It’s no surprise that Arm64 PCs hit a sweet spot for music creation and live performance. They are thin and light, have excellent battery life (I used a Surface Laptop 7 at the entire NAMM show and never had to charge it despite giving presentations and demos), great screens, USB-4 ports that support Thunderbolt 3, and are super quiet. They continue to get even more powerful, as seen during Snapdragon Summit this year with the announcements around Snapdragon X2 Elite, including the 18 core, 5 GHz Snapdragon X2 Elite Extreme.

The Snapdragon X Elite Arm64 PCs have impressed me so much over the past year and a half, not only with the hardware but the software compatibility, that I didn’t even hesitate before picking one for my daughter this past September to bring to college. The only difficult choice we had to make was the color (Surface Laptop 7 in that gorgeous Sapphire Blue).

Although my huge water-cooled coal-burning desktop is an Intel 285k beast with 192GB memory and 16TB of storage, that I could not part with, I really appreciate everything Arm brings to the table when I use my travel PC running a Snapdragon X Elite processor. And most people today purchase laptops, not desktops.

For those who prefer a laptop as their primary PC, Windows Arm64 devices are a great choice because of all the above reasons, and they have great screens and device connectivity. It was great to present at the MIDI association events at NAMM, running a full DAW workload on the laptop, while having it sitting on my lap without sending me to the burn unit. No fan blowing on the folks sitting next to me, no noise for my mic to pick up, no heat on my laptop, and best of all, no problem running plugins, a stand-alone synthesizer, MIDI 2.0 debug apps, and a full DAW. And did I mention that I didn’t have to run around looking for a power outlet while there?

Microsoft has been investing heavily in Arm64, and so are our development software and hardware partners. Let’s take a look at where we are for Arm64 for musicians and other audio professionals/creators, and where we’re headed in 2026.

Making Music on Windows on Arm

The past 12 months have seen huge progress in building the ecosystem around making music on Windows on Arm. Over the year, we’ve had most DAWs go fully native on Arm64 (including their in-box plugins), more plugin releases, releases of new native Arm64 drivers for audio interfaces, news about our own in-box ASIO driver, a great Qualcomm booth at the NAMM show and CES, and much more.

A huge thank you to all our partner developers out there who have made this happen!

This is a long-ish post with something for everyone. Here’s what we’ll cover:

• Arm64 Software like DAWs and software production
• Audio interfaces and the hardware ecosystem
• In-Box Low-latency (ASIO) Audio Driver for USB Audio Class 2 Devices

I briefly covered Windows MIDI Services in my most recent blog post. The team has been working really hard to fix any last-minute bugs found in our testing and our partner testing, and have been putting the results into the pipe to get into retail Windows. I’ll mostly leave that out of this post and provide more details there when we ship the production bits for both Arm64 and x64 in Q1 2026.

Software

There’s lots of Arm64 software, both native and emulated, but let’s focus on what’s critical to the musician workflow: DAWs, Plugins, and Software Protection.

Ableton Live

Ableton is a great partner with a great set of products, both software and hardware. Arm64 Windows laptops are especially well-suited to live performance, and so a perfect match for Live. At Snapdragon Summit this September, Qualcomm announced that Ableton Live will be coming to Arm64 in 2026, as a native application. They also put together a great video with a local Hawaiian artist to showcase in-development Ableton Live on an Arm64 Copilot+ PC.

See the Ableton Live keynote segment at 46:05

The video used in the keynote

We’re really excited to see Ableton Live coming to Arm64 in 2026!

There are many other equally important DAWs and apps out there, starting with the launch partners for Snapdragon X Elite: Steinberg Cubase and Nuendo, and REAPER.

Steinberg Cubase and Nuendo

We appreciate Steinberg taking the early leap here and leading the way for the industry by not only being among the first on the platform, but by performing live, all day, out in the Hawaiian sun, on Snapdragon laptops. The performances Cooper and Don gave out there were fantastic, and really showcased what Cubase on Windows can do.

