  <?xml version="1.0" encoding="utf-8"?>


    <rss version="2.0"
         xmlns:content="http://purl.org/rss/1.0/modules/content/"
         xmlns:atom="http://www.w3.org/2005/Atom">
        <channel>
<title>News - Rheinland-Pfälzische Technische Universität Kaiserslautern-Landau</title>
            <link>/</link>
<description>News and press releases of the Rheinland-Pfälzische Technische Universität (RPTU): research, studies, teaching and events from Kaiserslautern and Landau.</description>
            <language>de</language>
            
<copyright>Rheinland-Pfälzische Technische Universität Kaiserslautern-Landau</copyright>
            
            
            <pubDate>Sat, 04 Apr 2026 06:25:33 +0200</pubDate>
            <lastBuildDate>Sat, 04 Apr 2026 06:25:33 +0200</lastBuildDate>
            
            <atom:link href="/en/informationssicherheit/sicherheitswarnungen/rss.xml" rel="self" type="application/rss+xml" />
            <generator>TYPO3 EXT:news</generator>
            
                
                    <item>
                        <guid isPermaLink="false">news-18730</guid>
                        <pubDate>Tue, 27 Jan 2026 09:47:46 +0100</pubDate>
<title>EMERGENCY UPDATE against Zero-day in MICROSOFT OFFICE</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/notfall-update-gegen-zeroday-in-microsoft-office</link>
                        <description></description>
<content:encoded><![CDATA[<h2><strong>Emergency update against zero-day in Microsoft Office</strong></h2>
<p>Microsoft only releases updates outside its regular patch cycle when there is <strong>a fire</strong>. This is the case with <strong>Office</strong> and <strong>Microsoft 365 Apps for Enterprise</strong>.</p>
<h5>What is the issue and which specific application is affected?</h5>
<p>Microsoft 365 Apps for Enterprise and the <strong>Office versions 2016</strong> (version 16.0.0 to before 16.0.5539.1001), <strong>2019 </strong>(16.0.0 to before 16.0.10417.20095), <strong>LTSC 2021 </strong>and <strong>LTSC 2024</strong>, in each case the 32-bit and 64-bit versions.</p>
<h5>What is the problem?</h5>
<p>There is a serious vulnerability in Microsoft 365 and several Office versions that is already being actively exploited. It is sufficient for the victim to open a correspondingly manipulated Office file for the attack to succeed. The vulnerability is listed as  and is <strong>classified as "high"</strong> with a <strong>CVSS score of 7.8</strong>. Immediate action must be taken against this so-called zero-day attack.</p>
<h5>What needs to be done?</h5>
<p>Microsoft has been providing security updates since 26.01.2026 that fix the problem. Please install these updates as soon as possible. </p>
<p>The update for Office 2021 and 2024 is installed on the server side; users only need to restart their Office applications completely to remain protected. This should also apply to Microsoft 365 Apps for Enterprise; Microsoft has not yet commented on this and the relevant webpage has not yet been updated.</p>
<p>For Office 2019 installed with wholesale licenses, such as Office Professional Plus 2019, support has expired, but the software company has nevertheless issued an update. To close the security gap, it is necessary to upgrade to version 1808 build 10417.20095. For locally installed Office 2016, there is the , which replaces the update KB5002522 from February 13, 2024. Alternatively, Windows users can manually edit the system registry in the latter two cases.</p>
<h5>How do I find out which version I have? And where can I find out about these "updates"?</h5>
<p>To find out which version you are using and where the button for Office updates is, here is a short guide:  </p>
<h5>How do I start the search for updates?</h5>
<p>Depending on the support status, it may be sufficient for end users to restart the Office application completely. However, if you want to check manually whether the updates have already been installed or still need to be installed: Go to your Office application, click on "File" and then on "Account" at the bottom. On the right-hand side under "Product information" you will find the "Office updates" button. If you click on it, you will get a selection - see picture on the right.</p>
<h5>Where can I get help if I can't get any further on my own?</h5>
<p>Contact your local IT support, the <a href="#" data-mailto-token="nbjmup+sa.tvqqpsuAsquv/ef" data-mailto-vector="1" title="Öffnet E-Mail-Programm">Computing Center support team</a> or the <a href="#" data-mailto-token="nbjmup+wbofttb/bofgfmeAsquv/ef" data-mailto-vector="1" title="Öffnet E-Mail-Programm">Information Security team</a>. We will be happy to help you!</p>
<p>Message found at  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-18178</guid>
                        <pubDate>Tue, 28 Oct 2025 11:13:36 +0100</pubDate>
                        <title>Microsoft Teams can record office attendance from December</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/microsoft-teams-kann-ab-dezember-bueroanwesenheit-erfassen</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>Microsoft Teams makes fictitious presence in the home office more difficult: with an update, the platform will track an employee's location via the office WiFi.</p>
<p>An update to the Microsoft Teams collaboration software, which is to be rolled out from December 2025, could make working from home a challenge for some. The IT giant is planning to use a new function to record actual presence in the office building. Specifically, Teams will recognize whether the user has connected to the company's own Wi-Fi and then automatically determine the work location according to the respective building.</p>
<p>Teams already offers the option of determining the work location manually. This is intended, for example, to make it easier for colleagues in a large office complex or on a campus to find their way around. With the upcoming update, this process is to be automated in that the software - probably by comparing details such as the IP address or MAC address of the router - will determine whether you are actually on site.</p>
<p>This innovation, which the company has announced on its current , gives managers a clear overview of where their employees are at any given time. According to the roadmap, the feature is planned for both Windows and macOS. The technology portal Tom's Guide  that the update poses a potential threat to anyone who has found an oasis of peace and productivity in their home office. Teams could act as a "tattletale" in future.</p>
<h3><strong>Technical details still unknown</strong></h3>
<p>Microsoft has made it clear that the function will not initially be switched on by default. Activation is ultimately in the hands of the IT managers in the company. Consent from end users is required.</p>
<p>The debate about automated location recognition is reminiscent of a tactic used by Amazon employees after the coronavirus pandemic. To circumvent the controversial return to the office, some tried to change the name of their private Wi-Fi (SSID) to match that of the official company network. Tom's Guide assumes, however, that an application such as Microsoft Teams will see through this simple trick by means of checking mechanisms. The company has not yet revealed any technical details about the implementation of the new function.</p>
<h3><strong>What about data protection?</strong></h3>
<p>The automatic recording of the work location raises questions about data protection. Although the function aims to simplify hybrid collaboration, the idea of constant monitoring worries many employees. Microsoft counters this in the roadmap: The function cannot be activated secretly. Admins are not allowed to give their consent on behalf of the affected users.</p>
<p>Detection is based on the SSID of the office, which technicians have to store in the system. The latter therefore knows that a connection to this particular network means that the employee is located in a certain building. Microsoft Teams already uses geodata for other functions such as emergency calls and improving call quality.</p>
<p>The function outlined only records the location in relation to the company WLAN and sets the user's status to the stored building. It is not designed to perform permanent geolocation outside the working environment. Microsoft describes the function as "neutral". However, critics emphasize that the company's internal policy is crucial. If the feature is misused as a control instrument, it could undermine trust in the hybrid working model.</p>
<h3><strong>GDPR and the Works Constitution Act</strong></h3>
<p>In principle, the function could be compatible with the General Data Protection Regulation (GDPR). In any case, this would require strict compliance with several conditions by the company wishing to use the feature. The legal admissibility essentially depends on the consent of the employees and the purpose of the data collection. The company must obtain the voluntary and informed consent of each individual employee. It may only use the function primarily to improve collaboration and not as a monitoring tool. The transparency obligations must also be fulfilled.</p>
<p>In Germany or a country with similar labor law that provides for a right of co-determination, the company must conclude a works agreement. This is intended to prevent abuse of control. Without the voluntary participation of employees and clear rules on use, the function would probably violate applicable European and German data protection and labor law.</p>
<p>Company plans of this kind would have to be examined under labor law in particular, explains Niko Härting from the Berlin law firm of the same name to heise online: "This is about personal rights in the workplace." Continuous tracking is likely to be unlawful as long as there is no significant interest on the part of the employer to justify such a profound encroachment on fundamental rights. This could be the case in the logistics sector, for example, the lawyer explains. If there is a works council, it would have to give its consent. Data protection lawyers are also likely to question the voluntary nature of consent if, for example, fears of job loss could play a role.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-18156</guid>
                        <pubDate>Wed, 22 Oct 2025 10:30:12 +0200</pubDate>
                        <title>Urgent phishing warning</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/dringende-phishing-warnung-elster</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3>WARNING ABOUT PHISHING SCAMS</h3>
<h4>Phishing e-mails with a link that wants to download malware are currently rampant:</h4>
<h2>Win + R Captcha Virus</h2><h4>You can see from the pictures (supposedly from the Elster portal) what such an e-mail looks like.</h4>
<h4>This is NOT Elster, but a <strong>scam</strong>.</h4>
<p>Elster is only used as an example here, but such an e-mail has already been spotted here at RPTU today.</p>
<h4>Please be particularly careful and do <i><strong>not</strong></i> click on the link!</h4>
<h4>Please also warn your superiors and colleagues.</h4>
<p>Also think about employees working from home!</p>
<h4>If you have any questions or need help, please do not hesitate to contact us.</h4>
<h4>Information security team (contact: <a href="#" data-mailto-token="nbjmup+wbofttb/bofgfmeAsquv/ef" data-mailto-vector="1" title="Öffnet E-Mail-Programm">Vanessa Anefeld</a>)</h4>
<p><br>Explanation:</p>
<p>Image 1 - In an e-mail you are asked to click on a link to a website. (PLEASE DO NOT DO THIS!)<br>Image 2 - In order to access the website, you must first fill in or use a so-called "captcha", which requires you to confirm that you are not a robot but a human being. (Captchas are usually challenge-response tests in which the respondent has to solve a task <i>(challenge)</i> and send back the result <i>(response)</i>. In captchas, the tasks are ideally set in such a way that they are easy for humans to solve, but very difficult for computers. Example: click on all the pictures with bicycles on them.)<br>Image 3 - After that, a supposed error message would automatically appear (suggesting that you have made a mistake).<br>Image 4 - You would then be asked to enter "Win + R" and "Ctrl + V" (to correct your mistake). (THIS IS THEN GAME OVER - FOR YOU!!!)</p>
<p>If you then pressed Enter, a PowerShell window would open and quickly close again, having downloaded and executed some malware. </p>
]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-18121</guid>
                        <pubDate>Wed, 15 Oct 2025 09:44:45 +0200</pubDate>
                        <title>Internet Explorer becomes a security vulnerability</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/internet-explorer-wird-zur-sicherheitsluecke</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2><strong>IE believed to be dead becomes a security vulnerability: Microsoft reacts</strong></h2>
<p>Following active attacks, Microsoft has drastically restricted the Internet Explorer mode in Edge. Attackers even used zero-days to take over systems.</p>
<p>Internet Explorer is still not dead. At least not really. Attackers have been actively exploiting zero-day vulnerabilities in the outdated Chakra JavaScript engine since August 2025. Microsoft has now reacted and fundamentally rebuilt the IE compatibility mode in Edge. According to the Edge security team, the attackers combined social engineering with an exploit chain to gain complete control over target systems.</p>
<p>IE mode allows Edge users to load websites in the old Internet Explorer environment - intended for legacy applications that rely on outdated technologies such as ActiveX or Flash. Although Internet Explorer officially reached its end of life on June 15, 2022, Compatibility Mode remains available for enterprise applications and government portals. This is not the first time that remnants of Microsoft's browser, which has a reputation as a security risk, have become a security problem.</p>
<h4><strong>Three steps to system takeover</strong></h4>
<p>The current chain of attacks began with fake websites that imitated legitimate services. Using a flyout element, the attackers asked their victims to reload the page in IE mode. There, they first exploited an unpatched vulnerability in the Chakra engine to inject and execute malicious code (remote code execution). A second exploit then made it possible to break out of the browser in order to compromise the entire system (privilege escalation).</p>
<p>Microsoft has neither published CVE numbers nor provided an explicit patch for the Chakra vulnerability. Instead, in response to the attacks, the company quickly removed all simple access paths to IE mode: the dedicated toolbar button, the context menu entry and the option in the so-called hamburger menu have disappeared. Whether the Cumulative Update for IE released in September will eliminate the security gaps itself is therefore still unclear.</p>
<h4><strong>Cumbersome way as a security measure</strong></h4>
<p>If you want to use IE mode in future, you have to explicitly activate it in the Edge settings under <code>edge://settings/defaultBrowser</code> and manually add each individual URL to an allowlist. The listed pages can only be loaded in IE mode after a browser restart. Microsoft hopes that this cumbersome process will give users more time to recognize fake URLs and make the decision more consciously.</p>
<p>For enterprise customers with centrally managed IE mode policies, nothing will change - they can continue to configure compatibility mode via Group Policy. However, Microsoft reiterates that organizations should accelerate their migration from legacy technologies to take advantage of the security architectures of modern browsers. Those who value security should leave IE switched off.</p>
<p>The decision to restrict access instead of dedicated patches in response to acute attacks is remarkable. Apparently, even Microsoft considers Internet Explorer to be unmaintainable and the risk of further zero days to be too high. The fact that a product that has officially been dead for almost three years still serves as an attack vector illustrates the dilemma of backward compatibility: what was intended as a bridge for the transition is becoming a permanent breaking point. Companies that still rely on ActiveX controls in 2025 should take this warning as a final wake-up call.</p>
<p>Found at  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-18120</guid>
                        <pubDate>Wed, 01 Oct 2025 09:41:00 +0200</pubDate>
                        <title>Microsoft releases Windows 11 25H2</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/microsoft-gibt-windows-11-25h2-frei</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3><strong>Major fall update as a small download</strong></h3>
<p>Microsoft has released the annual fall update for all Windows 11 users. The new functions are manageable, but the download is not complicated.</p>
<p>Windows 11 can now be updated to version 25H2. Microsoft has now released the annual fall update of its current PC operating system. New features include support for Wi-Fi 7 in the corporate environment and some AI functions, for example in File Explorer. Users receive the 25H2 update via the conventional Windows update, but Windows 11 25H2 is also available for download as a complete ISO version.</p>
<p>The software company announced Windows 11 25H2 at the end of June, promising that "switching to Windows 11 25H2 is as easy as rebooting". To achieve this, Microsoft is relying on "enablement packages" - small packages that activate program parts that are already installed on the computer but are still unused. This should enable a quick switch to 25H2 and not require any new installations. Settings should also be transferred. At the same time, the download of this actually large update should be less time-consuming and data-intensive.</p>
<h4><strong>25H2 without PowerShell 2 and WMIC, but with AI functions</strong></h4>
<p>As announced at the beginning of July, Microsoft is throwing Windows PowerShell 2.0 overboard. Windows 11 25H2 no longer contains this administrator tool. The WMIC tool (Windows Management Instrumentation Command-Line), which has been classified as obsolete for several years, is also no longer included. What is new, however, is that the snipping tool can record window videos. New selection options for the click-to-do function have also been introduced. The selection can now be made as a free-form selection, as a rectangular selection or by pressing the "Ctrl" key and clicking. The latter makes it possible to select several, even different content types that are to be included in further processing by the AI function.</p>
<p>In its own blog for Windows professionals, Microsoft also lists the introduction of an AI agent for the Windows settings under 25H2 in addition to the click-to-do function. However, these two features are reserved for users of modern PCs that are classified as "Copilot+". The company is also announcing AI functions for File Explorer, but without describing these in more detail.</p>
<h4><strong>Internal improvements against security vulnerabilities</strong></h4>
<p>The 25H2 update also resets the time for security updates. This means that Windows 11 25H2 will receive corresponding patches for the next two years. Microsoft promises this to all its annual Windows updates. 25H2 will also include some under-the-hood optimizations. "Version 25H2 offers significant improvements in build and runtime vulnerability detection and AI-powered secure coding," the Windows blog states. "We developed version 25H2 to address and mitigate security threats while adhering to robust Security Development Lifecycle (SDL) policies and requirements."</p>
<p>Those who have enabled their Windows settings to receive the latest updates as soon as they are available should already be able to receive the 25H2 update for Windows 11. However, if the system detects possible problems with installed applications or incompatibilities with drivers, the update will not be carried out until this has been resolved. At the same time, Microsoft is now also offering Windows 11 25H2 as a complete download for new installations.</p>
<p>Found at  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17765</guid>
                        <pubDate>Thu, 28 Aug 2025 09:12:22 +0200</pubDate>
                        <title>Windows: MS Word now automatically saves to the cloud</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/windows-ms-word-speichert-jetzt-automatisch-in-die-cloud</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>Word for Windows automatically saves newly drafted content to the cloud, where the AI also reads it. There is a remedy.</p>
<p>Microsoft is pushing Office files into the cloud. From now on, content created with  for Windows will automatically end up in the Microsoft cloud Onedrive. Users who do not want this must deactivate automatic saving (autosave). Alternatively, they can specify a different cloud as the automatic storage location in the settings. The settings also offer the very old-fashioned option of using your own computer or a network drive as the location for automatic saving.</p>
<p>If a user starts writing and then closes Word without an explicit save command, Word asks whether the content should remain saved in the cloud or be thrown away. The new default settings take effect immediately in Word for Windows from version 2509 (build 19221.20000). Microsoft plans to introduce the same default settings for Excel for Windows and PowerPoint for Windows later this year.</p>
<h3><strong>The co-pilot is already waiting</strong></h3>
<p>Microsoft's product manager Raul Munoz explains the benefit of automatic saving, namely that work done is less likely to be lost. This can otherwise happen if the program or all of Windows crashes, or if there is a power failure. Saving in the cloud is advantageous if the user, or third parties, want to be able to read and edit the file from other devices.</p>
<p>This also includes Microsoft's artificial intelligence Copilot and its agents. They also have direct access to the files automatically stored on Onedrive. Provided they have the appropriate license, users can then use the AI to evaluate or further edit the file.</p>
<p>Munoz does not provide any information about changes to the default settings for automatic saving in Word for MacOS in his blog post. Instead, he reveals two surprising bugs in Word for Windows: If the start screen display is disabled when Word is launched, the automatic saving of the first file of each session fails. And if a second instance of the program is called up during a running Word session, newly created files are also not saved automatically.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17755</guid>
                        <pubDate>Tue, 26 Aug 2025 11:52:44 +0200</pubDate>
                        <title>Android: Google bans anonymous apps</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/android-google-verbietet-anonyme-apps</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>Google will make sideloading, the direct installation of software on Android devices, impossible in 2026 if the publisher has not registered with Google.</p>
<p>Google is restricting the free use of certified . From fall 2026, only applications whose publisher has previously registered with Google and then signed the respective application can be installed. This has already applied to installations via the Google Play Store since 2023; anonymity will now also be abolished for sideloading, i.e. for programs installed directly on the device without using the Play Store.</p>
<p>Google explicitly does not check the content of the software, for example for malicious code. Nevertheless, Google is presenting the step announced on Monday . It will be implemented through a new, mandatory Android Developer Console specifically for sideloading. Critics suspect a connection with efforts by authorities in several countries to  the . By making registration mandatory, Google is also securing its influence on these data harvests.</p>
<p>From October 2025, selected app developers will be allowed to test the new procedure for Google, and everyone will be able to join in March 2026. In September 2026, sideloading of anonymous apps will become impossible in Brazil, Indonesia, Singapore and Thailand. The rest of the world will gradually follow from 2027.</p>
<h3><strong>Upload photo ID and invoices</strong></h3>
<p> software publishers must provide proof of personal data such as name, address, email address and telephone number, for example by uploading copies of invoices, and in many countries also upload a . For people living in German-speaking countries, Google also stipulates that the photo ID must be issued by an authority in the EEA or Switzerland. Anyone who does not have this is excluded.</p>
<p>Legal entities must also obtain a so-called DUNS number from Dun &amp; Bradstreet (D&amp;B). This can be done free of charge, but takes up to 30 days. In some countries, express processing is possible for a fee, which can still take several working days.</p>
<h3><strong>Consequences</strong></h3>
<p>The registration requirement increases the costs for malware distributors and similar criminals; they will have to buy certificates for the Android Developer Console on the black market. At the same time, registration makes it easier for authorities to prosecute politically undesirable programmers and makes private dabbling less attractive.</p>
<p>There is no mention of an exception for self-written software. The only exceptions are non-certified Android devices, of which there are very few outside the People's Republics of China and North Korea. As soon as any Google service is pre-installed, it is a certified device.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17744</guid>
                        <pubDate>Thu, 21 Aug 2025 11:25:39 +0200</pubDate>
                        <title>New tricks with QR codes</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/neue-tricks-mit-qr-codes</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>QR codes are popular vehicles for criminals to smuggle hyperlinks past security systems to their victims. The ingenuity is great.</p>
<p>Security researchers from Barracuda report new tricks using QR codes. The attacks come via email and bypass many of the security scans commonly used in large companies. If the end user then reads their emails with HTML enabled, they can easily become a victim.</p>
<p>QR codes (quick response codes) are popular with criminals because they can be used to encode hyperlinks that people cannot read. This makes it easier to foist false hyperlinks on people. Under a pretext, the target is tricked into scanning the code; they quickly end up on a website controlled by the attacker. This method is used so frequently to harvest other people's access data (phishing) that there is a separate term for phishing with QR codes: Quishing.</p>
<h3><strong>Separate files together form an image</strong></h3>
<p>An amazingly simple method is to split a misleading QR code into two (or more) parts. These image files are attached to a phishing email, for example. Security systems usually try to evaluate the image files individually, but find nothing useful in the individual QR snippets and let the dangerous message pass.</p>
<p>Using HTML, however, the images can be arranged on the user's device in such a way that they look like a single image - both to the human eye and to the camera of a smartphone. If the target scans the virtually assembled QR code, they are redirected to a fraudulent website where malware or a phishing trap awaits them, for example.</p>
<h3><strong>Nesting</strong></h3>
<p>The idea of nesting two QR codes inside each other has been around for some time. Which of the two codes is then evaluated by a smartphone depends in particular on the distance between the code and the camera. However, an automated security system will try to evaluate the entire thing.</p>
<p>Barracuda has observed attacks with such interlaced QR codes. One hyperlink contained is completely harmless and points to a search engine, for example, while the other link leads to the trap. The attackers rely on the interlaced codes to mislead the security scanners. The split QR codes are a trick used by the Phishing as a Service toolkit Gabagool; the nested QR codes are a method used by the competitor product Tycoon 2FA.</p>
<h3><strong>ASCII code QR</strong></h3>
<p>Back in October, Barracuda reported on clever QR codes that do not come in the form of an image file but are made up of ASCII codes. In addition to letters and punctuation marks, the ASCII code also contains all kinds of other characters, including 32 different "blocks", for example.</p>
<p>These are strung together in a matrix. Combined with a Cascading Style Sheet (CSS), which changes the color of individual ASCII characters and sets them to white, for example, text structures can be created that are recognized by smartphones as QR codes but have passed the security scanner undetected. Alternatively, the white spaces can be composed of protected spaces from the ASCII repertoire.</p>
<h3><strong>Suspicion displayed</strong></h3>
<p>Outside of closed systems, QR codes are always suspicious. We recommend being suspicious of QR codes and only displaying emails as plain text. This may not look so pretty, but it makes a whole range of different monitoring and attack methods more difficult, not just QR code tricks.</p>
<p>Attackers benefit from a special advantage with QR codes: they cannot usually be analyzed with the same device on which they are displayed. Anyone who thinks they need to analyze a QR code displayed on their computer screen will usually reach for their smartphone (although this is not absolutely necessary). And while employers try to use security systems to prevent suspicious URLs from being accessed from work computers, the smartphone used for QR scanning is often private and bypasses the security systems.</p>
<p>This is how phishers achieve uncomfortably high success rates. Unfortunately, anti-phishing training has proven to be largely useless in practice.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17743</guid>
                        <pubDate>Thu, 21 Aug 2025 11:22:49 +0200</pubDate>
                        <title>Security vulnerability puts Apple users at risk</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/sicherheitsluecke-gefaehrdet-apple-nutzer</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Actively exploited security vulnerability puts Apple users at risk</h2>
<p>Emergency updates close an actively exploited vulnerability in iOS, iPadOS and macOS. Users should patch urgently.</p>
<p>Apple has closed a dangerous security vulnerability in iOS, iPadOS and MacOS with an emergency update on August 20. As the company explains in a security announcement, there are indications that the vulnerability is already being exploited as part of an <i>"extremely sophisticated attack on certain individuals"</i>. Users should therefore promptly install the latest security updates to protect themselves against possible attacks.</p>
<p>The vulnerability in question is registered as CVE-2025-43300 and, according to Apple, relates to the image I/O framework, which enables applications to read and write various image file formats. The vulnerability can result in memory corruption if a specially crafted image file is processed.</p>
<p>According to the information provided, this is an out-of-bounds write flaw. Such vulnerabilities can often be exploited to manipulate memory contents such as return addresses and thus interfere with the program flow. The result is possible malicious code execution by the attacker.</p>
<h2>No details known yet</h2>
<p>Apple has not provided any technical details about the security vulnerability or the observed attacks in its announcement. However, this is not unusual. Such information is usually only made available to the public weeks later. This gives users enough time to apply the patches provided before other attackers can exploit the vulnerability for their own purposes.</p>
<p>According to Apple, the problem has been solved by an improved limit check. The patch is distributed via the operating system versions iOS and iPadOS 18.6.2, iPadOS 17.7.10 as well as MacOS Sequoia 15.6.1, Sonoma 14.7.8 and Ventura 13.7.8. Users should update their Apple devices accordingly in order to be protected against the current attacks.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17558</guid>
                        <pubDate>Tue, 01 Jul 2025 10:45:34 +0200</pubDate>
                        <title>Chrome web browser: security vulnerability under attack</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/webbrowser-chrome-sicherheitsluecke-wird-angegriffen</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>ALERT <strong>Chrome web browser: security vulnerability under attack</strong></p>
<p>On Tuesday night, Google made an unplanned update to the Chrome browser. A security vulnerability is already under attack.</p>
<p>Google is distributing an unplanned update for the Chrome web browser - on all supported platforms. The reason for this is a security vulnerability in the browser that is already being actively attacked on the internet.</p>
<p>In the version announcement, the Chrome developers write that the update only contains a security fix. It is a vulnerability of the "Type Confusion" type, in which unexpected data types are passed to parts of the program code. This triggers unexpected behavior, and in this specific case, which affects the JavaScript engine V8, attackers can abuse it for arbitrary read and write access via carefully prepared, malicious websites (CVE-2025-6554 / no EUVD yet, no CVSS, risk <strong>"high"</strong> according to Google).</p>
<h3><strong>Attacked security leak</strong></h3>
<p>Google already distributed countermeasures for all platforms in the stable channel on June 26 through a configuration change. The vulnerability was discovered by the Google Threat Analysis Group on June 25. However, the developers are now closing the vulnerability correctly with code changes. "Google is aware that an exploit for CVE-2025-6554 exists in the wild," the developers also add - meaning the vulnerability is already being abused by malicious actors.</p>
<p>The bug is ironed out in versions Chrome 138.0.7204.63 for Android, 138.0.7204.119 for iOS, 138.0.7204.96 for Linux, 138.0.7204.92/.93 for Mac and finally 138.0.7204.96/.97 for Windows. The developers have also upgraded the extended stable versions to 138.0.7204.93 for macOS and 138.0.7204.97 for Windows.</p>
<h3><strong>Check the current version</strong></h3>
<p>To check whether Chrome is already up to date, users can call up the version dialog. They can do this by clicking on the icon with the three stacked dots to the right of the address bar and then clicking on "Help" and then "About Google Chrome". This may also trigger the update process if the browser is out of date.</p>
<p>On other platforms, the app stores or, under Linux for example, the distribution-specific software management are responsible for updating. As the Chromium code forms the basis for other web browsers such as Microsoft's Edge, these are also likely to distribute updated versions in the near future. Users should then install these quickly.</p>
<p>Google last patched an already attacked vulnerability in Chrome at the beginning of June. The developers also initially mitigated this vulnerability by distributing a configuration change.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17493</guid>
                        <pubDate>Mon, 16 Jun 2025 08:01:20 +0200</pubDate>
                        <title>Denmark: Bye-bye Microsoft?</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/daenemark-bye-bye-microsoft</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3><strong>Farewell by fall: Danish Ministry of Digital Affairs turns its back on Microsoft</strong></h3>
<p>All employees at the Danish Ministry of Digital Affairs are to do without Microsoft. Linux and LibreOffice will be used instead, says the minister.</p>
<p>In the coming months, the Danish Ministry of Digitalization is to completely abandon Microsoft and use Linux instead of Windows and switch from Office 365 to LibreOffice. This was announced by Minister Caroline Stage (Moderaterne) in an interview with the daily newspaper Politiken. This comes just a few days after the country's two largest municipalities initiated similar steps. This summer, half of the ministry's employees will be equipped with Linux and LibreOffice. If everything goes as expected, the entire ministry will be free of Microsoft by the fall, Politiken summarizes.</p><h3><strong>Far too dependent on a few providers</strong></h3>
<p>The Ministry of Digitalization's move away from Microsoft is therefore taking place against the backdrop of a new digitalization strategy in which the Kingdom's "digital sovereignty" is given priority. According to newspaper reports, the opposition is also calling for a reduction in dependence on US tech companies. Just a few days ago, the administration of the capital Copenhagen announced its intention to review the use of Microsoft software. The second largest municipality, Aarhus, has already started to replace Microsoft services. Stage has now told Politiken that they should cooperate and that it is not a race. All municipalities should work together and strengthen open source.</p>
<p>When asked how her ministry would react if the transition was not so easy, Stage replied that they would then simply return to the old system for a transitional period and look for other options: "We won't get any closer to the goal if we don't start." So far, she has only heard from employees who welcome the move. But in her ministry, which is mainly concerned with digitalization, she expects a lot of interest anyway. She also assured them that the initiative is not about Microsoft alone, as they are generally far too dependent on a few providers.</p>
<p>As background for the move, the article also refers to  where an e-mail account operated by Microsoft was disconnected. This caused an uproar throughout Europe. In Denmark, there is also the fact that the new US President Donald Trump has been announcing for weeks that his country wants to take over Greenland. The island in the North Atlantic is a self-governing part of Denmark, and the outrage at Trump's proposal is huge. The desire to reduce dependence on US corporations is therefore apparently even greater there than in the rest of Europe.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17431</guid>
                        <pubDate>Tue, 27 May 2025 17:02:56 +0200</pubDate>
                        <title>Missed the meta AI deadline?</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/meta-ki-frist-verpasst</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3><strong>Meta AI deadline missed: What you can still do now</strong></h3>
<p><strong>Since May 27, Meta has been using public Facebook and Instagram content from adult users in Germany to train its AI models. Anyone who has not actively objected to the use of data by May 26 can no longer have their previous posts excluded. However, residual protection remains possible for new content - under certain conditions.</strong></p>
<p>According to the , an objection can still be lodged after the deadline - but this will only affect content that is published from the time of the objection. Earlier posts, stories, comments or images remain accessible for AI training.</p>
<p>The objection can be made directly online using a form - separately for  and . Prerequisite: You must be logged into the respective account and enter the email address stored there. No justification is required. If your objection is successful, you will receive confirmation by email.</p><p>Figure: You can use a form to prevent Meta from using your data for AI training purposes.</p><ul class="list-normal"><li>You can still object: If you do not want to share future content for AI training, you should object now using the Facebook form or Instagram form.</li><li>Check privacy settings: In the account settings, you can control what is publicly visible - this also reduces the data pool for Meta.</li><li>Post consciously: If you share sensitive information, you should be aware that it can be read by the AI if it is public.</li></ul><p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17430</guid>
                        <pubDate>Tue, 27 May 2025 16:46:58 +0200</pubDate>
                        <title>SPAM: Unknown caller on cell phone</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/unbekannter-anrufer</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3><strong>Unknown callers: you should always ignore these phone numbers</strong></h3>
<p>Calls from unknown numbers often turn out to be spam or advertising. We show you how to recognize in seconds whether the call is trustworthy or not.</p>
<p>Your smartphone rings, an unknown number calls and the person on the phone wants to convince you to invest in shares or change your cell phone contract. In some cases, they hang up as soon as you answer the call.</p>
<p>In most cases, these are unwanted spam calls from fraudsters or dubious companies who want to steal your data or lure you into a cost trap when you call back.</p>
<p>Many newer cell phones now recognize spam calls automatically and show a warning on the display with "potential spam". Advertising calls without explicit permission are not legally permitted in Germany, which is why scammers often change their numbers. It is therefore not always possible for the smartphone to detect dubious callers.</p>
<p>However, with a clever tool, you can quickly find out whether the number calling you is genuine.</p>
<h2>Check spam calls: It works with these tools</h2>
<p>If you are unsure whether a number comes from a call center, you can use free websites. For example:</p><ul class="list-normal"><li></li><li></li></ul><p>There you can simply enter the data and check whether someone else has already been called. In addition to the phone number, you can also view the type of call (advertising, survey, competition, etc.) and decide whether it is worth calling back.</p>
<p>According to the , warnings are issued for the following numbers and their scams, among others:</p><ul class="list-normal"><li>03080098648<br>Caller name: Apotherkerbund<br>Scam: Supposed survey on health with alleged free newspaper subscription as expense allowance.</li><li><strong>+16465535819</strong><br>Caller name: Immobilien Anruf New York<br>Scam: Call center marketing apartments with outdated real estate scout ads.</li><li>022166951483<br>Caller name: EWE Energiezentrale<br>Scam: Supposed energy provider from Cologne trying to sell dubious electricity tariffs.</li><li>01637875622<br>Caller name: Gewinnspiel<br>Fraudulent scam: The callers pretend to have a competition subscription that must be paid for immediately or else it will be extended for another 12 months at a charge.</li><li>069222224635<br>Caller name: Energieportal<br>Scam: Alleged energy company trying to advertise alternative energy sources with cold calls.</li><li>017688854744<br>Caller name: O2<br>Scam: Data fraud and "yes" scam in which bogus contracts are concluded after a "yes" is spoken. The fraudsters pretend to be O2 employees and ask you for your details.</li><li>053120970053<br>Caller name: Law enforcement agency<br>Fraud scam: Those affected are deceived with a computer message claiming to be from Europol (European Police Office). The same number is sometimes used for other scams, e.g. alleged financial and crypto advice.</li></ul><p>Some users claim to have been put under pressure by the spam callers. If you receive a dubious call and are also pressured into signing a contract, you can dispense with the pleasantries. <strong>Simply hang up and block the number</strong>. To warn other people about being ripped off, report the data to Cleverdialer or tellows.</p>
<p><strong>Our advice</strong>: If you receive a call from an unknown number, it is best not to answer it at all. Reputable companies usually leave a message on your mailbox or the number can easily be assigned to a company via Google search.</p>
<p>Found on CHIP.</p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17411</guid>
                        <pubDate>Mon, 26 May 2025 10:04:29 +0200</pubDate>
                        <title>Microsoft: Unscheduled updates</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/microsoft-ausserplanmaessige-updates</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3><strong>Microsoft: Unscheduled updates for Windows Server 2022 and Windows 10</strong></h3>
<p>Microsoft has provided unscheduled updates for Windows Server 2022 and Windows 10. They solve problems with Hyper-V and Bitlocker.</p>
<p>Microsoft has released software updates outside of the usual update intervals for Windows Server 2022 and Windows 10. Some of them correct somewhat more exotic errors, at least some of which originate from the security updates of this year's May Patchday.</p>
<p>At the weekend, Microsoft released an unplanned update for Windows Server 2022. In the Windows Message Center, the company writes that certain confidential virtual machines running in Hyper-V under Windows Server 2022 can suddenly and unexpectedly stop responding or restart. This has an impact on the availability of services and requires manual intervention. This primarily affects Azure Confidential VMs. Microsoft does not expect standard Hyper-V environments to be affected, "except in rare cases where preview or pre-production configurations" are used.</p>
<h3><strong>Out of sequence: Update for Windows Server 2022</strong></h3>
<p>The  upgrades the operating system to version 20348.3695. It is only available in the Windows Update Catalog. Microsoft classifies the update as a non-security update. The developers also recommend using this update if the May security updates have not yet been applied. Those who are not affected by the problem do not need to install the unplanned update.</p>
<p>Earlier last week, Microsoft's developers also released an update outside of the regular cycle, which is intended to fix problems with certain Intel vPro processors with Trusted Execution Technology (TXT) enabled as well as Bitlocker. According to the entry in the Windows Message Center, the security update from May can unexpectedly terminate the "lsass.exe" process in this constellation, which starts the automatic repair function. On devices that use Bitlocker encryption, this leads to a prompt with a forced request for the Bitlocker recovery key.</p>
<h3><strong>Out of the ordinary: Update for Windows 10</strong></h3>
<p>The knowledgebase entry KB5061768 describes the unplanned update for Windows 10 that is intended to solve this problem. It updates the Windows 10 versions to 19044.5856 and 19045.5856 respectively - i.e. is available for Windows 10 21H2 and 22H2; the developers also mention the versions Windows 10 Enterprise LTSC 2021 and Windows 10 IoT Enterprise LTSC 2021. Microsoft is also distributing the update exclusively via the Windows Update Catalog. As Intel vPro tends not to be used in environments that use Windows Home or Pro versions, these are unlikely to be affected by the problem. In organizations where the problem does not occur, the update does not need to be installed, Microsoft's developers also explain.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17410</guid>
                        <pubDate>Fri, 23 May 2025 14:19:06 +0200</pubDate>
                        <title>Database with 184 million access data discovered</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/datenbank-mit-184-millionen-zugangsdaten-entdeckt</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3>Numerous services affected:</h3>
<h4>Database with 184 million login details discovered</h4>
<p>The data leak includes passwords for user accounts at Microsoft, Google, Facebook, Amazon, Apple, Nintendo, Paypal and many more.</p>
<p>A security researcher named Jeremiah Fowler has discovered a huge unsecured database containing login information for more than 184 million online accounts. In his own blog post, the researcher mentions 47.42 GB of access data. It is still unclear exactly where the data came from. It was probably collected by malware or from previous data leaks.</p>
<p>According to Fowler, the database, which has since been taken offline, contained email addresses, usernames, passwords and URLs of the services for which the respective login data is intended. The latter include those from Microsoft, Google, Facebook, Instagram, Snapchat, Roblox, Discord, Netflix, Paypal, Amazon, Apple, Nintendo, Spotify and Wordpress.</p>
<p>According to a report by Wired, Fowler also found access data for banking applications, wallets and government portals from 29 different countries in an extract of 10,000 data records. The passwords were probably available in plain text. Fowler contacted several of those affected and was able to verify that the login data was genuine and that at least some of the passwords were still valid.</p>
<h2>Host intervenes</h2>
<p>The security researcher was unable to determine how long the database had been freely accessible and who exactly owned it. After contacting the hosting provider responsible, World Host Group, the latter immediately took steps to remove the data from the network. However, it remains uncertain whether other actors discovered the database beforehand and accessed the data it contained.</p>
<p>Fowler assumes that the access data was collected by Infostealer malware. However, it is also conceivable that the data originated at least in part from other sources, such as previous data leaks, and was simply collected in a large database by an unknown actor.</p>
<h2>Users should act</h2>
<p>Users who want to protect themselves from possible misuse should regularly check services such as  or the Hasso Plattner Institute's  to see whether their login details are included in known data leaks and change their passwords if necessary. When assigning passwords, care should also be taken to ensure that they are sufficiently complex and are not used more than once.</p>
<p>It is also worth making use of available two-factor authentication (2FA) methods, as a captured password alone is not sufficient to hijack the associated account.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17387</guid>
                        <pubDate>Mon, 19 May 2025 10:58:00 +0200</pubDate>
                        <title>Malicious URL fraud with Unicode</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/boesartiger-url-schwindel-mit-unicode</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3><strong>Malicious URL fraud with Unicode - difficult for reviewers and CIs to detect</strong></h3>
<p>When attackers replace letters in URLs with Unicode characters that look the same, it is difficult to detect. A new CI job provides a remedy.</p>
<p>In his blog, security researcher and curl maintainer Daniel Stenberg has drawn attention to a security problem caused by Unicode fraud that is difficult for reviewers, mergers and CI jobs to detect.</p>
<p>In his blog, Stenberg shows how an attacker replaces a common ASCII character in the code with an almost identical one from the Unicode table. This is not recognizable in the code editor, but results in a different URL, for example, behind which malicious code can be hidden. As an example, the blogger uses an Armenian g.</p>
<p>The number of possible mix-ups is large: the many similar characters can be listed on the Unicode.org website, here in the image using the example from heise.</p>
<h3><strong>Restrict Unicode</strong></h3>
<p>Although the diff view on GitHub shows a changed paragraph in red for the g replaced in the URL, no difference is visible to the human eye and a maintainer may be inclined to simply wave the change through. In contrast, Gitea, which specializes in code review, warns about the nature of the change: "This line has ambiguous unicode characters".</p>
<p>As a countermeasure, Stenberg's Curl project has added a special CI job that checks where Unicode is allowed and where it is not. According to Stenberg, GitHub has also taken on the problem and wants to fix it.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17368</guid>
                        <pubDate>Thu, 15 May 2025 11:46:37 +0200</pubDate>
                        <title>Chrome vulnerability with exploit in the wild</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/chrome-sicherheitsluecke-mit-exploit-in-freier-wildbahn</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>Google developers have discovered security vulnerabilities in their Chrome web browser and released updated software. Attackers from the web can use the gaps to gain unauthorized access to information. An exploit for this vulnerability is already circulating on the web.</p>
<p>In the version announcement, Google's developers explain that they are sealing four security gaps with the updated version. As only two of these have been reported by external IT researchers, Google is only providing snippets of information on these two.</p>
<h3><strong>Google Chrome: Vulnerability with exploit</strong></h3>
<p>One vulnerability is based on insufficient policy enforcement in the "Loader" component of Chrome. The vulnerability entry adds that attackers from the network can use this to leak information across origins with manipulated HTML pages - one website can thus access information from another (CVE-2025-4664 / EUVD-2025-14909, CVSS 4.3, risk <strong>"high"</strong> according to Google, <strong>"medium"</strong> according to CVSS). "Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild," the manufacturer continues.</p>
<p>A second vulnerability affects the Mojo component - used for inter-process communication, for example - which can return incorrect handles under unspecified circumstances. Google does not describe the potential effects in more detail; neither the CVE entry nor the EUVD entry, which generally provides half a sentence more information, is yet publicly available (CVE-2025-4609, no CVSS value, risk <strong>"high"</strong> according to Google). There is no information on the other two vulnerabilities so far, apart from the fact that they exist.</p>
<p>The bug-fixed browser versions are Google Chrome 136.0.7103.125 for Android, 136.0.7103.113 for Linux and 136.0.7103.113/114 for macOS and Windows.</p>
<h3><strong>Do a version check</strong></h3><p>The updated program versions can be installed by calling up the version dialog if the browser is not yet up to date. This can be checked by clicking on the browser menu, which is located behind the icon with the three stacked dots on the right-hand side of the address bar. The further path then goes via "Help" to "About Google Chrome".</p>
<p>Under Linux, the software administration of the distribution used is usually responsible for updating. The security vulnerabilities affect the Chromium base and are therefore also likely to make browsers derived from it, such as Microsoft's Edge, vulnerable. Microsoft usually provides an update for this on Friday. Users should then apply it quickly - this can also be done via the version dialog.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17358</guid>
                        <pubDate>Wed, 14 May 2025 10:00:22 +0200</pubDate>
                        <title>Windows vulnerabilities are actively exploited</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/windows-luecken-werden-aktiv-ausgenutzt</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Patch now: Dangerous Windows vulnerabilities are being actively exploited</h2>
<p>Microsoft warns of five zero-day vulnerabilities in Windows. There are also other dangerous vulnerabilities that allow malicious code to be executed.</p>
<p>Microsoft has once again closed all kinds of security gaps in its products for the May Patchday. This month, these include five vulnerabilities with a high severity level (CVSS between 7.5 and 7.8), which affect all common Windows versions and for which Microsoft has already identified active exploitation. Users and administrators who want to protect their Windows systems should patch them promptly.</p>
<p>Two of the actively exploited vulnerabilities relate to the Windows CLFS driver, one to the DWM Core Library. All three vulnerabilities allow privilege escalation and have a low attack complexity. Attackers with simple user rights can thus gain system rights.</p>
<p>Another vulnerability that is also exploited relates to Microsoft's scripting engine and allows malicious code to be executed remotely. However, the victim must use the Edge browser in IE mode and click on a link provided by the attacker. The fifth vulnerability allows attackers with local access to gain admin rights via a Winsock driver.</p>
<h3>Remote desktop client also vulnerable</h3>
<p>Also worth mentioning are two buffer overflow vulnerabilities in the Windows Remote Desktop client, both with a high severity level (CVSS 8.8). To exploit them, a target must connect via RDP to a server controlled by the attacker; malicious code can then be executed on the victim's computer.</p>
<p>Microsoft has closed a total of 83 security vulnerabilities for the May Patchday. Five of the patches affect the Edge web browser and were taken from the Chromium project. Some gaps relate to Microsoft's Azure cloud platform and Microsoft Office.</p>
<p>Many of the patched Windows vulnerabilities affect not only the desktop versions Windows 10 and 11, but also Windows Server 2008 (R2), 2012 (R2), 2016, 2019, 2022 and 2025. To prevent possible security incidents, users and administrators should apply the available patches as soon as possible.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17349</guid>
                        <pubDate>Fri, 09 May 2025 10:10:00 +0200</pubDate>
                        <title>Remote access Trojan in npm package</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/remote-access-trojaner-in-npm-paket</link>
                        <description></description>
                        <content:encoded><![CDATA[<h4><strong>Remote access Trojan found in npm package with 40,000 weekly downloads</strong></h4>
<p>Attackers had added malicious code to the rand-user-agent package, which is used for automatic tests and web scraping, among other things.</p>
<p>Compromised variants of the "rand-user-agent" package have appeared on npm with a remote access Trojan (RAT) on board. Although the package is marked as deprecated, it is still downloaded a good 40,000 times a week, so anyone who has used it in the past few weeks could have pulled in malicious code. The package generates user agent strings, i.e. the strings that clients such as browsers send to a server. Its publisher, WebScrapingAPI, uses it for web scraping, but it can also serve other purposes such as automated tests or security checks.</p>
<h4><strong>Creeping updates with Trojans</strong></h4>
<p>The last official version 2.0.82 is seven months old, and the publisher WebScrapingAPI has marked the package as deprecated (obsolete). The GitHub repository linked on the npm page no longer exists.</p>
<p>However, Aikido, a company specializing in supply chain security, discovered newly published compromised versions. These introduced malicious code in the dist/index.js file, which was not immediately visible in the preview on npm and was also obfuscated several times.</p>
<p>The code sets up a covert channel to communicate with a command-and-control server (C2) and installs modules in a folder called .node_modules. The client then sends an ID and information about the client operating system used to the server, among other things.</p>
<h4><strong>Windows receives a supposed Python path entry as an extra</strong></h4>
<p>In addition, the initialization script creates a new folder under Windows and adds it to the start of the <code>PATH</code> environment variable. The folder name Python3127 is intended to suggest an official folder for the programming language, so that the malicious files masquerade as Python tooling and may be invoked in place of, or by, a legitimate Python installation.</p>
<p>The compromised packages have since been removed from npm. They had the version numbers 2.0.83, 2.0.84 and 1.0.110. Anyone who has used the package in recent months should check whether malicious code is present on the computer or whether communication with the C2 server has taken place.</p>
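<p>The following Python script is an added example for the check recommended above; it is not code from the original article or from Aikido. It scans an npm lockfile for the three trojanized versions named in the advisory and inspects a PATH value for the Python3127 decoy folder. The lockfile, the host name alice and the PATH value are constructed for the example; in real use, load package-lock.json from the project and pass os.environ["PATH"].</p>

```python
import json
import os

# Indicators of compromise taken from the advisory above: the trojanized
# versions of rand-user-agent and the decoy folder the malware prepends to PATH.
COMPROMISED_VERSIONS = {"rand-user-agent": {"2.0.83", "2.0.84", "1.0.110"}}
DECOY_PATH_DIR = "Python3127"


def _name_from_lock_key(key):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (lockfile v2/v3 keys)."""
    return key.rsplit("node_modules/", 1)[-1]


def find_compromised(lock):
    """Return [(name, version, location)] for every lockfile entry pinning a trojanized
    version. Handles lockfileVersion 2/3 (flat "packages" map) and v1 (nested "dependencies")."""
    hits = []
    if "packages" in lock:
        for key, meta in lock["packages"].items():
            if not key:  # "" is the root project itself
                continue
            name = meta.get("name") or _name_from_lock_key(key)
            if meta.get("version") in COMPROMISED_VERSIONS.get(name, ()):
                hits.append((name, meta["version"], key))
        return hits

    def walk_v1(deps, prefix):
        for name, meta in deps.items():
            location = prefix + "node_modules/" + name
            if meta.get("version") in COMPROMISED_VERSIONS.get(name, ()):
                hits.append((name, meta["version"], location))
            walk_v1(meta.get("dependencies", {}), location + "/")

    walk_v1(lock.get("dependencies", {}), "")
    return hits


def suspicious_path_entries(path_value, sep=os.pathsep):
    """Return PATH entries whose last directory component is the advisory's decoy name.
    The malware puts its folder at the front of PATH so it wins lookups; for detection
    any position is a finding."""
    found = []
    for entry in path_value.split(sep):
        tail = entry.strip().rstrip("\\/").replace("\\", "/").rsplit("/", 1)[-1]
        if tail == DECOY_PATH_DIR:
            found.append(entry)
    return found


# Constructed sample data (not from a real incident): a v3 lockfile that pins a
# trojanized version, and a Windows PATH with the decoy folder prepended.
SAMPLE_LOCK = json.loads("""{
  "name": "scraper", "lockfileVersion": 3,
  "packages": {
    "": {"name": "scraper", "version": "1.0.0"},
    "node_modules/rand-user-agent": {"version": "2.0.83"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}""")
SAMPLE_PATH = r"C:\Users\alice\AppData\Local\Programs\Python\Python3127;C:\Windows\System32"

if __name__ == "__main__":
    for name, version, where in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {where}")
    for entry in suspicious_path_entries(SAMPLE_PATH, sep=";"):
        print(f"DECOY PATH ENTRY {entry}")
    # Real use: find_compromised(json.load(open("package-lock.json"))) and
    # suspicious_path_entries(os.environ["PATH"])
```

<p>A lockfile hit only proves that the version was resolved at some point; a clean lockfile does not prove a clean machine, because the RAT persists outside node_modules. Treat a PATH hit as a sign of an executed payload and move to host forensics.</p>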
<p>Found at  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17348</guid>
                        <pubDate>Wed, 30 Apr 2025 12:09:42 +0200</pubDate>
                        <title>Airplay devices hackable</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/airplay-geraete-hackbar-1</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2><strong>Millions of Airplay devices hackable via Wi-Fi</strong></h2>
<p>Vulnerable Airplay devices can be completely taken over via the network. Attackers can infiltrate malware and tap into microphones, for example.</p>
<p>Security researchers from Oligo have uncovered several security vulnerabilities in Apple's Airplay protocol and the associated Airplay SDK. This means that not only Apple's own devices are vulnerable, but also those from third-party manufacturers, provided they support Airplay. Attackers can execute malicious code on vulnerable devices via the network, read data and cause crashes.</p>
<p>The researchers summarize the vulnerabilities and the attack vectors enabled by combining them in a blog post under the name Airborne. Devices with Airplay support can be completely taken over by attackers who are on the same wireless local network as the target device.</p>
<p>The compromised devices can then serve as a starting point for attacks on other devices in the same network. Thanks to two zero-click vulnerabilities, CVE-2025-24252 and CVE-2025-24132, this should even work without any user interaction, so it should be possible to build wormable malware that automatically infects other Airplay devices within range.</p>
<h2>Carplay is also vulnerable</h2>
<p>In total, the Oligo researchers say they reported 23 security vulnerabilities to Apple in connection with Airplay, 17 of which have been assigned a CVE identifier. Some of these allow remote code execution (RCE), which the researchers demonstrate on YouTube using, among other things, an Airplay-enabled speaker from Bose.</p>
<p>After the attack, an image injected by the researchers appears on the display of this speaker. However, an attacker should also be able to use the same method to play their own music or tap into the microphones built into the device in order to eavesdrop on conversations taking place near the speaker. The same attack vector probably also works in cars with Carplay systems.</p>
<h2>Millions of devices affected</h2>
<p>The security researchers assume that the discovered vulnerabilities affect not only Apple devices such as the iPhone, Mac or Apple TV, but also tens of millions of third-party devices. The researchers also point out that Carplay, which is also affected, is used in more than 800 different vehicle models worldwide.</p>
<p>Apple itself has already provided an updated Airplay SDK that closes the discovered security gaps. Against this background, users are advised to update the operating software of their devices to the latest version. However, it is difficult to estimate the availability of patches for third-party devices given the enormous variety of manufacturers and models.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17345</guid>
                        <pubDate>Thu, 10 Apr 2025 14:55:00 +0200</pubDate>
                        <title>CCC demands emergency brake for the surveillance catalog in the coalition agreement</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/ccc-fordert-notbremse-fuer-den-ueberwachungskatalog-im-koalitionsvertrag-1</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>CCC calls for emergency brake on the surveillance catalog in the coalition agreement</h2><div class="abstract"><p>CDU, CSU and SPD drop all inhibitions. They are planning mass surveillance on three levels at once: Telecommunications, license plate and biometric data. The old and new huge piles of data are to be combed through with "automated data research and analysis". State hacking is also to be expanded.</p></div><div class="body"><p>The coalition agreement that the black-black-red government wants to conclude is so full of surveillance plans that every individual will be affected. Whether you communicate online, drive a car or post photos of faces online: All of this is to be recorded on a massive scale and analyzed if necessary.</p>
<p>And it's not just the mass surveillance and expansion of the use of state Trojans that is to come, the Christian Democrats and Social Democrats also want a paradigm shift: informational self-determination is to be put to the stake, data use and all the "AI" nonsense is to be given priority.</p>
<p>The government-to-be is throwing overboard a concept that has so far been able to offer us some protection from the most disgusting effects of surveillance capitalism. However, informational self-determination is a fundamental right and is not even up for discussion for free-wheeling surveillance believers who are oblivious to history. We must remind them of this.</p>
<h3>The planned surveillance list</h3><ul class="list-normal"><li><strong>Data retention</strong>: All IP addresses and port numbers of all people are to be stored for three months without cause.</li><li>"Source tapping" is being expanded: This is the <strong>state trojan</strong> that monitors communications. The federal police will now also be allowed to hack.</li><li><strong>Mass biometrics</strong>: A "biometric comparison with publicly accessible internet data" is planned, also "using artificial intelligence" (WTF?). The type of body data is undefined; face, voice, DNA are conceivable. In addition, "remote biometric identification" is permitted.</li><li><strong>Grid search</strong>: An "automated data search and analysis" is to be created for the data dumps of police forces and secret services. Hesse, North Rhine-Westphalia and Bavaria use software from the US company Palantir for this purpose.</li><li>People "with psychological abnormalities" are to be screened for their potential risk of violence and are to be subject to "inter-agency risk management". CDU-Linnemann called it the <strong>register for the mentally ill</strong>.</li><li>Even more <strong>surveillance capitalism</strong>: we are to be handed a "culture of data use and data sharing that establishes a data economy". The right to informational self-determination would become a joke.</li><li>Automated <strong>license plate reading systems</strong> are to record vehicle license plates.</li><li>More <strong>video surveillance</strong>, wherever crime is to be combated with lots of cameras instead of sensible measures.</li><li>Even more <strong>secret service data exchange</strong> with even less control.</li><li>The government wants to expand what it misleadingly calls <strong>"active cyber defense"</strong>. Hacking back is not a defense, but an attack.</li></ul><p>If this list doesn't put you in a bad mood, you can't be helped. The CDU, CSU and SPD seem to have learned nothing from decades of established supreme court case law. They are not only sticking to their stubborn insistence on data retention, but are also planning further mass data collection of innocent people without cause.</p>
<p>This draft coalition agreement shows that the waffling phrases about "sovereignty" in the context of "digitalization" are mere window dressing. This is obviously only supposed to exist for US tech companies: With the mantra of mutating us into an "AI nation", the coalition is already sinking to its knees before the new machine landlords as a precaution, with shadow intelligence services such as Palantir included.</p>
<p>As a result, the paper delivers a dictatorship cutlery set, turnkey and tailor-made. The successor government is already licking its repressive claws.</p>
<p>The members of the SPD still have the chance to pull the emergency brake and prevent the dismantling of important basic rights. We therefore appeal to the Social Democrats: Do not vote for this watch list!</p>
<p><strong>Links</strong>:</p>
<p>Draft of the coalition agreement between the CDU, CSU and SPD in the 21st legislative period: https: </p>
<p>Found on  </p></div>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17347</guid>
                        <pubDate>Wed, 09 Apr 2025 15:02:00 +0200</pubDate>
                        <title>Attacks on Windows observed</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/attacken-auf-windows-beobachtet-1</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2><strong>Patchday: Attacks on Windows observed, attackers with system rights</strong></h2>
<p>Microsoft has released important security patches for Azure, Bitlocker and Kerberos, among others, via Windows Update.</p>
<p>Attackers are currently targeting Windows 10/11 and various Windows Server versions. The extent of the attacks is currently unclear. Admins should quickly ensure that Windows Update is active and that PCs are up to date.</p><h3><strong>No updates for Windows 10 yet</strong></h3>
<p>The exploited vulnerability (CVE-2025-29824, <strong>"high"</strong>) affects the Windows Common Log File System (CLFS) driver. Not much information about the vulnerability is currently available; what there is suggests that locally authenticated attackers can gain SYSTEM privileges. As it is a memory corruption vulnerability (use-after-free), attackers presumably trigger the error with crafted inputs.</p>
<p>From that position, attackers are likely to execute further malicious code and compromise entire systems. In its advisory on the vulnerability, Microsoft states that the security patches for Windows 10 32-bit and 64-bit are not yet available; it is not yet clear when they will follow.</p>
<h3><strong>Further dangers</strong></h3>
<p>Microsoft classifies several code-execution vulnerabilities as <strong>"critical"</strong>. These include Excel (CVE-2025-27752, <strong>"high"</strong>), Hyper-V (CVE-2025-27491, <strong>"high"</strong>) and Windows Remote Desktop Services (CVE-2025-27480, <strong>"high"</strong>). In the latter case, an attacker only needs to connect to a vulnerable system via RDP and trigger a race condition to push malicious code onto the machine. The Hyper-V updates for Windows 10 will be released at a later date.</p>
<p>There are also patches for Office, SharePoint and Windows Defender. Attackers can use these points to gain unauthorized access to information, trigger DoS states or obtain higher user rights, among other things. Microsoft provides more detailed information on the vulnerabilities in the Security Update Guide.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17344</guid>
                        <pubDate>Fri, 28 Mar 2025 10:02:00 +0100</pubDate>
                        <title>9 types of phishing attacks</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/9-arten-von-phishing-angriffen-1</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>From smishing to whaling:<br>9 types of phishing attacks you should know about</h2>
<p>Phishing is now a household name for many people. But did you know that there are many different types of fraudulent cyber attacks? We'll show you the main types of phishing you should know.</p>
<p>Whether for private individuals or companies: Phishing attacks pose a high risk to data. According to the , phishing is still the biggest digital threat for many people. The Cybersecurity &amp; Infrastructure Security Agency in the USA even estimates that 90 percent of all successful cyberattacks begin with a phishing attack.</p>
<p>Phishing involves people being contacted online by cyber criminals. They pretend to be an important contact or a company that the person is dealing with. This can range from close friends and superiors to banks and online retailers. The aim of the phishing messages is to simulate a situation that is as urgent as possible and to force people to act quickly. They are then asked to enter and send sensitive data in a hurry.</p>
<p>This data ends up with the cybercriminals. In this way, they gain access to accounts, mailboxes or even internal company structures. Cyber criminals have now come up with a number of ways and means to deceive us. We reveal the most important types of phishing so that you can better protect yourself against them.</p><div class="c-article__headline"><h2>1. Email phishing</h2></div><p>The classic phishing attack targets a wide range of internet users. Cyber criminals send messages in the name of various organizations to email addresses that they have often bought on the darknet, where addresses end up through leaks or hacking attacks. The messages claim, for example, that your bank account or your account with a company has been blocked, and that all you have to do to unblock it is enter sensitive data in a form. Attackers often disguise their sender address so that recipients believe the message genuinely comes from the company. It is usually enough not to reply to the email and instead log into the associated account directly; if there are no visible problems there, you can still contact support.</p><div class="c-article__headline"><h2>2. Spear phishing</h2></div><p>Spear phishing basically works like classic phishing. The difference is that the cybercriminals only target a particularly small group of people, such as all employees of a company or only certain departments such as IT staff. The attackers are usually after sensitive company data, or access to entire systems.</p><div class="c-article__headline"><h2>3. Whaling</h2></div><p>Whaling is an even more targeted variant of spear phishing. Instead of contacting a specific group within an organization, the cybercriminals target its most important people, such as CEOs or other employees with access to all of the company's data. A successful whaling attack is often followed by further attacks: with access to a CEO's mailbox, the attackers can flood the entire company with genuine-looking phishing emails.</p><div class="c-article__headline"><h2>4. Vishing</h2></div><p>Vishing is also a subtype of phishing, but differs primarily in the channel of the attack: instead of emailing, the cybercriminals call their potential targets. The name is a combination of "voice" and "phishing". The attackers may pretend to be from a company such as Microsoft and claim there is a problem with the target's PC. Calls from supposed bank employees are also common, as these vishing attacks give quick access to account data.</p><div class="c-article__headline"><h2>5. Smishing</h2></div><p>Smishing likewise differs in the channel on which the attack takes place. The term is short for SMS phishing: the fraudulent messages are sent via SMS or messenger services such as WhatsApp. With messengers in particular, the fraudsters often try to take over your account by asking you for a code while pretending to be one of your contacts.</p><div class="c-article__headline"><h2>6. Clone phishing</h2></div><p>With clone phishing, the attackers usually already have access to a specific email account of a private individual or company. Rather than having to craft messages that look particularly genuine, they simply intercept real emails and copy them. The original is deleted, and in the copy only a link is changed. For example, you might receive an email from your colleagues about the latest quarterly report with a link to a Google Doc. The malicious link does not lead to the document, but to a page that captures your login data or downloads malware.</p><div class="c-article__headline"><h2>7. Angler phishing</h2></div><p>Angler phishing makes use of social media platforms. Cyber criminals create fake accounts modeled on those of well-known companies or celebrities. They then contact private individuals directly, reply to their comments or like their posts, and in this way build trust. This is particularly damaging when the attackers pose as customer support: they send links to supposed support websites with possible solutions that in reality either capture sensitive data or infect the target's devices with malware.</p><div class="c-article__headline"><h2>8. Pharming</h2></div><p>In pharming, the attackers manipulate access to websites. To achieve this, malware is usually loaded onto the target's device by other means. When websites are accessed, the malware manipulates the redirection and leads users to fake pages. All the data that users then enter on such a page ends up with the cybercriminals.</p><div class="c-article__headline"><h2>9. Evil twin phishing</h2></div><p>The "evil twin" in evil twin phishing is a copy of a Wi-Fi access point. In a café with public Wi-Fi, for example, attackers can create a hotspot on their own device and give it a similar name. Unlike the real access point, these hotspots are often unprotected, so users connect to them without any obstacle. Because the connection then goes directly through the attackers' device, a lot of data can be siphoned from your devices.</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17346</guid>
                        <pubDate>Wed, 26 Mar 2025 14:59:00 +0100</pubDate>
                        <title>Zero-day security vulnerability in Chrome</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/zero-day-sicherheitsluecke-in-chrome-1</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2><strong>Update now! Zero-day security vulnerability in Chrome is under attack</strong></h2>
<p>Google has released an update for the Chrome web browser. It closes a zero-day vulnerability that is already under attack.</p>
<p>Google released an update for the Chrome web browser on Wednesday night. It plugs a zero-day security vulnerability that attackers are already abusing in the wild. Anyone using Chrome should quickly check whether the bug-fixed version is already installed and active.</p>
<p>In the version announcement, Google's developers write that under unspecified circumstances Chrome on Windows provides an incorrect handle in the Mojo component, which implements inter-process communication (CVE-2025-2783, no CVSS, risk <strong>"high"</strong> according to Google). A handle grants access to a resource; here it grants access to the wrong one, which attackers can abuse, and they are already doing so, as Google notes in the same announcement: "Google is aware of reports that an exploit for CVE-2025-2783 exists in the wild".</p>
<h3><strong>Abused zero-day vulnerability discovered by Kaspersky</strong></h3>
<p>The attacked zero-day vulnerability was discovered by IT researchers from Kaspersky. In a blog post, they describe the observed attacks of the "Operation ForumTroll" APT. According to the article, the attack begins with a phishing email purporting to be an invitation to an event of the International Economic and Political Science Forum, with links to a program and a registration form. Both links, however, lead to a malware infection of the Chrome web browser under Windows without any further interaction on the part of the victim.</p>
<p>Kaspersky is not yet willing to explain the details of the vulnerability, but describes the flaw as a logic error between Chrome and the Windows operating system that allows Chrome's sandbox protection to be bypassed. The observed attacks were directed in particular against Russian media representatives, employees of educational institutions and government organizations. Kaspersky assumes that the attackers want to spy on the victims. The links from the phishing emails are currently no longer active, but attackers can use the exploit elsewhere at any time.</p>
<p>The current bug-fixed versions are Chrome 134.0.6998.177/.178 for Windows. The extended stable version is 134.0.6998.178 for Windows, which is the same as the fixed version.</p>
<h3><strong>Version check</strong></h3><p>The version dialog reveals whether Chrome is already up to date. It opens from the browser menu behind the three stacked dots to the right of the address bar, via "Help" and then "About Google Chrome". If the update has not yet been installed, the dialog offers it and then the browser restart required to activate the new software.</p>
<p>Under Linux, the software management of the distribution used usually carries out the update - however, as the vulnerability occurs under Windows, an update is not urgent here. Other Chromium-based web browsers such as Microsoft Edge are also likely to provide an update shortly, which users should also apply promptly.</p>
<p>Exactly one week ago, Google released an important update for the Chrome browser. It patched a security vulnerability classified as a critical risk.</p>
<p>Found at https://www.heise.de/news/Jetzt-updaten-Zero-Day-Sicherheitsluecke-in-Chrome-wird-angegriffen-10328773.html</p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17342</guid>
                        <pubDate>Fri, 14 Mar 2025 13:33:31 +0100</pubDate>
                        <title>Zoom apps can serve as a springboard for attackers</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/zoom-apps-koennen-angreifern-als-sprungbrett-dienen-1</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3><strong>Security updates: Zoom apps can serve as a springboard for attackers</strong></h3>
<p>Zoom Rooms Controller, Workplace &amp; Co. are vulnerable under various operating systems.</p>
<p>Attackers can exploit security vulnerabilities in Zoom Meetings SDK, Rooms Client, Rooms Controller, Workplace App, Workplace Desktop App and Workplace VDI Client. If attacks succeed, the attackers end up with higher user rights. Updated editions close the vulnerabilities.</p><h3><strong>Install security updates</strong></h3>
<p>Updates are available for the threatened applications. So far, there have been no reports of attackers exploiting the vulnerabilities.</p>
<p>If attackers have network access and are authenticated, they can use one vulnerability (CVE-2025-0151, <strong>"high"</strong>), for example, to elevate their rights. How such an attack works in detail is not yet known.</p>
<p>Attackers can also provoke crashes via DoS attacks (CVE-2025-0150, <strong>"high"</strong>). The operating systems Android, iOS, Linux, macOS and Windows are affected. Admins should ensure that the latest versions, which are protected against the attacks described, are installed. These can be found on the Zoom website.</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17343</guid>
                        <pubDate>Thu, 27 Feb 2025 13:37:00 +0100</pubDate>
                        <title>Security vulnerability in Libreoffice puts Windows users at risk</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/sicherheitsluecke-in-libreoffice-gefaehrdet-windows-nutzer-1</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3>Vulnerability in Libreoffice puts Windows users at risk</h3>
<p>Attackers can potentially execute malicious code in Libreoffice on Windows using specially crafted hyperlinks in documents.</p>
<p>There is a vulnerability in the widely used free office suite Libreoffice that allows attackers to execute malicious code on third-party Windows systems. All that is required is to open a specially crafted hyperlink in a document on the target system. The vulnerability is registered as CVE-2025-0514 and has a high severity level with a CVSS value of 7.2.</p>
<p>Libreoffice has a function that allows hyperlinks to be opened directly with one click while holding down the Ctrl key. As the developers of the office suite explain, the respective link is handed to the ShellExecute function of the Windows operating system.</p>
<p>Links to executable files are blocked by Libreoffice so that the mere opening of a link cannot lead to potentially dangerous code execution. However, CVE-2025-0514 may allow the mechanism responsible for this to be bypassed, for example to execute malware.</p>
<h2>A patch is available</h2>
<p>According to the security report, the vulnerability can be exploited using special non-file URLs, which ShellExecute interprets as Windows file paths. However, the Libreoffice developers do not explain what these URLs look like in detail. According to the information, Libreoffice versions 24.8.0 up to and including 24.8.4 are affected.</p>
<p>The vulnerability has been closed with an update. Users are advised to update the office suite promptly in order to protect themselves against possible attacks. The latest version can be downloaded from the Libreoffice website. The developers do not provide any information about whether the newer Libreoffice 25.2 is affected.</p>
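<p>Both this advisory and the Chrome zero-day advisory above boil down to the same question: is an installed version inside the affected range, or at least at the fixed version? The Python script below is an added example, not code from the original articles or from the Libreoffice or Chrome projects. It encodes the two thresholds stated on this page (Chrome on Windows fixed from 134.0.6998.177; Libreoffice 24.8.0 through 24.8.4 affected, with newer releases left as "not covered" because the advisory does not say) and runs them over a constructed inventory of host names (pc-01 to pc-06) that are not real systems. The comparison is numeric per component, which is the pitfall the example is meant to show: as plain strings, "134.0.6998.98" sorts above "134.0.6998.177".</p>

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(s):
    """'134.0.6998.177' -> (134, 0, 6998, 177).
    Comparing as strings would rank '134.0.6998.98' above '134.0.6998.177'."""
    s = s.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", s):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in s.split("."))


def compare(a, b):
    """-1, 0 or 1; shorter tuples are zero-padded so that 24.8 == 24.8.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


@dataclass(frozen=True)
class Rule:
    product: str
    advisory: str
    fixed_from: Optional[str] = None              # first fixed version, if the advisory names one
    affected: Tuple[Tuple[str, str], ...] = ()    # inclusive (low, high) ranges, if it lists ranges


# Thresholds exactly as stated in the two advisories on this page.
RULES = {
    r.product: r for r in (
        Rule("Google Chrome (Windows)", "CVE-2025-2783", fixed_from="134.0.6998.177"),
        Rule("LibreOffice (Windows)", "CVE-2025-0514", affected=(("24.8.0", "24.8.4"),)),
    )
}


def assess(product, version):
    """'vulnerable', 'patched', 'not covered by advisory' or 'no rule' for one installed version."""
    rule = RULES.get(product)
    if rule is None:
        return "no rule"
    v = parse_version(version)
    if rule.fixed_from is not None:
        # Everything older than the first fixed build is treated as unpatched.
        return "patched" if compare(v, parse_version(rule.fixed_from)) >= 0 else "vulnerable"
    for low, high in rule.affected:
        if compare(v, parse_version(low)) >= 0 and compare(v, parse_version(high)) <= 0:
            return "vulnerable"
    # Outside the listed ranges: the advisory makes no statement, so do not report "patched".
    return "not covered by advisory"


def scan(inventory_csv):
    """Map host -> (product, version, status) for a 'host,product,version' CSV."""
    result = {}
    for host, product, version in csv.reader(io.StringIO(inventory_csv.strip())):
        result[host] = (product, version, assess(product, version))
    return result


# Constructed sample inventory (hosts are not real); versions chosen around the thresholds.
SAMPLE_INVENTORY = """
pc-01,Google Chrome (Windows),134.0.6998.98
pc-02,Google Chrome (Windows),134.0.6998.177
pc-03,Google Chrome (Windows),134.0.6998.178
pc-04,LibreOffice (Windows),24.8.4
pc-05,LibreOffice (Windows),24.8.5
pc-06,LibreOffice (Windows),25.2.0
"""

if __name__ == "__main__":
    for host, (product, version, status) in scan(SAMPLE_INVENTORY).items():
        print(f"{host:6} {product:26} {version:16} {status}")
```

<p>The tri-state result is deliberate: a version above the listed affected range is reported as "not covered by advisory" rather than "patched", because the Libreoffice report above does not say whether 25.2 is affected, and an inventory script should not invent that answer.</p>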
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17341</guid>
                        <pubDate>Wed, 15 Jan 2025 07:55:00 +0100</pubDate>
                        <title>Electronic patient file open to hackers</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/elektronische-patientenakte-fuer-hacker-offen-1</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>The electronic patient file starts pilot operation today and is to be rolled out nationwide just one month later. This is a bold plan in view of the huge security gaps and the concentrated protests from medical professionals and data protectionists. But the health minister has an ally of distinction: Germany's former chief ethicist Alena Buyx. Even in coronavirus times, she had a soft spot for state power, big pharma and obedient herd animals. And it has stayed that way.</p>
<p>Federal Health Minister Karl Lauterbach (SPD) has to take what and who he can get. Shortly before the launch of the electronic patient file for all (ePA), Alena Buyx has come out as a fan of the project. In an interview with <em>Zeit-Online</em> (behind paywall): "I'm happy about it and won't contradict it." Buyx of all people! In coronavirus times, as Chair of the German Ethics Council, she went along with every politically imposed violation of fundamental rights. She demanded a general vaccination obligation. We had to  because "we know everything about safety" and those who didn't participate didn't deserve solidarity. At least in retrospect, the 47-year-old advocate of values was quite often wrong when it came to the pandemic - to put it mildly. Now she says of the EPA: "There will never be a perfect system, and striving for perfect risk minimization means that something will never be finished." And when asked about the glaring security gaps in the system, she adds: "That doesn't change much for me."</p>
<p>For a very significant group of experts, this changes a great deal. For weeks, players in the healthcare sector have been speaking out again and again - doctors, clinic operators, pharmacists, data protectionists - criticizing the project, casting doubt on it, rejecting it outright or at least arguing for a delay. For example, the Association of Pediatricians and Adolescent Doctors (BVKJ) advises parents to  The Freie Ärzteschaft warns of an "abolition of confidentiality", "deception of patients and doctors" and . The Professional Association of German Psychologists (BDP e.V.) speaks of , stigmatization and therefore incorrect treatments if sensitive data on mental illnesses falls "into the wrong hands".</p>
<p><strong>Thumbs down from the President of the Medical Association</strong></p>
<p>Not least the President of the German Medical Association (BÄK), Klaus Reinhardt, is giving the simulation games a thumbs down. At his association's New Year's conference, he advised consumers not to take advantage of the offer as long as there are risks. At the moment, the  are simply too big. In any case, there is hardly anyone who still gives Lauterbach's "revolution" the thumbs up, apart from the lobbyists of the health and data economy and the so-called medical ethicist Buyx. But the minister is not bothered by the massive criticism. At the beginning of the week, <em>web.de</em> asked him whether he could recommend the ePA with a clear conscience. Answer:  citizens' data "is safe from hackers".</p>
<p>Really? Before the turn of the year, IT specialists from the Chaos Computer Club (CCC) demonstrated at its annual congress how it is possible to access already stored ePA data with little effort and in various ways, completely without the health card of the person concerned. As things stand, this will be possible in future for all 70 million files. But while the security researchers were "digging through the ePA, the security concept was read by an AI at the Fraunhofer Institute and found to be 'secure' with minor flaws", according to a  from the association. The procedure can only "raise eyebrows" and the happy statement that the ePA for everyone is secure must be regarded as a "hallucinated misdiagnosis".</p>
<p><strong>Outrageous potential for blackmail</strong></p>
<p>The Minister of Health also later played down the CCC's findings to a . The Association of Independent Doctors reads things quite differently, accusing Lauterbach and the responsible National Agency for Digital Medicine (gematik) of "irresponsible obfuscation tactics". What deputy federal chairwoman Silke Lüder said in a  on Monday is revealing. "The medical data is not stored on the card, but in the cloud at the companies IBM and Rise - in plain text, not even end-to-end encrypted." The access key is "simply the insurance card", without checking whether the card has been issued to the right person. All that is needed is the name, insurance number and date of birth of the insured person, then the card is delivered to practically any address. "As the new version of the ePA 3.0 has also done away with the associated PIN number, it will be very easy to access the entire medical history with any card in future," says Lüder. Two-factor authentication is used for every online banking action, "only the most sensitive data we have does not have this security".</p>
<p>"At least as serious" for association head Wieland Dietrich are "possible illegal accesses" by practically all professional groups in the healthcare sector. In total, around two million people are entitled to access. "That's unacceptable." Any employee of a pharmacy or pedicure practice, for example, can see whether the patient has erectile dysfunction, psychological problems or a sexually transmitted disease after swiping the card. "The potential for blackmail is outrageous," says Dietrich, who insists "that this dangerous project be stopped immediately in its current form", and continues: "As doctors, we are to be forced by the state, under threat of financial penalties, to effectively make our patients' medical records public. That borders on coercion."</p>
<p><strong>Profiteers before the raid</strong></p>
<p>Coercion is the defining motive of the entire undertaking. On November 20, <em>NachDenkSeiten</em> published an article . The ePA has been around for four years, but was a slow seller. Hardly anyone wanted it. Now those with statutory health insurance are being forced into their "happiness". It will be set up automatically for everyone, unless they actively object according to the so-called opt-out model. However, very few people do this out of ignorance or convenience. According to the major health insurance companies, the number of refusals is negligible.</p>
<p>The main beneficiaries will be the large pharmaceutical companies, who hope to gain lucrative, but often useless innovations from the change. The main reason why the German healthcare system is so expensive is that it is  and relies on costly medical devices, often pointless operations and a sea of drugs with dubious effects. The ePA promises completely new possibilities in this respect. In future, the data stored in it will be made available to research, both public and private. However, according to the law, the data will only be pseudonymized and not anonymized. Experts complain that this would make it very difficult to assign the information to the relevant individual. This opens the door to possible misuse and practically programs scenarios in which insurers, criminals, security authorities and secret services also gain access.</p>
<p><strong>A Like from Facebook</strong></p>
<p>Powerful IT companies should also be able to make free use of the technology. At the Digital Health Conference in Berlin at the end of November, Lauterbach enthused about the huge and valuable treasure trove of data that the project would unearth and store at the Federal Research Data Center (FDZ). All the tech giants are interested in using it to train their AI systems and build "generative AI".  and Israel has been consulted, the minister noted. He has other breakthroughs in mind, such as in the field of telemedicine. In future, patients could be treated via video link and doctors could "view all findings directly and decide whether the patient needs to come to the practice after all". He believes that this could save "up to a third" of the one billion doctor-patient contacts.</p>
<p>That fits. As has been reported several times, Lauterbach's recently approved major hospital reform amounts to a radical . The accelerated digitalization of medicine and the associated ePA are also intended to promote this by "relieving" emergency outpatient clinics, for example. The fact that these are often visited prematurely and wrongly is an obvious grievance. However, the hospital reform will not improve the situation of emergency departments. On the contrary, they are being dismantled on a large scale, as are . In the aforementioned interview with <em>web.de</em>, the SPD politician very impressively exposes his very limited understanding of medicine at one point. Nothing would influence the "costs and quality of our healthcare system more than functioning preventive care", he stated very accurately. But then his example: "Half of people with high blood pressure in Germany are still not being treated with medication." Measures to keep people healthy at a younger age, more exercise, sport and better eating do not even occur to Lauterbach.</p>
<p><strong>Shrivel banana software</strong></p>
<p>Today, Wednesday, the "ePA for all" enters the pilot phase. The system will initially be tested for suitability in practice in three model regions in North Rhine-Westphalia, Franconia (Bavaria) and Hamburg and with around 270 service providers. Critics have coined the term "deep green shrivel banana software" for the project. According to those responsible, this should only gradually mature during operation - despite all the dangers and uncertainties. The nationwide rollout will only start "once mass data misuse has been technically ruled out", assures Lauterbach. "I can assure you of that." At the same time, however, he does not want to question the announced date of February 15, no doubt also out of concern that the imminent change of government could throw a spanner in the works for him and his clients.</p>
<p>The former chief ethicist and recipient of the Order of Merit of the Federal Republic of Germany, Buyx, is of course supporting the project. "It makes sense to get the project on the road now and at the same time build up further security structures if they prove necessary" - in other words, if the baby has fallen into the well ... In the UK, for example,  from patients surfaced on the darknet on a large scale last year. In the USA, the  - insurance information, medical documents, payment data and social security numbers - fell into the hands of hackers almost a year ago. The attackers exploited a security vulnerability at Change Healthcare, the largest payment service provider in the healthcare sector.</p>
<p>But in Germany, everything is under control and a health minister with an affinity for Big Pharma wants to plug a huge security hole in just one month. Better not rely on it. You can still object to the ePA, even retrospectively. Atexplains how to do this.</p>
<p>Found at  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17340</guid>
                        <pubDate>Mon, 13 Jan 2025 10:20:00 +0100</pubDate>
                        <title>Forced update for Windows 10: Controversial software lands on millions of German PCs</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/zwangs-update-fuer-windows-10-umstrittene-software-landet-auf-millionen-deutschen-pcs-1</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>The new Outlook</h2>
<p>From February 11, 2025, Microsoft also wants to distribute the new Outlook together with security updates for Windows 10 - there is no way to prevent this. However, you can remove the mail program at a later date.</p>
<p>Microsoft is migrating millions of systems to . Windows 11 users have  been equipped  and this has not exactly caused great enthusiasm among users.</p>
<p><strong>The main criticism:</strong> the new mailer can't do very much and is rather . Microsoft  that the <strong>new Outlook will soon</strong> be distributed <strong>on Windows 10</strong>. The effective date is <strong>February 11, 2025</strong>, and millions of PCs worldwide will be affected.</p>
<p>In the course of the  in the fall, there are fresh figures on the distribution of Windows 10 in Germany. <strong>Around 32 million PCs in this country</strong> are still said to be running the operating system.</p>
<p>The new Outlook cannot be blocked, as Microsoft delivers it with the monthly security updates. It is not advisable to ignore these updates and it would not help at all. This is because the new Outlook will arrive at the latest when you install security updates.</p>
<p>You have to proceed differently if you don't want the new Outlook.</p>
<p>Install the security updates offered for Windows 10 in February. This will also install the new Outlook, which you simply have to let happen. <strong>Two steps</strong> are now <strong>required</strong> to get rid of the mailer and block a future installation:</p>
<ul class="list-normal">
<li>
<p>In PowerShell, type the command <em>Remove-AppxProvisionedPackage -AllUsers -Online -PackageName (Get-AppxPackage Microsoft.OutlookForWindows).PackageFullName</em>. This will remove the new Outlook.</p>
</li>
<li>
<p>Windows 10 users must now go to the registry branch <em>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator\UScheduler_Oobe\OutlookUpdate</em>. Create a new string there called <em>BlockedOobeUpdaters</em>. Double-click to set the value to <em>MS_Outlook</em>. Complete the action with a Windows restart.</p>
</li>
</ul>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-17339</guid>
                        <pubDate>Mon, 06 Jan 2025 10:05:56 +0100</pubDate>
                        <title>Urgent message: Paypal fraud attempts</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/eil-meldung-paypal-betrugsversuche-1</link>
                        <description></description>
                        <content:encoded><![CDATA[<h5>Fraud attempts via telephone from allegedly Paypal</h5>
<p>An employee of the RHRZ has just said:</p>
<p>"Just received a call (private) with a tape message, allegedly from Paypal. There would be an outstanding payment with amount x. You are asked to press buttons to prevent/allow. Behind this is a scam: </p>
<p>As you should warn friends, relatives, acquaintances, etc., please be vigilant and pass on the information."</p>
<h5>Countermeasures:</h5><ul class="list-normal"> 	<li> 	<p>End the call.</p> 	</li> 	<li> 	<p>Ignore the request to press a button.</p> 	</li> 	<li> 	<p>Never share personal data! Any information can help the perpetrators in future abuses!</p> 	</li> </ul>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-16508</guid>
                        <pubDate>Thu, 12 Dec 2024 13:27:00 +0100</pubDate>
                        <title>Microsoft&#039;s multi-factor authentication cracked</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/microsofts-multi-faktor-authentifizierung-geknackt</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Using brute force:</h2>
<h3>Researchers crack Microsoft's multi-factor authentication</h3>
<p>Parallel sessions enabled the research team to make  incorrect entries. Access was often gained within just one hour.</p>
<p>Security researchers from Oasis Security have found a way to bypass multi-factor authentication (MFA), which Microsoft has implemented for access to services such as Outlook, Onedrive, Teams or the Azure Cloud, with comparatively little time and without any user interaction. As the researchers explain , they carried out a brute force attack on the 6-digit MFA codes that are requested when logging in.</p>
<p>These (Time-based One-time Password) are requested as an additional authentication factor after entering a valid email address and the corresponding user password. Users receive these codes from the respective Authenticator apps that they have linked to the Microsoft login service.</p>
<p>The codes are regenerated on a regular basis, with recommended intervals of 30 seconds in accordance with . As a rule, however, previous TOTP codes are not invalidated immediately after the change, but are accepted for a little longer to compensate for possible time lags and delays. According to the researchers, the total validity period of the individual codes at Microsoft was three minutes.</p>
<h2>Flood of requests with parallel sessions</h2>
<p>The research team explains that up to 10 incorrect entries are permitted per session. However, this limit could be circumvented by creating multiple parallel sessions, so that many input attempts could be made simultaneously. " <em>During this period, account owners received no warning about the large number of failed attempts, making this vulnerability and attack technique dangerously inconspicuous</em>," the report states.</p>
<p>The 6-digit numeric codes have a maximum of one million possible combinations. For their methodology, the researchers determined a probability of three percent of guessing an MFA code within its validity period. With 24 such attacks in succession (duration: around 70 minutes), the probability increases to over 50 percent, according to the data.</p>
<p>The research team claims to have successfully carried out the attack several times. Access was often achieved within just one hour. The researchers reported their observations to Microsoft. According to the report, there was initially a temporary fix in July and a permanent solution since October. According to Oasis Security, Microsoft introduced a <em>"much stricter rate limit"</em>, although no further details are given.</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-16305</guid>
                        <pubDate>Fri, 08 Nov 2024 09:50:00 +0100</pubDate>
                        <title>New Outlook from January 2025</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/neues-outlook-ab-januar-2025</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Microsoft will be distributing the new Outlook to business customers from January</h2>
<p>From January 6, Microsoft will automatically switch business customers from the classic Outlook to the new Outlook. This is likely to cause problems.</p>
<p>Microsoft has announced in the Microsoft 365 Admin Center that from 6 January 2025, customers with Microsoft 365 Business and Premium licenses will automatically switch from classic Outlook to the new Outlook.</p>
<p>In the  (log-in with appropriate access rights required), the company writes that from January 6, users with Microsoft 365 Business Standard and Premium licenses will be switched from classic Outlook to the new Outlook in the following months. Users will be converted once during this rollout, but with the option of triggering the conversion again at a later date. However, those affected should have the option of switching back to classic Outlook.</p>
<h3>Appealing marketing to make the move palatable</h3>
<p>"Our goal with this change is to give users the opportunity to try out the new Outlook, which millions have already done," says Microsoft about the project. "New Outlook gives users the most modern experience with Copilot features, themes and a host of time-saving features like pinning and snoozing emails".</p>
<p>Users will receive a notification in the app before the changeover and will have the option to switch it off in "Options" - "General". Anyone who has already switched over can also choose to switch back. If the New Outlook switch has been hidden by means of guidelines or an unlimited license exists, the changeover will not take place. In the "Admin-Controlled Migration to New Outlook" policy, admins can influence the migration of users. It is not set by default, which means that users can control themselves whether the switch to the new Outlook takes place. The value "1", on the other hand, ensures that the migration is permitted and users cannot intervene, while the value "0" prevents the automatic migration and users cannot change this either.</p>
<p>By setting the registry key NewOutlookMigrationUserSetting as dword:00000001 or 00000000 under the branch HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\outlook\preferences, it should also be possible to implement this locally. Later, the policy will also be available as a Group Policy Object (GPO), as a cloud policy and via Intune.</p>
<h3>Admins need to take action</h3>
<p>IT managers with the listed licenses must therefore take action. The changeover is likely to lead to an increase in user inquiries, and "real" problems are also to be expected. Firstly, there is the lack of support for POP3 or, more importantly, Exchange in the on-premises version. Anyone using a local Exchange server will no longer be able to process emails. A  shows other missing functions, such as shared mailboxes as accounts.</p>
<p>On the other hand, the fact that the new Outlook transfers access data for IMAP accounts to Microsoft's servers, which then copy the emails from the accounts to the Microsoft Cloud, is also likely to weigh heavily. The advertised functions run on the server side and not locally. .pst files are also not yet supported. This could also be a data protection problem for some organizations.</p>
<p>The new Outlook has been causing discontent for some time. Microsoft is constantly trying to win over users for the software. In the Windows clients in the Home and Pro licenses, for example, it is now replacing the previously popular Windows Mail, Calendar and Contacts apps. However, many people do not realize that the new Outlook is essentially a web app that accesses Microsoft's server-side functions and retrieves users' emails via Microsoft servers for this purpose.</p>
<p>Found at </p>
<p>You can also read  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-16245</guid>
                        <pubDate>Fri, 01 Nov 2024 14:30:00 +0100</pubDate>
                        <title>Microsoft cloud data trap?</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/microsoft-cloud-datenfalle</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Computer scientists: Germany falls into the data trap in the Microsoft cloud</h2>
<p>More and more authorities want to use the Microsoft cloud, the German Informatics Society is sounding the alarm. Germany is in danger of ending up "in the golden Microsoft cage".</p>
<p>With the preference of some states and the federal government for Microsoft cloud services, "increasingly sensitive citizen data is also being transferred to the care of the tech company", warn the Presidential Working Group on Digital Sovereignty and the Data Protection and IT Security Working Group of the German Informatics Society (GI). They see "unacceptable risks for Germany's digital independence" and the protection of citizens' and companies' data: "The worrying dependence on Microsoft is not only being cemented, but further expanded."</p>
<p>One trigger for the : according to  including Bavaria, Lower Saxony and North Rhine-Westphalia  introduce the Teams video conferencing system or the complete Microsoft 365 cloud office package in their administration. Federal Chancellor Olaf Scholz (SPD) also recently backed the , which, however, advertises more "sovereignty" than pure US solutions. Such efforts lead the GI to fear that "Germany could soon be trapped in the golden Microsoft cage".</p>
<h3>MI6 chief speaks of "data trap"</h3>
<p>The GI quotes an interview with British intelligence chief Richard Moore from MI6 from 2021. The espionage expert spoke of a "data trap": "If you allow another country to get access to really critical data about your society, that will erode your sovereignty over time." According to the IT experts, the data trap will close in Germany if the plans of some federal states to migrate to the Microsoft cloud are realized.</p>
<p>This has to do with the , the authors explain. It authorizes US authorities to "legitimately access data held in data centers of US service providers outside the USA". The providers are obliged to maintain confidentiality.  2019  auditors referred . Digital monopolies could brutally increase their prices, it continues. A further explosion is to be expected in the administration. The federal government has . A large chunk of this will go to Microsoft.</p>
<h3>Doubts about security and legal compliance</h3>
<p>The GI is pessimistic about . There are also doubts about the legal compliance of awarding contracts of this size without a prior EU-wide tender. Alternative solutions are sufficiently well known and would be preferable for reasons of data protection, IT security and costs. Schleswig-Holstein . "Germany's future must not depend on the arbitrariness of large foreign corporations," emphasize the computer scientists. It is crucial "that we can shape our digital future independently, self-determinedly and securely". The German government must finally implement . The federal states also have a special responsibility here.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-16236</guid>
                        <pubDate>Thu, 31 Oct 2024 09:23:42 +0100</pubDate>
                        <title>Phishing attempts via Microsoft OneDrive</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/phishing-versuche-via-microsoft-one-drive</link>
                        <description></description>
<content:encoded><![CDATA[<p>There is currently a new wave of phishing attempts to obtain passwords from RPTU staff.</p>
<p>The user is asked by e-mail to enter his password in order to open an encrypted file, which in turn is stored in OneDrive - see picture.</p>
<p><strong>PLEASE <em>DO NOT</em> ENTER YOUR PASSWORD!</strong></p>
<p>Please also warn your colleagues about this wave of phishing.</p>
<p>You can report such phishing emails as attachments to antivirus@rptu.de.</p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-16105</guid>
                        <pubDate>Wed, 02 Oct 2024 08:03:10 +0200</pubDate>
                        <title>Windows update preview</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/windows-update-vorschau</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Increased reboot loops and blue screens observed</h2>
<p>The preview of the Windows 11 updates leads to blue screens or reboot loops on some systems.</p>
<p>Anyone who has installed the preview version of the Windows updates for Windows 11 from last week with the KB entry KB5043145 could then experience problems with the system. Reboot loops, blue or green screens may occur as a result.</p>
<p>In the  points out that the company has received reports of problems with the update previews. "Microsoft has received several customer reports of devices rebooting multiple times or becoming unresponsive and displaying a blue or green screen after attempting to install the non-security September 2024 Windows updates," the developers write there.</p>
<h3>Several reports from those affected</h3>
<p>Those affected reported that some devices automatically opened the Automatic Repair Tool after repeated restart attempts. The tool attempts to detect and solve common problems that prevent the device from starting properly. In some cases, Bitlocker recovery could also be triggered.</p>
<p>As Microsoft is still investigating the issues, the developers are asking for feedback via the Feedback Hub to submit a report and more details to help with the analysis. The Feedback Hub can be accessed via a .</p>
<p>Windows 11 22H2 and 23H2, for which the update preview is available, are affected. Microsoft is currently investigating the problem and promises an update if more information becomes available.</p>
<p>Last Friday, the preview of the non-security changes in the upcoming Windows 11 updates was released. They didn't bring too many improvements. One of the highlights Microsoft highlighted was that it will be possible to share local files directly from the taskbar when searching.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-16096</guid>
                        <pubDate>Mon, 30 Sep 2024 14:12:49 +0200</pubDate>
                        <title>Fraud with QR codes Quishing: how to protect yourself</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/betrug-mit-qr-codes-quishing-so-schuetzen-sie-sich</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>The most important facts in brief</h2><ul class="list-normal"> 	<li>New scam from cyber criminals: Fake QR codes</li> 	<li>Be careful with codes sent by post, charging stations for electric cars and on "fake" parking tickets</li> 	<li>Only scan a QR code if you are sure it is genuine</li> </ul><h3>QR code: What is it actually?</h3>
<p>QR is the abbreviation for <strong>Quick Response</strong>. Complex information is displayed in abbreviated form so that users can access it quickly. Barcodes work on the same principle.</p>
<p><strong>Quishing</strong> is a scam in which criminals manipulate QR codes in order to obtain sensitive data such as credit card information.</p>
<h3>Fake letters from banks</h3>
<p>Requests for payment as fraud attempts by e-mail are not new - although rarely with a QR code. Recently, criminals have been sending their text printed out with a QR code and sending it by post.</p>
<p>Be careful when you receive letters from banks. The fake letters often address you as "Dear account holder", but not with your real name.</p>
<p>You can read more information about this scam on the .</p>
<h3>Fake QR codes on electric car charging stations</h3>
<p>Fraudsters cover the real QR codes with fake ones that lead to deceptively genuine websites. Drivers of electric cars who want to pay for their charging process using a QR code at the charging station are unwittingly disclosing their account details.</p>
<p>The , among other things, not to scan a pasted-over QR code. If the charging station has a display, scan the code there. In most cases, charging stations can also be used with an app or charging card from another provider. You do not have to scan an existing QR code.</p>
<h3>Fake parking tickets on the car</h3>
<p>Public order offices in some municipalities or cities offer drivers the opportunity to pay their parking tickets directly. This is done via a QR code. Here too, criminals exploit this method by attaching fake tickets with false QR codes under the windshield wipers of cars. Check the ticket very carefully. Are you unsure whether it is genuine? Then check with the police.</p>
<h2>Protection against quishing</h2><ul class="list-normal"> 	<li><strong>Be vigilant:</strong> Do not scan the QR code without checking it if you are supposed to enter payment details. Be sure to check the Internet address to see if it is the address of your bank.</li> 	<li><strong>Do not open content automatically:</strong> If possible, switch off the function for opening a scanned QR code immediately. Some QR code scanners display the link first: If the source is abroad, this can be an indication of a malicious QR code (for example ".ru"). Caution is also advised with short links, as the actual destination of the link is not displayed.</li> 	<li><strong>Contacting the bank: </strong>Do you doubt that the letter and the QR code on it are genuine? Do not use the contact details given on the letter, but research them yourself.</li> 	<li><strong>General formulations:</strong> Be careful if a letter uses a general form of address ("Dear account holder").</li> 	<li><strong>QR code pasted over: </strong>If the QR code on a charging station is possibly pasted over, do not scan it. If, for example, a charging station has a display, the code should be scanned from there.</li> </ul><p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-16085</guid>
                        <pubDate>Thu, 26 Sep 2024 15:21:42 +0200</pubDate>
                        <title>Teamviewer: High-risk loopholes allow rights to be extended</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/teamviewer-hochriskante-luecken-ermoeglichen-rechteausweitung</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>There are security gaps in the Teamviewer remote maintenance software that allow attackers to extend their rights. Updates close them.</p>
<p>There are high-risk security gaps in the Teamviewer remote maintenance software that allow attackers to extend their rights in the system. The manufacturer released updated software on Tuesday of this week that plugs the security leaks.</p>
<p> the vulnerabilities in a . In the Teamviewer remote clients, attackers can abuse insufficient cryptographic verification of driver installations to escalate their rights and install drivers (CVE-2024-7479, CVE-2024-7481; both CVSS <strong>8.8</strong>, risk <strong>"high"</strong>).</p>
<h3>Teamviewer Remote Full Client and Teamviewer Remote Host affected</h3>
<p>The vulnerabilities affect the TeamViewer_service.exe component in both Teamviewer Remote Host and Teamviewer Remote Full Client, both for Windows.  or newer,  since Tuesday of this week, closes these vulnerabilities.</p>
<p>Affected are the TeamViewer Remote Full Client and Teamviewer Remote Host for Windows in versions prior to 15.58.4, 14.7.48796, 13.2.36225, 12.0.259312 and 11.0.259311. The bug-fixed software versions are available . Anyone using Teamviewer should update as soon as possible.</p>
<p>Teamviewer does not mention any temporary countermeasures. Whether the vulnerabilities are already being abused in the wild also remains unclear. However, they were reported by Trend Micro's Zero Day Initiative as part of a responsible disclosure. Teamviewer does not discuss how to recognize a successful attack.</p>
<p>At the end of June this year, suspected Russian attackers were able to access Teamviewer's internal IT environment. The software itself was not compromised, a spokesperson said at the beginning of July when the results of the investigation into the incident were published. Teamviewer had brought in expertise from Microsoft to investigate the intrusion and respond appropriately.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15802</guid>
                        <pubDate>Thu, 29 Aug 2024 16:02:47 +0200</pubDate>
                        <title>Exploit for critical IPv6 vulnerability in Windows discovered</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/exploit-fuer-kritische-ipv6-luecke-in-windows-aufgetaucht</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Please patch critical IPv6 vulnerability in Windows urgently!</h2>
<p>Attackers can remotely execute  on  using special . An exploit code for this is now publicly available.</p>
<p>On August 13, Microsoft released  that allows attackers to remotely execute malicious code on various Windows systems using specially crafted IPv6 packets without any user interaction. A security researcher known under the pseudonym Ynwarcs has now published  (proof of concept) for this vulnerability .</p>
<p>The vulnerability, registered as  and classified as critical with a CVSS of 9.8, was discovered by a researcher named Wei from the Chinese company Cyber Kunlun.  he declared  that he would not publish any details about the vulnerability for the time being in view of the danger it poses.</p>
<h2>PoC publication was foreseeable</h2>
<p>Microsoft itself certifies that CVE-2024-38063 has a low attack complexity and believes that future exploitation of the vulnerability is likely. It was therefore only a matter of time before someone other than Wei would find a way to exploit the vulnerability. Now that Ynwarcs has succeeded in doing so and the associated exploit code is publicly available, cyberattacks based on the vulnerability are unlikely to be long in coming.</p>
<p>Anyone who wants to protect themselves against such attacks should update their Windows systems immediately if they have not already done so. Patches are not only available for the desktop operating systems Windows 10 and Windows 11, but also for Windows Server 2008 (R2), 2012, 2016, 2019 and 2022.</p>
<p>In the event that the August updates cannot yet be installed, for example due to , Microsoft recommends disabling IPv6 for the time being, if possible, in order to reduce the risk of a successful attack.</p>
<h2>Small change with a big impact</h2>
<p>In its Github repository for CVE-2024-38063, Ynwarcs refers to an , in which further details on the vulnerability can be found. He worked this out on the basis of adjustments that Microsoft had made to the driver file tcpip.sys in order to patch the vulnerability. There were only minor changes to a single function.</p>
<p>Hutchins himself did not publish a PoC, as reliable exploitation of the bug <em>"proved extremely difficult"</em> for him. According to Ynwarcs, the target system must be made to bundle received packets to a certain degree. <em>"Some adapter and driver pairs are very happy to do this, while others seem to be more reluctant</em>," explains the researcher on Github.</p>
<p>Found at </p>
<p>Additional information at  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15702</guid>
                        <pubDate>Thu, 01 Aug 2024 14:23:27 +0200</pubDate>
                        <title>Critical security vulnerability threatens Google Chrome</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/kritische-sicherheitsluecke-bedroht-google-chrome</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3>Critical vulnerability threatens Google Chrome</h3>
<p>Attackers can exploit several vulnerabilities in Chrome to compromise PCs.</p>
<h4>Google's Chrome web browser has been released in a version that is secured against possible attacks.<strong> Users should ensure that the latest version is installed.</strong></h4>
<h3>The threats</h3>
<p> that the developers have closed a <strong>"critical"</strong> vulnerability (CVE-2024-6990), among other things. It affects the Dawn component, which performs calculations on graphics cards via WebGPU.</p>
<p>It is not clear from the warning message how attackers can exploit the vulnerability and what the result of successful attacks is. However, if the vulnerability is classified as critical, it can be assumed that attackers can execute their own commands or even malicious code.</p>
<p>The remaining vulnerabilities (CVE-2024-7255, CVE-2024-7256) are classified as <strong>"high"</strong>. Among other things, malicious code can get onto systems through them.</p>
<h3>Patch now!</h3>
<p>The developers state that they have closed the gaps in Chrome <strong>127.0.6533.88/89</strong> for macOS and Windows and <strong>127.0.6533.88</strong> for Linux. , which are of course no longer present in the current version.</p>
<p>As a rule, updates are installed automatically under macOS and Windows, for example. You can check the installed version under Help/About Google Chrome and trigger a manual update using the three overlapping dots at the top right of the window.</p>
<h3>Look in password-protected archives</h3>
<p>. But for even more in-depth investigations, users have to share data. Chrome can even look into archives that are protected with a password.</p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15700</guid>
                        <pubDate>Tue, 30 Jul 2024 12:40:00 +0200</pubDate>
                        <title>Ransomware attacks on VMware ESXi servers observed</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/ransomware-attacken-auf-vmware-esxi-server-beobachtet</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3>Patch now! Ransomware attacks on VMware ESXi servers observed</h3>
<p>Security researchers warn of ongoing attacks on systems with ESXi hypervisors. This is how ransomware Trojans get onto computers.</p>
<p>Attackers are currently targeting servers with the VMware ESXi hypervisor. If attacks are successful, they elevate themselves to admin status and install ransomware. Security updates are available.</p>
<h3>Admin vulnerability</h3>
<p>. However, they do not specify the extent of the attacks. Several ransomware groups such as Octo Tempest and Storm-0506, which install Trojans such as Akira and Black Basta, are involved. These encrypt data and demand a ransom.</p>
<p>The exploited vulnerability (CVE-2024-37085, <strong>"medium"</strong>) affects VMware ESXi and  claim to have solved the security problem in <strong>version ESXi80U3-24022510</strong>. As a prerequisite for an attack, attackers must already have access to the Active Directory domain to which an ESXi host is joined. If this is the case, they can exploit the gap without further authentication and become the admin.</p>
<h3>The attack</h3>
<p>Microsoft states that it has documented three attack patterns. As ESXi authentication can be bypassed due to the vulnerability, attackers are currently creating the "ESX Admins" group and elevating themselves to admin status. This can be done using the following commands:</p>
<p>net group "ESX Admins" /domain /add</p>
<p>net group "ESX Admins" username /domain /add</p>
<p>Alternatively, attackers can rename an existing group to "ESX Admins". If admins revoke rights from a group, these rights are not immediately removed and attackers can still abuse them. However, according to Microsoft, this method has not yet been observed.</p>
<h3>Protection against attacks</h3>
<p>To protect themselves from attacks, admins must install the security update quickly. They should also restrict access as far as possible so that only selected users have access. In addition to strong passwords, multi-factor authentication (MFA) should also be used. Admins should also keep an eye on the logs at all times so that they can react quickly.</p>
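The "keep an eye on the logs" advice above can be made concrete: the following added example (written for this page, not code from Microsoft or VMware) scans Windows Security log events for a group being created, renamed into, or populated under the name "ESX Admins". The event IDs and EventData field names are the standard Security-Auditing ones as far as the author knows them; the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Windows Security log event IDs that touch group objects:
# 4727/4754 security-enabled group created, 4728/4756 member added,
# 4781 account (including a group) renamed.
GROUP_CREATED = {4727, 4754}
MEMBER_ADDED = {4728, 4756}
ACCOUNT_RENAMED = 4781

# The vulnerable ESXi code trusted this group name alone, regardless of
# which object carried it, so the match is deliberately case-insensitive.
SUSPICIOUS_GROUP = re.compile(r"^\s*esx admins\s*$", re.IGNORECASE)


@dataclass
class Alert:
    event_id: int
    subject: str   # SubjectUserName: who performed the change
    detail: str


def _is_esx_admins(name):
    return bool(name) and SUSPICIOUS_GROUP.match(name) is not None


def scan_group_events(events):
    """Return one Alert per event that creates, renames into, or adds a
    member to a group called 'ESX Admins' (any letter case).
    Each event is a dict of flattened EventData fields plus 'EventID'."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        who = ev.get("SubjectUserName", "?")
        if eid in GROUP_CREATED and _is_esx_admins(ev.get("TargetUserName")):
            alerts.append(Alert(eid, who, f"group created: {ev['TargetUserName']}"))
        elif eid in MEMBER_ADDED and _is_esx_admins(ev.get("TargetUserName")):
            alerts.append(Alert(eid, who,
                                f"member {ev.get('MemberName')} added to {ev['TargetUserName']}"))
        elif eid == ACCOUNT_RENAMED and _is_esx_admins(ev.get("NewTargetUserName")):
            alerts.append(Alert(eid, who,
                                f"renamed {ev.get('OldTargetUserName')} -> {ev['NewTargetUserName']}"))
    return alerts


# Constructed sample events (not real log data). The first three mirror the
# two `net group` commands quoted above and the rename variant.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "j.doe",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"},
    {"EventID": 4728, "SubjectUserName": "j.doe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=j.doe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "m.smith",
     "OldTargetUserName": "Printer Ops", "NewTargetUserName": "esx admins"},
    {"EventID": 4727, "SubjectUserName": "svc-prov",
     "TargetUserName": "Finance Users", "TargetDomainName": "CORP"},
    {"EventID": 4728, "SubjectUserName": "svc-prov", "TargetUserName": "Finance Users",
     "MemberName": "CN=a.b,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for a in scan_group_events(SAMPLE_EVENTS):
        print(f"[{a.event_id}] by {a.subject}: {a.detail}")
```

Feeding the function a JSON export of the Security log (or forwarding the same three event IDs to a SIEM rule) gives an alert before the group is ever used against a host.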
<p>Found at  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15639</guid>
                        <pubDate>Wed, 10 Jul 2024 15:51:00 +0200</pubDate>
                        <title>Security gap in RADIUS</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/sicherheitsluecke-in-radius</link>
                        <description></description>
                        <content:encoded><![CDATA[<h3>Blast-RADIUS: Security vulnerability in the RADIUS network protocol published</h3>
<p>Long-known vulnerabilities can be fatal to the RADIUS protocol, which is used in many networks, especially in the enterprise environment.</p>
<p>Security researchers at two universities in the USA and at Microsoft have published a vulnerability in the RADIUS network authentication protocol (CVE-2024-3596), which allows an attacker to log into a network with arbitrary privileges without knowing the required password. To do this, the attacker must connect as a man-in-the-middle (MITM) between the local and central server of the RADIUS installation, and the installation must not be using the Extensible Authentication Protocol (EAP) for authentication. The researchers have named the new vulnerability Blast-RADIUS.</p>
<p>So far, the attack is more of a theoretical nature, as the researchers have not managed to carry it out in the time that a typical RADIUS installation allows for such an attack. However, this could quickly change if a determined attacker were to use the appropriate hardware resources to speed up the necessary calculations. In order not to make it too easy for any attackers, the researchers have so far kept their specific attack code secret.</p>
<p>The RADIUS protocol is primarily used in the corporate environment to manage devices in large networks - including for LAN and WLAN logins of computers and mobile devices, to manage VPN access and to restrict access to security-critical network infrastructure. Internet service providers use RADIUS to perform logins for DSL, fiber optic and mobile connections. The protocol is also used by Eduroam and OpenRoaming to provide users with dynamic access to WLAN networks. For example, students and university staff with Eduroam access can log their devices into the WLAN at thousands of universities around the world using their home access data. Fortunately, the Blast RADIUS vulnerability does not affect the Eduroam network, as it has long prescribed security precautions that take the wind out of the sails of the current vulnerability.</p>
<h3>Structure of the RADIUS protocol</h3>
<p>A RADIUS installation usually consists of a local server that communicates (usually via the Internet) with a central server that manages all known user accounts in the installation. The server in the local network is referred to as a client or network access server (NAS) in the context of the RADIUS protocol. To log in to a specific network, the network device that wants to log in sends a request with its user name and password to the client. The client then sends this data to the server in a so-called access request.</p>
<p>The server checks the user name and password and then either sends an Access Accept message back to the client or, if the data is incorrect or the user's access to the infrastructure has been revoked, an Access Reject message. The client then allows the device to join the network or not, depending on whether an accept or reject was received. In addition to access to the network, the server also tells the client which privileges the respective device has - i.e. which resources in the network it is allowed to access and how.</p>
<p>Various protocols can be used for authentication between client and server. Some of them use the outdated MD5 hashing algorithm without protective measures against hash collisions. The vulnerability discovered by researchers at Boston University, UC San Diego and Microsoft Research exploits long-known weaknesses in the MD5 algorithm to interfere with and manipulate this communication.</p>
<h3>How the Blast RADIUS attack works</h3>
<p>To carry out the attack, the attacker must place himself in a man-in-the-middle position between the RADIUS client and the RADIUS server. To do this, he must first break any encryption that supports the data traffic between these two locations. Then he enters the network of the RADIUS installation to be attacked with another device and sends the client there a login request with any password. When the client communicates with the server to check this request, the attacker's system in the MITM position intercepts this request.</p>
<p>The attacker then calculates a hash collision using . The researchers have . The calculated hash allows the attacker to forge a matching access-accept message instead of the access-reject message that the server actually sends to the client. The MITM system deletes the reject message and sends the accept message to the client instead. Thanks to the valid hash, the client now thinks that the server has waved the login through. It lets the attacker's network device into the local network. Thanks to this trick, the attacker can not only log in the device, but also assign it any rights in the network - depending on what is provided for in the local RADIUS infrastructure.</p>
<p>According to the researchers, common RADIUS installations use a timeout of 30 to 60 seconds for this authentication process. However, the researchers needed 3 to 6 minutes for their hash collision. However, they assume that the calculation of the corresponding hashes can be significantly accelerated by using graphics cards or field-programmable gate arrays (FPGAs). Exact technical details of the attack can be found on  that the researchers have created for the vulnerability. Proof-of-concept code is not yet available.</p>
<h3>Possible protection</h3>
<p>Users cannot protect themselves from this security vulnerability; network administrators must secure the RADIUS installation themselves. All major RADIUS software manufacturers have already released updates for this purpose, which should be installed as soon as possible. Administrators who can force the message authenticator attribute for all packets in their installation should do so, as this prevents the security gap, according to the researchers. A corresponding change to the RADIUS protocol has been suggested by the researchers and is to be incorporated into an upcoming RFC so that new versions of the RADIUS protocol are secured accordingly by default.</p>
<p><strong>To further increase the security of RADIUS installations, connections between client and server should be secured with modern encryption (such as TLS 1.3). </strong>This makes man-in-the-middle attacks such as the vulnerability described here more difficult. RADIUS installations that use EAP for authentication are, according to the current state of knowledge, not vulnerable via Blast-RADIUS - this is the case in the Eduroam network or when using WPA-Enterprise, for example.</p>
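To show why forcing the Message-Authenticator attribute closes the gap described above, here is an added example (written for this page, not the researchers' code) of the two checks a RADIUS client can apply to a response: the MD5-based Response Authenticator from RFC 2865, which Blast-RADIUS forges with a collision, and the HMAC-MD5 Message-Authenticator from RFC 2869, which the attacker cannot forge without the shared secret. The shared secret and request authenticator are constructed values, and the collision itself is not reproduced; the "forged" packet is simply built without the attribute to stand in for one whose Response Authenticator happens to verify.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869: HMAC-MD5 over the whole packet


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(data):
    """Inverse of encode_attrs; raises ValueError on a malformed list."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, identifier, request_auth, attrs, secret,
                   with_message_authenticator=True):
    """Server side: build an Access-Accept/Reject answering the request
    whose Request Authenticator is request_auth."""
    attrs = list(attrs)
    if with_message_authenticator:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # zeroed placeholder
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    if with_message_authenticator:
        # HMAC-MD5 keyed with the shared secret over Code, ID, Length, the
        # *Request* Authenticator and the attributes with the MA value zeroed.
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
        body = encode_attrs(attrs)
    # Response Authenticator (RFC 2865): unkeyed MD5 over packet plus secret.
    # This construction is the one Blast-RADIUS attacks with an MD5 collision.
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret, require_message_authenticator):
    """Client side: True only if the response should be trusted."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    body = packet[20:]
    expected_ra = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected_ra, packet[4:20]):
        return False
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        # Only the MD5 Response Authenticator protected this packet.
        # Requiring the attribute is the mitigation the researchers recommend.
        return not require_message_authenticator
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected_mac = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected_mac, macs[0])


def demo():
    """Compare a relaxed client with one that enforces Message-Authenticator."""
    secret = b"constructed-shared-secret"    # constructed, not a deployment value
    request_auth = bytes(range(16))          # stand-in for the client's random nonce
    reply = [(ATTR_REPLY_MESSAGE, b"welcome")]
    genuine = build_response(ACCESS_ACCEPT, 42, request_auth, reply, secret)
    # Stand-in for a forged Accept whose Response Authenticator verifies but
    # which carries no Message-Authenticator (the attacker lacks the secret).
    forged = build_response(ACCESS_ACCEPT, 42, request_auth, reply, secret,
                            with_message_authenticator=False)
    return {
        "genuine/relaxed": verify_response(genuine, request_auth, secret, False),
        "genuine/enforced": verify_response(genuine, request_auth, secret, True),
        "forged/relaxed": verify_response(forged, request_auth, secret, False),
        "forged/enforced": verify_response(forged, request_auth, secret, True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} accepted={ok}")
```

Only the enforcing client rejects the stand-in forgery; both still accept the genuine response, which is why the attribute can be made mandatory without breaking correctly updated servers.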
<p>Found at </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15610</guid>
                        <pubDate>Thu, 04 Jul 2024 11:07:32 +0200</pubDate>
                        <title>Serious gap in SSH, please update promptly!</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/schwerwiegende-luecke-bei-ssh-bitte-zeitnah-updaten</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>On <strong>July 1, 2024</strong>, a <strong>security vulnerability</strong> was published in current versions of the <strong>SSH daemon</strong>. The impact and possible consequences of this are serious, allowing an attacker to gain root rights on vulnerable computers via the network without authentication. For this reason, it is imperative that <strong>the SSH daemon is updated</strong> very <strong>promptly</strong>.</p>
<p class="MsoPlainText"><strong>How do I find out if I need to do something?</strong><br> If you are running a <strong>Linux computer</strong>, whether on the Internet, departmental network, on a laptop and/or server, it is highly likely that an SSH service is also active. As soon as an SSH service is installed, it is highly likely that an update needs to be installed.<br> <br> <strong>Who needs to act:</strong><br> IT admins of the operating organizational unit. Organizational units managed by the RHRZ do not have to act.</p>
<p><strong>What to do:</strong><br> Forward this information to the IT admins in your area and pass on the following information or recommended action. If an affected distribution is used, please install the updated SSH packages immediately. Quote: "Admins should check whether their Linux systems have the latest SSH versions. Both  and  have new packages in stock, Red Hat is still researching, but  suggests that only Red Hat Enterprise Linux 9 is affected, as all other versions of Red Hat Linux come with older OpenSSH versions."</p>
<p>Further information can be found at: </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15560</guid>
                        <pubDate>Mon, 17 Jun 2024 14:54:55 +0200</pubDate>
                        <title>Whistleblower: Microsoft greed for profit instead of security</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/microsoft-profit-gier-statt-sicherheit</link>
                        <description></description>
                        <content:encoded><![CDATA[<h4>Microsoft chose profit over security and left US government vulnerable to Russian hacking, whistleblower says</h4>
<p>Former employee says the software giant dismissed his warnings about a critical flaw for fear of losing government business. Russian hackers later used the vulnerability to penetrate the National Nuclear Security Administration, among others.</p>
<p>Microsoft hired Andrew Harris for his exceptional ability to keep hackers out of the country's most sensitive computer networks. In 2016, Harris worked hard on a mysterious incident where intruders had somehow infiltrated a major US technology company.</p>
<p>The breach troubled Harris for two reasons. First, it involved the company's cloud - a virtual warehouse that typically contains an organization's most sensitive data. Second, the attackers had done it in a way that left hardly any trace.</p>
<p>He retreated to his home office to simulate possible scenarios and stress test the various software products that could have been compromised.</p>
<p>Early on, he focused on a Microsoft application that ensured users had permission to log in to cloud-based programs, the cyber equivalent of an official checking passports at a border. There, after months of research, he found something seriously wrong.</p>
<p>The product, used by millions of people to log in to their work computers, contained a flaw that could allow attackers to impersonate legitimate employees and rifle through victims' "crown jewels" - national security secrets, corporate intellectual property, embarrassing personal emails - all without raising the alarm.</p>
<p>For Harris, who had previously worked for the Department of Defense for nearly seven years, it was a security nightmare. Anyone using the software was exposed, regardless of whether they used Microsoft or another cloud provider like Amazon. But Harris was most concerned about the federal government and the national security implications of his discovery. He pointed out the problem to his colleagues.</p>
<p>They saw it differently, Harris said. The federal government was preparing to invest heavily in cloud computing, and Microsoft wanted the business. Harris recalled a product manager telling him that this security vulnerability could jeopardize the company's opportunities. The financial implications were huge. Microsoft could not only lose a multibillion-dollar deal, but also the race to dominate the cloud computing market.</p>
<p>Harris said he pleaded with the company for several years to fix the flaw in the product, according to an investigation by ProPublica. But Microsoft dismissed his warnings at every turn, telling him they were working on a long-term alternative - making cloud services around the world vulnerable to attack in the meantime.</p>
<p>Harris was sure someone would figure out how to exploit the weakness. He came up with a temporary fix, but it required customers to disable one of Microsoft's most convenient and popular features: the ability to use a single sign-on to access almost any program used at work.</p>
<p>He rushed to warn some of the company's most sensitive customers about the threat and personally oversaw the fix for the New York Police Department. Frustrated by Microsoft's inaction, he left the company in August 2020.</p>
<p>Within a few months, his fears became reality. US officials confirmed reports that a state-sponsored team of Russian hackers had carried out the SolarWinds attack, one of the largest cyberattacks in US history. They used the flaw Harris identified to siphon sensitive data from a number of federal agencies, including, ProPublica has learned, the National Nuclear Security Administration, which maintains the United States' nuclear arsenal, and the National Institutes of Health, which was involved with COVID-19 research and vaccine distribution at the time. The Russians also used the vulnerability to compromise dozens of email accounts at the Treasury Department, including those of its highest-ranking officials. One federal official described the breach as "an espionage campaign aimed at long-term intelligence collection."</p>
<p>Harris' account, told here for the first time and supported by interviews with former colleagues and employees as well as social media posts, turns the prevailing public understanding of the SolarWinds hack on its head.</p>
<p>From the moment the hack surfaced, Microsoft insisted it was innocent. Microsoft President Brad Smith assured Congress in 2021 that "there was no vulnerability in any Microsoft product or service that was exploited" in SolarWinds.</p>
<p>He also said that customers could have done more to protect themselves.</p>
<p>Harris said they never got the chance.</p>
<p>"The decisions are not based on what's best for Microsoft's customers, but what's best for Microsoft," said Harris, who now works for CrowdStrike, a cybersecurity company that competes with Microsoft.</p>
<p>Microsoft declined to make Smith and other high-ranking officials available for interviews for this story, but did not dispute ProPublica's findings. Instead, the company issued a statement in response to written questions. "Protecting customers is always our top priority," a spokesperson said. "Our security response team takes all security issues seriously and reviews each case with a thorough manual assessment as well as cross-confirmation with engineering and security partners. Our assessment of this issue was reviewed multiple times and was in line with industry consensus."</p>
<p>ProPublica's investigation comes at a time when the Pentagon is seeking to expand its use of Microsoft products - a move that has come under scrutiny from federal lawmakers in light of a series of cyberattacks on the government.</p>
<p>Smith is scheduled to testify Thursday before the House Homeland Security Committee, which is investigating Microsoft's role in a breach committed last year by hackers with ties to the Chinese government. Attackers exploited Microsoft vulnerabilities to gain access to the emails of high-ranking US officials. In investigating the attack, the Cyber Safety Review Board found that Microsoft's "security culture was inadequate and in need of an overhaul".</p>
<p>For its part, Microsoft has said that work has already begun, stating that the company's top priority is security "above all else." Part of the effort is to adopt the board's recommendations. "If you're faced with the trade-off between security and another priority, your answer is clear: Do security," the company's CEO Satya Nadella told employees after the board's report, which found a "corporate culture that neglected both investment in enterprise security and rigorous risk management."</p>
<p>ProPublica's investigation adds new details and crucial context about this culture, offering a troubling glimpse into how the world's largest software provider handles the security of its own ubiquitous products. It also offers important insights into how the pursuit of profits can drive these security decisions, especially as tech giants push to dominate the newest - and most lucrative - frontiers, including the cloud market.</p>
<p>"That's part of the problem in the industry as a whole," said Nick DiCola, who was one of Harris' bosses at Microsoft and now works at Zero Networks, a network security firm. Publicly traded tech giants "are beholden to stock price, not always doing the right thing for the customer. That's just a reality of capitalism. You're never going to change that in a publicly traded company because at the end of the day, they want shareholder value to go up."</p>
<p>A "cloud-first world"</p>
<p>...</p>
<p>A clash with the "won't fix" culture</p>
<p>...</p>
<p>Business before security</p>
<p>...</p>
<p>Killing the competition</p>
<p>...</p>
<p>Another important warning</p>
<p>...</p>
<p>Defusing a ticking bomb</p>
<p>...</p>
<p>More disturbing revelations</p>
<p>...</p>
<p>SolarWinds attack</p>
<p>...</p>
<p>"Microsoft is back in the lead"</p>
<p>...</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15554</guid>
                        <pubDate>Thu, 13 Jun 2024 16:03:40 +0200</pubDate>
                        <title>VLC Media Player is vulnerable</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/vlc-media-player-ist-angreifbar</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>A specially crafted MMS stream can cause the VLC player to crash. According to VideoLAN, it is also potentially possible to execute malicious code.</p>
<p>There is a vulnerability in the widely used and free media player software VLC Media Player that allows attackers to crash the software and potentially even execute malicious code. According to a , this is a DoS (Denial of Service) vulnerability based on a heap-based integer overflow.</p>
<p>The vulnerability can be exploited through a specially crafted MMS (Microsoft Media Server) stream that must be actively opened by the user in VLC. <em>"If successful, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the rights of the target user</em>," explains the developer of the software.</p>
<p>VideoLAN assumes that exploitation of the vulnerability will most likely only lead to a crash of the software. Nevertheless, it cannot be ruled out that an attacker could use it to access user information or remotely execute arbitrary code (RCE), according to the bulletin.</p>
<p>Although ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) help to <em>"reduce the probability of code execution, they can be circumvented"</em>, according to the developer.</p>
<h2>A patch is available</h2>
<p>All VLC versions up to and including 3.0.20 are vulnerable. Details on how the vulnerability can be exploited are not yet known. VideoLAN does not provide a CVE number or classification of the severity of the vulnerability. However, the developer emphasizes that he has not yet seen any exploits that would allow malicious code to be executed.</p>
<p>Anyone wishing to protect themselves against possible attacks can do so by updating the software. According to VideoLAN, the problem has been fixed with the recently released version 3.0.21 of VLC Media Player. All those who have not yet installed the update are advised to avoid opening MMS streams from untrusted sources until the software has been updated.</p>
<p>VideoLAN names Andreas Fobian from the German IT security service provider Mantodea Security GmbH as the discoverer of the vulnerability.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15467</guid>
                        <pubDate>Fri, 24 May 2024 15:31:00 +0200</pubDate>
                        <title>Google Chrome: Fourth abused zero-day vulnerability in two weeks</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/google-chrome-vierte-bereits-missbrauchte-zero-day-luecke-in-zwei-wochen</link>
                        <description></description>
                        <content:encoded><![CDATA[<p>Google closes a zero-day vulnerability in the Chrome web browser, which is already under attack. The fourth in two weeks.</p>
<p>Google once again has to seal a zero-day gap in the Chrome web browser with an emergency update out of turn. An exploit for this is already circulating in the wild; this is the fourth time in the past two weeks. Anyone using Chromium-based browsers should quickly check whether an update is available and install it.</p>
<p>In the press release, Google explains that the vulnerability is caused by a "type confusion" in the JavaScript engine V8. This means that the data types actually used do not match those intended in the program code, which can lead to access to memory areas not intended for this purpose and, in some cases, the execution of malicious code. The CVE entry has not yet been published, but this vulnerability can probably be exploited by displaying a carefully crafted web page (CVE-2024-5274, no CVSS value, "<strong>high</strong>" risk according to Google).</p>
<h3>Chrome zero-day vulnerability already attacked</h3>
<p>"Google is aware that an exploit for CVE-2024-5274 exists in the wild," the authors write in the press release. As the vulnerability was discovered by Clément Lecigne from Google's Threat Analysis Group (TAG), among others, this indicates that attacks are already underway. Google's TAG usually examines attacks that have already taken place for security vulnerabilities.</p>
<p>The current versions of Google Chrome that correct the bug are 125.0.6422.112/.113 for Android, 125.0.6422.112 for Linux and 125.0.6422.112/.113 for macOS and Windows. In addition, the extended stable version with the number 124.0.6367.233 under macOS and Windows is up to date.</p>
<h3>Version check</h3>
<p>The version dialog, which can be found in the browser's settings menu behind the icon with the three stacked dots, tells you whether Chrome is up to date. It can be accessed there under "Help" - "About Google Chrome". It shows the currently running software version and starts the update process when available.</p>
<p>On Linux, the software management of the distribution used is usually responsible for updating the Chrome browser. The vulnerability affects the Chromium browser, on which other web browsers such as Microsoft's Edge are also based. Urgent updates should therefore also be available for these shortly, which users should apply quickly.</p>
<p>In the past two weeks, Google has already had to seal three other zero-day vulnerabilities in the Chromium browser. They were also attacked with exploits.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15478</guid>
                        <pubDate>Tue, 21 May 2024 11:31:00 +0200</pubDate>
                        <title>Microsoft: Police warn of cyber attacks via Office 365</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/microsoft-polizei-warnt-vor-cyberangriffen-ueber-office-365</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Police warn of cyber attacks via Office 365</h2>
<p>The State Criminal Police Office of North Rhine-Westphalia warns of possible cyber attacks via Outlook and Office 365 document management.</p>
<p>Based on current investigations, the State Criminal Police Office of North Rhine-Westphalia (LKA NRW) is warning of possible cyberattacks via Office 365, specifically on the Outlook email program and document management. The attacks not only endanger the affected companies, but also their customers and communication partners. The aim of the perpetrators is to take over email accounts and then send messages containing dangerous attachments or links in the name of the company. The phishing emails often appear authentic as they contain real conversation histories.</p>
<h3>Targeted search for VPN access data</h3>
<p>Clicking on the links can lead to attacks on IT systems and, among other things, to data leaks. The cybercriminals specifically search the hijacked email accounts for information from the early days of the coronavirus crisis, when some employees were obliged to work from home - in particular VPN access data for non-public IT networks. With this information, the perpetrators can gain direct access to the IT infrastructure of companies. They can also access documents in the emails.</p>
<p>"Thanks to the investigations by the State Criminal Police Office of North Rhine-Westphalia, it has already been possible to protect some companies from further attacks such as encryption by ransomware and the associated blackmail. Otherwise, such cyberattacks regularly cause damage running into millions," writes the LKA in a press release. Due to the developments, it also emphasizes the importance of comprehensive security concepts and raising employee awareness. The LKA also recommends that affected companies contact the cybercrime hotline on 0211/ 939-4040 or contact employees of the Cybercrime Competence Center via cybercrime.lka@polizei.nrw.de. Here you will also find a general overview of the" for companies.</p>
<p>Found on  </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15477</guid>
                        <pubDate>Tue, 21 May 2024 11:25:00 +0200</pubDate>
                        <title>New AI functions from Microsoft</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/neue-ki-funktionen-von-microsoft</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>When the PC gets a memory</h2>
<p>The tech company Microsoft is selling its new AI applications with Copilot as a "photographic memory" for the PC. The PC takes a screenshot every few seconds.</p>
<p>May is already characterized by major announcements from US tech companies on artificial intelligence (AI): first OpenAI and Google presented updates to their respective chatbots.</p>
<p>Now it's Microsoft's turn: unlike Google and OpenAI, this time it's about the fusion of artificial intelligence and computers.</p>
<h2>Copilot+ PCs - what's behind the announcement</h2>
<p>Microsoft's AI assistant is called Copilot, developed using the same base model as OpenAI's, and is now set to become a permanent feature of Windows computers. A new additional chip is to be used exclusively for AI applications.</p><p>Microsoft calls this "Copilot+ PCs". It is designed to make computers significantly faster and also extend battery life. According to Microsoft, this should enable applications "that are not possible on any other PC".</p><blockquote><p>Find and remember everything you've ever seen on your PC with 'Recall'.</p></blockquote><p>Microsoft</p>
<p>With the new "Recall" search function, Microsoft wants to make it easier to find files, photos and other elements on the PC, not just with a pure keyword search, but as a semantic search, which should make it easy to find images, for example, and you should no longer have to remember the exact file name of documents.</p>
<p><strong>This is how it should work:</strong></p><ul class="list-normal"> 	<li>The computer takes screen recordings at short intervals</li> 	<li>These are then analyzed using artificial intelligence</li> 	<li>The search uses functions such as image and text recognition</li> </ul><p>A demonstration video shows how a person searches for a brown bag in "Recall" and arrives at the desired result: a picture of a brown bag.</p>
<h2>"Recall" - is that safe?</h2>
<p>This is more in line with how human memory works, Microsoft argues: "You can scroll through time to find the content you need in your timeline in any application, website, document or more."</p>
<p>The goal in the computer industry has always been to "build computers that understand us, rather than us having to understand computers", said Microsoft CEO Satya Nadella during the presentation at the company's headquarters on Monday.</p><blockquote><p>With Recall, you can now access everything you've seen or done on your PC as if you had a photographic memory.</p></blockquote><p>Microsoft</p>
<h2>Storage only for a few months</h2>
<p>To ensure that this works smoothly, also works offline and the user's data is secure, these screen recordings are stored locally: "You can delete individual screenshots, adjust and delete time ranges in the settings or pause them at any time directly via the icon in the taskbar," writes Microsoft.</p>
<p>However, local storage also has disadvantages: On AI PCs with the minimum memory of 256 gigabytes, the function's memory will only go back about three months. More than 18 months is therefore not possible, even with a larger memory. At the same time, Mehdi assures that the range of functions will be expanded over time.</p>
<h2>When the co-pilot helps with gaming</h2>
<p>Another use case is the co-pilot as a live assistant when working or playing on the computer. A demonstration shows how the AI talks to the user in real time while gaming: the user asks detailed questions about the game and chats away. The co-pilot explains, gives tips - and also shows emotions when the player is being chased by dangerous zombies.</p>
<h2>New Windows AI PCs from mid-June</h2>
<p>The AI applications will run on new Microsoft Surface devices as well as on PCs from Acer, Asus, Dell, HP, Lenovo and Samsung. According to Microsoft, the new devices will be available from June 18 and start at 999 US dollars.</p>
<p>Found at </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15479</guid>
                        <pubDate>Fri, 17 May 2024 12:11:00 +0200</pubDate>
                        <title>Microsoft is sued by the BSI</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/microsoft-wird-vom-bsi-verklagt</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>BSI sues Microsoft for release of information on security disaster</h2>
<p>The Federal Office for Information Security has apparently initiated official proceedings against Microsoft - and is still waiting for answers.</p>
<p>The highest German IT security authority is not as inactive as it seemed. Since last fall, the Federal Office for Information Security (BSI) has apparently been at Microsoft's door to obtain information on its security precautions. After Microsoft failed to deliver and continued to delay communication, the BSI then resorted to its sharpest sword: Section 7a of the BSI Act, which allows it to sue for the release of information, among other things. This has now become known through a leak from the Bundestag's Digital Committee.</p>
<p>The request for information comes in the context of the blatant security incidents at Microsoft, in which state attackers were able to access information from Microsoft itself, as well as from its cloud customers, on several occasions. Specifically, it concerns the theft of the master key to the Microsoft cloud. The investigative commission set up by the US Department of Homeland Security (DHS) has already diagnosed  in this case. Microsoft at least spoke to them; however, the flow of information to the BSI was so poor that the German authority gradually escalated its inquiries.</p>
<h3>Harsh criticism of Microsoft</h3>
<p>"The BSI took the formal route of issuing an order in the further course of the technical dispute with Microsoft because the information that the BSI had previously received in a regular exchange was not satisfactory," a BSI spokesperson explained the procedure to heise Security. Specifically, the BSI was concerned, among other things, with the use of so-called double key encryption, which could actually have prevented data leaks, at least in specially secured environments. With this method, the data is encrypted with two keys, one of which always remains with the customer. However, the details are so unclear that the BSI is apparently unable to assess whether the attackers were able to access plain text data after all.</p>
<p>Even after repeated requests and threats of legal action, Microsoft did not provide the requested information. Therefore, the BSI is now using the legal instruments at its disposal, explains the BSI spokesperson, who still sees a need for information. He also explicitly refers to the harsh criticism of the US Cyber Security Review Board, whose assessment the BSI shares. "The BSI sees that other cloud providers are better positioned when it comes to the technical implementation of security and how they react if an IT security incident occurs," he concludes.</p>
<h3>Section 7 of the BSIG</h3>
<p>Section 7 of the BSI Act deals with warnings from the BSI. Section 7a regulates the necessary "investigation of security in information technology"; according to this, the Federal Office can "demand all necessary information from manufacturers of information technology products and systems, in particular technical details". The BSI has apparently done just that and reported on this to the Digital Committee of the German Bundestag. From there, the information apparently leaked to Der Spiegel, which reported further details.</p>
<p>Note on my own behalf: The author of this article had warned of a in view of the activities of the US CISA and the apparent inactivity of the BSI. I would like to take that back - I am "officially impressed" by the current approach and very curious to see what comes out of it.</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15431</guid>
                        <pubDate>Thu, 16 May 2024 15:55:00 +0200</pubDate>
                        <title>Chrome: Another zero-day vulnerability closed with update</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/chrome-weitere-zero-day-luecke-mit-update-geschlossen</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Chrome: Another zero-day vulnerability closed with update</h2>
<p>Google is updating the Chrome web browser for the third time in a week. Once again, an exploit for a zero-day vulnerability is circulating in it.</p>
<p>Google is once again releasing an emergency security update for the Chrome web browser. An exploit for a new zero-day vulnerability in the browser is once again circulating in the wild. The provider is also making the version jump to the 125 development branch.</p>
<p>In the release announcement, the developers state that the new version seals a total of nine security vulnerabilities. They only provide brief information on four of them; the other five were found internally. Two were classified as high risk, one as medium and one as low threat.</p>
<h3>Zero-day vulnerability with exploit</h3>
<p>One type-confusion vulnerability affects the JavaScript engine V8. Here, processed data types do not match those provided in the program code, which can lead to out-of-bounds memory access and, in some cases, to the execution of injected code. In this case, attackers can abuse the vulnerability, for example with a maliciously manipulated website, to execute arbitrary code within a sandbox (no CVSS value, risk "<strong>high</strong>" according to Google). Google is aware of exploits for this vulnerability that are circulating in the wild.</p>
<p>The new versions also close a use-after-free vulnerability in the Dawn browser component (CVE-2024-4948, <strong>high</strong>) and one in the V8 JavaScript engine (CVE-2024-4949, <strong>medium</strong>) as well as an inappropriate implementation in downloads (CVE-2024-4950, <strong>low</strong>).</p>
<p>The secured browser versions are now Chrome 125.0.6422.53 for Android, 125.0.6422.60 for Linux and 125.0.6422.60/.61 for macOS and Windows. The extended stable version has also been updated to 124.0.6367.221 for macOS and Windows. Anyone using Google Chrome should ensure that the latest version is installed and active.</p>
<h3>Ensure that the latest version is running</h3>
<p>The Google Chrome version dialog shows the current software version and starts the update process if necessary. Users can get there by clicking on the web browser's settings menu, which is located behind the icon with the three stacked dots to the right of the address bar, and continuing via "Help" - "About Google Chrome".</p>
<p>If you use Chrome under Linux, you usually start the software management of the distribution used to search for updates. As the errors affect the Chromium web browser, on which other browsers such as Microsoft's Edge are also based, an update should also be available shortly for the other derived web browsers. Users should install this immediately.</p>
<p>There is currently an unusual accumulation of exploits in circulation that can be used to attack previously unknown vulnerabilities in Chrome, so-called zero-day vulnerabilities. Google had already released emergency updates on Friday last week and Tuesday this week that plugged such vulnerabilities.</p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15497</guid>
                        <pubDate>Thu, 16 May 2024 14:25:00 +0200</pubDate>
                        <title>Google Chrome: further security vulnerability can be closed with update</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/google-chrome-weitere-sicherheitsluecke-mit-update-schliessbar</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Chrome: Another zero-day vulnerability closed with update</h2>
<p>Google is updating the Chrome web browser for the third time in a week. Once again, an exploit for a zero-day vulnerability is circulating in it.</p>
<p>Google is once again releasing an emergency security update for the Chrome web browser. An exploit for a new zero-day vulnerability in the browser is once again circulating in the wild. The provider is also making the version jump to the 125 development branch.</p>
<p>In the release announcement, the developers state that the new version seals a total of nine security vulnerabilities. They only provide brief information on four of them; the other five were found internally. Two were classified as high risk, one as medium and one as low threat.</p>
<h3>Zero-day vulnerability with exploit</h3>
<p>One type-confusion vulnerability affects the JavaScript engine V8. Here, processed data types do not match those provided in the program code, which can lead to out-of-bounds memory access and, in some cases, to the execution of injected code. In this case, attackers can abuse the vulnerability, for example with a maliciously manipulated website, to execute arbitrary code within a sandbox (no CVSS value, risk "<strong>high</strong>" according to Google). Google is aware of exploits for this vulnerability that are circulating in the wild.</p>
<p>The new versions also close a use-after-free vulnerability in the Dawn browser component (CVE-2024-4948, <strong>high</strong>) and one in the V8 JavaScript engine (CVE-2024-4949, <strong>medium</strong>) as well as an inappropriate implementation in downloads (CVE-2024-4950, <strong>low</strong>).</p>
<p>The secured browser versions are now Chrome 125.0.6422.53 for Android, 125.0.6422.60 for Linux and 125.0.6422.60/.61 for macOS and Windows. The extended stable version has also been updated to 124.0.6367.221 for macOS and Windows. Anyone using Google Chrome should ensure that the latest version is installed and active.</p>
<h3>Ensure that the latest version is running</h3>
<p>The Google Chrome version dialog shows the current software version and starts the update process if necessary. Users can get there by clicking on the web browser's settings menu, which is located behind the icon with the three stacked dots to the right of the address bar, and continuing via "Help" - "About Google Chrome".</p>
<p>If you use Chrome under Linux, you usually start the software management of the distribution used to search for updates. As the errors affect the Chromium web browser, on which other browsers such as Microsoft's Edge are also based, an update should also be available shortly for the other derived web browsers. Users should install this immediately.</p>
<p>There is currently an unusual accumulation of exploits in circulation that can be used to attack previously unknown vulnerabilities in Chrome, so-called zero-day vulnerabilities. Google had already released emergency updates on Friday last week and Tuesday this week to patch such vulnerabilities.</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15422</guid>
                        <pubDate>Wed, 15 May 2024 14:31:39 +0200</pubDate>
                        <title>Vulnerability in Windows is being actively exploited</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/schwachstelle-in-windows-wird-aktiv-ausgenutzt</link>
                        <description></description>
<content:encoded><![CDATA[<p>Not only Windows 10 and 11 are vulnerable, but also Windows Server 2016, 2019 and 2022. Hackers exploit the zero-day CVE-2024-30051 to gain system rights.</p>
<p>On Tuesday, Microsoft released a patch for a zero-day vulnerability in Windows that is already being actively exploited to spread malware. The vulnerability is registered as CVE-2024-30051 and allows an attacker with local access to gain system rights. Only low privileges are required in advance. The complexity of the attack is classified as low.</p>
<p>The vulnerability is based on a buffer overflow in the core library of the Desktop Window Manager (DWM) - a window manager introduced with Windows Vista. Windows 10 and 11 as well as Windows Server 2016, 2019 and 2022 are vulnerable. Patches have been available for all affected systems since May 14 and should be installed promptly in view of the active exploitation.</p>
<h2>Discovered in an upload on Virustotal</h2>
<p>CVE-2024-30051 was discovered by security researchers at Kaspersky while investigating another vulnerability registered as CVE-2023-36033 in early April. The latter is also a zero-day vulnerability in the DWM core library that allows privilege escalation and was discovered and patched in 2023.</p>
<p>During their investigations, the researchers became aware of a file uploaded to Virustotal on April 1. It contained a brief description of a security vulnerability in DWM, including an explanation of how it could be exploited to gain system privileges. The procedure was similar to the one used to exploit CVE-2023-36033, but the vulnerability was different.</p>
<p>The research team immediately informed Microsoft of its discovery, according to the Kaspersky report. The team then began searching for available exploits and attacks. The researchers then found what they were looking for in mid-April: <em>"We have seen the vulnerability being used in conjunction with Qakbot and other malware and believe that multiple threat actors have access to it,"</em> the researchers said.</p>
<p>Qakbot is a malware that integrates infected systems into a botnet and misuses them for ransomware attacks, among other things. The FBI announced the successful takedown of the botnet in August 2023. However, it later emerged that the people behind it had apparently not been caught. In October 2023, security researchers from Cisco Talos discovered a new campaign that was linked to the Qakbot actors.</p>
<p>Kaspersky is still holding back on technical details about CVE-2024-30051. The research team wants to <strong>give users time to patch their Windows systems first</strong>, they say.</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15496</guid>
                        <pubDate>Wed, 15 May 2024 14:24:00 +0200</pubDate>
                        <title>Security vulnerability in Libre Office</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/sicherheitsluecke-in-libre-office</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>LibreOffice: Clicked - and malware executed</h2>
<p>A security vulnerability in the open source LibreOffice allows attackers to inject malicious code into victims. They only have to click once.</p>
<p>The open source office software suite LibreOffice is affected by a security vulnerability. By tricking victims into opening a maliciously crafted document and clicking on it, attackers can apparently inject them with malicious code that will be executed.</p>
<p>In a security advisory, the programmers explain that the office software supports the linking of scripts with click events on graphics. "For affected versions of LibreOffice, there are scenarios in which embedded scripts are executed without warning when users click on a document with such on-click handlers", the programmers describe the problem (CVE-2024-3044, CVSS <strong>8.8</strong>, risk "<strong>high</strong>").</p>
<h3>LibreOffice: Risk classification of the vulnerability</h3>
<p>While the LibreOffice project has been careful not to give a concrete classification of the threat level, the vulnerability has nonetheless been classified as high-risk with a CVSS value of 8.8, just short of "critical" status.</p>
<p>In early versions of LibreOffice, such scripts were classified as trustworthy, but they are now considered insecure. The fix applies the permissions a user grants for executing macros when loading a document to these on-click handlers as well.</p>
<p>As a solution to the security problem, the project recommends updating to the bug-fixed LibreOffice versions, which are available on the project's website. Linux users should start their software management and check whether the bug-fixed versions have already been installed.</p>
<p>Around a year ago, the Ghostscript package caused a security vulnerability in various software installations. This included LibreOffice, which comes with Ghostscript. The vulnerability could also be exploited back then by opening manipulated documents.</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15495</guid>
                        <pubDate>Wed, 15 May 2024 14:23:00 +0200</pubDate>
                        <title>Zeroday vulnerability in Windows is being actively exploited</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/zeroday-schwachstelle-in-windows-wird-aktiv-ausgenutzt</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Vulnerability in Windows is being actively exploited</h2>
<p>Not only Windows 10 and 11 are vulnerable, but also Windows Server 2016, 2019 and 2022. Hackers are exploiting the zero-day CVE-2024-30051 to gain system rights.</p>
<p>On Tuesday, Microsoft released a patch for a zero-day vulnerability in Windows that is already being actively exploited to spread malware. The vulnerability is registered as CVE-2024-30051 and allows an attacker with local access to gain system rights. Only low privileges are required in advance. The complexity of the attack is classified as low.</p>
<p>The vulnerability is based on a buffer overflow in the core library of the Desktop Window Manager (DWM) - a window manager introduced with Windows Vista. Windows 10 and 11 as well as Windows Server 2016, 2019 and 2022 are vulnerable. Patches have been available for all affected systems since May 14 and should be installed promptly in view of the active exploitation.</p>
<h2>Discovered in an upload on Virustotal</h2>
<p>CVE-2024-30051 was discovered by security researchers at Kaspersky while investigating another vulnerability registered as CVE-2023-36033 in early April. The latter is also a zero-day vulnerability in the DWM core library that allows privilege escalation and was discovered and patched in 2023.</p>
<p>During their investigations, the researchers became aware of a file uploaded to Virustotal on April 1. It contained a brief description of a security vulnerability in DWM, including an explanation of how it could be exploited to gain system privileges. The procedure was similar to the one used to exploit CVE-2023-36033, but the vulnerability was different.</p>
<p>The research team immediately informed Microsoft of its discovery, according to the Kaspersky report. The team then began searching for available exploits and attacks. The researchers then found what they were looking for in mid-April: <em>"We have seen the vulnerability being used in conjunction with Qakbot and other malware and believe that multiple threat actors have access to it,"</em> said the researchers.</p>
<p>Qakbot is a malware that integrates infected systems into a botnet and misuses them for ransomware attacks, among other things. The FBI announced the successful takedown of the botnet in August 2023. However, it later emerged that the people behind it had apparently not been caught. In October 2023, security researchers from Cisco Talos discovered a new campaign that was linked to the Qakbot actors.</p>
<p>Kaspersky is still holding back on technical details about CVE-2024-30051. The research team wants to <strong>give users time to patch their Windows systems first</strong>, they say.</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15493</guid>
                        <pubDate>Tue, 14 May 2024 14:22:00 +0200</pubDate>
                        <title>Zeroday security vulnerability in Google Chrome</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/zeroday-sicherheitsluecke-in-google-chrome</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Update now! Zeroday vulnerability in Google Chrome again, exploit available</h2>
<p>Google is once again releasing an emergency update for the Chrome web browser. There is already an exploit for the zero-day vulnerability.</p>
<p>Just last Friday, Google released an emergency update for the  web browser, as an exploit for a previously unknown vulnerability was circulating. The same thing happened again on Tuesday night: Google releases an emergency update to close a vulnerability in Chrome for which an exploit was discovered in the wild.</p>
<p>In the  that the vulnerability allows attackers to trigger out-of-bounds writes in the V8 JavaScript engine (CVE-2024-4761, no CVSS value yet, risk <strong>"high"</strong> according to Google). Google does not provide any further details, but merely states: "Google is aware that an exploit for CVE-2024-4761 exists in the wild".</p>
<h3>Apparently exploitable security vulnerability</h3>
<p>Although Google does not provide any more detailed information, such vulnerabilities can often be misused to inject and execute malicious code. To do this, it is usually sufficient to display a carefully prepared website. Due to the urgency that Google obviously sees, it can be deduced that this is the case here.</p>
<p>The vulnerability is now closed by Chrome versions 124.0.6367.179 for Android, 124.0.6367.207 for Linux (also the new version for the extended stable releases) and 124.0.6367.207/.208 for macOS and Windows.</p>
<h3>Everything up to date?</h3>
<p>The version dialog reveals whether the web browser is already up to date. This opens after clicking on the settings menu, which is located behind the icon with the three stacked dots to the right of the browser's address bar, and continuing via "Help" - "About Google Chrome".</p>
<p>If the update is still missing, this starts the update process. On Linux, users usually have to start the software management of the distribution used and check for updates. On mobile devices, it is possible to search for updates in the respective app store. As the vulnerability was found in the Chromium browser, other web browsers based on it, such as Microsoft's Edge, are also affected. If updates are available, users should install them quickly.</p>
<p>Last Friday, Google had already closed a zero-day vulnerability in Chrome. It affected the Visuals component of the browser and reached a risk rating of "high".</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15491</guid>
                        <pubDate>Tue, 07 May 2024 14:20:00 +0200</pubDate>
                        <title>Attackers can bypass VPNs and redirect data</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/angreifer-koennen-vpns-aushebeln-und-daten-umleiten</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Tunnelvision: Attackers can bypass VPNs and redirect data</h2>
<p>With a 22-year-old DHCP option, attackers can cause data traffic to bypass the VPN. Neither users nor VPN operators are aware of this.</p>
<p>If you are in an untrusted network environment, use a VPN - this is a much-quoted security mantra. A team of two researchers has now discovered a way to analyze data traffic despite a VPN. The trick: by interfering with the victim's routing, they simply route the data traffic past the VPN. Under certain circumstances, attackers can thus obtain unencrypted data packets from their victims. The attack works if the victim and attacker are in the same local network (LAN), but is difficult to detect. Only Android is not inherently vulnerable - other operating systems require additional protective measures.</p>
<p>All  tested by the researchers are affected by the "TunnelVision" vulnerability - they claim to have informed over 50 manufacturers about the security problem. The starting point for the attack is "Option 121", introduced in 2002, in the Dynamic Host Configuration Protocol (DHCP), which regulates the dynamic allocation of IP addresses. A DHCP server can use this option to provide devices with routing information in addition to their IP address in order to send data traffic to a specific target network via a route other than the standard route.</p>
<p>If the user uses a VPN - for example in an unsecured hotel WLAN - all data packets are encrypted before they leave the computer in the direction of the VPN gateway, which decrypts them and forwards them to their actual destination addresses. Under normal conditions, an adversary in an insecure WLAN can snoop on packets but cannot break the VPN encryption. However, if the adversary controls the responsible DHCP server, they can simply instruct end devices to send their data past the VPN. To do this, the server sends DHCP option 121 with a corresponding route - for example, to redirect all DNS queries. The VPN's encryption is bypassed, but the VPN connection is maintained so that the user is unaware of the attack.</p>
<p>The DHCP server is normally under the control of the system administrator and cannot be manipulated by third parties. Nevertheless, an attacker could infiltrate a second DHCP server into the LAN - but they must first silence the actual, "authoritative" DHCP server. The simplest method is probably to request IP addresses en masse from this server until its address pool is exhausted. The infiltrated DHCP server can then jump into the breach and allocate addresses itself. Once it has bound the target device to itself, it redirects the device's traffic before VPN encryption has taken place and can then read it.</p>
<p>If the data traffic is already encrypted before it is routed to the VPN, as is the case when accessing websites via https, for example, this encryption remains in place; the attacker cannot read the plain text data. However, they can determine which destinations the victim visits, which can have devastating consequences.  for accessing or distributing .</p>
<h3>Anyone can play DHCP</h3>
<p>The basic problem with Tunnelvision is that there is no DHCPsec. DHCP servers do not authenticate themselves to their clients; the winner is the one who assigns an IP address to the user the fastest. A  was proposed in 1997 by the then Intel employee Baiju V. Patel, but nothing came of it. An  proposed in 2001 does recognize a rudimentary form of DHCP authentication, but this only protects against accidental collisions between several DHCP servers and not against deliberate attacks.</p>
<p>The Tunnelvision attack is successful even if the VPN connection already exists. The attacker only has to wait until the end device to be attacked has to renew the assignment of its IP address and send a corresponding request to the DHCP server. Leviathan Security has reproduced the problem with Windows, Linux, iOS and MacOS - the attack only does not work with Android because Android ignores the DHCP option 121.</p>
<h3>Remedy: Partition, block, ignore</h3>
<p>Android users have it particularly easy: as the mobile operating system simply ignores the DHCP option 121, it is not susceptible to TunnelVision. However, users of other operating systems must take countermeasures to avoid falling into the trap. The team of authors from Leviathan Security suggests various steps for users and VPN providers.</p>
<p>Those who value anonymity and privacy should avoid connections to untrusted networks, use their smartphone's hotspot function or establish a VPN connection via a virtual machine without a bridged network adapter. VPN providers can use additional technical measures to protect their customers.</p>
<p>Linux has known so-called network namespaces since kernel 2.6.24 (2008). This allows the network to be partitioned in such a way that the Tunnelvision attack no longer leads to the disclosure of unencrypted data traffic. However, a device partitioned in this way cannot access resources in the LAN.</p>
<p>Otherwise, it may be possible to secure the VPN connection using classic firewall rules so that data packets cannot be routed past the VPN. However, even this is not complete protection, according to the researchers: with a statistical side-channel attack, it is still possible to draw conclusions about the IP addresses the victim is accessing. To do this, however, the attacker must be able to intercept the data traffic, for example in an unencrypted WLAN.</p>
<h3>Is this even a security vulnerability?</h3>
<p>The discovery is not entirely new. The German hacker jomo pointed out the redirection procedure using DHCP option 121 back in 2017 and warned that it compromises VPN data traffic.</p>
<p>The Leviathan team, consisting of Lizzie Moratti and Dani Cronce, has now  the problem  for the first time (including a proof of concept video,  and ). Leviathan has also obtained the CVE number CVE-2024-3661 (Common Vulnerabilities and Exposures).</p>
<p>The two researchers admit that Tunnelvision does not necessarily have to be seen as a security vulnerability. After all, the attack is based on an option that works as it was designed. Nevertheless, VPN operators as well as operating system developers and system administrators are challenged. It is more important than ever to avoid public WLAN hotspots. After all, all it takes for an attack to be successful is for the attacker to be on the same network.</p>
<p>Prior to publication, Leviathan Security informed several dozen well-known VPN providers, also with the help of the Electronic Frontier Foundation (EFF) and the US cyber security authority CISA. The researchers fear that the redirection with DHCP option 121 may have been practiced since 2002. As a next step, the researchers plan to publish their "ArcaneTrickster" tool, which should make attacks considerably easier and thus convince the last doubters in the VPN industry.</p>
<p>Attackers see virtual private networks as a worthwhile target. Crafty cyber crooks had embedded themselves so  that CISA had them taken offline by decree. The US authorities suspect that the intruders from  are .</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15490</guid>
                        <pubDate>Mon, 29 Apr 2024 14:20:00 +0200</pubDate>
                        <title>Vulnerabilities in Citrix Xenserver and Hypervisor</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/sicherheitsluecken-in-citrix-xenserver-und-hypervisor</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Attackers can take over Citrix solutions - Updates available</h2>
<p>There are currently various vulnerabilities in Citrix Xenserver and Hypervisor. Updates are already available and should be installed as soon as possible. The vulnerabilities allow attackers to take over entire systems.</p>
<p> is currently  in the Xenserver and Hypervisor products. Updates are already available, which admins should install as soon as possible.</p>
<p>The security messages run under the identifiers , CVE-2024-2201 and CVE-2024-31142. The identified vulnerabilities allow malicious code in a guest VM to read the memory contents of other VMs on the same host. CVE-2024-2201 only affects systems with Intel CPUs, while CVE-2024-31142 is only applicable to AMD CPUs.</p>
<p>Additionally, another , labeled CVE-2023-46842, has been discovered that allows privileged malicious code in a guest VM to crash the host. This vulnerability affects all deployment configurations.</p>
<h3>Citrix provides updates</h3>
<p>Citrix has provided updates and a hotfix for affected versions. XenServer 8 users should install the update from the Early Access or Normal channels as described in the update instructions on the Citrix website. For users of Citrix Hypervisor 8.2 CU1 LTSR, a hotfix is available for download and installation from the Citrix support page. The updates are available on the . The installation should be done as soon as possible.</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15489</guid>
                        <pubDate>Fri, 26 Apr 2024 14:19:00 +0200</pubDate>
                        <title>Passwords with 8 characters are easy to crack</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/passwoerter-mit-8-zeichen-leicht-knackbar</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>This is how secure 8-character passwords are in 2024</h2>
<p>It is often recommended that a good  should be at least 8 characters long. However, new studies show that the time has come for more.</p>
<p>Passwords with a length of at least 8 characters have been considered secure for years, as long as they are also highly complex. However, a  shows that 8-character passwords can now be cracked in a reasonable amount of time, depending on the hashing algorithm used and the GPU power available.</p>
<p>For example, anyone in possession of an Nvidia RTX 4090 graphics card can reconstruct a randomly generated 8-character password with upper and lower case letters as well as numbers and special characters from the corresponding MD5 hash in just 59 minutes. If bcrypt (with 32 iterations) is used as the hashing algorithm instead, the same process takes a much longer 99 years.</p>
<p>The problem with this is that users generally do not know which algorithm is used by the services they use. Although MD5 has long been considered insecure, the method is still used by many online services. What's more, not every user uses the maximum possible password complexity, unless this is enforced by guidelines.</p>
<h3>It can also be faster with bcrypt</h3>
<p>Even if the more secure bcrypt algorithm is used, this is no guarantee that the password cannot be cracked within a few days. Hive Systems illustrates an extreme case in this respect: with 10,000 A100 GPUs from Nvidia, the bcrypt hash of an 8-character password with high complexity can be calculated back within 5 days.</p>
<p>For attackers who can afford the corresponding computing resources and expect a large payoff from the cracked password, 8 characters are no longer much of a hurdle. With only 12 A100 GPUs, the same process still takes 12 years. The researchers consider this to be reasonable, provided that users generate their passwords randomly and change them from time to time.</p>
<h3>People are predictable</h3>
<p>However, Hive Systems points out that <em>"people are quite predictable"</em> and often . Reconstruction is therefore often much easier and quicker to carry out in reality. The times determined by the security experts are to be understood as a best-case scenario.</p>
<p>In addition, there are other factors that massively reduce the computing time - for example, if a password contains dictionary entries or has already appeared in a known data leak. In such cases, passwords can be cracked immediately, no matter how long or complex they are.</p>
<p>The BSI still recommends  that <em>"a good password"</em> should be at least 8 characters long, but <em>"the longer, the better"</em>. Hive Systems' research shows that, in view of increasingly powerful GPUs, it may well be worth opting for longer passwords. Many services already  .</p>
<h2>Recommendation</h2>
<p>The RHRZ at RPTU even suggests a <strong>minimum length of 15 characters</strong>: "The simplest option is to use a password that is at least 15 characters long. In this case, Windows stores an LM hash value that cannot be used to authenticate the user."</p>
<p>Found on </p>
<p>Further information on LM hash value at </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15488</guid>
                        <pubDate>Thu, 11 Apr 2024 14:18:00 +0200</pubDate>
                        <title>Patchday: Attacks on Microsoft Windows</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/patchday-angriffe-auf-microsoft-windows</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Patchday: Attackers bypass security function again and attack Windows</h2>
<p>Microsoft has released important security updates for Bitlocker, Office and Windows Defender, among others. Attackers are already exploiting two vulnerabilities.</p>
<p>Anyone using Microsoft software should ensure that Windows Update is active and the latest security patches are installed. Otherwise, systems are vulnerable and, in the worst case, attackers can completely compromise PCs via malicious code attacks.</p>
<h3>Attacks on Windows</h3>
<p>Attackers are currently targeting a vulnerability (CVE-2024-29988, <strong>"high"</strong>) in the Windows security function SmartScreen filter. The system uses this to identify whether downloaded files originate from a trustworthy source (Mark-of-the-Web marking, MoTW). If the check raises an alarm, the protection mechanism prevents the file from being executed.</p>
<p>Attackers are currently bypassing precisely this check in ongoing attacks. Victims think they are safe because of SmartScreen filters and trust a downloaded file, but when they execute it, they get a Trojan on their computer. However, an attacker still has to persuade the victim to open the file containing the malicious code. Attacks are therefore not possible without further ado. , current Windows and Windows Server versions are at risk. .</p>
<p>The second currently exploited vulnerability (CVE-2024-26234, <strong>"medium"</strong>) also affects current Windows desktop and Windows Server versions. Attackers can target these vulnerable systems with a proxy driver spoofing attack. Microsoft is not currently specifying concrete attack scenarios and the effects of attacks.</p>
<h5>Further dangers</h5>
<p>Microsoft classifies three vulnerabilities (CVE-2024-21322 <strong>"high"</strong>, CVE-2024-21323 <strong>"high"</strong>, CVE-2024-29053 <strong>"high"</strong>) in Defender for IoT as critical, .</p>
<p>In Azure, attackers can gain unauthorized access to information via a vulnerability in the AI search. A vulnerability in Azure CycleCloud allows attackers to gain higher user rights.</p>
<p>Microsoft lists further vulnerabilities in its .</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15487</guid>
                        <pubDate>Wed, 03 Apr 2024 14:17:00 +0200</pubDate>
                        <title>Critical security vulnerability: Backdoor in XZ for Linux</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/kritische-sicherheitsluecke-backdoor-in-xz-fuer-linux</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>BSI warns with level 3 / orange:</h2>
<p>The open source provider <strong>Red Hat</strong> announced on March 29, 2024 that <strong>malicious code</strong> has been discovered in <strong>versions 5.6.0 and 5.6.1 of the "xz" tools and libraries</strong>, which makes it possible to bypass authentication in sshd via systemd. The vulnerability has been published as CVE-2024-3094.</p>
<h3>Recommendation and measures:</h3>
<p>Measures: IT security managers should stop using Fedora 41 and Fedora Rawhide immediately. xz itself should be reverted to an older, stable version such as 5.4.6. SUSE has published a downgrade procedure. Even when using other distributions, it is recommended not to upgrade to xz versions 5.6.x, or to revert to the secure versions.</p>
<p>Found on </p>
<h4>ALERT: Backdoor in xz library compromises SSH connections</h4>
<p>The attack was apparently planned long in advance. A possible state actor hid a backdoor in the liblzma library.</p>
<p>The security community is alarmed: as a developer discovered rather by chance - he was researching the cause of mysterious performance problems with SSH connections - there is a backdoor in the liblzma library. Although the major Linux distributions gave the all-clear for their stable versions, the backdoor was still present in various unstable Linux versions and in the Homebrew tool collection for macOS. However, it is not necessarily exploitable there.</p>
<p>The "liblzma" library is certainly not one of the best-known collections of functions for open operating systems - it is used to process packed files in xz format. Nevertheless, it is an inseparable part of every Linux distribution based on systemd, as the system service uses the library. Various package formats such as .deb and Fedora RPMs also use the xz packer to compress package data.</p>
<p>As the discoverer Andres Freund found out, the backdoor can only be found in the source code packages for various liblzma versions, i.e. it cannot be found in the project's Git repository. What exactly the backdoor does and whether it is already being actively exploited by attackers is still unclear at the moment. However, the author is known, a developer named "Jia Tan", who was a very active contributor to the liblzma project along with several other - possibly fake - developer accounts.</p>
<p>The alleged conspiracy exerted strong pressure on the main developer of liblzma in June 2022 to leave the project in "more active hands", which then happened. In February of this year, Jia Tan then hid the well-disguised backdoor, which presumably weakens or disables the authentication function of OpenSSH. The backdoor only activates when it detects the program name "/usr/sbin/sshd". At the moment there is no complete analysis of the backdoor code, but the editors are following up the analysis. There is an  on Github. There is also already a CVE ID for the backdoor: .</p>
<p>The major Linux distributions ,  and  have only delivered the malicious code in their test versions, such as Debian Sid, and have reverted to secure versions. To be on the safe side, Fedora is also calling on users of version 40 to update. The macOS package manager Homebrew, however, also used the Trojanized version of the xz tools in various applications - the developers have also  here.</p>
<h4>Kali, Arch and others affected</h4>
<p>The pentesting Linux  and  are also warning users about backdoors in current versions of their distributions and urging them to update quickly. Other distributions are taking a similar approach, such as Gentoo, which . Other distributions are likely to follow - administrators will have to keep an eye on developments in their favorite Linux flavor over the Easter weekend. Presumably, the backdoor was not exploitable or even active in many of these cases, because various circumstances have to come together for this to happen. Nevertheless, users are well advised to install available updates as soon as possible, especially because the functionality of the backdoor is not yet fully understood. The backdoor finder has written  to find a potentially vulnerable liblzma version on its own system. Although it does not offer complete security, it does provide a first clue.</p>
<p>Meanwhile, the security scene is still on the alert. The fact that an unknown person can take control of an open source project with the help of possibly fake henchmen and inject malicious code highlights the precarious situation of many projects, especially smaller ones. The fact that a single project participant is responsible for the entire program code and does so on a voluntary basis is not unusual, but it is a potentially harmful situation.</p>
<p><em>(Editor's note: The situation surrounding the liblzma vulnerability is developing very quickly and is currently very confusing. We will update this report over the next few hours to include a  should there be any further developments).</em></p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15486</guid>
                        <pubDate>Tue, 26 Mar 2024 14:17:00 +0100</pubDate>
<title>Raccoon: Data thief steals information from browsers and crypto wallets</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/racoon-datendieb-stiehlt-infos-aus-browsern-und-krypto-wallets</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Raccoon: Data thief steals information from browsers and crypto wallets</h2>
<p>Malware that steals data on a grand scale is nothing unusual. Using an example of a currently active data thief, security researchers are now explaining the attackers' principle and warning of its spread.</p>
<p>Cyber criminals are making money with malware-as-a-service (MaaS). They offer malicious code for "rent", which can then spy on a victim's PC. As the  reports, another such network has now  at the security service provider . It is a so-called Infostealer, i.e. a data thief called Raccoon. The malware is also active under the names Legion, Mohazo and Racealer.</p>
<h4>Malware-As-A-Service</h4>
<p>The new thing about these malware programs is that they are distributed as a Malware-As-A-Service with low entry barriers: Anyone who finds the offer only needs a little money. No prior knowledge is required. In the past, such tools were reserved for more sophisticated attackers at best, explains CyberArk. Now, even beginners can buy data thieves like Raccoon to gain access to the sensitive data of an organization or any target.<br> <br> Raccoon specializes in extracting sensitive data from around 60 applications on a target computer. These include popular web browsers such as Google , Internet Explorer and , as well as niche clients such as TorBro, Mustang and Torch.</p>
<h3>Spread is increasing</h3>
<p>Raccoon was first discovered around a year ago, when it was still being distributed via Russian-language forums. Now, according to CyberArk, the tool can also be found in English-speaking countries. An analysis by CyberArk revealed that the Infostealer is written in C++ and is far from being a complex tool. However, it can <strong>steal sensitive and confidential information from almost 60 programs (browsers, crypto wallets, email and FTP clients). This includes cookies, history and autofill information.</strong><br> <br> Raccoon reaches its victims via exploit kits and phishing, among other things. Despite the simplicity of the malware, it has already infected hundreds of thousands of computers worldwide.</p>
<h5>Applications that Raccoon steals from:</h5><ul class="list-normal"> 	<li>Browsers:</li> 	<li>Google Chrome, Google Chrome (Chrome SxS), Chromium, Xpom, Comodo Dragon, Amigo, Orbitum, Bromium, Nichrome, RockMelt, 360Browser, Vivaldi, Opera, Sputnik, Kometa, Uranium, QIP Surf, Epic Privacy, CocCoc, CentBrowser, 7Star, Elements, TorBro, Suhba, Safer Browser, Mustang, Superbird, Chedot, Torch</li> 	<li>, Microsoft Edge</li> 	<li>Firefox, WaterFox, SeaMonkey, PaleMoon</li> 	<li>Email clients:</li> 	<li>ThunderBird, Outlook, Foxmail</li> 	<li>Crypto wallets:</li> 	<li>Electrum, Ethereum, Exodus, Jaxx, Monero, Bither</li> </ul><p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
                    <item>
                        <guid isPermaLink="false">news-15485</guid>
                        <pubDate>Fri, 22 Mar 2024 14:16:00 +0100</pubDate>
                        <title>Problems with Microsoft March Updates</title>
                        <link>/en/informationssicherheit/sicherheitswarnungen/details/news/probleme-bei-microsoft-maerz-updates</link>
                        <description></description>
                        <content:encoded><![CDATA[<h2>Microsoft: March updates can paralyze Windows Server</h2>
<p>Microsoft has confirmed that the March security updates can paralyze Windows servers with Active Directories.</p>
<p>If you operate a Windows server and manage an Active Directory with it, you may have a problem after applying the updates from Microsoft's March Patchday. The server may stop and restart.</p>
<p>In the , Microsoft's developers write that after installing the March security update , the Local Security Authority Subsystem Service (LSASS) may have memory leaks on domain controllers (DCs). This can be observed if on-premise or cloud-based Active Directory domain controllers send Kerberos authentication requests.</p>
<h3>Windows Server: Crashes after "extreme memory leaks"</h3>
<p>Memory leaks often lead to performance losses. The developers explain that the LSASS service can crash after "extreme memory leaks", which triggers an unplanned restart of the underlying domain controller. Microsoft emphasizes that this does not occur on home devices, but only in environments in organizations that use the Windows Server platform.</p>
<h3>The good news</h3>
<p>The programmers have reportedly tracked down the root of the problem and <strong>are working on a solution that will be released in the coming days.</strong></p>
<p>The systems specifically affected are Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022, both in the local network and in the cloud.</p>
<p>Microsoft already had problems with the Windows updates on Patchday in January. They could . The company then provided tips on how to apply the update successfully after all.</p>
<p>Found on </p>]]></content:encoded>
                        
                        
                    </item>
                
            
        </channel>
    </rss>


