Security flaw in Log4J – Urgent attention required

An Insecurity Inside A Common and widespread USED LOGGING LIBRARY has escalated into a full-fledged security breakdown, impacting digital communications all over the internet.

Hackers are already working to attack it, but even while solutions are developed, experts stress that the hole might have global ramifications.

The problem is with Log4J a popular open platform Apache logging framework used by programmers to keep tracking of all activities within an application.

Simultaneously, hackers are continually searching the internet for infected computers. Some have already created tools that aim to exploit the problem automatically, as well as worms that can transmit autonomously from one susceptible system to another under the correct conditions.

Log4J is a Java API, and while the computer language is becoming less popular among consumers, it is still widely used in business systems and online sites.

On Friday, researchers told WIRED that they expected many popular services to be impacted.

For example, Microsoft-owned Minecraft issued explicit instructions on Friday for how Java version gamers should fix their PCs. “This attack impacts several services, including Minecraft Java Edition,” according to the report.

CEO Matthew Prince Cloudflare said: This vulnerability raises the possibility that our machines may be get hacked. the problem was “that serious” that the internet infrastructure business will try to provide at least some security to consumers on its free tier of service.

the vulnerability allows an attacker to execute arbitrary Java code on a server, granting them control.

“It’s a catastrophic design failure,” says Free Wortley, CEO of the open-source data security platform LunaSec. On Thursday, the company’s researchers issued a warning and preliminary evaluation of the Log4j vulnerability.

Minecraft images circulating on forums purport to show people taking advantage of the Minecraft chat function’s vulnerability. Some Twitter users began altering their display names to code sequences that may trigger the attack on Friday. ‘Another person did the same thing by changing the name of his iPhone and reporting the discovery to Apple. According to the researchers, the strategy might also work with email.

The US Cybersecurity and Infrastructure Security Agency, as well as Australia’s CERT, issued a notice about the vulnerability on Friday.

According to an advisory from New Zealand’s government cybersecurity group, The vulnerability is apparently being aggressively exploited.

“It’s very awful,” Wortley admits. “There are so multiple individuals that are weak, and it’s so simple to take advantage of them.” These are some mitigating circumstances, and in the real world, there will be many firms trying to solve this issue.

Apache assesses the issue as “critical,” and fixes and mitigations were released on Friday. According to the firm, the vulnerability was discovered by Chen Zhaojun of the Ali[Censored] Cloud Security Team.

The issue highlights the difficulties of controlling risk within interconnected corporate software. Numerous firms, like Minecraft, may need to design their own fixes or will be impossible to patch instantly due to legacy software, such as earlier versions of Java.

Furthermore, patching Log4j into live services is not a casual thing to do since if something goes wrong, an organization’s logging capabilities might be jeopardized at a time when they need them the most to monitor for attempted exploitation.

Aside from installing updates for different web services as they become available, normal individuals won’t be able to do much; most of the effort will be done on the corporate side, as businesses and organizations hurry to adopt solutions.

“Security-mature firms will try to analyze their risk within hours of an exploit like this, but some will take a few weeks, and some will never look at it,” a security engineer from a prominent software company told WIRED.

The individual requested anonymity since they are collaborating with critical infrastructure response teams to resolve the risk. “The internet is on fire, and this garbage is all over the place.” And by “everywhere,” I mean “everywhere.”

While the SolarWinds breach and its aftermath showed how severely things can go wrong when attackers enter widely used software, the Log4j meltdown shows how widely the impacts of a single defect can be felt if it occurs in a core piece of code that is included in a lot of products.
“Library issues like this one create a very tough supply chain problem to tackle,” explains Katie Moussouris, founder of Luta Security and an experienced vulnerability researcher.

“Everything that makes use of the library must be tested with the updated version.” “Having previously coordinated library vulnerabilities, my heart goes out to those who are rushing right now.”

For the time being, the priority is to determine the extent of the problem. Unfortunately, security professionals and hackers alike are working around the clock to discover a solution.

Share it on Social Media:

This Office 365 email upgrade will add some colour to your calendar

Office 365 email users will soon be able to add some colour to their office calendars due to a new upgrade to the service. 

Outlook online users will soon be able to alter the colour of the events in their calendar application, allowing them to not only brighten up the display but also create greater differentiation and insight into their working week, according to an upcoming update. 

