Category: News

  • EC to grill Meta on Facebook ‘subscription for no ads’ plan


    The European Commission (EC) on Friday said it needs more information from Facebook and Instagram parent company Meta to assess its compliance with applicable privacy and security laws in the European Union (EU).

    The EC, in a statement, said Meta also needs to speed up its responses to requests in December for information, which centered on election information, terrorism and the protection of minors. The company has until March 15 to provide that information, with the new info about Meta’s pay-to-opt-out-of-tracking program due March 22.

    The EC noted that, like all companies doing business in the EU and subject to the Digital Services Act, Meta could be subject to hefty fines for providing incomplete information or missing deadlines. European data protection authorities have levied heavy GDPR fines against a range of businesses, not just social media giants.

    “The present [request for information] builds on Meta’s previous replies and asks additional information concerning the methodology underlying Meta’s risk assessment and mitigation measures reports, the protection of minors, elections and manipulated media,” the EC said. “The RFI also requests Meta to provide information related to the practice of so-called shadow banning and the launch of Threads.”

    The Digital Services Act was approved in April 2022. It governs how internet companies must manage user data, how they are allowed to use that data to target advertising, and steps they must take to police illicit or deceptive content.

    “It will ensure that the online environment remains a safe space, safeguarding freedom of expression and opportunities for digital businesses,” EC president Ursula von der Leyen said in a statement at the time.

    The latest request for information aimed at Meta comes a day after eight consumer protection watchdog groups in the EU filed complaints against the company for its opaque data collection and processing policies. The complaints, filed with national data protection authorities, accuse Meta of violating the GDPR, abusing its dominant market position to misuse customer information, and making merely superficial changes to its privacy policy instead of actually complying with the law.

    European authorities have long had Meta in their sights, having fined the company more than $2 billion since the GDPR took effect in 2018.

    Copyright © 2024 IDG Communications, Inc.


  • Eight European consumer watchdogs file complaints over Meta’s data processing


    Eight European consumer organizations have filed complaints against Facebook parent Meta accusing it of breaching the EU’s General Data Protection Regulation (GDPR) with its so-called “pay-or-consent” policy and opaque internal policies.

    The organizations are all members of BEUC, the European Consumer Organization. Their complaints, publicized Thursday, argue that the large-scale consumer data collection practiced by Meta violates the GDPR, and that the company has abused its dominant market position to essentially coerce customers into accepting its terms. Each of the eight groups filed their complaints with their national data protection authorities, as there is no pan-European office to accept such complaints.

    Facebook and Instagram users, according to BEUC, are being forced to choose between consenting to the processing of their personal information for advertising or paying fees that could top €311/year for a person with a mobile device on which they use both Facebook and Instagram.

    Despite the furor around the “pay or consent” model, BEUC said that this is largely a side issue.

    “While public discussions revolve around this ‘pay-or-consent’ model, Meta carries on with its privacy-invasive business model,” the group said in a brief report. “Each time regulators confirmed that the legal basis Meta relied on was invalid, the company has simply made changes in its privacy policy, while continuing its structural surveillance of consumers.”

    Reached via email, a spokesperson for the consumer federation underlined that the real problem is Meta’s data processing, “regardless of what consumers choose, which cannot be compliant with the GDPR.”

    The spokesperson said that the group believes fines will be a helpful remedy to the extent that they change Meta’s behavior, but that the behavioral change is what they’re really after.

    “Ultimately, that will mean a change of its business model away from surveillance advertising and towards more privacy-friendly forms of business such as contextual ads,” the group said.

    This is far from the first time that data privacy regulators and watchdogs have taken aim at Meta in the wake of the GDPR’s coming into effect in 2018. Complaints to the data protection watchdogs in Ireland, the UK and Austria, among others, have made headlines in recent years, and the company has paid well over $2 billion in fines since the law went into effect.

    Meta is by far the biggest payer of fines for GDPR violations, but a host of smaller businesses have paid penalties because they didn’t ensure GDPR compliance.


  • Microsoft to offer more AI options on Azure with Mistral AI partnership


    Microsoft has partnered with Mistral AI to make the latter’s models available to its Azure customers, giving enterprise customers more options.

    Mistral AI is set to enrich Azure’s AI offerings, introducing its premium models via Azure AI Studio’s Models as a Service (MaaS) and the Azure Machine Learning model catalog.

    This move complements the existing array of OpenAI models, broadening the catalog with a versatile mix of open source and proprietary AI solutions, thereby enhancing the options available to Azure customers.

    “This latest addition of Mistral AI’s premium models into Models as a Service (MaaS) within Azure AI Studio and Azure Machine Learning provides Microsoft customers with a diverse selection of the best state-of-the-art and open source models for crafting and deploying custom AI applications, paving the way for novel AI-driven innovations,” Microsoft said in a blog post.

    More options and more customers

    The addition of Mistral to Azure could bring more options to customers. For Microsoft, this could be a strategic move to beat the competition in the AI space. 

