Microsoft

FSF Urges Moving Off Microsoft's GitHub to Protest Windows 11's Requiring TPM 2.0 (fsf.org) 152

TPM is a dedicated chip or firmware enabling hardware-level security, housing encryption keys, certificates, passwords, and sensitive data, "and shielding them from unauthorized access," Microsoft senior product manager Steven Hosking wrote last month, declaring TPM 2.0 to be "a non-negotiable standard for the future of Windows."

Or, as BleepingComputer put it, Microsoft "made it abundantly clear... that Windows 10 users won't be able to upgrade to Windows 11 unless their systems come with TPM 2.0 support." (This despite the fact that Statcounter Global data "shows that more than 61% of all Windows systems worldwide still run Windows 10.") They add that Microsoft "announced on October 31 that Windows 10 home users will be able to delay the switch to Windows 11 for one more year if they're willing to pay $30 for Extended Security Updates."

But last week the Free Software Foundation's campaigns manager delivered a message on the FSF's official blog: "Keep putting pressure on Microsoft." Grassroots organization against a corporation as large as Microsoft is never easy. They have the advertising budget to claim that they "love Linux" (sic), not to mention the money and political willpower to corral free software developers from around the world on their nonfree platform Microsoft GitHub. This year's International Day Against DRM took aim at one specific injustice: their requiring a hardware TPM module for users being forced to "upgrade" to Windows 11. As Windows 10 will soon stop receiving security updates, this is a (Microsoft-manufactured) problem for users still on this operating system. Normally, offloading cryptography to a different hardware module could be seen as a good thing — but with nonfree software, it can only spell trouble for the user...

What's crucial now is to keep putting pressure on Microsoft, whether that's through switching to GNU/Linux, avoiding new releases of their software, or actions as simple as moving your projects off of Microsoft GitHub. If you're concerned about e-waste or have friends who work to combat climate change, getting them together to tell them about free software is the perfect way to help our movement grow, and free a few more users from Microsoft's digital restrictions.

AI

Dire Predictions for 2025 Include 'Largest Cyberattack in History' (politico.com) 98

Politico asked an "array of thinkers — futurists, scientists, foreign policy analysts and others — to lay out some of the possible 'Black Swan' events that could await us in the new year: What are the unpredictable, unlikely episodes that aren't yet on the radar but would completely upend American life as we know it?"

Here's one from Gary Marcus, a cognitive scientist and author of the book Taming Silicon Valley: How We Can Ensure That AI Works For Us: 2025 could easily see the largest cyberattack in history, taking down, at least for a little while, some sizeable piece of the world's infrastructure, whether for deliberate ransom or to manipulate people to make money off a short on global markets. Cybercrime is already a huge, multi-trillion dollar problem, and one that most victims don't like to talk about. It is said to be bigger than the entire global drug trade. Four things could make it much worse in 2025.

First, generative AI, rising in popularity and declining in price, is a perfect tool for cyberattackers. Although it is unreliable and prone to hallucinations, it is terrific at making plausible sounding text (e.g., phishing attacks to trick people into revealing credentials) and deepfaked videos at virtually zero cost, allowing attackers to broaden their attacks. Already, a cybercrew bilked a Hong Kong bank out of $25 million. Second, large language models are notoriously susceptible to jailbreaking and things like "prompt-injection attacks," for which no known solution exists. Third, generative AI tools are increasingly being used to create code; in some cases those coders don't fully understand the code written, and the autogenerated code has already been shown in some cases to introduce new security holes.

And finally, 2025 may see a U.S. government "determined to deregulate as much as possible, slashing costs," Marcus speculates, a scenario where "enforcement and investigations will almost certainly decline in both quality and quantity, leaving the world quite vulnerable to ever more audacious attacks."

Elsewhere in Politico's article there are other, even less cheery, predictions for 2025. The executive director of an advocacy group for public health professionals describes the possibility of an epidemic "that we had the tools to control" which "winds up killing thousands" (while also "sending the economy back into a Covid-like downward spiral.")

And a law professor predicts 2025 will see a decisive breakthrough in quantum computing. "Those little padlocks you see beside URLs? They would, overnight, become a fiction."
Government

US Sanctions Chinese Firm Linked to Seized Botnet (msn.com) 6

Remember that massive botnet run by Chinese government hackers? Flax Typhoon "compromised computer networks in North America, Europe, Africa, and across Asia, with a particular focus on Taiwan," according to the U.S. Treasury Department. (The group's botnet, seized this autumn, affected "at least 260,000 internet-connected devices," reports the Washington Post, "roughly half of which were located in the United States.")

On Friday, America's Treasury Department sanctioned "a Beijing-based cybersecurity company for its role in multiple computer intrusion incidents against U.S. victims..." according to an announcement from the department's Office of Foreign Assets Control. "Between summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Tech during their computer network exploitation activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Tech infrastructure."

From the Washington Post: The group behind the attacks was active since at least 2021, but U.S. authorities only managed to wrest control of the devices from the hackers in September, after the FBI won a court order that allowed the agency to send commands to the infected devices...

Treasury's designation follows sanctions announced last month on Sichuan Silence Information Technology Company, in which U.S. officials accused the company of exploiting technology flaws to install malware in more than 80,000 firewalls, including those protecting U.S. critical infrastructure. The new sanctions on Beijing Integrity Technology are notable due to the company's public profile and outsize role in servicing China's police and intelligence services via state-run hacking competitions. The company, which is listed in Shanghai and has a market capitalization of more than $327 million, plays a central role in providing state agencies "cyber ranges" — technology that allows them to simulate cyberattacks and defenses...

In September, FBI Director Christopher A. Wray said the Flax Typhoon attack successfully infiltrated universities, media organizations, corporations and government agencies, and in some cases caused significant financial losses as groups raced to replace the infected hardware. He said at the time that the operation to shut down the network was "one round in a much longer fight...." A 2024 assessment by the Office of the Director of National Intelligence said China is the most "active and persistent" cyberthreat and that actors under Beijing's direction have made efforts to breach U.S. critical infrastructure with the intention of lying in wait to be able to launch attacks in the event of major conflict.

"The Treasury sanctions bar Beijing Integrity Technology from access to U.S. financial systems and freeze any assets the company might hold in the United States," according to the article, "but the moves are unlikely to have a significant effect on the company," (according to Dakota Cary, a fellow at the Atlantic Council who has studied the company's role in state-sponsored hacking).
Privacy

Online Gift Card Store Exposed Hundreds of Thousands of People's Identity Documents (techcrunch.com) 15

An anonymous reader quotes a report from TechCrunch: A U.S. online gift card store has secured an online storage server that was publicly exposing hundreds of thousands of customer government-issued identity documents to the internet. A security researcher, who goes by the online handle JayeLTee, found the publicly exposed storage server late last year containing driving licenses, passports, and other identity documents belonging to MyGiftCardSupply, a company that sells digital gift cards for customers to redeem at popular brands and online services.

MyGiftCardSupply's website says it requires customers to upload a copy of their identity documents as part of its compliance efforts with U.S. anti-money laundering rules, often known as "know your customer" checks, or KYC. But the storage server containing the files had no password, allowing anyone on the internet to access the data stored inside. JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher's email about the exposed data. [...]

According to JayeLTee, the exposed data -- hosted on Microsoft's Azure cloud -- contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. It's not uncommon for companies subject to KYC checks to ask their customers to take a selfie while holding a copy of their identity documents to verify that the customer is who they say they are, and to weed out forgeries.
MyGiftCardSupply founder Sam Gastro told TechCrunch: "The files are now secure, and we are doing a full audit of the KYC verification procedure. Going forward, we are going to delete the files promptly after doing the identity verification." It's not known how long the data was exposed or if the company would commit to notifying affected individuals.
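The exposure above is the classic "container with no password" misconfiguration, and it is the kind of thing an inventory sweep catches before a researcher does. The script below is an added example, not code from TechCrunch, JayeLTee or MyGiftCardSupply. It reads the JSON that the Azure CLI commands `az storage account show` and `az storage container list` emit and flags every container that would serve blobs to an unauthenticated caller; the field names it relies on (`allowBlobPublicAccess`, `properties.publicAccess`) are the CLI output as this editor understands it, and the account and container records embedded below are constructed, not real.

```python
"""Audit Azure Storage inventory for anonymously readable blob containers.

Added example, not code from the page. Input is the JSON from
`az storage account show` and `az storage container list`; output is one
finding per container reachable without a key, SAS token or Entra ID
identity. Field names follow the Azure CLI as this editor understands it;
the records below are constructed stand-ins.
"""
from __future__ import annotations
import json

# Constructed stand-in for `az storage account show --name kycuploads`.
ACCOUNT_JSON = json.dumps({
    "name": "kycuploads",
    "allowBlobPublicAccess": True,   # account-wide switch left on
    "minimumTlsVersion": "TLS1_2",
})

# Constructed stand-in for `az storage container list --account-name kycuploads`.
CONTAINERS_JSON = json.dumps([
    {"name": "id-documents", "properties": {"publicAccess": "blob"}},
    {"name": "selfies",      "properties": {"publicAccess": "container"}},
    {"name": "invoices",     "properties": {"publicAccess": None}},
])


def public_containers(account_json: str, containers_json: str) -> list[dict]:
    """Return one finding per container that is readable without credentials.

    publicAccess == "blob":      anyone who knows a blob URL can read it.
    publicAccess == "container": anyone can list the container AND read every blob.
    None:                        access requires a key, SAS or Entra ID identity.
    An explicit allowBlobPublicAccess == False on the account overrides all of
    these, so nothing is reported for such an account. A null value is treated
    as permissive, because on older accounts it meant "allowed" (assumption).
    """
    account = json.loads(account_json)
    containers = json.loads(containers_json)
    if account.get("allowBlobPublicAccess") is False:
        return []
    findings = []
    for c in containers:
        level = (c.get("properties") or {}).get("publicAccess")
        if level in ("blob", "container"):
            findings.append({
                "account": account["name"],
                "container": c["name"],
                "level": level,
                "listable": level == "container",
            })
    return findings


def remediation_commands(findings: list[dict]) -> list[str]:
    """Azure CLI commands that close each finding, then the account-wide switch."""
    cmds = [
        f"az storage container set-permission --account-name {f['account']} "
        f"--name {f['container']} --public-access off"
        for f in findings
    ]
    for acct in sorted({f["account"] for f in findings}):
        cmds.append(f"az storage account update --name {acct} "
                    f"--allow-blob-public-access false")
    return cmds


if __name__ == "__main__":
    found = public_containers(ACCOUNT_JSON, CONTAINERS_JSON)
    for f in found:
        note = " (listable)" if f["listable"] else ""
        print(f"{f['account']}/{f['container']}: publicAccess={f['level']}{note}")
    print("\n".join(remediation_commands(found)))
```

Run it against the real CLI output by piping `az storage container list --account-name <acct> -o json` into a file and swapping it for the constructed JSON. The account-level `--allow-blob-public-access false` is the setting worth enforcing by policy, since it makes every per-container `publicAccess` value irrelevant regardless of what a later deployment sets.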
Programming

New System Auto-Converts C To Memory-Safe Rust, But There's a Catch 75

Researchers from Inria and Microsoft have developed a system to automatically convert specific types of C programming code into memory-safe Rust code, addressing growing cybersecurity concerns about memory vulnerabilities in software systems.

The technique, detailed in a new paper, requires programmers to use a restricted version of C called "Mini-C" that excludes features like pointer arithmetic. The researchers successfully tested their conversion system on two major code libraries, including the 80,000-line HACL* cryptographic library. Parts of the converted code have already been integrated into Mozilla's NSS and OpenSSH security systems, according to the researchers. Memory safety errors accounted for 76% of Android vulnerabilities in 2019.
Windows

With 10 Months of Support Remaining, Windows 10 Still Dominates (theregister.com) 164

Despite Microsoft's push for Windows 11, Windows 10 continues to dominate the desktop OS market, rising to 62.7% market share in December 2024. The Register reports: Figures for December 2024 from Statcounter -- used because Microsoft rarely shares usage data unless it has something to boast about -- confirm Windows 10's market share has inched up to 62.7 percent compared to the previous month while Windows 11's share fell back to 34.12 percent (from 34.94 percent in November 2024). Even though Windows 11's percentage of the pie is still bigger than it was this time last year (when Statcounter pegged it at 26.54 percent), the fact the new OS is still nowhere near to overtaking Windows 10 may alarm some Microsoft executives. [...]

Canalys analyst Kieren Jessop noted that when looking at the more than 230 countries and regions tracked by Statcounter, Windows 10 share had actually only increased in just under a quarter of them, but that increase made an outsized impact. Jessop cited the example of the US, where Windows 10 market share had gone from 58 percent in October 2024 to 67 percent in December. [...] Many editions of Windows 10 are due to drop out of free support on October 14, 2025. Affected users will then have the option to purchase Extended Security Updates (ESU) to keep the lights on a little longer or keep using the operating system and risk falling foul of unpatched vulnerabilities.
Further reading: Ex-Microsoft Designer Reveals Windows 11's Dynamic Wallpapers That May Have Been Shelved
Chrome

Hackers Target Dozens of VPN, AI Extensions For Google Chrome To Compromise Data 12

An anonymous reader quotes a report from The Record: Cybersecurity researchers have uncovered dozens of attacks that involve malicious updates for Chrome browser extensions, one week after a security firm was compromised in a similar incident. As of Wednesday, a total of 36 Chrome extensions injected with data-stealing code have been detected, mostly related to artificial intelligence (AI) tools and virtual private networks (VPNs), according to a report by ExtensionTotal, a platform that analyzes extensions listed on various marketplaces and public registries. These extensions, collectively used by roughly 2.6 million people, include third-party tools such as ChatGPT for Google Meet, Bard AI Chat, YesCaptcha Assistant, VPNCity and Internxt VPN. Some of the affected companies have already addressed the issue by removing the compromised extensions from the store or updating them, according to ExtensionTotal's analysis. [...]

It remains unclear whether all the compromised extensions are linked to the same threat actor. Security researchers warn that browser extensions "shouldn't be treated lightly," as they have deep access to browser data, including authenticated sessions and sensitive information. Extensions are also easy to update and often not subjected to the same scrutiny as traditional software. ExtensionTotal recommends that organizations use only pre-approved versions of extensions and ensure they remain unchanged and protected from malicious automatic updates. "Even when we trust the developer of an extension, it's crucial to remember that every version could be entirely different from the previous one," researchers said. "If the extension developer is compromised, the users are effectively compromised as well -- almost instantly."
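The practical version of "every version could be entirely different from the previous one" is to diff the update's manifest against the version you approved before letting it roll out. The script below is an added example, not ExtensionTotal's tooling or any vendor's code: it compares two Chrome `manifest.json` documents and reports capability growth (new permissions, broader host access, content scripts injected everywhere, a changed `externally_connectable` block) that would let a hijacked update read authenticated sessions. Both manifests describe a hypothetical "Example VPN" extension and are constructed for the example; the lists of high-risk permissions and broad host patterns are this editor's judgement, not a Google list.

```python
"""Flag risky changes between an approved extension manifest and an update.

Added example, not ExtensionTotal's tooling or any extension vendor's code.
Compares two Chrome manifest.json documents (approved vs. candidate update)
and reports capability widening. Manifests are constructed for a
hypothetical extension; the risk lists are this example's own judgement.
"""
from __future__ import annotations
import json

# Permissions that give an extension reach into other sites' data or traffic.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "tabs", "history", "clipboardRead", "debugger", "proxy",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

APPROVED = json.dumps({   # constructed: the version the organisation reviewed
    "manifest_version": 3, "name": "Example VPN", "version": "1.2.0",
    "permissions": ["storage", "proxy"],
    "host_permissions": ["https://api.example-vpn.test/*"],
    "background": {"service_worker": "bg.js"},
})
UPDATE = json.dumps({     # constructed: a hijacked update under the same name
    "manifest_version": 3, "name": "Example VPN", "version": "1.3.0",
    "permissions": ["storage", "proxy", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "externally_connectable": {"matches": ["https://*.example-c2.test/*"]},
})


def _content_script_hosts(manifest: dict) -> set[str]:
    """Every match pattern any content script in the manifest is injected into."""
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}


def manifest_diff(approved_json: str, update_json: str) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for capability changes in the update.

    Only additions are reported: an update that drops permissions is not a
    reason to block it, but any widening should be re-reviewed before the
    new version is allowed to reach users.
    """
    old, new = json.loads(approved_json), json.loads(update_json)
    findings: list[tuple[str, str]] = []

    for p in sorted(set(new.get("permissions", [])) - set(old.get("permissions", []))):
        findings.append(("high" if p in HIGH_RISK_PERMISSIONS else "medium",
                         f"new permission: {p}"))

    for h in sorted(set(new.get("host_permissions", [])) - set(old.get("host_permissions", []))):
        findings.append(("high" if h in BROAD_HOSTS else "medium",
                         f"new host permission: {h}"))

    for h in sorted(_content_script_hosts(new) - _content_script_hosts(old)):
        findings.append(("high" if h in BROAD_HOSTS else "medium",
                         f"content script now injected into: {h}"))

    if new.get("externally_connectable") != old.get("externally_connectable"):
        findings.append(("high", "externally_connectable changed: "
                         f"{new.get('externally_connectable')}"))

    old_bg = json.dumps(old.get("background"), sort_keys=True)
    new_bg = json.dumps(new.get("background"), sort_keys=True)
    if old_bg != new_bg:
        findings.append(("medium", f"background entry point changed: {new_bg}"))

    if new.get("manifest_version") != old.get("manifest_version"):
        findings.append(("medium", "manifest_version changed"))
    return findings


def should_block(findings: list[tuple[str, str]]) -> bool:
    """Policy: any high-severity widening holds the update for manual review."""
    return any(sev == "high" for sev, _ in findings)


if __name__ == "__main__":
    diff = manifest_diff(APPROVED, UPDATE)
    for sev, msg in diff:
        print(f"[{sev}] {msg}")
    print("BLOCK" if should_block(diff) else "ALLOW")
```

A manifest diff only sees declared capabilities; a compromised update that already held broad permissions can add data-stealing code without touching the manifest. That is why the recommendation above pairs this kind of review with pinning approved versions, so that the update itself cannot land unreviewed.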
United States

US Considers Potential Rules To Restrict or Bar Chinese Drones (reuters.com) 72

The U.S. Commerce Department said on Thursday it is considering new rules that would restrict or ban Chinese drones in the United States, citing national security concerns. From a report: The department said it was seeking public comments by March 4 on potential rules to safeguard the supply chain for drones, saying threats from China and Russia "may offer our adversaries the ability to remotely access and manipulate these devices, exposing sensitive U.S. data."

China accounts for the vast majority of U.S. commercial drone sales. In September, Commerce Secretary Gina Raimondo said the department could impose restrictions similar to those that would effectively ban Chinese vehicles from the United States and the focus will be on drones with Chinese and Russian equipment, chips and software. She told Reuters in November she hopes to finalize the rules on Chinese vehicles by Jan. 20. A decision to write new rules restricting or banning Chinese drones will be made by the administration of President-elect Donald Trump, who takes over on Jan. 20.

United States

New York Retires Iconic Subway Cars 24

The Metropolitan Transportation Authority has announced plans to retire its iconic R46 subway cars, triggering nostalgia among New Yorkers who cherished their distinctive seating arrangement. The fleet -- which has served A, C, N, R, Q, and W lines for five decades -- will be replaced by R211 cars expected for delivery in 2027.

The R46's perpendicular seating configuration, designed for comfort during long trips to destinations like Coney Island, encouraged social interaction among passengers, according to New York Transit Museum director Concetta Bencivenga. The new R211 cars will feature longitudinal seating to improve passenger flow and reduce platform waiting times. Currently, 696 of the original 754 R46 cars remain in service. The replacement R211 cars will include security cameras, wider seats, improved signage, and better lighting.
Crime

US Army Soldier Arrested In AT&T, Verizon Extortions (krebsonsecurity.com) 10

An anonymous reader quotes a report from KrebsOnSecurity: Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea. Cameron John Wagenius was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records. The sparse, two-page indictment (PDF) doesn't reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius' mother -- Minnesota native Alicia Roen -- filled in the gaps.

Roen said that prior to her son's arrest he'd acknowledged being associated with Connor Riley Moucka, a.k.a. "Judische," a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data at the cloud service Snowflake. In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he'd stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon. On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphant0m indicating he was a U.S. Army soldier stationed in South Korea.

[...] Immediately after news broke of Moucka's arrest, Kiberphant0m posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris. [...] On that same day, Kiberphant0m posted what they claimed was the "data schema" from the U.S. National Security Agency. On Nov. 5, Kiberphant0m offered call logs stolen from Verizon's push-to-talk (PTT) customers -- mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a "SIM-swapping" service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target's phone calls and text messages to a device they control.

Businesses

Over 3.1 Million Fake 'Stars' on GitHub Projects Used To Boost Rankings (bleepingcomputer.com) 23

Researchers have uncovered widespread manipulation of GitHub's star-rating system, with over 3.1 million fraudulent stars identified across 15,835 repositories, according to a new study by Socket, Carnegie Mellon University, and North Carolina State University.

The research team analyzed 20TB of data from GHArchive, spanning 6 billion GitHub events from 2019 to 2024, using their "StarScout" detection tool. The tool identified 278,000 accounts engaging in coordinated inauthentic behavior to artificially boost repository rankings.

GitHub uses stars, similar to social media likes, to rank projects and recommend content to users. The platform has previously encountered malicious exploitation of this system, including the "Stargazers Ghost Network" malware operation discovered last summer. Approximately 91% of flagged repositories and 62% of suspicious accounts were removed by October 2024.
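The signal StarScout works from is visible in the raw event stream: a repository picks up a burst of stars inside a short window, the starring accounts have almost no other activity, and the same accounts show up in bursts on other repositories. The script below is an added example, not the StarScout tool from the study, applying that idea to a handful of constructed records shaped like GHArchive's `WatchEvent` (a star) and `PushEvent` rows. The window, burst size and "throwaway account" thresholds are this editor's choices for the example, not the study's parameters.

```python
"""Spot coordinated star bursts in a GHArchive-style event stream.

Added example, not the StarScout tool from the study. Looks for clusters of
low-activity accounts starring the same repositories in a short window.
Events below are constructed; thresholds are this example's own choices.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)   # burst window
MIN_BURST = 5                  # stars inside one window to count as a burst
MAX_OTHER_EVENTS = 1           # a throwaway actor has at most this many non-star events
MIN_THROWAWAY_SHARE = 0.8      # share of burst stars that must come from throwaway actors


def _ts(s: str) -> datetime:
    """Parse GHArchive's created_at format (UTC, 'Z' suffix)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed events. b1..b6 are bought accounts: they star two repos within
# hours of each other and do nothing else. u1..u3 are organic: they push code
# and star slowly over weeks.
EVENTS = [
    *[{"type": "WatchEvent", "actor": f"b{i}", "repo": "acme/hot-tool",
       "created_at": f"2024-03-01T10:{i:02d}:00Z"} for i in range(1, 7)],
    *[{"type": "WatchEvent", "actor": f"b{i}", "repo": "acme/other-tool",
       "created_at": f"2024-03-01T12:{i:02d}:00Z"} for i in range(1, 6)],
    {"type": "WatchEvent", "actor": "u1", "repo": "core/lib", "created_at": "2024-02-01T09:00:00Z"},
    {"type": "WatchEvent", "actor": "u2", "repo": "core/lib", "created_at": "2024-02-09T09:00:00Z"},
    {"type": "WatchEvent", "actor": "u3", "repo": "core/lib", "created_at": "2024-02-20T09:00:00Z"},
    {"type": "WatchEvent", "actor": "u1", "repo": "acme/hot-tool", "created_at": "2024-03-01T11:00:00Z"},
    *[{"type": "PushEvent", "actor": f"u{i}", "repo": f"u{i}/project",
       "created_at": f"2024-02-{day}T08:00:00Z"} for i in range(1, 4) for day in ("15", "16")],
]


def throwaway_actors(events: list[dict]) -> set[str]:
    """Actors whose footprint is (almost) nothing but starring."""
    other = defaultdict(int)
    seen = set()
    for e in events:
        seen.add(e["actor"])
        if e["type"] != "WatchEvent":
            other[e["actor"]] += 1
    return {a for a in seen if other[a] <= MAX_OTHER_EVENTS}


def star_bursts(events: list[dict]) -> dict[str, set[str]]:
    """Map each suspicious repo to the throwaway actors that starred it in a burst."""
    cheap = throwaway_actors(events)
    stars = defaultdict(list)
    for e in events:
        if e["type"] == "WatchEvent":
            stars[e["repo"]].append((_ts(e["created_at"]), e["actor"]))
    flagged: dict[str, set[str]] = {}
    for repo, lst in stars.items():
        lst.sort()
        lo = 0
        for hi in range(len(lst)):          # sliding window over sorted star times
            while lst[hi][0] - lst[lo][0] > WINDOW:
                lo += 1
            window = lst[lo:hi + 1]
            if len(window) < MIN_BURST:
                continue
            suspects = {a for _, a in window if a in cheap}
            if len(suspects) / len(window) >= MIN_THROWAWAY_SHARE:
                flagged.setdefault(repo, set()).update(suspects)
    return flagged


def coordinated_accounts(flagged: dict[str, set[str]], min_repos: int = 2) -> set[str]:
    """Throwaway actors that appear in bursts on at least min_repos repositories."""
    count = defaultdict(int)
    for actors in flagged.values():
        for a in actors:
            count[a] += 1
    return {a for a, n in count.items() if n >= min_repos}


if __name__ == "__main__":
    flagged = star_bursts(EVENTS)
    for repo, actors in sorted(flagged.items()):
        print(f"{repo}: burst of {len(actors)} throwaway stargazers")
    print("accounts active in more than one burst:", sorted(coordinated_accounts(flagged)))
```

On real GHArchive data the same loop runs over the hourly JSON dumps; the cross-repository step is what separates a legitimately viral project (many new stars, but from accounts with their own history) from a purchased campaign, where the same thin accounts reappear on unrelated repositories.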
Social Networks

Trump Urges Supreme Court To Delay TikTok Ban (bbc.com) 119

President-elect Donald Trump has asked the Supreme Court to delay the upcoming TikTok ban while he works on a "political resolution." In a legal brief (PDF) on Friday, his lawyer said Trump "opposes banning TikTok" and "seeks the ability to resolve the issues at hand through political means once he takes office." The BBC reports: Trump had met with TikTok's CEO, Shou Zi Chew, at his Mar-a-Lago estate in Florida last week. In his court filing on Friday, Trump said the case represents "an unprecedented, novel, and difficult tension between free-speech rights on one side, and foreign policy and national security concerns on the other." While the filing said that Trump "takes no position on the underlying merits of this dispute", it added that pushing back the 19 January deadline would grant Trump "the opportunity to pursue a political resolution" to the matter without having to resort to the court. [...]

Trump has publicly said he opposes the ban, despite supporting one in his first term as president. "I have a warm spot in my heart for TikTok, because I won youth by 34 points," he claimed at a press conference earlier in December, although a majority of young voters backed his opponent, Kamala Harris. "There are those that say that TikTok has something to do with that," he added.
Earlier this month, TikTok asked the Supreme Court to block the ban, saying that the law violates both its First Amendment rights and those of its 170 million American users.
Government

US Treasury Says Chinese Hackers Stole Documents In 'Major Incident' (reuters.com) 34

An anonymous reader quotes a report from Reuters: Chinese state-sponsored hackers broke into the U.S. Treasury Department earlier this month and stole documents from its workstations, according to a letter to lawmakers that was provided to Reuters on Monday. The hackers compromised a third-party cybersecurity service provider and were able to access unclassified documents, the letter said, calling it a "major incident."

According to the letter, hackers "gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users." After being alerted by cybersecurity provider BeyondTrust, the Treasury Department said it was working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to assess the hack's impact.
Developing...
Government

Millions of US Seniors Still Owe Student Loan Debt (msn.com) 177

Valerie Warner is 71 years old — and owes $268,000 in student loans.

Roughly 40 years ago she went to law school, but was only able to find work as a legal aide and later in the public school system, which the Washington Post calls "a rewarding job but one that didn't pay enough to wipe out her loans." Later she earned a master's degree in education: All told, Warner borrowed a total of about $60,000 for her two advanced degrees. The amount seemed reasonable given the career trajectory that both credentials promised, but that path never materialized. Working a series of low-wage jobs, she went in and out of forbearance before ultimately defaulting. The balance ballooned to the current $268,000 total over the years due to collection fees and interest capitalization.
And she's not the only one in debt. "On a dreary December afternoon, a group of senior citizens stood in the rain outside the Education Department pleading for relief from a debt that many fear will burden them for the rest of their lives..." Some sat in rocking chairs, cross-stitching their debt number in a pattern. Others held signs that read, "Time is running out, sunset our debt." Or wore T-shirts saying, "Debt relief before we die...."

[A]ctivists are urging the U.S. Education Department to discharge the student debt of older borrowers who they say are in no position to repay. They say the department could use a little-known federal statute that considers a person's ability to pay within a reasonable time and the inability of the government to collect the debt in full. There are 2.8 million federal student loan borrowers aged 62 and older with a total of $121.5 billion in debt, more than 726,300 of them over the age of 71, according to the Education Department. Older borrowers are one of the fastest-growing segments of the government's student loan portfolio, and their Social Security benefits are subject to garnishment...

The Education Department would only acknowledge receiving a memo from the Debt Collective, the group organizing the campaign, outlining the agency's authority to cancel the debt of older borrowers. The activist organization said it has been meeting with members of Congress, White House committees and Education Department officials about the matter since September. "Many of these folks have been borrowers for 20 or 30 years, with punishingly high interest rates. Their balances and the way they have dragged on for decades is just an indictment of the broken system and the failure of past relief efforts," said Eleni Schirmer, an organizer with the Debt Collective... According to the think tank New America, the number of Americans approaching retirement age with student loan debt has skyrocketed over 500 percent in the last two decades. Some have loans they took out to finance their college educations, while others took out federal Parent Plus loans or co-signed private loans for their children.

The article points out that the U.S. government will garnish up to 15 percent of the Social Security income to recoup student loan debt, even if it means leaving recipients below the poverty line.

But it also includes this quote from Adam Minsky, an attorney who specializes in student debt, about the prospects for federal action that survives challenges in the U.S. court system. "[A]s a practical matter, I don't think that judges and courts that have been hostile to mass debt relief would treat this differently from other programs that have been blocked or struck down."
Privacy

Massive VW Data Leak Exposed 800,000 EV Owners' Movements (carscoops.com) 69

A new report reveals that the VW Group left sensitive data for 800,000 electric vehicles from Audi, VW, Seat, and Skoda poorly secured on an Amazon cloud, exposing precise GPS locations, battery statuses, and user habits for months. Carscoops reports: It gets worse. A more tech-savvy user could reportedly connect vehicles to their owners' personal credentials, thanks to additional data accessible through VW Group's online services. Crucially, in 466,000 of the 800,000 cases, the location data was so precise that anyone with access could create a detailed profile of each owner's daily habits. As reported by Spiegel, the massive list of affected owners isn't just a who's-who of regular folks. It includes German politicians, entrepreneurs, Hamburg police officers (the entire EV fleet, no less), and even suspected intelligence service employees. Yes, even spies may have been caught up in this digital debacle.

This glaring error originated from Cariad, a VW Group company that focuses on software, due to an error that occurred in the summer of 2024. An anonymous whistleblower used freely accessible software to dig up the sensitive information and promptly alerted Chaos Computer Club (CCC), Europe's largest hacker association. CCC wasted no time contacting Lower Saxony's State Data Protection Officer, the Federal Ministry of the Interior, and other security bodies. They also gave VW Group and Cariad 30 days to address the issue before going public. According to CCC, Cariad's technical team "responded quickly, thoroughly and responsibly," blocking unauthorized access to its customers' data.

The Military

Missiles Are Now the Biggest Killer of Airline Passengers (wsj.com) 79

Accidental missile attacks on commercial airliners have become the leading cause of aviation fatalities in recent years, driven by rising global conflicts and the proliferation of advanced antiaircraft weaponry. Despite improvements in aviation safety overall, inconsistent risk assessments, political complexities, and rapid military escalations make protecting civilian flights in conflict zones increasingly difficult. The Wall Street Journal reports: The crash Wednesday of an Azerbaijan Airlines jetliner in Kazakhstan, if officially confirmed as a midair attack, would be the third major fatal downing of a passenger jet linked to armed conflict since 2014, according to the Flight Safety Foundation's Aviation Safety Network, a global database of accidents and incidents. The tally would bring to more than 500 the number of deaths from such attacks during that period. Preliminary results of Azerbaijan's investigation into the crash indicate the plane was hit by a Russian antiaircraft missile, or shrapnel from it, said people briefed on the probe.

"It adds to the worrying catalog of shootdowns now," said Andy Blackwell, an aviation risk adviser at security specialist ISARR and former head of security at Virgin Atlantic. "You've got the conventional threats, from terrorists and terrorist groups, but now you've got this accidental risk as well." No other cause of aviation fatalities on commercial airliners comes close to shootdowns over those years, according to ASN data. The deadliness of such attacks is a dramatic shift: In the preceding 10 years, there were no fatal shootdowns of scheduled commercial passenger flights, ASN data show. The trend highlights the difficulty -- if not impossibility -- of protecting civilian aviation in war zones, even for rigorous aviation regulators, because of the politics of war. Early last century similar woes plagued sea travel, when belligerents targeted ocean transport.

Increasing civilian aviation deaths from war also reflect both a growing number of armed conflicts internationally and the increasing prevalence of powerful antiaircraft weaponry. If a missile was indeed the cause of this week's disaster, it would mean that the three deadliest shootdowns of the past decade all involved apparently unintended targetings of passenger planes flying near conflict zones, by forces that had been primed to hit enemy military aircraft. Two of those incidents were linked to Russia: Wednesday's crash of an Embraer E190 with 67 people aboard, of whom 38 died, and the midair destruction in 2014 of a Malaysia Airlines Boeing 777 flying over a battle zone in Ukraine, on which all 298 people aboard died. The other major downing was the mistaken shooting in 2020 by Iranian forces of a Ukraine International Airlines Boeing 737 departing Tehran, killing all 176 people onboard. Iran's missile defense systems had been on alert for a potential U.S. strike at the time.

Government

Bill Requiring US Agencies To Share Custom Source Code With Each Other Becomes Law 26

President Biden on Monday signed the SHARE IT Act (H.R. 9566) into law, mandating federal agencies share custom-developed code with each other to prevent duplicative software development contracts and reduce the $12 billion annual government software expenditure. The law requires agencies to publicly list metadata about custom code, establish sharing policies, and align development with best practices while exempting classified, national security, and privacy-sensitive code. FedScoop reports: Under the law, agency chief information officers are required to develop policies within 180 days of enactment that implement the act. Those policies need to ensure that custom-developed code aligns with best practices, establish a process for making the metadata for custom code publicly available, and outline a standardized reporting process. Per the new law, metadata includes information about whether custom code was developed under a contract or shared in a repository, the contract number, and a hyperlink to the repository where the code was shared. The legislation also has industry support. Stan Shepard, Atlassian's general counsel, said that the company shares "the belief that greater collaboration and sharing of custom code will promote openness, efficiency, and innovation across the federal enterprise."
China

Chinese Hackers Breach Ninth US Telecoms Group in Espionage Campaign (apnews.com) 41

A ninth U.S. telecommunications company has been compromised in a Chinese espionage campaign that targeted private communications, particularly around Washington D.C., White House Deputy National Security Adviser Anne Neuberger said Friday.

The intrusion, part of the "Salt Typhoon" operation that previously hit eight telecom firms, allowed hackers to access customer call records and private messages. While the total number of affected Americans remains unclear, many targets were government officials and political figures in the Washington-Virginia area.
Bug

Windows 11 Installation Media Bug Causes Security Update Failures (bleepingcomputer.com) 68

Microsoft is warning that Windows 11 installations using USB or CD media created with October or November 2024 security updates may be unable to receive future security patches.

The bug affects version 24H2 installations made between October 8 and November 12, but does not impact systems updated through Windows Update or the Microsoft Update Catalog. Microsoft advised users to rebuild installation media using December 2024 patches while it works on a permanent fix for the issue, which primarily affects business and education environments.
Communications

FCC 'Rip and Replace' Provision For Chinese Tech Tops Cyber Provisions in Defense Bill (therecord.media) 22

The annual defense policy bill signed by President Joe Biden Monday evening allocates $3 billion to help telecom firms remove and replace insecure equipment in response to recent incursions by Chinese-linked hackers. From a report: The fiscal 2025 National Defense Authorization Act outlines Pentagon policy and military budget priorities for the year and also includes non-defense measures added as Congress wrapped up its work in December. The $895 billion spending blueprint passed the Senate and House with broad bipartisan support.

The $3 billion would go to a Federal Communications Commission program, commonly called "rip and replace," to get rid of Chinese networking equipment due to national security concerns. The effort was created in 2020 to junk equipment made by telecom giant Huawei. It had an initial investment of $1.9 billion, roughly $3 billion shy of what experts said was needed to cauterize the potential vulnerability.

Calls to replenish the fund have increased recently in the wake of two hacking campaigns by China, dubbed Volt Typhoon and Salt Typhoon, that saw hackers insert malicious code in U.S. infrastructure and break into at least eight telecom firms. The bill also includes a watered-down requirement for the Defense Department to tap an independent third party to study the feasibility of creating a U.S. Cyber Force, along with an "evaluation of alternative organizational models for the cyber forces" of the military branches.