
After 26 years of turning a deaf ear, Microsoft will finally correct this "serious negligence"

Microsoft will soon drop an obsolete encryption system that had been supported by default for 26 years. Named RC4, this system had become the key element in several devastating hacks and was the subject of sharp criticism, notably from US lawmakers.

  •  

Microsoft Will Finally Kill Obsolete Cipher That Has Wreaked Decades of Havoc

An anonymous reader quotes a report from Ars Technica: Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years following more than a decade of devastating hacks that exploited it and recently faced blistering criticism from a prominent US senator. When the software maker rolled out Active Directory in 2000, it made RC4 a sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations. RC4, short for Rivest Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that significantly weakened the security it had been believed to provide. Despite the known susceptibility, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago. [...] Last week, Microsoft said it was finally deprecating RC4 and cited its susceptibility to Kerberoasting, the form of attack, known since 2014, that was the root cause of the initial intrusion into Ascension's network. "By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption," Matthew Palko, a Microsoft principal program manager, wrote. "RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it." [...] Following next year's change, RC4 authentication will no longer function unless administrators perform the extra work to allow it. In the meantime, Palko said, it's crucial that admins identify any systems inside their networks that rely on the cipher.
Despite the known vulnerabilities, RC4 remains the sole means of some third-party legacy systems for authenticating to Windows networks. These systems can often go overlooked in networks even though they are required for crucial functions. To streamline the identification of such systems, Microsoft is making several tools available. One is an update to KDC logs that will track both requests and responses that systems make using RC4 when performing requests through Kerberos. Kerberos is an industry-wide authentication protocol for verifying the identities of users and services over a non-secure network. It's the sole means for mutual authentication to Active Directory, which hackers attacking Windows networks widely consider a Holy Grail because of the control they gain once it has been compromised. Microsoft is also introducing new PowerShell scripts to sift through security event logs to more easily pinpoint problematic RC4 usage. Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn't easy. "The problem though is that it's hard to kill off a cryptographic algorithm that is present in every OS that's shipped for the last 25 years and was the default algorithm for so long," Steve Syfuhs, who runs Microsoft's Windows Authentication team, wrote on Bluesky. "See," he continued, "the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes."

Read more of this story at Slashdot.


  •  

"With the rise of AI, new doors are opening": bug hunters will love Microsoft's new rewards

Microsoft used the 2025 edition of the Black Hat Europe conference, held in London from 8 to 11 December 2025, to unveil new rules applied to its bug bounty programs. Numerama was able to speak with Tom Gallagher, vice president of engineering at the Microsoft Security Response Center (MSRC), to detail these new terms for awarding bounties.

  •  

Microsoft 365 Prices Rising For Businesses and Governments in July 2026

Microsoft has announced that it will raise prices on its Microsoft 365 productivity suites for businesses and government clients starting in July 2026, marking the first commercial price increase since 2022. Small business and frontline worker plans face the steepest hikes: Business Basic jumps 16.7% to $7 per user per month, while frontline worker subscriptions surge up to 33%. Enterprise plans see more modest bumps, ranging from 5.3% for E5 to 8.3% for E3. Microsoft attributed the increases to more than 1,100 new features added to the suite, including AI-driven tools and security enhancements. Copilot remains a separate $30-per-month add-on.


  •  

Microsoft To Invest $17.5 Billion in India

Microsoft announced on Tuesday its largest-ever investment in Asia -- $17.5 billion over four years starting in 2026 -- to expand cloud and AI infrastructure across India, fund skilling programs, and support ongoing operations in the country. The commitment adds to a $3 billion investment the company announced in January 2025 that is on track to be spent by the end of 2026. A new hyperscale cloud region in Hyderabad is set to go live in mid-2026 and will be Microsoft's largest in India, comprising three availability zones. The company also plans to integrate AI into two government employment platforms -- e-Shram and the National Career Service -- that serve more than 310 million informal workers. Microsoft is doubling its India skilling target to 20 million people by 2030; since January, it has already trained 5.6 million.


  •  

Microsoft Excel Turns 40, Remains Stubbornly Unkillable

Microsoft Excel, the 40-year-old spreadsheet application that helped establish personal computers as essential workplace tools and contributed to Microsoft's current valuation of nearly $4 trillion, has weathered both the rise of cloud computing and the current AI boom largely unscathed. In its most recent quarter, commercial revenue for Microsoft 365 -- the bundle including Excel, Word, and PowerPoint -- increased 17% year over year, and consumer revenue rose 28%. The software traces its origins to a 1983 Microsoft offsite under the code name Odyssey, where engineers set out to clone Lotus 1-2-3. That program had itself cloned VisiCalc, the first computerized spreadsheet, created by Dan Bricklin for the Apple II in the late 1970s. Bricklin never patented VisiCalc. "Financially it would have been great if we'd have been able to patent it," he told Bloomberg. "And there would be a Bricklin Building at MIT, instead of a Gates Building." Excel now counts an estimated 500 million paying users. The Pentagon pays for 2 million Microsoft 365 licenses. Google's free Sheets product, launched in 2006, captured casual use cases like potluck sign-ups but failed to dislodge Excel from enterprise work. AI chatbots present the latest challenge, but venture capitalists say nearly every AI spreadsheet startup they meet builds on top of Excel rather than replacing it.


  •  

The Xbox 360 turns 20: when Microsoft beat Sony on its own turf

What better way to shake a giant than another giant? Buoyed by a historic double success in the video game console market with its first two PlayStations, Sony could legitimately feel invincible 20 years ago. Yet, just as it was about to drive the point home and follow the rule of "never two without three", the Japanese manufacturer faced a sizeable obstacle that it had no doubt overlooked because of its timid beginnings in the sector: Microsoft and its new console, the Xbox 360, the only one ever to have beaten PlayStation.

