Microsoft fixes Outlook zero-day in March Patch Tuesday
Microsoft has released fixes for two zero-day vulnerabilities among just over 80 bugs addressed in its monthly update on Tuesday.
The number of issues, including four CVEs assigned to GitHub, roughly matches the volume of disclosures seen in the first two months of the year, again with a strong bias towards remote code execution (RCE) issues.
“Microsoft resolved 80 new CVEs this month and expanded four previously released CVEs to include additional versions of Windows,” wrote Chris Goettl, Ivanti’s vice president of security products. “This brings the total number of CVEs reviewed this month to 84. This month’s updates address two confirmed zero-day exploits that affect Microsoft Office and Windows SmartScreen. Both exploits are user-targeted. A total of nine CVEs are rated critical this month. Eight of the nine critical CVEs are included in this month’s Windows OS update.”
Tracked as CVE-2023-23397, the Outlook vulnerability is known to be exploited in the wild but had not been publicly disclosed before the fix. It carries a CVSS score of 9.8 and is rated critical. It is an elevation of privilege (EoP) vulnerability that can be exploited simply by sending a specially crafted email to the target.
The exploit triggers when the Outlook client retrieves and processes the message, which means it fires before the email is opened or even shown in the preview pane, with no user interaction. Successfully exploited, it lets an unauthenticated attacker obtain the victim’s Net-NTLMv2 hash and use it to authenticate as the victim to other services, bypassing authentication controls.
Kevin Breen, director of cyber threat research at Immersive Labs, said CVE-2023-23397 is particularly dangerous, and noted that the EoP classification assigned to it does not accurately reflect this.
“Known as an NTLM relay attack, it allows an attacker to obtain someone’s NTLM hash and use it in an attack commonly known as ‘pass the hash’,” he said. “This vulnerability effectively allows an attacker to authenticate as a trusted individual without knowing their password. This is the equivalent of an attacker having a valid password to access an organisation’s systems.”
Its discovery is credited to the Microsoft Incident Response and Threat Intelligence teams working with CERT-UA, Ukraine’s national CERT, which strongly suggests that Russian state actors are using it in their ongoing cyber warfare campaign.
Rapid7 lead software engineer Adam Barnett said: “Microsoft has detected exploitation by a Russia-based threat actor targeting government, military and critical infrastructure in Europe. Given the network attack vector, the ubiquity of SMB shares, and the lack of user interaction required, an attacker with a suitable foothold in the network could well consider this vulnerability as a prime candidate for lateral movement.”
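The article describes the effect (a Net-NTLMv2 leak triggered before the mail is viewed) but not what a defender should look for. The following is an added example, not code from the article or from Microsoft: it screens Outlook items for the property the crafted message abuses. The detail it relies on is that the message carries a reminder whose PidLidReminderFileParameter named property (0x851F) points at a UNC path on an attacker-controlled host, usually with PidLidReminderOverride (0x851C) set so Outlook uses that custom sound; when the client processes the reminder it opens the path over SMB (or WebDAV via the host@port syntax) and authenticates, which is what leaks the hash. The item dicts, sender addresses, hostnames and the 203.0.113.42 address are constructed for this example; a real scanner would read the same properties through MAPI/EWS or from exported .msg files.

```python
"""Screen Outlook items for the reminder-sound UNC path abused by CVE-2023-23397.

Added example; message model is a plain dict constructed for illustration.
"""
from dataclasses import dataclass
import re
from typing import Iterable, Optional

PID_REMINDER_FILE_PARAM = "PidLidReminderFileParameter"  # 0x851F, PT_UNICODE
PID_REMINDER_OVERRIDE = "PidLidReminderOverride"         # 0x851C, PT_BOOLEAN

# \\host\share or //host/share; the host runs up to the next separator.
_UNC_RE = re.compile(r"^(?:\\\\|//)(?P<host>[^\\/]+)(?:[\\/]|$)")
_LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", ".", "?"}  # \\.\ and \\?\ prefixes


@dataclass(frozen=True)
class Finding:
    item_id: str
    sender: str
    path: str
    host: str
    override_set: bool


def remote_host(path: str) -> Optional[str]:
    r"""Host named by a UNC-style path, lower-cased, or None for local paths.

    WebDAV forms such as \\host@80\dav or \\host@SSL@443\dav reduce to 'host'.
    """
    m = _UNC_RE.match(path.strip())
    if not m:
        return None
    return m.group("host").split("@", 1)[0].lower()


def suspicious_host(props: dict) -> Optional[str]:
    """Remote host the reminder sound would be fetched from, else None."""
    path = props.get(PID_REMINDER_FILE_PARAM)
    if not isinstance(path, str) or not path:
        return None
    host = remote_host(path)
    if host is None or host in _LOCAL_HOSTS:
        return None
    return host


def scan(items: Iterable[dict]) -> list:
    """Flag on the path alone; override_set is reported, not required,
    because a quiet false positive is cheaper than a miss."""
    findings = []
    for item in items:
        props = item.get("props", {})
        host = suspicious_host(props)
        if host is not None:
            findings.append(Finding(item["id"], item.get("sender", "?"),
                                    props[PID_REMINDER_FILE_PARAM], host,
                                    bool(props.get(PID_REMINDER_OVERRIDE, False))))
    return findings


# Constructed sample mailbox (hostnames and addresses are fictitious).
SAMPLE_ITEMS = [
    {"id": "msg-1", "sender": "hr@corp.example",
     "props": {PID_REMINDER_FILE_PARAM: r"C:\Windows\Media\reminder.wav",
               PID_REMINDER_OVERRIDE: True}},
    {"id": "msg-2", "sender": "noreply@evil.example",
     "props": {PID_REMINDER_FILE_PARAM: r"\\203.0.113.42\share\alert.wav",
               PID_REMINDER_OVERRIDE: True}},
    {"id": "msg-3", "sender": "calendar@evil.example",
     "props": {PID_REMINDER_FILE_PARAM: r"\\webdav.evil.example@80\dav\alert.wav"}},
    {"id": "msg-4", "sender": "it@corp.example",
     "props": {PID_REMINDER_FILE_PARAM: r"\\localhost\c$\x.wav"}},
    {"id": "msg-5", "sender": "team@corp.example", "props": {}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ITEMS):
        print(f"{f.item_id} from {f.sender}: reminder sound on {f.host} "
              f"({f.path}), override={f.override_set}")
```

Run against the sample mailbox, only msg-2 and msg-3 are reported; the local sound file and the loopback share are ignored. Treat any hit on a mailbox that has not yet received the March update as a likely exploitation attempt and look for outbound SMB (445) or WebDAV connections from that host to the flagged address.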
The second zero-day is tracked as CVE-2023-24880. It has been publicly disclosed and is known to have been exploited in the wild. It is a security feature bypass vulnerability in the Windows SmartScreen anti-phishing and anti-malware service, with a CVSS score of 5.4 and a medium severity rating.
Left unpatched, CVE-2023-24880 allows an attacker to craft a file that evades Mark of the Web (MoTW) protections, making it much easier to deliver malicious documents and malware that SmartScreen might otherwise block.
Breen said that despite its lower severity rating, defenders should still prioritise patching it. “The notes from Microsoft say that an attacker could create a malicious file that would disable certain security features, such as Protected View in Microsoft Office,” he said.
“Macro-based malware is still frequently seen as part of initial compromises, and users are accustomed to these prompts protecting them from dangerous files,” Breen added. “Protected View and Mark of the Web should be part of your defence-in-depth strategy, not a standalone layer of defence.”
Its discovery is credited to Benoit Sevens and Vlad Stolyarov of the Google Threat Analysis Group, as well as Bill Demirkapi of Microsoft.
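The article explains that the bypass yields a file SmartScreen and Protected View do not treat as Internet-origin, but not what that mark actually is. The following is an added example, not code from the article or from Microsoft. Windows records a download's origin in an NTFS alternate data stream named Zone.Identifier whose body is INI-style text with a [ZoneTransfer] section; ZoneId 3 (Internet) or 4 (Restricted sites) is what triggers Protected View and the SmartScreen check. A bypass of the kind described for CVE-2023-24880 ends with a file that arrived from the Internet yet carries no such mark, or a lower zone, so the audit below compares the mark on disk with an origin the caller already knows from proxy or browser download logs. The stream bodies, file names and URLs are constructed for the example; on Windows the same text comes from open(path + ":Zone.Identifier").read().

```python
"""Parse the Zone.Identifier stream behind Mark of the Web and audit it.

Added example; the sample streams below are constructed, not captured.
"""
from enum import IntEnum
from typing import Optional


class Zone(IntEnum):
    LOCAL_MACHINE = 0
    LOCAL_INTRANET = 1
    TRUSTED_SITES = 2
    INTERNET = 3
    RESTRICTED_SITES = 4


def parse_zone_identifier(stream: Optional[str]) -> dict:
    """Return the [ZoneTransfer] key/values; {} if the stream is absent."""
    if not stream:
        return {}
    section, fields = None, {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_of(stream: Optional[str]) -> Optional[Zone]:
    """Zone recorded in the stream, or None if absent or malformed."""
    try:
        return Zone(int(parse_zone_identifier(stream)["ZoneId"]))
    except (KeyError, ValueError):
        return None


def protected_view_expected(stream: Optional[str]) -> bool:
    """True when Office should open the file in Protected View."""
    z = zone_of(stream)
    return z is not None and z >= Zone.INTERNET


def audit(stream: Optional[str], origin_is_internet: bool) -> str:
    """Compare the mark on disk with the origin known from elsewhere
    (proxy or browser download logs, supplied by the caller)."""
    z = zone_of(stream)
    if not origin_is_internet:
        return "OK"
    if z is None:
        return "MOTW_MISSING"      # no stream: SmartScreen/Protected View never consulted
    if z < Zone.INTERNET:
        return "MOTW_DOWNGRADED"   # marked, but as local/intranet/trusted
    return "OK"


# Constructed sample streams.
MARKED = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.com/\r\n"
          "HostUrl=https://example.com/payroll.xlsm\r\n")
DOWNGRADED = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    samples = [("payroll.xlsm", MARKED), ("invoice.msi", None), ("report.docm", DOWNGRADED)]
    for name, s in samples:
        print(f"{name}: zone={zone_of(s)} verdict={audit(s, origin_is_internet=True)}")
```

The verdict that matters operationally is MOTW_MISSING on a file your proxy logs say came from outside: that is the condition this bypass, and the more mundane cases of files extracted from containers that do not propagate the mark or of users clicking Unblock, all produce. It is also why Breen's point stands: the mark is one input to a layered policy, not the policy itself.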
Nine vulnerabilities in the March update are rated critical.
Of these, Gal Sadeh, head of data and security research at Silverfort, noted that CVE-2023-21708 and CVE-2023-23415 deserve special attention.
“The critical RCE vulnerability in the Remote Procedure Call runtime, CVE-2023-21708, should be a priority for security teams because it allows unauthenticated attackers to execute remote commands on the target machine,” he said. “Attackers could use this to attack domain controllers, which are open by default. To mitigate, we recommend that domain controllers only allow RPC from authorised networks, and that RPC traffic to unnecessary endpoints and servers be restricted.
“Another critical vulnerability, CVE-2023-23415, poses a serious threat because it allows attackers to exploit a flaw in the Internet Control Message Protocol (ICMP), which is often not restricted by firewalls, to remotely execute code on exposed servers using a malicious packet. It requires a raw socket on the target, so any organisation using such infrastructure must either patch or block ICMP packets at the firewall,” Sadeh said.
Court rules Uber and Lyft can continue to treat California drivers as independent contractors
SACRAMENTO, Calif. (AP) — App-based ride-hailing and delivery companies like Uber and Lyft can continue to treat their California drivers as independent contractors, a state appeals court ruled Monday, allowing the tech giants to bypass other state laws requiring worker protections and benefits.
The ruling largely upholds a voter-approved law called Proposition 22, which says drivers for companies like Uber and Lyft are independent contractors and are not eligible for benefits like paid sick leave and unemployment insurance. A 2021 lower court ruling declared Proposition 22 illegal, but Monday’s ruling reversed that decision.
“Today’s decision is a victory for app workers and the millions of Californians who voted for Proposition 22,” said Tony West, Uber’s general counsel. “We are glad that the court respectfully treated the will of the people.”
The decision is a defeat for the unions and their allies in the state Legislature, who in 2019 passed a law requiring companies like Uber and Lyft to treat their drivers as employees.
“Today, the Court of Appeals decided to side with powerful corporations, not workers, in allowing companies to buy off our state labor laws and undermine our state constitution,” said Lorena Gonzalez Fletcher, leader of the California Labor Federation and a former state legislator who authored the 2019 law. “Our system is broken. It would be an understatement to say that we are disappointed with this decision.”
The decision was not a complete defeat for the unions, as the court ruled that companies cannot prevent their drivers from joining a union and collectively bargaining for better working conditions, said Mike Robinson, one of the drivers who filed the lawsuit challenging Proposition 22.
“Our right to associate and bargain collectively opens a clear path for drivers and delivery workers to hold giant corporations accountable,” he said. “But make no mistake, we continue to believe that Proposition 22 – as a whole – is an unconstitutional assault on our fundamental rights.”
In 2019, the California Legislature passed a law that changed the rules about who is an employee and who is an independent contractor. This is an important distinction for companies because employees are subject to a wide range of labor laws that guarantee them certain benefits, while independent contractors do not.
While the law applies to many industries, it has had the biggest impact on app-based ride-hailing and delivery companies. Their business is based on contracting people to use their own cars to transport passengers and make deliveries. Under the 2019 law, the companies would be required to treat these drivers as employees and provide certain benefits, significantly increasing their business costs.
In November 2020, voters agreed to exempt app-based ride-hailing and delivery companies from the 2019 law by approving the ballot measure. The measure included “alternative benefits” for drivers, including a guaranteed minimum wage and health insurance subsidies if they work an average of 25 hours a week. Companies like Uber, Lyft and DoorDash spent $200 million on the campaign to make sure it passed.
Three drivers and the Service Employees International Union sued, arguing that the ballot measure was illegal in part because it limited the power of the state Legislature to change the law or pass laws on workers’ compensation programs. In 2021, a state judge agreed with them and ruled that companies like Uber and Lyft were not exempt from the 2019 law.
On Monday, a state appeals court overturned that decision, allowing companies to continue treating their drivers as independent contractors.
The decision may not be final. The Service Employees International Union still has the option to appeal the decision to the California Supreme Court, which may decide to hear the case.
“We will consider all of these options as we decide how to ensure that the fight for these workers continues,” said Tia Orr, chief executive of SEIU California.
Most Frequently Asked Questions About Affiliate Marketing
There are many questions about how affiliate marketing works and what to do and not do when building a business, given how much uncertainty surrounds both the personal and business sides of affiliate marketing. In this post, we answer the most frequently asked questions about affiliate marketing.
1. What is affiliate marketing?
Affiliate marketing is a way to make money by promoting the products and services of other people and companies. You don’t need to create your own product or service, just promote existing ones. That’s why it’s so easy to get started with affiliate marketing. You can even start without a budget!
2. What is an affiliate program?
An affiliate program is a package of information that you create for your product that is then shared with potential publishers. The program usually includes detailed information about the product and its retail value, commission levels and promotional materials. Many affiliate programs are managed through an affiliate network such as ShareASale, which acts as a platform for publishers and advertisers to connect, but it is also possible to offer your program directly.
3. What is an affiliate network and how do affiliate networks make money?
Affiliate networks connect publishers with advertisers. Affiliate networks make money by charging a commission to merchants who advertise with them; these merchants are known as advertisers. The percentage of each sale that the advertiser pays is agreed between the seller and the affiliate network.
4. What is the difference between affiliate marketing and drop shipping?
Dropshipping is a selling method that allows you to run an online store without having to stock items. You advertise products as if you own them, but when someone places an order, you create a duplicate order with the distributor at a discounted price. The distributor takes care of packaging and shipping on your behalf. Affiliate marketing, by contrast, is based purely on referrals: the affiliate never takes the order or holds inventory, no money changes hands with the affiliate when a customer purchases through an affiliate link, and the merchant pays a commission afterwards.
5. Are affiliate marketing and performance marketing the same?
Performance marketing is a marketing method in which payment is tied to a measurable result, such as a sale being made or an ad being clicked. This may include methods such as PPC (pay per click) or display advertising. Affiliate marketing is a form of performance marketing in which commissions are paid to affiliates based on results: a visitor clicks their affiliate link and completes a purchase or action.
6. Can I promote affiliate offers on mobile devices?
Smartphones are essentially miniature computers, so publishers can display the same websites and offers that are available on a PC. But mobile phones also offer special tools not available on computers, and publishers can put these to good use. Publishers can optimise their ads for mobile users by making them accessible to this audience, and can also make good use of text and instant messaging to promote their offers. With mobile predicted to account for 80% of traffic in the future, publishers that don’t market on mobile are missing out on a big opportunity.
7. Where can I find qualified publishers?
The best way to find affiliate publishers is through reputable networks like ShareASale, CJ (Commission Junction), Awin and Impact Radius. These networks have a rigorous application and compliance process, which means that all affiliates are vetted.
8. What is an affiliate disclosure statement?
The Affiliate Disclosure Statement informs the reader that the website may contain affiliate links for which the publisher may be paid a commission if visitors click on those links and make a purchase.
9. Does social media activity play a significant role in affiliate marketing?
Publishers promote their programs in a variety of ways, including blogs, websites, email marketing, and pay-per-click advertising. Social networks have a huge interactive audience, which makes this platform a good source of potential traffic.
10. What is a super affiliate program?
A super affiliate is an affiliate who consistently generates the most sales in any program they promote compared to other affiliates in that program. Super affiliates can make a lot of money from affiliate marketing; Pat Flynn, for example, made over $50,000 in 2013 from affiliate marketing.
11. How do we track publisher sales?
Each publisher is identified by a publisher ID, which is embedded in tracking cookies to determine which publisher generated a sale. The activity can then be viewed in the network dashboard.
12. Can we create an affiliate program in several countries?
Thanks to the widespread use of the Internet, affiliate programs can be promoted in any country. Affiliate strategies rolled out internationally should be adapted to the language of the target country.
13. How can affiliate marketing help my business?
Affiliate marketing can help you grow your business in the following ways:
- It saves you time and money on marketing, freeing you up to focus on other aspects of your business.
- You get access to affiliate marketers who are motivated to help you succeed.
- It helps you promote your products by putting links and banners in front of new audiences.
- It offers a high ROI (return on investment) and is cost effective.
14. How to find quality publishers?
One of the best ways to work with qualified affiliates is to hire an affiliate marketing agency that works with all the networks. Affiliates are carefully selected and go through a rigorous application process to join a network.
15. How can we promote affiliate links?
Affiliate marketing is usually associated with websites, but there are other ways to promote your affiliate links, including:
- A website or blog
- Email marketing and newsletters
- Social networks such as Facebook, Instagram or Twitter
- Commenting on blogs or forums
- Writing an e-book or other digital product
16. Do I need to pay for registration in the affiliate program?
To build your affiliate marketing business, you don’t need to invest money at the beginning. You can register for free with any affiliate network and start promoting brands right away.
17. What is a commission?
Commission rates are usually based on a percentage of the total sale, and in some cases may also be a flat fee per transaction. The rates are set by the seller.
Who manages your affiliate program?
Some merchants manage their affiliate programs in-house, while others choose to outsource management to a network or an external agency.
18. What is a cookie?
Cookies are small pieces of data that web browsers store to remember information such as user preferences, login or registration details, and the contents of a shopping cart. When someone clicks on your affiliate link, a cookie is placed on the user’s computer or mobile device. This cookie records the link or ad that the visitor clicked on. Even if a user leaves the merchant’s site and comes back a week later to make a purchase, you will still receive credit for the sale and earn a commission, provided the purchase falls within the lifetime of the merchant’s cookie.
19. How long do cookies last?
The merchant determines the lifetime of the cookie, also known as the “cookie window”. The most common window for an affiliate program is 30 days: if someone clicks on your affiliate link, you earn a commission if they buy within 30 days of the click.
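Questions 11, 18 and 19 describe the mechanism, a publisher ID written into a cookie at click time and read back at purchase time within a 30-day window, without showing it. The following is an added example, not code from this post or from any affiliate network, of that attribution logic as a merchant might implement it server-side. Two details are added that a bare publisher ID in a cookie does not give you: an HMAC over the cookie body, so a forged publisher ID or a click timestamp pushed forward to stretch the window is rejected, and an explicit expiry check so a click older than the merchant's window earns nothing. The secret key, publisher IDs and timestamps are constructed for the example.

```python
"""Signed affiliate attribution cookie with a 30-day window (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Optional

COOKIE_WINDOW_SECONDS = 30 * 24 * 3600          # the 30-day window from the FAQ
# Constructed secret for this example; in practice load it from a KMS/secret store.
SECRET = b"example-merchant-secret-rotate-me"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())


def make_click_cookie(publisher_id: str, clicked_at: int) -> str:
    """Value to set in the tracking cookie when an affiliate link is clicked."""
    payload = json.dumps({"pub": publisher_id, "ts": clicked_at},
                         separators=(",", ":")).encode()
    return f"{_b64(payload)}.{_sign(payload)}"


def parse_click_cookie(cookie: str) -> Optional[dict]:
    """Verified payload, or None for a missing, malformed or tampered cookie."""
    try:
        body, sig = cookie.split(".", 1)
        payload = _unb64(body)
    except ValueError:                      # no '.', or bad base64 (binascii.Error)
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None                         # body and signature do not match
    data = json.loads(payload)
    if not isinstance(data.get("pub"), str) or not isinstance(data.get("ts"), int):
        return None
    return data


def attribute_sale(cookie: Optional[str], purchased_at: int) -> Optional[str]:
    """Publisher ID to credit for a purchase, or None if no commission is due."""
    if not cookie:
        return None
    data = parse_click_cookie(cookie)
    if data is None:
        return None
    age = purchased_at - data["ts"]
    if age < 0 or age > COOKIE_WINDOW_SECONDS:  # future click or outside the window
        return None
    return data["pub"]


if __name__ == "__main__":
    t0 = 1_700_000_000                        # constructed click time
    c = make_click_cookie("pub-123", t0)
    print("7 days later:", attribute_sale(c, t0 + 7 * 86400))
    print("31 days later:", attribute_sale(c, t0 + 31 * 86400))
```

The signature is what makes the publisher ID trustworthy at payout time; without it, anyone who can set a cookie in the buyer's browser (a rogue publisher's script, or "cookie stuffing" via a hidden iframe) can claim commission on sales they did not refer.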
Facebook parent company Meta lays off 10,000 more employees: NPR
Sasha Pfeiffer of NPR talks to Wall Street Journal reporter Sam Schechner about layoffs that will cut about 12% of Meta’s workforce. This round follows a previous cut of 11,000 jobs.
SASHA PFEIFFER, HOST:
Meta is planning a second round of layoffs. It is the parent company of Facebook, Instagram and WhatsApp. And yesterday another 10,000 job cuts were announced. This follows 11,000 layoffs at Meta last November. CEO Mark Zuckerberg said 2023 will be Meta’s “year of efficiency.” He also says the company will be, in his words, stronger and more agile. We are joined by Wall Street Journal tech reporter Sam Schechner. Sam, thanks for coming on.
SAM SCHECHNER: Nice to be here.
PFEIFFER: There are a lot of layoffs, but I want to make sure we put this in the overall context of how big Meta is. So tell us, how many employees does he have now? How much will be left when the layoffs are over?
SCHECHNER: Well, those are good questions. We know the numerator. We don’t necessarily know the denominator. At the end of the year, Meta had about 86,000 employees. The majority of those laid off – 11,000 last fall – were still receiving wages, the company said. So if we go from there and add it all together – you know, 21,000 people laid off – that could be almost a quarter of Meta’s workforce.
PFEIFFER: That’s a lot. And how important do you think it is in terms of the impact it has on the company?
SCHECHNER: Well, I mean, you can see it by the fact that people inside the company are worried. You know, Mark Zuckerberg sends a message to the staff and it’s 2,200 words. And, you know, there is some owning of his mistakes in this. But there is also his vision for a smaller, more agile company that he is trying to communicate. And actually, at some points in this memo, he talks about how he thinks this will happen, and make everything work more efficiently than before.
PFEIFFER: During the pandemic, Meta and many other tech companies have been hiring crazy. So do these layoffs essentially bring the Meta back to pre-pandemic levels, or do you see it go deeper? Any ideas?
SCHECHNER: Well, we’ll have to see where it ends up landing. But, you know, Mark Zuckerberg, what struck me about that memo is that he said that this is something that he thinks will continue for many years. This is the new economic reality. And I think that’s a real change in tone from the go-go days – at least in regards to tech company revenues during the pandemic, as you said, when Meta was counting – and many tech companies were counting – on a fundamental change in the way people work. And it really didn’t work. And now…
PFEIFFER: It may have been temporary.
SCHECHNER: It appears to have been, at least in some way, temporary. Even Meta has changed its stance on remote work to some extent and encouraged people to return to the office.
PFEIFFER: Interesting. You know, Zuckerberg said that things like layoffs were caused by things like rising interest rates, geopolitical tensions, new rules. Do you believe that, Sam, from your report? Do you believe in these reasons?
SCHECHNER: I think that this combination of factors certainly plays a role. And I think – you mentioned the rules. You know, Meta must comply with a growing number of new rules and regulations. You know, there are new rules coming into force in the European Union that will require major changes to how companies operate. There are changes they had to make because, as you know, Apple took privacy steps to turn off some of the data they were using, which also cut their income. So I think all of these things together are factors.
PFEIFFER: Yes, about these privacy settings – Apple has made a change that limits the amount of data that apps can collect. This appears to have hit Meta’s bottom line hard — about $10 billion in lost profits last year. So has Apple really hurt Meta a lot by tweaking the iPhone’s privacy settings?
SCHECHNER: I mean, Meta, as you know, went through a whole internal process to try and deal with these changes. This was a major problem for their advertising business. In later quarters, they said they started to see a path to recovery because they are using AI to make up for some of that lost data, to infer some targeting information that they can no longer collect from the phones of their users. You know, though, their revenue is down from last year in their last report.
PFEIFFER: Yes. One last general question, maybe 20 seconds or so – do you assume that other tech companies in the industry are now facing the same type of financial pressure Meta is talking about?
SCHECHNER: We’ve seen layoffs like this sweep through Silicon Valley. And I think, you know, we’ve seen one round in many big companies. Could we see more? I think there is definitely investor pressure, and the new reality is, you know, the era of free money for these Big Tech companies is over.
PFEIFFER: That’s Sam Schechner. He covers technology for The Wall Street Journal. Thank you.
SCHECHNER: Nice to be here.
(SOUNDBITE OF FATB AND DRYHOPE’S “UNRAVEL”)
NPR transcripts are produced on a tight schedule by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The official recording of NPR programs is an audio recording.