    “The Mistral partnership makes good business sense for Microsoft as it diversifies its AI ecosystem beyond the OpenAI partnership, expands the roster of foundation and generative AI models available on Azure AI, and offers access to multilingual models through Azure,” said Leslie Joseph, principal analyst at Forrester. “This move brings more choice to Microsoft customers that choose to deploy AI applications through Azure, and more choice is always good.” 

    Moreover, the partnership opens doors for both Microsoft and Mistral to leverage each other’s customer bases, expanding their market reach and accelerating the adoption of their respective technologies.

    “From a financial standpoint, the potential cost optimizations for Azure customers by utilizing Mistral’s AI models could translate into substantial savings, further driving Azure’s appeal,” said Thomas George, president of CyberMedia Group and CMR. “Additionally, the collaborative innovation aspect of this partnership holds promise for pushing the boundaries of AI technology forward. As Microsoft and Mistral pool their expertise and resources, we can anticipate the emergence of novel AI solutions and advancements that could reshape various sectors.”

    Potential challenges to overcome  

    Microsoft’s partnership with Mistral won’t be without challenges, according to Manish Rawat, analyst at Techinsights. The challenges that must be addressed include integrating methodologies, ensuring data privacy and security, gaining user acceptance, aligning cultures, and complying with regulations.

    “Overcoming these challenges requires careful planning, transparent communication, and a commitment to shared goals and values,” Rawat said. “Despite the obstacles, the partnership holds promise for driving impactful AI solutions across industries globally.”

    From a customer standpoint, bringing in more AI models could also create the need to upskill their employees. This is critical as technology advances at a fast pace.

    “One way to alleviate the skill gaps is to prioritize training and upskilling for their teams and to develop an in-house understanding of AI concepts and their specific industry applications,” Joseph said. “This should be coupled with proof-of-concept projects to test use cases and refine integration approaches. Fostering collaboration between IT, business, and data science teams is crucial, as are potential partnerships with AI solution providers for expertise.” 

    George suggested that CIOs can ensure their teams effectively manage the complexity of integrating advanced AI technologies through a series of broad steps and initiatives.

    “Collaborating with experienced AI vendors provides valuable insights and support, mitigating risks and expediting deployment,” George added. “Continuous monitoring and evaluation mechanisms enable early issue identification and process optimization. Embracing change management practices facilitates smoother adoption and enhances overall integration outcomes.”


  • Killing VMware | Computerworld


    When Broadcom bought VMware for $69 billion last November, we knew there would be changes. What we didn’t know is that Broadcom’s radical changes would leave partners and customers alike questioning their commitment to VMware.

    Personally, I’ve never been fond of VMware. But I know many IT people swear by its wide array of products. At least, they did until recently. Now that Broadcom is showing its cards for the virtualization powerhouse’s future, it’s another story.

    Even before then, VMware customers were doubtful about the acquisition. Forrester Research had estimated that up to 20% of VMware’s enterprise customers would quickly switch to a new virtual machine vendor.

    Why? According to Forrester analysts, their customers “are exhausted by significant price hikes, degrading support, and forced mandatory subscription to software bundles where some modules such as NSX and Aria Suite/vRealize Suite end up as shelfware.”

    They also had little faith, based on Broadcom’s acquire-slash-and-burn approach to its CA Technologies and Symantec acquisitions, that the products and services they liked from VMware would stick around.  

    They were right.

    Broadcom has killed more than 56 VMware products and platforms, including such favorites as VMware vSphere+, VMware Aria Suite, and VMware NSX. It will also be dumping VMware’s “end-user” computing unit, which includes its Workspace ONE and Horizon offerings.

    More lines are being buried. The one that will bug the most people is Broadcom’s decision to quietly axe VMware’s Free ESXi hypervisor. Broadcom didn’t even announce this one. We only found out about it because a sharp-eyed user spotted a knowledge base article that revealed it was being terminated.

    For enterprises, this isn’t that big a deal. I know a handful of people who used this limited version of ESXi. But I also know many people, indeed most of my VMware friends, who started using the VMware stack only after tinkering with the free ESXi hypervisor. Others loved being able to test-drive projects with the free version before moving it to production.

    Those days are done.

    Oh, so you have a perpetual license, and you think you’ll be OK? Nope, your products are getting whacked, too. The new VMware is ending perpetual license sales, so if your favorite product isn’t being killed, you’ll need to pay a subscription to keep it. From here on out, you can expect to see software-as-a-service (SaaS) licensing.

    According to Broadcom, this is all about transforming its “business to deliver faster innovation with more value to customers, and even better profitability and market opportunity for our partners.”

    Well, I hate to tell you, Broadcom — but from what I’m hearing, your customers and partners disagree. VMware’s rivals, including Nutanix, Scale Computing, and Virtuozzo, are loving it, though. Bigger companies, such as Microsoft with Hyper-V/Azure Stack and Red Hat with OpenShift Virtualization, also have reason to put VMware customers at the top of their marketing list.