  •  

Linus Torvalds Defends Windows' Blue Screen of Death

Linus Torvalds recently defended Windows' infamous Blue Screen of Death during a video with Linus Sebastian of Linus Tech Tips, where the two built a PC together. It's FOSS reports: In that video, Sebastian discussed Torvalds' fondness for ECC (Error Correction Code). I am using their last name because Linus will be confused with Linus. This is where Torvalds says this: "I am convinced that all the jokes about how unstable Windows is and blue screening, I guess it's not a blue screen anymore, a big percentage of those were not actually software bugs. A big percentage of those are hardware being not reliable." Torvalds further mentioned that gamers who overclock get extra unreliability. Essentially, Torvalds believes that having ECC on the machine makes them more reliable, makes you trust your machine. Without ECC, the memory will go bad, sooner or later. He thinks that more than software bugs, often it is hardware behind Microsoft's blue screen of death. You can watch the video on YouTube (the BSOD comments occur at ~9:37).


  •  

Microsoft Faces New Complaint For Unlawfully Processing Data On Behalf of Israeli Military

Ancient Slashdot user Alain Williams shares a report from Al Jazeera: The Irish Council for Civil Liberties (ICCL) has announced it filed a complaint against Microsoft, accusing the global tech giant of unlawfully processing data on behalf of the Israeli military and facilitating the killings of Palestinian civilians in Gaza. In the complaint, the council asked the Data Protection Commission -- the European Union's lead data regulator for the company -- to "urgently investigate" Microsoft Ireland's processing. "Microsoft's technology has put millions of Palestinians in danger. These are not abstract data-protection failures -- they are violations that have enabled real-world violence," Joe O'Brien, ICCL's executive director, said in a statement. "When EU infrastructure is used to enable surveillance and targeting, the Irish Data Protection Commission must step in -- and it must use its full powers to hold Microsoft to account." After months of complaints from rights groups and Microsoft whistleblowers, the company said in September it cancelled some services to the Israeli military over concerns that it was violating Microsoft's terms of service by using cloud computing software to spy on millions of Palestinians.


  •  

Clair Obscur helped by Xbox: why the French studio is indebted to the American giant

One week before a possible clean sweep at The Game Awards ceremony, Sandfall Interactive made a point of thanking Microsoft for its support of Clair Obscur: Expedition 33. For its part, the multinational stated that the RPG is none other than "the biggest partner-studio launch in Xbox Game Pass in 2025".

  •  

Windows 11 Growth Slows As Millions Stick With Windows 10

Despite Windows 10 losing free support, Statcounter shows Windows 11 holding only a modest lead of 53.7% market share compared to Windows 10's 42.7%. Analysts say the slow transition reflects both hardware limitations and a lack of must-have Windows 11 features compelling organizations to refresh their fleets. The Register reports: The Register spoke to Lansweeper principal technical evangelist Esben Dochy, who noted that consumers were more likely to have devices that couldn't be upgraded or follow the "if it ain't broke, don't fix it" rule when it comes to change. He also pointed out consumers in the EU get Microsoft Extended Security Updates (ESU) for free. For businesses, though, it's different. Dochy told us: "The primary blocker is slow change management processes. These can be slow due to bad planning, lack of resources, difficulty in execution (in highly distributed organizations) etc. "The ESU are used to be secure while those change management processes take place, but organizations will have to pay to get those ESU making it more expensive for unprepared or inefficient organizations." [...] The challenge facing Windows 11 is that, other than the end of free support for many versions, there is no must-have feature to make enterprises break a hardware refresh cycle, particularly in a difficult economic environment. Microsoft has not released official statistics on Windows 11 adoption. However, hardware vendors have noted the sluggish pace of transition. Dell COO Jeffrey Clarke commented during an analyst call: "If you were to look at it relative to the previous OS end of support, we are 10-12 points behind at that point with Windows 11 than we were with the previous generation."


  •  

Microsoft Lowers AI Software Sales Quota As Customers Resist New Products

An anonymous reader quotes a report from Reuters: Multiple divisions at Microsoft have lowered sales growth targets for certain artificial intelligence products after many sales staff missed goals in the fiscal year that ended in June, The Information reported on Wednesday. It is rare for Microsoft to lower quotas for specific products, the report said, citing two salespeople in the Azure cloud unit. The division is closely watched by investors as it is the main beneficiary of Microsoft's AI push. [...] The Information report said Carlyle Group last year started using Copilot Studio to automate tasks such as meeting summaries and financial models, but cut its spending on the product after flagging Microsoft about its struggles to get the software to reliably pull data from other applications. The report shows the industry was in the early stages of adopting AI, said D.A. Davidson analyst Gil Luria. "That does not mean there isn't promise for AI products to help companies become more productive, just that it may be harder than they thought."


  •  

Seven Years Later, Airbus is Still Trying To Kick Its Microsoft Habit

Breaking free from Microsoft is harder than it looks. Airbus began migrating its 100,000-plus workforce from Office to Google Workspace more than seven years ago and it still hasn't completed the switch. The Register: As we exclusively revealed in March 2018, the aerospace giant told 130,000 employees it was ditching Microsoft's productivity tools for Google's cloud-based alternatives. Then-CEO Tom Enders predicted migration would finish in 18 months, a timeline that, in hindsight, was "extremely ambitious," according to Catherine Jestin, Airbus's executive vice president of digital. Today, more than two-thirds of Airbus's 150,000 employees have fully transitioned, but significant pockets continue to use Microsoft in parallel. Finance, for example, still relies on Excel because Google Sheets can't handle the necessary file sizes, as some spreadsheets involve 20 million cells. "Some of the limitations was just the number of cells that you could have in one single file. We'll definitely start to remove some of the work," Jestin told The Register.


  •  