
The major and monthly updates to Windows 10 can be a headache for some people. From the infamous blue screen of death errors, installation issues, reduced performance, and data deletion bugs, installing Windows updates isn’t a seamless process for everyone. Windows 10 KB4540673 is the latest update and it was released on March 10 with security fixes. The March Patch Tuesday update is a low-key release and there are not too many changes, but it appears that the patch is still causing a series of problems for some people. The most recent cumulative update for Windows 10 versions 1909 and 1903 is causing the blue screen of death on some devices, according to user reports. Only a small subset of consumers appear to be impacted, but the number of reports is growing. Concerns over Windows 10 KB4540673 cumulative updates were documented in our comments section and other forums. “After installing it I started having BSOD every time I started my PC. The only solution I had was rolling back to a previous restore point of some days ago,” explained the post author in our comments. “This March update installed automatically on my devices and it leads to BSOD errors on my gaming PC and my work laptop,” another user wrote. These user reports suggest that the issue is only due to compatibility issues with KB4540673. As we noted, consumers in other forums also reported seeing the issue with Windows 10’s newest patch. A discussion on Reddit also confirms the issue happens on some devices. For example, as one Redditor notes: “Not sure if this is the same problem given mine auto-updated to KB4540673 (not KB4535996), but after the update, my desktop PC was hanging on the BIOS/UEFI loading screen. I couldn’t get past POST to even attempt booting into Windows or Safe Mode”. “Installed KB4540673 today got a blue screen while playing CS: GO,” another user noted. 
“In all fairness, as annoyed as I am that my laptop is completely crashed right now over this update,” one poster noted in Microsoft’s forums. Some users have also claimed that this update could take a really long time to install, while others have reported installation issues. “It doesn’t install here. It restarts and says that the update wasn’t installed,” a reader told us. “I have the same issue. Only mine doesn’t go far as 1% and it won’t allow the other updates to download so I really don’t know what to do. Like I’ve had my PC opened all day and is still 1% not gone up at all,” a user wrote. One user also claimed that this patch once again causes a temporary user profile bug. It is worth noting that only a subset of users with unknown PC configuration reported these problems and it’s unclear just how widespread this issue is. For more refer to OUR FORUM.

Multiple sources familiar with the Entertainment Software Association (ESA)'s plans have confirmed to Ars Technica that the organization, which is responsible for the annual Electronic Entertainment Expo (E3), will soon cancel the three-day expo. Like in prior years, E3 2020 was scheduled to play out in early June as a three-day event at the Los Angeles Convention Center. Shortly after we received the tip, indie game publisher Devolver Digital posted a brief, ominous message on Twitter: "Cancel your E3 flights and hotels, y'all." The ESA had not made any announcements about E3 2020 at that time. One source who spoke to Ars on background said they'd heard the news of E3 2020's cancellation "directly from ESA members" and that an official, public statement on the matter "was supposed to be today [Tuesday, March 10] and slipped." Representatives for the ESA did not immediately respond to Ars Technica's questions about the state of E3 going forward or whether the event's seismic shift may instead mean a delay, a move to a completely different venue, or a wholly virtualized, live-streamed event. Exactly why the event will be canceled is not clear at this time. Late last month, the ESA addressed concerns about the spread of coronavirus and its impact on major 2020 expos around the world by insisting that it "continue[d] to plan for a safe and successful E3" while otherwise "monitoring and evaluating" its potential impact on events held in Los Angeles. Following that announcement, E3's contracted creative directors, the merchandise and events company iam8bit, resigned from its post after five weeks on the job. That news followed a February announcement that longtime E3 collaborator Geoff Keighley would not be participating in this year's expo. More so than the organizers and headlines, E3 has always been about the games—but even that fact has been a sore spot, as E3 has seen major game publishers bow out in recent years. 
Activision-Blizzard became an unreliable attendee starting in 2016. EA officially ditched E3 in 2016 to operate EA Play, a standalone event timed alongside E3, on an annual basis ever since. While Nintendo has regularly had a major booth on the E3 show floor, the company hasn't hosted an E3 keynote event for some time, choosing instead to host pre-filmed Nintendo Direct presentations on YouTube. Sony's absence in 2019 was considered particularly major, given that it's the producer of the world's best-selling home gaming console, and its E3 2020 no-show seemed even more glaring in comparison, thanks to a new PlayStation 5 console expected to launch later this year. Follow any Conference Cancellations by visiting OUR Forum.

