Security-Portal.cz je internetový portál zaměřený na počítačovou bezpečnost, hacking, anonymitu, počítačové sítě, programování, šifrování, exploity, Linux a BSD systémy. Provozuje spoustu zajímavých služeb a podporuje příznivce v zajímavých projektech.

Kategorie

Microsoft’s Secure Boot has been broken for a decade and no one noticed until now

Ars Technica - 1 hodina 53 min zpět

An industry-wide standard Microsoft invented to protect Windows, and later Linux, devices from firmware infections has been trivial to bypass for 13 of its 14 years of existence. The discovery was made by researchers at security firm ESET after identifying 11 firmware images, at least one from 2013, that were known to be defective but remained signed by the software company anyway.

The images are known as shims, which were invented to extend Secure Boot to Linux devices and utility software. Using a technique simple enough to be performed by novice hackers, these old, forgotten shims can be used to completely circumvent the protection, which is embedded into the UEFI (Unified Extensible Firmware Interface) of the device's motherboard. The gaffe is the result of Microsoft, which oversees the signing of shims, failing to revoke the publicly available images once vulnerabilities were found in them.

Threat extends to Windows and Linux users

The threat extends to Windows and Linux users alike, since the shim can be installed on devices running both operating systems. From there, an attacker can subvert the mandated chain of digitally signed firmware to install malicious firmware that loads early in the boot process and persists after either the OS is reinstalled or a hard drive is replaced.

Read full article

Comments

SonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch now

Bleeping Computer - 14 Červenec, 2026 - 23:23
SonicWall warns that threat actors have been exploiting two SMA1000 vulnerabilities, tracked as CVE-2026-15409 and CVE-2026-15410, in zero-day attacks and urges customers to install the newly released security updates. [...]
Kategorie: Hacking & Security

Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

The Hacker News - 14 Červenec, 2026 - 22:25
Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft's own CVEs by its Security Update Guide count, more than triple June's previous high of around 200. Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are Swati Khandelwalhttp://www.blogger.com/profile/[email protected]
Kategorie: Hacking & Security

Spanish Police take down €140 million cyber fraud ring, arrest four

Bleeping Computer - 14 Červenec, 2026 - 22:23
The Spanish Police dismantled a cybercrime and money-laundering organization that made €140 million ($160 million) from investment fraud and business email compromise (BEC) attacks. [...]
Kategorie: Hacking & Security

Nearly 300 GitHub repos pose as legit software to push malware

Bleeping Computer - 14 Červenec, 2026 - 21:15
A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware. [...]
Kategorie: Hacking & Security

Microsoft releases Windows 10 KB5099539 extended security update

Bleeping Computer - 14 Červenec, 2026 - 20:49
Microsoft has released the Windows 10 KB5099539 extended security update, which includes the July 2026 Patch Tuesday security updates for 570 vulnerabilities, along with additional security fixes. [...]
Kategorie: Hacking & Security

SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data

The Hacker News - 14 Červenec, 2026 - 20:17
SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP. The vulnerability in question is CVE-2026-44747 (CVSS score: 9.9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]
Kategorie: Hacking & Security

Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days

Bleeping Computer - 14 Červenec, 2026 - 20:01
Today is Microsoft's July 2026 Patch Tuesday, and with it comes security updates for a record-breaking 570 flaws, including two zero-day vulnerabilities exploited in attacks and one publicly disclosed. [...]
Kategorie: Hacking & Security

Windows 11 KB5101650 & KB5099414 cumulative updates released

Bleeping Computer - 14 Červenec, 2026 - 19:41
Microsoft has released Windows 11's June 2026 Update for version 25H2, 24H2, and 23H2, bringing fixes for over 570 security issues. [...]
Kategorie: Hacking & Security

Researchers Say Claude for Chrome Flaw Lets Rogue Extensions Trigger Gmail Reads

The Hacker News - 14 Červenec, 2026 - 19:27
Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar. Both this and ClaudeBleed need a rogue extension that can already run a script on claude.ai; the difference is scope. Anthropic restricted the arbitrary-prompt path in May as part of its response to the Swati Khandelwalhttp://www.blogger.com/profile/[email protected]
Kategorie: Hacking & Security

