Vulnerability Testing

Microsoft’s May 2025 Patch Tuesday unveiled a concerning landscape for Windows administrators, addressing 78 vulnerabilities, including five zero-day exploits actively leveraged in the wild. These vulnerabilities span critical components of the Windows operating system, emphasizing the necessity for immediate action and robust security measures.

The Zero-Day Threat Landscape
The five zero-day vulnerabilities patched this month are:

• CVE-2025-30397: A memory corruption vulnerability in the Microsoft Scripting Engine, potentially allowing remote code execution if a user visits a malicious website.
• CVE-2025-30400: An elevation of privilege flaw in the Windows Desktop Window Manager (DWM) Core Library, which could allow attackers to execute code with elevated privileges.
• CVE-2025-32701 and CVE-2025-32706: Elevation of privilege vulnerabilities in the Windows Common Log File System (CLFS) driver, which have been a recurring target for attackers due to improper input validation.
• CVE-2025-32709: An elevation of privilege issue in the Windows Ancillary Function Driver for WinSock, affecting multiple Windows Server versions.

These vulnerabilities have been actively exploited, with some linked to targeted espionage and financially motivated attacks, including ransomware deployments.

Strategic Response and Mitigation
Given the active exploitation of these zero-days, organizations should prioritize the following actions:

1. Immediate Patch Deployment: Ensure all systems are updated with the latest security patches released in May 2025.
2. Vulnerability Assessment: Conduct comprehensive assessments to identify and remediate vulnerabilities within your environment.
3. Security Monitoring: Implement continuous monitoring to detect and respond to potential exploitation attempts promptly.
4. Employee Awareness: Educate staff about the risks associated with these vulnerabilities and promote best practices to prevent exploitation.

Integrating these measures into your security strategy is crucial to defend against the evolving threat landscape.

Looking Ahead
The recurrence of zero-day vulnerabilities in critical Windows components underscores the importance of a proactive and layered security approach. Organizations must remain vigilant, ensuring timely updates, continuous monitoring, and comprehensive security assessments to safeguard against emerging threats.

Microsoft’s Recall General Release and New Security Considerations

May 7th, 2025

This article serves as the latest update to our ongoing coverage of Microsoft’s controversial Windows Recall feature. Since our previous discussions in September, Microsoft has officially rolled out its Recall feature to the general public following nearly a year of scrutiny, revisions, and limited testing. As part of the new Copilot+ PC experience, Recall remains one of the most debated features Microsoft has released in recent memory. Designed to take continuous screenshots and build a searchable record of user activity, Recall’s functionality promises convenience but continues to raise significant privacy and security concerns.

This latest development includes updates to Recall’s security architecture, usage policies, and system requirements. For organizations considering the deployment of Copilot+ devices, understanding the risks and implementing proactive controls is essential.

Recall Now Live on Copilot+ PCs

Recall is now publicly available on all Copilot+ PCs, excluding those in the European Economic Area where the rollout will occur later this year. It remains exclusive to devices with high-powered Neural Processing Units (NPUs) capable of 40 trillion operations per second or more. This processing enables on-device AI capabilities, reducing the need to send data to Microsoft servers and reinforcing Microsoft’s promise that all Recall data remains local.

Recall must be enabled manually by users and requires a second opt-in step during setup. The feature can also be paused from the system tray icon or uninstalled entirely through the Windows Features control panel. These changes reflect Microsoft’s effort to improve user control following significant backlash during Recall’s initial announcement.

Security Enhancements and Remaining Gaps

Microsoft has introduced several new protections with the release:

• Encrypted Storage and Isolation: All screenshots and extracted data are now encrypted and isolated using Virtualization Based Security and the Trusted Platform Module. Data is stored outside the primary Windows environment to reduce the impact of malware infection.
• Biometric Access and PIN Use: Enabling Recall requires facial or fingerprint authentication using Windows Hello. After setup, access is controlled using the same Windows Hello PIN used to unlock the device. Critics argue this fallback method could still expose data if a PIN is guessed or shared.
• Application Filtering: Microsoft has added automatic filters to prevent screenshots of sensitive content such as credit card fields, banking sites, and password managers. However, researchers continue to find instances where sensitive information is captured, including encrypted messages and financial data. Visual indicators are present when Recall is running, but users must manually review captured data to confirm exclusions are working correctly.
• Screenshot Management: Users can configure how long Recall stores data and can delete individual screenshots, data from specific applications, or entire time periods such as the past hour or day.

