Month: July 2022

Bern and Zürich are the best cities in the world in which to pursue a tech career, based on data released this week by Scotland-based digital skills development organization CodeClan.

CodeClan’s study begins with the top 100 cities in the world based on Mercer’s Quality of Living rankings, and uses a combination of several weighted indices to determine their suitability for technology workers, including average salary, rent and broadband connection speed, as well as tech companies per capita.

Tech companies per capita a key metric

The results show the two Swiss cities atop the rankings, based mostly on the large numbers of tech companies per capita in each place, coupled with high available broadband speeds. US cities fill out the rest of the top 10, though only two of the country’s more traditional tech hubs—Seattle and Boston—made that particular cut. San Franciso ranked 36^th, due in large part to its extremely high cost of living, and New York 68^th, for similar reasons as San Francisco.

Meanwhile, the best US city in which to pursue a tech career, according to CodeClan, is Atlanta, which ranked third behind Zürich. A high concentration of tech companies, coupled with strong average broadband speeds, propelled it to third place, just ahead of Washington, D.C., in fourth. In respective order, Seattle, St. Louis, Pittsburgh, Miami, Minneapolis and Boston rounded out the rest of the top 10.

Some patterns in the data are easy to see—Australian cities like Brisbane, Perth, Melbourne and Sydney were all heavily penalized for low average broadband speeds, while low salaries pushed Japanese cities like Osaka, Tokyo and Nagoya further down the list than their other scores might have indicated.

Broken out by categories, the data also show that CodeClan’s analysis used national data, rather than local, to rank internet speeds, as all cities in a given country were given identical figures. The rest of the categories, though, provide useful comparative data on cities around the world. The highest average salaries, for example, were found in San Francisco, at $108,096, while the largest number of tech companies per capita saw a statistical tie between Zürich and Atlanta, at 0.016.

The US Senate, by a vote of 64-33, has approved the CHIPS Act, a bill that would provide $52 billion in assistance funds for semiconductor manufacturers looking to make products in the US, along with a 25% tax credit for investment in the industry, as well as research and workforce development grants.

The bill still needs the approval of the US House of Representatives and President Biden, a vocal supporter of the legislation, to become law.

While $2 billion of the direct assistance funds is already earmarked for legacy programs—specifically, technologies that the Department of Defense wants to produce within the US—the other $50 billion is generally available for the development of additional domestic silicon manufacturing in the country.

The big winners, should the CHIPS Act be signed into law, will be companies like Intel, who either already have chip fabrication facilities in the US or are planning to build them—but other chip companies, particularly those that take a lead role in chip design but don’t manufacture products themselves, warn that the bill doesn’t go far enough in helping the US silicon industry.

Lawmakers urged to aid chip designers as well

The CEO of wireless chip design company EdgeQ, Vinay Ravuri, said in a statement that the US risks losing its edge in innovation by not providing funding for designers and other fabless silicon businesses.

“The CHIPS [Act] addresses a scaling issue. But it does not address ingenuity,” he said. “To remain relevant, we need to invest in cutting-edge companies, especially those pushing to disrupt and elevate the industry in new frontiers, like 5G and AI.”

Gartner Research vice president and analyst Gaurav Gupta said that EdgeQ is far from the only company irked by the bill’s exclusive focus on the manufacturing end of the silicon industry.

“If you talk to folks Iin the industry, you’ll get that view that it’s not going to benefit everyone equally,” he said.

Nevertheless, said Gupta, the CHIPS Act remains a game-changer for chipmaking in the US, making it far more competitive with semiconductor manufacturing overseas, which generally has far lower production costs.

“This gives OEMs and fabless companies the option to buy devices from here,” he said. “And the reason is that these companies won’t come here unless there’s motivation through the CHIPS Act, because there’s obviously a cost gap between running a fab in Asia and running one here.”

Chip revenue forecast to decline

The CHIPS Act’s probable passage comes at the right time for the semiconductor industry overall, as new figures released today by Gartner show semiconductor revenue growth slowing sharply over the next 18 months. Global revenue is projected to grow by 7% over the course of 2022, down from a whopping 26% in 2021, and to actually decline by 2.5% in 2023.

Practice vice president Richard Gordon said that that could be good news for customers, however, as prices may begin to decline and lead time between purchasing and delivery shrinks.

“The semiconductor market is entering an industry down cycle, which is not new, and has happened many times before,” he said in a statement accompanying the results. “While the consumer space will slow down, semiconductor revenue from the data center market will remain resilient for longer (20% growth in 2022) due to continued cloud infrastructure investment.”

The temptation to make the new world of work a digital reflection of old ways of working still exists, so it’s going to take time to get the balance right. And actually reaching the potential for asynchronous remote and hybrid working practices will take some measure of imagination.

Digital presenteeism is not your friend

That’s the sense I get from the latest future-of-work report to cross my desk. It’s from Qatalog and GitLab and explains how employers insisting on a 9-5 hour workday in this digital age reduce productivity and increase staff churn with little payback. Digital presenteeism, insisting people are at their desk during set hours, eats into the work/life balance employees seek and doesn’t really get work done.

Think of it this way. Once upon a time, workers trooped into offices to sit quietly at desks for eight hours a day while attempting to seem busy. Management could watch what people did, summon staff into ad hoc meetings to create a little friction and scare others into working harder, and might even sometimes turn up at the office themselves.

This began to change as Apple, the iPhone and iPad showed the potential for mobile technology to transform how we work, but it took a quantum leap forward when the pandemic struck. A decade of digital transformation took place in scant weeks.

Some employers continue to insist on a rigid 9-5 working culture, even when working remotely. Combined with strict hierarchies and the use of multiple remote working tools, this creates a “pervasive culture of digital presenteeism.”

At work 24/7? No thanks

The problem, according to the research, is that 54% of staff feel pressured to always appear online and visible. Yes, they might seem to work harder to gain recognition, but some of this effort, such as attending extra meetings or responding to emails late at night, means they are adding an average 67 minutes to their working day (most of which is unproductive). That effort, those additional hours, and the challenge of handling seemingly endless app notifications, means workers are stressed out, concentration is blunted, and productivity can fall.

Don’t neglect a recent Corel survey that suggested companies rely on the wrong tools a significant amount of the time. Businesses must think deeply to ensure the tools they supply are sufficiently good that workers will use them.

The report authors argue that employers should push their thinking forward a few more gears and learn to embrace flexibility, not just in terms of where people work, but also in terms of when. They point out that technology means workers can do their jobs at almost any time of day, which means coordinated hours are becoming an anachronism.

“In 10 years, we’ll look back at this period and wonder why asynchronous work seemed so difficult. Those who will succeed in the next decade will have an iterative mindset, an empowered team, and a bias for action,” writes Darren Murph, GitLabs Head of Remote.

Wake up and embrace change

It is worth noting that the principle of coordinated working hours in offices grew out of working patterns in factories at a time when the technology for business was mainly an in-person exercise. Yet, as everyone who has been through the pandemic knows, knowledge workers no longer work that way ‚ we’re asynchronous, remote, and international.

In many senses, this change in expectations is no change at all. Knowledge work has always been marked by a sense of asynchronicity. People meet, talk, agree, and then go off and work in small groups or alone. What has changed is that 65% of workers now have, and expect, more flexibility to decide when they work.

[Also read: How to set up and use Focus modes on iOS 16]

It’s time to get the apps right

Perhaps one of the most boringly predictable challenges remote workers face involves the tools they’re asked to use. On average, workers have 6.2 apps sending them notifications at work, and 73% of them respond to those outside of working hours, further eroding the division between (asynchronous) work time and personal time. It means over half (52%) of workers find it hard to switch off, and this is made worse by habits of digital presenteeism. A worker may find that they do their work at times that suit them best, but still feel pressurized to pretend to be present the rest of the time, too.

To be fair, managers are also feeling the strain, with more than 70% feeling burnt-out as they struggle to handle so much change. You could argue that inflexible management practices constitute an unarticulated cry for help, though that may be a stretch.

To arrive at these conclusions, the report authors spoke with 2,000 knowledge workers (those who use a computer or laptop over 50% of the time for work) in the US and UK. “The concept of ‘time’ at work is dead. We just don’t know it yet,” the report explains.

The inference of all this really should be clear: These days it’s less important to choose your time, and far more important to clearly define and communicate your goals if you want to deploy highly productive, highly motivated teams.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

After I wrote about NetApp’s Spot PC last month, I had a surprisingly nice call with Spot PC’s general manager, Jeff Treuhaft. He reminded me that this is still a very young offering and, given that, it makes more sense to focus on the product, not the channel or the brand. So, while Treuhaft didn’t disagree with my thoughts, he suggested NetApp has a plan to deal with issues once the Spot PC has proven itself in a few initial deployments. 