LabubaRAT Masquerades as NVIDIA Software to Control Windows Hosts

The Hacker News - 14 Červenec, 2026 - 18:52
Cybersecurity researchers have flagged a previously undocumented Rust-based remote access trojan (RAT) codenamed LabubaRAT that masquerades as NVIDIA software to blend into target environments. "LabubaRAT creates a reusable foothold for hands-on activity," Blackpoint Cyber researchers Sam Decker and Nevan Beal said in an analysis published today. "Once deployed, it can profile the host, Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]
Kategorie: Hacking & Security

Progress confirms ShareFile zero-day flaw behind Storage Zone shutdown

Bleeping Computer - 14 Červenec, 2026 - 18:08
Progress Software has confirmed that a high-severity zero-day vulnerability is behind the emergency shutdown of ShareFile Storage Zone Controllers last week and has released security updates to patch the flaw. [...]
Kategorie: Hacking & Security

Siri AI steals the show as the iOS 27 public beta lands

Computerworld.com [Hacking News] - 14 Červenec, 2026 - 17:47

Apple has released the first public betas of its “27” series of operating systems, and feedback so far suggests they’re already very stable builds, even at this early end of the release cycle. 

For most intrepid public beta testers, the big attractions here are Siri AI and the heavily improved Apple Intelligence tools – though Siri AI is not yet available in Europe due to regulatory problems there. Overnight social media commentary has been highly positive, with Siri widely seen as delivering on what we always thought it should be rather than the limited product it became.

Caveat emptor

Once installed, the new operating system is fast and better performing on the iPhone, though there are some limitations anyone considering the beta should consider first:

  • This is beta software; things can and sometimes do go wrong. So don’t install it on your primary device unless you know how to restore your device and its data.
  • Some critical apps such as banking tools, VPNs and some smart home management software are reported to be unstable at times.
  • Once the public beta is first installed, there’s a lengthy period during which your device will rebuild its database; this can take many hours and performance will be affected.
  • As the OS beds in, users might experience sudden battery drain or the device might seem warmer than usual.
  • You’ll need to join a lengthy Siri waitlist before you can install the updated Siri AI.
  • Siri AI requires significant hardware capabilities and only runs on iPhone 15 Pro, iPhone 16 and iPhone 17 models. Alternatively, you must have an M1 or later Mac or an iPad running an M1 chip or later, or A17 Pro (iPad mini).
Siri AI is a big improvement

Siri AI is the big reward here. Joanna Stern called it “significantly better.” It will provide you with much better responses than its predecessor, and its contextual understanding is sophisticated and advanced. 

That’s because Siri can search across your messages, emails, photos and more to help you find what you’re looking for and has some understanding of where you are and what you are doing to help it make even more accurate decisions. It is faster than it’s ever been with a dedicated app (which includes logs of your interactions) and a new glowing design when activated. 

The assistant can now hold an ongoing conversation with you, understands what’s on screen, and take some actions in apps. One way that might be useful is if you are looking at a recipe online, you can ask Siri to write up a shopping list for the recipe ingredients and paste it in a Note. Siri has become much more knowledgeable than in the past thanks to its expanded and updated world knowledge database.

Apple Intelligence has been beefed up, too, with keyboard tools much improved on the last version. Siri can even reflect your personal tone and style based on the person you’re communicating with when sending a Mail or Messages post. 

Apple and the image

The Camera app now has a new Siri mode; it can do things like identify objects and people, or import event details from a leaflet. You can easily search or ask questions about what’s around you, and there are useful new actions you can take, such as getting nutritional insights about a plate of food.

Image Playground wasn’t terribly impressive when it first appeared, and a lot of people did little with it. It seems much better now, capable of generating photo-realistic images in virtually any style from natural language prompts or editing existing images. It’s a useful step up.