    Besides the VMware licensing change, which is always worrisome, VMware customers are also worried sick about the new line’s pricing. Even before Mastodon bought the company, VMware was expensive. They’re afraid, with reason, that they’ll pay even more.

    VMware’s once-flourishing partners are also concerned. Most companies don’t work with VMware directly. They worked with partners, instead. First, Broadcom dumped all its resellers and service partners. Then, it opened the door for its top former partners to come back in. Did they? Well, VMware also took its top 2,000 customers direct, which doesn’t leave much room for VMware’s former partners. The VMware partner slogan, “VMware Partners: An Ecosystem of Trust,” sure sounds hollow.

    If you’re hoping that your good, old VMware partner can help guide you through this brave new Broadcom/VMware, forget about it. Many of you will be on your own. And, honestly, if I were a VMware partner, I’d be looking to partner with someone else and get to work on providing ways to move from VMware products to another line.

    And if I were a VMware customer, I’d also be looking for another path forward. Broadcom can say what it wants about how its changes will improve things, but I don’t buy it. Broadcom’s enterprise software acquisition track record isn’t good. I see no reason to believe it will be any better this time around — and many reasons to think this is one merger and acquisition that won’t be good for anyone.


  • Apple’s iMessage gains industry-leading quantum security


    Apple is preparing for future threats to iMessage by introducing upgraded encryption for its messaging service, designed to resist attacks that use quantum computers.

    Think of it as state-of-the-art quantum security for messaging at scale, the company says, resulting in Apple’s messaging system being more secure against both current and future foes.

    What is the protection?

    Announced on Apple’s Security Research blog, the new iMessage protection is called PQ3 and promises the “strongest security properties of any at-scale messaging protocol in the world.”

    The rationale behind this protection is “What if?”

    In this case, Apple’s security teams asked themselves what might happen if hackers, criminals, or state-backed rogue surveillance firms gathered vast quantities of encrypted iMessage data today in order to break that encryption using quantum computers tomorrow.

    Apple calls this a Harvest Now, Decrypt Later attack. The new security protocol is designed to help protect against this.

    How likely are such attacks?

    These attacks are less likely today than they might become. It is widely accepted that quantum computers will be capable of cracking the classical public key cryptography, such as RSA, Elliptic Curve signatures, and Diffie-Hellman key exchange, in use today.

    Apple explains:

    “All these algorithms are based on difficult mathematical problems that have long been considered too computationally intensive for computers to solve, even when accounting for Moore’s law. However, the rise of quantum computing threatens to change the equation. A sufficiently powerful quantum computer could solve these classical mathematical problems in fundamentally different ways, and therefore — in theory — do so fast enough to threaten the security of end-to-end encrypted communications.”

    In truth, quantum computers are expensive, which means their use is largely limited to only the world’s most powerful entities. But as more are made and costs decline, they will proliferate — and if Apple is considering the potential threat, then threat actors of various stripes will also be exploring the possibility.

    The security industry is getting ready

    Apple isn’t alone. The cryptographic community is also exploring Post-Quantum Cryptography (PQC), aiming to develop new public key algorithms that run on the devices we use today while protecting against the forms of attack we believe quantum computers will be able to deliver tomorrow.

    Signal, for example, introduced its own take on PQC security a few months ago.

    iMessage takes this protection further.

    PQC is used not only to secure the “initial key establishment” (when a shared algorithm is defined), but also to provide the capability to restore security rapidly and automatically if that initial key becomes compromised.

    Apple has submitted PQ3 to two leading security researchers who have verified the technology — Professor David Basin of the Information Security Group at ETH in Zurich, Switzerland, and Douglas Stebila, a University of Waterloo Professor.

    Basin wrote: “We have used Tamarin to formally verify the device-to-device messaging protocol PQ3. From our analysis, we conclude that this protocol achieves strong security guarantees against an active network adversary who can selectively compromise parties and has quantum computing capabilities.”

    Tamarin is a leading security verification tool.

    Stebila said: “The analysis shows that PQ3 provides confidentiality with forward secrecy and post-compromise security against both classical and quantum adversaries, in both the initial key exchange as well as the continuous rekeying phase of the protocol.”

    Research papers describing the academic research conducted by both professors are available via Apple’s security website, where you will also find a far more in-depth analysis of how PQ3 works and the protections it provides.

    What can we read into this?

    The signal Apple is sending with the introduction of this protection in iMessage should not be ignored. It should be seen as both a promise and a warning.

    • The promise is that Apple’s security teams are working to get ahead of both current and future threats.
    • The warning is that if Apple believes it necessary to protect millions of iMessage users against such threats today, tomorrow is looming fast.

    Enterprise tech leaders and IT should, therefore, also work toward protecting their own data against potential quantum computing-led attacks.

