RSS aggregator
Microsoft set a record with its June Patch Tuesday release, addressing 206 CVEs across its products and shipping fixes for them, with 38 deemed critical and the rest important. Three are listed as publicly known, but none (so far) have been exploited in the wild. We have no idea how many of these June bugs were uncovered using AI tools. Unlike last month’s patching event, when Redmond disclosed its agentic bug-hunting system found 16 of the 137 vulnerabilities, there’s no word on any AI assists for new releases. Still, it’s safe to assume AI played a major role. As Tom Gallagher, VP of engineering at Microsoft Security Response Center, said about May's Patch Tuesday with a whopping 30 critical flaws: “We expect releases to continue trending larger for some time.” June’s Patch Tuesday proved Gallagher correct, surpassing May in both overall volume and critical bugs. “I’ve been counting CVEs on Patch Tuesday since 2017, and this is by far the largest monthly release in that time,” Zero Day Initiative’s bug hunter in chief Dustin Childs said in his review. “It is extraordinary that Microsoft can produce so many patches in a single month, but it does raise concerns,” he added, asking, as we did: How many were found via AI? And: “How many patches were generated using AI to assist in coding or testing? What quality issues may exist in these patches? And likely most importantly, is this the new normal?” Childs noted that May and April also saw mega releases. “Should sysadmins adjust their processes for prioritization and patch deployment based on this new volume of updates? Unfortunately, Microsoft is not providing those answers right now,” he wrote, adding in this fun fact: “The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018.” Wowza. 
While it’s fun to watch from a purely speculative standpoint, as in: "Will Microsoft top 300 next month?", our thoughts and prayers are nonetheless with sysadmins and vulnerability management teams drowning in the AI-induced vulnpocalypse by now.
None of the Patch Tuesday security holes are listed as under attack – at least not yet – but three are listed as publicly known. Let’s take a look at those first.
Three known vulnerabilities
CVE-2026-49160 is an HTTP.sys denial of service vulnerability that we wrote about earlier this month. Calif researcher Quang Luong discovered the attack with an assist from OpenAI's Codex agent, named it HTTP/2 Bomb, and said it exploits the HTTP/2 header compression algorithm by sending thousands of tiny messages to the server, forcing it to rapidly allocate memory and ultimately crash.
At the time, a Microsoft spokesperson told The Register that Redmond was “aware and actively investigating appropriate mitigations.”
On Tuesday, the tech giant fixed the security issue by introducing a new MaxHeadersCount registry setting, which allows users to limit the number of headers included in HTTP/2 and HTTP/3 requests, and should prevent denial-of-service attacks.
CVE-2026-50507, a security feature bypass bug in Windows BitLocker, is the second CVE listed as publicly disclosed, and “exploitation more likely.” An attacker with physical access to the vulnerable system could bypass the BitLocker Device Encryption feature and gain access to the device's encrypted data, according to the advisory.
This flaw also seems to be a patch for one of the zero-days dropped in the ongoing war between Microsoft and a disgruntled bug hunter known as Nightmare Eclipse - likely the YellowKey vulnerability disclosed in May. Nightmare has published details about and in some cases, full proof-of-concept exploit code for six zero-days, and promised a “bone shattering” release on June 14.
The third publicly known bug, CVE-2026-45586, is a Windows Collaborative Translation Framework (CTFMON) elevation of privilege vulnerability that can be abused by an authorized attacker to elevate privileges locally and gain SYSTEM access. From there, miscreants could deploy malware, steal data, and move laterally through the victim's environment - so patch this one sooner.
Plus these two (of 38) critical bugs
In addition to those three known vulnerabilities that made the rounds before Microsoft issued a patch, a couple of critical-rated 9.8 security flaws are worth highlighting this month.
The first, CVE-2026-45657, is a Windows kernel remote code execution (RCE) bug that allows remote, unauthenticated attackers to run code with system-level privileges without any user interaction. It’s due to an error in how the Windows kernel processes some TCP/IP data, and can be exploited by sending malicious network packets to a vulnerable Windows system, thus triggering the flaw.
While it’s listed as “exploitation less likely” by Redmond, we like Childs’ response. “Rest assured that every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit,” he said. “Test and deploy this patch quickly.”
CVE-2026-47291, an HTTP.sys RCE vulnerability that also earned a 9.8 CVSS rating, deserves attention as it can also be triggered with zero user interaction and Microsoft says it’s “more likely” to be exploited.
“This vulnerability creates severe business risk because HTTP.sys is used by Windows services that process HTTP traffic,” Alex Vovk, CEO and co-founder of patch-management vendor Action1, told The Register. “A successful attack could lead to server takeover, malware deployment, data theft, service disruption, and lateral movement across the environment. Internet-facing systems are especially exposed.”
The good news: systems using the Windows HTTP stack’s default MaxRequestBytes registry value are not affected.
