By Hisan Kidwai OPPO’s Find series has been a mystery to much of the world, as the last one…
The post OPPO Find X8 Review: The Ultimate Camera Experience appeared first on Fossbytes.

Source:: Fossbytes

In connection with this year’s Ignite conference, Microsoft has unveiled a new interpretation tool that will be added to Teams in the spring. What makes the voice cloning tool — currently called “Interpreter In Teams” — special is that users will be able to use your own voice to speak in other languages ​​in real time.

According to Techcrunch, users need a subscription to Microsoft 365 to have access to the technology.

Initially, the tool will support nine languages: English, French, Italian, Portuguese, Spanish, German, Japanese, Korean and Mandarin. More languages ​​are likely to be added over time.

Source:: Computer World

Among the first things Apple IT admins woke up to this morning was news of a pair of actively exploited zero-day attacks in the wild targeting Intel Macs, iPhones, iPads, and even Vision Pro users. Apple has already released software patches for the flaws, which is why the second thing admins realized is that they must rush through any necessary software verification process required before expediting installation of the update.

In these days of remotely managed devices and increasingly effective MDM systems, that’s far less a problem than it was in the past. You can usually make a policy change and push out updates to all your managed devices quickly.

Companies that don’t use these systems, or those that have employees using their own personal devices to access potentially sensitive internal data, must work harder to convince users to install security updates. So, what can they tell people about the latest threat that might help motivate them to install the patch today?

Why you should update immediately

First, Apple says it believes the attack is being actively used, which means any Intel system — including systems used by other people you interact with — is a potential target. “Apple is aware of a report that this issue may have been exploited,” the company said. 

Second, it slips in using flaws in software you use daily, including JavaScript and WebKit, the rendering engine that powers the Safari browser on Apple devices. In other words, everyone using Apple’s devices is a potential target. 

Finally — and perhaps best of all — Apple has already shipped a fix for the problem, maintaining its reputation for being ahead of threats, rather than echoing the approach taken by some other platforms and racing to keep up with attacks. It’s almost as if Apple’s systems remain more secure for a reason. The company addressed 20 zero-day attacks in 2023 and has guarded against just six so far this year.

Apple also shipped security patches for iOS 17 and iPad OS 17 systems and patches for Safari on macOS Ventura and Sonoma.

What the experts say

Michael Covington, vice president for portfolio strategy at Jamf, thinks all users should update at once.

“While Apple has warned that the vulnerabilities, also present in macOS, may be actively exploited on Intel-based systems, we recommend updating any device that is at risk,” he said. “With attackers potentially exploiting both vulnerabilities, it is critical that users and mobile-first organizations apply the latest patches as soon as they are able.” 

What are these attacks?

The attack vector makes use of two vulnerabilities found in macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309). The first lets attackers achieve remote code execution (RCE) through maliciously crafted web content; the second lets attackers engage in cross-site scripting attacks.

As admins will recognize, RCE exploits can enable attackers to install malware surreptitiously on infected machines, perform denial-of-service attacks, or access sensitive information, while a cross-scripting attack can help hackers grab personal data for identity theft and other nefarious ends.  No one wants to be a victim of either form of attack.

Who is using these attacks?

No information pertaining to who has been using these flaws in their attacks has been shared. With that in mind, it’s important to note that the flaws were identified by researchers at Google’s Threat Analysis Group (TAG), which works to counter government-backed attacks. That suggests that whoever has been weaponizing these vulnerabilities is connected to a national entity of some kind.

If that is the case, recent reports from TAG suggest an upsurge in such attacks, so users in some industries and professions might want to consider locking down their devices with Apple’s Lockdown Mode to minimize their attack surface. IT, meanwhile, should review security compliance, particularly among those using older iPhones, iPads, or Intel Macs.

You can follow me on social media! Join me on BlueSky,  LinkedIn, Mastodon, and MeWe. 

Source:: Computer World

By Nick Godt Stellantis’ new platform aims to deliver driving range of up to 690 miles for extended range electric vehicles.