Given that the plan isn’t yet in place and because of confidentiality about the move, Treuhaft couldn’t share more. So, I want to focus on what it could be and how it could transform the PC experience into something less aggravating and closer to what users say they want.

Currently NetApp sells Spot PC through an existing channel of managed service providers (MSPs).

Partnering or merging to create a new class of PC company

The world we live in is very different than it was even a few years ago. Rather than working in the office being the norm — and working from home the exception — we seem to be locking down on either a solid work-from-home model or a hybrid of work from home and office. Some of the reports I’m seeing from companies that demanded employees return to the office indicate that this forced march is resulting in unsustainable levels of resignations and that employees are migrating en masse to competitors who promote aggressive work-from-home policies.   

But work-from-home has significant support problems. You can’t cost effectively send out techs at scale and, given that support is also likely remote, you also can’t always assure that user problems are addressed timely. Thus, the focus must be on reducing the number of problems any user — particularly a remote user —must deal with.

The Cloud PC, which is the latest iteration of the Thin Client, would seem to be an ideal path; it tends to be more flexible (you can specify you just want an instance with more performance), more secure, and potentially less expensive, both initially and over time due to economies of scale.  Particularly for those at home, it’s better, faster, and cheaper than a traditional PC approach.

The issue, as I pointed out last month, is that NetApp isn’t known as a PC vendor. And until that lack of brand identity is corrected, it will massively reduce NetApp’s potential in the market.

But what if NetApp partnered or merged with another company to address these problems? And who would it partner with?

Lenovo and Cisco for the win?

NetApp has two long-term strategic partners who could address the problems associated with brand issues and Spot PC. Both Lenovo and Cisco (disclosure: both are clients) have capabilities that could flesh out Spot PC and make it far more capable than it is. Lenovo has what was the old IBM PC division, and IBM was dominant back in the days of terminals — which Spot PC, to some degree, emulates. Lenovo has a significant set of desktop management tools that could be pooled with this NetApp effort for an end-to-end deployment and support solution from a brand that is well regarded.

Cisco has what is arguably the most robust provisioning program for remote employees. It allows employees to go to a store like Best Buy and get the networking and collaboration tools they need in a complete, approved, and highly reliable package. Those tools could also be remotely configured and combined with Spot PC to create what is basically a plug-and-play Spot PC ecosystem. 

This would also lay a foundation for either an extended deeper partnership between the companies or a merger to create an entity that would rival the old IBM or the current Dell Technologies in size, scope and (given Lenovo’s significantly stronger presence in China) potential reach. 

While Treuhaft could not share a plan that does not yet exist for the next phase of Spot PC, I think a potential path to success would include bringing firms like Lenovo and Cisco on board. That would allow for the creation of an end-to-end Cloud PC solution that can be deployed effectively on-premise — and work particularly well for in-home offices while lowering support costs and increasing security.

If the companies have the will, we could see the emergence of either a new kind of deep partnership or a fascinating merger as the industry moves to reimagine the PC.   

The chair of the US Federal Communications Commission (FCC) wants redefine “broadband” Internet as being capable of at least 100 megabits per second (or Mbps) download and 20Mbps upload speeds.

A change in the current, seven-year-old standard for broadband would almost certainly spur networking companies to upgrade equipment to meet the new benchmark. And it would increase data download and upload capacities across the internet — a key upgrade for remote and hybrid workers, the ranks of which swelled dramatically during the COVID-19 pandemic.

Currently, broadband is defined as networks offering a minimum of 25Mbps download and 3Mbps upload speeds.

FCC Chairwoman Jessica Rosenworcel proposed raising the standard to 100Mbps/20Mbps on Friday, arguing that the old metric is “behind the times.”

“The needs of internet users long ago surpassed the FCC’s 25/3 speed metric, especially during a global health pandemic that moved so much of life online,” Rosenworcel wrote in her notice of the change. “The 25/3 metric isn’t just behind the times, it’s a harmful one because it masks the extent to which low-income neighborhoods and rural communities are being left behind and left offline.”

In the US, the average fixed broadband speed is 134Mbps/75Mbps, according to network research firm Ookla. Rosenworcel’s proposal  included the concept of an even higher “national goal of 1Gbps/500Mbps for the future.”

“The future of business will increasingly be to reach consumers electronically,” said Jack Gold, principal analyst at research firm J. Gold Associates. “Having a uniform minimum speed across the country will be advantageous to businesses that can then reach a wide audience with their services.”

Additionally, as 5G mobile networking rolls out across the world, and gets deployed in more remote locations, the prospect is growing for very high speed connections of 100Mbps and above. “So establishing a minimum might not be as hard to achieve as some expect,” Gold noted.

Ookla

At the end of 2021, Cisco surveyed 60,000 workers across 30 countries. The responses indicated that remote and hybrid work efforts were being undermined by poor broadband connectivity.

The survey results, published in February as part of Cisco’s Broadband Index, showed that 75% of respondents believe the success of hybrid work hinges on the quality and availability of the internet.

Almost eight in of 10 workers (78%) said the reliability and quality of broadband connections is important. Dependence on high-performance internet access was also underlined by the fact that 84% of respondents actively use their broadband at home for four hours or more each day.

Nearly six in 10 respondents (58%) indicated they were unable to access critical services such as online medical appointments, online education, social care and utility services during lockdown, due to an unreliable broadband connection.

“Many teleworkers need more than a basic level of connectivity to support their livelihoods,” Cisco said in a statement. “To address the demands on their broadband connection, almost half of those surveyed (43%) are planning to upgrade their internet service in the next 12 months.”

Jason Blackwell, research director for Consumer Multiplay and SMB Services at IDC, said the latest call to boost broadband’s minimum requirements is aimed at minimizing the digital divide and forcing internet service providers to supply higher performance network to more locations.

“We still have a lot of locations in the US that are served only by a single provider, and often only by DSL, which may barely qualify as broadband even under today’s definition,” Blackwell said. “Bringing more robust broadband to these unserved and underserved areas will help to create connectivity to education and business opportunities, bringing economic gains. This will also enable more people to seek remote work opportunities and open up the employment pool for businesses to access the most qualified people wherever they may be located.”

One issue is that the level of speed is not uniform across the country. In many urban and suburban areas, users can already get at least 100Mbps or even 1Gigabit speeds — if they’re willing to pay for it. But in many more remote or lowe- income areas, less bandwidth is available because of underinvestments in connectivity in general.

“Some people still need to use DSL, as an example, which is pretty slow,” Gold said. “So, anything the government can do to create a minimum requirement that enables the user to be able to take advantage of all the new video and graphics features now common on the internet is about equal access.

“That certainly has an effect on the ability to have remote work enabled from any location and can help remote communities grow their employee base without having people move away, or letting people move to more remote and/or smaller cities/towns if they’d like without missing out on job opportunities,” Gold added.

Telemedicine, which is critical to underserved communities, also needs a reasonable amount of bandwidth to provide services.

To a large extent, the government is already financing some of the broadband infrastructure upgrades through taxes on broadband connections, Gold noted – a practice that’s been ongoing for years.

“The network enhancements are taking place at the internet service providers. Cable operators are upgrading to DOCSIS 3.1 and eventually to DOCSIS 4.0, or they are deploying fiber deeper into the network,” Blackwell said. “Telcos are replacing copper networks for DSL with fiber to drive faster network speeds. The government is supporting many of these projects through a number of different programs like [Rural Digital Opportunity Fund] and the infrastructure bill.”

Apple CEO Tim Cook has given his backing to a major effort to convince state governors, government, and educators to make computer science classes available to every student in every school. But it’s not just philanthropy in play.

We just can’t get the staff

Demand and supply. In theory, when demand increases, supply emerges to meet it. Except it doesn’t always work out that way and as the world gets more digitized, the need for coders is growing faster than the world can keep up.

The demand for coding skills is growing so rapidly that developers continue to explore ways to design configurable solutions that can be built without code (no-code — essentially filling the gap Apple’s Shortcuts are becoming).

They know they must do this because demand for coding talent continues to increase internationally. It’s a need that concerns every market, from the US to Singapore and everywhere between. By 2030, the world is expected to be short of around 82.5 million coders — already, 87% of organizations struggle to find the coding staff they require.

