Tech News Weekly: Issue 27
Windows Sandbox, Start Menu ads, a 10-year old Windows security bug with an opt-in fix
News
Operating Systems
Microsoft has launched Start Menu Promotions in a recent update. These advertise the company’s cloud storage service OneDrive, and are displayed when users click on the profile icon of the Start Menu. An option to disable these is in testing, but it looks as if it will be rolled out at a later point in time.
Another Start Menu change adds options to install free Microsoft Store apps and games directly from the Start Menu. It improves the usability of the Store and may increase conversions.
Threat actors are exploiting a 10-year old Windows bug that allows them to add code to signed files without Windows detecting the files as tampered with. There is even a workaround, but it needs to be applied manually, and upgrades to Windows 11 may revert the change. All details on this here.
Mobile
The new Outlook app now supports third-party accounts, starting with Google Mail.
Browser
Google Chrome is getting a new Reading Mode feature, and the browser’s Reader Mode feature, which was never activated automatically, will be replaced by it. Reading Mode displays a distraction-free version of an article in the browser’s sidebar.
Chrome users may enable the feature by loading chrome://flags/#read-anything and setting the flag to Enabled. One unique feature is that the full webpage is always displayed next to the Reading Mode version of the article, and that following links will automatically sync the data between the two modes.
Google Chrome 112 was released yesterday. It addresses 16 unique vulnerabilities, none exploited in the wild. Expect other Chromium-based browsers to publish updates today and in the coming days to address these vulnerabilities as well.
Microsoft Edge Stable users may activate the Split feature of the browser now to display two websites side-by-side. All it takes for that is to load edge://flags/#edge-split-screen and set the experiment to Enabled. A restart is required, and Edge displays a new split icon in its toolbar, which enables the feature.
It is more limited than Vivaldi’s excellent splitting functionality. Still, it may appeal to some users of the browser.
Mullvad Browser is a new Firefox ESR-based browser that can best be described as Tor Browser, but without Tor. Developed by Mullvad in cooperation with the Tor Project, it is a privacy-first browser that does not collect Telemetry, comes with uBlock Origin and several other privacy features turned on by default.
Privacy and Security
Amazon’s Audible has started limited testing of ads in audiobooks. The test does not affect paying customers and makes available a selection of titles to users who get to access them for free but need to listen to a maximum of 8 ads within a 24-hour period according to Engadget.
OneNote users won’t be able to execute more than 120 high-risk file types anymore. Microsoft has implemented the same file type restrictions as in other Microsoft Office applications. Threat actors have increased attacks using OneNote in the past, and this is Microsoft’s reaction to that.
The Android April 2023 Security Bulletin has been released. It includes six critical vulnerabilities and more than 50 that are rated high. Manufacturers will release updates in the coming days and weeks to address these.
Western Digital confirmed a network security incident this week, that it became aware of last week. Some systems are offline currently, and the company is still investigating the issue with third-party experts.
The underground marketplace Genesis Market has been shut down and seized by the FBI. Criminals could search infected systems and make purchases based on a variety of parameters.
Software Updates
CopyQ 7.0: new version of advanced clipboard manager for Windows. Comes with option to install for current/all users now, plus some fixes mostly.
Gaming
Asus unveiled its Rog Ally gaming handheld device this week. It is more powerful than Steam Deck, but its price and many stats are not known yet. Preorders open later this year and we will know more about it by then.
Other
Speaking of bad communication. Google introduced hard file limits on Google Drive about two months ago, but never communicated this to users or updated the Drive documentation. Now, after press reports, Google reverted the change and promised to do better, next time.
Google announced three new search related features, which may improve finding hotels, attractions and flights for users, but also may help Google monetize the content even further.
A new hotel browser on mobile, to quickly see a few photos of the property and user review summaries.
Flight Search comes with a price guarantee feature now in the U.S. for certain flights. If prices drop further after booking these flights, the company will sends users the difference via Google Pay.
