Slashdot Mirror

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is are five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: last two docs are empty and don't include any info just yet].

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is are five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: last two docs are empty and don't include any info just yet].

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is are five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: last two docs are empty and don't include any info just yet].

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is are five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: last two docs are empty and don't include any info just yet].

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

An anonymous reader writes: Microsoft published today a generic "security configuration framework" that contains guidance for systems administrators about the basic security settings they should be applying in order to secure Windows 10 devices. The SECCON framework, the name Microsoft gave this framework, is are five different recommendations for securing a Windows 10 device, depending on its role inside an organization (Enterprise security, Enterprise high-security, Enterprise VIP security, DevOps, Administrator). [Note: last two docs are empty and don't include any info just yet].

For each of these security levels, Microsoft has published default templates for Windows policies that sysadmins can apply to desired PCs, based on the access levels those workstations have. Microsoft hopes this will automate a system administrator's job in deploying a basic minimum of security features to Windows 10 systems, on which custom modifications can then be made, depending on each enterprise's needs.

Mark Wilson writes: Since the arrival of USB drives, we have been warned that they need to be 'safely removed' using the correct method in Windows, rather than just being yanked out — but now this changes.

With Windows 10 1809, Microsoft is changing the default setting that's applied to USB drives and other removable media. The change means that the default policy applied to removable storage devices is Quick Removal rather than Better Performance — so you can now just pull it out without a second thought.

Starting today, Microsoft is ending all ebook sales in its Microsoft Store for Windows PCs. "Previously purchased ebooks will be removed from users' libraries in early July," reports The Verge. "Even free ones will be deleted. The company will offer full refunds to users for any books they've purchased or preordered." From the report: Microsoft's "official reason," according to ZDNet, is that this move is part of a strategy to help streamline the focus of the Microsoft Store. It seems that the company no longer has an interest in trying to compete with Amazon, Apple Books, and Google Play Books. It's a bit hard to imagine why anyone would go with Microsoft over those options anyway.

If you have purchased ebooks from Microsoft, you can continue accessing them through the Edge browser until everything vanishes in July. After that, customers can expect to automatically receive a refund. According to a newly published Microsoft Store FAQ, "refund processing for eligible customers start rolling out automatically in early July 2019 to your original payment method." If your original payment method is no longer valid (or if you used a gift card), you'll receive a credit back to your Microsoft account to use online at the Microsoft Store. Microsoft will also offer an additional $25 credit (to your Microsoft account) if you annotated or marked up any ebook that you purchased from the Microsoft Store prior to today, April 2nd. Liliputing reminds us that "if you pay for eBooks, music, movies, video games, or any other content from a store that uses DRM, then you aren't really buying those digital items so much as paying a license fee for the rights to access them... a right that can be revoked if the company decides to remove a title from your device unexpectedly or if a company shuts down a server that would normally handle the digital rights management features."

You can find DRM-free eBooks at some online stores including Smashwords and Kobo (by browsing the DRM-free selection), or from publisher websites including Angry Robot, and Baen.

An anonymous reader writes: Microsoft today announced that Visual Studio 2019 for Windows and Mac has hit general availability — you can download it now from visualstudio.microsoft.com/downloads. Visual Studio 2019 includes AI-assisted code completion with Visual Studio IntelliCode. Separately, real-time collaboration tool Visual Studio Live Share has also hit general availability, and is now included with Visual Studio 2019.

Long-time Slashdot reader theodp writes: After seeing to it that UK Prime Minister David Cameron, US President Barack Obama, and Canadian Prime Minister Justin Trudeau all received (widely-publicized) coding lessons, Code.org CEO Hadi Partovi noted in late 2016 that he was "still working on Pope Francis." GeekWire reports that Partovi was able to cross that one off his bucket list Thursday, as he helped Pope Francis become 'the first Pope to write a line of code' at a 'Programming for Peace' event organized by the Pope's foundation, Scholas Occurrentes, in Vatican City (not ready for Twitch.TV video).

"In the 21st century, computer science is a fundamental subject that all students should learn," said Partovi, whose tech-bankrolled nonprofit has entered a partnership with Scholas to introduce children to computer science. "Schools should teach computer science to prepare students for the future, empower children with creativity and teach how to harness technology and creativity." The Pontiff's programming lesson comes a month after Partovi's next-door neighbor, Microsoft President and Code.org Board member Brad Smith, had a sit-down with the Pope to discuss the ethical use of AI and ways to bridge the digital divide between rich and poor nations.

Google researcher James Forshaw discovered a new class of vulnerability in Windows before any bug had actually been exploited. The involved parts of the flaw "showed that there were all the basic elements to create a significant elevation of privilege attack, enabling any user program to open any file on the system, regardless of whether the user should have permission to do so," reports Ars Technica. Thankfully, Microsoft said that the flaw was never actually exposed in any public versions of Windows, but said that it will ensure future releases of Windows will not feature this class of elevation of privilege. Peter Bright explains in detail how the flaw works. Here's an excerpt from his report: The basic rule is simple enough: when a request to open a file is being made from user mode, the system should check that the user running the application that's trying to open the file has permission to access the file. The system does this by examining the file's access control list (ACL) and comparing it to the user's user ID and group memberships. However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file. As well as this security check, there's a second distinction made: calls from user mode require strict parameter validation to ensure that any memory addresses being passed in to the function represent user memory rather than kernel memory. Calls from kernel mode don't need that same strict validation, since they're allowed to use kernel memory addresses.

