Bug

Patched Windows Bug Was Actually a Dangerous Wormable Code-Execution Vulnerability (arstechnica.com) 20

Ars Technica reports on a dangerously "wormable" Windows vulnerability that allowed attackers to execute malicious code with no authentication required — a vulnerability that was present "in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability." Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of "important." In the routine course of analyzing vulnerabilities after they're patched, IBM security researcher Valentina Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did [the flaw used to detonate WannaCry]. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue....

One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months. EternalBlue, by contrast, was initially exploited by the NSA as a zero-day. The NSA's highly weaponized exploit was then released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit. Palmiotti said there's reason for optimism but also for risk: "While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time," said Palmiotti.

There's still some risk, Palmiotti tells Ars Technica. "As we've seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether."

Thanks to Slashdot reader joshuark for sharing the article.
Microsoft

CNET Touts 'Massive' Microsoft Office Deal: 91% Discount on a Lifetime License (cnet.com) 80

Meanwhile, over in the Microsoft ecosystem, CNET reports: You can ditch the subscription (with recurring charges) and snag a lifetime license of access to Microsoft's Word, Excel, PowerPoint, Outlook, Teams, OneNote, Publisher and Access for just $30...

That's back at the lowest price we've ever seen, and a whopping 91% off the usual price of $349.

However, this deal expires in just a few days, so be sure to get your order in soon. The offer, from StackSocial, applies to both the Windows and Mac versions of the software.

Now, you can always opt to use the free online version of Microsoft Office (which has far fewer features). But compared to the online Microsoft 365 subscription suite that costs $10 per month or $100 per year, this downloadable version is a phenomenal bargain.

The Mac deal ends today, but the Windows deal extends through December 28th, according to CNET's article. "The two big caveats: You get a single key — which only works on a single computer — and there's no Microsoft OneDrive Cloud Storage included."
Programming

Stack Overflow Survey Finds More Developers Now Use Linux Than MacOS (justingarrison.com) 195

Justin Garrison works at Amazon Web Services on the Kubernetes team (and was senior systems engineer on several animated films).

This week he spotted a new milestone for Linux in the 2022 StackOverflow developer survey: [Among the developers surveyed] Linux as a primary operating system had been steadily climbing for the past 5 years. 2018 through 2021 saw steady growth with 23.2%, 25.6%, 26.6%, 25.3%, and finally in 2022 the usage was 40.23%. Linux usage was more than macOS in 2021, but only by a small margin. In 2022 it is now 9% more than macOS.
Their final stats for "professional use" operating system:
  • Windows: 48.82%
  • Linux-based: 39.89%
  • macOS: 32.97%

But Garrison's blog post notes that this doesn't include the million-plus people using all the Linux-based cloud development environments (like GitHub Workspaces) — not to mention the 15% of WSL users on Windows and all the users of Docker (which uses a Linux VM).

"It's safe to say more people use Linux as part of their development workflow than any other operating system."


Intel

The Intel P-Series Was a Step Back 48

An anonymous reader shares a report: I reviewed a number of laptops in 2022 across consumer, workstation, gaming, business, Chromebook, and everywhere else. I touched all of the major brands. But I had a particular focus on ultraportables this year -- that is, thin and light devices that people buy to use, say, on their couch at home -- because, with Apple's MacBooks in such a dominant position, many eyes have been on their competitors on the Windows side. For many of these models, I found myself writing the same review over and over and over. They were generally good. They performed well. But their battery life was bad.

What these laptops had in common is that they were all powered by the Intel P-series. Without getting too into the weeds here, Intel processors have, in the past, included H-series processors -- powerful chips that you'll find in gaming laptops and workstations -- and U-series processors for thinner, lighter devices. (There was also a G-series, which was this whole other thing, for a couple of years.) But the Intel 12th Generation of mobile chips (that is, the batch of chips that Intel released this year) has a new letter: the P-series. The P-series is supposed to sit between the power-hungry H-series and the power-efficient U-series; the hope was that it would combine H-series power with U-series efficiency.

And then many -- a great many -- of this year's top ultraportable laptops got the P-series: big-screeners like the LG Gram 17; modular devices like the Framework Laptop; business notebooks like the ThinkPad X1 Yoga Gen 7; premium ultraportables like the Acer Swift 5, the Lenovo Yoga 9i, the Samsung Galaxy Book2 Pro, and the Dell XPS 13 Plus. The problem was that, in reality, the P-series was just a slightly less powerful H-series chip, which Intel had slapped an "ultraportable" label onto. It was identical to the H-series in core count and architecture, but it was supposed to draw slightly less power.
Programming

Microsoft Spooks Windows Desktop Developers By Calling WPF a 'Community Run Project' (devclass.com) 81

A Microsoft .NET Community standup has left Windows desktop developers wondering what kind of future, if any, the company has planned for its older desktop application frameworks, Windows Forms and Windows Presentation Foundation (WPF). From a report: A "what's new" slide for WPF presented by senior program manager Olia Gavrysh last week shows "Community Run Project" as the first bullet point, causing consternation among attendees. "Who's happy that WPF is now a community run project? This is soooo scary," remarked Morten Nielsen, a senior principal engineer at ESRI working on the ArcGIS runtime, for location-based analytics.

The slide was perhaps misinterpreted. It was intended as an update on what is happening with pull requests from the community, rather than meaning that WPF has been handed over to the community. Nevertheless, concerns about the future of the framework are well founded. "It's not dead. We have a team working on WPF and supporting it," said Gavrysh, but added, "we now switch to the model where we accept a lot of PRs [pull requests] from the community because we think of WPF as [a] very mature project so not that much rapid development is happening."

Software

Ask Slashdot: Where Are the Modern Terminal Emulators? 286

Slashdot reader SoftwareArtist writes: Terminal emulators have barely changed in 30 years. They're still just scrolling windows of unstructured text. Why is there so little innovation in an application we use every day?

There are so many ways they could be modernized to help us be more productive. For example:

- If I type ls to show a directory listing, I should be able to right-click on a filename and get a list of operations to perform on that file, just like a file browser.

- If I start to type a filename and press tab twice, it shouldn't just print a list of possible completions. It should provide a popup to select the one I want.

- Why can't I cat an image file and see the image right in the terminal window?


Are there any modern terminals that update this important tool for the 21st century? And if not, what prevents them?
Open Source

As GitHub Retires 'Atom', Open Source 'Pulsar' Continues Its Legacy (itsfoss.com) 24

In June GitHub announced they'd retire their customizable text editor Atom on December 15th — so they could focus their development efforts on the IDEs Microsoft Visual Studio Code and GitHub Codespaces. "As new cloud-based tools have emerged and evolved over the years, Atom community involvement has declined significantly," according to a post on GitHub's blog.

So while "GitHub and our community have benefited tremendously from those who have filed issues, created extensions, fixed bugs, and built new features on Atom," this now means that:

- Atom package management will stop working
- No more security updates
- Teletype will no longer work
- Deprecated redirects that supported downloading Electron symbols and headers will no longer work
- Pre-built Atom binaries can continue to be downloaded from the atom repository releases

Fortunately, in 2014 GitHub open sourced the code for Atom. And according to It's FOSS News: A community build for it is already available; however, there seems to be a new version (Pulsar) that aims to bring feature parity with the original Atom and introduce modern features and updated architecture....

The reason why they made a separate fork is because of different goals for the projects. Pulsar wants to modernize everything to present a successor to Atom. Of course, the user interface is much of the same. Considering Pulsar hasn't had a stable release yet, the branding could sometimes seem all over the place. However, the essentials seem to be there with the documentation, packages, and features like the ability to install packages from Git repositories....

As of now, it is too soon to say if Pulsar will become something better than what the Atom community version offers. However, it is something that we can keep an eye on.... You can head to its official download page to get the package required for your system and test it out.

Like Atom, Pulsar is cross-platform (supporting Linux, macOS, and Windows).
Bitcoin

To Protect Its Cloud, Microsoft Bans Crypto Mining From Its Online Services 5

Microsoft has quietly banned cryptocurrency mining from its online services, and says it did so to protect all customers of its clouds. The Register reports: The Windows and Azure titan slipped the prohibition into an update of its Universal License Terms for Online Services that came into effect on December 1. That document covers any "Microsoft-hosted service to which Customer subscribes under a Microsoft volume licensing agreement," and on The Register's reading, mostly concerns itself with Azure. Microsoft's Summary of Changes to the license states: "Updated Acceptable Use Policy to clarify that mining cryptocurrency is prohibited without prior Microsoft approval." Within the license itself there's hardly any more info.

A section headed "Acceptable Use Policy" states: "Neither Customer, nor those that access an Online Service through Customer, may use an Online Service: to mine cryptocurrency without Microsoft's prior written approval." Microsoft appears not to have publicized this decision beyond the Summary of Changes page and, in recent hours, in an advisory to partners titled: "Important actions partners need to take to secure the partner ecosystem." That document states "the Acceptable Use Policy has been updated to explicitly prohibit mining for cryptocurrencies across all Microsoft Online Services unless written pre-approval is granted by Microsoft," and adds: "We suggest seeking written pre-approval from Microsoft before using Microsoft Online Services for mining cryptocurrencies, regardless of the term of a subscription."
Microsoft told The Register it made the change because "crypto currency mining can cause disruption or even impairment to Online Services and its users and can often be linked to cyber fraud and abuse attacks such as unauthorized access to and use of customer resources."

"We made this change to further protect our customers and mitigate the risk of disrupting or impairing services in the Microsoft Cloud." Permission to mine crypto "may be considered for Testing and Research for security detections."
Cloud

Microsoft Bans Mining Cryptocurrency on Its Online Services (theregister.com) 25

Microsoft has quietly banned cryptocurrency mining from its online services, and says it did so to protect all customers of its clouds. From a report: The Windows and Azure titan slipped the prohibition into an update of its Universal License Terms for Online Services that came into effect on December 1. That document covers any "Microsoft-hosted service to which Customer subscribes under a Microsoft volume licensing agreement," and on The Register's reading, mostly concerns itself with Azure.

Microsoft's Summary of Changes to the license states: "Updated Acceptable Use Policy to clarify that mining cryptocurrency is prohibited without prior Microsoft approval." Within the license itself there's hardly any more info. A section headed "Acceptable Use Policy" states: "Neither Customer, nor those that access an Online Service through Customer, may use an Online Service: to mine cryptocurrency without Microsoft's prior written approval."

Mozilla

Ask Slashdot: What Should Mozilla Do To Boost Firefox's Market Share? 407

couchslug writes: Mozilla's Firefox once commanded a large chunk of the browser market share, but now it stands under a pitiful 5 percent. Google money removes the need to compete from a management POV, as they'll get paid either way, but they're still leaving money on the table.

What should Mozilla do to help Firefox regain its lost market share? Not so long ago Internet Explorer was only used to download Firefox when geeks reloaded Windows machines for others. Today, Edge, however pathetic, still outranks Firefox. Were FF not arguably the best available browser for Linux, share would be even less.

Were you the king for a day what would you do to make Firefox great again? If you dropped or deprecated Firefox what shooed you off? This is not about Firefox being good or bad but about regaining casually discarded market share.
Microsoft

Microsoft Digital Certificates Once Again Abused To Sign Malware (arstechnica.com) 23

Microsoft has once again been caught allowing its legitimate digital certificates to sign malware in the wild, a lapse that allows the malicious files to pass strict security checks designed to prevent them from running on the Windows operating system. ArsTechnica: Multiple threat actors were involved in the misuse of Microsoft's digital imprimatur, which they used to give Windows and endpoint security applications the impression malicious system drivers had been certified as safe by Microsoft. That has led to speculation that there may be one or more malicious organizations selling malicious driver-signing as a service. In all, researchers have identified at least nine separate developer entities that abused the certificates in recent months.

The abuse was independently discovered by four third-party security companies, which then privately reported it to Microsoft. On Tuesday, during Microsoft's monthly Patch Tuesday, the company confirmed the findings and said it has determined the abuse came from several developer accounts and that no network breach has been detected. The software maker has now suspended the developer accounts and implemented blocking detections to prevent Windows from trusting the certificates used to sign the compromised certificates. "Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks," company officials wrote.

Windows

Support for Windows 7 and 8 Fully Ends in January, Including Microsoft Edge 81

Microsoft's Chromium-based Edge browser was an improvement over the initial version of Edge in many ways, including its support for Windows 7 and Windows 8. But the end of the road is coming: Microsoft has announced that Edge will end support for Windows 7 and Windows 8 in mid-January of 2023, shortly after those operating systems stop getting regular security updates. From a report: Support will also end for Microsoft Edge Webview2, which can use Edge's rendering engine to embed webpages in non-Edge apps. The end-of-support date for Edge coincides with the end of security update support for both Windows 7 and Windows 8 on January 10, and the end of Google Chrome support for Windows 7 and 8 in version 110. Because the underlying Chromium engine in both Chrome and Edge is open source, Microsoft could continue supporting Edge in older Windows versions if it wanted, but the company is using both end-of-support dates to justify a clean break for Edge.
Unix

OSnews Decries 'The Mass Extinction of Unix Workstations' (osnews.com) 284

Anyone remember the high-end commercial UNIX workstations from a few decades ago — from companies like IBM, DEC, SGI, and Sun Microsystems?

Today OSnews looked back — but also explored what happens when you try to buy one today: As x86 became ever more powerful and versatile, and with the rise of Linux as a capable UNIX replacement and the adoption of the NT-based versions of Windows, the days of the UNIX workstations were numbered. A few years into the new millennium, virtually all traditional UNIX vendors had ended production of their workstations and in some cases even their associated architectures, with a lacklustre collective effort to move over to Intel's Itanium — which didn't exactly go anywhere and is now nothing more than a sour footnote in computing history.

Approaching roughly 2010, all the UNIX workstations had disappeared.... and by now, they're all pretty much dead (save for Solaris). Users and industries moved on to x86 on the hardware side, and Linux, Windows, and in some cases, Mac OS X on the software side.... Over the past few years, I have come to learn that if you want to get into buying, using, and learning from UNIX workstations today, you'll run into various problems which can roughly be filed into three main categories: hardware availability, operating system availability, and third party software availability.

Their article details their own attempts to buy one over the years, ultimately concluding the experience "left me bitter and frustrated that so much knowledge — in the form of documentation, software, tutorials, drivers, and so on — is disappearing before our very eyes." Shortsightedness and disinterest in their own heritage by corporations, big and small, is destroying entire swaths of software, and as more years pass by, it will get ever harder to get any of these things back up and running.... As for all the third-party software — well, I'm afraid it's too late for that already. Chasing down the rightsholders is already an incredibly difficult task, and even if you do find them, they are probably not interested in helping you, and even if by some miracle they are, they most likely no longer even have the ability to generate the required licenses or release versions with the licensing ripped out. Stuff like Pro/ENGINEER and SoftWindows for UNIX are most likely gone forever....

Software is dying off at an alarming rate, and I fear there's no turning the tide of this mass extinction.

The article also wonders why companies like HPE don't just "dump some ISO files" onto an FTP server, along with patch depots and documentation. "This stuff has no commercial value, they're not losing any sales, and it will barely affect their bottom line."
First Person Shooters (Games)

It's DOOM's 29th Anniversary. What's Your Favorite Story? (archive.org) 95

It was 29 years ago today that DOOM was first released — and we're still using it! Here in 2022, the latest mod reportedly converts its demons into the zombies and creepers from Minecraft. This week Hackaday wrote about a simple emulated RISC-V processor that runs DOOM. Last month someone even got DOOM running in Notepad. And recently WebTV enthusiasts not only jerry-rigged a contemporary TV to a WebTV unit, but then actually got it to play a 1990s-era WebTV version of DOOM on their TV screen.

The last 29 years have been a long, strange trip. A hidden Doom level appeared in Microsoft Excel. A Doom video was also used to promote Windows 95. And then there was that weird Doom movie starring The Rock and Karl Urban... By 2015 Doom was inducted into the World Video Game Hall of Fame. In 2016 John Romero created a new level. Later that year a new release of Doom even featured a mod with one of the original Doom II levels from 1994.

In 2016 we'd asked Slashdot readers to share their own favorite stories about Doom — and the best thing about that post is those 351 comments. ("I went to the door, confused why the police were banging on my door.... They said they had reports of shots being fired." )

Is anyone still playing Doom today? Share your own thoughts and memories in the comments.

And what's your own favorite story about Doom?
Chrome

Passkey Support Rolls Out To Chrome Stable (arstechnica.com) 19

An anonymous reader quotes a report from Ars Technica: Following Google's beta rollout of the feature in October, passkeys are now hitting Chrome stable M108. "Passkey" is built on industry standards and backed by all the big platform vendors -- Google, Apple, Microsoft -- along with the FIDO Alliance. Google's latest blog says: "With the latest version of Chrome, we're enabling passkeys on Windows 11, macOS, and Android." The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign in to something with a passkey. [...]

