This Week in IT – Windows Hacked: Security Flaw in Top Laptops Revealed!


This Week in IT, discover how experts from Blackwing HQ uncovered startling Windows Hello fingerprint vulnerabilities on Dell, Lenovo, and Surface laptops. Learn about the flaw and what it means for your device’s security. Plus, Windows 10 is getting a new feature and there are some changes to end of support for Exchange Server 2019.


Transcript

This Week in IT, discover how experts from Blackwing HQ uncovered startling Windows Hello fingerprint vulnerabilities in Dell, Lenovo and Surface laptops. Learn about the flaw and what it means for your device’s security. Plus, Windows 10 is getting a new feature and there are changes to end of support for Exchange Server 2019. Stay tuned for all of that and the rest of the week’s IT Pro news.

Welcome to This Week in IT, the show where I cover all the latest Microsoft 365, Windows and Azure news. My name is Russell Smith and I’m editorial director of Petri.com. But before I get started, I’d like to thank everybody for the overwhelming support for last week’s video. It was interesting that 97% of the people who watched the video weren’t subscribed to the channel. Today we’re on about 2,500 subscribers as we go live with this video. I’d really love it if we could push that up to about 2,800 this week. If you’d like to help us meet our goal, I’d really appreciate it if you subscribe to the channel and don’t forget to hit the bell notification so that you don’t miss out on these weekly uploads.

Windows Hello is a key security feature in Windows 10 and Windows 11.

So even if you don’t have a webcam that supports facial recognition or a fingerprint reader built into your device, you might be familiar with Windows Hello anyway because quite often we use a PIN maybe to sign into Windows and that’s called a gesture. So you use that instead of a password and that PIN should be unique to that particular device and that’s considered a more secure way to log into the operating system. So if you’re using the fingerprint reader then it’s called a biometric gesture. Now you’d think this is pretty secure and despite what was revealed recently by Blackwing HQ, it is still more secure than using a password.

But what researchers at Blackwing uncovered was not so much a problem with Windows Hello itself but the way the authentication was implemented with certain fingerprint readers. Now they uncovered this vulnerability on certain laptops from Dell, Lenovo and of course maybe most surprisingly from Microsoft. So on certain models of laptops from these manufacturers they were able to bypass Windows Hello and log into the operating system without ever providing their fingerprint. Yes, that’s quite shocking. So they didn’t need a password, they didn’t even need to provide that biometric gesture, they were just able to bypass it. So of course this does require physical access to the device, you can’t do this via a remote attack but the problem in most cases was because the secure device communications protocol which is something that Microsoft established for Windows Hello so that things like fingerprint readers could communicate with the operating system and specifically Windows Hello could do that in a secure manner and Lenovo and the type cover for Surface laptops, this just wasn’t implemented at all.

So, I think the Surface type cover was the worst offender in that it was just using clear text communication over USB to send this data from the fingerprint reader back to the operating system and of course that could be intercepted and it was easy then just to be able to basically log on. Lenovo had a similar problem with its notebook that the secure device communications protocol was just not implemented and therefore the researchers were able to bypass the authentication from Windows Hello and I think with the Dell notebook the story was a little bit more complicated that the protocol had been implemented but they ended up with somehow two databases where the fingerprint data was stored, a Windows database and a Linux database and the researchers were able to access the information in the Linux database and then use that to log on to Windows. So they’ve got a bit of a more complex story. Of course this could have been avoided especially in the Lenovo and the Surface notebook by simply implementing SDCP, that would have solved that problem.

With the Dell notebook it would probably be a little bit more complicated but having the database for fingerprints twice of course doesn’t really make sense and that should be just in Windows, doesn’t need to be in Linux as far as I understand so that could also be solved. So while Blackwing HQ is saying of course this is a bit disappointing it’s still better to implement Windows Hello even with these flaws than to use passwords. Now I’m sure that Microsoft, Dell and Lenovo are going to be looking at addressing these vulnerabilities so basically these fingerprint readers use a technology called Match on chip which stores the fingerprint information that the devices receive on the chip so that it’s not directly stored on the host operating system and that’s where the problem lies in that technology and I’m sure that it can probably be addressed with some updates to the firmware to make sure that they change the way this communication works. So I’m hoping that we’re going to see some firmware updates for the devices that were mentioned specifically so it was a Lenovo ThinkPad T14, Dell Inspiron 15 and the Microsoft Surface Pro 8 and the X device and they were fingerprint sensors from Synaptics, Goodix and Elan.