At the Winter NAMM show this year, Cooper and Dom once again took the stage, using Cubase on Arm64, and a preview of the upcoming in-box ASIO driver, all for live performance on the show floor.

Watch the launch video with a live guitar performance on Cubase on Windows on Arm

Behind the Beats with Dom Sigalas | Snapdragon Sound Sessions

In addition, we’d like to congratulate Steinberg on the recent license changes for ASIO and VST, making them now much more open source compatible with the new terms. Thank you, Steinberg!

Cockos REAPER

REAPER is another partner that was ready for musicians at Snapdragon Summit 2026, and an early adopter for Windows on Arm. REAPER is a well-loved application with a vibrant and supportive community. It has a very efficient audio engine, all coded at a very low level and in a cross-platform way, plus a highly customizable user interface. The engineering work that went into all that is impressive to say the least.

Get REAPER here

We Justin Frankel from Cockos as a guest on the DAWbench podcast a few years back. If you want to geek out a bit with some REAPER internals, check it out here.

Bitwig Studio

Around this time last year, Bitwig Studio went fully native on Arm64. Bitwig has been a long-time Windows and Surface partner, and early to incorporate features like touch in their UI. I remember seeing Bitwig Studio on the 28” Surface Studio folding multi-touch displays at the NAMM Show a few years back, and it looked and felt amazing. Personally, I think Bitwig Studio has one of the best-looking user interfaces for DAWs.

Congratulations also to Bitwig on the release of the Bitwig Connect 4/12 audio interface. It’s one of the key test devices I have here for our new ASIO / USB Audio Class 2 driver and the new MIDI drivers and stack, and is a fantasic way to link together MIDI, audio, and modular CV control.

I also had a chance to try out the new Melbourne Instruments Roto-Control Bitwig Edition at SuperBooth back in May, and at the MIDI Association meetings before that, and the integration there is fantastic.

Bandlab Cakewalk Sonar and Cakewalk Next

I’ve worked with the Cakewalk team for a long time, even co-presenting with Noel Borthwick at a Build event a decade or so ago, where he walked through Cakewalk source live on stage. Cakewalk Sonar continues to move forward as a solid Windows DAW with a great fan base. It also recently went through a huge facelift, bringing a gorgeous dark-mode UI that really modernizes the application. Cakewalk Sonar is another application which has not shied away from making the most of Windows, with support for different input modalities, different audio APIs, and more. We’re excited to see all of this now available on Arm64 PCs.

See Cooper Carter on Cakewalk Sonar with THU on Windows on Arm

Fender/PreSonus Studio One and Fender Studio

Fender/PreSonus have ported to Windows on Arm, not only for the great DAW Studio One, but also a brand new app in the Microsoft Store on Windows: Fender Studio. The free Fender Studio app is a portable 16 track recorder with built-in Fender amp sims. But it’s more than just a guitar rig, you can use it to edit audio, record podcasts and overdubs, or just jam along live with backing tracks.

Fender Studio is built upon core technology from Studio One, which is another fantastic DAW on Windows, and one which I’ve recorded a bunch of pieces using. I’m excited to see both of these great apps go full native on Arm64.

Algoriddim djay Pro

At the Winter NAMM show this year, the Qualcomm booth was showing off djay Pro and its real-time NPU-powered stem separation capabilities. This is the kind of thing I love seeing AI and the NPU used for, where it helps the creator be more creative by doing some of the chores that are difficult or impossible to do otherwise.

This was a super popular demo station at the NAMM show, with everyone trying out their DJ skills and having to just pick up, with just two fingers, what has to be the lightest laptop I’ve ever used, and it was running djay Pro and its NPU-powered stem separation without breaking a sweat.

Surge XT

The free Surge XT synthesizer, originally started by Claus of Bitwig and CLAP fame, includes Arm64/Arm64EC native beta releases in their nightly builds, available on GitHub. Here’s SurgeXT running on my Snapdragon-powered Surface Laptop 7. The “x64 compatible” means it is Arm64EC, which enables integration with emulated processes/code, but is still native Arm64 code itself.

