Microsoft

Microsoft's Largest Piece of Software Weighed More Than 40 Pounds (pcmag.com) 82

joshuark shares a report from PCMag: The official Windows developer documentation team at Microsoft decided to ask Microsoft Archivist Amy Stevenson "What was the largest piece of software we ever shipped?" The answer may surprise you... [T]he award goes to Microsoft C/C++ compiler with the Windows SDK, which was released in 1992 and weighed over 40 pounds. It included Microsoft C/C++ 7.0 in a box that was more than two feet long and allowed a developer to produce MS-DOS, Windows, and OS/2 applications. As Stevenson points out, "we never did that again," and the next product launched was Visual C++.
Microsoft

Microsoft Might Finally Simplify Its Windows 11 Update Names (theverge.com) 21

Microsoft could be preparing to name its next big OS update the "Windows 11 2022 Update." A report adds: References to this naming have appeared in near-final versions of the next big Windows 11 release, currently named 22H2. Twitter user XenoPanther spotted the Windows 11 2022 Update naming in the Get Started app that appears when you set up a new PC. The naming could simply be a placeholder, or it could indicate Microsoft is finally simplifying its often confusing update names for Windows. We've seen a variety of names over the years, including the Creators Update naming for a big Windows 10 update, more mundane naming like the Windows 10 May 2021 Update, and more recently, the Windows 10 21H2 moniker. Microsoft had considered naming its updates after animals or people but transitioned to the safer monthly naming instead of point releases like Apple does with iOS, iPadOS, watchOS, and many other software updates. A move to just the yearly naming for Windows 11 updates would make sense if Microsoft is planning fewer big drops of features.
Security

The New USB Rubber Ducky Is More Dangerous Than Ever (theverge.com) 47

The USB Rubber Ducky "has a new incarnation, released to coincide with the Def Con hacking conference this year," reports The Verge. From the report: To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard -- which means it accepts keystroke commands from the device just as if a person was typing them in. The original Rubber Ducky was released over 10 years ago and became a fan favorite among hackers (it was even featured in a Mr. Robot scene). There have been a number of incremental updates since then, but the newest Rubber Ducky makes a leap forward with a set of new features that make it far more flexible and powerful than before.

With the right approach, the possibilities are almost endless. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms. The newest Rubber Ducky aims to overcome these limitations.

It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that). That means, for example, the new Ducky can run a test to see if it's plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect. Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.
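The LED channel described above is easy to misread as "the keyboard reads the screen"; it does not. A USB HID keyboard only ever receives a one-byte output report from the host whenever a lock-key LED changes (bit 0 NumLock, bit 1 CapsLock, bit 2 ScrollLock in the boot-keyboard report format), so a payload running on the host signals bits back by pressing the lock keys, and the device reconstructs bytes from the reports. The simulation below is an added example, not Hak5 code and not the Rubber Ducky's real encoding: the scheme (NumLock as data line, CapsLock as clock line, MSB first) is an assumption chosen to show why a clock line is needed at all, since an LED is a level, not an event, and repeated identical bits would otherwise be invisible to the device.

```python
"""
Simulation of a keyboard-LED exfiltration channel (added example).

Assumed encoding, not the Rubber Ducky's actual one: NumLock carries the
data bit, CapsLock is toggled once per bit as a clock edge so the device
knows when to sample.  Both sides start with all LEDs off; a real payload
would first read the host's current lock state (NumLock is often on).
"""
from typing import Iterable, List, Tuple

NUMLOCK_BIT = 0x01   # HID boot keyboard output report, bit 0
CAPSLOCK_BIT = 0x02  # bit 1


class HostKeyboardState:
    """Victim side: tracks LED state and emits one HID output report per
    change, as the OS keyboard driver does for every attached keyboard."""

    def __init__(self) -> None:
        self.leds = 0
        self.reports: List[int] = []   # output reports "sent" to the device
        self.keystrokes = 0

    def press(self, led_bit: int) -> None:
        self.keystrokes += 1
        self.leds ^= led_bit
        self.reports.append(self.leds)


def host_encode(data: bytes, host: HostKeyboardState) -> None:
    """Payload on the host: for each bit, set NumLock to the bit value
    (pressing it only if it differs from the current state), then toggle
    CapsLock as the clock edge.  Costs 1-2 keystrokes per bit."""
    for byte in data:
        for i in range(7, -1, -1):                  # MSB first
            bit = (byte >> i) & 1
            current = (host.leds & NUMLOCK_BIT) != 0
            if bool(bit) != current:
                host.press(NUMLOCK_BIT)
            host.press(CAPSLOCK_BIT)


def device_decode(reports: Iterable[int]) -> bytes:
    """Device side: every CapsLock transition is a clock edge; the NumLock
    bit in that same report is the data bit.  NumLock-only reports are
    ignored, which is what makes repeated identical bits decodable."""
    bits: List[int] = []
    last_caps = 0
    for report in reports:
        caps = report & CAPSLOCK_BIT
        if caps != last_caps:
            bits.append(1 if report & NUMLOCK_BIT else 0)
            last_caps = caps
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):   # drop trailing partial byte
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def exfiltrate(data: bytes) -> Tuple[bytes, int]:
    """Run both sides; returns (bytes recovered by the device, keystrokes typed)."""
    host = HostKeyboardState()
    host_encode(data, host)
    return device_decode(host.reports), host.keystrokes


if __name__ == "__main__":
    recovered, n = exfiltrate(b"hunter2")   # constructed sample secret
    print(recovered, n)
```

The keystroke count is the defender's lever: at 8 CapsLock presses per byte plus NumLock changes, even a short credential produces a burst of lock-key toggles from a keyboard that enumerated seconds earlier, which is a usable detection signal on hosts that log new HID devices.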

Data Storage

Old Laptop Hard Drives Will Allegedly Crash When Exposed To Janet Jackson Music (arstechnica.com) 59

An anonymous reader quotes a report from Ars Technica: It sounds like something out of an urban legend: Some Windows XP-era laptops using 5400 RPM spinning hard drives can allegedly be forced to crash when exposed to Janet Jackson's 1989 hit "Rhythm Nation." But Microsoft Software Engineer Raymond Chen stands by the story in a blog post published earlier this week, and the vulnerability has been issued an official CVE ID by The Mitre Corporation, lending it more credibility. According to Chen, CVE-2022-38392 was originally discovered by "a major computer manufacturer," and it can affect not just the laptop playing the song but adjacent laptops from other PC companies as well.

The specific hard drive model at issue -- again from an unnamed manufacturer -- would crash because "Rhythm Nation" used some of the same "natural resonant frequencies" that the drives used, interfering with their operation. Anyone trying to independently recreate this problem will face several obstacles, including the age of the laptops involved and a total lack of specificity about the hard drives or computer models. The CVE entry mentions "a certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2005" and links back to Chen's post as a primary source. And while some Windows XP-era laptop hard drives may still be kicking out there somewhere, after almost two decades, it's more likely that most of them have died of natural causes.
The PC manufacturer was able to partially resolve the issue "by adding a custom filter in the audio pipeline that detected and removed the offending frequencies during audio playback," says Chen. However, these HDDs would still crash if they were exposed to another device that was playing the song.
Chrome

Nvidia GeForce Now on Chrome is Getting a Big Upgrade To 1440p and 120fps (theverge.com) 9

Nvidia is upgrading its GeForce Now game streaming service to support 1440p resolution at 120fps in a Chrome or Edge browser. GeForce Now members on the RTX 3080 tier of the service will be able to access the new browser gameplay options today by selecting 1440p on the GeForce Now web version. From a report: Nvidia originally launched its RTX 3080 GeForce Now membership tier last year, offering streams of up to 1440p resolution with 120fps on PCs and Macs or 4K HDR at 60fps on Nvidia's Shield TV. Previously, you had to download the dedicated Mac or Windows apps to access 1440p resolution and 120fps support, as the web version was limited to 1080p at 60fps.
Windows

Windows 11's Widgets Can Now Trigger Notifications on Your Taskbar (theverge.com) 71

Microsoft is rolling out a taskbar notification system to its Windows 11 widgets this week. While the weather widget returned to Windows 11 earlier this year, it's largely been a static experience that displays a sunny icon when the weather is good and an umbrella icon when it's raining and sucks to be outside. That's all changing this week, as Microsoft is now adding live animations to this taskbar widget. From a report: All Windows 11 users will start to see these new widget notifications in the coming days and weeks, thanks to an update to the Windows Web Experience Pack that powers Microsoft's widgets feature. The notifications appear as live animations on the taskbar weather widget, and include alerts for thunderstorms and even ticker alerts when stocks you're following go up or down. "When something important happens related to one of your other widgets, you may see an announcement from that widget on your taskbar," explains Microsoft in a support article. "These announcements are meant to be quick and glanceable, and if you don't interact with them, the taskbar will return to showing you the weather."
Windows

Windows 11's Next Big Update Arrives Next Month With Start Menu Folders, New Gestures (theverge.com) 84

Microsoft is planning to release its next big Windows 11 update, version 22H2, on September 20th. The Verge: Sources familiar with Microsoft's plans tell The Verge Microsoft will roll out Windows 11 22H2 through Windows Update on September 20th, a week after the company's regular Patch Tuesday fixes. Microsoft has been testing Windows 11 22H2 for months, and it will include a number of new improvements, like app folders in the Start menu, drag and drop on the taskbar, and new touch gestures and animations. Microsoft is also adding a new Live Captions accessibility feature with 22H2, which is ideal for people who are deaf, hard of hearing, or anyone who wants to caption audio automatically. Similarly, a new Voice Access tool that allows people to control their PCs by using voice commands is part of 22H2.

The Task Manager is also being overhauled in Windows 11 22H2, with a new dark mode and a far better layout that includes a new command bar and an efficiency mode to limit apps from consuming resources. Snap Layouts will also be greatly improved in 22H2, making it easier to drag an app to reveal all the layouts you can use to arrange apps. Microsoft is also working on tabs for File Explorer, which will arrive a little later than September 20th.

Your Rights Online

Right To Repair Battle Heats Up With Rooting of John Deere Equipment (wired.com) 79

Long-time Slashdot reader drinkypoo writes: John Deere, current and historic American producer of farming equipment, has long been maligned for their DRM-based lockdowns of said equipment which can make it impossible for farmers to perform their own service. Now a new security bypass has been discovered for some of their equipment, which has revealed that it is in general based on outdated versions of Linux and Windows CE.

Carried out by Sick Codes, the complete attack involves attaching hardware to the PCB inside a touchscreen controller, and ultimately produces a root terminal.

In the bargain and as a result, the question is being raised about JD's GPL compliance.

Sick Codes isn't sure how John Deere can eliminate this vulnerability (beyond overhauling designs to add full disk encryption to future models). But Wired also notes that "At the same time, though, vulnerabilities like the ones that Sick Codes found help farmers do what they need to do with their own equipment."

Although the first thing Sick Codes did was get the tractor running a farm-themed version of Doom.
Windows

Microsoft Urges Windows Users To Run Patch For DogWalk Zero-Day Exploit (computerworld.com) 15

joshuark shares a report from Computerworld: Despite previously claiming the DogWalk vulnerability did not constitute a security issue, Microsoft has now released a patch to stop attackers from actively exploiting the vulnerability. [...] The vulnerability, known as CVE-2022-34713 or DogWalk, allows attackers to exploit a weakness in the Windows Microsoft Support Diagnostic Tool (MSDT). By using social engineering or phishing, attackers can trick users into visiting a fake website or opening a malicious document or file and ultimately gain remote code execution on compromised systems. DogWalk affects all Windows versions under support, including the latest client and server releases, Windows 11 and Windows Server 2022.

The vulnerability was first reported in January 2020 but at the time, Microsoft said it didn't consider the exploit to be a security issue. This is the second time in recent months that Microsoft has been forced to change its position on a known exploit, having initially rejected reports that another Windows MSDT zero-day, known as Follina, posed a security threat. A patch for that exploit was released in June's Patch Tuesday update.

Microsoft

Microsoft Sues Activation Key and Token Sellers For Enabling Customers' Piracy (torrentfreak.com) 41

Software sold by market leaders tends to be a primary purchase for regular consumers. Brand comfort is important but so too is affordability, especially when pirate copies are available for free. Some find a middle ground with purchases of discounted activation keys but, as a new Microsoft lawsuit shows, that can amount to copyright infringement for buyers and sellers alike. From a report: In a complaint filed at a Washington court this week, Microsoft targets Canadian company The Search People Enterprises Ltd (TSPE), assumed director Mehtabjit Singh, and 'John Doe' defendants 1-10. The defendants are described as prolific distributors of "black market access devices," aka activation keys and tokens for Microsoft software. Those who bought keys and tokens may have been under the impression that they were purchasing official software but as Microsoft explains, that is not only misleading but a mischaracterization of the things they were sold.

Products including Microsoft Office, Project, Visio, Windows 10, and Windows 11 are all subject to licensing terms that restrict how the products can be used. Microsoft can also provide a product activation key to be entered as part of the installation process, with data about the activation sent to the company's servers. Like software tokens, which enable downloads and automatic software activation, activation keys are anti-piracy tools, and exchanging money for them is not the same as buying a license. Indeed, Microsoft makes itself very clear -- the activation of a piece of software means nothing in the absence of a license. Microsoft's problem is that product activation keys can be 'decoupled' from the software they were meant to authorize and then reused to activate more copies of the software, in some cases more copies than the attached Microsoft license permits.

Microsoft

Microsoft is Open-Sourcing Its Emoji (theverge.com) 13

Microsoft said Wednesday that it has released almost all of its emoji designs to GitHub and Figma, allowing anyone to tweak and design their own. From a report: Microsoft isn't saying that you'll be able to use your own emoji designs inside Windows, and the company isn't saying that absolutely all of the company's emoji are being released into open source, either. Specifically, Microsoft is excluding the Clippy emoji (boo!) and a few that include the Microsoft logo. Naturally, Microsoft can't release its own copyrighted trademarks into the public domain, Jon Friedman, a corporate vice president of design and research at Microsoft, wrote in a blog post. It's no small task to open-source each of Microsoft's 1,538 emoji, Friedman wrote. "Similar to how typeface sets include bold, italic, and regular styles, emoji must exist as a SVG, PNG, and JPG file to allow for true versatility. And for each of those, a vector, flat, and monochrome version should be created for scale and flexibility."
Bug

Windows 11 Encryption Bug Could Cause Data Loss, Temporary Slowdowns On Newer PCs (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Microsoft has published a knowledge base article acknowledging a problem with encryption acceleration in the newest versions of Windows that could result in data corruption. The company recommends installing the June 2022 security updates for Windows 11 and Windows Server 2022 "to prevent further damage," though there are no suggested solutions for anyone who has already lost data because of the bug.

The problems only affect relatively recent PCs and servers that support Vector Advanced Encryption Standard (VAES) instructions for accelerating cryptographic operations. Microsoft says affected systems use AES-XTS or AES-GCM instructions "on new hardware." Part of the AVX-512 instruction set, VAES instructions are supported by Intel's Ice Lake, Tiger Lake, Rocket Lake, and Alder Lake architectures -- these power some 10th-generation Core CPUs for laptops, as well as all 11th- and 12th-gen Core CPUs. AMD's upcoming Zen 4 architecture also supports VAES, though by the time these chips are released in the fall, the patches will have had plenty of time to proliferate. Microsoft says that the problem was caused when it added "new code paths" to support the updated encryption instructions in SymCrypt, Windows' cryptographic function library. These code paths were added in the initial release of Windows 11 and Windows Server 2022, so the problem shouldn't affect older versions like Windows 10 or Windows Server 2019.

The initial fix for the problem, provided in Windows' June 2022 security update package (Windows 11 build 22000.778), will prevent further damage at the cost of reduced performance, suggesting that the initial fix was to disable encryption acceleration on these processors entirely. Using BitLocker-encrypted disks or the Transport Layer Security (TLS) protocol or accessing encrypted storage on servers will all be slower with the first patch installed, though installing the July 2022 security updates (Windows 11 build 22000.795) should restore performance to its previous level.

Software

Excel Esports On ESPN Show World the Pain of Format Errors (arstechnica.com) 35

An anonymous reader quotes a report from Ars Technica: If you watched ESPN2 during its stint last weekend as "ESPN8: The Ocho," you may have seen some odd, meme-friendly competitions, including corgi racing, precision paper airplane tossing, and slippery stair climbing. Or you might have seen "Excel Esports: All-Star Battle," a tournament in which an unexpected full-column Flash Fill is announced like a 50-yard Hail Mary. It's just the latest mainstream acknowledgment of Excel as a viable, if quirky, esport, complete with down-to-the-wire tension and surprising comebacks. [...]

Featured in this all-star battle was 2021 FMWC World Cup winner Diarmuid Early, an FMWC grandmaster from Ireland who claims 10,000 hours in Excel. (He would be Lambda if he were a function, he said.) The winner of the first championship in 2020, Joseph Lau (28,600 hours, Isological), also competed, along with six other highly ranked function warriors. Diarmuid took a commanding lead in the first slot-like task, racking up more points more quickly in a first round than anyone has in an FMWC competition. Others faced the kinds of challenges that regular users see in less combative Excel work. Polish competitor Gabriela Stroj told the hosts that "one stupid error" -- leaving a formula linked to the wrong sheet -- likely cost her hundreds of points. David Brown from the US said that his major problem was pasting from his 32-bit Windows-based Excel to the official online Excel answer sheets, which left his formulas treated as text.

The top four of the eight competitors moved on to round 2, simulating a yacht regatta in Excel. Diarmuid and third-ranked Andrew Ngai made it through. The two competed on creating a score-tracking mechanic for an entirely Excel-based retro-style 2D platformer, "Modelario." Ngai eked out the win, although with only 411 of a total 1,000 possible points. Ngai's reward for a more than two-hour cell-based marathon: a trip to Tucson, Arizona, for the FMWC finals.
You can watch the full two-hour-and-48-minute all-star battle, which ESPN edited down to 30 minutes, here. You can also try the Excel tasks used in last weekend's battle yourself, as the organizers (the Financial Modeling World Cup) made all three of them available to download.
Transportation

The 'Switchblade' Flying Car is Ready for Takeoff (abc27.com) 89

An anonymous reader shares this report on The Switchblade, "an aircraft that doubles as a car."

It could be "just weeks away from getting its wheels off the ground after an inspection by America's Federal Aviation Administration determined that the vehicle is safe to fly": The project has been 14 years in the making, and Sam Bousfield, CEO of Samson Sky and inventor of the Switchblade, said he's "stoked" to reach this milestone. After passing the FAA inspection, his team wasted no time in beginning the high-speed taxi test. They were out on the taxiway the next day. "[The crew] took off their 'I'm doing R&D' and they put on their 'I am flight test' crew hat, and I think that really set the tone for everything after," Bousfield said. "So, we're in a different game now...."

Just like a pocket knife, the Switchblade's wings slip smoothly into the body of the vehicle with the touch of a button, allowing it to seamlessly transition from sky to air. Its tail also unfurls or retracts, depending on if it's being used to fly or drive. The idea is that the vehicle could be parked in a garage, driven to an airport, flown to a new destination, and then driven anywhere on the ground after it lands. When a trip is over, the user can fly it home or fly it elsewhere.

"The side windows (in the doors) will be power windows," noted a tweet Thursday on the car manufacturer's official Twitter feed @FlyingSportsCar.

And Maxim points out that The Switchblade can be flown at up to 200 mph and as high as 13,000 feet, "for up to 450 miles, with the 190-hp liquid-cooled three-cylinder powering the single propeller." On the ground, the Switchblade can achieve a brisk 125 mph, making it similar to "a little flying sports car," Bousfield added.

Before production begins, the Switchblade has more regulatory hurdles that flying cars will need to overcome. Owners will need a pilot's license and either a motorcycle or driver's license to operate it in both flight and ground modes, plus car/motorcycle and aircraft insurance. But for now, the FAA flight approval has inspired Bousfield to keep charging ahead....

It will be at least a few more years before civilians are flying their own Switchblades, which are expected to cost around $170,000. But anyone can join the 1,670 people who have reserved one free of charge.

Printer

Epson Programs Some Printers To Stop Operating, Claiming Danger of 'Ink Spills' (substack.com) 182

Long-time Slashdot reader chicksdaddy writes: Printer maker Epson has programmed some models of its inkjet printers to "stop operating" at a pre-determined time, citing the risk of property damage linked to "ink spills," the Fight to Repair newsletter reports.

Epson printer owners have complained that their functioning printers have suddenly stopped working, displaying an error message declaring that a component of the printer has "reached the end of its service life" and that the device needs to be serviced. According to Epson's website, the message is linked to ink pads, which Epson describes as "porous pads in the printer that collect, distribute, and very importantly contain the ink that is not used on printed pages." Over time, these pads become saturated with ink though generally not "before the printer is replaced for other reasons" (??!)

"Like so many other products, all Epson consumer ink jet products have a finite life span due to component wear during normal use... The printers are designed to stop operating at the point where further use without replacing the ink pads could create risks of property damage from ink spills or safety issues related to excess ink contacting an electrical component," the company said on its website.

Rather than measure the saturation of the ink pads to determine when that point is reached, however, Epson appears to have programmed a counter on its printers that disables the device when a threshold has been reached. For printer owners who use Windows, Epson makes a reset utility that can reset the counter though it can "only be used once and will allow printing for a short period of time." For Mac users, or Windows users who have already run the reset utility once, Epson urges them to have the printer serviced by an Epson authorized service shop or — preferably — to replace the printer with a new printer. "Repair may not be a cost-effective option for lower-cost printers because other components may also be near the end of their usable life," the company said. Despite the company's claims about the unfixability of the ink pad issue, YouTube videos suggest that the ink pads are, in fact, simple to replace, as this video illustrates.

Some legal experts say that Epson's hard coding an end of life for its printers may be illegal — an example of "Deceptive trade practices," unless it is clearly disclosing the existence of the programmed end of life to consumers prior to purchase.

Here's how the Fight to Repair newsletter sees the situation. Epson "pushes its customers to throw away the entire, working printer unit simply because some sponges are saturated with ink.

"In doing so, the company amplifies our epidemic of e-waste and forces customers into an expensive and (as it turns out) unneeded upgrade."
Music

Winamp, the Best MP3 Player of the 1990s, Receives Major Update (arstechnica.com) 127

Winamp, the premier music player of the late 1990s and early 2000s that was acquired by Radionomy from AOL in 2014, has received a major new update for the first time in four years. An anonymous reader shares an excerpt from a report via Ars Technica: The release notes for Winamp 5.9 RC1 Build 1999 say that the update represents four years of work across two separate development teams, delayed in between by the COVID-19 pandemic. Most of the work done in this build focuses on behind-the-scenes work that modernizes the codebase, which means it still looks and acts like a turn-of-the-millennium Windows app. The entire project has been migrated from Microsoft Visual Studio 2008 to Visual Studio 2019, a wide range of audio codecs have been updated to more modern versions, and support for Windows 11 and https streams have both been improved.

The final release will be version 5.9, with some features targeted for release in version 5.9.1 "and beyond" (version 6.0 goes unmentioned). It requires Windows 7 SP1 or newer, dropping support for Windows XP. That said, in our limited testing the "new" Winamp is still in many ways an ancient app, one not made for the age of high-resolution, high-density displays. This may cause usability problems, depending on what you're trying to run it on. But hey, for all you people out there still trying to keep hope alive, it's nice to see something on Winamp.com that isn't a weird NFT project and a promise of updates yet to come.

Linux

Linux May Soon Lose Support For the DECnet Protocol (theregister.com) 69

Microsoft software engineer Stephen Hemminger has proposed removing the DECnet protocol handling code from the Linux kernel. The Register reports: The timing is ironic, as this comes just two weeks after VMS Software Inc announced that OpenVMS 9.2 was really ready this time... That announcement, of course, came some months after the first time it announced [PDF] version 9.2 [...]. The last maintainer of the DECnet code was Red Hat's Christine Caulfield, who flagged the code as orphaned in 2010. The change is unlikely to vastly inconvenience many people: VMS is the last even slightly mainstream OS that used DECnet, and VMS has supported TCP/IP for a long time. Indeed, for decades, the oldest email in this reporter's "sent" folder was a 1993 enquiry about the freeware CMUIP stack for VMS.

One of the easier ways to bootstrap VMS on an elderly VAX these days is to install it on the SimH VAX hardware simulator, and then net-boot the real VAX from the simulated one. Anyone keen enough to do that will be competent to run an older version of Linux just for the purpose. Although their existence is rapidly being forgotten today, TCP/IP is not the only network protocol around, and as late as the mid-1990s it wasn't even the dominant one. The Linux kernel used to support multiple network protocols, but they are disappearing fast. [...] For a long time, DECnet was a significant network protocol. DEC supplied a client stack called PathWorks to let DOS, Windows and Mac clients connect to VAX servers, not only for file and print, but also terminal connections and X.11. Whole worldwide WANs ran over DECnet, and as a teenage student, your correspondent enjoyed exploring them.

Earth

Spain Puts Limits on Air Conditioning and Heating To Save Energy (theguardian.com) 165

Spain has announced new energy-saving measures, including limits on air conditioning and heating temperatures in public and large commercial buildings, as it becomes the latest European country to seek to reduce its energy consumption and its dependence on Russian oil and gas. From a report: Under a decree that comes into effect in seven days' time and applies to public buildings, shopping centres, cinemas, theatres, rail stations and airports, heating should not be set above 19C (66.2F) and air conditioning should not be set below 27C (80.6F). Doors will need to be closed so as not to waste energy, and lights in shop windows must be switched off after 10pm. The premises in question will be required to display signs or screens that explain the energy-saving initiatives. Although Spain is not as dependent on Russian energy supplies as many other EU countries, it has agreed to a 7-8% reduction in gas use. The measures, which were published in Tuesday's edition of the official state gazette, will remain in force until November 2023. "[This] lays out a series of measures to save energy and use it more efficiently, which are urgent and necessary when it comes to reducing energy consumption in general, and reducing our dependence on energy outside the Spanish economy," the decree said.
Security

Proxy Service 911[.]re Closes After Disclosing Breach and Data Damage (krebsonsecurity.com) 4

Long-time Slashdot reader tsu doh nimh writes: 911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations, KrebsOnSecurity reports.
From the article: "On July 28th, a large number of users reported that they could not log in the system," the statement continues. "We found that the data on the server was maliciously damaged by the hacker, resulting in the loss of data and backups. Its [sic] confirmed that the recharge system was also hacked the same way. We were forced to make this difficult decision due to the loss of important data that made the service unrecoverable."

Operated largely out of China, 911 was an enormously popular service across many cybercrime forums, and it became something akin to critical infrastructure for this community after two of 911's longtime competitors — malware-based proxy services VIP72 and LuxSock — closed their doors in the past year...

911 wasn't the only major proxy provider disclosing a breach this week tied to unauthenticated APIs: On July 28, KrebsOnSecurity reported that internal APIs exposed to the web had leaked the customer database for Microleaves, a proxy service that rotates its customers' IP addresses every five to ten minutes. That investigation showed Microleaves — like 911 — had a long history of using pay-per-install schemes to spread its proxy software.

Security

0-Days Sold By Austrian Firm Used To Hack Windows Users, Microsoft Says (arstechnica.com) 25

Longtime Slashdot reader HnT shares a report from Ars Technica: Microsoft said on Wednesday that an Austria-based company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America. Members of the Microsoft Threat Intelligence Center, or MSTIC, said they have found Subzero malware infections spread through a variety of methods, including the exploitation of what at the time were Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks, and strategic consultancies in countries such as Austria, the UK, and Panama, although those aren't necessarily the countries in which the DSIRF customers who paid for the attack resided.

"MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks," Microsoft researchers wrote. "These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open source news reports attributing Subzero to DSIRF."
Referring to DSIRF using the name KNOTWEED, Microsoft researchers wrote: In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim's Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED's extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we've seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process is spawned.

CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.
Microsoft recommends a number of security considerations to help mitigate this attack, including patching CVE-2022-22047, updating Microsoft Defender Antivirus to update 1.371.503.0 or later, and enabling multifactor authentication (MFA).