As per the published article in the Microsoft 365 roadmap, customers of the email service will be allowed to choose custom colours for their calendar events by utilizing hexadecimal numbers, RBG values, or colour picker control. 

The upgrade is still in progress, but Microsoft known for Microsoft Teams expects it to be released in February this year. It will initially be accessible solely to online users, but it may soon be made accessible elsewhere. 

The change brings Office 365 email up to pace with several of its main competitors, like Google Calendar, which also allows users to pick a variety of different colours for meetings. 

Microsoft has released a number of important Outlook upgrades in recent months in order to help folks who are adopting the hybrid working lifestyle. 

With the advent of spelling and grammatical checks for its Outlook on a smartphone, this contains a feature that will assist users to remove errors from their communications. 

Another upgrade will allow employees to put a notification indicating where they are working, whether it be at home, the workplace, or elsewhere. 

In August last year, Google Calendar acquired a similar function, enabling users to mark where they will be working, with the options of a home, workplace, or a specified other location. 

Users may also construct a weekly working location schedule if they want to work in the office on some days and work remotely on others, which can be altered at any moment if the situation changes. There’s no word on whether Microsoft’s Office 365’s email upgrade will be doing the same, but we’re hoping so. 

Share it on Social Media:

Microsoft’s new security chip will not limit computers to Windows 11

New Computers introduced in 2022 that include Microsoft’s Pluton security chip will be allowed to run operating systems apart from Windows 11. 

The Microsoft Pluton is a security chip that was pioneered in Xbox and Azure Sphere. It is developed to safely store sensitive data, such as encryption keys, inside the Pluton hardware, which is incorporated into the die of a computer’s Central processing unit hence more complicated for hackers to reach, even if they have actual custody of a device. 

Whilst the open-source community and many others first thought that Pluton will be used to tie devices to the current Windows 11, this is not the truth. Rather than being required to activate Linux and BSD, PC manufacturers and even consumers will be able to disable the capability totally. 

The very first Windows 11 Computers with Pluton were displayed at CES 2022, and Intel, AMD, and Qualcomm are all expected to include Microsoft’s security technology in their newest or next microprocessors. 

As per a new article, Pluton may function as a Trusted Platform Module (TPM) or as a non-TPM security coprocessor. Basically, the new security chip is being used by Microsoft known for products like Microsoft Teams to demonstrate to chip manufacturers how it intends TPM to be included in microprocessors in the future. 

Computer manufacturers will be permitted to sell their new Windows 11 Computers with Pluton activated or deactivated, but end users will be able to rectify this situation if they desire. 

The Pluton design from Microsoft known for products like Office 365 was implemented into AMD’s newest Ryzen 6000 CPUs, although customers will be able to deactivate the security chip on devices that utilize the chipmaker’s standard software. This is possible in the company’s reference BIOS. 

According to a Lenovo representative, Pluton will be deactivated by default on the company’s upcoming Z13, Z16, T14, T16, T14s, P16s, and X13 ThinkPad’s with Ryzen 6000-series CPUs. Customers, on the other hand, will be able to activate Pluton on their own. 

However, Intel’s next Alder Lake CPUs will have a Pluton-equivalent technology dubbed Intel Platform Trust Technology, which is TPM 2.0 compliant. 

Share it on Social Media:

Microsoft has released an out-of-band Windows Server Preview build

Microsoft known for Microsoft Teams has begun distributing an out-of-band upgrade for Windows Server 2019. The same KB5010791 fix resolves a few of the significant problems identified with Patch Tuesday upgrades in January last year. 

This upgrade, as per the release notes, resolves a problem that causes unplanned restarts on Windows Server domain controllers. Microsoft also fixed a fault that caused ReFS (Resilient File System) formatted hard drives to either not appear at all or to appear as raw, unformatted discs. This version also provides fixes for problematic VPN connections on Windows Server computers. The complete list of enhancements may be seen in the changelog below: 

  • Addresses a known problem that might make IP Security (IPSEC) connections with a Vendor ID to fail. VPN connections utilizing Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) may be impacted as well. 
  • Addresses a known problem that may result in Windows Servers restarting abruptly after downloading the January 11, 2022 upgrade on domain controllers (DCs). 
  • When you perform many attribute modifications, a problem arises that prohibits Active Directory (AD) attributes from being correctly written during a Lightweight Directory Access Protocol (LDAP) edit operation. 
  • Addresses a problem that may prohibit removable media that is formatted using the Resilient File System (ReFS) from mounting or allow the removable media to mount in RAW file format. This problem arises after downloading the Windows update dated January 11, 2022. 