Accordingly, the kernel API used for opening files in NT's I/O Manager component looks to see if the caller is calling from user mode or kernel mode. Then the API passes this information on to the next layer of the system: the Object Manager, which examines the file name and figures out whether it corresponds to a local filesystem, a network filesystem, or somewhere else. The Object manager then calls back in to the I/O Manager, directing the file-open request to the specific driver that can handle it. Throughout this, the indication of the original source of the request -- kernel or user mode -- is preserved and passed around. If the call comes from user mode, each component should perform strict validation of parameters and a full access check; if it comes from kernel mode, these should be skipped. Unfortunately, this basic rule isn't enough to handle every situation. For various reasons, Windows allows exceptions to the basic user-mode/kernel-mode split. Both kinds of exceptions are allowed: kernel code can force drivers to perform a permissions check even if the attempt to open the file originated from kernel mode, and contrarily, kernel code can tell drivers to skip the parameter check even if the attempt to open the file appeared to originate from user mode. This behavior is controlled through additional parameters passed among the various kernel functions and into filesystem drivers: there's the basic user-or-kernel mode parameter, along with a flag to force the permissions check and another flag to skip the parameter validation...

Microsoft has announced a form of DirectX 12 that will support Windows 7. "Now before you get too excited, this is currently only enabled for World of Warcraft; and indeed it's not slated to be a general-purpose solution like DX12 on Win10," reports AnandTech. "Instead, Microsoft has stated that they are working with a few other developers to bring their DX12 games/backends to Windows 7 as well. As a consumer it's great to see them supporting their product ten years after it launched, but with the entire OS being put out to pasture in nine months, it seems like an odd time to be dedicating resources to bringing it new features." From the report: For some background, Microsoft's latest DirectX API was created to remove some of the CPU bottlenecks for gaming by allowing for developers to use low-level programming conventions to shift some of the pressure points away from the CPU. This was a response to single-threaded CPU performance plateauing, making complex graphical workloads increasingly CPU-bounded. There's many advantages to using this API over traditional DX11, especially for threading and draw calls. But, Microsoft made the decision long ago to only support DirectX 12 on Windows 10, with its WDDM 2.0 driver stack.

Today's announcement is a pretty big surprise on a number of levels. If Microsoft had wanted to back-port DX12 to Windows 7, you would have thought they'd have done it before Windows 7 entered its long-term servicing state. As it is, even free security patches for Windows 7 are set to end on January 14, 2020, which is well under a year away, and the company is actively trying to migrate users to Windows 10 to avoid having a huge swath of machines sitting in an unpatched state. In fact, they are about to add a pop-up notification to Windows 7 to let users know that they are running out of support very soon. So adding a big feature like DX12 now not only risks undermining their own efforts to migrate people away from Windows 7, but also adding a new feature well after Windows 7 entered long-term support. It's just bizarre.

Microsoft is reportedly working on a new functionality that will automatically remove botched updates from Windows 10 to fix startup issues and other bugs preventing the PC from booting. "The support document was quietly published a couple of hours ago and for some reasons, Microsoft has also blocked the search engines from crawling or indexing the page," reports Windows Latest. "In the document, Microsoft explains that Windows may automatically install updates in order to keep your device secure and smooth." From the report: Due to various reasons, including software and driver compatibility issues, Windows Updates are vulnerable to mistakes and hardware errors. In some cases, Windows Update may fail to install. After installing a recent update, if your PC experience startup failures and automatic recovery attempts are unsuccessful, Windows may try to resolve the failure by uninstalling recently installed updates. In this case, users may receive a notification with the following message: "We removed some recently installed updates to recover your device from a startup failure."

Microsoft says that Windows will also automatically block the problematic updates from installing automatically for the next 30 days. During these 30 days, Microsoft and its partners will investigate the failure and attempt to fix the issues. When the issues are fixed, Windows will again try to install the updates. Users still have the freedom to reinstall the updates. If you believe that the update should not be removed, you can manually reinstall the driver or quality updates which were uninstalled earlier.

An anonymous reader quotes a report from Bleeping Computer: Microsoft has started to display notifications in the Windows 10 Action Center asking users to have a phone call with Microsoft developers and provide direct feedback about the ALT+TAB feature in Windows. While using a Windows 10 Insider build today, I was shown a Feedback Hub notification stating that "Microsoft wants to hear your opinions! To set up a phone call with Windows engineers, go to: http://www.aka.ms/alttab." This link then redirects to a web page at https://ux.microsoft.com/?AltTab. It is not known if this is only being shown to Windows Insiders users at this time.

When users visit this link they will be shown a Microsoft User Research page stating that a Windows 10 product team is looking to "understand our customer needs" and would like to have an anonymous 5-10 minute phone call with the user. In this particular case, the phone call will be with Microsoft engineers to discuss how users use the ALT+TAB feature to switch between apps. Microsoft states they are performing these calls in order to get a better understanding of how a feature is being used while they are in development. According to the web site, Windows engineers will be available on 3/11/2019 between 11:15 AM and 1:00 PM PST and on 3/12/2019 between 9:30 AM and 11:30 AM PST to schedule a call. The page goes on to say that users can expect a 5-10 minute call, but that it could last longer if there is more to discuss. They also state that the calls are not being recorded, are anonymous, and the content of the call will not be stored.

Microsoft today introduced the AI Business School, a series of case studies and free instructional videos made to help business executives design and successfully implement an AI strategy within their organization. From a report: The Microsoft AI Business School is born out of three years of conversations with customers and follows the launch of an AI school for developers and AI School first introduced last year. The AI Business School follows the lead of similar instructional guides, such as the AI Transformation Playbook from Andrew Ng. Unlike others, AI Business School material draws on three years of conversations with customers implementing AI, as well as lessons learned from AI solutions Microsoft introduced internally, Microsoft vice president of AI marketing and productization Mitra Azizirad told VentureBeat in a phone interview. Course content will focus on four main areas: strategy, culture, technology basics, and responsible AI. And courses will include tools for things like evaluating a business' AI maturity level to understand what's required to successfully implement AI.

