Microsoft Confirms New Windows 10 Login Bypass Threat: Here’s The Fix

Security researchers have found a way to bypass the Windows Hello facial recognition that is used by hundreds of thousands of Windows 10 users to log in.

The latest batch of ‘Patch Tuesday’ security updates from Microsoft has landed with a hefty thump. With 116 vulnerabilities fixed, 12 of which were rated as critical and two already being exploited, the usual advice to install those updates as soon as possible applies. Not least as one of them fixes the PrintNightmare vulnerability in the Windows print spooler service that could lead to a remote takeover of your system.

However, the vulnerability that really caught my attention is one with the potential to impact a massive 85% of all Windows 10 consumers: a way for an attacker to bypass the Windows Hello facial recognition login authentication system.

Here’s what we know and what you need to do next.

The Windows 10 facial recognition vulnerability explained

Security researchers at CyberArk Labs have discovered a vulnerability within the Windows Hello facial authentication process, CVE-2021-34466, that could allow an attacker to gain access to a Windows 10 computer. Scary sounding stuff, but how worrying is this in a real-world setting for the average Windows 10 user?

Let’s start by looking at what the vulnerability is. The full technical explanation has been published on the CyberArk website but here’s the brief version. The Windows Hello facial recognition process requires a camera with two separate sensors, namely an infra-red and RGB one.

However, the researchers found that only the output from one of these, the infra-red images, was processed during authentication. Indeed, they replaced the RGB user image with that of SpongeBob to prove the point.

The vulnerability, then, is that an attacker would only need a single, valid, infra-red frame to bypass the system.

Complexity of exploitation lessens the impact considerably for most users

Well, sort of, and this is where the scariness starts to fade a little. The exploitation of the vulnerability is far from an easy process. For a start, the attacker needs that infra-red image of the user. The researchers say that this can be achieved by walking past someone, placing a camera in an elevator, etc. So already, this is starting to sound like a somewhat unlikely risk to the average user.

And it gets even more unlikely when you realise that even if the attacker got that infra-red image of your face, they would still require physical access to your computer for stage two.

Stage two is the insertion of a custom-built USB device that can then inject the spoofed image.

So, should Windows 10 users stop using Windows Hello authentication?

In an email addressing the vulnerability status, a CyberArk Labs spokesperson wrote that “the bypass would be of particular use to a criminal launching a targeted espionage attack, with targeted attacks having increased in popularity over the past three years as nation-states and organised groups realise their potential.”

This is true enough, but most Windows 10 users are not on the nation-state espionage radar. Moreover, even if they were, I suspect much easier methods that didn’t require physical access to a computer would be higher on the attack menu.

“When I see these sorts of announcements of security authentication bypass by either 3D printing, high-resolution digital photography or Tom Cruise descending on wires to ‘hack in,’ the hype machine is always deflated by the words requires physical access,” Ian Thornton-Trump, the chief information security officer at threat intelligence experts Cyjax, told me. “Mission Impossible operatives as a threat model aside,” Thornton-Trump concludes, “I think we can all rest comfortably on this issue.”

What does Microsoft have to say?

Microsoft has stated that “customers with Windows Hello Enhanced Sign-in Security are protected against such attacks which tamper with the biometrics pipeline.” As the name suggests, this is a more robust biometric system requiring factory-installed hardware and drivers for the computer.

You can see if this is enabled for you by opening the Windows Security app and heading for Device Security. Unfortunately, if there’s no Enhanced Sign-in Security section displayed, you don’t have it.

But don’t despair because Microsoft also stated that it “released a security update on July 13 that mitigates this issue.”

Tuesday, July 13, to be precise. Patch Tuesday. So, install those updates and don’t worry unduly about this one.

The Witcher’s Geralt of Rivia drops into Fortnite with his mate Doom Slayer

(Pocket-lint) – Fortnite has always been the king of the crossover and now it’s at it again with Chapter 4 Season 1 with Geralt and Doom Slayer making an appearance.

The next big thing in Fortnite is now live with Chapter 4 Season 1 getting an all-new map and a whole lot more. One of those things is a new character called Selene, available from the get-go. But things will get interesting for The Witcher fans come mid-season when Epic Games adds Geralt of Rivia as a Battle Pass skin.