The out-of-band upgrade comes on the heels of the introduction of emergency updates for Windows Server 2022, 20H2, 20H1, 2016, and 2012 R2. All of the above vulnerabilities were fixed by these Windows Server upgrades, which were issued on January 17. Microsoft has released patches for Windows 11, Windows 10, Windows 8, and Windows 7 to address the L2TP VPN connection issues. 

Microsoft famous for Office 365 advises users to apply the latest patch on their Windows Server 2019 computers as soon as feasible. Keep in mind that the KB5010791 upgrade is accessible via Windows Update, as well as through standalone packages offered on the Microsoft Update Catalog. 

Share it on Social Media:

Microsoft Teams now enables you to conceal your video during meetings

 One of the most inconvenient aspects of video meetings may soon be eradicated for Microsoft Teams customers, owing to a major upgrade to the video conferencing platform. 

The business communication platform has announced that it is developing a new function that will allow people to conceal their own video stream while on a call. 

This implies that Microsoft Teams users will no longer see their own face trying to pay more attention (or losing interest), but will instead be able to see other colleagues. 

The official article on the Microsoft 365 roadmap states, “Presently, the user’s video is presented at the bottom right-hand corner of the meeting screen.” “Users can utilize this functionality to conceal their own video throughout a call. This can assist eliminate interruptions during the conversation while still allowing other attendees to view your video.” 

The function is now listed as “under progress” on Microsoft’s roadmap, however, the item does promise a January 2022 delivery date. When it is released, the functionality will be accessible to all Microsoft Teams users globally, spanning online and computer platforms. 

The upgrade is the latest in a series of innovations introduced by Microsoft famous for products like SharePoint in an effort to assist Teams users in increasing productivity and efficiency as the age of hybrid working continues. 

This explains the current statement that Teams would eventually enable users to silence messages when in a video conferencing call or otherwise not wanting to be bothered. 

This should imply that you will no longer get annoying messages or notifications while in the midst of an essential meeting. 

According to recent statistics gathered by a software firm, virtually all (97 percent) firms now consider platforms like Zoom, Webex, and Microsoft Teams to be crucial to their business. 

More than half (57%) of the 2,000 UK-based respondents said their organization could not function for much more than 60 minutes without access to its communication tools, while 27percent said they couldn’t operate for even 30 minutes. 

Share it on Social Media:

Using the Gmail mobile app on an iPhone will now be a lot simpler

Google has announced a slew of improvements and enhancements for Apple devices, particularly new capabilities for Google Meet and Gmail mobile app for iPhone and iPad. 

The new Google Workspace features provide a home screen widget for Gmail, allowing users to swiftly access, modify, and respond to emails while on the go. 

Being launched now Gmail version 6.0.211226, initially announced in November last year, now features a new “Email updates” widget that provides quick access to your emails without opening the complete mobile app – helpful if you’re rushing to a meeting or getting on a train. 

According to Google, the new widget will let users see the senders and subject lines of their latest emails immediately on their Home Screen. 

It will be added to the current “Quick email actions” home screen feature and will provide users the opportunity to create new emails instantaneously – and will also be accessible in dark mode. 

The iOS Gmail widget lacks the versatility of the Android Gmail widget. But, on the other hand, Apple may have some catching up to do when it comes to widgets.  

Apple presently does not allow app developers to incorporate any functionality into iOS widgets. So, eliminating that constraint may be the first step the Cupertino team might take to improve iOS widgets. 

Another notable innovation is Google Meet’s picture-in-picture mode, which allows users to have numerous applications open and visible while on a video conference session, which might be highly beneficial for business users. 

Users of the iPhone and iPad will be able to join into a meeting on their phone in the future, but they will also be capable of passing an email, sharing a document, or simply conducting some more research while the conversation is in progress. Navigating away from Google Meet will minimize the mobile app, which may be adjusted and moved about the Home Screen as desired. 

“If you are using Google apps to get work done on your iPhone or iPad, we’re introducing some enhancements to help you stay organized and productive,” said Luke Wroblewski, Google’s Director of iOS, in a blog article. 

Share it on Social Media: