
All news with #security misconfiguration tag

111 articles

Windows Recall Still Permits Silent Data Extraction

🛡️ A security researcher says Microsoft’s Windows Recall feature remains vulnerable to quiet exfiltration of everything it captures by malware running in the same user context. Alexander Hagenah published a proof-of-concept called TotalRecall Reloaded and disclosed the issue to Microsoft on March 6; Microsoft reviewed and closed the report April 3, calling the behavior "by design." Hagenah says the gap lies not in encryption but in how decrypted screenshots and text are handled and displayed in an unprotected process, allowing same-user code to read Recall data without admin rights or kernel exploits.

McGraw Hill Salesforce Misconfiguration Exposes 13.5M Accounts

🔒 The ShinyHunters extortion group has published data tied to 13.5 million McGraw Hill user accounts after exploiting a misconfiguration in a Salesforce-hosted webpage. McGraw Hill confirmed unauthorized access to a limited set of data and said its internal systems, courseware and customer databases were not affected. The leaked files, over 100GB according to Have I Been Pwned, contain names, email addresses, phone numbers and physical addresses that could be used for targeted spear-phishing.

Some Windows Servers Require BitLocker Key After Apr Update

🔐 Microsoft confirmed that some Windows Server 2025 devices may boot into BitLocker recovery after installing the April 2026 security update KB5082063. The issue affects very specific enterprise configurations where a Group Policy or registry setting includes PCR7 in the TPM platform validation profile while System Information reports Secure Boot State PCR7 Binding as 'Not Possible' and the Windows UEFI CA 2023 certificate is present but the 2023-signed Boot Manager is not yet running. Microsoft says the recovery key entry is required only once and has published workarounds: remove the Group Policy before deployment or apply a Known Issue Rollback (KIR) to prevent triggering BitLocker recovery.

McGraw-Hill Confirms Limited Data Exposure via Salesforce

🔒 McGraw-Hill says unauthorized actors accessed a limited set of data hosted on a Salesforce webpage after a platform misconfiguration. The company emphasized this did not involve unauthorized entry to its Salesforce accounts, customer databases, courseware, or internal systems, and that exposed information was non-sensitive. McGraw-Hill secured the pages, engaged external cybersecurity experts, and is working with Salesforce to strengthen protections amid an extortion claim by ShinyHunters.

FedRAMP Clears Microsoft’s GCC High Despite Flaws, Concerns

🚨 An internal late-2024 government report reviewed by ProPublica found that Microsoft’s Government Community Cloud High lacked “proper detailed security documentation,” leaving evaluators with “a lack of confidence” in assessing the platform. One reviewer called the package “a pile of shit.” Despite those findings, FedRAMP authorized the product with a buyer-beware notice, a decision that helped Microsoft expand a multibillion-dollar federal cloud business.

Microsoft Suspends Dev Accounts for Open-Source Projects

⚠️ Microsoft has suspended developer accounts used to maintain multiple high-profile open-source projects, blocking them from publishing Windows builds and security patches without prior notice or a quick reinstatement path. Affected projects include WireGuard, VeraCrypt, MemTest86, and Windscribe. Maintainers report no emails, warnings, or clear appeals process and say they can still publish Linux and macOS updates but not Windows releases. Microsoft said accounts were automatically suspended for failing mandatory verification for the Windows Hardware Program and that outreach and press attention have prompted follow-up from company representatives.

Escaping the COTS Trap: Designing for Replaceability

🧩 Commercial off-the-shelf (COTS) cybersecurity tools promise rapid deployment and mature capabilities, but over time they frequently become architectural anchors that are costly and risky to replace. Embedded business logic, vendor-shaped workflows, platform-native customizations, and data entanglement all accrue to create deep vendor lock-in that slows change and raises ongoing costs. The article warns that the next wave—AI-driven security—adds fresh switching costs as models, threat feeds, and baselines become proprietary, and it prescribes architectural patterns—anti-corruption layers, process abstraction, event-driven integration, the strangler fig, and data sovereignty—to keep systems replaceable and preserve strategic flexibility.

Microsoft Pauses Windows KB5079391 After Install Errors

⚠️ Microsoft has paused the rollout of a Windows 11 preview update, KB5079391, after reports that installations fail with error 0x80073712. The optional cumulative update targeted Windows 11 24H2 and 25H2 and bundled 29 changes, including Smart App Control, display improvements, improved Windows Hello fingerprint reliability, and Windows RE stability for x64 apps on ARM64 devices. To prevent further impact, Microsoft has temporarily limited the update's availability through Windows Update while it investigates and said the issue will most likely be resolved before the April 14 Patch Tuesday, though no firm timeline was provided.

Virtual Machines Nearly Everywhere - Lingering Security Gaps

🔒 Cloud virtual machines deliver speed, scale and agility, but uncontrolled VM sprawl creates persistent security gaps. Many instances are provisioned quickly and then left unmanaged—missing OS updates, scoped permissions and continuous monitoring—so they can be abused for lateral movement or used as throwaway attack infrastructure. Organizations should inventory VMs, tighten workload identities and apply continuous, identity‑aware monitoring to reduce risk.

Denver Crosswalks Hacked to Broadcast Anti-Trump Messages

🔊 Denver's newly installed pedestrian audio units on East Colfax Avenue were hijacked over the weekend to broadcast explicit anti-Trump messages in a robotic voice, startling pedestrians. Officials report the devices were activated while still using factory-default credentials; passwords have since been changed and police are investigating. The tampering created a safety hazard for people with visual impairments and echoes prior incidents involving Polara crosswalk systems.

CISA Urges Firms to Harden Microsoft Intune Controls

🔒 CISA urged U.S. organizations to strengthen Microsoft Intune administrative controls after a cyberattack exploited Intune to wipe devices at medical technology firm Stryker. Attackers allegedly created a new Global Administrator account, exfiltrated data, then used Intune’s built‑in wipe to erase nearly 80,000 devices. CISA recommended least‑privilege RBAC, enforced MFA via Microsoft Entra, privileged‑access hygiene, and multi‑admin approval for sensitive actions to reduce similar risks.

Cloud Misconfigurations: The Multi-Billion Dollar Risk

🔒 Most major cloud breaches in recent years have stemmed from basic misconfigurations rather than sophisticated zero-days or custom malware. The article highlights incidents such as Snowflake (2024), AT&T, Ticketmaster and Capital One to show how exposed credentials, public storage buckets and missing controls led to vast data exposure. Immediate actions recommended are enabling MFA everywhere, enforcing account-level public access blockers, activating comprehensive logging across AWS/Azure/GCP, and prioritizing remediation of exposed buckets and keys, while longer-term fixes include CSPM tools and infrastructure-as-code security checks.

CISA Urges Hardening of Endpoint Management Systems

🔒 CISA warns of malicious activity targeting endpoint management systems following the March 11, 2026 attack against Stryker Corporation that affected its Microsoft environment. The agency urges organizations to harden endpoint management configurations and adopt Microsoft’s newly released best practices for securing Microsoft Intune, while applying those principles to other endpoint management tools. Key recommended controls include RBAC-based least-privilege administrative roles, phishing-resistant MFA and privileged access hygiene using Microsoft Entra ID, and configuring Multi Admin Approval policies for high-impact actions such as device wipes, application and script changes, and RBAC modifications.

BSI Criticizes Healthcare Software Security Practices

🔒 The Federal Office for Information Security (BSI) has warned that software used in medical practices, clinics and long-term care needs stronger protections to safeguard sensitive patient data. In tests of standard configurations, the agency described the IT security of healthcare software as in need of improvement, finding chains of vulnerabilities in three of four representative practice management systems that could be exploited from the Internet. Outdated encryption algorithms were specifically cited; manufacturers were informed and issued timely fixes.

Microsoft Removes Samsung App After C: Drive Access Issues

⚠️ Microsoft removed the Samsung Galaxy Connect app from the Microsoft Store after a joint investigation concluded the app (used for screen mirroring, file sharing and data transfer) was triggering "C:\ is not accessible – Access denied" errors on certain Windows 11 Samsung Galaxy Book 4 and desktop models. Affected users reported blocked applications, failure to access files, and privilege elevation problems that impeded diagnostics. Samsung republished a stable previous version to stop further occurrences, but recovery options for impacted devices remain limited. Microsoft and Samsung have not published a workaround yet; users should contact Samsung for device-specific support.

Android 17 Restricts Accessibility API to Verified Tools

🔒 Google is testing a change in Android 17 Beta 2 within its Advanced Protection Mode that blocks apps not designated as accessibility tools from using the system Accessibility Services API. Apps without the isAccessibilityTool="true" flag will have existing permissions revoked when AAPM is active, and users cannot grant new access until the mode is turned off. Verified assistive tools such as screen readers and Braille programs remain exempt.

Windows 11: Some Samsung PCs Lose Access to C Drive

⚠️ Microsoft is investigating reports that some Samsung laptops running Windows 11 lose access to the C:\ drive after installing the February 2026 security updates. Affected users encounter the error 'C:\ is not accessible - Access denied' and cannot launch applications such as Outlook, Office apps, web browsers, and system utilities. Microsoft says it is working with Samsung and that the problem may be related to the Samsung Share application, but no official workaround has been provided.

Threat Actors Mass-Scan Salesforce Experience Cloud Sites

🔍 Salesforce has warned that a threat actor is using a customized version of the open-source tool AuraInspector to mass-scan publicly accessible Experience Cloud sites and exploit overly permissive guest user configurations. The modified tool can both identify vulnerable API endpoints and extract data from misconfigured environments without authentication. Salesforce says the activity targets customer configuration weaknesses rather than a platform flaw and urges customers to review guest user settings and follow recommended configuration guidance.

Chrome WebView Flaw Allowed Malicious Extension Abuse

🔒 Google patched a high-severity WebView policy enforcement bug, CVE-2026-0628 (CVSS 8.8), in early January 2026 that could let a malicious extension inject scripts or HTML into the browser's new Gemini side panel. Discovered by Palo Alto Networks Unit 42 researcher Gal Weizman, the flaw could have enabled privilege escalation to access local files, take screenshots, and turn on camera or microphone without consent. The fix shipped in Chrome 143.0.7499.192/.193 (Windows/Mac) and 143.0.7499.192 (Linux).

Microsoft tests Windows 11 batch-file security mode

🔒 Microsoft is rolling out Windows 11 Insider Preview builds that introduce a secure processing mode for batch files and CMD scripts. Administrators can enable the feature via the LockBatchFilesInUse registry value under HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor or via the LockBatchFilesWhenInUse manifest control. When enabled, batch files cannot be modified while executing and signature validation runs once rather than per statement, improving both security and performance for scripted enterprise workflows.