Get Surge XT here Try the nightly builds here

We recently interviewed Paul, the lead maintainer of Surge XT, on the DAWbench Podcast. This was a super fun podcast to record, and is now up at the DAWbench podcast site as well as YouTube, Spotify, Apple Podcasts, and more

JUCE

JUCE is one of the most popular frameworks for developing both stand-alone music creation apps as well as plugins supporting all the popular formats. They’ve had Windows Arm64 support for quite some time (Surge XT uses it, for example). Recently, PACE announced JUCE support for MIDI 2.0, including Windows MIDI Services, in their preview branch. This means JUCE will be ready for MIDI 2.0 on Windows as soon as we release it!

iLok / PACE Software Protection

Last, but certainly not least, is iLok. Or, to be more precise, the full suite of software protection products that PACE Anti-Piracy, Inc provides. As an end user, we usually only see the iLok tools themselves, but there’s much more to it, starting at the app/plugin compilation stage. To support Arm64, all of that technology needs to be ported. What ultimately we see as iLok is the end of a long chain designed to help software developers protect their investments and continue to create great software for musicians.

When we checked in with PACE, here’s what Neal Michie recently had to say about Arm64 support:

“PACE has delivered an initial beta release of its next-generation software protection to developer partners. This release introduces Arm64 support. Throughout 2026, PACE will extend Arm64 support across its full suite of products, including iLok for software licensing.” – Neal Michie – VP of Product Management, PACE Anti-Piracy, Inc.

So I’m really excited to see that coming! Software protection is a reality, especially in the plugin world, and native Arm64 versions will help unblock those developers who use PACE’s suite of tools. If you are a plugin developer this is great news for you so you can begin or finish your port to Arm64.

Other Software

There are some other popular DAWs that are blocked by their compiler technology at the moment. We’re working with those compiler teams to bring up full support for Arm64 in 2026 to help unblock these apps.

There are many other software releases including native Arm64 ports, and also optimizations to ensure apps run really well under emulation on Arm64 devices. For example, both FL Studio and Reason Studio work great under emulation. Because of the investment in the Prism emulator, in many cases, the emulated software can run nearly as well as native, but uses more battery.

Obviously plugins are an incredibly important part of this ecosystem. We’ve heard from plugin developers that many of them are working towards Arm64 support on Windows over the next calendar year. Still others can often be run under emulation in DAWs which support mixed-architecture plugin loading.

Hardware

Class-compliant MIDI devices will just work with the Windows MIDI Services stack when we release it in Q1 2026, for both x64 and Arm64. For modern MIDI devices, you generally do not need to use a third-party driver because our new code is all multi-client, performs well, and supports both MIDI 1.0 and MIDI 2.0 devices.

Beyond MIDI, audio interfaces are another area where vendor drivers are even more common (to the point of being required today to get low-latency performance). More on our approach that in a moment, but first I’d like to celebrate all the great devices out there today, complete with native Arm64 drivers.

Steinberg/Yamaha interfaces

Steinberg / Yamaha were launch partners for music creation on Snapdragon in 2024. And they’ve continued to be great partners since then. They have released, and continued to maintain, their Yamaha Steinberg USB Driver for the full set of models listed on their driver release page.

Steinberg also deserves credit for working with us to support Microsoft using the ASIO SDK in Windows for the new UAC2/ASIO driver Yamaha is building with us. Thank you to both Steinberg and Yamaha!

RME audio interfaces

In early 2025, RME released native Arm64 support for their entire line of USB Audio Class 2 devices. RME makes fantastic high-end devices (my home PC uses an HDSPe MADI FX) with stable low-latency drivers. Thanks again to RME for taking the plunge early and making so many devices available for Arm64!