While these improvements represent a significant upgrade over Recall’s earlier iterations, privacy risks persist. Any active window can be silently recorded if Recall is enabled, potentially capturing sensitive conversations, passwords, or proprietary business data. Furthermore, anyone with physical access and the correct PIN may still access stored content.

AI Feature Expansion and Privacy Implications

Alongside Recall, Microsoft has publicly launched two additional Copilot+ AI tools:

• Natural Language Windows Search: This enhancement allows users to search across apps, settings, and documents using conversational language.
• Click to Do: A context-sensitive interface that enables quick actions like summarizing text, copying content, or erasing parts of images.

These features contribute to a growing reliance on embedded AI in the Windows ecosystem. As with Recall, these tools operate at the system level and interact closely with user data, increasing the attack surface and making centralized visibility and control more important than ever.

Mitigating Enterprise Risk:

As Recall and other AI-powered features roll out across enterprise devices, organizations must take proactive steps to mitigate privacy and data leakage risks. nGuard offers several services that can help:

• Group Policy Configuration Review: Ensure that Recall and associated features are disabled organization-wide using Group Policy Objects (GPOs). nGuard’s configuration review services can verify that security policies are correctly implemented and enforced.
• AI Risk Assessments: Evaluate the broader impact of adopting AI-powered features like Copilot in your environment. nGuard provides strategic guidance and technical assessments aligned with the NIST AI Risk Management Framework.
• Security Awareness Training: Educate staff on the risks associated with Recall, AI, and similar tools.

Wrap

Microsoft has made Recall more secure than its original form, but not without compromise. Organizations must remain on top of their risk management practices, especially as AI features become more embedded in everyday operating systems. With the general availability of Recall, now is the time for enterprises to review internal policies, implement technical controls, and conduct regular assessments to ensure these features do not become a blind spot in their security strategy.

---

New Recall Updates and Changes – September 2024

September 11th, 2024

This article serves as the latest update to our ongoing coverage of Microsoft’s controversial Windows Recall feature. Since our previous discussions in June, significant developments have unfolded, particularly surrounding the security concerns and the broader implications of Recall’s reintroduction. Microsoft has made a series of changes in response to user feedback and security concerns, and in this article, we will explore the latest updates and how they fit into the wider Recall saga.

The Comeback of Windows Recall: October Rollout for Windows Insiders

After pausing the rollout of Windows Recall in June 2024, Microsoft has now confirmed that the feature will be returning in October. However, this return will be limited to Windows Insiders who are using Copilot+ PCs. These devices, equipped with powerful Neural Processing Units (NPUs), are the only ones capable of running Recall’s AI-powered screenshot functionality effectively.

Despite privacy concerns that led to Recall’s initial suspension, Microsoft is moving ahead with plans to test the feature among Insiders. The company hopes to leverage user feedback from this program before making Recall more widely available. Microsoft has made several key adjustments, including stronger encryption for the Recall database and requiring biometric authentication through Windows Hello. These security improvements aim to address the vulnerabilities that were previously identified, but questions remain about the long-term privacy risks of the feature.

Key Updates and Adjustments to Windows Recall

1. Security Enhancements: Encryption and Authentication

The most notable security update is the encryption of the SQLite database that Recall uses to store screenshots. This database will remain encrypted until a user authenticates through Windows Hello, adding a critical layer of security to protect the data collected by Recall. Moreover, the feature now requires biometric verification, ensuring that unauthorized users cannot access this sensitive information. These measures are welcomed, given the concerns raised by security researchers that the unencrypted database could be exploited by malware or other malicious actors.

These updates, while addressing some of the initial concerns, highlight the need for comprehensive security solutions for businesses and organizations that may adopt this feature. Companies can turn to services provided by nGuard for security assessments and managed SIEM, which can help ensure that sensitive data, such as that captured by Recall, is protected from exploitation.

2. Clarification on Uninstallation Options

Recently, confusion arose when users discovered an option to uninstall Recall in the Windows Features menu following the release of Windows 11’s 24H2 update (KB5041865). Microsoft has since clarified that this was a bug and that Recall cannot be fully uninstalled – only disabled. This has disappointed users hoping to remove the feature entirely due to its security risks. While Recall can be disabled, Microsoft’s decision not to allow full removal may lead to concerns in specific environments, particularly in corporate or governmental sectors, where stringent data privacy policies are in place.

The Return of Recall with More Screenshots Features

As Microsoft prepares to release Recall for testing within the Windows Insider community, more detailed information about the system requirements has emerged. To run Recall, a device must meet the following specifications:

• Processor: Snapdragon X Plus or X Elite processors, System on a Chip (SoC), or another compatible processor.
• RAM: At least 16GB DDR5/LPDDR5.
• Storage: Minimum of 256GB SSD or UFS storage.