So while Blackwing HQ found the vulnerabilities in these specific devices I bet that this is a much wider problem and that we’ll see firmware updates rolling out for lots of notebooks over the coming months. Let me know in the comments below whether you use Windows Hello or whether your organization still relies solely on passwords.

Copilot has come into Windows 10. I think we did mention the possibility of this happening a few weeks ago but there were some rumors about this. We do now know that it’s happening. It’s in preview so you have to be I think accepting the optional updates that come every month in order to get this at the moment.

There is an optional update that was released just yesterday for Windows 10 and that now brings the Copilot preview icon to the taskbar. So I’m sure this is going to work you know in a very similar way to Windows 11. I don’t know whether it’s going to include all of the Copilot features that are planned for Windows 11 but I think it makes sense that Microsoft want to get this Copilot stuff in front of as many people as possible and of course there’s still just a big user base working with Windows 10 so it makes sense that it’s going to come there too. So you can expect to see that become you know generally available I think sometime in early 2024.

Microsoft Exchange Server 2019 will be getting two extra cumulative updates after the end of support which I think is January the 9th.

I don’t think, I know it’s January the 9th 2024. So the upcoming CU so that’s cumulative update which is going to be number 14 is going to get support for TLS 1.3 extended protection and more. So I think it’s just to keep those servers you know which are going into extended support after that date you know as secure as possible for as long as possible because Microsoft knows that of course there are going to be lots of organizations that are not ready or haven’t even started to investigate upgrading to a later version of Exchange Server. So you kind of get a little bit more time there but of course you do really need to consider upgrading as quickly as you can if you don’t want to pay a lot of money for extended updates that is.

Microsoft Defender for APIs is now generally available and this is a protection technology of course from Microsoft that’s designed to protect business critical APIs you know. So an API is basically a piece of code that usually runs in the cloud somewhere that one application can communicate with in order to interface and do stuff with another application usually. So it’s kind of a way to interconnect two applications into the cloud and of course they need to be protected against cyber threats just like anything else. So this technology includes things like an API attack path analysis, security workbook for working through issues and there’s a partnership with an organization called 42Crunch that basically allows you to monitor the threat over the entire lifecycle and this capability is currently available in public preview.

Microsoft Defender for Cloud is getting support for Terraform in the form of a Terraform module so you’ll be able to deploy MDC using Terraform. So if you’re not aware Terraform is basically a system that allows you to define infrastructure as code if you like. Terraform is quite popular because it works across different platforms so it doesn’t matter whether you’re deploying your infrastructure into Azure, into AWS, into Google Cloud Platform, you can code something in Terraform that works across all of those different platforms and Microsoft Defender for Cloud is now getting a module.

So this module will allow you to automate the onboarding process for your cloud applications essentially and it will also support Terraform destroy should you want to tear down that configuration as well.

Microsoft Defender Application Guard for Office is being deprecated. So this was basically a solution that would isolate a file if you open it from an unknown location and check to see whether it’s safe before allowing the user to work with it. It’s going away. So what does that mean for you if you have that implemented for your organization? So Microsoft is saying that you should look at using their other robust security solutions to secure Office so that includes things like Defender for Endpoint and setting up attack surface reduction rules, using Protected View and making sure that that’s kind of enforced within your Office configuration and using Windows Defender Application Control.

Microsoft also highlighted that they’re going to be doing other things in the future to further secure Microsoft Office like removing support for VBScript and the legacy TLS 1 and 1.1 protocols from Windows 11.

So there you go. If you found this video useful I’d really appreciate it if you gave it a like because it helps to get it pushed out to more people on YouTube and if you didn’t catch last week’s video about the big announcements Microsoft made surrounding Planner then I’m going to put that on the screen so that you can check it out now. But that’s it from me for this week and I’ll see you next time.