Source:: Digital Trends

By Siôn Geschwindt UK startup Surf Security has launched a beta version of what it claims is the world’s first browser with a built-in feature designed to spot AI-generated deepfakes.  The tool, available through Surf’s browser or as an extension, can detect with up to 98% accuracy whether the person you’re interacting with online is a real human or an AI imitation, the company said.  The London-based cybersecurity upstart uses “military-grade” neural network technology to detect deepfakes. The system uses State Space Models, which detect AI-generated clones across languages and accents by analysing audio frames for inconsistencies.   “To maximise its effectiveness, we focused…This story continues at The Next Web

Source:: The Next Web

By Siôn Geschwindt British scaleup Tokamak Energy has secured $125mn as it looks to harness fusion — the same clean, virtually limitless energy source that powers the Sun and stars.  Tokamak spun out from the UK’s Atomic Energy Authority in 2009. As its name suggests, the company is building a tokamak reactor, the most common kind of fusion design, first pioneered in the 1960s. Tokamaks use giant magnets to keep plasma moving in a loop while running an electrical current through it.  The funding brings the company’s total raised to $335 million, comprising $280m from private investors and $60m from the UK and…This story continues at The Next Web

Source:: The Next Web

It took the UK’s Competition and Markets Authority (CMA) less than a month to decide that there is no need to proceed further with a merger investigation after Google’s purchase of a $2 billion stake in Anthropic.

In a statement released on Oct. 24, the CMA indicated that it had obtained “sufficient information” to launch a preliminary investigation into the investment by Google, which was first announced last year and involved an initial sum of $500 million, with the remainder to be invested at a later date.

The regulator was then scheduled to announce on Dec. 19 whether or not a more detailed phase 2 probe would take place, a move that ended up being fast forwarded.

Scott Bickley, advisory fellow at Info-Tech Research Group, said when the initial investigation was announced that the probe sounded like a “precautionary investigation across the board to me, primarily due to the fact that the CMA just recently approved Amazon’s Anthropic investment and partnership.”

Last March, Amazon announced it was investing $2.75 billion in Anthropic, bringing its total investment in the AI startup to $4 billion.

As part of this partnership, Anthropic said it would use Amazon Web Services (AWS) as its main cloud provider for key operations, including AI safety research and the development of foundation models. Anthropic will also use AWS Trainium and Inferentia chips for building, training, and deploying future models.

The CMA ruling on that investment was released on Sept. 27, and stated that the regulator does not believe that a “relevant merger situation has been created.”

Phil Brunkard, executive counselor at Info-Tech Research Group, UK, said last month that “both Google and Amazon are trying to compete with OpenAI, but it’s interesting that the CMA is focusing on Google when Amazon was just cleared, which raises some questions about consistency.”

While investigations do create some uncertainty, he said, “Amazon’s clearance hints that Google could have a similar outcome. It seems the CMA is just being thorough, but these investments will likely continue.”

Brunkard said Tuesday he was not surprised by the ruling issued by the CMA, a non-ministerial department in the UK government that oversees business activities and flags potentially unfair competition.

“As I had mentioned previously, the CMA appeared to have been conducting a thorough review, and the latest report confirms they were satisfied after assessing their criteria,” he said, adding, “it’s essential that the CMA continues this consistent approach to ensure a fair and competitive marketplace.”

This kind of oversight, said Brunkard, is “especially important in the exponentially evolving AI sector, where investments from tech giants like Google and Amazon have the potential to shape the market significantly.”

The CMA first launched an initial review into the market for AI systems in May 2023, and in a statement announced it would focus in on three key areas: how the competitive markets for foundation models and their use could evolve; the opportunities and risks these scenarios could bring for competition and consumer protection; and what guiding principles should be introduced to support competition and protect consumers as AI models develop.

The organization said that the review is in line with the UK government’s aim to support “open, competitive markets.”

Source:: Computer World

Cyber-attacks can cost companies millions of dollars in lost revenue, legal fees, and recovery efforts. A security breach can severely tarnish a company’s reputation and customer trust, making comprehensive internet security crucial for your small business.

Investing in effective cybersecurity measures, especially regarding business internet and email security, acts as a shield against potential threats. These internet security solutions will protect your sensitive data and maintain the trust and safety of your clients and partners.

Business Internet Security Checklist

Building a robust internet security strategy for your business may seem complex. To help you prioritize your cybersecurity threats and build a strong security solution, we’ve created an extensive checklist.

1. Secure Your Network Infrastructure

The foundation of good internet security relies on a strong, secure network infrastructure. Your network is like your office; strong walls, locked doors, and vigilant guards keep it secure.

Firewall Protection: Your First Line of Defense

Firewalls act as a barrier between your network and the outside world, blocking unauthorized access and malicious traffic. Think of it as your business’s security guard, carefully checking everyone who tries to enter. Firewalls can filter incoming and outgoing network traffic, enforcing your security rules through threat detection.