In the advisory, Redmond provides detailed instructions on how to edit registry settings, which can buy admins some time (and security) while deploying the patch. ®
Illness can ruin not only your trip but also your vacation leave from work. When do the days off not count, and what confirmation must you give your employer?
For a long time the rule was that young people could sign up for temporary jobs from the age of 15 and could perform them only after completing compulsory schooling. Since last year, however, fourteen-year-olds can also take summer jobs.
Paperless-ngx converts scans, invoices and contracts into a local searchable archive with OCR, metadata and full-text search. On a home server or NAS it can replace a pile of PDFs in directories.
We run an AI agent directly in the terminal, organize project development in a lightweight local tracker, stream audio to wireless renderers, and diagnose a car through a serial adapter.
The British company Thales (UK) recently tested its RapidDestroyer microwave weapon in an improved version with four antennas and artificial intelligence. Although it is designed to counter whole swarms of drones, these tests involved individual drones, with the developers observing how the microwave strike destroys the drones it hits.
A book with this title was recently published, with the subtitle Atlas exkurzí po pamětních místech vědy v českých zemích (An Atlas of Excursions to Memorial Sites of Science in the Czech Lands). In addition, the extensive application Živá mapa dějin přírodních věd v českých zemích (Living Map of the History of the Natural Sciences in the Czech Lands) is freely accessible on the web, with a large number of further active links.
From a toxicologist's point of view, the Azores look rather boring at first glance. No snakes or scorpions live here, and you will not find a chemical plant spewing industrial poisons either. Setting aside a few irritant endemic plants, such as the local Azorean spurge (Euphorbia azorica), one of the most significant toxicological threats is the invasive common lantana (Lantana camara).
If primordial black holes of asteroid to lunar size roam the universe, a star that gets in their way could occasionally swallow one. How would such an unlucky star end up? And what could we observe in that case? Models of stellar evolution with magnetohydrodynamic simulations offer an answer.
The segment that Intel originally intended to cover with a six-core Nova Lake configuration will in the end get the older WildCat Lake with double the number of large cores…
ServiceNow is warning about a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances. [...]
Phishing simulation on an OpenClaw email agent with various configuration profiles showed that it was susceptible to tactics commonly used to compromise human users. [...]
Microsoft on Tuesday released fixes for two high-severity zero-days that were disclosed by a researcher who has been locked in a testy beef with the software giant.
Nightmare Eclipse, the pseudonym the researcher goes by, released a handful of high-severity vulnerabilities in recent months, making them zero-days that had the potential to be exploited in the wild. The researcher has said the disclosures, which included proof-of-concept code, came after Microsoft reneged on an arrangement the two made regarding vulnerabilities they had discussed.
Disclosure drama
“But someone violated our agreement and left me homeless with nothing,” Nightmare Eclipse wrote in March. “They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.”
Warning for Asahi Linux users: Do not update macOS to version 27 Golden Gate! Apple has changed how it detects boot partitions. After the update, it does not see the Asahi Linux partition. Hopefully it is just a bug.
SAP has released fixes for 15 vulnerabilities as part of its June 2026 Security Patch package, including four critical-severity flaws affecting SAP NetWeaver and SAP Commerce Cloud. [...]
MUNICH — Nextcloud has integrated Euro-Office into its workplace application suite, one of several updates to Nextcloud Hub unveiled on Tuesday that include a new compliance app for large organizations and a program to support developers building for its platform.
The announcements came during the company’s Nextcloud Summit 2026 here.
Euro-Office, announced in March, is billed as an open source, sovereign alternative to Microsoft Office for European organizations keen to reduce their reliance on US tech providers. It consists of four browser-based applications: a document editor, spreadsheet program, presentation tool, and a PDF editor — each enabling collaborative editing. Euro-Office documents can also be opened directly from the Nextcloud Files mobile app.
Nextcloud is one of several European companies that support Euro-Office, which is built on the open-source code base of OnlyOffice and distributed under the GNU Affero General Public License v3 (AGPL v3).
The integration means Nextcloud users can now choose between two options in Nextcloud Office: Euro-Office and the existing Collabora integration.
“Euro-Office uses a different architectural approach that can result in a better performance in the browser, a different user experience…, so it’s important that this option is available,” Jos Poortvliet, Nextcloud co-founder and vice president of communications, said at the Tuesday event.
Other changes in the Nextcloud Hub 26 Spring release include updates to Nextcloud’s Talk video and voice meeting app, including AI noise suppression and the ability to start a call from any Nextcloud Hub app – an addition that will make collaborative editing easier, said Poortvliet.
For Nextcloud Assistant, there are new AI agent capabilities. In addition to existing capabilities such as managing calendars and tasks, AI agents can now create cards in Nextcloud’s Deck task management app and update information in the Forms app.