Discover unique things to do is now linking directly to offers, e.g., booking tickets.
ChatGPT can be tricked into generating product keys for operating systems and software. While the AI refuses to do so when asked directly, it apparently has no such restrictions when asked indirectly (aka, generate a string using the following rules).
Newegg has added AI, powered by ChatGPT, to its PC Builder and several other sections of its website. The idea is interesting, as it allows users to describe the PC they want using their own words, and the AI will pick one based on these instructions.
In testing, AI Builder did not fail, but it did not pick optimal components many times and also did not really take into account measurements. All in all, users have to check everything to make sure the choices are the right ones.
Article(s)
How to use Windows Sandbox to open files in a secure environment
Windows Sandbox is a built-in feature of Windows 10 and Windows 11. Its main purpose is to provide a safe environment for running applications. Anything that is executed in the sandbox, e.g., a software that is installed, remains trapped inside. It can’t break out and affect the “real” operating system.
As a consequence, malware, spyware and other unwanted and undesirable code, can’t infect the system or pull data from it.
System Requirements
Windows Sandbox has the following system requirements:
Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (Windows Sandbox is currently not supported on Windows Home edition)
AMD64 or (as of Windows 11 Build 22483) ARM64 architecture
Virtualization capabilities enabled in BIOS
At least 4 GB of RAM (8 GB recommended)
At least 1 GB of free disk space (SSD recommended)
At least two CPU cores (four cores with hyperthreading recommended)
Installation
Installation of Windows Sandbox is straightforward in most cases:
Open the Start Menu, type Turn Windows Features on or off, and select the result.
Locate Windows Sandbox in the Windows Features window that opens and check its box to enable it.
Select OK, and the installation process starts automatically.
A restart of the system is required to complete the process.
Making use of Windows Sandbox
Use the search to run Windows Sandbox. This opens a dedicated window that looks like the default Windows desktop.
To run an executable file inside Windows Sandbox, just copy it to the window. Note that drag & drop is not supported, which means that you need to use Ctrl-C to copy and Ctrl-V to paste the file. Once inside the Sandbox, run the file.
While that is useful already, you may notice that you can’t execute any non-executable files that are not already inside the sandbox this way.
Thankfully, there is an option to map local folders, so that their contents become available.
Here is a basic configuration file that you need to save as downloads.wsb on the local system.
<Configuration>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\USERNAME\Downloads</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
</Configuration>
Note: please replace USERNAME with the local username.
Once done, double-click on the wsb file to launch the Sandbox. The mapped folder is then available on the Desktop inside the sandbox environment. Using it, you may then launch any file that is in that folder, e.g. a PDF document or images.
The sandboxed environment has no access to installed programs on the host system. Some files may not open if no dedicated application is installed that supports it.
Windows Sandbox’s configuration file supports additional options, which Microsoft has documented here. Among the options are to share Clipboard entries, to run the sandbox in Protected client mode, which adds extra protections, or to disable networking.
All in all, Windows Sandbox is a useful tool in the arsenal of Windows 10 and 11 users who want to run dangerous or suspicious files in a safer environment.
Snapdrop, quick file and message transfers between devices.
This was published previously to supporters. It is now released for everyone.
Snapdrop is an open source web application to share files and messages between devices connected to the same network. It can be self-hosted and relies on WebRTC for transfers.
To use it, simply open the Snapdrop website on the first device. A unique name is associated to the device. Now open the website in another device that is also connected to the network.
To send files or messages, tap on the device that you want to send files to, or long-tap to send a message to the device.
A file browser opens, and all that is left to do is select the files that you want to share.
The receiving device needs to accept the file transfers. Multiple files can be transferred in one go.
The project is open source and connections are direct between devices. File transfers are encrypted and never leave the network.
Files can be transferred between different platforms. The only requirement is a web browser that supports WebRTC, which most modern web browsers do.
Links
Hey Siri, use this ultrasound attack to disarm a smart-home system