But some industries, particularly those concerning data analytics, manage to be both in great demand and on a rapid growth curve while also being desperate to find enough staff. Given the growing importance of AI, the lack of skills in data analytics is already having consequential effects on many enterprises. The US Bureau of Labor Statistics indicates that by 2026, the shortage of engineers in the US will exceed 1.2 million.

All we are saying, is give code a chance

That’s why more than 500 business, education, and non-profit leaders have signed an appeal for “every student in every school to have the opportunity to learn computer science.” Signatories, including Cook (and numerous Apple allies and competitors) know we must invest in the next generation of coders.

They warn that because computer science education is not universally available, many students never get the chance to learn. That’s why just 5% of US high school students study computer science — and some communities, particularly young women and students of color, left behind.

Employees know this, too, of course. And while not everyone has the talent for it, one side impact of the Great Resignation has been  increasing numbers of workers join coding courses. They almost certainly hope to earn more cash and work more remotely in the future. Workforce tech education platform Pluralsight, notes that the four most popular courses it provides concern coding. Courses on AI and cloud services are also popular. At the same time, the pandemic has driven big investments in digital technologies to support the emerging future of work, further exacerbating the talent shortage.

Coding is one of the most valuable skills a person can learn. It can open new doors, jumpstart careers, and help big dreams seem like achievable goals. Everyone around the world should have an opportunity to learn how to code. https://t.co/yWfNlmQwdz

— Tim Cook (@tim_cook) July 12, 2022

Apple can scale its coding search, but not everyone can

Apple has made no secret that it thinks we need to nurture more coding talent. It has built and continues to build new development hubs around the world so it can source talent unavailable in the US.

It runs coding workshops in retail stores and has developed academic courses to nurture future talent. Swift Playgrounds isn’t just intended to be fun to use; it’s also designed to teach the essentials of coding to young people as the company works to foster future talents.

But Apple’s opportunity to engage in such schemes is something only the largest firms can really access — and the coder Cupertino creates today isn’t necessarily going to be coding for iPhones tomorrow, particularly when their skills are in such high demand. It’s also true that the need, combined with shortage, means more than 50% of companies are hiring tech workers who don’t have all the skills the job needs.

Challenging the economy

All the same, the size of the issue represents a big challenge to economic growth and productivity, generating a transnational scramble to secure talent.

In the US, almost two-thirds of high-skilled immigration is for computer scientists. The US alone has more than 700,000 open computing jobs, but trains only 80,000 computer science graduates each year – and demand for those skills will increase as digitalization continues to grow. The demand is also putting existing hires under a great deal of pressure. That extra work means some claim around 70% plan to change jobs over the next year. This is in itself a problem for employers — it costs up to $35,685 to identify and recruit a full-time developer, according to CodeSubmit data.

Any churn in staffing represents added costs, as well as increased the pressure on existing workers and additional damage to project planning and overall productivity.

With all of this in mind, it’s of little surprise that Cook and what looks like a roll call of all the biggest businesses in the US are making this urgent call to code. Their eye-watering bonuses probably depend on it.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Though we get a reprieve from Exchange updates in this month’s Patch Tuesday update, more printer updates are on the way. Even with no updates for Microsoft Exchange or Visual Studio, Adobe is back with 15 critical updates for Adobe Reader. And Microsoft’s new patch deployment tool Auto-Patch is now live. (I always thought application testing was the main problem here, but actually getting patches deployed is still tough.)

Though the numbers are still quite high (with 86+ reported vulnerabilities), the testing and deployment profile for July should be fairly moderate. We suggest taking the time to harden your Exchange Server defenses and mitigation processes, and invest in your testing processes.

You can find more information on the risk of deploying these Patch Tuesday updates in our helpful infographic .

Key Testing Scenarios

Given the large number of changes in this July patch cycle, I have broken down the testing scenarios into high-risk and standard-risk groups:

High Risk: These changes are likely to include functionality changes, may deprecate existing functionality, and will likely require creating new testing plans.

Core printing functionality has been updated:

• Install and test any new V4 print drivers on a local machine and print.
• Test new V4 printer connections using client and server and print.
• Test existing v4 printer connections
• Ensure GDI rendering and printer drivers generate the expected output

The core changes relate to how Microsoft supports timestamp checking for kernel drivers, so testing applications that require digitally signed binaries is key for this cycle. The big change here is that unsigned drivers should not load. This may cause some application issues or compatibility problems. We recommend a scan of the application portfolio, identifying all applications that depend upon drivers (both signed and unsigned), and generating a test plan that includes installation, application exercising, and uninstall. Having a comparison between pre- and post- patched machines would be helpful, too.

The following changes are not documented as including functional changes, but will still require at least “smoke testing” before general deployment:

• Test scenarios that utilize Windows DevicePicker. Almost impossible to test — as most applications use this common class. If your internally-developed applications pass their basic smoke test, you’re fine.
• Test your line of business applications that reference the Microsoft mobile CDP APIs. If you have internally developed desktop applications that communicate with mobile devices, a communications check may be required.
• Test connections to the rasl2tp server. This means finding and testing applications that have a dependency on the RAS miniport driver over remote or VPN connections

And Curl. Specifically, CURL.EXE: — a command line tool for sending files via HTTP protocols (hence “client URL”) — has been updated this month. Curl for Windows (the one that is being updated this month) is different from the Open Source project curl. If you are confused why the Curl project team offers this, here’s the answer:

“The curl tool shipped with Windows is built by and handled by Microsoft. It is a separate build that will have different features and capabilities enabled and disabled compared to the Windows builds offered by the curl project. They do however build curl from the same source code. If you have problems with their curl version, report that to them. You can probably assume that the curl packages from Microsoft will always lag behind the versions provided by the curl project itself.”

With that said, we recommend teams that use the curl command (sourced from the Windows supported branch) give their scripts a quick test run. Microsoft has published a testing scenario matrix that this month includes:

• Use physical machines and virtual machines.
• Use BIOS-based machines and UEFI-enabled machines.
• Use x86, ARM, ARM64, and AMD64 machines.

Note: for each of these testing scenarios, a manual shut-down, reboot and restart is suggested.

Known Issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. For July, there are some complex changes to consider:

• Devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.
• After installing the June 21, 2021 (KB5003690) update, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, “PSFX_E_MATCHING_BINARY_MISSING.” For more information and a workaround, see KB5005322.
• After installing this update, IE mode tabs in Microsoft Edge might stop responding when a site displays a modal dialog box. This issue is resolved using Known Issue Rollback (KIR) with the following group policy downloads: Download for Windows 10, version 20H2 and Windows 10, version 21H1 .
• After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

Major Revisions

This month, Microsoft has not formally published any major revisions or updates to previous patches. There was a kind of “sneaky” update from the .NET group that really should have been included in the formal Microsoft documentation update process. However, that update was merely documented support for later versions of Visual Studio.

Mitigations and Workarounds

Microsoft published one key mitigation for a Windows network vulnerability:

• CVE-2022-22029: Windows Network File System Remote Code Execution Vulnerability. Noting that there are no publicly reported exploits for this network vulnerability, Microsoft still recognizes that some administrators may choose to disable NFSV3 before their server systems are fully patched. To disable this network feature, use the PowerShell command. ” Set-NfsServerConfiguration -EnableNFSV3 $false.” There is no need to disable V4 (as opposed to V3) as the later versions of this protocol are not affected by this security vulnerability.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge);
• Microsoft Windows (both desktop and server);
• Microsoft Office;
• Microsoft Exchange;
• Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
• Adobe (retired???, maybe next year).

Browsers

It just keeps getting better. The downward trend for Microsoft’s browser reported vulnerability continues to track ever lower with just two (CVE-2022-2294 and CVE-2022-2295) Chromium updates for this July. Both updates only affect Edge (Chromium) and were released last week. Chrome should automatically update, with our initial analysis showing that both updates will have marginal impact on browser compatibility. You can read about this update on the Google Blog, with the technical details found on Git. Add these low-profile, low-risk updates to your standard browser release schedule.

Windows

With just four critical updates and 16 rated important this month, Microsoft is really giving IT admins a bit of a break. The four critical Windows update for this release cycle include:

• CVE-2022-30221: This Windows vulnerability in the core graphics sub-system (GDI) could lead to a remote code execution (RCE) scenario.
• CVE-2022-22029 and CVE-2022-22039: These Windows Network file system issues could result in RCE scenarios on the compromised system.
• CVE-2022-22038: This low-level (Win32) RPC component, reported as difficult to exploit, could lead to very difficult troubleshooting scenarios.