Microsoft is officially killing off its Microsoft Band and Microsoft Health Dashboard apps and services on May 31st. "The software giant already discontinued its wrist-worn Band fitness tracker more than two years ago, but the company has kept the Band apps running to support existing users," reports The Verge. "That will now change on May 31st, with the backend services ending and the apps being removed from the Microsoft Store, Google Play, and Apple's App Store." From the report: Existing Band users will be able to export their data before the end of May, and services powered by the cloud will cease to function in June. Band users should still be able to record daily steps, heart rate, and workouts, alongside activity data, sleep tracking, and alarm functionality. If a Band user resets a device then it will be "impossible to set up the device again" according to Microsoft.

Some Microsoft Band users will be eligible for a refund from the software giant, though. Microsoft is letting active users who have synced data from a Band to the Health Dashboard between December 1st 2018 and March 1st 2019 apply for a refund on their hardware. Surprisingly, Microsoft is offering $79.99 for Band 1 owners, and $175 for Band 2 devices. If your Microsoft Band is also covered under warranty, the same refund values will be available.

An anonymous reader quotes Business Insider's update on Microsoft Clippy, the animated cartoon paperclip that was Office's virtual assistant until the early 2000s, that "everyone loved to hate."

After 18 years, has it become retro chic? When Chloe Condon, a newly hired Microsoft cloud evangelist, ordered new business cards, she avoided the standard corporate look and instead went with Clippy-themed cards and tweeted them out... They've got a picture of Clippy on the front and on the back they say, "It looks like you are trying to get in touch with Chloe," with her contact info listed below...

Naturally, the Clippy The Paperclip Twitter account loved these cards. He tweeted, "@chloecondon It looks like you're using my likeness on your new business cards. Would you like help with WAIT I'M ON BUSINESS CARDS NOW?!" And then former Microsoft exec Steven Sinofsky, the man credited for developing Microsoft Office into a massive hit, noticed the cards and tweeted, "I suppose if you live long enough, others will wear your failures as a badge of honor...."

After four years of scorn, Clippy was officially retired in 2001. Sinofsky tells Business Insider that the company even issued a funny press release about it.... Microsoft even held an official retirement party for him in San Francisco, too. Sinfosky shared a photo from that party with us... If you look closely, you'll see unemployed Clippy is actually using the party thrown in his honor to collect charity for himself and beg for food.

HashCat, an open-source password recovery tool, can now crack an eight-character Windows NTLM password hash in less than 2.5 hours. "Current password cracking benchmarks show that the minimum eight character password, no matter how complex, can be cracked in less than 2.5 hours" using a hardware rig that utilizes eight Nvidia GTX 2080Ti GPUs, explained a hacker who goes by the pseudonym Tinker on Twitter in a DM conversation with The Register. "The eight character password is dead." From the report: It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. According to Tinker, it's still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers. It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. Tinker estimates that buying the GPU power described would require about $10,000; others have claimed the necessary computer power to crack an eight-character NTLM password hash can be rented in Amazon's cloud for just $25.

NIST's latest guidelines say passwords should be at least eight characters long. Some online service providers don't even demand that much. When security researcher Troy Hunt examined the minimum password lengths at various websites last year, he found that while Google, Microsoft and Yahoo set the bar at eight, Facebook, LinkedIn and Twitter only required six. Tinker said the eight character password was used as a benchmark because it's what many organizations recommend as the minimum password length and many corporate IT policies reflect that guidance. So how long is long enough to sleep soundly until the next technical advance changes everything? Tinker recommends a random five-word passphrase, something along the lines of the four-word example popularized by online comic XKCD, "correcthorsebatterystaple." That or whatever maximum length random password via a password management app, with two-factor authentication enabled in either case.

While social media may feel like a trash heap at times, Microsoft released a new study on Tuesday that claims civility is spreading on the Internet... at least slightly. From a report: Microsoft's Digital Civility Index fell two points, to 66, in 2018, signaling that Internet users around the world are treating each other slightly better, although there's still plenty of room for improvement. The closer the index is to zero, the more civil people are toward each other. The survey measured the perceptions of teens and adults in 22 countries about their online experiences and the risks they face when spending time online. If the news that the internet is apparently becoming more civil comes as a surprise, U.S. readers may want to hold onto their seats. The civility index in the U.S. fell ten points in the past year to 51, showing the biggest improvement, according to a blog post from Microsoft.

An anonymous reader quotes a report from The Register: Microsoft has warned that it isn't only Windows 7 for the chop in 2020. Unloved Internet Explorer 10 will be joining it. Finally. Internet Explorer 10 first appeared back in 2012 and in 2016 Microsoft made a concerted effort to kill the thing by focusing its support efforts on Internet Explorer 11. Anything not Edge-related or without "11" after it would no longer be supported. However, not every operating system was capable of actually running Internet Explorer 11 and Microsoft infamously restricted its Edge browser to Windows 10 (and later iOS and Android). Notable exceptions to the IE10 crackdown were Windows Server 2012 and Windows 8 Embedded.