RME Product Line

Focusrite interfaces

This summer, Focusrite released native Arm64 support for their entire line of USB Audio Class 2 devices. You can’t miss the red (and a limited-edition blue) boxes out there. You see them on musician desks, podcasts, gamers, and more. Focusrite makes some of the most popular audio interfaces on Windows.

Focusrite USB Audio Interfaces

Audient iD series interfaces

Just after Snapdragon Summit last year, Audient released native Arm64 support for their iD series of USB Audio Class 2 devices, providing native Arm64 support for their family of popular interfaces.

Audient Products

In-Box Low-latency USB Audio Class 2 and ASIO Driver

We applaud all of these partners for releasing great native Arm64 support. A native vendor driver will almost always be better tuned for performance for a specific line of devices vs a more generic driver. When every microsecond matters, you can’t beat them.

For devices you don’t see in the list above, if they are USB Audio Class 2-compliant, they will work with our new in-box low-latency audio driver. Our new driver also provides plug & play compatibility with all USB Audio Class 2 interfaces so that musicians, podcasts, and audio professionals can have a “just works” experience right out of the box.

A year ago, at Snapdragon Summit 2024, Qualcomm announced the new in-box ASIO driver for low-latency audio on Windows. Since that time, we’ve been partnering with Qualcomm and Yamaha to complete the driver work, with Yamaha tapping their years of audio driver development experience to create a great-performing class driver for Windows.

Today, we’re in testing, validation, and bug-fixing mode in preparation for a public preview of the new driver in 2026. Thank you to Qualcomm and Yamaha for the incredible partnership in developing this driver with us.

Opening the In-Box ASIO Driver Repo

Earlier this year, we opened the repo for this driver to make the source available to everyone. We felt that making this source code public, under a permissive MIT license, was the right way to go to help grow the ecosystem of ASIO drivers on Windows.

This driver has been developed by Yamaha Japan, using their hard-won expertise with ASIO and USB Audio Class 2 devices. We’re really excited to have partnered with them and Qualcomm on this project!

Any person or company can now take this code, and with an open source or commercial ASIO license from Steinberg, create their own ASIO drivers, building on the practices followed in our code. Or they can contribute to this driver to help us ensure it remains the best in-box USB audio driver on Windows.

It’s also a great way to see exactly what our driver is doing, and also participate in development to contribute code back to the repo to light up other features or tune performance for devices, power management, new processors, etc. This driver source code is the same source we pull into Windows, and so you can see, just like we did with MIDI 2.0, exactly how everything works. Low-latency audio repo

New Features

Our current in-box USB Audio Class 2 driver, in addition to having higher latency, also doesn’t support some key features that devices need. It doesn’t have both implicit and explicit feedback for example, nor does it support all the audio endpoints a device may surface. And, of course, it doesn’t have a native ASIO driver attached to it.

The new driver fixes all of those deficiencies, and again because of the open source nature, will be even easier for us or partners to extend in the future to support any missing features required by other new devices.

And, of course, the new driver supports both Arm64 and Intel/AMD x64 architectures, so you can use it on your Windows 11 PCs regardless of the CPU you prefer.

Release Plans

We expect to release a public preview of the new driver in 2026 through Windows Insider Canary releases of Windows. We may have to release the ASIO control panel applet separately via GitHub, but are working on the plan for that.

We expect a long public validation cycle with this driver, because there are so many devices we need to ensure backwards compatibility with. These aren’t just musician-focused devices, but also various docks, headphones, DACs, and more.

If you want to participate in this work, our MIDI Discord server is now the MIDI and Audio Discord server, and has specific channels just for the new driver. In addition, for developers, we welcome bug reports in our public repo.

Others

We know there’s a strong desire for other ASIO drivers in Windows as well, including those for on-board low-latency audio, and something to provide aggregation of different audio endpoints. While we do not yet have concrete plans to share there, we recognize both the need and the utility of this for musicians on Windows.

The future is bright

With apps, devices, and important technologies like JUCE and iLok all either already native or coming soon, we know that making music on Windows on Arm will be an excellent experience for everyone, whether in the studio, home, or out.