All of these critical updates have been officially confirmed as fixed, with no reports of public exploits on Windows desktop systems. The remaining 14 updates are rated important by Microsoft and affect the following Windows systems and components:

Unfortunately, Windows Server 2012 did not fare so well, with reports of CVE-2022-22047 exploited in the wild. This Windows server vulnerability affects the Client Server Run-Time subsystem (CRSS) which is where all the badly behaving user mode drivers hang out. If you have any Windows Server 2012 under your care, this is a “Patch Now” update. Otherwise, add this very low-profile Windows update to your standard release schedule. And don’t forget, Microsoft has delivered another Windows 11 update video; it’s found here .

Microsoft Office

Microsoft released only two (CVE-2022-33632 and CVE-2022-33633) updates to Microsoft Office this month. Both updates are rated important by Microsoft, and both require local, authenticated privileges to the target system. Add these updates to your standard Office update schedule.

Microsoft Exchange Server

It’s good that we get a break from Microsoft Exchange Server updates. Rather than simply resting, it may be worth investing in your Exchange security infrastructure. Microsoft has provided some major improvements on Exchange during the past year; here are a few ideas on securing your Exchange Server:

• Microsoft Safety Scanner: This command line tool is downloaded from Microsoft (must be refreshed every 10 days) and removes malware from your target system. It’s not a replacement for third-party tools, but if there is a concern about a machine, this is a good first step.
• Exchange On-premises Mitigation Tool (EOMT): If you are unable to quickly patch specific Exchange Servers, Microsoft offers a command line to mitigate against known attacks. This PowerShell script will both attempt to remediate as well as mitigate your servers against further attacks — noting that once done, applying patches is the top priority.
• Exchange Emergency Mitigation Service (EM): The Exchange Emergency Mitigation service (EM service) keeps your Exchange Servers secure by applying mitigations/updates/fixes to address any potential threats against your servers. It uses the cloud-based Office Config Service (OCS) to check for and download available mitigations and will send diagnostic data back to Microsoft.

All of these features and offerings are predicated on using at least Office 2019 — another reason Microsoft has strongly recommended everyone move to Exchange Server 2019 at least. The EM Service was last used in March 2021 to deal with several Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858). These were specific attacks on on-premise servers. It’s helpful to know this service is there, but I’m glad it has not been required recently.

Microsoft Development Platforms

As with Microsoft Exchange, Microsoft has not published any “new” security updates to the Microsoft .NET platform or tools this month. However, there was a problem with June’s .NET update, which was addressed this month. This month’s .NET release resolves the issue that some versions of .NET were not addressed by the previous patch — this is just an informational update. If you are using Microsoft Windows update infrastructure, no further action is required.

Adobe (really just Reader)

This is a big update from Adobe, with 15 updates rated as critical and seven rated important, all just for Adobe Reader. The critical updates mainly relate to memory issues and could lead to the exercise of arbitrary code on the unpatched system. You can read more about the Adobe bulletin (APSB22-32) and Adobe security bulletins here. Add this application specific update to your “Patch Now” release.

The launch of a major Windows 10 update isn’t the end of a process — it’s really just the beginning. As soon as one of Microsoft’s feature updates (such as Windows 10 version 21H2) is released, the company quickly gets to work on improving it by fixing bugs, releasing security patches, and occasionally adding new features.

In this story we summarize what you need to know about each update released to the public for the most recent versions of Windows 10 — versions 21H2, 21H1, 20H2, and 2004. (Microsoft releases updates for those four versions together.) For each build, we’ve included the date of its initial release and a link to Microsoft’s announcement about it. The most recent updates appear first.

If you’re still using an earlier version of Windows 10 or of Windows, see the Microsoft support site for info about updates to Windows 10 1909, 1903, 1809, 1803, 1709, 1703, 1607, 1511, the initial version of Windows 10 released in July 2015, Windows 8.1, and Windows 7.

And if you’re looking for information about Insider Program previews for upcoming feature releases of Windows 10, see “Windows 10 Insider Previews: A guide to the builds.”

Updates to Windows 10 versions 20H2, 21H1, and 21H2

KB5015807 (OS Builds 19042.1826, 19043.1826, and 19044.1826)

Date: July 12, 2022

This build addresses an issue that redirects the PowerShell command output so that transcript logs do not contain any output of the command. That means the decrypted password is lost. The build also includes improvements made in the KB5014666 update.

This build has three known issues, including one in which devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5015807.)

KB5014666 (OS Builds 19042.1806, 19043.1806, and 19044.1806) Preview

Release Date: June 28, 2022

This build adds IP address auditing for incoming Windows Remote Management (WinRM) connections in security event 4262 and WinRM event 91. This addresses an issue that fails to log the source IP address and machine name for a remote PowerShell connection. The build also includes several new Print and Scan features.

The build also fixes a number of bugs, including one that prevented the Snip & Sketch app from capturing a screenshot or from opening using the keyboard shortcut (Windows logo key + Shift + S).

This build has three known issues, including one in which devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5014666 Preview.)

KB5016139 (OS Builds 19042.1767, 19043.1767, and 19044.1767)

Release date: June 20, 2022

This out-of-band build, which is only available for Windows devices that use Arm processors, fixes a bug that prevented Windows Arm-based devices from signing in using Azure Active Directory (AAD). Apps and services that use AAD to sign in, such as VPN connections, Microsoft Teams, and Microsoft Outlook, might also be affected.

This build has four known issues, including one in which devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. In another, Windows devices might be unable use the Wi-Fi hotspot feature. When attempting to use the hotspot feature, the host device might lose the connection to the internet after a client device connects.

(Get more info about KB5016139.)

KB5014699 (OS Builds 19042.1766, 19043.1766, and 19044.1766)

Release date: June 14, 2022

This build includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5014699.)

KB5014023 (OS Builds 19042.1741, 19043.1741, and 19044.1741) Preview

Release date: June 2, 2022

This build fixes several bugs, including one that prevented Excel or Outlook from opening, one that slowed down file copying, and one that prevented internet shortcuts from updating.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or a custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info KB5014023 Preview.)

KB5015020 (OS Build 19042.1708)

Release date: May 19, 2022

This out-of-band build fixes two bugs: one that could cause authentication failures for some services on a server or client after you install the May 10, 2022 update on domain controllers, and another that could prevent the installation of Microsoft Store apps when you enable Control-flow Enforcement.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5015020.)

KB5013942 (OS Builds 19042.1706, 19043.1706, and 19044.1706)

Release date: May 10, 2022

This build includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide and the May 2022 Security Updates notes.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5013942).

KB5011831 (OS Builds 19042.1682, 19043.1682, and 19044.1682) Preview

Release date: April 25, 2022

This build fixes a wide variety of bugs, including one that caused a remote desktop session to close or a reconnection to stop responding while waiting on the accessibility shortcut handler (sethc.exe), another that that displayed a black screen for some users when they sign in or sign out, and another that prevented you from changing a password that has expired when you sign in to a Windows device.

(Get more info about KB5011831 Preview.)

KB5012599 (OS Builds 19042.1645, 19043.1645, and 19044.1645)

Release date: April 12, 2022

This build includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide and the April 2022 Security Updates notes.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5012599.)

KB5011543 (OS Builds 19042.1620, 19043.1620, and 19044.1620) Preview

Release date: March 22, 2022

This build introduces Search highlights, which display notable moments about each day, including holidays, anniversaries, and other events globally and in your region. To see more details at a glance, hover or click on the illustration in the search box.

There are also a variety of small new features, including a new policy that expands an app’s top three notifications by default in the Action Center for apps that send Windows notifications. It displays multiple notifications that you can interact with simultaneously.

In addition, there are a wide variety of bug fixes, including for a bug that stopped Microsoft Outlook’s offline search from returning recent emails, and another that prevented the User Account Control (UAC) dialog from correctly showing the application that is requesting elevated privileges.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5011543 Preview.)

KB5011487 (OS Builds 19042.1586, 19043.1586, and 19044.1586)

Release date: March 8, 2022

This build fixes a bug that occurs when you attempt to reset a Windows device and its apps have folders that contain reparse data, such as Microsoft OneDrive or OneDrive for Business. When you select Remove everything, files that have been downloaded or synced locally from Microsoft OneDrive might not be deleted.

It also includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide and the March 2022 Security Updates notes.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5011487.)

KB5010415 (OS Builds 19042.1566, 19043.1566, and 19044.1566) Preview

Release date: February 15, 2022

The build lets you share cookies between Microsoft Edge Internet Explorer mode and Microsoft Edge, and adds support for hot adding and the removal of non-volatile memory (NVMe) namespaces.