At this point administrators will doubtless be shuddering at the memory of having to run Internet Explorer in their pristine Server environment in order to get access to some recalcitrant function or component. Alas, the shuddering must resume since after a two-year stay of execution, Microsoft has decided that IE10 must be stamped out completely. Windows Embedded 8 Standard and Windows Server 2012 will remain supported until 2023 after all, and keeping IE10 patched for another four years is doubtless keeping the engineers awake at night. Microsoft has therefore warned that as well killing off Windows 7 in 2020, enterprises that prefer to take a slower path will have to update IE on their 2012 Servers, since IE10 support will finally end for everything in January 2020. Unlike Windows 7, you won't even be able to pay for patches.

An anonymous reader quotes a report from The Register: Microsoft has warned that it isn't only Windows 7 for the chop in 2020. Unloved Internet Explorer 10 will be joining it. Finally. Internet Explorer 10 first appeared back in 2012 and in 2016 Microsoft made a concerted effort to kill the thing by focusing its support efforts on Internet Explorer 11. Anything not Edge-related or without "11" after it would no longer be supported. However, not every operating system was capable of actually running Internet Explorer 11 and Microsoft infamously restricted its Edge browser to Windows 10 (and later iOS and Android). Notable exceptions to the IE10 crackdown were Windows Server 2012 and Windows 8 Embedded.

At this point administrators will doubtless be shuddering at the memory of having to run Internet Explorer in their pristine Server environment in order to get access to some recalcitrant function or component. Alas, the shuddering must resume since after a two-year stay of execution, Microsoft has decided that IE10 must be stamped out completely. Windows Embedded 8 Standard and Windows Server 2012 will remain supported until 2023 after all, and keeping IE10 patched for another four years is doubtless keeping the engineers awake at night. Microsoft has therefore warned that as well killing off Windows 7 in 2020, enterprises that prefer to take a slower path will have to update IE on their 2012 Servers, since IE10 support will finally end for everything in January 2020. Unlike Windows 7, you won't even be able to pay for patches.

Windows 10 Mobile devices will be officially unsupported starting on December 10, 2019. As a result, Microsoft is recommending users move to an Android or iOS device instead. Mac Rumors reports: Microsoft made the recommendation in a Windows 10 Mobile support document (via Thurrott) explaining its plans to stop offering security updates and patches for Windows 10 Mobile: "With the Windows 10 Mobile OS end of support, we recommend that customers move to a supported Android or iOS device. Microsoft's mission statement to empower every person and every organization on the planet to achieve more, compels us to support our Mobile apps on those platforms and devices." All customers who have a Windows 10 Mobile device will be able to keep using it after December 10, 2019, but no further updates will be available.

An anonymous reader quotes a report from Ars Technica: Windows 7's five years of extended support will expire on January 14, 2020 -- exactly one year from today. After this date, security fixes will no longer be freely available for the operating system that's still widely used. As always, the end of free support does not mean the end of support entirely. Microsoft has long offered paid support options for its operating systems beyond their normal lifetime, and Windows 7 is no different. What is different is the way that paid support will be offered. For previous versions of Windows, companies had to enter into a support contract of some kind to continue to receive patches. For Windows 7, however, the extra patches will simply be an optional extra that can be added to an existing volume license subscription -- no separate support contract needed -- on a per-device basis. These Extended Security Updates (ESU) will be available for three years after the 2020 cut-off, with prices escalating each year.

In the next major release of Windows 10, Microsoft will reserve 7GB of your device's storage to resolve a Windows 10 bug thrown up by Windows Update not checking whether a PC has enough storage space before launching after big updates. From a report: As Microsoft warned ahead of the Windows 10 October 2018 Update, systems that don't have enough space to install Microsoft's 'quality updates' or new versions of the OS will see an error message explaining there is insufficient storage space. That happens because Windows doesn't check if a device has enough space before initializing. Microsoft's current solution is for users to manually delete unnecessary temporary files and temporarily move important files like photos and videos to external storage devices to make enough space for the update. This problem is more acute for devices with little storage capacity, such as many of the cheap 32GB flash-drive PCs on the market today.

LinkedIn had 590 million members -- though back in 2016 Microsoft conceded that less than 25% of the service's members were active. Yet CNBC recently shared estimates that 95% of recruiters are using LinkedIn to find candidates, and touted a new tool called "LinkedIn Hashtags" which lets companies highlight policies like "#dogfriendly" or "#freelunch".

But is LinkedIn really helpful for job-seekers? An anonymous Slashdot reader writes: I'm on unemployment and am looking for a new job, and I've been told "Oh, you need to be on LinkedIn if you want to be taken seriously!" So I go there, and it looks like Facebook or something, wants to scrape my email contacts, upload pictures, and so on.

Is LinkedIn really necessary, or is it just a ruse to get me to give them all sorts of personal information like all other social media sites?
"I'm also unemployed and looking for a job," adds another anonymous Slashdot reader, "and have all my crap on Linkedin and Indeed, and have been using them to apply left and right. If they aren't useful anymore I'm essentially sitting on my hands doing nothing." But Slashdot reader tomhath insists that LinkedIn "was never relevant. Their motto was that you didn't exist if you're not there -- but that was only their marketing hype, not reality."

Leave your own thoughts in the comments. Is LinkedIn still relevant?

An anonymous reader quotes a report from Bleeping Computer: Microsoft has released an out-of-band security update that fixes an actively exploited vulnerability in Internet Explorer. This vulnerability has been assigned ID CVE-2018-8653 and was discovered by Google's Threat Analysis Group when they saw the vulnerability being used in targeted attacks. According to Microsoft's security bulletin this is vulnerability in how the Internet Explorer scripting engine handles objects in memory. Attackers can use this vulnerability to corrupt memory in such a way that attackers could execute code under the security privileges of the logged in user. This vulnerability can also be used to launch attacks through specially crafted web sites that utilize the exploit code. This means that attackers can utilize this feature in exploit kits or by compromising legitimate sites and adding code that exploits the vulnerability.

