English - French - Italian

Microsoft

Dual-Boot Linux broken after Windows security update

Peter • Sunday, August 25, 2024 • 2 mins read (300)

The issue:

A monthly Windows update pushed on August 13 has disrupted dual-boot systems running both Windows and Linux.
The update, released on August 13, aimed to fix a two-year-old vulnerability (!) (CVE-2022-2601) related to the GRUB bootloader but, according to Microsoft, inadvertently caused boot failures for many users:

"the update would apply to "dual-boot systems that boot both Windows and Linux and should not affect these systems."
But in fact... after update several users, reported that they were shown the following (lovely and generic) error: Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation'

Microsoft

MFA mandatory for Azure services, soon

Peter • Friday, August 23, 2024 • 1 min read (205)

The good intention:

Microsoft will implement mandatory multi-factor authentication (MFA) for all Azure services starting October 2024. This move aims - of course - to enhance security by ensuring that users verify their identity through multiple methods before accessing services. The requirement will apply to all Azure users, including those with existing accounts.

Networking

New TLD is now reserved from ICANN for internal networks

Peter • Monday, August 12, 2024 • 1 min read (104)

The point:

The Internet Corporation for Assigned Names and Numbers (ICANN) has officially reserved the top-level domain “.INTERNAL” for private-use applications.

emails

Roundcube mail server fix

Peter • Thursday, August 8, 2024 • 1 min read (101)

The issue:

A critical Cross-Site Scripting (XSS) vulnerability was discovered in Roundcube, an open-source webmail software widely used by government agencies and universities.

This vulnerability allows attackers to execute arbitrary JavaScript in the victim's browser simply by having them view a malicious email.
Attackers can 'easily' exploit these vulnerabilities, since no user interaction beyond opening the attacker's email is needed or just one click is required, making them particularly dangerous.
WHY? vulnerabilities leading to the theft of emails, contacts, and passwords, as well as unauthorized email sending from the victim's account !

Microsoft

Simple CSS can be used to bypass anti-phishing Outlook warning...

Peter • Wednesday, August 7, 2024 • 2 mins read (228)

The issue:

To help user to pay better attention to email from unfamiliar addresses, Microsoft 365 add a warning to the email stating “You don't often get email from xyz@example.com. Learn why this is important”.
The so called "First Contact Safety Tip" (from Exchange Online Protection (EOP) and Microsoft Defender).

Microsoft

New Outlook flaw: MonikerLink

Peter • Monday, February 19, 2024 • 1 min read (142)

The good:

Microsoft Outlook attachments and links cannot be downloaded by default to prevent exploit (let say a malicious script execution).
A (wellknown) readonly feature called Office Protected View.