It also fixes a wide variety of bugs, including one that affected the Windows search service and occurred when you queried using the proximity operator, and one that caused the Remote Desktop Service (RDS) server to become unstable when the number of signed in users exceeds 100. This prevented you from accessing published applications using RDS on Windows Server 2019.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5010415 Preview.)

KB5010342 (OS Builds 19042.1526, 19043.1526, and 19044.1526)

Release date: February 8, 2022

The build fixes a bug that causes a Lightweight Directory Access Protocol (LDAP) modify operation to fail if the operation contains the SamAccountName and UserAccountControl attribute. It also includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide and the February 2022 Security Updates notes.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5010342.)

KB5009596 (OS Builds 19042.1503, 19043.1503, and 19044.1503) Preview

Release date: January 25, 2022

The build fixes a variety of bugs, including one that stops printing or prints the wrong output when you print using USB on Windows 10 version 2004 or later, and another that causes functioning Bluetooth devices to stop working when you attempt to connect to a non-functioning Bluetooth device. It also adds a reminder to Internet Explorer 11 that notifies you about its upcoming retirement.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5009596.)

KB5010793 (OS Builds 19042.1469, 19043.1469, and 19044.1469)

Release date: January 17, 2022

This out-of-band build fixes several bugs, including one that caused IP Security (IPSEC) connections that contain a Vendor ID to fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) could have also been affected. It also fixed a bug that could cause Windows Servers to restart unexpectedly after installing the January 11, 2022 update on domain controllers (DCs).

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5010793.)

KB5009543 (OS Builds 19042.1466, 19043.1466, and 19044.1466)

Release date: January 11, 2022

The build fixes a bug in the Japanese Input Method Editors (IME) and includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide and the January 2022 Security Update notes.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5009543.)

Updates to Windows 10 versions 2004, 20H2, 21H1, and 21H2

KB5008212 (OS Builds 19041.1415, 19042.1415, 19043.1415, and 19044.1415)

Release date: December 14, 2021

The build includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide and the December 2021 Security Update notes.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or a custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5008212.)

KB5007253 (OS Builds 19041.1387, 19042.1387, 19043.1387, and 19044.1387) Preview

Release date: November 22, 2021

This optional update can be downloaded from the Microsoft Update Catalog or by going to Settings > Update & Security > Windows Update > Optional updates available.

The build fixes a variety of bugs, including one that caused the 32-bit version of Microsoft Excel to stop working on certain devices when you exported to PDF, and another that caused the Settings page to unexpectedly close after you uninstalled a font.

There are several known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5007253 Preview.)

Windows 10 November 2021 Update (version 21H2)

Release date: November 16, 2021

Version 21H2, called the Windows 10 November 2021 Update, is the second feature update to Windows 10 released in 2021. Here’s a quick summary of what’s new:

• Wi-Fi security has been enhanced with WPA3 H2E standards support.
• GPU compute support has been added in the Windows Subsystem for Linux (WSL) and Azure IoT Edge for Linux on Windows (EFLOW) deployments for machine learning and other compute-intensive workflows.

There are also a number of features designed for IT and business:

• Windows Hello for Business has a new deployment method called cloud trust that simplifies passwordless deployments.
• For increased security, there have been changes to the Universal Windows Platform (UWP) VPN APIs, which includes the ability to implement common web-based authentication schemes and to reuse existing protocols.
• Apps can now be provisioned from Azure Virtual Desktop. This allows those apps to run just like local apps, including the ability to copy and paste between remote and local apps.
• The release closes the gap between Group Policy and mobile device management (MDM) settings. The device configuration settings catalog has been updated to list more than 1,400 settings previously not available for configuration via MDM. The new MDM policies include administrative template (ADMX) policies, such as App Compat, Event Forwarding, Servicing, and Task Scheduler.
• An upgrade to Windows 10 Enterprise includes Universal Print, which now supports print jobs of up to 1GB or a series of print jobs from an individual user that add up to 1GB within any 15-minute period.
• Universal Print integrates with OneDrive for web and Excel for web. This allows users of any browser or device connected to the internet to print documents hosted in OneDrive for web to a printer in their organization without installing printer drivers on their devices.

Microsoft has also announced that starting with this release, Windows 10 will get feature updates only once a year.

Updates to Windows 10 versions 2004, 20H2, and 21H1

KB5007186 (OS Builds 19041.1348, 19042.1348, and 19043.1348)

Release date: November 9, 2021

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. The build also includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide and the November 2021 Security Update notes.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or a custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5007186.)

KB5006738 (OS Builds 19041.1320, 19042.1320, and 19043.1320)

Release date: October 26, 2021

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. It also fixes a wide variety of bugs, including one that prevented subtitles from displaying for some video apps and streaming video sites, and another that sometimes caused lock screen backgrounds to appear black if they were set up to have a slideshow of pictures as the lock screen background.

There are three known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5006738.)

KB5006670 (OS Builds 19041.1288, 19042.1288, and 19043.1288)

Release date: October 12, 2021

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. It also fixes a bug that prevented some applications, such as Microsoft Office and Adobe Reader, from opening or caused them to stop responding.

The build also includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide and the October 2021 Security Update notes.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are two known issues in this update, including one in which devices with Windows installations created from custom offline media or a custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5006670.)

KB5005611 (OS Builds 19041.1266, 19042.1266, and 19043.1266) Preview

Release date: September 30, 2021

This build fixes a small number of bugs, including one in which applications such as Microsoft Outlook suddenly stopped working during normal use, and another that caused blurry News and Interests icons with certain screen resolutions.

(Get more info about KB5005611.)

KB5005565 (OS Builds 19041.1237, 19042.1237, and 19043.1237)

Release date: September 14, 2021

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. It also fixes a bug that caused PowerShell to create an infinite number of child directories. The issue occurred when you used the PowerShell Move-Item command to move a directory to one of its children. As a result, the volume filled up and the system stopped responding.

The build also includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are two known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5005565.)

KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202)

Release date: September 1, 2021

This build fixes a wide variety of bugs, including one that reset syncing for Microsoft OneDrive to “Known folders only” after you installed a Windows update, and another in which flickering and residual line artifacts appeared when resizing images.

The build also includes more than 1,400 new mobile device management (MDM) policies. With them, you can configure policies that Group Policies also support. These new MDM policies include administrative template (ADMX) policies, such as App Compat, Event Forwarding, Servicing, and Task Scheduler. Starting in September 2021, you can use the Microsoft Endpoint Manager (MEM) Settings Catalog to configure these new MDM policies.

There are several known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5005101.)

KB5005033 (OS Builds 19041.1165, 19042.1165, and 19043.1165)

Release date: August 10, 2021

This build changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers. See KB5005652, Point and Print Default Behavior Change, and CVE-2021-34481 for more information. The build also makes quality improvements to the servicing stack, which is the component that installs Windows updates.

The build also includes a wide variety of security updates. For details, see Microsoft’s Security Update Guide.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are several known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5005033.)

KB5004296 (OS Builds 19041.1151, 19042.1151, and 19043.1151)

Release date: July 29, 2021

This build fixes a wide variety of bugs, including one that caused the File Explorer window to lose focus when mapping a network drive, another that failed to detect internet connectivity when connected to a VPN, and another that caused System Integrity to leak memory.

There are several known issues in this update, including one in which devices with Windows installations created from custom offline media or a custom ISO image might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5004296.)

KB5004237 (OS Builds 19041.1110, 19042.1110, and 19043.1110)

Release date: July 13, 2021

This build fixes several bugs, including one that made it difficult to print to a variety of printers, primarily USB receipt or label printers. It also removes support for the PerformTicketSignature setting and permanently enables Enforcement mode for CVE-2020-17049.

It also has a variety of security updates for Windows Apps, Windows Management, Windows Fundamentals, Windows Authentication, Windows User Account Control (UAC), Operating System Security, Windows Virtualization, Windows Linux, the Windows Kernel, the Microsoft Scripting Engine, the Windows HTML Platforms, the Windows MSHTML Platform, and Windows Graphics.

For more details, see Microsoft’s Security Update Guide.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

There are several known issues in this update, including one in which devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5004237.)

KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083)

Release date: July 6, 2021

This build closes a remote code execution exploit in the Windows Print Spooler service, known as “PrintNightmare,” as documented in CVE-2021-34527.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

 (Get more info about KB5004945.)

KB5004760 (OS Builds 19041.1082, 19042.1082, and 19043.1082)

Release date: June 29, 2021

This out-of-band build fixes a bug that may prevent you from opening PDFs using Internet Explorer 11 or apps that use the 64-bit version of the WebBrowser control.