    At the very least, this will involve staying abreast of new research in the field from the likes of the US Department of Commerce’s National Institute of Standards and Technology (NIST), which announced some preliminary encryption tools for the post-quantum era in 2022. A response might also involve insisting on such protection in new purchasing relationships.

    When is iMessage quantum security launching?

    • Apple says support for PQ3 will start to roll out with the public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4.
    • That means the support should already be available in the betas.

    It explains that iMessage conversations between devices that support PQ3 are automatically ramping up to the post-quantum encryption protocol. “As we gain operational experience with PQ3 at the massive global scale of iMessage, it will fully replace the existing protocol within all supported conversations this year.”

    For Apple, the protection reflects the extent to which privacy and security enhancements have been integral to its iMessage service since it was first introduced. It builds, for example, on robust protections such as Lockdown Mode and Contact Key Verification that already exist.


  • The hidden high cost of return-to-office mandates


    We all know by now that many business leaders want their employees to work in the office instead of at home. But most don’t understand why.

    And we know that many employees want to work from home instead of the office. And most don’t understand why, either.

    As a result, we have a standoff at many companies where corporate leadership is imposing return-to-office (RTO) mandates, and employees are resisting.

    It’s time for everyone to really understand what’s driving the standoff.

    Why employees hate RTO mandates

    The conventional wisdom says that the COVID-19 pandemic, which forced companies to embrace full-time, work-from-home (WFH), gave employees a taste of remote work. They liked it. And that stiffened resistance to RTO mandates.

    The well-known reason many employees prefer WFH policies is increased schedule flexibility, better work-life balance, and less time spent fighting traffic on the way to and from the office.

    But there’s another factor at play: money.

    Prices vary by region. But in general, since the beginning of the pandemic in 2020, the cost of living has risen dramatically for employees: annual mortgage payments have grown by more than $3,500; the price of a car has risen by about $10,000; and the cost for groceries has increased by around 10%.

    The direct additional cost of working in an office for employees is higher, too: Gasoline costs more than it did in 2019; annual child-care costs have increased by more than $1,000. And inflexible RTO policies requiring normal business hours impose even more child-care costs, as arrangements often have to be made for kids to be picked up and dropped off at school.

    To put that into perspective, one report notes that it costs employees the equivalent of a month’s grocery bill to return to the office.

    RTO mandates don’t represent a return to normal. They represent the imposition of new high costs for employees already feeling the pain of inflation. (Even though it has subsided somewhat, prices remain stubbornly high.)

    Not only are employees required to sacrifice flexibility, work-life balance, and valuable time. They’re now expected to pay for the privilege.

    Here’s another point to consider. While flexibility and work-life balance are somewhat squishy and vague, the literal financial costs to employees are directly measurable in dollars.

    Why many business leaders want RTO mandates

    Researchers at the University of Pittsburgh’s Katz Graduate School of Business studied the reasons for, and impacts of, RTO requirements. They looked at S&P 500 companies with RTO mandates and tested the three major justifications for those mandates: 1) higher productivity; 2) better company performance; and 3) company values.

    The researchers also collected job satisfaction and other data from Glassdoor to see how RTO mandates affect both employees and managers.

    The results were eye-opening.

    The researchers found that companies with RTO policies were more likely to have had poor prior stock performance, and more likely to be led by “male and powerful CEOs” seeking to “grab power back from employees through RTO.”

    RTO policies were also found to be used to scapegoat employees working from home for bad company performance.

    Counterintuitively, they found that tech companies are more likely to demand RTO. Very intuitively, they found fewer RTO mandates at companies with high competition and places with longer commute times.

    The results weren’t one-sided. Many employees, they found, agree with RTO mandates and feel that living and working in separate places improved work-life balance.

    Interestingly and unusually, the researchers looked at the impact of RTO mandates on companies’ financial performance. They pointed out that improving employee productivity is a major justification for RTO policies, while measurably lower employee satisfaction is known to reduce productivity. In a nutshell, they found that RTO mandates don’t significantly affect productivity or company financial performance in either direction.

    Why RTO mandates are risky business

    The best data to date shows that the reasons and justifications for RTO mandates are largely misguided. Such mandates do not generally lead to higher productivity, better performance or improved corporate values in the short term.

    It also shows that the reasons and justifications for WFH are largely real and serious. Remote work does improve schedule flexibility and work-life balance, and it saves employees a lot of time and money.

    In other words: Forcing employees to work in an office doesn’t benefit companies, but does harm the lives of employees — at least in the short term.

    More to the point: Most companies cannot show actual monetary benefits from RTO mandates. But most employees can show actual and significant monetary costs from RTO mandates.

    In essence, these kinds of mandates represent a transfer of wealth from employees that their employers don’t even benefit from.

    Here’s what’s missing from the calculation: The long-term impact of RTO mandates could be catastrophic for businesses.

    The thing you need to know is that employees unhappy with RTO mandates aren’t likely to tell you. In a recent survey, more than a third (38%) of employees believe it’s a “red flag” to complain about RTO policies. And they’re right: More than half of managers (56%) agree.

