Windows Server admins agree to forgo broken patches


Connor Jones

19 Jan, 2022

Microsoft has released an emergency out-of-band (OOB) update to address an array of issues found in last week’s Windows Server patch, but IT administrators are in agreement that they will not apply it.

Last week’s Patch Tuesday fixed a host of issues across Microsoft products, including a number of zero-day vulnerabilities, but Windows Server administrators have complained that some of the patches released have created even more problems.

Because of the issues introduced by the most recent cumulative patches, IT administrators discussing the issues on Reddit are mostly in agreement that forgoing the patches and waiting for the next cumulative update in February is the best course of action to minimise operational disruption and complexity.

The patches issued last week have been breaking a number of key components in business environments and the solution many administrators have turned to is to uninstall the updates entirely. 

Four main flaws

The latest out-of-band update from Microsoft issued this week aims to address the issues faced by businesses running Windows Servers but in some cases, it first requires administrators to install the broken patch from last week.

The issues businesses are currently facing include domain controllers unexpectedly restarting and entering boot loops every few minutes. The issue is thought to affect all supported Windows Server versions and the failure in the LSASS.exe process means Windows cannot run correctly.

Microsoft Hyper-V is also affected by the patches, with enterprise virtual machines (VMs) failing to start on some Windows Servers. In addition, ReFS-formatted removable media is failing to mount post-patch, which has caused issues for administrators thinking their external drives were corrupted. Numerous reports of experts formatting their drives after applying last week’s patches, only to realise it was in vain, have appeared on social media, too. 

To cap off a bug-laden release of patches, some L2TP VPN connections are also failing across Windows 11, Windows 10, and certain Windows Server versions.

Microsoft has issued fixes for all of the aforementioned issues and, aside from the fix for the ReFS-formatted media issues, they are cumulative updates, which means they do not require administrators to install the broken patch from last week first.

The updates are available in the Microsoft Update Catalogue which also has instructions on how to install the updates manually into Windows Server Update Service (WSUS).

A risky response?

Despite most of the updates being cumulative, IT admins are seemingly still in agreement that they will be waiting until February, or until a fully safe wave of patches arrives, to fix the Windows Server issues.

One user said: “I’ll be waiting on the cumulative… I’m not reinstalling a broken patch I just removed from a bunch of servers to then have to immediately apply a fix to said patch.”

Another user said installing the out-of-band update made matters worse: “[We] received the bad updates this morning, and Exchange wouldn’t see the Active Directory (AD) environment anymore. I saw the optional OOB update and installed that – [it] actually made the problem worse. I removed all of the updates and AD was back to being seen and Exchange was finally working.”

Weighing in on the matter, outside experts have said the idea of forgoing updates is one that shouldn’t be taken lightly and the risks of leaving environments open to known vulnerabilities need to be considered on balance with the potential disruption the updates themselves could cause an organisation.

“This is very much a question of risk management and risk assessment,” said Andy Norton, European cyber risk officer at Armis to IT Pro. “Clearly the risk from installing the patch is one of disruption to the organisation. If you balance that with the risk from a cyber attack stemming from the issues that are not addressed by failing to patch, you then have both sides of the equation and are able to make a decision. 

“There were six zero-day flaws addressed in the January patch, however, none of these zero-days are actively being exploited currently, and so it may appear that the consensus is to delay the patching process as it is riskier than being exposed to the zero days.”

Alan Calder, CEO at GRC International Group, added: “If it were my business, and a sysadmin said they thought it might be ok to continue with critical vulnerabilities unpatched until Patch Tuesday in February, we would have had a very blunt conversation about taking cyber security seriously.”

In a statement given to IT Pro, Microsoft said: “We recommend customers install updates released on January 17.”

Safari bug lets websites track browsing activity and unique identifiers


Danny Bradbury

18 Jan, 2022

Researchers have found a bug in Apple’s Safari browser that allows websites to track a user’s browsing activities across other sites.

The bug, discovered by browser fingerprinting service FingerprintJS, also exposes a user’s unique ID for some websites to other sites that they visit.

The flaw, found in Apple’s WebKit browser engine, affects Safari 15 on macOS and all browsers on iOS and iPadOS 15. It lies in WebKit’s implementation of the Indexed Database API, commonly called IndexedDB, a JavaScript API that browsers use to access a database of objects, and it frequently stores data generated while interacting with a web application. This includes a user’s unique ID for interacting with web applications, such as their Google ID.

When properly implemented, IndexedDB follows the same-origin principle. This ensures that information stored from a web page is only available to web pages from the same domain. It stops over-inquisitive web pages from accessing other domains’ stored information, which could include sensitive user or session data.

FingerprintJS found that WebKit’s IndexedDB implementation fails to observe the same-origin principle, instead making stored information available to web sites from other domains.

FingerprintJS called the bug a privacy violation. “It lets arbitrary websites learn what websites the user visits in different tabs or windows,” the company said in its analysis of the bug. “This is possible because database names are typically unique and website-specific.”

The company found some websites using user-specific IndexedDB data such as ID numbers in their IndexedDB database names, making it easy for any other website to find out a user’s ID on other sites. Using this ID to look up the user’s assets (such as profile pictures) could allow identification of the user, the company warned. Google websites store ID numbers in this way, making it possible for other sites to harvest Google IDs using the bug.
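A site owner can check their own origin for the naming pattern described above. The following JavaScript is an added example, not code from FingerprintJS or from the article: it flags IndexedDB database names that embed user-specific values. The detector patterns, function names and sample names are assumptions constructed for illustration.

```javascript
// Added example: audit IndexedDB database names for embedded user identifiers.
// Detector patterns and thresholds are illustrative assumptions.
const DETECTORS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-number", re: /\d{9,}/ },   // account-ID-like digit runs
  { kind: "hex-token", re: /[0-9a-f]{24,}/i },
];

// Return the first detector that matches, with the matched value masked so
// the audit report does not itself record the identifier.
function classifyName(name) {
  for (const { kind, re } of DETECTORS) {
    if (re.test(name)) {
      return { name, kind, redacted: name.replace(re, "<" + kind + ">") };
    }
  }
  return null;
}

// Audit a list of database names; only names that look user-specific are returned.
function auditNames(names) {
  return names.map(classifyName).filter((finding) => finding !== null);
}

// In a browser, audit the databases created by the page's own origin.
// indexedDB.databases() resolves to an array of { name, version } objects.
async function auditOwnOrigin() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return []; // API unavailable (for example, when run outside a browser)
  }
  const dbs = await indexedDB.databases();
  return auditNames(dbs.map((db) => db.name));
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-cache-v2",
  "offline_user_108234567890123456789",
  "inbox:alice@example.com",
  "sync-3f2b8c1e-9a47-4d2b-8e61-0c5d7a9b1f23",
  "keyval-store",
];

function runSampleAudit() {
  return auditNames(SAMPLE_NAMES);
}
```

A name that is flagged is a candidate for renaming to a fixed, non-identifying string, with the user-specific value kept inside the database as a key rather than in its name.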

The bug affects all browsers on iOS 15 because Apple mandates the use of WebKit on this platform in its developer guidelines. Section 2.5.6 says “Apps that browse the web must use the appropriate WebKit framework and WebKit Javascript.”

FingerprintJS said that it had notified Apple of this bug on November 28 but Apple had not patched it. Apple’s engineers began creating a patch on Sunday February 17, the day that FingerprintJS published details of the bug.

UK businesses urged to join four-day working week trial


Sabina Weston

17 Jan, 2022

UK businesses are being urged to join a six-month trial of a four-day working week, as organisers aim to sign up at least 30 companies by June.

Organised by the 4 Day Week Global organisation and the Autonomy thinktank, the pilot programme will be monitored by Cambridge and Oxford Universities in order to measure the four-day working week’s impact on staff productivity and wellbeing, as well as the impact on the environment and gender equality.

Participating employees will receive 100% of their usual pay for only four days at work, in exchange for their commitment to maintain “at least” 100% productivity.

Autonomy co-director Kyle Lewis said that organisations taking part in the trial will benefit from “unparalleled access to the expertise, tools and resources they will need to run a smooth and successful trial”.

“This is a fantastic opportunity for organisations who want to be pioneers and trial a four-day week as a way of supporting and empowering workers, enhancing organisational productivity and having a positive impact on our society and the environment,” he added.

In 2019, prior to the mass shift to remote working, Autonomy authored a report which found “strong indications that reducing the working week can help reduce air pollution and our overall carbon footprint”.

According to Brendan Burchell, professor in the Social Sciences at Cambridge University, with the rise of technology that allows productivity to be maintained, “the time has come for more organisations to take the leap and unravel the practicalities”.

“This scheme has tremendous potential to progress from conversations about the general advantages of a shorter working week to focussed discussions on how organisations can implement it in the best possible way,” he added.

One of the businesses taking part in the pilot programme is the Edinburgh-based Canon, which found that the work-life balance of its 140 employees had changed “substantially” during the pandemic.

“As a responsive employer we are always looking at how we can adapt our working practices to ensure that employees find their time with us is meaningful, fulfilling and productive. For this reason, we’re keen to pilot a four-day week to see if it can work for us,” said president Ken Sutherland.

Last year, UK-based fintech Atom bank garnered headlines for introducing a four-day working week for all its employees with no change in salary. Prior to that, UK supermarket Morrisons also announced plans to shift to a four-day working week, keeping employee pay the same. However, this was only made available to head office staff in Bradford, who also had to work one Saturday per month to recoup the lost time.

Businesses can sign up for the trial until the end of March. 

Google Drive accounted for the most malware downloads in 2021


Bobby Hellard

12 Jan, 2022

Google Drive accounted for the most malware downloads in 2021, taking the top spot from Microsoft OneDrive.

The cloud storage service accounted for 37% of all malicious downloads last year, according to the January edition of Netskope’s Cloud and Threat report. 

CloudPro contacted Google, Microsoft and Amazon for comment but had not received a response at the time of publication. 

Netskope, a US-based cyber security provider, noted that cloud storage apps gained even greater adoption in 2021, with 79% of customers analysed using at least one cloud storage app, which is up from 71% in 2020. The number of cloud storage apps in use also rose, with organisations with 500 to 2,000 employees using 39 different cloud storage apps last year.

What’s more, cloud-delivered malware is now more prevalent than variants downloaded via the web. In 2021, cloud app malware accounted for 66% of all malware downloads, up from 46% at the start of 2020.

Aside from its increasing popularity, there are other reasons why Drive surpassed other services when it came to malware downloads, according to Netskope. For example, the Emotet botnet that used Box to deliver malicious Office document payloads was taken down early in 2021 but ended up inspiring hackers to use Google Drive to share malicious Office documents.

“The increasing popularity of cloud apps has given rise to three types of abuse described in this report: attackers trying to gain access to victim cloud apps, attackers abusing cloud apps to deliver malware, and insiders using cloud apps for data exfiltration,” Netskope Threat Labs threat research director Ray Canzanese said. 

“The report serves as a reminder that the same apps that you use for legitimate purposes will be attacked and abused. Locking down cloud apps can help to prevent attackers from infiltrating them, while scanning for incoming threats and outgoing data can help block malware downloads and data exfiltration.”

IBM ramps up sustainability efforts with Envizi acquisition


Zach Marzouk

12 Jan, 2022

IBM has acquired Envizi, an Australian data and analytics software provider for environmental performance management, as it looks to help customers better measure their environmental impact.

The company said the acquisition adds to its investments in AI-powered software to help organisations create more resilient and sustainable operations and supply chains. It added that companies are under mounting pressure from regulators, investors, and consumers to progress towards more sustainable and socially responsible business operations while demonstrating these measures in a robust and verifiable way.

Financial terms of the deal were not announced. CloudPro contacted IBM for more information, but the company had not responded at the time of publication.

Envizi’s software automates the collection and consolidation of over 500 data types and supports major sustainability reporting frameworks. It helps companies analyse, manage, and report on environmental goals and identify efficiency opportunities while assessing sustainability risk. 

IBM said by using Envizi with its broader AI-powered software, companies will be able to automate feedback generated between their corporate environmental initiatives and the operational endpoints being used in daily business operations. Envizi is set to be integrated with IBM Maximo, IBM Sterling, IBM Environmental Intelligence Suite, and IBM Turbonomic and Red Hat OpenShift.

“To drive real progress towards sustainability, companies need the ability to transform data into predictive insights that help them make more intelligent, actionable decisions every day,” said Kareem Yusuf, general manager of IBM AI Applications.

“Envizi’s software provides companies with a single source of truth for analyzing and understanding emissions data across the full landscape of their business operations and dramatically accelerates IBM’s growing arsenal of AI technologies for helping businesses create more sustainable operations and supply chains.”

Envizi is available as a SaaS product and runs in multi-cloud environments, serving companies like Microsoft, Qantas, and Uber.

In February last year, IBM vowed to become carbon-neutral by 2030. It planned to procure 75% of its electricity from renewable sources and cut its greenhouse gas emissions 65% from its 2010 emission levels by 2025. By 2030, it plans to reach its carbon-neutral goal by obtaining 90% of its electricity from renewable sources and implementing tech to neutralise residual emissions.

IBM isn’t the only tech company helping customers to monitor their emissions. In October, Microsoft launched a preview of Microsoft Cloud for Sustainability to help organisations more effectively record, report, and reduce their carbon emissions on a path to net-zero. The SaaS product connects to data sources and centralises and organises data in a common format to provide a more accurate system of record that enables more comprehensive sustainability management.

Nvidia acquires HPC cluster management firm Bright Computing


Sabina Weston

11 Jan, 2022

Nvidia has announced the acquisition of high-performance computing (HPC) systems management provider Bright Computing for an undisclosed sum.

The deal will see Nvidia open new markets for Bright Computing, which in turn will help expand Nvidia’s accelerated computing portfolio with its Bright Cluster Manager product.

The two companies had been collaborators for more than a decade, with Nvidia integrating Bright’s Cluster Manager with its CUDA parallel computing platform and programming model, and most recently its deep learning-focused DGX systems.

Commenting on the acquisition, vice president and general manager of DGX Systems at Nvidia, Charlie Boyle, said that Bright Computing’s software and expertise will enhance the company’s growing DGX and data centre businesses.

“Now we see an opportunity to combine our system software capabilities to make HPC data centres easier to buy, build and operate, creating a much larger future for HPC,” he added.

Bright Computing CEO Bill Wagner said that “Nvidia is changing the world as we know it”, adding that the company “couldn’t be more excited for our team and software to play a part in that”.

Founded in 2009 and based in Amsterdam, Bright Computing services are used by more than 700 organisations worldwide, including Microsoft, Samsung, Boeing, NASA, and Tesla.

The acquisition will see Bright’s workforce transferred to Nvidia. The company wasn’t immediately available for comment regarding the future of Bright’s employees or its Amsterdam office and didn’t disclose the financial details of the deal. Nvidia’s current Netherlands headquarters are based in Delft.

The news comes weeks after the UK government ordered a “phase two” investigation into Nvidia’s $40 billion (£30 billion) acquisition of Cambridge-based ARM. Over a period of 24 weeks, the Competition and Markets Authority (CMA) will consider evidence on whether the acquisition of the Cambridge-based semiconductor company by the US chip giant is a threat to competition and national security.

The first phase of the CMA’s investigation, which concluded in August and covered competition and jurisdictional issues, determined that the deal could lessen competition across four markets: data centres, Internet of Things, automotive, and gaming.

How to avoid corrupting your hybrid work strategy


Keri Allan

11 Jan, 2022

With businesses forced to close their offices for months on end, we’ve witnessed one of the greatest working arrangement shakeups in history. Companies implemented new systems and policies while embarking on digital transformation projects, as workers had to adapt to a completely new way of working.

While many thrived, others struggled, and almost everyone agrees the old ways won’t work any longer. As such, hybrid work has become a central tenet in the marketing campaigns and portfolios of countless vendors, with promises of trust, empowerment and flexibility rampant. With several concerns mounting, though, especially around application overload and employee monitoring, there’s a risk the reality of hybrid work won’t match these early ambitions.

The evolution of hybrid work

The evolution of hybrid work started before the pandemic, with forward-thinking businesses fundamentally changing how they use space – introducing hot-desking, breakout rooms and collaboration spaces, alongside increased digitisation.

“This was well underway before the pandemic, with progressive organisations embracing a plethora of digital tools from virtual work environments like Slack and Microsoft Teams to shared cloud storage and SharePoint sites,” says Matt Hancocks, senior director at Gartner.  

When the pandemic hit, remote working was becoming more accessible, and many tech companies were quick to jump on this trend, directing their product development to further amplify it. 

“Since many tech companies had been quick to adapt, there’d also been a gravitation towards using the company’s products to support their own hybrid set-ups,” adds Alok Alstrom, founder of the Future of Work Institute. “Instead of developing products for ‘someone else’, they viewed themselves as the first users of their products.”

Most organisations were reluctant to embrace remote working prior to COVID-19. Fully remote employees comprised less than 5% of the global workforce, rising to 10% if you included employees who occasionally worked from home, Gartner figures show. When lockdowns led to approximately 70% of the world’s knowledge workers working remotely, however, 75% of businesses discovered that productivity was the same, if not better.

Hybrid work – help or hindrance?

Now that many organisations see hybrid work wasn’t a barrier to productivity, they’ve been happy to embrace various models, but the explosion of technologies and systems might actually be more oppressive than liberating.

When governments mandated working from home, for instance, many organisations implemented new tools to monitor employee productivity, including screen capture, measuring keystrokes, webcam photography and web monitoring. This was considered heavy-handed by many, and not suitable for all work environments, such as those roles revolving around thinking time and creativity. 

Maintaining an online presence has actually become the main source of stress for employees, according to IDC’s Meike Escherich, associate research director – future of work. Both Escherich and Hancocks agree the solution lies with moving away from measuring productivity by output, and towards focusing on business outcomes. Organisations that implement this mentality shift will sustain greater benefits from today’s hybrid working world, whereas businesses that focus on monitoring their employees risk alienating workers.

Digital fatigue is another concern, Al Fox, Director and head of HR at B2B marketing firm Fox Agency, tells IT Pro. “We’ve always avoided micromanagement and surveillance, but digital fatigue is an issue when working online all day,” he says. “Creatives love working together in an office where they can share or draw ideas on paper or board, and that doesn’t work quite as well virtually. 

“For this reason, they try and meet in person when they can. For others, a day filled with Teams or Zoom meetings can be extremely tiring and lack the spontaneity of real-life meetings. The convenience of video meetings is amazing, but there are always downsides, it would be foolish to pretend there aren’t.”

Crafting a hybrid model for 2022

As the world reopens, hybrid work is being driven by employees’ desire to maintain the flexibility and empowerment remote working provided. Autonomy over one’s working day has become more important than remuneration to many, which has led to what’s become known as ‘The Great Resignation’. 

Roughly 65% of employees are prepared to quit and seek employment elsewhere if their company isn’t prepared to offer a degree of flexibility and remote working, Gartner figures show. With UK vacancies reaching an all-time high, therefore, businesses must consider genuine hybrid working options as a key tool in retaining talent.

Employers are also benefiting from workers realising they’re no longer tied to their location. “People in York or Inverness can now work for a London-based company or even one in San Francisco,” says Fox. “That’s a big change and one that’s worked for us as it’s opened the talent pool right up.”

Going forward, the most successful work strategies will be human-centric, Hancocks says, and organisations should rethink their relationships with employees. This journey is underway for many organisations, with businesses reducing how many days employees must be office-based. Others, meanwhile, are taking a more radical approach. 

“Virgin Money announced a new employee deal, consisting of several initiatives closely co-developed with employees,” he adds. “The main one is around a completely remote work offering, that allows employees to work remotely anywhere in the UK. It includes enhanced holiday leave and six welfare days. This exemplifies the emergence of the new employee value proposition we’re likely to start seeing from many organisations.”

Dropbox, meanwhile, is making a distinction between synchronous versus asynchronous work; when are people required to work together and when are they able to work alone? To do this, the firm uses blocks of time in calendars to distinguish between availability for either type of work. 

“Examples of work design are even emerging in the quite mundane, such as the PowerPoint presentation,” Hancocks continues. “Using tools like PowerPoint 365, people can record their presentation, upload it to a suitable site and make it available for colleagues to view at a time that suits them.”

There’s no silver bullet to designing the perfect hybrid work strategy. What’s certain, though, is that the businesses set to thrive are those that are agile, adaptive and use technology to empower employees, rather than monitor and control them.

LG Electronics joins the IBM Quantum Network


Praharsha Anand

10 Jan, 2022

LG Electronics has joined the IBM Quantum Network to expand industry applications of quantum computing.

IBM will give LG Electronics access to its quantum computing systems, in addition to Qiskit, the firm’s open source quantum information software development kit.

The resources will help LG Electronics augment big data, artificial intelligence (AI), connected cars, digital transformation, the Internet of Things (IoT), and robotics applications.

Further, with IBM Quantum technology, LG can capture the latest advances and applications from quantum computing, in accordance with IBM’s quantum roadmap. 

Using IBM Quantum technology, LG will also train its employees, allowing the company to examine potential breakthroughs for its industry.

“Based on our open innovation strategy, we plan to use IBM Quantum to develop our competency in quantum computing,” said Byoung-Hoon Kim, CTO and executive vice president of LG Electronics. 

“We aim to provide customers with value that they have not experienced so far by leveraging quantum computing technology in future businesses.”

As part of the IBM Quantum Summit in November 2021, IBM unveiled its Eagle quantum computing processor with 127 qubits. Eagle uses IBM’s 3D packaging architecture designed to support advanced quantum processors, including its 1,126-qubit Condor chip scheduled to be released in 2023.

The LG partnership further strengthens IBM’s quest for Quantum Advantage.

“We’re happy to welcome LG Electronics to a growing quantum computing ecosystem in Korea at an exciting time for the region,” said Jay Gambetta, IBM fellow and VP of quantum computing at IBM. 

“The relationship between IBM and LG Electronics will permit LG to explore new types of problems associated with emerging technologies and will help strengthen the quantum capabilities in Korea.”

Financial regulators concerned about reliance on AWS, Azure and Google Cloud


Bobby Hellard

10 Jan, 2022

UK financial regulators are reportedly concerned about the sector’s reliance on a subset of cloud computing providers that leaves banks vulnerable to service outages and hacks. 

The Prudential Regulation Authority (PRA) is said to be exploring ways to access more data from the likes of Amazon, Microsoft and Google, according to the Financial Times.

Amazon Web Services (AWS), Microsoft Azure and Google Cloud are often listed as the three biggest providers in the world, with each company increasingly active in the financial sector.

All three have made extensive deals with UK banks in recent years, offering services to reduce IT costs by migrating firms away from on-premise to the cloud, where they can capitalise on new technologies such as AI.  

The use of cloud computing by UK banks is covered under the PRA’s operational resilience framework. However, the use of just a few larger companies is causing concern, particularly given recent outages.

While the PRA declined to confirm the FT’s report, a source with knowledge of the situation told IT Pro financial regulators in the UK are now looking at ways to tackle the financial system’s increasing reliance on cloud service providers, which could see the introduction of additional policy measures, some requiring legislative change.

The PRA is a part of the Bank of England (BoE), which has also expressed concern in this area; in July 2021, the BoE warned that UK banks moving more and more of their administration and account online “could pose a risk to financial stability”. It also argued that the market for cloud services was highly concentrated with AWS, Microsoft and Google all enjoying heavy dominance. 

Sections of the UK’s government have also questioned how much it depends on the likes of AWS. In February 2021, Conservative life peer Lord Holmes said that AWS represented “the latest iteration of the biggest player”, adding that in regards to cloud procurement, it was being allowed to “eat the largest piece of pie”. 

Managing digital transformation during the chip crunch


Rich McEachran

10 Jan, 2022

If 2021 was the year businesses adopted a connected enterprise mindset to adapt to new ways of working, 2022 will be the year digital transformation becomes an even more integral part of enterprise planning. 

Global IT expenditure is forecast to grow 5.5% year-on-year to $4.47 trillion (approximately £3.3 trillion) this year, according to Gartner. Digital tech initiatives will remain a top strategic business priority for companies as they continue to reinvent the future of work, said its research vice president John-David Lovelock, in October. This is especially true for those focusing spending on making their infrastructure bulletproof and implementing increasingly complex hybrid work patterns.

IT departments, however, could very well hit a crunch point over the next 12 months. Demand for high-performance computing and data centres, which comprise the infrastructure underpinning remote work, has gone through the roof since the start of the pandemic. This, coupled with poor planning on the part of automakers and a surge in demand for home entertainment electronics, has led to an ongoing chip shortage. Simply, there currently aren’t enough chips to satiate the hunger for silicon.

This shortage is set to continue for some time yet. Intel CEO Pat Gelsinger has warned the shortage will continue to impact production until 2023 at the earliest. Analysts at Deloitte, meanwhile, are slightly more optimistic and believe that the imbalance in supply and demand will normalise towards the end of this year. The shortage will, nevertheless, restrict what businesses can achieve in the coming months.

Delays, delays, delays

Amid the chip crunch, companies may struggle to get their hands on crucial hardware and equipment, says Maynard Williams, a managing director at Accenture Technology. “Businesses may find the nuts and bolts of digital transformation start to become a problem,” he tells IT Pro. “Longer lead times for laptops could mean new employees, or those with broken devices, are left unable to work for extended periods of time.”

There are, nonetheless, effective workaround strategies, such as refurbishing devices and IT equipment, Williams adds. Open dialogue with suppliers and partners around lead times and bottlenecks can help businesses improve forecasting, so they aren’t forced to make last-minute decisions. Some suppliers may be able to build up a buffer of inventory to support businesses if and when their needs suddenly change.

Demand for laptops and personal computers has been strong throughout 2021, but sales slowed towards the end of the year as supply chain constraints snarled production volumes. Some major chip foundries have also been prioritising higher margin product lines, such as CPU servers for data centres. 

A key concern for IT leaders will be if and when delays bleed into digital transformation projects that rely on connected devices, says Williams. “A warehouse automation project, for example, requires robotics and IoT sensors as well as 5G edge solutions to relay data,” he explains.

“This is all powered by chips. Even though a project like this will be planned in advance, though, plans could be threatened as a lack of supply is pushing up the price of certain chips, forcing businesses to pay more. Projects could become more expensive than previously budgeted.”

The world’s leading chipmaker Taiwan Semiconductor Manufacturing Company (TSMC) is poised to raise chip prices by as much as 20% in 2022. Prices for the likes of microcontrollers and chips for communication technologies could see sharper rises than CPUs and GPUs, which have had less significant availability issues. Forrester research shows the higher costs are likely to hamper IoT device deployment, and it’s forecast the crisis could slash 10% to 15% off the IoT industry’s growth rate this year.

The security hardware problem

Many digital transformation projects may have to be rethought over the next 12 months. What’s certain, though, is that businesses will want to move their workloads to the cloud. This is especially true for those companies that have had to reduce their cloud infrastructure spending during the pandemic.

The shift to remote and hybrid models of working is making businesses more vulnerable to data breaches, however, with more devices connected to a network, thus expanding the attack surface. The UK government’s Cyber Security Breaches Survey 2021, published last May, found 39% of companies had reported breaches in the prior 12 months. Kevin Schwarz, director of transformation strategy at security firm Zscaler, says the chip crunch has called into question why businesses still rely on hardware to secure network premises. 

“Firewalls currently have long lead times of six to nine months. If businesses are waiting for hardware vendors to deliver delayed appliances or to extend their capabilities, they’re putting their infrastructure at risk,” Schwarz tells IT Pro. 

The businesses that have found themselves exposed are those “that haven’t driven their cloud transformation in line with their security transformation,” he adds. “They’re sticking with traditional security models even though applications have shifted to the cloud and employees have left the network perimeter to work from anywhere.”

Reach for the clouds

Even if businesses know the hows and whys of securing cloud infrastructure, the practice often ends up getting pushed aside, whether because of limited resources or a lack of expertise. If digital transformation projects are to enable people to collaborate remotely and securely, then IT leaders need to move security to the cloud.

Schwarz says adopting a zero trust-based model helps to reduce the attack vector, while providing remote workers with a seamless user experience without hindering performance.

Beyond security, the cloud can drive digital transformation through PaaS and SaaS solutions. It can also help to circumvent any local device capacity issues. Workers may need more powerful laptops with better CPUs, for example, to effectively perform their role. Rather than wait for new hardware to become available, however, much of the processing can be done in the cloud, says Williams. 

“Cloud providers also have stronger buying power,” he adds. “This means they have greater capacity to support businesses with scaling up their digital transformation plans.”