the Metro version of Microsoft’s own Internet Explorer versus the version designed for its desktop mode; Microsoft has never broken the two numbers out. When Net Applications said Internet Explorer commanded 48.37 percent of the desktop browser market for February, for example, the company did not differentiate between the two versions. But, combined, Windows 8 and Windows 8.1 commanded just 10.68 percent or so of the entire PC market.

A Microsoft representative was not immediately available for comment.

If Mozilla did ship a Metro version of Firefox, it would be without the requisite amount of bug testing and subsequent fixes, leaving users to find and report bugs on a “finished” product. “To ship it without doing that follow up work is not an option,” Nightingale wrote.

“This opens up the risk that Metro might take off tomorrow and we’d have to scramble to catch back up, but that’s a better risk for us to take than the real costs of investment in a platform our users have shown little sign of adopting,” Nightingale concluded.

via Mozilla kills Firefox browser for Windows 8 Metro | PCWorld.