Among the build’s known issues are one in which when using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the characters manually.

(Get more info about KB5004760.)

KB5003690 (OS Builds 19041.1081, 19042.1081, and 19043.1081)

Release date: June 21, 2021

This build addresses about three dozen bugs, including one in which signing in using a PIN fails, and another that might cause a VPN to fail after renewing a user auto-enrolled certificate. It also removes Adobe Flash from your PC and makes improvements to the servicing stack, the component that installs Windows updates.

Among the build’s known issues are one in which when using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the characters manually.

(Get more info about KB5003690.)

KB5004476 (OS Builds 19041.1055, 19042.1055, and 19043.1055)

Release date: June 11, 2021

This out-of-band build fixes a bug that might redirect you to the Microsoft Store page for Gaming Services when you try to install or start an Xbox Game Pass game on your Windows 10 device. Additionally, you might receive error 0x80073D26 or 0x8007139F. For more information, see KB5004327.

In addition, the build makes improvements to the servicing stack, the component that installs Windows updates.

(Get more info about KB5004476.)

KB5003637 (OS Builds 19041.1052, 19042.1052, and 19043.1052)

Release date: June 8, 2021

This build includes improvements to the servicing stack, which is the component that installs Windows updates. It also includes changes for verifying user names and passwords and for storing and managing files.

It also has a variety of security updates to the Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Input and Composition, Windows Management, Windows Cloud Infrastructure, Windows Authentication, Windows Fundamentals, Windows Virtualization, Windows Kernel, Windows HTML Platform, and Windows Storage and Filesystems.

For more details, see Microsoft’s Security Update Guide.

There are several known issues in this update, including one in which system and user certificates might be lost when updating a device from Windows 10 version 1809 or later to a later version of Windows 10. Devices using Windows Update for Business or that connect directly to Windows Update are not impacted.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

(Get more info about KB5003637.)

KB5003214 (OS Builds 19041.1023, 19042.1023, and 19043.1023) Preview

Release date: May 25, 2021

This build adds the Open on hover option (which is checked by default) to the News and interests menu. To access it, right-click a blank space on the Windows taskbar and open the News and interests menu.

In addition, it makes quality improvements to the servicing stack, which is the component that installs Windows updates. It also includes a wide variety of small bug fixes, including one that displayed items on the desktop after they have been deleted from the desktop, and another that caused configuration problems with devices that were configured using mobile device management (MDM) RestrictedGroups, LocalUsersAndGroups, or UserRights policies.

(Get more info about KB5003214 Preview.)

Windows 10 May 2021 Update (version 21H1)

Release date: May 18, 2021

Version 21H1, called the Windows 10 May 2021 Update, is the most recent update to Windows 10. This is a relatively minor update, but it does have a few new features.

Here’s a quick summary of what’s new in 21H1:

• Windows Hello multicamera support: If you have an external Windows Hello camera for your PC, you can set the external camera as your default camera. (Windows Hello is used for signing into PCs.) Why should this change matter to you? If you have an external camera, you probably bought it because it’s superior to the built-in, internal one on your computer. So with this change, you’ll be able to use the more accurate camera for logging into your PC.
• Improved Windows Defender Application Guard performance: Windows Defender Application Guard lets administrators configure applications to run in an isolated, virtualized container for improved security. With this change, documents will open more quickly. It can currently take up to a minute to open an Office document in it.
• Better Windows Management Instrumentation (WMI) Group Policy Service support: Microsoft has made it easier for administrators to change settings to support remote work.

Updates to Windows 10 versions 2004 and 20H2 prior to the 21H1 release

KB5003173 (OS Builds 19041.985 and 19042.985)

Release date: May 11, 2021

This build includes a variety of security updates for Windows App Platform and Frameworks, the Windows Kernel, Windows Media, the Microsoft Scripting Engine, and the Windows Silicon Platform. For more details, see Microsoft’s Security Update Guide. It also updates security for Bluetooth drivers and Windows OLE (compound documents).

There are several known issues in this update, including one in which system and user certificates might be lost when updating a device from Windows 10 version 1809 or later to a later version of Windows 10. Devices using Windows Update for Business or that connect directly to Windows Update are not impacted.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

(Get more info about KB5003173.)

KB5001391 (OS Builds 19041.964 and 19042.964) Preview

Release date: April 28, 2021

This update gives you quick access to an integrated feed of dynamic content, such as news, weather, sports, and more, that updates throughout the day, via the Windows taskbar. You can personalize the feed to match your interests. For more details, see Microsoft’s “Personalized content at a glance: Introducing news and interests on the Windows 10 taskbar.”

There are several known issues in this update, including one in which system and user certificates might be lost when updating a device from Windows 10 version 1809 or later to a later version of Windows 10. In addition, devices with Windows installations created from custom offline media or custom ISO images might have the legacy version of Microsoft Edge removed by the update, but not automatically replaced by the new Microsoft Edge.

(Get more info about KB5001391 Preview.)

KB5001330 (OS Builds 19041.928 and 19042.928)

Release date: April 13, 2021

This update includes a wide variety of security updates, for Windows App Platform and Frameworks, Windows Apps, Windows Input and Composition, Windows Office Media, Windows Fundamentals, Windows Cryptography, the Windows AI Platform, Windows Kernel, Windows Virtualization, and Windows Media. For details, see Microsoft’s Security Update Guide website.

There are several other security issues addressed, including fixing a potential elevation of privilege vulnerability in the way Azure Active Directory web sign-in allows arbitrary browsing from the third-party endpoints used for federated authentication.

In this build, Microsoft also removed the Microsoft Edge legacy browser and replaced it with the new Chromium-based Edge.

There are several known issues in this update, including one in which system and user certificates might be lost when updating a device from Windows 10 version 1809 or later to a later version of Windows 10. Devices using Windows Update for Business or that connect directly to Windows Update are not impacted.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

(Get more info about KB5001330.)

KB5000842 (OS Builds 19041.906 and 19042.906) Preview

Release date: March 29, 2021

This update fixes a variety of minor bugs, including one that made high dynamic range (HDR) screens appear much darker than expected, and another that caused video playback to be out of sync in duplicate mode with multiple monitors.

There are several known issues in this build, including one in which System and user certificates might be lost when updating a device from Windows 10 version 1809 or later to a later version of Windows 10. Devices using Windows Update for Business or that connect directly to Windows Update are not impacted.

(Get more info about KB5000842 Preview.)

KB5001649 (OS Builds 19041.870 and 19042.870)

Release date: March 18, 2021

This out-of-band update fixes a single bug in which graphical content could not be printed.

There is one known issue in this update, in which system and user certificates may be lost when updating a device from Windows 10 version 1809 or later to a later version of Windows 10.

(Get more info about KB5001649.)

KB5001567 (OS Builds 19041.868 and 19042.868)

Date: March 15, 2021

This out-of-band update fixes a single bug, which caused a blue screen when you attempted to print to certain printers using some apps.

There is one known issue in this update, in which system and user certificates may be lost when updating a device from Windows 10 version 1809 or later to a later version of Windows 10.

(Get more info about KB5001567.)

KB5000802 (OS Builds 19041.867 and 19042.867)

Release date: March 9, 2021

This update includes a wide variety of security updates for the Windows Shell, Windows Fundamentals, Windows Management, Windows Apps, Windows User Account Control (UAC), Windows Virtualization, the Windows Kernel, the Microsoft Graphics Component, Internet Explorer, Microsoft Edge Legacy, and Windows Media. For details, see the Microsoft Security Update Guide.

There are three known issues in this update, including one in which system and user certificates might be lost when updating a device from Windows 10 version 1809.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

(Get more info about KB5000802.)

KB4601382 (OS Builds 19041.844 and 19042.844) Preview

Release date: February 24, 2021

This update fixes a variety of minor bugs, including one that caused video playback to flicker when rendering on certain low-latency capable monitors, and another that sometimes prevented the input of strings into the Input Method Editor (IME).

(Get more info about KB4601382.)

KB4601319 (OS Builds 19041.804 and 19042.804)

Release date: February 9, 2021

This update fixes a bug and includes a variety of security updates. The bug fixed could damage the file system of some devices and prevent them from starting up after running chkdsk /f.

Security updates are provided for Windows App Platform and Frameworks, Windows Apps, Windows Input and Composition, Windows Cloud Infrastructure, Windows Management, Windows Authentication, Windows Fundamentals, Windows Cryptography, Windows Virtualization, Windows Core Networking, and Windows Hybrid Cloud Networking. For details, see the Microsoft Security Update Guide.