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," states Microsoft's advisory. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Microsoft has been looking for ways to simplify the way users log into Office and find their documents via its Office.com portal. On December 19, the company is taking another step in this area by introducing something it's calling simply the Office app for Windows 10. ZDNet: This new Office app is the successor to the existing "My Office" app that's already available to Windows users. Starting today, Windows Insider testers in the Fast ring can download this new app to test it and it will roll out to all Windows 10 users "soon," officials said. My Office allows users to find and install all their Office 356 subscription-related components from a single place. It allows users to view and edit their recent documents, find tips, see their subscription benefits and more. The coming free Office for Windows 10 app can be used in conjunction with any Office variant -- Office 365 Commercial, Office 365 Consumer, a perpetual version of Office (like Office 2016 and 2019) or the web-based Office Online.

Microsoft has officially unveiled "Windows Sandbox," a feature that was expected to be unveiled next year. Windows Sandbox, the company says, creates "an isolated, temporary desktop environment" where users can run potentially suspicious software. From a report: Windows Sandbox is an isolated desktop environment which functions much like a virtual machine; any software installed to it is completely sandboxed from the host operating system. Aimed at businesses, enterprises and security-conscious home users, Windows Sandbox will be part of Windows 10 Pro and Windows 10 Enterprise. It is not clear exactly when the feature will debut, but it could make an appearance in Windows 10 19H1 next year.

The company touts the following features of Windows Sandbox in a detailed blog post introducing the new feature:
Part of Windows -- everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
Pristine -- every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
Disposable -- nothing persists on the device; everything is discarded after you close the application.
Secure -- uses hardware-based virtualization for kernel isolation, which relies on the Microsoft's hypervisor to run a separate kernel which isolates Windows Sandbox from the host.
Efficient -- uses integrated kernel scheduler, smart memory management, and virtual GPU.

Microsoft is working on a new "Microsoft 365 Consumer" bundle that "will be the consumer-focused complement to Microsoft's existing Microsoft 365 subscription bundle for business users," reports ZDNet. From the report: A couple of recent Microsoft job postings mention the consumer subscription bundle, which Microsoft has yet to announce publicly. One job posting for a Product Manager for the "M365 Consumer Subscription" notes: "The Subscription Product Marketing team is a new team being created to build and scale the Microsoft 365 Consumer Subscription." The job description says the product manager for this service will help "identify, build, position and market a great new Microsoft 365 Consumer Subscription."

The job post notes that the team behind Microsoft 365 Consumer oversees the Windows platform, the Microsoft Surface device portfolio, Office 365 consumer plans, Skype, Cortana, Bing search, as well as the Microsoft Education team. If I were betting on what Microsoft 365 Consumer might include, I'd think some variant of Windows 10, Office 365 Home, Skype, Cortana, Bing, Outlook Mobile, Microsoft To-Do and maybe MSN apps and services could figure into the picture. Maybe this subscription will be tied to Surface devices only? Maybe a monthly leasing fee for Surfaces will be part of the bundle itself?

Long time reader theodp writes: At Monday's kickoff event with Melinda Gates for Computer Science Education Week 2018, Microsoft President Brad Smith revealed how a 2013 driveway encounter led to Microsoft's decision to commit $25 million to Code.org, whose CEO Hadi Partovi happens to live next door to Smith. "At the top of the hill, we share a common driveway," Smith said. "I can't even drive into the garage at night if he is standing in the way. Well, actually I can, but running him over is not the right path." Five years ago, Smith recalled, Partovi was in his driveway (King of the Hill-inspired artist's impression), "and he said, 'I have an idea [for then-nascent Code.org]. There is an important problem that we can help solve, because for too many people they look at these opportunities in computer science, and they don't appreciate that in truth anybody can aspire to be the next Melinda Gates or the next Bill Gates or the next Jeff Bezos or the next Sheryl Sandberg or Mark Zuckerberg. What they need, what they deserve, is the opportunity to learn this fundamental field.'"

Earlier this year, Code.org celebrated its 5th anniversary and thanked Microsoft and other tech donors for making it possible for the nonprofit to change U.S. K-12 public education. Smith also announced Monday that Microsoft would invest an additional $10 million in Code.org to help expand the tech-bankrolled nonprofit's work. "The renewed partnership," Microsoft explained, "will focus on ensuring that by 2020 every state will have passed policies to expand access to computer science and every school in the U.S. will have access to Code.org professional development."

An anonymous reader writes: At its Microsoft Connect(); 2018 virtual event today, Microsoft announced the initial public preview of Visual Studio 2019 -- you can download it now for Windows and Mac. Separately, .NET Core 2.2 has hit general availability and .NET Core 3.0 Preview 1 is also available today.

At the event today, Microsoft also made some open-source announcements, as is now common at the company's developer shindigs. Microsoft open-sourced three popular Windows UX frameworks on GitHub: Windows Presentation Foundation (WPF), Windows Forms, and Windows UI XAML Library (WinUI). Additionally, Microsoft announced the expansion of the .NET Foundation's membership model.

An anonymous reader writes: At its Microsoft Connect(); 2018 virtual event today, Microsoft announced the initial public preview of Visual Studio 2019 -- you can download it now for Windows and Mac. Separately, .NET Core 2.2 has hit general availability and .NET Core 3.0 Preview 1 is also available today.