Network Segmentation for Damage Control

Imagine dividing your office into sections with different security clearances—that’s what network segmentation does. By separating your network into smaller, isolated segments, you limit the reach of any potential breach.

Even if one part of your network is compromised, the others remain safe, containing the damage and preventing a complete shutdown. Network segmentation is one of the most important security features a business can implement, even if you run a small business.

2. Strengthen Your Devices and Access Points

Each device on your business’s network, from computers to mobile phones, represents a potential point of entry for hackers. Treat connected devices as a door to your Wi-Fi networks, ensuring each one is secure enough to protect the entire structure.

Robust Passwords and Multi-Factor Authentication (MFA)

Using weak or easily guessable passwords is like leaving your office unlocked, allowing online threats to gain access. It’s an open invitation for trouble. Implement a strong password policy requiring employees to use complex passwords.

You should encourage use of a password manager and implement multi-factor authentication (MFA) on all accounts to add another layer of protection. Strong passwords are one of the easiest ways to strengthen your business cybersecurity.

Regular Software Updates

Software updates often include vital security patches that address identified vulnerabilities. Delaying updates on your security software is like ignoring a leaky roof; if left unattended, it will only get worse. Patch management and regularly updating all software on all your devices, including antivirus software and operating systems, will minimize the risk of exploitation.

Schedule updates and educate your employees about the importance of keeping their systems current. Regularly updating your software is one of the best free security solutions for your business.

Endpoint Detection and Response (EDR) Solutions

EDR solutions are your network’s security team that continuously monitors for suspicious activity. They then respond to this activity in real-time. Consider implementing an EDR solution that proactively detects, isolates, and responds to threats on individual devices within your network.

3. Safeguarding Your Data

Your business’s data—customer information, financial records, and intellectual property—is invaluable. Protecting your business data should be a top priority.

Data Encryption

Imagine losing access to all your essential documents; that’s the chaos data loss can cause. Having secure backups of your crucial data ensures business continuity, even if a cyber incident occurs.

Implement a secure data backup and recovery plan that includes regular backups, offsite storage, and disaster recovery testing. It is also vital to make sure your internet connection is secure before backing up data to the cloud.

Implement a Data Loss Prevention (DLP) Strategy

A robust DLP strategy helps detect, monitor, and prevent the unauthorized use or transmission of sensitive data. This strategy acts as a safeguard against both accidental data leaks and intentional theft.

4. Educating Your Workforce

Your employees play a critical role in maintaining strong business internet security. Equip them with the knowledge and tools they need to act as an added layer of defense through security awareness training workshops. Human error causes many data leaks and security risks.

Cybersecurity Training

Conduct regular and comprehensive cybersecurity training for all employees. Training should focus on common cyber threats like malicious sites, phishing scams, and social engineering attacks. It is also important to educate employees about security awareness and best practices for online security, especially on public networks.

Password Management

Encouraging the use of strong and unique passwords for all business accounts, such as Microsoft Exchange, is key to fortifying your first line of defense. Implement a business-wide password manager for secure storage and effortless access for your employees.

Establish Clear Communication Channels

Establishing clear communication protocols for reporting security incidents and concerns helps you address issues more rapidly and effectively. This will help mitigate potential damage. Encourage employees to use these communication channels if they have accessed any inappropriate or malicious websites on company devices.

Your Business’s Cybersecurity Journey Starts Now

With cyber threats continuing to evolve and become more sophisticated, businesses can never be complacent about internet security and protecting their private network and data.

Taking proactive steps toward securing your digital infrastructure and safeguarding sensitive data is a critical business decision. Prioritizing robust internet security measures safeguards your small business and ensures you’re well-equipped to face whatever kind of threat may come your way.

While implementing these security measures may seem daunting, partnering with the right internet service provider like Optimum can give you a head start on your cybersecurity journey.Want Internet service with cybersecurity built in? Try Optimum Business Internet.

Frequently Asked Questions About Business Internet Security

How can we protect IoT devices from becoming the entry point for security vulnerabilities into a network?

IoT devices can be particularly vulnerable to security breaches, but several measures can help protect your network:

Change default passwords immediately and use strong, unique passwords for each device

Regularly update IoT device firmware to patch security vulnerabilities

Implement network segmentation to isolate IoT devices on a separate network from critical business systems

Disable unnecessary features and ports that could be exploited

Monitor IoT device activity for unusual patterns that might indicate a breach

Use a dedicated firewall for IoT devices to control their internet access

Which security measure limits the access of outsiders to the internal network of a business?