As always, the Battle Pass costs 950 V-Bucks and as you progress through you’ll unlock items and whatnot. Geralt will be unlocked via that Battle Pass, as will Doom Slayer – of DOOM fame, of course. Other unlockable skins include Massai, Dusty, Nezumi, Helsie, and The Ageless. The Geralt unlock won’t be available until later on in the season, Epic says.

The latest season includes plenty of other tweaks and treats and makes use of Unreal Engine 5.1, making this the best-looking version of Fortnite to date on PlayStation 5, Xbox Series X|S, and PC.

All of this will take place on a brand-new island with new points of interest that include The Citadel, Anvil Square, and Brutal Bastion.

The new season of Fortnite is up and running right now and you can get involved yourself. You can play Fortnite on just about anything right now and the download is of course free.

Writing by Oliver Haslam.

‘Elden Ring’ Reveals Free PvP Colosseum Update, Hopefully Ahead Of DLC Announcement

FromSoftware has just released a new trailer for an upcoming free update to Elden Ring that drops tomorrow, Wednesday December 7.

It’s a PvP-focused update to the game which will herd players into battles in the many colosseums dotting the map, hence why it’s called the “Colosseum Update.” They just released a new trailer for it.

According to the official press release about the addition, we have some confirmation on what exactly the modes are that will be added:

“The Colosseums of Limgrave, Leyndell and Caelid will open their gates, allowing players to engage in battles such as duels, free-for-alls and team fights.”

In the trailer, we see a traditional 1v1 battle at the start, but it progresses to players fighting each other’s summons, and then finally a 3v3 team fight battle which is well beyond anything the game is currently capable of.

Elden Ring has spent many months balancing all of its magic and weapon skills in an effort to try to create more parity in PvP, which has turned out to be a significant part of the game, and the core of the game’s endgame once you’ve done everything in PvE.

There is a theory that I personally subscribe to, that FromSoft is revealing this PvP update now and launching it tomorrow so it will not get drowned out by a potential announcement this Thursday at The Game Awards. There are rumblings, and fervent prayers, that this would be the stage in which they would finally announce sizable, PvE DLC for Elden Ring. We are well, well behind the pacing of past DLC announcements from FromSoft games, given that Elden Ring came out almost ten months ago now, but it’s obviously a bigger game than past ones. Elden Ring DLC repeatedly is brought up as the “World Premiere” at The Game Awards that everyone is hoping to see, and these days, with the demise of E3, it’s pretty much the biggest place in the industry to debut things, outside of first party PlayStation and Xbox showcases.

That’s the hope anyway, but the concrete facts right now are just that this PvP update will come tomorrow, so get your builds ready and find some teammates in order to take on the toughest PvP challenges in the game yet. Should be a lot of fun.

Witcher 3’s Free DLC Update Doesn’t Have A Switch Release Date Yet

Next week sees the arrival of The Witcher 3’s “next-gen” update across multiple platforms, but new information suggests it won’t be coming to the Nintendo Switch on the same date.

Our friends at Eurogamer caught up with CD Projekt Red ahead of the free update’s release, and apparently, there’s “no specific release date yet” for the Nintendo Switch version of the game. All that’s known is it will arrive “later than 14th December”.

Witcher 3 next-gen update producer Ryu Underhill mentioned how the team was “working hard to bring it to [Switch] players” as soon as possible, and more information will be shared in the near future.

When the Switch version of this update does arrive, players can expect the “same fixes and additional content” as other platforms like Xbox One and PlayStation 4. The Switch will also receive cloud-save and cross-progression features, as well as the new Netflix DLC. This new quest will last for about “half-an-hour”, according to Eurogamer:

“…it’s about half-an-hour’s worth, plus a bit more for a follow-up step. It was flagged as level 15…”

Obviously, the Switch update will not include “next-gen features such as visuals/technical/gameplay improvements, modes” or “other additions” exclusive to next-generation platforms.

Via Eurogamer: “The Witcher Netflix DLC is a new scavenger hunt-style quest that takes place inside The Devil’s Pit in Velen. The Devil’s Pit is the place you find yourself immediately after leaving the starter zone of White Orchard. It’s that big, circular, wooden-fence-ringed place where nothing seems to actually happen. Currently, there are only some humanoid enemies in there, and the big door to the mine is closed. This DLC opens those doors.”