At the event today, Microsoft also made some open-source announcements, as is now common at the company's developer shindigs. Microsoft open-sourced three popular Windows UX frameworks on GitHub: Windows Presentation Foundation (WPF), Windows Forms, and Windows UI XAML Library (WinUI). Additionally, Microsoft announced the expansion of the .NET Foundation's membership model.

An anonymous reader writes: At its Microsoft Connect(); 2018 virtual event today, Microsoft announced the initial public preview of Visual Studio 2019 -- you can download it now for Windows and Mac. Separately, .NET Core 2.2 has hit general availability and .NET Core 3.0 Preview 1 is also available today.

At the event today, Microsoft also made some open-source announcements, as is now common at the company's developer shindigs. Microsoft open-sourced three popular Windows UX frameworks on GitHub: Windows Presentation Foundation (WPF), Windows Forms, and Windows UI XAML Library (WinUI). Additionally, Microsoft announced the expansion of the .NET Foundation's membership model.

Intel has published its first Modern Windows Driver for several of its modern integrated GPUs, representing a new way for graphics drivers to be pushed to your PC -- and something to keep an eye on until the new driver infrastructure settles in. From a report: Modern Windows Drivers, also known as Universal Windows Drivers, are a new feature of the Windows 10 October 2018 Update that takes advantage of the UWP infrastructure within Windows 10. As Microsoft explains it, a Modern Windows Driver is a "single driver package that runs across multiple different device types, from embedded systems to tablets and desktop PCs." The first Intel driver to take advantage of this is labeled UWD 25.20.100.6444. Microsoft doesn't intend for you to do anything different to obtain the new Modern drivers. If you own a prebuilt PC, the PC maker will continue to be the first place you should check for updated drivers, according to an Intel FAQ. That's because the universal driver includes a base driver, plus optional component packages and an optional hardware support app. The latter two are written by the system builder or OEM, while the former is written by the GPU maker itself.

An anonymous reader quotes a report from ZDNet: New Delhi police have arrested 63 suspects in the last two months working and operating 26 call centers that were engaging in tech support scams, posing as tech support staff at Microsoft, Google, Apple, and other major tech companies. The raids on Delhi-based call centers have taken place over the last two months, Microsoft said. Police first raided 10 call centers and arrested 24 people in October, and then raided 16 other call centers and made 39 more arrests this week.

Microsoft said its staff received over 7,000 victim reports associated with the 16 call centers raided this week, from over 15 countries. Users reported paying between $100 and $500 for unnecessary tech support services and products. The raids resulted in the seizure of substantial evidence including call scripts, live chats, voice call recordings and customer records from tech support fraud operations, Microsoft said. The Delhi police's crackdown on tech support call centers came after Microsoft filed legal complaints earlier this year. Microsoft has been collecting customer complaints about tech support scams since 2014, via its "Report a technical support scam" portal.

An anonymous reader quotes a report from ZDNet: New Delhi police have arrested 63 suspects in the last two months working and operating 26 call centers that were engaging in tech support scams, posing as tech support staff at Microsoft, Google, Apple, and other major tech companies. The raids on Delhi-based call centers have taken place over the last two months, Microsoft said. Police first raided 10 call centers and arrested 24 people in October, and then raided 16 other call centers and made 39 more arrests this week.

Microsoft said its staff received over 7,000 victim reports associated with the 16 call centers raided this week, from over 15 countries. Users reported paying between $100 and $500 for unnecessary tech support services and products. The raids resulted in the seizure of substantial evidence including call scripts, live chats, voice call recordings and customer records from tech support fraud operations, Microsoft said. The Delhi police's crackdown on tech support call centers came after Microsoft filed legal complaints earlier this year. Microsoft has been collecting customer complaints about tech support scams since 2014, via its "Report a technical support scam" portal.

Catalin Cimpanu, reporting for ZDNet: Microsoft has issued a security advisory this week warning that two applications accidentally installed two root certificates on users' computers, and then leaked the private keys for all. The software developer's mistake means that malicious third-parties can extract the private keys from the two applications and use them to issue forged certificates to spoof legitimate websites and software publishers for years to come.

The two applications are HeadSetup and HeadSetup Pro, both developed by German audio hardware company Sennheiser. The software is used to set up and manage softphones -- software apps for making telephone calls via the Internet and a computer, without needing an actual physical telephone. The issue with the two HeadSetup apps came to light earlier this year when German cyber-security firm Secorvo found that versions 7.3, 7.4, and 8.0 installed two root Certification Authority (CA) certificates into the Windows Trusted Root Certificate Store of users' computers but also included the private keys for all in the SennComCCKey.pem file.

An anonymous reader quotes a report from Ars Technica: The important data loss bug that interrupted the rollout of the Windows 10 October 2018 Update, version 1809, may be fixed, but it turns out there are plenty of other weird problems with the release. As spotted by Paul Thurrott, the update also breaks the seek bar in Windows Media Player when playing "specific files." Microsoft does promise to fix the bug, but the timeframe is vaguely open-ended: it will be "in an upcoming release."

Also in the "how did that happen" category comes another bug: some Win32 programs can't be set as the default program for a given file type. So if you want certain files to always open in Notepad, for example, you're currently out of luck. A fix for this is promised by the end of the month. Setting default program associations is something that's been in Windows for 20-something years, so it's a little alarming that it should be broken. On top of this, there continue to be complaints that Windows 10 version 1809 doesn't work with iCloud, and machines with the iCloud client are currently blacklisted to prevent them from receiving the 1809 update. It's not immediately clear whose fault this one is -- it could be Microsoft's, but it's also possible that Apple is to blame.