Firewalls are the primary security measure that controls external access to your internal network. They act as a barrier between your trusted internal network and untrusted external networks, like the internet. Firewalls monitor and control incoming and outgoing network traffic based on predetermined security rules, effectively limiting unauthorized access while allowing legitimate business communications to continue.

Who in a business should be responsible for cybersecurity?

While a designated IT security team or professional may lead cybersecurity efforts, security is everyone’s responsibility. Here’s how responsibility can be distributed:

Leadership: Set security policies and allocate resources

IT Department: Implement and maintain security measures

Department Managers: Ensure compliance within their teams

Employees: Follow security protocols and report suspicious activity

External Partners: Comply with security requirements when accessing company resources

However, if you don’t have the benefit of a dedicated IT department, you can turn to Optimum for help and support.

What can we do to stay on top of cybersecurity threats?

Keeping strong cybersecurity is all about staying alert and taking proactive steps. Organizations should consider signing up for threat intelligence feeds to stay updated on new vulnerabilities and regularly assess their security to spot potential issues.

Having an ongoing routine of software updates and security patches, along with ongoing employee training on security awareness, can help build a strong cybersecurity foundation. Many organizations also find it helpful to team up with cybersecurity experts who can offer advice on new threats and suggest the best security practices.

Learn more about what Optimum can do for your business.

Source:: Computer World

By Siôn Geschwindt For the past few months, Meta has been sending recipes to a Dutch scaleup called VSParticle (VSP). These are not food recipes — they’re AI-generated instructions for how to make new nanoporous materials that could potentially supercharge the green transition.  VSP has so far taken 525 of these recipes and synthesised them into nanomaterials called electrocatalysts. Meta’s algorithms predicted these electrocatalysts would be ideal for breaking down CO2 into useful products like methane or ethanol. VSP brought the machine’s predictions to life using a nanoprinter, a machine which vaporises materials and then deposits them as thin nanoporous films. Electrocatalysts speed up…This story continues at The Next Web

Source:: The Next Web

By Nick Godt Incentives on new vehicle sales are up by 60% from year-earlier levels.

Source:: Digital Trends

By Nick Godt Eaton and Treehouse have partnered to accelerate the electrification of homes for EV charging and energy storage.

Source:: Digital Trends

OpenAI launched its new AI-powered online search engine — SearchGPT — with the aim of supplanting “for specific search tasks” Google, Microsoft Bing and start-up Perplexity.

But the move is also raising concerns that it could open the door to plagiarism; AI-powered search engines have been accused of intentionally or unintentionally plagiarizing web-based content because the platforms scrape material and data from all over the web in real-time.

They can also generate content that closely mimics pre-existing content, according to Alon Yamin, CEO of AI-enabled plagiarism detection platform Copyleaks. That’s because the large language model engines behind generative AI (genAI) are trained using existing content.

“The trouble with ‘unintentional plagiarism’ is that it creates a gray area that’s challenging for both content creators and search engines to navigate,” Yamin said.

SearchGPT is a front-facing interface built atop OpenAI’s genAI-based ChatGPT chatbot; it will enable real-time web access for up-to-date sports scores, stock information and news. The search engine will also allow follow-up questions in the same search window, and its answers will consider the full context of the previous chat to offer an applicable answer.

The AI-based web crawler is also being touted for its ability to allow questions in “a more natural,” conversational way, according to OpenAI.

OpenAI announced on Oct. 31 that it had launched the SearchGPT prototype after beta testing it since July. Currently, access to SearchGPT is limited, as a list of hopeful free users waits for access.

An example of a search result from SearchGPT.
OpenAI

The pilot version of the search engine will be available at chatgpt.com/search as well as being offered as a desktop and mobile app. All ChatGPT Plus and Team users, as well as SearchGPT waitlist users, will have access from here on. Enterprise and education users will get access in the next few weeks, OpenAI said, with a “rollout to all free users over the coming months.”

One standout feature is the search engine’s ability to allow follow-up questions that build on the context of the original query.

For example, a user could ask what the best tomato plants are for your region; that could be followed up by asking about the best time to plant them.