    You’ll find out they were unhappy when they quit and go to work for your more flexible competitor. The result: a slow bleeding of high-performing employees, millennials and women.

    In other words, to impose RTO is to implement a policy of gradually reduced overall employee performance, increased difficulty in meeting gender inclusion goals and undermined efforts to groom the next generation of corporate leaders.  

    So proceed with caution. The benefits of RTO mandates are probably nonexistent. The costs are likely to grow over time.


  • Microsoft fixes two zero-days with Patch Tuesday release


    Microsoft on Tuesday released 73 updates in its monthly Patch Tuesday release, addressing issues in Microsoft Exchange Server and Adobe and two zero-day flaws being actively exploited in Microsoft Outlook (CVE-2024-21410) and Microsoft Exchange (CVE-2024-21413).

    Including the recent reports that the Windows SmartScreen vulnerability (CVE-2024-21351) is under active exploitation, we have added “Patch Now” schedules to Microsoft Office, Windows and Exchange Server. The team at Readiness has provided this detailed infographic outlining the risks associated with each of the updates for this cycle.

    Known issues

    Microsoft publishes a list of known issues related to the operating system and platforms included each month.

    • Windows devices using more than one monitor might (still) experience issues with desktop icons moving unexpectedly between monitors or other icon alignment issues when attempting to use Windows Copilot. Microsoft is still working on this issue.
    • After you install KB5034129, chromium-based internet browsers such as Microsoft Edge might not open correctly. Affected browsers might display a white screen and become unresponsive when opened. (This is probably an issue mainly affecting developers using several browsers on the same system.)  Microsoft is working on a fix. We expect an update in the next Edge update.

    There is a significant issue with the current release of Microsoft Exchange Server, which is detailed below in the Exchange Server section.

    Major revisions

    We have seen three waves of CVE vulnerability revisions from Microsoft (so far) this month — which in itself is unusual — made all the more so by the volume of updates in such a short time. That said, all the revisions were due to mistakes in the publication process; no additional action is required for the following:

    • CVE-2021-43890: Windows AppX Installer Spoofing Vulnerability. Microsoft has updated the FAQs and added clarifying information to the mitigation. This is an informational change only.
    • CVE-2023-36019: Microsoft Power Platform Connector Spoofing Vulnerability. Updated the mitigation to inform customers with existing OAuth 2.0 connectors that the connectors must be updated to use a per-connector redirect URL by March 29. This is an informational change only.
    • CVE-2024-0056, CVE-2024-0057, CVE-2024-0057, CVE-2024-20677 and CVE-2024-21312: These were updated to resolve broken link issues. No further action required.

    Contrary to current documentation from Microsoft, there are two revisions that do require attention: CVE-2024-21410 and CVE-2024-21413. Both reported vulnerabilities are “Preview Pane” critical updates from Microsoft that affect Microsoft Outlook and Exchange Server. Though the Microsoft Security Response Center (MSRC) says these vulnerabilities are not under active exploitation, there are several published reports of active exploitation.

    Note: this is a serious combination of Microsoft Exchange and Outlook security issues.

    Mitigations and workarounds

    Microsoft published the following vulnerability-related mitigations for this month’s release cycle:

    We have placed the GPO setting AllowAllTrustedAppToInstall in quotes, as we don’t believe it exists (or the documentation has been removed/deleted). This may be (another) documentation issue.

    Each month, the team at Readiness provides detailed, actionable testing guidance based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations. For this February release, we have grouped the critical updates and required testing efforts into functional areas, including:

    Security

    • AppLocker: Test basic functionality of AppLocker, including deploying AppLocker policies.
    • Secure Launch has been updated. Administrators can ensure that Secure Launch is working through the Microsoft utilityEXE.

    Networking

    • DNS has been updated for all Windows platforms, including changes to RRSIG and DNSKEY (used to decrypt/validate hash records). Microsoft has offered guidance on securing/validating DNS responses for Windows Server here and provided syntax and examples to test out DNS query resolutions.
    • RPC clients for internal applications will require a full end-to-end test cycle.
    • Internet Shortcuts have been updated and will require testing on both online trusted and untrusted sources.
    • Internet Connection Sharing (ICS) will also require tests run on both host and client machines.

    Developers and development tools

    • Microsoft updated the core component Microsoft Message Queue (MSMQ) which will affect Message Queue Services, its related Routing service and DCOM proxy. Testing must include online browsing and video/audio streaming for any affected app.
    • SQL OLEDB has been updated, requiring database administrators to check their database connections and basic SQL commands.

    Microsoft Office

    • Due to the changes to Adobe Reader and the PDF file format this month, Microsoft Word users should include a test to open, save, and print PDF files.
    • Outlook users should test opening mail and calendar items with an additional test of opening a backup Outlook data file.