The post Fall 2025 Windows Musician Technology and Arm64 Update appeared first on Windows MIDI and Music dev.

A Texas Judge has rejected a request from Texas Attorney General Ken Paxton to issue a temporary order barring Tylenol’s maker, Kenvue, from claiming amid litigation that the pain and fever medication is safe for pregnant women and children, according to court documents.

In records filed Friday, District Judge LeAnn Rafferty, in Panola County, also rejected Paxton’s unusual request to block Kenvue from distributing $400 million in dividends to shareholders later this month.

The denials are early losses for Paxton in a politically charged case that hinges on the unproven claim that Tylenol causes autism and other disorders—a claim first introduced by President Trump and his anti-vaccine health secretary, Robert F. Kennedy Jr.

In a bizarre press conference in September, Trump implored Americans repeatedly not to take the drug. But, scientific studies have not shown that Tylenol (acetaminophen) causes autism or other neurologic disorders. Some studies have claimed to find an association between Tylenol use and autism, but the studies have significant flaws, and others have found no link. Moreover, Tylenol is considered the safest pain and fever drug for use during pregnancy, and untreated pain and fevers in pregnancy are known to cause harms, including an increased risk of autism.

Still, Paxton filed the lawsuit October 28, claiming that Kenvue and Tylenol’s former parent company, Johnson & Johnson, deceptively marketed Tylenol as safe while knowing of an increased risk of autism and other disorders. The lawsuit sought to force Kenvue to change the way it markets Tylenol and pay fines, among other requests.

As a first step, the attorney general—who is running to unseat U.S. Sen. John Cornyn in next year’s Republican primary—attempted to get the judge to temporarily bar some of Tylenol’s safety claims and stop Kenvue from paying the dividends. He failed on both accounts.

Paxton made the request to stop the dividends under a state law that can keep companies on the brink of financial ruin from giving out funds that could otherwise be reserved for creditors, such as those suing the company over claims that Tylenol caused autism or other harms. Kenvue is facing a number of such lawsuits in the wake of Trump’s announcement. But, even the state’s lawyers acknowledged that Paxton’s request to block dividends was “extraordinary,” according to The Texas Tribune.

According to Reuters, one of Kenvue’s lawyers, Kim Bueno, explained that the problem with the state of Texas making this request is that Kenvue is based in New Jersey and incorporated in Delaware. “There was no jurisdiction to challenge that,” she said.

Rafferty determined that she did not have jurisdiction over the dividend claim. She also denied the marketing claim, which even the Trump administration is not standing by. The day after Paxton filed his lawsuit, Kennedy said that “the causative association… between Tylenol given in pregnancy and the perinatal periods is not sufficient to say it definitely causes autism.” Though, he called some studies “very suggestive.”

Read full article

Comments

On Friday, a US District Court issued a preliminary injunction blocking the United States government from halting federal funding at UCLA or any other school in the University of California system. The ruling came in response to a suit filed by groups representing the faculty at these schools challenging the Trump administration’s attempts to force UCLA into a deal that would substantially revise instruction and policy.

The court’s decision lays out how the Trump administration’s attacks on universities follow a standard plan: use accusations of antisemitism to justify an immediate cut to funding, then use the loss of money to compel an agreement that would result in revisions to university instruction and management. The court finds that this plan was deficient on multiple grounds, violating legal procedures for cutting funding to an illegal attempt and suppressing the First Amendment rights of faculty.

The result is a reprieve for the entire University of California system, as well as a clear pathway for any universities to fight back against the Trump administration’s attacks on research and education.

First Amendment violations

The Judge overseeing this case, Rita Lin, issued separate documents describing the reasoning behind her decision and the sanctions she has placed on the Trump administration. In the first, she lays out the argument that the threats facing the UC system, and most notably UCLA, are part of a scripted campaign deployed against many other universities, one that proceeds through several steps. The Trump administration’s Task Force to Combat Anti-Semitism is central to this effort, which starts with the opening of a civil rights investigation against a university that was the site of anti-Israel protests during the conflict in Gaza.