Another impressive feature is Spatial Reframing. This lets you shift the composition of a photo after you’ve taken it, using AI to create accurate renditions of what is outside the frame. A new Extend tool lets you expand images, which is useful for adjusting aspect ratios or creating Lock Screen wallpapers.

The future on your wrist

If you use an Apple Watch, you’ll be impressed, as the contextual AI extends to that device. So, you can have context-savvy conversations with your watch and ask it to do tasks on your behalf. It makes it feel like a bona fide computer on your wrist and bodes well for other future wearable products from the company

There are lots of other interesting features in the beta. Call Context can automatically surface the information you need, like a confirmation code or reservation number, when calling up a business. And a new Notify Me feature in Safari lets you know when a web page changes, so you can watch for stock availability or ticket sales.

How to install the beta

If you’re interested in installing the new OSes, Apple’s Beta Software Program website should be your first port of call. You’ll need to sign in to access the betas using your Apple Account. Once you’ve done that, open Settings and go to Software Update; there you can select Beta Updates and choose the 27 series Public beta. Tap Update Now and the installation will begin.

You can follow me on social media! Join me on BlueSkyLinkedInMastodon, and subscribe to The Core.

Kategorie: Hacking & Security

LastPass, Bitwarden users targeted with fake security alerts

Bleeping Computer - 14 Červenec, 2026 - 17:31
LastPass is warning users about an ongoing phishing campaign that is using fake security notices to direct them to fraudulent websites. [...]
Kategorie: Hacking & Security

GhostLock Exposes an Uncomfortable Truth About Open Source Security

LinuxSecurity.com - 14 Červenec, 2026 - 16:17
When researchers announced GhostLock, many people focused on the exploit. What stood out to me wasn't just what the vulnerability could do, but how long it had remained hidden. The flaw had lived in the Linux kernel for roughly 15 years before it was publicly identified by researchers. That means the flaw survived hundreds of kernel releases and years of upstream development before it was publicly documented. It raises an uncomfortable question about one of open source's oldest assumptions. O...
Kategorie: Hacking & Security

You Don't Have to Run an Exploit to Know If You're Vulnerable

Bleeping Computer - 14 Červenec, 2026 - 16:00
Many vulnerabilities cannot be safely validated with live exploits, either because no exploit exists or the affected systems are too critical to test. Picus explains how TTP chaining helps organizations determine exploitability by validating the attack techniques an exploit depends on, without launching the exploit itself. [...]
Kategorie: Hacking & Security

RabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue Metadata

The Hacker News - 14 Červenec, 2026 - 15:48
Cybersecurity researchers have disclosed details of two access control-related flaws impacting the RabbitMQ message broker service that could allow attackers to leak OAuth client secrets, expose enterprise messaging infrastructure to takeover risks, and bypass tenant boundaries. Miggo's security team, which discovered and reported the flaws, said one "leaks the broker's confidential OAuth Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]
Kategorie: Hacking & Security

How Linux Security Teams Spot Vulnerabilities Before CVEs Are Published

LinuxSecurity.com - 14 Červenec, 2026 - 15:12
Most of us don't hear about a kernel vulnerability until a CVE lands in our inbox or the vulnerability scanner starts complaining. By then, the patch isn't new anymore. Kernel developers may have been passing it around for review, arguing over the implementation, or revising it for days before anyone outside that community noticed it. None of those discussions are secret. They're sitting in mailing list archives, Git commits, and patch reviews where they've been the whole time. The strange pa...
Kategorie: Hacking & Security

Microsoft Entra ID gets passkeys default authentication starting September

Bleeping Computer - 14 Červenec, 2026 - 14:49
Microsoft has announced that passkeys will become the default authentication method for the Entra ID enterprise identity service starting September 2026. [...]
Kategorie: Hacking & Security

New phishing kits target Microsoft 365 accounts, evade MFA

Bleeping Computer - 14 Červenec, 2026 - 14:49
Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA). [...]
Kategorie: Hacking & Security
Syndikovat obsah