A hot potato: Intel's largely undocumented master controller for its CPUs has a vulnerability that cannot be fixed, and is so severe that it can allow malicious actors to bypass storage encryption, copyrighted content protections, and take control of hardware sensors in IoT devices. Security researchers have discovered that a new vulnerability present in Intel chips that have been released over the last five years is unfixable outside of replacing the hardware that's currently being used in millions of commercial and enterprise systems. Specifically, this has to do with the Converged Security and Management Engine, which is essentially a tiny computer within your computer that has full access to all data that flows through your PC, from internal components to peripherals. Intel has guarded the secrets of how this engine works in an effort to prevent competitors from copying it, but that hasn't prevented security experts from trying to crack their way in to see if it can be exploited by malicious actors. The unfixable flaw was discovered by Positive Technologies, who says it's a firmware error that's hard-coded in the Mask ROM of Intel CPUs and chipsets. The problem is that Intel's CSME is also responsible for several security features, including the cryptographic protections for Secure Boot, digital rights management, and Enhanced Privacy ID (EPID). It also houses the Trusted Platform Module (TPM) that allows the OS and apps to store and manage keys for things like file system encryption. Researchers explained that hackers can exploit a firmware error in the hardware key generation mechanism that allows them to take control of code execution. They noted that "when this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted." The only recent platform immune to the problem is Intel's 10th generation, Ice Point chipsets and SoCs. 
However, the good news is that the attack method described by Positive Technologies is rather difficult to achieve without other factors at play, such as direct physical access to the hardware in question. This isn't the first time someone has managed to crack open Intel's ME subsystem. Security researchers uncovered other vulnerabilities in Intel's hardware in 2017 and 2018, not to mention the Spectre-style one from 2019 and the recently disclosed CacheOut attack, but at least those are fixable. Stay on top of the by visiting OUR FORUM.

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents. The effective date of the CCPA is January 1, 2020. It is the first law of its kind in the United States. CCPA applies to any for-profit business in the world that sells the personal information of more than 50,000 California residents annually, or has annual gross revenue exceeding $25 million, or derives more than 50 percent of its annual revenue from selling the personal information of California residents. Sale of PI is defined in the CCPA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” (1798.140.t1). If a company shares common branding (i.e. shared name, service mark or trademark) with another business that is liable under the CCPA, the company will be subject to CCPA compliance too. Under the CCPA, California residents (“consumers”) are empowered with the right to opt out of having their data sold to third parties, the right to request disclosure of data already collected, and the right to request deletion of data collected. Additionally, California residents have the right to be notified and the right to equal services and price (i.e. cannot be discriminated against based on their choice to exercise their rights). Failure to comply with the CCPA can result in fines of $7,500 per violation and $750 per affected user in civil damages for businesses. The power to enforce the CCPA lies with the office of the Attorney General of California, who has until July 2020 to specify enforcement regulation. 
However, the interim period between January and July 2020 is not a grace period, and businesses are liable for civil lawsuits from their data collection and selling from January 1, 2020. If your business meets any of the three CCPA thresholds above and has an online domain, you are required to implement certain changes to your website. Your website must inform its users at or before the point of data collection about the categories of personal information that it collects and for what purposes. Your website must feature a Do Not Sell My Personal Information link that users can use to opt-out of third-party data sales. If your website has minors under the age of 16 among its users, you are required to obtain their opt-in (consent) before you are allowed to sell or disclose their personal information to third parties. If the minor is under the age of 13, a parent or legal guardian must opt-in for them. Your business must also update its website’s privacy policy to include a description of the consumer’s rights and how to exercise these rights. Your privacy policy must also contain an annually updated list of the categories of personal information that your company collects, sells and discloses. Complete details, plus the Full Text of CCPA can be found on OUR FORUM.