SearchGPT is also designed to offer links to publishers of information by citing and linking to them in searches. “Responses have clear, in-line, named attribution and links so users know where information is coming from and can quickly engage with even more results in a sidebar with source links,” OpenAI said in its announcement.

Search rivals beat OpenAI to the punch

Last year, Google added its own AI-based capabilities to its search tool; so did Microsoft, which integrated OpenAI’s GPT-4 into Bing. “Big hitters like Google are already developing AI detection tools to help identify AI-generated content. But the challenge lies in distinguishing between high-quality AI-assisted content and low-quality, plagiarized material,” Yamin said. “It’s undoubtedly an ongoing process that will require constant refinement of algorithms and policies.”

For its part, Perplexity said in an updated FAQ that its web crawler, PerplexityBot, will not index the full or partial text content of any site that disallows it using robots.txt code. Robots.txt files are common simple text files stored on a web server to instruct web crawlers about which pages or sections of a website they are allowed to crawl and index.

“PerplexityBot only crawls content in compliance with robots.txt,” the FAQ explained. Perplexity also said it does not build “foundation models,” (also known as large language models), “so your content will not be used for AI model pre-training.”

The bottom line, Yamin said, is that search engines are in a “tricky position” as genAI evolves. “They want to provide the best results to users, which increasingly involves AI-generated or AI-enhanced content. At the same time, they need to protect original creators and maintain the integrity of search results. We’re seeing efforts to strike this balance, but it’s a complex issue that will take time to fully address.”

ChatGPT (i.e., SearchGPT) is probably best positioned among all competitors to upset Google’s dominance in online search, according to Damian Rollison, director of market insights at marketing software company SOCi. Of all the areas where ChatGPT competes with Google, search is where the latter’s 26-year advantage is the strongest.

“The early results of Bing search integrated into ChatGPT have been shaky, and the incredibly complex requirements of maintaining a world-class search platform tap into areas of expertise where OpenAI has yet to demonstrate its capabilities,” Rollison said.

Andy Thurai, a vice president analyst at Constellation Research, noted that Google still owns about 90% of the search engine market, meaning it won’t to be easy for anyone to encroach on that dominance.

An example of a follow-on question in SearchGPT that began with asking: ”What are the best tomatos for my region?”
OpenAI

But Thurai said SearchGPT’s ease of use and conversational interface, which provides synthesized and more prose-like answers instead of traditional search results like Google, could attract more users in the future.

While Google can provide a personalized search result based on location, and previous searches, it still has limitations in terms of offering concise and conversational-style answers that remain on point, according to Thurai. “The concise nature of the answers, whether accurate or not, might be appealing to some users versus combing through many page search engines like those Google returns.”

Ironically, when ChatGPT was asked the question: Is SearchGPT as good as Google search? ChatGPT’s reply was nuanced.

“Google is great for quickly finding specific, current resources and ChatGPT is better for having interactive conversations, asking detailed questions, or seeking explanations on a wide range of topics,” SearchGPT responded. “The two can actually complement each other depending on what you need!”

When asked whether it’s as good or better than Bing, ChatGPT replied: “In short, if you’re looking for real-time information or need to browse the web, Bing is likely better. If you need detailed, conversational, or creative assistance, ChatGPT tends to be more helpful. Each tool excels in different areas!”

The murky issue of plagiarism

Thurai said he’s unsure whether AI-based search engines or “answer engines” will invite plagiarism on their own.

“They are not all that different from Google search, in which you get many answers instead of the most relevant answer that AI thinks is relevant to your question,” he said. “However, AI for content creation is a big concern for plagiarism. What is more concerning is that the current plagiarism tools don’t catch AI-produced content correctly. They are mostly useless.”

There are, however, tools that can create digital watermark/credentials such as C2PA, which can provide some content provenance and/or authenticity mechanisms, Thurai noted.

He also argued that text-based content production via AI-search engines is virtually impossible to catch. And people are getting unfairly penalized for plagiarism by using AI when in reality they didn’t, he said.

“As AI tools become more sophisticated and part of our day-to-day lives, distinguishing between AI-generated and human-created content, properly attributing original sources or authors, and empowering overall originality becomes even more critical,” Copyleak’s Yamin said. “This is precisely where the focus needs to remain — providing robust content integrity solutions that are evolving alongside the demands of the AI landscape.”

Source:: Computer World

By Nick Godt Ford is boosting incentives on its best-selling electric vehicles, the 2024 F-150 Lightning and Mustang Mach-E models.

