Gizmodo reports on recent comments by Microsoft founder Bill Gates that essentially amount to saying Apple should just put a secret, law-enforcement-only backdoor in the iPhone rather than fighting the US government:

As lawmakers on both sides of the aisle have started paying more attention to tech’s increasing influence over our lives, Microsoft’s antitrust battle with the US government in the ‘90s has frequently been used as an example of the worst way to deal with the US government. Since it lost that case, Microsoft has become the war-weary veteran of the tech world—highly profitable and not too disruptive. Gates tells Axios that he fears “Apple and other tech giants” are in a precarious position at the moment. “The companies need to be careful that they’re not … advocating things that would prevent government from being able to, under appropriate review, perform the type of functions that we’ve come to count on,” he said.

When pressed for an example of how companies are flouting government oversight, he mentioned the wave of “enthusiasm about making financial transactions anonymous and invisible, and their view that even a clear mass-murdering criminal’s communication should never be available to the government.” Axios pointed out that he appeared to be referring to the FBI’s desire for an ability to break into encrypted iPhones. Gates replied, “There’s no question of ability; it’s the question of willingness.”

Bill Gates is highly intelligent, but this position is just downright dumbfounding.

The Next Web discusses how Microsoft is developing digital identity management techniques using blockchain as the basis, hopefully proving all the naysayers wrong:

Following a collaboration with the Decentralized Identity Foundation (DIF), Microsoft has revealed its plans to rely on blockchain technology to solve some of the challenges we face when managing our identities and personal data digitally, such as improving privacy and security across the physical and digital world.

“We believe it is essential for individuals to own and control all elements of their digital identity,” the company said in a blog post. “Rather than grant broad consent to countless apps and services, and have their identity data spread across numerous providers, individuals need a secure, encrypted digital hub where they can store their identity data and easily control access to it.”

To this end, the company is developing an off-chain solution – akin to the Lightning Network – that will allow it to process massive volumes of ID data without congesting the blockchain network.

While the company has yet to demo working prototypes of its solutions, it has shared some findings from its joint research with the DIF. In addition to its uses for cryptocurrencies like Bitcoin and Ethereum, the Windows-maker concludes that blockchain tech is well-suited for a number of other applications.

Blockchain is being leveraged in so many industries that it will one day be as ubiquitous as computers themselves.

Malicious actors are actively exploiting a huge Windows vulnerability allowing USB sticks to be used to infect endpoints:

The vulnerability is reminiscent of a critical flaw exploited around 2008 by an NSA-tied hacking group dubbed Equation Group and later by the creators of the Stuxnet computer worm that disrupted Iran’s nuclear program. The vulnerability—which resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is plugged in—allowed the attackers to unleash a powerful computer worm that spread from computer to computer each time they interacted with a malicious drive.

When Microsoft patched the .LNK vulnerability in 2010 with MS10-046, company officials classified the vulnerability as “critical,” the company’s highest severity rating. The classification seemed appropriate, considering the success of the .LNK exploits in infecting large numbers of air-gapped computers. For reasons that aren’t clear, Tuesday’s vulnerability has been rated “important,” Microsoft’s second-highest severity rating. Update: As Virus Bulletin researcher Martijn Grooten pointed out, the .LNK vulnerability was remotely exploitable, allowing it to infect millions of people. By contrast, the bug patched Tuesday appears to require a USB stick, a requirement that would greatly limit the scale of attacks. That’s the likely reason for the lower severity rating.

This vulnerability exists in just about every version of Windows capable of mounting USB drives.

Due to a critical OpenType font driver vulnerability affecting every version of Windows ever, Microsoft has released an out-of-band emergency update to address this huge issue (emphasis added):

“This is a complete exploit which allows even an escape of the Chrome sandbox through a kernel bug; the proof of exploit code runs the Windows calculator calc.exe with system privileges under winlogon.exe,” Trend Micro researchers explained in a blog post.

“There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts,” Microsoft’s advisory (MS15-078) explained.