“Rooting out antisemitism is undisputedly a laudable and important goal,” Judge Lin wrote. But the investigations in many cases take place after those universities have already taken corrective steps, which the Trump administration seemingly never considers. Instead, while the investigations are still ongoing, agencies throughout the federal government cancel funding for research and education meant for that university and announce that there will be no future funding without an agreement.

The final step is a proposed settlement that would include large payments (over $1.2 billion in UCLA’s case) and a set of conditions that alter university governance and instruction. These conditions often have little to no connection with antisemitism.

While all of this was ostensibly meant to combat antisemitism, the plaintiffs in this case presented a huge range of quotes from administration officials, including the head of the Task Force to Combat Anti-Semitism, saying the goal was to suppress certain ideas on campus. “The unrebutted record in this case shows that Defendants have used the threat of investigations and economic sanctions to… coerce the UC to stamp out faculty, staff, and student ‘woke,’ ‘left,’ ‘anti-American,’ ‘anti-Western,’ and ‘Marxist’ speech,” Lin said.

And even before any sort of agreement was reached, there was extensive testimony that people on campus changed their teaching and research to avoid further attention from the administration. “Plaintiffs’ members express fear that researching, teaching, and speaking on disfavored topics will trigger further retaliatory funding cancellations against the UC,” Lin wrote, “and that they will be blamed for the retaliation. They also describe fears that the UC will retaliate against them to avoid further funding cuts or in order to comply with the proposed settlement agreement.”

That’s a problem, given that teaching and research topics are forms of speech, and therefore protected by the First Amendment. “These are classic, predictable First Amendment harms, and exactly what Defendants publicly said that they intended,” Lin concluded.

Beyond speech

But the First Amendment isn’t the only issue here. The Civil Rights Act, most notably Title VI, lays out a procedure for cutting federal funding, including warnings and hearings before any funds are shut off. That level of coercion is also limited to cases where there’s an indication that voluntary compliance won’t work. Any funding cut would need to target the specific programs involved and the money allocated to them. There is nothing in Title VI that enables the sort of financial payments that the government has been demanding (and, in some cases, receiving) from schools.

It’s pretty obvious that none of these procedures are being followed here. And as Lin noted in her ruling, “Defendants conceded at oral argument that, of the billions of dollars of federal university funding suspended across numerous agencies in recent months, not a single agency has followed the procedures required by Title VI and IX.”

She found that the government decided it wasn’t required to follow the Civil Rights Act procedures. (Reading through the decision, it becomes hard to tell where the government offered any defense of its actions at all.)

The decision to ignore all existing procedures, in turn, causes additional problems, including violations of the Tenth Amendment, which limits the actions that the government can take. And it runs afoul of the Administrative Procedures Act, which prohibits the government from taking actions that are “arbitrary and capricious.”

All of this provided Lin with extensive opportunities to determine that the Plaintiffs, largely organizations that represent the faculty at University of California schools, are likely to prevail in their suit, and thus are deserving of a preliminary injunction to block the federal government’s actions. But first, she had to deal with a recent Supreme Court precedent holding that cases involving federal money belong in a different court system. She did so by arguing that this case is largely about First Amendment and federal procedures rather than any sort of contract for federal money; money is being used as a lever here, so they ruling must involve restoring the money to address the free speech issues.

That issue will undoubtedly be picked up on appeal as it makes its way through the courts.

Complete relief

Lin identified a coercive program that is being deployed against many universities and is already suppressing speech throughout the University of California system, including on campuses that haven’t been targeted yet. She is issuing a ruling that targets the program broadly.

“Plaintiffs have shown that Defendants are coercing the [University of California] as a whole, through the Task Force Policy and Funding Cancellation, to stamp out their members’ disfavored speech,” Lin concluded. “Therefore, to afford Plaintiffs complete relief, the entirety of the coercive practice must be enjoined, not just the suspensions that impact Plaintiffs’ members.”

