Microsoft has announced it will postpone the broadly available preview of the heavily discussed Recall feature for Copilot+ PCs. Copilot+ PCs are personal computers that come equipped with several artificial intelligence (AI) features.

The Recall feature tracks anything from web browsing to voice chats. The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them locally. The user would then be able to search the database for anything they’ve seen on their PC.

However, Recall received heavy criticism by security researchers and privacy advocates since it was announced last month. The ensuing discussion saw a lot of contradictory statements. For example, Microsoft claimed that Recall would be disabled by default, while the original documentation said otherwise.

Researchers demonstrated how easy it was to extract and search through Recall snapshots on a compromised system. While some may remark that the compromised system is the problem in that equation—and they are not wrong—Recall would potentially provide an attacker with a lot of information that normally would not be accessible. Basically, it would be a goldmine that spyware and information stealers could easily access and search.

In Microsoft’s own words:

“Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

Microsoft didn’t see the problem, with its vice chair and president, Brad Smith even using Recall as an example to demonstrate how Microsoft is secure during the Committee Hearing: A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.

But now things have changed, and Recall will now only be available for participants in the Windows Insider Program (WIP) in the coming weeks, instead of being rolled out to all Copilot+ PC users on June 18 as originally planned.

Another security measure taken only as an afterthought was that users will now have to log into Windows Hello in order to activate Recall and to view your screenshot timeline.

In its blog, Microsoft indicates it will act on the feedback it expects to receive from WIP users.

“This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users.”

Our hope is that the WIP community will convince Microsoft to abandon the whole Recall idea. If not, we will make sure to let you know how you can disable it or use it more securely if you wish to do so.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Developing an AI-powered threat to security, privacy, and identity is certainly a choice, but it’s one that Microsoft was willing to make this week at its “Build” developer conference.

On Monday, the computing giant unveiled a new line of PCs that integrate Artificial Intelligence (AI) technology to promise faster speeds, enhanced productivity, and a powerful data collection and search tool that screenshots a device’s activity—including password entry—every few seconds.

This is “Recall,” a much-advertised feature within what Microsoft is calling its “Copilot+ PCs,” a reference to the AI assistant and companion which the company released in late 2023. With Recall on the new Copilot+ PCs, users no longer need to manage and remember their own browsing and chat activity. Instead, by regularly taking and storing screenshots of a user’s activity, the Copilot+ PCs can comb through that visual data to deliver answers to natural language questions, such as “Find the site with the white sneakers,” and “blue pantsuit with a sequin lace from abuelita.”

As any regularly updated repository of device activity poses an enormous security threat—imagine hackers getting access to a Recall database and looking for, say, Social Security Numbers, bank account info, and addresses—Microsoft has said that all Recall screenshots are encrypted and stored locally on a device.

But, in terms of security, that’s about all users will get, as Recall will not detect and obscure passwords, shy away from recording pornographic material, or turn a blind eye to sensitive information.

According to Microsoft:

“Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

The consequences of such a system could be enormous.

With Recall, a CEO’s personal laptop could become an even more enticing target for hackers equipped with infostealers, a journalist’s protected sources could be within closer grasp of an oppressive government that isn’t afraid to target dissidents with malware, and entire identities could be abused and impersonated by a separate device user.

In fact, Recall seems to only work best in a one-device-per-person world. Though Microsoft explained that its Copilot+ PCs will only record Recall snapshots to specific device accounts, plenty of people share devices and accounts. For the domestic abuse survivor who is forced to share an account with their abuser, for the victim of theft who—like many people—used a weak device passcode that can easily be cracked, and for the teenager who questions their identity on the family computer, Recall could be more of a burden than a benefit.

For Malwarebytes General Manager of Consumer Business Unit Mark Beare, Recall raises yet another issue:

“I worry that we are heading to a social media 2.0 like world.”

When users first raced to upload massive quantities of sensitive, personal data onto social media platforms more than 10 years ago, they couldn’t predict how that data would be scrutinized in the future, or how it would be scoured and weaponized by cybercriminals, Beare said.

“With AI there will be a strong pull to put your full self into a model (so it knows you),” Beare said. “I don’t think it’s easy to understand all the negative aspects of what can happen from doing that and how bad actors can benefit.”

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities in several products:

• Adobe Experience Manager
• Adobe Premiere Pro
• Adobe ColdFusion
• Adobe Bridge
• Adobe Lightroom
• Adobe Animate

The Android Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

SAP has released its March 2024 Patch Day updates.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.