While Microsoft said the vulnerability was public, the software giant said it did not have any details indicating that the flaw had been exploited to attack customers. However, Microsoft warned that exploit code could be created in such a way that “an attacker could consistently exploit” the vulnerability.

Microsoft customers that have automatic updating enabled should already be protected, as the update will be downloaded and installed automatically. Users who do not have automatic updating enabled, or who install updates manually, should install the update, with information on doing so manually available online.

Microsoft also provided information on workarounds for various versions of Windows.

Get those Windows machines patched ASAP or risk potential compromise.

CNN Money with some unreal news about how the Navy pays Microsoft $9 million a year for continued Windows XP support even after the product's end of life:

In a statement, the Navy said it has a plan in place to upgrade its systems to a newer version of Windows. It expects to complete its upgrades by July 12, 2016.

But there’s a chance that it could take even longer. That’s why the Navy’s contract with Microsoft contains options to extend the deal through June 8, 2017. That would raise the amount the Navy will pay for Windows XP support to nearly $31 million.

“The Navy relies on a number of legacy applications and programs that are reliant on legacy Windows products,” said Steven Davis, spokesman for Space and Naval Warfare Systems Command. “Until those applications and programs are modernized or phased out, this continuity of services is required to maintain operational effectiveness.”

The most modern military in history continues to use Windows XP, an operating system unveiled in 2001 and one that never really took security seriously.

Brian Donohue of threatpost on the Microsoft Malware Protection Center decision to detect search protection code as malware regardless of whether or not the feature is even enabled:

Search protection is a scheme deployed by certain software packages in an attempt to limit user control of browser and search settings. In some cases, software makers use search protection in order to prevent users from uninstalling products or changing their default search engine. Other varieties keep users from disabling or enabling certain browser extensions.

Microsoft is encouraging developers to remove any search protection code from their software, warning that a failure to do so will result in malicious detection. Furthermore, it will not be enough to merely disable search protection; developers will have to completely rid their wares of any search protection code, no matter how long it lies dormant.

Microsoft began blocking programs that prevent or limit users from viewing or modifying browser features or settings late last year. Starting June 1, the tech giant will take the next step, detecting software that prevents users from changing default search engines and home pages. Microsoft will also move to classify as malicious programs that attempt to circumvent consent dialogue boxes on June 1 as well.

Jef Cozza of Top Tech News on Chinese malicious actors hiding malware command-and-control on Microsoft’s TechNet as part of a concerted effort, dating back to at least 2013, to attack US government agencies, the defense industry, law and IT firms, and more:

The move by APT17 was not an attack against TechNet itself, whose security has not been compromised. Instead, the Chinese team was using the site in order to hide their command-and-control (CnC) IP addresses for the BLACKCOFFEE malware tool. Although other groups have used similar tactics, APT17 took it one step further by embedding encoded IP addresses in legitimate Microsoft profile pages, making it more difficult for IT security professionals to identify the malware’s true CnC addresses.

After discovering the BLACKCOFFEE activity, the FireEye-Microsoft team encoded a sinkhole IP address into the profile pages and forum threads and locked the accounts to prevent the threat actors from making any changes. This approach allowed the team to observe the malware and its victims.

Though the security community has not yet broadly discussed this technique, FireEye said it has observed other threat groups adopting these measures and expects the trend to continue on other community sites. FireEye released indicators of compromise — artifacts seen on a network that indicate a computer intrusion — for BLACKCOFFEE, and Microsoft released signatures for its anti-malware products.

BLACKCOFFEE’s functionality includes uploading and downloading files; creating a reverse shell; enumerating files and processes; renaming, moving, and deleting files; terminating processes; and expanding its functionality by adding new backdoor commands. FireEye has monitored APT17’s use of BLACKCOFFEE variants since 2013 to masquerade malicious communication as normal Web traffic by disguising the CnC communication as queries to Web search engines.

Quite sophisticated.

The entire report is well worth reading and discusses their tradecraft in detail. If you are at all interested in cyber security, this is a must-read.