Her ruling indicates that if the federal government decides it wants to cut any grants to any school in the UC system, it has to go through the entire procedure set out in the Civil Rights Act. The government is also prohibited from demanding money from any of these schools as a fine or payment, and it can’t threaten future funding to the schools. The current hold on grants to the school by the government must also be lifted.

In short, the entire UC system should be protected from any of the ways that the government has been trying to use accusations of antisemitism to suppress ideas that it disfavors. And since those primarily involve federal funding, that has to be restored, and any future threats to it must be blocked.

While this case is likely to face a complicated appeals process, Lin’s ruling makes it extremely clear that all of these cases are exactly what they seemed. Just as members of the administration stated in public multiple times, they decided to target some ideas they disfavored and simply made up a process that would let them do so.

While it worked against a number of prominent universities, its legal vulnerabilities have been there from the start.

Read full article

Comments

An anonymous reader quotes a report from Ars Technica: On Thursday evening, OpenAI CEO Sam Altman posted on X that ChatGPT has started following custom instructions to avoid using em dashes. "Small-but-happy win: If you tell ChatGPT not to use em-dashes in your custom instructions, it finally does what it's supposed to do!" he wrote. The post, which came two days after the release of OpenAI's new GPT-5.1 AI model, received mixed reactions from users who have struggled for years with getting the chatbot to follow specific formatting preferences. And this "small win" raises a very big question: If the world's most valuable AI company has struggled with controlling something as simple as punctuation use after years of trying, perhaps what people call artificial general intelligence (AGI) is farther off than some in the industry claim. "The fact that it's been 3 years since ChatGPT first launched, and you've only just now managed to make it obey this simple requirement, says a lot about how little control you have over it, and your understanding of its inner workings," wrote one X user in a reply. "Not a good sign for the future."

Read more of this story at Slashdot.

The WM_COPY­DATA message can be used to send a blob of data from one window to another. The window manager does the work of copying the data from the sending process to the receiving process, but how does the receiving process send data back?

If the only information that needs to come back is a success/failure, the recipient can return TRUE on success or FALSE on failure.

But if you need to return more information, then you have a few choices.

One is to have the receiving window send the results back to the sending window by sending the WM_COPY­DATA message back to the sending window. (The sending window passes its handle in the wParam.) The data blob can contain a transaction ID or some other way to distinguish which WM_COPY­DATA the recipient is responding to.

Another way is for the sending window to create a shared memory block, duplicate the shared handle into the receiving window’s process,¹ and then pass the duplicated handle in the WM_COPY­DATA payload. The receiving window can use Map­View­Of­File to access the shared memory block and write its results there. Of course, if you’re going to do it this way, then you don’t really need WM_COPY­DATA; you can just use a custom message and pass the handle in, say, the wParam.

A customer said that if they created a shared memory block with Create­File­Mapping, they were worried because memory would become visible to all other processes, not just the two processes trying to talk to each other.

Maybe they were thinking about named shared memory blocks, which are accessible to anybody who knows (or can guess) the name, and for whom access is granted by the shared memory block’s access control list.

So don’t use a named shared memory block. Use an anonymous one. The only way to get access to an anonymous shared memory block is to get access to its handle.

So your exposure is not to all processes but just processes which have “duplicate handle” permission. And somebody has “duplicate handle” permission on your process, then they already pwn your process: They can duplicate the GetCurrentProcess() handle out of your process, and that gives them a handle with full access to your process. Your exposure is only to people who are already on the other side of the airtight hatchway.

¹ This assumes that the sending process is running at equal or higher integrity level than the recipient. If the roles are reversed, with a low integrity process sending to a high integrity process, you can delegate the duplication to the recipient. The low integrity sending process allocates the shared memory and puts the handle into the WM_COPY­DATA memory block. The recipient can then call Duplicate­Handle function to duplicate the handle out of the sending process, using Get­Window­Thread­Process­Id to get the sender’s process ID. You can include information in the WM_COPY­DATA memory block to indicate that you are in this reverse case.