These hardware requirements ensure that Recall functions smoothly and securely, as it heavily relies on the computational power of NPUs to analyze and manage the continuous stream of screenshots.

Microsoft’s reintroduction of Recall also includes the Copilot Screenray feature, which offers real-time analysis of the user’s desktop, further expanding the functionality of Recall. For instance, this feature could translate text from an email in real-time or provide AI-powered insights on various tasks. However, this addition brings even greater concerns about privacy, as the continuous monitoring of user screens could expose confidential or sensitive information. Ensuring that this data is adequately protected will be critical.

The Evolving Privacy Debate and Microsoft’s Response

The return of Recall has not been without criticism, especially from privacy advocates who argue that the feature remains a potential vulnerability. By continuously taking and storing screenshots, Recall creates a log of user activity that could be exploited if a device is compromised.

Security researchers, including Michael Bargury, have highlighted how Microsoft’s Copilot AI system, which Recall is a part of, could be weaponized for cyberattacks through prompt injections and data exfiltration. These techniques could allow attackers to manipulate the system, extract sensitive data, and even alter key information such as financial details.

While Microsoft has worked to improve Recall’s security, organizations need to stay informed on updates, changes, and vulnerabilities discovered in Recall. The risks associated with AI-powered tools like Recall can be mitigated by regularly conducting security audits against something like the NIST AI RMF Playbook, and employing advanced logging and monitoring solutions to detect suspicious activities early.

Wrap: Balancing Innovation and Security

The Microsoft Recall saga outlines another example of the challenges involved in integrating innovative AI features with user privacy concerns. While Microsoft’s adjustments to Recall, including its enhanced encryption, are steps in the right direction, the privacy debate is not over, yet.

For those looking to bolster their security as AI features like Recall become more prevalent, regular security assessments, logging, and monitoring can help organizations stay ahead of emerging threats and ensure compliance with privacy regulations.

---

Update: Microsoft Recall Recalled

June 12th, 2024

This article provides an update to our original discussion on the Microsoft Recall feature, updating you on the significant developments since our last coverage on June 6^th. The Recall feature has faced extensive criticism concerning privacy and security, leading Microsoft to make crucial adjustments. Here, we dive into the latest updates and recent changes Microsoft has implemented to alleviate these concerns.

Microsoft Recall Under Scrutiny
Microsoft announced significant changes to the Recall feature following widespread criticism. Originally set to be enabled by default, Recall will now be an opt-in feature for users. This change is part of Microsoft’s response to the heavy criticism regarding privacy and data security.

Key Updates to Microsoft Recall

1. Recall to Be Opt-In
Microsoft’s decision to make Recall an opt-in feature marks a significant shift. Users will now have to actively enable the feature, which Microsoft believes will enhance user trust and security.

2. Enhanced Security Measures
To address privacy concerns, Microsoft has introduced several security enhancements for Recall:

• Biometric Authentication: Users will need to use Windows Hello biometric security to enable Recall.
• Presence Detection: Recall will require user presence verification to view data.
• Additional Encryption: Microsoft has implemented further encryption measures to protect stored data.

3. Recall Feature Pulled from Developer Channel
In response to ongoing criticism, Microsoft has temporarily pulled the latest Windows 11 24H2 preview build, the only version that included Recall, from the Windows Insider Program. This move aims to give the company time to refine the feature and address the concerns raised by users and privacy advocates.

Privacy Concerns and Microsoft’s Response
Recall was initially designed to capture periodic screenshots of user activity, stored and analyzed locally on the device. Despite these assurances, privacy experts raised alarms about the potential for misuse, especially if others gained physical access to the device. Microsoft has acknowledged these concerns and emphasized its commitment to user privacy and security.

Public and Expert Reactions
The initial release of Recall received backlash from security researchers, users, and the press. Critics highlighted the potential risks of storing detailed activity logs on devices, which could be exploited by attackers or advertisers. Microsoft’s decision to make Recall an opt-in feature and enhance its security protocols has been seen as a positive step, though skepticism remains.

Future of Recall and Windows 11 24H2
While the Recall feature will be included in the Copilot Plus PCs set to launch on June 18, its broader rollout remains uncertain. Microsoft has paused the release of the 24H2 update but plans to resume it soon, ensuring the feature is thoroughly tested and secure before a wider release.

The Importance of Regular Security Audits
As Microsoft works to improve Recall’s security, it’s crucial for users and organizations to regularly perform security audits of new technologies like Recall. Regular security audits can identify potential vulnerabilities and ensure compliance with industry standards. nGuard offers comprehensive security assessments that help businesses protect their data and systems effectively.