    Also, this month, Microsoft added a new feature to the Microsoft .NET CORE offering with SignalR. Microsoft explains: 

    “ASP.NET SignalR is a library for ASP.NET developers that simplifies the process of adding real-time web functionality to applications. Real-time web functionality is the ability to have server code push content to connected clients instantly as it becomes available, rather than having the server wait for a client to request new data.”

    You can find documentation on getting started with SignalR here.

    Automated testing will help with these scenarios (especially a testing platform that offers a “delta” or comparison between builds). However, for line-of-business apps, getting the application owner (doing UAT) to test and approve the results is still essential.

    Windows lifecycle update

    This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms.

    Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

    • Browsers (Microsoft IE and Edge);
    • Microsoft Windows (both desktop and server);
    • Microsoft Office;
    • Microsoft Exchange Server;
    • Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
    • Adobe (if you get this far).

    Browsers

    Microsoft released three minor updates to the Chromium-based Edge (CVE-2024-1283, CVE-2024-1284, and CVE-2024-1059) and updated the following reported vulnerabilities:

    • CVE-2024-1060: Chromium: CVE-2024-1060 Use after free in Canvas
    • CVE-2024-1077: Chromium: CVE-2024-1077 Use after free in Network
    • CVE-2024-21399: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

    All these updates should have minor to negligible impact on applications that integrate and operate on Chromium. Add them to your standard patch release schedule.

    Windows

    Microsoft released two critical updates (CVE-2024-21357 and CVE-2024-20684) and 41 patches rated as important for Windows that cover the following components:

    • Windows ActiveX and WDAC OLE DB Provider;
    • Windows Defender;
    • Windows Internet Connection Sharing;
    • Windows Hyper-V;
    • Windows Kernel.

    The real worry this month is the Windows SmartScreen (CVE-2024-21351) update, which has reportedly been exploited in the wild. Due to this rapidly emerging threat, add this update to your Windows “Patch Now” release schedule.

    Microsoft Office

    Microsoft released a single critical update (CVE-2024-21413) and seven patches rated as important for the Microsoft Office productivity suite. The real concern is older versions of Microsoft Office (2016, in particular). If you are running these older versions, you will need to add these updates to your Patch Now schedule.

    All modern versions of Microsoft Office can add these February updates to their standard release schedule.

    Microsoft Exchange Server

    Microsoft released a single update for Microsoft Exchange Server, with CVE-2024-21410 rated critical. This update will require a reboot of the target server(s). In addition, Microsoft offered this advice when patching your servers:

    “When Setup.exe is used to run /PrepareAD, /PrepareSchema or /PrepareDomain, the installer reports that Extended Protection was configured by the installer, and it displays the following error message: ‘Exchange Setup has enabled Extended Protection on all the virtual directories on this machine.’”

    Microsoft offers “Extended Protection” as a series of documents and scripts to help secure your Exchange server. In addition, Microsoft published Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2 to help with managing the attack surface of this serious vulnerability. Add this to your “Patch Now” schedule.

    Microsoft development platforms

    Microsoft released three updates (CVE-2024-20667, CVE-2024-21386 and CVE-2024-21404) affecting the .NET platform as well as Visual Studio 2022. These updates are expected to have minimal impact on app deployments. Add them to your standard developer release schedule.

    Adobe Reader (if you get this far)

    Adobe Reader updates are back this month (year) with the release of APSB 24-07, a priority three update for both Adobe Reader and Reader DC. Adobe notes that this vulnerability could lead to remote code execution, denial of service, and memory leaks. There are also some documented uninstall issues with Adobe Reader, which might cause deployment headaches. All this is enough to add this Adobe update to our “Patch Now” schedule.

    Copyright © 2024 IDG Communications, Inc.


  • EU’s AI Act wins fresh backing ahead of April vote

    EU’s AI Act wins fresh backing ahead of April vote


    European Union (EU) legislation that would set guardrails for the use and development of AI technology appears to be on a clear path toward ratification as two key groups of legislators in the EU Parliament on Tuesday approved a provisional agreement on the proposed rules.

    The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) and Committee on the Internal Market and Consumer Protection (IMCO) approved the AI Act with an “overwhelmingly favorable vote,” putting the rules “on track to become law,” Dragoș Tudorache, an EU Parliament member and chair of the EU’s Special Committee on AI, tweeted on X, formerly Twitter.

    The rules, on which the EU Parliament will formally vote in April, require organizations and developers to assess AI capabilities and place them into one of four risk categories — minimal, limited, high, and unacceptable risk. The act is the first comprehensive government legislation to oversee how AI will be developed and used, and has been met with both approval and caution from technologists.

    “Parliament’s priority is to make sure that AI systems used in the EU are safe, transparent, traceable, non-discriminatory and environmentally friendly,” the EU said in describing the legislation online. “AI systems should be overseen by people, rather than by automation, to prevent harmful outcomes.”