The post I can use <CODE>WM_<WBR>COPY<WBR>DATA</CODE> to send a block of data to another window, but how does it send data back? appeared first on The Old New Thing.

Over the past year, scammers have ramped up a new way to infect the computers of unsuspecting people. The increasingly common method, which many potential targets have yet to learn of, is quick, bypasses most endpoint protections, and works against both macOS and Windows users.

ClickFix often starts with an email sent from a hotel that the target has a pending registration with and references the correct registration information. In other cases, ClickFix attacks begin with a WhatsApp message. In still other cases, the user receives the URL at the top of Google results for a search query. Once the mark accesses the malicious site referenced, it presents a CAPTCHA challenge or other pretext requiring user confirmation. The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter.

One line is all it takes

Once entered, the string of text causes the PC or Mac to surreptitiously visit a scammer-controlled server and download malware. Then, the machine automatically installs it—all with no indication to the target. With that, users are infected, usually with credential-stealing malware. Security firms say ClickFix campaigns have run rampant. The lack of awareness of the technique, combined with the links also coming from known addresses or in search results, and the ability to bypass some endpoint protections are all factors driving the growth.

“This campaign highlights that leveraging malvertising and the one-line installation-command technique to distribute macOS information stealers remains popular among eCrime actors,” researchers from CrowdStrike wrote in a report documenting a particularly polished campaign designed to infect Macs with a Mach-O executable, a common binary that runs on macOS. “Promoting false malicious websites encourages more site traffic, which will lead to more potential victims. The one-line installation command enables eCrime actors to directly install the Mach-O executable onto the victim’s machine while bypassing Gatekeeper checks.”

The primary piece of malware installed in that campaign is a credential-stealer tracked as Shamos. Other payloads included a malicious cryptocurrency wallet, software for making the Mac part of a botnet, and macOS configuration changes to allow the malware to run each time the machine reboots.

Another campaign, documented by Sekoia, targeted Windows users. The attackers behind it first compromise a hotel’s account for Booking.com or another online travel service. Using the information stored in the compromised accounts, the attackers contact people with pending reservations, an ability that builds immediate trust with many targets, who are eager to comply with instructions, lest their stay be canceled.

The site eventually presents a fake CAPTCHA notification that bears an almost identical look and feel to those required by content delivery network Cloudflare. The proof the notification requires for confirmation that there’s a human behind the keyboard is to copy a string of text and paste it into the Windows terminal. With that, the machine is infected with malware tracked as PureRAT.

Push Security, meanwhile, reported a ClickFix campaign with a page “adapting to the device that you’re visiting from.” Depending on the OS, the page will deliver payloads for Windows or macOS. Many of these payloads, Microsoft said, are LOLbins, the name for binaries that use a technique known as living off the land. These scripts rely solely on native capabilities built into the operating system. With no malicious files being written to disk, endpoint protection is further hamstrung.

The commands, which are often base-64 encoded to make them unreadable to humans, are often copied inside the browser sandbox, a part of most browsers that accesses the Internet in an isolated environment designed to protect devices from malware or harmful scripts. Many security tools are unable to observe and flag these actions as potentially malicious.

The attacks can also be effective given the lack of awareness. Many people have learned over the years to be suspicious of links in emails or messengers. In many users’ minds, the precaution doesn’t extend to sites that instruct them to copy a piece of text and paste it into an unfamiliar window. When the instructions come in emails from a known hotel or at the top of Google results, targets can be further caught off guard.

With many families gathering in the coming weeks for various holiday dinners, ClickFix scams are worth mentioning to those family members who ask for security advice. Microsoft Defender and other endpoint protection programs offer some defenses against these attacks, but they can, in some cases, be bypassed. That means that, for now, awareness is the best countermeasure.

Read full article

Comments