Now that this is actually up and running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the "autofill" section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar). Next up we'll need more websites and services to actually support using a passkey instead of a password to sign in. Google Account support would be a good first step -- right now you can use a passkey for two-factor authentication with Google, but you can't replace your password yet. Everyone's go-to example of passkeys is the passkeys.io demo site, which we have a walkthrough of here.

Microsoft

Windows 11 Is Finally Getting a Built-In Screen Recording Tool (theverge.com) 40

Microsoft is finally bringing a built-in screen recorder to Windows. The Verge reports: The Snipping Tool in Windows 11 will soon be updated to include screen recording, meaning Windows users won't have to rely on the Xbox Game Bar or third-party tools just to record their screens. Windows 11 testers will start getting access to the updated Snipping Tool today, and the new record option will allow you to record an entire screen or even a section that gets cropped. The update comes more than four years after Microsoft first introduced a new screenshot experience for Windows. [...] Microsoft has only just started testing this with Windows 11 testers in the Dev Channel, so it's likely some weeks or months before this Snipping Tool is released to everyone using Windows 11.
Windows

Windows 11 Still Not Winning the OS Popularity Contest (theregister.com) 207

Microsoft has released an out-of-band update to nudge laggards toward Windows 11 amid a migration pace that company executives would undoubtedly prefer is rather faster. From a report: The software giant is offering an option of upgrading to Windows 11 as an out of box experience to its Windows 10 22H2 installed base, the main aim being to smooth their path forward to the latest operating system. "On November 30, 2022, an out-of-band update was released to improve the Windows 10, version 2004, 20H2, 21H1, 21H2, and 22H2 out-of-box experience (OOBE). It provides eligible devices with the option to upgrade to Windows 11 as part of the OOBE process. This update will be available only when an OOBE update is installed."

The update, KB5020683, applies only to Windows 10 Home and Professional versions 2004, 20H2, 21H1, 22H2. There are some prerequisites that Microsoft has listed here before users can make the move to Windows 11. The operating system was released on October 5 last year but shifting stubborn consumers onto this software has proved challenging for top brass at Microsoft HQ in Redmond. According to Statcounter, a web analytics service that has tracking code installed on 1.5 million websites and records a page view for each, some 16.12 percent of Windows users had installed Windows 11 in November, higher than the 15.44 percent in the prior month, but likely still not close to the figures that Microsoft was hoping for.

Television

Meet DTV's Successor: NextGen TV (cnet.com) 135

Around 2009 Slashdot was abuzz about how over-the-air broadcasting in North America was switching to a new standard called DTV. (Fun fact: North America and South America have two entirely different broadcast TV standards — both of which are different from the DVB-T standard used in Europe/Africa/Australia.) But 2022 ends with us already talking about DTV's successor in North America: the new broadcast standard NextGen TV.

This time the new standard isn't mandatory for TV stations, CNET points out — and it won't affect cable, satellite or streaming TV. But now even if you're not paying for a streaming TV service, another article points out, in most major American cities "an inexpensive antenna is all you'll need to get ABC, CBS, Fox, NBC and PBS stations" — and often with a better picture quality: NextGen TV, formerly known as ATSC 3.0, is continuing to roll out across the U.S. It's already widely available, with stations throughout the country broadcasting in the new standard. There are many new TVs with compatible tuners plus several stand-alone tuners to add NextGen to just about any TV. As the name suggests, NextGen TV is the next generation of over-the-air broadcasts, replacing or supplementing the free HD broadcasts we've had for over two decades. NextGen not only improves on HDTV, but adds the potential for new features like free over-the-air 4K and HDR, though those aren't yet widely available.

Even so, the image quality with NextGen is likely better than what you're used to from streaming or even cable/satellite. If you already have an antenna and watch HD broadcasts, the reception you get with NextGen might be better, too.... Because of how it works, you'll likely get better reception if you're far from the TV tower.

The short version is: NextGen is free over-the-air television with potentially more channels and better image quality than older over-the-air broadcasts.