   

The smartphone in our pockets has become our dirty secret. The next time you grab a friend's smartphone to stare at a picture or to watch the video on YouTube they simply had to share, you might want to think again. Or, even better, take a look at your own mobile device and wonder: when did I last clean it? On January 17, ZDNet took to Twitter to ask a simple question: How often do you disinfect your phone? The results surprised us and certainly revealed a disturbing truth: the majority of us are filthy creatures. In total, 18.5% of you said your smartphone was subject to a weekly clean, whereas 14% said their mobile device was subject to a monthly spruce-up. A whopping 60% of you admitted you never cleaned your mobile device. 7.4% inferred you would clean it after you've been sick. Our readers aren't alone, either, in grim habits: a 2019 report (.PDF) of 1,200 US residents and their hygiene practices found that 88% of adults use their phones in the bathroom. If you're a parent, you are even more likely to do so with the figure climbing to 93%; perhaps in a bid to snatch a few minutes of peace to check social media feeds and emails. (All in all, there are probably only two types of smartphone users: those who admit to using their device in the bathroom, and those who lie about it.) Your smartphone goes everywhere with you. The lounge, the bathroom, the kitchen, the bedroom, the pub. You touch the screen after you've washed up with the germ-infested kitchen sponge that really should have been thrown away days ago. You refill the dog bowl, perhaps receive an affectionate lick in gratitude and then accept a call, thereby pressing the screen to your face. You unlock your phone in the pub garden to check a notification after you've used the restroom. (You've washed your hands but how many reprobates have you seen while you're in there bypass the sink entirely to grab the door handle on their way out?) 
It's no wonder that smartphones are now comparable to toilet seats when it comes to the germs and viruses that claim them as home. Other recent studies confirm high colony-forming units (CFU) per square inch levels on our mobile devices. If you're like me and travel often with a smartphone glued to your hip, you really might want to take a wipe with you. Outstripping everything else on the list, a study into airport self-check-in kiosks showed they contain a massive 253,857 CFU per square inch, thanks to our grubby hands. We can't get rid of our smartphones, despite the breeding grounds of germs they have become, and it's important we don't sterilize our lives to the point we hamper our own immune systems. But it might be about time we think about cleaning our devices a little more often, especially in the winter season when cold and flu bugs are rampant and when touch can be enough to transfer contagious illnesses to our nearest and dearest. The now global challenge posed by the coronavirus is an additional wake-up call. Learn the proper way to clean your phone by visiting OUR FORUM.

Don't use a mobile authenticator app on an old smartphone, because the app is only as secure as the operating system in which it's running, two security researchers said at the RSA Conference here earlier this week. Aaron Turner and Georgia Weidman emphasized that using authenticator apps, such as Authy or Google Authenticator, in two-factor authentication was better than using SMS-based 2FA. But, they said, an authenticator app is useless for security if the underlying mobile OS is out-of-date or the mobile device is otherwise insecure. "You don't want the risk associated with 32-bit iOS," said Turner, adding that you should use only iPhones that can run iOS 13. "In Android, use only the Pixel class of devices. Go to Android One if you can't get Pixel devices. I've had good experiences with Motorola and Nokia Android One devices." And he warned the audience to stay away from one well-known Android brand. "[German phone hacker] Karsten Nohl showed that Samsung was faking device updates last year," Turner said. "Stop buying their stuff." To be fair, Samsung was far from the worst offender among phone makers in the study Turner cited, and the study authors later said "they got it wrong" regarding Samsung's issues, without going into further detail. (Slides for Turner and Weidman's presentation are available on the RSA website.) The problem is that if an attacker or a piece of mobile malware can get into the kernel of iOS or Android, then it can do anything it wants, including presenting fake authenticator-app screens. "One of my clients had an iPhone 4 and was using Microsoft Authenticator," Turner said, indicating another authenticator app. "All an attacker would need to do is to get an iPhone 4 exploit. My client was traveling in a high-risk country, his phone was cloned and then after he left the country, all sorts of interesting things happened to his accounts." And don't think iOS devices are safer than Android ones -- they're not. 
There are just as many known exploits for either one, and Weidman extracted the encryption keys from an older iPhone in a matter of seconds onstage. The iPhone's Secure Enclave offers "some additional security, but the authenticator apps aren't using those elements," said Weidman. "iOS is still good, but Android's [security-enhanced] SELinux is the bane of my existence as someone who's building exploits." "We charge three times as much for an Android pentest than we charge for an iOS one," Turner said, referring to an exercise in which hackers are paid by a company to try to penetrate the company's security. "Fully patched Android is more difficult to go after." Looking for more details on this, visit OUR FORUM.

 