Source:: Digital Trends

By Nick Godt The Zero Emission Transportation Association (ZETA), a trade group whose members include the likes of Tesla, Waymo, Rivian, and Uber, is coming out in support of tax incentives for both the production and the sale of electric vehicles (EVs).

Source:: Digital Trends

By Nick Godt Even as sales slow, it’s likely that 57% of drivers will have an EV in 10 years.

Source:: Digital Trends

By Nick Godt Hertz is selling used Teslas for under $20,000 and Chevrolet Bolt EVs for under $14,000.

Source:: Digital Trends

By Deepti Pathak Tired of adding the same email addresses every time you want to send a message to…
The post How to Create a Distribution List in Gmail? appeared first on Fossbytes.

Source:: Fossbytes

By Deepti Pathak Understanding the different check marks on WhatsApp makes it much easier to track whether a person…
The post What Does One Check Mark Mean on WhatsApp? appeared first on Fossbytes.

Source:: Fossbytes

Microsoft’s November Patch Tuesday release addresses 89 vulnerabilities in Windows, SQL Server, .NET and Microsoft Office — and three zero-day vulnerabilities (CVE-2024-43451, CVE-2024-49019 and CVE-2024-49039) that mean a patch now recommendation for Windows platforms. Unusually, there are a significant number of patch “re-releases” that might also require administrator attention. 

The team at Readiness has provided this infographic outlining the risks associated with each of the updates for this cycle.  (For a rundown of recent Patch Tuesday updates, see Computerworld‘s round-up here.

Known issues 

There were a few reported issues for the September update that have been addressed now, including:

Enterprise customers are reporting issues with the SSH service failing to start on updated Windows 11 24H2 machines. Microsoft recommended updating the file/directory level permissions on the SSH program directories (remember to include the log files). You can read more about this official workaround here. 

It looks like we are entering a new age of ARM compatibility challenges for Microsoft. However, before we get ahead of ourselves, we really need to sort out the (three-month old) Roblox issue.

Major revisions 

This Patch Tuesday includes the following major revisions: 

CVE-2013-390: WinVerifyTrust Signature Validation Vulnerability. This update was originally published in 2013 via TechNet. This update is now made available and is applicable to Windows 10 and 11 users due to a recent change in the EnableCertPaddingCheck Windows API call. We highly recommend a review of this CVE and its associated Q&A documentation. Remember: if you must set your values in the registry, ensure that they are type DWORD not Reg SZ.

CVE-2024-49040: Microsoft Exchange Server Spoofing Vulnerability. When Microsoft updates a CVE (twice) in the same week, and the vulnerability has been publicly disclosed, it’s time to pay attention. Before you apply this Exchange Server update, we highly recommend a review of the reportedheader detection issues and mitigating factors.

And unusually, we have three kernel mode updates (CVE-2024-43511, CVE-2024-43516 and CVE-2024-43528 that were re-released in October and updated this month.  These security vulnerabilities exploit a race condition in Microsoft’s Virtualization Based Security (VBS). It’s worth a review of the mitigating strategies while you thoroughly test these low-level kernel patches. 

Testing guidance

Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance based on a large application portfolio and a detailed analysis of the patches and their potential impact on Windows platforms and application installations.

For this release cycle, we have grouped the critical updates and required testing efforts into separate product and functional areas including:

Networking: 

Test end-to-end VPN, Wi-Fi, sharing and Bluetooth scenarios. 

Test out HTTP clients over SSL.

Ensure internet shortcut files (ICS) display correctly

Security/crypto: 

After installing the November update on your Certificate Authority (CA) servers, ensure that enrollment and renewal of certificates perform as expected.

Test Windows Defender Application Control (WDAC) and ensure that line-of-business apps are not blocked. Ensure that WDAC functions as expected on your Virtual Machines (VM).

Filesystem and logging:

The NTFileCopyChunk API was updated and will require internal application testing if directly employed. Test the validity of your parameters and issues relating to directory notification.

I cannot claim to have any nostalgia for dial-up internet access (though I do have a certain Pavlovian response to the dial-up handshake sound). For those who are still using this approach to access the internet, the November update to the TAPI API has you in mind. A “quick” (haha) test is required to ensure you can still connect to the internet via dial-up once you update your system.