    Set up for simplicity

    At its core, the regulation is simple, said Gartner’s Nader Henein, a fellow of information privacy, research vice president-data protection and privacy. “It requires that organizations (and developers) assess their AI capabilities and place it in one of the four tiers defined by the act,” he said. “Depending on the tier, there are different responsibilities that fall on either the developer or the deployer.”

    Some advocacy groups and even an analysis by the US government have pushed back against the AI Act, however. Digital Europe, an advocacy group that represents digital industries across the continent, released a joint statement in November ahead of the Act’s final weeks of negotiations warning that over-regulation could stymie innovation and cause startups to leave the region. The group urged lawmakers not to “regulate” new AI players in the EU “out of existence” before they even get a chance.

    Henein argued that the law’s mandates “are in no way a hindrance to innovation. Innovation by its nature finds a way to work within regulatory bounds and turn it into an advantage,” he said.

    Adoption of the rules “should be straightforward” as long as developers and resellers provide clients with the information they need to conduct an assessment or be compliant, Henein said.

    Still, one tech expert said some criticisms about the prescriptive nature of the AI Act and vague language are valid — and its relevance might not last because it’s often difficult for regulations to move at the pace of technology.

    “There are some parts of the regulation that make a lot of sense, such as banning ‘predictive policing’ where police are directed to go after someone just because an AI system told them to,” said Jason Soroko, senior vice president of product at Sectigo, a certificate lifecycle management firm. “But, there are also parts of the regulation that might be difficult to interpret, and might not have longevity, such as special regulations for more advanced AI systems.”

    More restrictions in the offing?

    Further, enterprises could face compliance challenges in the discovery process as they build a catalog of existing AI use cases, and the subsequent categorization of those use cases into the Act’s tiering structure, Henein said.

    “Many organizations think they are new to AI when in fact, there is nearly no product of note they have today that does not have AI capabilities,” Henein said. “Malware detection tools and spam filters have relied on machine learning for over a decade now, they fall in the low-risk category of AI-systems and require no due diligence.”

    If the EU votes to approve the act in April, as seems likely, other countries might follow. Several nations — the US, UK, and Australia among them — already have put in place government-led groups to oversee AI development; more formal regulations could follow.

    Still, any new rules will likely only apply to the most extreme cases in which AI presents significant harm to humanity or otherwise. Cases in which it’s being used responsibly and even presents benefits, such as worker productivity — which is true in the case of currently used generative AI chatbots based on large language models (LLMs) such as OpenAI’s ChatGPT — likely will see little oversight.

    “What we are seeing on both sides of the Atlantic is the need to restrict certain use cases outright; these fall under the prohibited category under the AI Act and present serious harm,” Henein said.


  • Sam Altman wants to raise trillions of dollars for AI chip initiative

    Sam Altman wants to raise trillions of dollars for AI chip initiative


    After disrupting the AI industry by launching ChatGPT, OpenAI’s Chief Executive Officer, Sam Altman, is now looking to reimagine the global semiconductor industry.

    Altman hopes to do that by raising $5 trillion to $7 trillion to “boost the world’s chip-building capacity, expand its ability to power AI, among other things,” according to a Wall Street Journal report. Altman is in talks with the UAE government, SoftBank, and Taiwan Semiconductor Manufacturing Company (TSMC), among other investors, to raise the massive amount, the report said.

    As per reports, Altman was earlier in talks with Abu Dhabi-based AI firm G42 and SoftBank Group for a new chip venture envisioned to supply AI chips globally. OpenAI had earlier tied up with G42 to provide AI services in the regional markets.

    Altman’s desire to take control of the chip supply chain will not only help OpenAI ensure improved prices but also control the development of the AI ecosystem. “If you look at most successful firms in their categories, they look or design their own chips at a later stage for better price and performance ratio for their specific requirements. For example, Apple and Tesla are designing some of their own chips along with AWS, Google, Microsoft, and Meta. In a similar context, it may make sense for OpenAI to design its own chip for better price and performance,” said Pareekh Jain, CEO at Pareekh Consulting.

    The initiative, if successful, will help Altman create a massive business based on the market needs. “This is something similar to Amazon launching an AWS [Amazon Web Services] business to manage the world’s IT infrastructure and software on the cloud. Similarly, this looks like the next step for Altman,” Jain said.

    Massive shortage of AI chips

    The growing adoption of AI has led to a massive shortage of AI chips or GPUs, which is crippling the growth of the industry. Altman wants to take control of the entire value chain to ensure that the chip shortage doesn’t hamper the growth of the AI ecosystem. Nvidia, which had designed the chip used in ChatGPT, is largely believed to be the market leader in AI chips.

    “In the adoption of Generative AI, the biggest bottleneck is the cost and availability of GPU [Graphics Processing Units] chips. If OpenAI can solve this,  it will help not only OpenAI but the whole ecosystem in the faster adoption of Generative AI,” Jain said.

