Microsoft dropped the last ever Patch Tuesday update – at least in its current form – yesterday evening, but security researchers are voicing growing concerns that the Microsoft Security Response Center (MSRC) is repeatedly dropping the ball when it comes to handling disclosures appropriately.
Via emailed comments, Tenable senior research engineer Claire Tills told Computer Weekly: “On the subject of Microsoft’s troubling pattern of dismissing legitimate security concerns, Tenable researcher Jimi Sebree discovered and disclosed two vulnerabilities in Microsoft’s Azure Synapse Analytics, one of which has been patched and one which has not. Neither of these vulnerabilities was assigned a CVE number or documented in Microsoft’s security update guide for June.”
Sebree wrote of a “major communications disconnect” between MSRC and the team responsible for Azure Synapse.
The researchers’ concerns take on an added sense of urgency given Microsoft’s well-documented response to CVE-2022-30190, the zero-day known as Follina, which was uncovered in late May.
According to the anonymous researcher who uncovered it, a member of the Shadow Chaser threat hunting collective who goes by the handle Crazyman, MSRC dismissed Follina, closed Crazyman’s ticket, and said it was “not a security-related issue”. The bug sits in the Microsoft Support Diagnostic Tool (MSDT) and is reached from a crafted Office document through the ms-msdt: URL protocol handler, letting an attacker run arbitrary PowerShell with the privileges of the calling application; in its RTF form it fires from the Windows Explorer preview pane without the document being opened at all. Once the flaw was seen being exploited in the wild as a zero-day, that assessment proved wrong in short order.
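The detection that the description above implies, written here as an added example rather than anything from Computer Weekly, MSRC or the researcher quoted: the publicly documented Follina chain has an Office process (or Explorer, for the RTF preview-pane case) spawning msdt.exe through the ms-msdt: handler with a PowerShell subexpression `$( … )` smuggled into a troubleshooter parameter such as IT_BrowseForFile. The script below scores Sysmon-style process-creation records on exactly that. The field names (Image, ParentImage, CommandLine, RecordId), the list of Office parents and the four sample records are all constructed for the example; the mpsigstub.exe path-traversal tail in the first record mirrors the widely shared proof of concept but is not a real capture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Office hosts observed launching msdt.exe in Follina documents (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# The exploit reaches MSDT through its URL protocol handler ...
MSDT_PROTOCOL = re.compile(r"\bms-msdt:", re.IGNORECASE)
# ... and puts a PowerShell subexpression $( ... ) into a troubleshooter
# parameter (IT_BrowseForFile in the public proof of concept), which MSDT evaluates.
PARAM_INJECTION = re.compile(r"IT_\w+=[^\s\"]*\$\(", re.IGNORECASE)


@dataclass
class Finding:
    record_id: int
    severity: str  # "high", "medium" or "low"
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, object]) -> Optional[Finding]:
    """Score one process-creation record; None means nothing Follina-like."""
    if _basename(str(event["Image"])) != "msdt.exe":
        return None
    parent = _basename(str(event["ParentImage"]))
    cmd = str(event["CommandLine"])
    rid = int(event["RecordId"])
    via_protocol = MSDT_PROTOCOL.search(cmd) is not None
    injected = PARAM_INJECTION.search(cmd) is not None
    if via_protocol and injected:
        if parent in OFFICE_PARENTS:
            return Finding(rid, "high",
                           f"{parent} launched msdt.exe via ms-msdt: with $( ) in a troubleshooter parameter")
        # explorer.exe as parent is consistent with the RTF preview-pane variant.
        return Finding(rid, "medium",
                       f"ms-msdt: launch with $( ) in a troubleshooter parameter (parent {parent})")
    if parent in OFFICE_PARENTS:
        # Office should not normally be starting the diagnostic tool at all.
        return Finding(rid, "low", f"msdt.exe spawned by Office process {parent}")
    return None


def scan(events: List[Dict[str, object]]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


def _event(rid: int, parent: str, cmd: str) -> Dict[str, object]:
    return {"RecordId": rid, "Image": r"C:\Windows\System32\msdt.exe",
            "ParentImage": parent, "CommandLine": cmd}


# Constructed sample records, not real telemetry.
FOLLINA_CMD = r'''"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"'''
SAMPLE_EVENTS = [
    _event(1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", FOLLINA_CMD),
    _event(2, r"C:\Windows\explorer.exe", FOLLINA_CMD),                       # preview-pane path
    _event(3, r"C:\Windows\explorer.exe",
           r'"C:\Windows\System32\msdt.exe" /id NetworkDiagnosticsWeb'),       # legitimate troubleshooter
    _event(4, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
           r'"C:\Windows\System32\msdt.exe" /id PCWDiagnostic'),               # odd parent, no injection
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.severity:<6} {f.reason}")
```

Run on the samples it flags record 1 as high, record 2 as medium and record 4 as low, and ignores the ordinary troubleshooter launch. Feeding it real Sysmon Event ID 1 data only needs a loader that maps your export into the three fields; the scoring stays the same.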
Computer Weekly reached out to Microsoft with questions about its disclosure procedures but had not received a response at the time of publication.
Final fling fixes Follina folly
Fortunately for Follina fearers, the vulnerability was indeed fixed in the last Patch Tuesday update, one of 61 unique vulnerabilities, and the only zero-day to have come under active exploitation. However, according to Todd Schell of Ivanti, it may have been a somewhat rushed addition to the list.
“This vulnerability has been under attack for several months. This vulnerability fix must have been a late addition this month, because although it shows up in the vulnerabilities list of the Security Guide, it was not shown in the breakdown of CVEs for each patch,” said Schell.
Some of the other more impactful vulnerabilities addressed in Patch Tuesday’s swansong include CVE-2022-30136, a remote code execution (RCE) vulnerability in Windows Network File System, which carries a sky-high CVSS score of 9.8. It is exploitable by an unauthenticated attacker who can reach the NFS service, so real exposure is limited to hosts running the NFS server role; the flaw is in NFSv4.1, and Microsoft’s interim workaround before patching was to disable NFSv4.1 on affected servers.
Also worthy of note are CVE-2022-30157 and CVE-2022-30158, both RCE vulnerabilities in Microsoft SharePoint Server, which require the attacker to be authenticated and to hold page-creation permissions on the site, so some initial access is needed before they can be exploited.
Perhaps more likely to be exploited is CVE-2022-30147, a privilege escalation vulnerability in Windows Installer affecting both desktop and server environments, which could prove useful to attackers seeking admin privileges to – for example – exfiltrate data prior to deploying ransomware.
Security teams may also want to prioritise CVE-2022-30163, an RCE vulnerability in Windows Hyper-V. Kev Breen of Immersive Labs commented: “A remote code execution vulnerability in Hyper-V sounds scary when you consider that, if exploited, an attacker could move from a guest virtual machine to the host, accessing all running virtual machines.
“However, Microsoft has marked this vulnerability as less likely to be exploited. This is probably because the complexity is high and requires an attacker to win a race condition. What that condition is, is not disclosed. This one will be of high value to attackers if a method of easily exploiting it is discovered.”
Meanwhile, Allan Liska of Recorded Future reflected on nearly two decades of Patch Tuesday history. He said: “The first Patch Tuesday was released 14 October 2003. Patch Tuesday was originally designed as a way for Microsoft to release all of their patches at the same time and Tuesday was chosen because it gave system administrators time to review and test the patches then get them installed before the weekend.
“The more things change, the more they stay the same. For almost 20 years, Patch Tuesday has been a staple for system administrators, IT staff, home users and analysts, but it has also long outlived its usefulness,” he said.
“Microsoft is increasingly reliant on out-of-cycle patch releases because the bad guys are getting better at weaponising vulnerabilities and exploiting those vulnerable systems faster. Abandoning Patch Tuesday will, hopefully, allow Microsoft to respond to new vulnerabilities faster and get patches pushed out sooner,” added Liska.
Autopatch repair, Autopatch replace
From here on out, as previously reported, Patch Tuesday will be replaced by a new automated service, Windows Autopatch, available for Windows Enterprise E3 licences and covering Windows 10, 11 and Windows 365.
This service, which will keep Windows and Office software on enrolled endpoints up to date at no additional cost, was developed in response to the growing complexity of IT environments, which has massively increased the number and scope of vulnerabilities security teams have to deal with, and makes the second Tuesday of the month somewhat fraught.
Microsoft believes that by automating patch management, it can provide a more timely response to changes. Furthermore, thanks to deployment rings, which “cascade” each update from a small Test ring of the customer’s own devices through progressively larger First, Fast and Broad rings for validation (with the option to pause the rollout or roll the update back should things go pear shaped), security teams can supposedly be more confident about introducing new patches without causing problems.
For years, USB technologies have been an alphabet soup of terminology—when, really, all consumers care about is how fast the USB connection is. But now, finally, a new USB logo scheme solves this problem.
The USB Implementers Forum unveiled new logos on Friday for laptop ports, chargers, and cables that actually try to communicate what each one does. It’s a far cry from the nightmare naming scheme that the USB-IF implemented in 2009. It’s worth noting that the names of each specification apparently haven’t changed, but the logos have, and that’s all that matters.
USB-IF executives said the new logos were established alongside the new 240W USB-C power specification, which can now charge USB-C powered laptops at the levels required by even some gaming laptops. Now, the various USB specifications are defined by their speed. Charging specifications are defined by their wattage, with logos that actually indicate this.
“With the new higher power capabilities enabled by the USB PD 3.1 Specification, which unlocks up to 240W over a USB Type-C cable and connector, USB-IF saw an opportunity to further strengthen and simplify its Certified Logo Program for the end user,” said Jeff Ravencraft, USB-IF President and chief operating officer, in a statement. “With our updated logos, consumers can easily identify the USB4 performance and USB Power Delivery capabilities of Certified USB-C cables, which support an ever-expanding ecosystem of consumer electronics from laptops and smartphones to displays and chargers.”
The new logos will be used on packaging, ports, and device power ports.
About the only drawback? There’s no obligation for device makers to actually inscribe the logo on their laptops, which could mean a continuation of the confusion around ports.
The new USB cable logos also feature clear communication of their speed as well as their charging capabilities. The big question is whether these cables will support Thunderbolt, DisplayPort, or USB4, any of the protocols, that is.
OLED monitors, with their vibrant colors and perfect black levels, are some of the very best screens you can connect to your PC. Unfortunately, they’re also crazy expensive: with only a few models on the market, the cheapest is still more than a thousand bucks. That might be changing soon, if a report on OLED mega-manufacturer LG Display is accurate.
OLED-info.com quotes unconfirmed news out of China’s manufacturing sector, saying that LG is ready to start manufacturing smaller OLED panels for smaller TVs and computer monitors. Specifically, it’s preparing to ramp up smaller displays using the cheaper WOLED panel technology, which can be produced much more economically than the older types of OLED panels seen in high-end televisions.
Despite being ubiquitous on smaller gadgets like phones and smartwatches, and extremely popular in high-end televisions, OLEDs have been slow to come to the PC market. We’re just starting to see them become a popular option on more and more laptops, but you can count the number of commercially available desktop OLED monitors on one hand. And, of those, LG’s own offerings have been focused on the ultra-high-end professional media market — it’s only this year that the company has begun supplying panels for gaming monitors to companies like Alienware and Corsair.
While we can’t verify the news without a more conventional source, it makes sense. The high-end television market is currently saturated (no pun intended) with OLED screens since there’s been relatively little innovation in the last few years and huge numbers of consumers upgraded their home theaters during the pandemic. OLED manufacturing technology is poised to go bigger (or rather, poised to hit the midrange between small and big) after spending a decade maturing in the mobile electronics market.
If all goes well, we might begin to see more affordable OLED monitors announced at trade shows like CES, E3, and Computex in 2023, with models hitting the market in the summer or fall. Keep your fingers crossed for some display bargains.
We’re expecting the Google Pixel Watch to make its full debut on Thursday, October 6 – alongside the Pixel 7 and the Pixel 7 Pro – but in the meantime a major leak has revealed much more about the upcoming smartwatch.
Seasoned tipster @OnLeaks has posted the haul, which shows off some of the color options and band styles that we can look forward to next week. We also get a few shots of the watch interface and a picture of it being synced with a smartphone.
Watch faces are included in the leak too, covering a variety of different approaches to displaying the time – both in analog and digital formats. Another image shows the watch being used to take an ECG reading to assess heart rhythm.
@OnLeaks, October 1, 2022: “Just got my hands on a bunch of #Google #PixelWatch promo material showing all color options and Watch Bands for the first time. Some details revealed as well… @Slashleaks” https://t.co/HzbWeGGSKP
If the leak is accurate, then we’ve got four silicone straps on the way: black, gray, white, and what seems to be a very pale green. Leather straps look to cover black, orange, green and white, while there’s also a fabric option in red, black and green.
We already know that the Pixel Watch is going to work in tandem with the Fitbit app for logging all your vital statistics, and included in the leaked pictures is an image of the Pixel Watch alongside the Fitbit app running on an Android phone.
There’s plenty of material to look through here if you can’t wait until the big day – and we will of course be bringing you all the news and announcements as the Google event unfolds. It gets underway at 7am PT / 10am ET / 3pm BST / 1am AEDT (October 7).
Analysis: a big moment for Google
It’s been a fair while since Google launched itself into a new hardware category, and you could argue that there’s more riding on the Pixel Watch than there is on the Pixel 7 and Pixel 7 Pro – as Google has been making phones for years at this point.
While Wear OS has been around for a considerable amount of time, Google has been leaving it to third-party manufacturers and partners to make the actual hardware. Samsung recently made the switch back to Wear OS for the Galaxy Watch 5 and the Galaxy Watch 5 Pro, for example.
Deciding to go through with its own smartwatch is therefore a big step, and it’s clear that Google is envious of the success of the Apple Watch. It’s the obvious choice for a wearable for anyone who owns an iPhone, and Google will be hoping that Pixel phones and Pixel Watches will have a similar sort of relationship.
What’s intriguing is how Fitbit fits in – the company is now run by Google, but so far we haven’t seen many signs of the Fitbit and the Pixel lines merging, even if the Pixel Watch is going to come with support for the Fitbit app.