Long-time Microsoft programmer Raymond Chen recently shared a memory about an unusual single-line instruction that was once added into the Windows kernel code -- accompanied by an "incredulous" comment from the Microsoft programmer who added it:

;
; Invalidate the processor cache so that any stray gamma
; rays (I'm serious) that may have flipped cache bits
; while in S1 will be ignored.
;
; Honestly. The processor manufacturer asked for this.
; I'm serious.
invd

"Less than three weeks later, the INVD instruction was commented out," writes Chen. "But the comment block remains.

"In case we decide to resume trying to deal with gamma rays corrupting the the processor cache, I guess."

Microsoft and Google engineers appear to be working on a Chrome browser running on Windows on ARM. "9to5Google has spotted various commits by Microsoft engineers assisting with the development of Chrome for Windows 10 on ARM," reports The Verge. "The details follow claims by a Qualcomm executive last month that the chip maker was working on an ARM version of Chrome for Windows 10." From the report: A native ARM version of Chrome would make a lot of sense for Qualcomm, Microsoft, and Google. Chrome is one of the most popular desktop apps available on Windows 10, and without a native version for ARM it's difficult to take ARM-powered Windows 10 devices seriously for many. However, it was only last year that Microsoft pulled Google's Chrome installer from the Windows Store, because it violated store policies. Those policies restrict rival browsers to using Microsoft's own Edge rendering engine, specifically that "products that browse the web must use the appropriate HTML and JavaScript engines provided by the Windows Platform." Microsoft also blocked similar browser apps for Windows 8.

Unless Microsoft relaxes its rules then this native Chrome support for Windows on ARM won't be found in the Windows Store. Microsoft and Google's work could still help improve performance for Electron-based apps like Slack and Visual Studio Code which rely on parts of Chromium.

New submitter neo00 writes: Office 365 users in Europe, Asia, and Americas are impacted by a wide-spread outage causing users who have Multi-Factor Authentication (MFA) enabled by default policy to be unable to login to Office 365 and other services reliant on Azure Active Directory. According to The Register: "Microsoft confirmed that there were problems from 04:39 UTC with a subset of customers in Europe and Asia-Pacific experiencing 'difficulties signing into Azure resources' such as the, er, little used Azure Active Directory, when Multi-Factor Authentication (MFA) is enabled. Six hours later, and the problems are continuing."

The Office 365 health status page has reported that: "Affected users may be unable to sign in using MFA" and Azure's own status page confirmed that there are "issues connecting to Azure resources" thanks to the borked MFA."

Official Azure status updates are published here.

Microsoft has released a free AV1 video codec for Windows 10 devices that's available via the Microsoft Store.

"Play AV1 videos on your Windows 10 device. This extension is an early beta version of the AV1 software decoder that lets you play videos that have been encoded using the AV1 video coding standard developed by the Alliance for Open Media," the company says. "Since this is an early release, you might see some performance issues when playing AV1 videos. We're continuing to improve this extension. If you allow apps to be updated automatically, you should get the latest updates and improvements when we release them." Softpedia reports: Oddly enough, the codec can only be installed on devices running Windows 10 October 2018 Update, which is no longer up for grabs after Microsoft pulled it last month. It remains to be seen how often Microsoft updates the codec in the coming months, but I've already tried it out for a test earlier today and the initial release seems to be running just fine. You can install the codec from the Microsoft Store to be notified when new versions are out, and make sure you report any potential issues to Microsoft for more bug fixes.

Microsoft has announced an agreement with Native Network to provide broadband internet access to nearly 73,500 people without service in rural communities in Montana and Washington. Great Falls Tribune reports: This is part of the Microsoft Airband Initiative, which aims to extend broadband access to 2 million people in unserved portions of rural America by July 4, 2022, officials said. Unused parts of the broadcast spectrum are used to help rural communities access the internet. Through the partnership, Native Network will provide affordable hybrid fixed wireless broadband internet access, including TV White Spaces, to tribes within Flathead Reservation in Montana as well as Lummi Nation and Swinomish Tribe in Washington. It will come to rural Americans through commercial partnerships and investment in digital skills training for people. Proceeds from Airband connectivity projects will be reinvested into the program to expand broadband to more rural areas, officials said. "Broadband is the electricity of the 21st century and is critical for farmers, small business owners, health care practitioners, educators and students to thrive in today's digital economy," Microsoft President Brad Smith said in a news release. "We are excited about the partnership with Native Network which will help close the digital divide in rural Montana and Washington, bringing access to approximately 73,500 people within and around the tribal communities."

If you're having trouble activating your Windows 10 Pro computer today, you're not alone. Forums and social media networks are getting flooded with complaints from users who say their machines have automatically become deactivated. Users say they are having trouble connecting with Microsoft's activation servers, with some saying they are being prompted to downgrade to Windows 10 Home. According to Microsoft Answers, the company is working to resolve the issue. Only users who had upgraded their computers to Windows 10 by using product keys of Windows 7 or Windows 8.1 appear to be impacted.

Unannounced, unadvertised freebie lands ahead of Microsoft's X018 conference. PUBG, the game that kicked off an international "battle royale" gaming sensation, is currently free for all Xbox One owners. From a report: Even if you do not have a paid Xbox Live Gold subscription, you can head to this link and claim what appears to be a permanent copy of the game for your Microsoft Account. Timed trials of Xbox One games tend to be exclusive treats for XBLG subscribers. Bizarrely, the Konami soccer game PES 2019, which launched at a standard $60 retail price point in August, is also free to claim as of today. (Here's that link.) Of course, there is the caveat that these games' giveaways could be yanked from accounts by Microsoft at any moment. In the meantime, we suggest clicking first, asking questions later. Update: Microsoft says the games will be free only till November 11.

