Security and privacy Q&A

I never run Zoom in anything other than a special-purpose (test) virtual machine on Windows, as its track record with security is just terrible.

However, it seems you can’t escape it these days.

I do wish they were a bit more forceful in saying "hey Mac users, this is important!" as many Mac users still see malware and other security threats as another OS's issue and not theirs.

Apple seems to encourage that in a nod-and-wink fashion, unfortunately.

1 Like

BTW: If Apple would just finish developing app signing on Mac like they already have on iOS, the Zoom hack wouldn’t be possible.

Adobe already does signing with their own apps, albeit with their own proprietary implementation.

So this is a remarkably sophisticated fake/fraud. One of our UK customer’s employees got two of these.

What’s amazing is how good the fake is. Even the UPC on the box scans as an Office SKU, albeit, in reality, a product-key-only one.

1 Like

Impressive approach by the bad guys, but falling for this requires an equally impressive sequence of bad decisions:

  • didn’t order it, still install it
  • believe the fake antivirus message when plugging it in. At that point you should be suspicious of anything your PC tells you to do
  • call the suggested number instead of MS support directly (while having the gall to call support for something you didn’t buy)
  • give a stranger your CC info

Still, I’ve seen people fall for worse.

2 Likes

Woke up to see that at 2am MS Authenticator was challenged. The good news, this probably means nobody got in. The bad news: someone tried. I don’t recall, does this mean they supplied the correct password? Or can I get an MSAuth request even if the password was incorrect?

If the former, there’s cause for concern, since I reset my password fairly recently.

You will get an MSAuth request regardless of whether the password was correct. One of our customers, a government agency, sees these types of requests all the time on their field systems.

I wouldn’t worry about it.

2 Likes

So this one is significant, as it’s already been exploited in the wild and I suspect our group is likely to have Plex users.

And BTW: why don’t these articles emphasize that one of the most basic things you can do for any account is to update your passwords on a scheduled basis?

Yes, it’s a PITA, but for me anyway the additional peace of mind more than offsets that.

1 Like

For whatever reason, the NIST guidance on password policies (iirc) was to NOT make your users reset their passwords on a (frequent) regular basis. I forgot the reasoning though.

Side note, in a comment on alleged Twitter security issues I saw someone claim that it would be smart to avoid doing any banking on phones. Personally I had decided the opposite. For Android I’d agree, but I thought that iOS devices were likely to be less risky than PCs.

Side note to the side note: how on earth do many banks STILL not offer the option to secure accounts using authenticator apps? Protecting accounts with text messages seems dumb, given the frequency with which people are able to convince phone company reps to do SIM transfers. I’d actually appreciate a list of banks that DO offer authenticator-app-based account protection.

Followup to the earlier concerns: I installed FullEventLogView on my SG Book2, and the error list is MUCH quieter than on my SLS. So it looks like, at the very least, I ended up with a damaged Win11 install on the SLS. Either that, or the difference is due to the fact that I have tons more software installed on the SLS than on the SGB2. I think I’ll bite the bullet at some point and do a fresh install after all, hoping that I’m not the lucky recipient of some newfangled UEFI malware.
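An added example, not from this thread, to put the FullEventLogView comparison above on a repeatable footing: the same PowerShell query run on both machines gives a per-provider, per-event-ID count of Critical/Error events for the same window, plus the cheap firmware checks that bear on the UEFI worry (boot mode, Secure Boot state, firmware version and date). It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and an elevated session so Confirm-SecureBootUEFI can query the firmware; the function names are mine, not from any tool mentioned here.

```powershell
# Added example: compare Critical/Error event volume between two Windows
# machines with one repeatable query instead of eyeballing FullEventLogView.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows; run elevated so
# Confirm-SecureBootUEFI can query the firmware.

function Get-ErrorSummary {
    param(
        [int]$Days = 7,
        [string[]]$LogName = @('System', 'Application'),
        [int]$Top = 15
    )
    # Level 1 = Critical, 2 = Error. SilentlyContinue keeps an empty log from
    # turning into a terminating error.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Level     = 1, 2
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    # Group by provider and event ID so the same failing component lines up
    # as one row on both machines and the counts can be diffed directly.
    $events |
        Group-Object -Property ProviderName, Id |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property Count,
            @{ n = 'Provider'; e = { $_.Group[0].ProviderName } },
            @{ n = 'EventId';  e = { $_.Group[0].Id } },
            @{ n = 'Last';     e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } }
}

function Get-FirmwareSummary {
    # Cheap checks relevant to the "UEFI malware" worry: boot mode, Secure Boot
    # state, and the firmware version/date so both machines can be compared
    # against the current firmware release for that model.
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $secureBoot = "unavailable: $($_.Exception.Message)"
    }
    $bios = Get-CimInstance -ClassName Win32_BIOS
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        FirmwareType    = $env:firmware_type        # 'UEFI' or 'Legacy'
        SecureBoot      = $secureBoot
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        FirmwareDate    = $bios.ReleaseDate
    }
}

# Run on each machine, then diff the two CSVs.
Get-ErrorSummary -Days 7 | Tee-Object -Variable summary | Format-Table -AutoSize
$summary | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-errors.csv"
Get-FirmwareSummary | Format-List
```

Grouping on provider and event ID rather than on message text is deliberate: messages carry per-machine paths and timestamps, while a (provider, ID) pair that shows hundreds of hits on one box and none on the other points at a specific component to investigate before deciding on a wipe.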

Thanks for the reminder on NIST guidance, and you are right, it’s still that.

My opinion on all this is that in the world we are in now, it’s not a matter of if something you use gets hacked but when.

The idea behind regularly updating your passwords is that even if that occurs, by the time they try to exploit it you will have already changed it.

And FWIW, I do all my banking on my iPhone as, of all my devices, it seems to be the most secure.

2 Likes

So while I don’t think it’s technically necessary to do it, I think for your peace of mind alone, wipe and reinstall is your best option. In other words, it’s going to continue to nag at you until you do, which is IMHO a significant impediment.

Plus, it’s still true that a fresh install of Windows always brings a performance bump, as MS is still bad at removing the cruft that accumulates over time.

And so far anyway, I haven’t seen or heard of any MS Surface UEFI malware to date. And for that matter, MS UEFI is among the most complex and, at least on the surface (pun intended), secure UEFI implementations out there.

1 Like

Yeah, completely agreed on that one; I guess it’s time to update some of those ancient but important passwords. Important enough to never save in built-in browser password managers.

On that note, I mentioned earlier that I was shocked how Firefox was able to slurp up all my saved passwords from Edge when I made the switch, without so much as a UAC prompt. Does this mean that if, say, NirSoft gets hacked (or bought) and adds some code to, say, FullEventLogView, that some simple utility like that could read all those passwords and send them to whoever wrote that code? It certainly seems like it. Are password managers any better in that respect? Or is it basically game over if you install a malicious app (undetected by AV software) on a Windows PC? I guess yes, especially if you click ‘Yes’ on the admin access request during install. Note to self: don’t install too many handy utilities.

1 Like
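The question in the post above is the one a practitioner should ask, so here is an added example (not from the thread, and not NirSoft’s or Mozilla’s code) that shows why no UAC prompt is needed. Chromium-based browsers such as Edge keep the AES key that encrypts the saved-password database in the profile’s "Local State" file, wrapped with DPAPI in CurrentUser scope, and DPAPI in that scope unwraps for any process running as the same user, elevated or not. The script only unwraps that key and reports its length; it deliberately stops short of the Login Data database. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and Edge’s default profile path; the function name is mine.

```powershell
# Added example: shows why a same-user, non-elevated process needs no UAC
# prompt to reach a Chromium-based browser's saved passwords. The per-profile
# AES key lives in "Local State" wrapped with DPAPI (CurrentUser scope); any
# process running as that user can unwrap it. This script unwraps the key and
# reports only its length. It never opens the Login Data database.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.

Add-Type -AssemblyName System.Security -ErrorAction SilentlyContinue  # ProtectedData on 5.1

function Get-ChromiumKeyStatus {
    param(
        # Profile root; Edge's default location is assumed here.
        [string]$UserDataDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data')
    )
    $localState = Join-Path $UserDataDir 'Local State'
    if (-not (Test-Path -Path $localState)) {
        return [pscustomobject]@{ Profile = $UserDataDir; Found = $false; Unwrapped = $false; KeyBytes = 0 }
    }

    $json = Get-Content -Raw -Path $localState | ConvertFrom-Json
    $blob = [Convert]::FromBase64String($json.os_crypt.encrypted_key)

    # Chromium prefixes the DPAPI blob with the literal ASCII bytes "DPAPI".
    $prefix = [Text.Encoding]::ASCII.GetString($blob, 0, 5)
    if ($prefix -ne 'DPAPI') { throw "Unexpected key format in $localState" }
    [byte[]]$wrapped = $blob[5..($blob.Length - 1)]

    try {
        # CurrentUser scope: succeeds for any process under this account, elevated
        # or not. Under another account, or on another machine, it fails.
        $key = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $wrapped, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        $result = [pscustomobject]@{ Profile = $UserDataDir; Found = $true; Unwrapped = $true; KeyBytes = $key.Length }
        [Array]::Clear($key, 0, $key.Length)   # do not leave key material in memory
        return $result
    } catch [System.Security.Cryptography.CryptographicException] {
        return [pscustomobject]@{ Profile = $UserDataDir; Found = $true; Unwrapped = $false; KeyBytes = 0 }
    }
}

# Run as the browser's user, unelevated: Unwrapped = True, KeyBytes = 32
# (AES-256). Run as a different local user: Unwrapped = False.
Get-ChromiumKeyStatus | Format-List
```

Firefox’s importer performs exactly this unwrap as the signed-in user, which is why no prompt appeared; the admin prompt is not the gate for this data, the user account is. A standalone password manager whose vault is encrypted under a master password you type differs only while it is locked: a same-user process cannot unwrap the vault without that secret, though once unlocked the clipboard and browser extension are reachable again. One caveat: recent Chrome builds added an app-bound layer in front of this key that unwraps only through an elevated service, so on such a profile the script’s prefix check, or the unwrap, will fail rather than report a key.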

Thanks, me neither. I used all my google skills, but nothing found. So I should be fine once I do a wipe and reinstall. To be continued. I’m going to be so p*ssed if I find all the same errors in the Event Log after a fresh install. :slight_smile:

Edit: this thread is more of a Security and Privacy J&D (JoeS and Desertlap). :grimacing:

I don’t have a good answer to your concerns there, and my feelings on this continue to evolve.

More generally, our advice to our customers is to standardize on a specific set of tools and applications, stick with them, and not install anything unless there is an unambiguous business reason to install it.

Yes, it can make you sound like the security nazi, but OTOH, once you’ve experienced a significant, extensive hack, it’s more than compensatory.

1 Like

It’s truly the Wild West out there…

1 Like

I wish they would have gone a little deeper on this though.

As convenient and time-saving as it is for MS, Apple, Google and Samsung to store all your passwords/logins etc., even though they all use 2FA now, if someone gets legitimate credentials, regardless of method, then they pretty much hold the door wide open to all of your accounts if you go all in on the keychain thing.

And I know many an Apple user specifically who does, FWIW.

That’s why at least all of my financial-related logins are both unique and not stored in any keychain.

2 Likes

This one should be shouted from the rooftops. I can’t count the number of users, especially the youngest ones, who have argued with us about this, until in some cases we actually show them.

PSA: Stop Using In-App Browsers Now | PCMag

3 Likes

Can you share the most egregious uses of the in app browser permissions? I’m curious…

It’s more that we’ve seen them used as a vector for password/user harvesting. Some versions of TikTok, as the article mentioned, as well as the Facebook app.

The most notorious a while back was the Kindle app, which leaked like a sieve and ultimately led to Apple banning embedded browsers in apps in the App Store.

The Signal app was also bad about this, but has since been fixed. Some of Samsung’s apps were also culprits, though they have been slowly removing that functionality.

I guess my point was that users should settle on a browser, make sure it’s kept current, and use only it for all their web browsing.

2 Likes

The Kindle app had a browser at one time? Not just the physical Kindles? How did I miss that? I don’t recall the option on Android, iOS or Windows 8.

Anyway, yeah, good advice that people who aren’t geeks, who don’t read PCMag or the like, won’t hear of or follow. :person_shrugging:

1 Like