Windows lifecycle and enforcement updates

There were no product or security enforcements this cycle. However, we do have the following Microsoft products reaching their respective end of servicing terms:

Oct. 8, 2024: Windows 11 Enterprise and Education, Version 21H2, Windows 11 Home and Pro, Version 22H2, Windows 11 IoT Enterprise, Version 21H2.

Oct. 9, 2024: Microsoft Project 2024 (LTSC)

Mitigations and workarounds 

Microsoft published the following mitigations applicable to this Patch Tuesday.

CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability. As this vulnerability has been publicly disclosed, we need to take it seriously. Microsoft has offered some mitigation strategies during the update/testing/deployment for most enterprises that include:

Remove overly broad enroll or auto-enroll permissions.

Remove unused templates from certification authorities.

Secure templates that allow you to specify the subject in the request.

As most enterprises employ Microsoft Active Directory, we highly recommend a review of this knowledge note from Microsoft. 

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

Browsers (Microsoft IE and Edge);

Microsoft Windows (both desktop and server); 

Microsoft Office;

Microsoft Exchange Server;

Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core);

Adobe (if you get this far).

Browsers 

Microsoft released a single update specific to Microsoft Edge (CVE-2024-49025), and two updates for the Chromium engine that underpins the browser (CVE-2024-10826 and CVE-2024-10827). There’s a brief note on the browser update here. We recommend adding these low-profile browser updates to your standard release schedule.

Windows 

Microsoft released two (CVE-2024-43625 and CVE-2024-43639) patches with a critical rating and another 35 patches rated as important by Microsoft. This month the following key Windows features have been updated:

Windows Update Stack (note: installer rollbacks may be an issue);

NT OS, Secure Kernel and GDI;

Microsoft Hyper-V;

Networking, SMB and DNS;

Windows Kerberos.

Unfortunately, these Windows updates have been publicly disclosed or reported as exploited in the wild, making them zero-day problems:

CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability.

CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege.

CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability.

Add these Windows updates to your Patch Now release cadence. 

Microsoft Office 

Microsoft pushed out six Microsoft Office updates (all rated important) that affect SharePoint, Word and Excel. None of these reported vulnerabilities involve remote access or preview pane issues and have not been publicly disclosed or exploited in the wild. Add these updates to your standard release schedule.

Microsoft SQL (nee Exchange) Server 

You want updates to Microsoft SQL Server? We got ‘em: 31 patches to the SQL Server Native client this month. That’s a lot of patches, even for a complex product like Microsoft SQL Server. These updates appear to be the result of a major clean-up effort from Microsoft addressing the following reported security vulnerabilities:

CWE-122: Heap-based Buffer Overflow

CWE-416: Use After Free

The vast majority of these SQL Server Native Client updates address the CWE-122 related buffer overflow issues. Note: these patches update the SQL Native client, so this is a desktop, not a server, update. Crafting a testing profile for this one is a tough call. No new features have been added, and no high-risk areas have been patched. However, many internal line-of-business applications rely on these SQL client features. We recommend that your core business applications be tested before this SQL update, otherwise add it to your standard release schedule. 

Boot note: Remember that there is a major revision to CVE-2024-49040 — this could affect the SQL Server “server” side of things.

Microsoft development platforms

Microsoft released one critical-rated update (CVE-2024-43498) and three updates rated as important for Microsoft .NET 9 and Visual Studio 2022. These are pretty low-risk security vulnerabilities and very specific to these versions of the development platforms. They should present a reduced testing profile. Add these updates to your standard developer schedule this month.

Adobe Reader (and other third-party updates)

Microsoft did not publish any Adobe Reader-related updates this month. The company  released three non-Microsoft CVEs covering Google Chrome and SSH (CVE-2024-5535). Given the update to Windows Defender (as a result of the SSH issue), Microsoft also published a list of Defender vulnerabilities and weaknesses that might assist with your deployments.  

Source:: Computer World

By Siôn Geschwindt London-based startup Gendo has secured €5.1mn amid booming demand for its generative AI software built for architects.  British architectural designer George Proud and software engineer Will Jones founded Gendo in 2022. The platform transforms simple inputs like sketches, 2D drawings, or text descriptions into hypereal building designs.  It works a bit like Midjourney or DALL-E, except it’s built by architects for architects. The tool allows you to precisely edit specific details of your design, such as colours, lighting, structural elements, or furniture. The model produces more life-like results than more general AI algorithms.    What’s more, Gendo claims it can…This story continues at The Next Web

Source:: The Next Web