    “AI infrastructure plays a key role in the training/inferencing of foundation models sitting at the core of the next-gen AI ecosystem, while the advancement and proliferation of AI technologies rely heavily on specialized hardware, particularly AI chips that are optimized for AI tasks,” said Charlie Dai, VP, Principal Analyst, Forrester.

    Geopolitical face-offs for AI chip capabilities

    It is tough to think of a precedent of an organization generating the kind of funds Altman has in mind for the AI chip initiative. It is safe to conclude that this kind of initiative will likely involve investors from several nations or governments, which can potentially lead to geopolitical conflict zones.  

    The shortage of AI semiconductors has led to a chip war between the US and China, with both countries trying to prevent the other from gaining the upper hand. For instance, the US came up with a chip ban in October 2022, banning the export of AI chips to China.

    “The shortage of AI chips has already cast a shadow over AI innovation, especially in China, due to geopolitical frictions,” said Dai.

    In addition, this kind of initiative will typically take a long time to raise funds as well as to set up manufacturing units. If chip shortage is worrying Altman, this initiative is unlikely to address it in the near term.

    “With the demand outpacing supply for AI hardware especially in compute – entities that have access to hardware first will enjoy the advantage of maturity of the AI models as it gives them time to fine-tune and iterate the model to serve the intended workloads/function/application,” said Akshara Bassi, Senior Analyst, Counterpoint.

    “The initiative itself is more of an ambition in the long run instead of a realistic target in the short term,” said Dai of Forrester. While it remains to be seen whether Altman will succeed in this ambition or not, it is safe to say that he has successfully ushered the world into an AI era. The idea of raising trillions to control the global AI supply chain sounds extraordinary and will demand all of Altman’s business acumen and grit to make it a success. But then Altman is known to disrupt the market and make astonishing and dramatic comebacks.


  • Apple improves iCloud for Windows, kills iTunes

    Apple improves iCloud for Windows, kills iTunes


    If you use Windows for work and an iPhone for everything else, you should know that Apple has changed iCloud for Windows and no longer offers iTunes for the platform —  though none of your media purchases have disappeared.

    How has Apple improved iCloud for Windows?

    Apple has redesigned the iCloud for Windows application, giving it a more modern look that’s easier to navigate with Photos, iCloud Drive, Passwords, Bookmarks and Calendars/Contacts all easy to access in a click. It’s also easy to check how much storage you have in use.

    Beyond the facelift, the software is now a little easier to set up and install and provides better insights into how files and other data are syncing. The latter means you can check whether items are in the process of syncing, and when a sync operation last took place.

    You can also check service status — all from within the iCloud app front page. That means Windows users can monitor the sync status of photos, contacts, and of course any work-related documents that might be stored in iCloud Drive.

    Users might also notice that photo syncing has gotten faster and experience better syncing with Microsoft Outlook. Apple notes that contact and calendar syncing problems with Outlook have been resolved, though Windows 11 22H2 is required.

    What’s new in iCloud for Windows?

    There are some brand new enhancements, including support for physical security keys and dark mode. Users can also track all the devices (Apple and non-Apple) they have signed into iCloud through the Accounts Details page.

    To summarize the improvements:

    • A new user interface.
    • Dark mode.
    • Support for physical security keys.
    • Improved insight into sync.
    • Improved onboarding system.
    • Better photo sync speeds.
    • Better Outlook support on Windows 11 or later.

    It might seem ironic to note that iCloud for Windows is potentially one of Apple’s most widely used applications. That is because some market share estimates suggest just a quarter of the owners of those 1 billion+ iPhones in use today also run Macs, leaving millions of people on Windows PCs. That’s a large number of potential users of Apple’s updated applications, which also means the replacement of iTunes with standalone Apple Music and Apple TV apps is likely to impact those people, too.

    Windows now supports FIDO for Apple ID protection

    If you use physical security keys to protect your Apple ID, you can now also use those keys with Windows, as explained by Apple here. The company introduced support for FIDO-certified hardware keys in 2023. These provide additional security, particularly for those needing additional protection from targeted attacks.

    Learn how and why to use these keys to protect your Apple ID here.

    Farewell iTunes

    Apple replaced iTunes on Macs with standalone Music and TV apps with macOS Catalina in 2019. In a process it announced in 2022, the company has now brought Windows users into line with that decision, introducing standalone Music and TV apps for that platform. All existing purchased content will be available from within those apps, and if you subscribe to the company’s media services, you can access those, too.

    Apple has also introduced a new version of the Apple Devices app, which lets you manage your iPhone or iPad from the Windows PC without use of iTunes.

    Who is it for?

    The new applications are only available for Windows 10 and Windows 11. If you’re still working with an older iteration of Microsoft’s operating system, you will need to keep using Apple’s legacy apps.  

    Where to get the new applications

    The updated apps are available for free through the Microsoft Store at these links:

    For more detailed information, check out our complete guide to iCloud for Windows. While this focuses on an earlier edition of the application, it still provides useful guidance.