U.S. broadcast companies have also created a site at WatchNextGenTV.com showing options for purchasing a compatible new TV. That site also features a video touting NextGen TV's "brilliant colors and a sharper picture with a wider range of contrast" and its Dolby audio system (with "immersive, movie theatre-quality sound" with enhancements for voice and dialogue "so you get all of the story.") And in the video there's also examples of upcoming interactive features like on-screen quizzes, voting, and shopping, as well as the ability to select multiple camera angles or different audio tracks.

"One potential downside? ATSC 3.0 will also let broadcasters track your viewing habits," CNet reported earlier this year, calling the data "information that can be used for targeted advertising, just like companies such as Facebook and Google use today...

"Ads specific to your viewing habits, income level and even ethnicity (presumed by your neighborhood, for example) could get slotted in by your local station.... but here's the thing: If your TV is connected to the internet, it's already tracking you. Pretty much every app, streaming service, smart TV and cable or satellite box all track your usage to a greater or lesser extent."

But on the plus side... NextGen TV is IP-based, so in practice it can be moved around your home just like any internet content can right now. For example, you connect an antenna to a tuner box inside your home, but that box is not connected to your TV at all. Instead, it's connected to your router. This means anything with access to your network can have access to over-the-air TV, be it your TV, your phone, your tablet or even a streaming device like Apple TV....

This also means it's possible we'll see mobile devices with built-in tuners, so you can watch live TV while you're out and about, like you can with Netflix and YouTube now. How willing phone companies will be to put tuners in their phones remains to be seen, however. You don't see a lot of phones that can get radio broadcasts now, even though such a thing is easy to implement.

But whatever you think — it's already here. By August NextGen TV was already reaching half of America's population, according to a press release from a U.S. broadcasters' coalition. That press release also bragged that 40% of consumers had actually heard of NextGen TV — "up 25% from last year among those in markets where it is available."
Security

New CryWiper Data Wiper Targets Russian Courts, Mayor's Offices (bleepingcomputer.com) 29

An anonymous reader quotes a report from BleepingComputer: A previously undocumented data wiper named CryWiper is masquerading as ransomware, but in reality, destroys data beyond recovery in attacks against Russian mayor's offices and courts. CryWiper was first discovered by Kaspersky this fall, where they say the malware was used in an attack against a Russian organization. [...] CryWiper is a 64-bit Windows executable named 'browserupdate.exe' written in C++, configured to abuse many WinAPI function calls. Upon execution, it creates scheduled tasks to run every five minutes on the compromised machine.

Next, it contacts a command and control server (C2) with the name of the victim's machine. The C2 responds with either a "run" or "do not run" command, determining whether the wiper will activate or stay dormant. Kaspersky reports seeing execution delays of 4 days (345,600 seconds) in some cases, likely added in the code to help confuse the victim as to what caused the infection. CryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services to free locked data for destruction.

Next, the malware deletes shadow copies on the compromised machine to prevent the easy restoration of the wiped files. CryWiper also modifies the Windows Registry to prevent RDP connections, likely to hinder intervention and incident response from remote IT specialists. Finally, the wiper will corrupt all enumerated files except for ".exe", ".dll", ".lnk", ".sys", ".msi", and its own ".CRY", while also skipping System, Windows, and Boot directories to prevent rendering the computer completely unusable. After this step, CryWiper will generate ransom notes named 'README.txt,' asking for 0.5 Bitcoin (approximately $8,000) in exchange for a decrypter. Unfortunately, this is a false promise, as the corrupted data cannot be restored.

Security

Chrome, Defender and Firefox 0-days Linked To Commercial IT firm in Spain 13

Google researchers say they have linked a Barcelona, Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox, and Windows Defender. From a report: Variston IT bills itself as a provider of tailor-made Information security solutions, including technology for embedded SCADA (supervisory control and data acquisition) and Internet of Things integrators, custom security patches for proprietary systems, tools for data discovery, security training, and the development of secure protocols for embedded devices.

According to a report from Google's Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to surreptitiously install malware on devices they want to spy on. Researchers Clement Lecigne and Benoit Sevens said the exploit frameworks were used to exploit n-day vulnerabilities, which are those that have been patched recently enough that some targets haven't yet installed them. Evidence suggests, they added, that the frameworks were also used when the vulnerabilities were zero-days. The researchers are disclosing their findings in an attempt to disrupt the market for spyware, which they said is booming and poses a threat to various groups.