Unannounced, unadvertised freebie lands ahead of Microsoft's X018 conference. PUBG, the game that kicked off an international "battle royale" gaming sensation, is currently free for all Xbox One owners. From a report: Even if you do not have a paid Xbox Live Gold subscription, you can head to this link and claim what appears to be a permanent copy of the game for your Microsoft Account. Timed trials of Xbox One games tend to be exclusive treats for XBLG subscribers. Bizarrely, the Konami soccer game PES 2019, which launched at a standard $60 retail price point in August, is also free to claim as of today. (Here's that link.) Of course, there is the caveat that these games' giveaways could be yanked from accounts by Microsoft at any moment. In the meantime, we suggest clicking first, asking questions later. Update: Microsoft says the games will be free only till November 11.

Microsoft is using Minecraft to help employees get acquainted with a refresh of the company's campus in Redmond, Washington. CNBC reports: Earlier this year, Microsoft enlisted Blockworks, a company that uses Minecraft's digital building blocks for designing real-world projects, to create a miniature rendering of the campus facelift, which is scheduled for completion in 2022. They're using graphics that are far more immersive than two-dimensional photos and videos.

While Minecraft was designed for gamers, its immersive nature and the ability to quickly move around and construct edifices makes it easy to see how new buildings will look when inserted into an existing landscape. [James Delaney, a managing director at Blockworks] said Minecraft forces designers to sacrifice some accuracy because structures in real life don't always have the game's squared-off look, but the speed and ease of use more than made up for those deficiencies. It might take just 10 minutes to wrap up a single building, he said. Microsoft employees -- and anyone else with the education edition of Minecraft -- can now take a digital tour of the new campus and see how plans are developing. Outside of Microsoft, that access requires a subscription to Office 365 Education.

Microsoft is using Minecraft to help employees get acquainted with a refresh of the company's campus in Redmond, Washington. CNBC reports: Earlier this year, Microsoft enlisted Blockworks, a company that uses Minecraft's digital building blocks for designing real-world projects, to create a miniature rendering of the campus facelift, which is scheduled for completion in 2022. They're using graphics that are far more immersive than two-dimensional photos and videos.

While Minecraft was designed for gamers, its immersive nature and the ability to quickly move around and construct edifices makes it easy to see how new buildings will look when inserted into an existing landscape. [James Delaney, a managing director at Blockworks] said Minecraft forces designers to sacrifice some accuracy because structures in real life don't always have the game's squared-off look, but the speed and ease of use more than made up for those deficiencies. It might take just 10 minutes to wrap up a single building, he said. Microsoft employees -- and anyone else with the education edition of Minecraft -- can now take a digital tour of the new campus and see how plans are developing. Outside of Microsoft, that access requires a subscription to Office 365 Education.

An anonymous reader writes: Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment, Microsoft said in an announcement. In software design, a "sandbox" is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources. The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS.

"We're in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation," Microsoft said in a celebratory blog post. Users who can't wait until Microsoft finishes testing the feature can also enable it right now. Support for Windows Defender running inside a sandbox environment has been silently added since Windows 10 version 1703. To enable it right now, Windows 10 users can follow these steps.

According to a recently published paper by Microsoft Research team, the company could be looking to launch physical controllers for mobile devices. From a report: The research paper documents some of the popular solutions to gaming via a touch screen, while hailing the Nintendo Switch and PlayStation Portable (PSP) for circumventing touch-based control limitations with full joysticks and buttons. From the paper [PDF]: As smartphones and tablets have become pervasive, so has mobile gaming. Not surprisingly, popular games for these platforms are focused on touchscreen-based interaction. However, many types of game are less well-suited to mobile devices. Despite systems like AdaptControl which can adapt to the 'drift' typically occurring when using virtual on-screen controls, touchbased emulations of traditional gaming controls like Dpads, buttons and joysticks are often unsatisfactory.

Mobile gaming devices like the Sony PlayStation Portable and Nintendo's DS and Switch are dedicated mobile gaming platforms which overcome these limitations via physical controls. The success of the Switch is testament to the value of mobile gaming with physical controls. A number of cheaper products allow a smartphone to be clipped into or onto a modified handheld gaming controller; these include the ION iCade mobile, the GameCase, the GameVice and products from Moga. However, the fixed form of these accessories means they are bulky and inflexible.

Microsoft said Friday it will not pull out of the competition for a $10 billion cloud contract for the Department of Defense, despite growing concerns about private companies selling new technologies to the federal government. From a report: The Redmond, Wash., company defended its position in a blog post Friday, claiming that technologists should be involved in government adoption of new innovations to ensure they are not misused. Microsoft President Brad Smith wrote in the post that "to withdraw from this market is to reduce our opportunity to engage in the public debate about how new technologies can best be used in a responsible way." He decided to share publicly sentiments that he and Microsoft CEO Satya Nadella discussed at a monthly Q&A with employees Thursday. "We want the people of this country and especially the people who serve this country to know that we at Microsoft have their back," Smith wrote. "They will have access to the best technology that we create." Smith's defense comes days after an unspecified number of Microsoft employees urged the company to not bid on the Project JEDI.

Further reading: Oracle Trying Hard To Make Sure Pentagon Knows Amazon Isn't the Only Cloud Around; Google Drops Out of Pentagon's $10 Billion Cloud Competition; Jeff Bezos Defends Big Tech Working with Department of Defense.