There are three known issues in this update, including one in which system and user certificates might be lost when updating a device from Windows 10 version 1809.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

(Get more info about KB4601319.)

KB4598242 (OS Builds 19041.746 and 19042.746)

Release date: January 12, 2021

This build fixes a variety of security vulnerabilities, including one with HTTPS-based intranet servers, and a security bypass vulnerability in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface.

There are also security updates to Windows App Platform and Frameworks, Windows Media, Windows Fundamentals, Windows Kernel, Windows Cryptography, Windows Virtualization, Windows Peripherals, and Windows Hybrid Storage Services. For details see the Microsoft Security Update Guide.

There are two known issues in this update, including one in which system and user certificates might be lost when updating a device from Windows 10, version 1809.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

(Get more info about KB4598242.)

KB4592438 (OS Builds 19041.685 and 19042.685)

Release date: December 8, 2020

This update fixes a security vulnerability by preventing applications that run as a SYSTEM account from printing to “FILE:” ports. It also has security updates for the legacy version of Microsoft Edge, the Microsoft Graphics Component, Windows Media, Windows Fundamentals, and Windows Virtualization. For details see the Microsoft Security Update Guide.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

(Get more info about KB4592438.)

KB4586853 (OS Builds 19041.662 and 19042.662) Preview

Release date: November 30, 2020

This build fixes a wide variety of bugs, including one that caused Narrator to stop responding after you unlock a device if the app was in use before you locked the device, and another that made makes the touch keyboard unstable in the Mail app.

There are two known issues in this update, one in which system and user certificates might be lost when updating a device from Windows 10 version 1809 or later to a later version of Windows 10, and another in which users of the Microsoft Input Method Editor (IME) for Japanese or Chinese languages might experience issues when attempting various tasks.

(Get more info about KB4586853.)

KB4594440 (OS Builds 19041.631 and 19042.631)

Release date: November 19, 2020

This minor build fixes issues with Kerberos authentication related to the PerformTicketSignature registry subkey value in CVE-2020-17049, which was a part of the November 10, 2020 Windows update.

There are two known issues in this update, one in which system and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a later version of Windows 10, and another in which users of the Microsoft Input Method Editor (IME) for Japanese or Chinese languages might experience issues when attempting various tasks.

(Get more info about KB4594440.)

KB4586781 (OS Builds 19041.630 and 19042.630)

Release date: November 10, 2020

This build updates the 2020 DST start date for the Fiji Islands to December 20, 2020 and includes security updates to the Microsoft Scripting Engine, Windows Input and Composition, Microsoft Graphics Component, the Windows Wallet Service, Windows Fundamentals, and the Windows Kernel. For details see the release notes for November 2020 Security Updates.

There are two known issues in this update, including one in which system and user certificates might be lost when updating a device from Windows 10 version 1809 or later to a later version of Windows 10, and another in which users of the Microsoft Input Method Editor (IME) for Japanese or Chinese languages might experience issues when attempting various tasks.

What IT needs to know: Because this is a security update, it should be applied relatively soon. Over the next few weeks, check for reports about problematic issues, and if all seems well, apply the update.

(Get more info about KB4586781.)

KB4580364 (OS Builds 19041.610 and 19042.610)

Release date: October 29, 2020

This update makes it easier to connect to others in Skype, using Meet Now from the taskbar. In addition, there are a wide variety of bug fixes, including for one that displayed the incorrect CPU frequency for certain processors, another that displayed nothing on the screen for five minutes or more during a Remote Desktop Protocol (RDP) session, and another that caused the Docker pull operation to fail due to a Code Integrity (CI) Policy that blocks the import of a Windows container image.

There are two known issues in this update, including one in which system and user certificates might be lost when updating a device from Windows 10 version 1809 or later to a later version of Windows 10, and another in which users of the Microsoft Input Method Editor (IME) for Japanese or Chinese languages might experience issues when attempting various tasks.

(Get more info about KB4580364.)

Windows 10 October 2020 Update (version 20H2)

Release date: October 20, 2020

Version 20H2, called the Windows 10 October 2020 Update, is the most recent update to Windows 10. This is a relatively minor update but does have a few new features.

Here’s a quick summary of what’s new in 20H2:

• The new Chromium-based version of the Microsoft Edge browser is now built directly into Windows 10.
• The System page of Control Panel has been removed. Those settings have been moved to the Settings app.
• The Start menu’s tiled background will match your choice of Windows themes. So the tiled background will be light if you’re using the Windows 10 light theme and dark if you’re using the Windows 10 dark theme.
• When you use Alt-Tab, Edge will now display each tab in your browser in a different Alt-Tab window. Previously, when you used Alt-Tab, Edge would get only a single window. You can change this new behavior by going to Settings > System > Multitasking.
• When you pin a site to the taskbar in Edge, you can click or mouse over its icon to see all your browser tabs that are open for that website.
• When you detach a keyboard on a 2-in-1 device, the device will automatically switch to the tablet-based interface. Previously, you were asked whether you wanted to switch. You can change that setting by going to Settings > System > Tablet.
• The Your Phone app gets a variety of new features for some Samsung devices. When using one of the devices, you can interact with the Android apps on your phone from the Your Phone app on Windows 10.

What IT needs to know: Windows 10 version 20H2 also has a variety of small changes of note for sysadmins and those in IT.

• IT professionals who administer multiple mobile devices get a new Modern Device Management (MDM) “Local Users and Groups” settings policy that mirrors options available for devices that are managed through Group Policy.
• Windows Autopilot, used to set up and configure devices in enterprises, has gained a variety of small enhancement, including better deployment of HoloLens devices, the addition of co-management policies, enhancements to Autopilot deployment reporting, and the ability to reuse Configuration Manager task sequences to configure devices.
• Microsoft Defender Application Guard now supports Office. This allows untrusted Office documents from outside an enterprise to launch in an isolated container to stop potentially malicious content from compromising computers or exploiting personal information found on them.
• Latest Cumulative Updates (LCUs) and Servicing Stack Updates (SSUs) have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services.
• Biometric sign-on has been made more secure. Windows Hello now has support for virtualization-based security for certain fingerprint and face sensors, which protects, isolates, and secures a user’s biometric authentication data.

For more details, see Microsoft’s “What’s new for IT pros in Windows 10, version 20H2.”

Apple device management is the beating heart at the center of the mobile hybrid enterprise, and vendors that support Apple’s MDM (mobile device management) platform are investing as they seek to build for future growth. At this stage in the evolution of the Apple device management industry, it appears we are on the edge of an M&A frenzy as players in that space seek to build unique identities designed to foster future growth.

Industry activity is intensifying

Jamf, arguably one of the biggest firms in the Apple MDM business, has been investing deeply in companies and services to extend the tranche of security and device management tools it can provide to its customers. These extend to powerful content monitoring, zero trust, and endpoint management.

Jamf CIO Linh Lam recently noted the acceleration of Apple’s enterprise market status, predicting: “The way the demand is growing and the expectations of younger generations joining the workforce, Apple devices will be the number one endpoint by 2030.” 

More recently, we’ve begun to see entities from outside the Apple device management space begin to seek a way in. VMWare’s $1.17 billion acquisition of AirWatch in 2014 showed what was coming. Ivanti in 2021 purchased MobileIron. More recently, GoTo is in the process of acquiring cloud-based cross-platform device management provider Miradore. And arguably one of the larger illustrations of this kind was Apple’s 2020 acquisition of MDM vendor Fleetsmith, whose solutions have now been rolled inside Apple Business Essentials.

Elsewhere, Hexnode has entered a partnership with Keeper Security; JumpCloud in February acquired MYKI to expand its cloud directory platform; Kandji continues to attract investment capital as it plays its own long game; Addigy is working with Acronis (the latter also works with Jamf); and Mosyle recently closed a $196m funding round and introduced new solutions for enterprise customers.

The irresistible force

This activity has purpose, of course. As enterprises become increasingly digitized, the value of the device management market is expected to reach $28.7 billion by 2027.

To put that figure into context, that’s around four times the existing value, meaning there is huge scope for growth in the space, particularly around Apple devices.

We’ve looked before at the acceleration there, as Mac and iOS together now comprise around 23% of global mobile/PC consumer market share and a higher slice of enterprise/knowledge worker markets. When it comes to the Mac, Gartner analyst Mikako Kitagawa recently predicted Apple will seize 10.7% of the PC market in 2026 as Windows share slips. And, of course, a 2021 Dimensional Research survey found that 85% of IT decision makers say Apple devices are more secure.