Proper Logging and Monitoring Practices
In addition to regular security audits, implementing proper logging and monitoring is essential for maintaining security. Proper logging helps in tracking user activities and identifying potential security incidents early. Services like nGuard’s Managed Event Collection provide comprehensive  solutions for logging and monitoring, ensuring continuous oversight and quick response to any suspicious activities.

Microsoft’s Commitment to AI Integration
Despite the controversy, Microsoft continues to push forward with its AI integration plans. The Recall feature is part of the larger Copilot Plus initiative, which includes AI-driven capabilities such as advanced photo editing and live transcription. Microsoft’s partnership with OpenAI and its focus on AI innovation remain central to its strategy, even as it navigates the challenges posed by new technologies.

The Microsoft Recall Saga highlights the complexities of integrating advanced AI features into widely used software. By making Recall an opt-in feature and implementing much needed security measures, Microsoft aims to balance innovation with user privacy and trust. As the situation evolves, nGuard will continue updating to see how Microsoft addresses the remaining concerns and rolls out its AI-powered features.

---

Microsoft’s Windows 11 Recall: Revolution or Privacy Nightmare?

June 6th, 2024

Overview
Microsoft’s latest Windows 11 feature, Recall, has generated substantial controversy in the tech community. This AI-driven tool aims to enhance user productivity by capturing screenshots of active windows every few seconds, allowing users to easily retrieve past information. However, this seemingly innovative feature has raised significant privacy and security concerns among users and experts alike.

Privacy advocates and security experts have voiced concerns over the potential for Recall to inadvertently capture sensitive information, such as passwords, confidential documents, and personal data. Critics argue that the constant screenshot capturing could lead to unintended data exposure and increased risk if a device is compromised. The debate has highlighted the need for stronger privacy controls and transparent data handling practices from Microsoft to address these widespread apprehensions.

Technical Methodologies
Recall operates by taking periodic screenshots of a user’s active window, storing this data on the device for up to three months. These snapshots are analyzed by an on-device Neural Processing Unit (NPU) and an AI model, indexing the data semantically. Users can search their Recall history through natural language queries, making it easy to locate specific information.

The data collected by Recall is encrypted with BitLocker and tied to the user’s Windows account. Microsoft emphasizes that the data remains local and private, not shared with Microsoft or other users on the same device.

Impact Assessment
While Microsoft asserts that Recall is designed with user privacy in mind, critics highlight several vulnerabilities:

1. Data Exposure: Continuous screenshot capturing can inadvertently include sensitive information such as passwords, confidential documents, and personal photos. For example, if a user is working on a confidential business proposal, screenshots of this document could be captured and stored.  This data, stored locally, is accessible to anyone with device access.
2. Security Risks: If a device is compromised by malware, the attacker could potentially access the entire Recall database, extracting sensitive information stored in these snapshots.
3. User Trust: Historical data usage by large corporations has eroded user trust. Despite Microsoft’s assurances of local data storage and encryption, users remain skeptical, particularly in light of past incidents where tech companies have mishandled user data.

Strategic Responses
To mitigate these risks, users and organizations should consider the following strategies:

1. Disable Recall: Users can manage Recall settings to limit its functionality or disable it entirely. Companies can use group policies to disable Recall across all devices. For detailed instructions, refer to Microsoft’s official Recall settings guide.
2. Regular Audits: Conduct regular security audits to ensure no sensitive information is inadvertently captured and stored by Recall.
3. User Training: Educate users on the potential risks of using Recall and best practices for managing their privacy settings.

Forward-Looking Strategies
Looking ahead, Microsoft and users can adopt several strategies to address these concerns:

1. Enhanced Controls: Microsoft should provide more granular controls for users to manage what information Recall captures and stores.
2. Transparency: Continuous transparency from Microsoft about how Recall data is handled, stored, and protected is crucial to building user trust.
3. Integration with Security Solutions: Users should leverage advanced security solutions, such as those offered by nGuard, to monitor and protect data stored by Recall. nGuard’s security assessments and managed event collection services can add an extra layer of security, ensuring that sensitive data remains safe even if captured by Recall. These services help identify vulnerabilities and monitor for suspicious activities, providing comprehensive protection against potential breaches.

Conclusion
While Microsoft’s Recall feature in Windows 11 promises enhanced productivity, it brings significant privacy and security risks. Users and organizations must adopt strategic measures to safeguard their information, ensuring that this innovative tool does not become a gateway for data breaches.