With hundreds of millions of PC replacements now in sight as old Windows OS installations expire and companies seek to secure all endpoints against catastrophic business failure, the Apple side of this equation remains a highly attractive target for all these parties (and a few I probably forgot).

Carving out space in these markets means Apple MDM vendors are under some pressure to extend the functionality of the solutions they provide while also defining their own unique market position.

Many hope to achieve this by extending their core products with tools for security, remote support, and collaboration or by specializing in the needs of vertical markets such as education, healthcare, and manufacturing.

Why a wave of acquisitions may be on the way

Of course, with SAP, BlackBerry, Cisco, Citrix, IBM, Microsoft, Sophos, SOTI, and others also vying for some or all of the same business, smaller vendors must work hard to develop their own unique offerings. This suggests (at least to my jaded mind) that at some point relatively soon, we will see a wave of mergers and acquisitions as larger entities scoop up some of the smaller firms in a bid to offer more effective cross-platform MDM tools to enterprise customers and secure growth in a challenging market.

What next?

Quite a lot now depends on platform vendors, including Apple. MDM solutions providers live and die through the power of the APIs made available to them, which means that the addition of features and functionality is equally dependent on such system-level support.

All the same, if there’s a seemingly unexplored space that relates to these technologies, it likely extends to remote collaboration and autonomous security solutions.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Apple has struck a big blow against the mercenary “surveillance-as-a-service” industry, introducing a new, highly secure Lockdown Mode to protect individuals at the greatest risk of targeted attacks. The company is also offering millions of dollars to support research to expose such threats.

Starting in iOS 16, iPadOS 16 and macOS Ventura, and available now in the latest developer-only betas, Lockdown Mode hardens security defenses and limits the functionalities sometimes abused by state-sponsored surveillance hackers. Apple describes this protection as “sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.”

In recent years, a series of targeted spyware attacks against journalists, activists, and others have been exposed. Names including Pegasus, DevilsTongue, Predator, Hermit, and NSO Group have undermined trust in digital devices and exposed the risk of semi-private entities and the threat they show against civil society. Apple has made no secret that it is opposed to such practices, filing suit against the NSO Group in November and promising to oppose such practices where it can.

“Apple’s newly released Lockdown Mode will reduce the attack surface, increase costs for spyware firms, and thus make it much harder for repressive governments to hack high-risk users,” said John Scott-Railton, senior researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy.

“We congratulate [Apple] for providing protection to human rights defenders, heads of state, lawyers, activists, journalists, and more,” tweeted the EFF, a privacy advocacy group.

What does Lockdown Mode do?

At present, Apple says Lockdown Mode provides the following protections:

• Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
• Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
• Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
• Wired connections with a computer or accessory are blocked when an iPhone is locked.
• Configuration profiles cannot be installed and the device cannot enroll into mobile device management (MDM) while Lockdown Mode is turned on.

Ivan Krstić, Apple’s head of Security Engineering and Architecture, notes that Lockdown Mode can be applied to devices that are already enrolled in an MDM service. “Pre-existing MDM enrollment is preserved when you enable Lockdown Mode,” he tweeted.

The company says it intends to extend the protection provided by Lockdown Mode over time and has invested millions in security research to help identify weaknesses and increase the integrity of this protection.

How to enable Lockdown Mode

Apple

• Lockdown Mode is enabled in Settings on iPhones and iPads and in System Settings on macOS.
• You’ll find it as an option in Privacy & Security, listed at the bottom of the page.
• Tap Lockdown Mode and you’ll be told that this provides “Extreme, optional protection that should only be used if you believe you may be personally targeted by a highly sophisticated cyberattack. Most people are never targeted by attacks of this kind.”
• The prompts also warn users that certain features will no longer work as you are used to. Shared albums will be removed from Photos, and invitations will also be blocked.

What is the scale of this threat?

These attacks don’t come cheap, which means most people are unlikely to be targeted in this way. Apple began sending threat notifications to potential victims of Pegasus soon after it was revealed and says the number of people targeted in such campaigns is relatively small.

All the same, the scale is international, and the company has warned people in around 150 nations since November 2021. A BBC report confirms hundreds of targets and tens of thousands of phone numbers leaked as a result of NSO’s Pegasus alone. Victims have included journalists, politicians, civil society advocates, activists, and diplomats, so while the numbers are small, the chilling impact of such surveillance is vast.

I believe that such technologies will become cheaper and more available over time, so it’s only a matter of time before they leak into wider use. Ultimately the very existence of such attacks — state-sponsored or not — makes the entire world less safe, not safer.

“There is now undeniable evidence from the research of the Citizen Lab and other organizations that the mercenary surveillance industry is facilitating the spread of authoritarian practices and massive human rights abuses worldwide,” said Citizen Lab Director Ron Deibert in a statement. Deibert told CNET he thinks Lockdown Mode will deal a “major blow” to spyware companies and the governments that use their products.

“While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are,” said Apple’s Krstić in a statement. “That includes continuing to design defenses specifically for these users, as well as supporting researchers and organizations around the world doing critically important work in exposing mercenary companies that create these digital attacks.”

There’s little doubt Microsoft and Google will also move to provide similar protection to users. Google and Meta already offer tools to secure the accounts of those who are at an “elevated risk of targeted online attacks,” but these tools don’t go nearly as far as Lockdown Mode.

Apple’s investments in security

Apple already makes vast investments in security. For example, the company is working with others in the industry to support password-free authentication, has built tools to mask IP addresses and continues to focus on user privacy.

The company will introduce a Rapid Security Response feature for its devices this fall, which will make it possible to deploy security fixes outside of full security updates and much more. Apple is even investing in improving the security of programming languages, further eroding potential attack surfaces.

The company has now announced further investment in the security community:

• Apple has also established a new category within the Apple Security Bounty program to reward researchers who find Lockdown Mode bypasses and help improve its protections. Bounties are doubled for qualifying findings in Lockdown Mode, up to a maximum of $2,000,000 — the highest maximum bounty payout in the industry.
• Apple is also making a $10 million grant, plus any damages awarded from the lawsuit it is pursuing against NSO Group, to support organizations that investigate, expose, and prevent highly targeted cyberattacks, including those created by private companies developing state-sponsored mercenary spyware. It is giving this money to the Ford Foundation’s Dignity and Justice Fund.

What will the Dignity and Justice Fund do?

The fund will make its first grants later this year, focusing initially on initiatives to expose the use of mercenary spyware. In the press release announcing the initiative, Apple tells us these grants will focus on:

• Building organizational capacity and increasing field coordination of new and existing civil society cybersecurity research and advocacy groups.
• Supporting the development of standardized forensic methods to detect and confirm spyware infiltration that meet evidentiary standards.
• Enabling civil society to more effectively partner with device manufacturers, software developers, commercial security firms, and other relevant companies to identify and address vulnerabilities.
• Increasing awareness among investors, journalists, and policymakers about the global mercenary spyware industry.
• Building the capacity of human rights defenders to identify and respond to spyware attacks, including security audits for organizations that face heightened threats to their network

The fund’s grant-making strategy will be advised by a global Technical Advisory Committee. Initial members include Daniel Bedoya Arroyo, digital security service platform analyst at Access Now; Citizen Lab Director Ron Deibert; Paola Mosso, co-deputy director of The Engine Room; Rasha Abdul Rahim, director of Amnesty Tech at Amnesty International; and Apple’s Krstić.

Ford Foundation Tech and Society Program director Lori McGlinchey said:

“The global spyware trade targets human rights defenders, journalists, and dissidents; it facilitates violence, reinforces authoritarianism, and supports political repression. The Ford Foundation is proud to support this extraordinary initiative to bolster civil society research and advocacy to resist mercenary spyware. We must build on Apple’s commitment, and we invite companies and donors to join the Dignity and Justice Fund and bring additional resources to this collective fight.”

What else can you do?

Following revelations about NSO Group last year, Apple published a set of recommendations to help users mitigate against such risks. These guidelines do not even approach the kind of robust protection you can expect from Lockdown Mode, but it makes sense for anyone to follow such practices:

• Update devices to the latest software, which includes the latest security fixes.
• Protect devices with a passcode.
• Use two-factor authentication and a strong password for Apple ID.
• Install apps from the App Store.
• Use strong and unique passwords online.
• Don’t click on links or attachments from unknown senders.

Furthermore, Amnesty Tech is gathering signatures to demand an end this kind of targeted surveillance of human rights defenders. I’d urge readers to add their signature to my own.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.