There are also improvements to the AI assistant’s interface, which can be moved around to avoid blocking other applications and allow users to copy and paste text more easily without opening another tab. To meet EU AI Act requirements, Nextcloud will make it easier to see which provider supplies the large language model (LLM) the Assistant runs on.
Nextcloud will also integrate the AI assistant directly into its Nextcloud Office suites via a sidebar chat interface, allowing users to address problems such as errors in the spreadsheet app.
[Image: NextCloud’s AI chat assistant is integrated into the company’s Office suites. Credit: NextCloud]
There’s also a new Governance app that helps large organizations — particularly governments and highly regulated industries — meet regulatory requirements with compliance tools to manage data held in Nextcloud Hub. It contains several features, including sensitivity labels to control access rights; data retention and archive capabilities; and a legal hold option that preserves documents for legal purposes such as a court case.
The Governance app includes a Compliance Manager that provides a compliance score based on an organization’s regulatory requirements, and measures progress towards certain targets. Admins can also search and review documents shared by employees and generate audit reports for compliance. The Governance app is available to Nextcloud Enterprise customers.
Nextcloud also launched a program to support independent software providers interested in building apps on its platform.
With AI making it easier for developers to build software that integrates with its platform, Nextcloud expects a 10-fold increase in the number of available apps — from 600 now to 6,000 over the next 12 months, according to Nextcloud CEO Frank Karlitschek.
Nextcloud promised to promote apps developed by partners in its App Store and sell subscriptions as part of the ISV program, as well as provide documentation and technical help to customers. In return, developers would provide guarantees to customers around security processes and long-term support.
“We can strengthen our ecosystem, the developers also make some money — because obviously we do a revenue share here — and we leverage the dynamics that we expect from AI coming very soon,” said Karlitschek.
Editor’s note: NextCloud paid for Matthew Finnegan’s travel and hotel costs for NextCloud Summit 2026, but had no editorial role in the creation of this story.
Microsoft has released the Windows 10 KB5094127 extended security update, which fixes the June 2026 Patch Tuesday vulnerabilities and adds new functionality to monitor the rollout of updated Secure Boot certificates that replace those expiring this month. [...]
Basic tips to help you choose a smartwatch • What is worth paying extra for and what is not. And how to save money • Which display, what durability, which system
As if the Miasma situation weren't bad enough, now this weapon is spreading like wildfire. Someone open sourced the entire Miasma worm supply-chain attack toolkit, likely using previously compromised developers' accounts to publish GitHub repositories containing the self-spreading malware’s source code over the last 24 hours. SafeDep, a company focused on open source supply chain security that developed Package Management Guard (PMG), spotted the malicious repos, named “Miasma-Open-Source-Release,” and said that they started appearing on Monday. Its researchers analyzed one of these before GitHub nixed it, and described the code as more than just a supply chain worm. “It is a full supply chain attack toolkit that allows the operator to execute various attacks via stolen credentials against arbitrary or targeted packages on public registries (PyPI, npm, RubyGems), JFrog Artifactory, GitHub repositories and GitHub Actions, AI coding tools config poisoning, SSH based lateral movement and other attack vectors,” the SafeDep team said. While we don’t know who is behind this publicly released worm, it follows in the footsteps of TeamPCP, which developed and then open sourced the mini Shai-Hulud worm last month, announcing a supply-chain attack contest on BreachForums and spawning copycat open source package poisonings. One of these copycat worms, Miasma, first hit upwards of 100 Red Hat and Microsoft open source projects before spreading to other victims, with app-security firm Socket tracking 473 affected package artifacts as of Tuesday. “The Miasma repository is an evolution of the Mini Shai-Hulud toolkit, and was open-sourced June 8 via four previously compromised users,” Rami McCarthy, principal threat researcher at Wiz, told The Register. 
“Since we had already reversed the payload, this public release isn’t particularly useful for sophisticated defenders, and we haven't observed any opportunistic adoption of it yet.” This, he added, mimics what happened when TeamPCP open sourced mini Shai-Hulud last month. “We didn't see attackers weaponize it either,” McCarthy said. “It's not clear [whether] attackers benefit from adopting this out-of-the-box toolkit versus vibe coding their own. And while it raises concerns about muddying attribution, attackers tend to continue developing their private fork of the malware, providing a clear payload progression to track and deconflict from anyone utilizing the open-source version.” An interesting aspect of both of these worms and other recent attacks like this one dubbed “Comment-and-Control” by AI bug hunter Aonan Guan is that they run entirely in GitHub - they don’t require any custom command-and-control (C2) infrastructure - and use the code-hosting platform for all stages of the attack including remote command execution, configuration, and data exfiltration. “This is a key behavioural shift because traditional network based detection and protection tools rely on baselining and anomaly detection,” SafeDep researchers noted. “Defenders now have to operate closer to application protocol to identify behavioural anomaly instead of network based anomalies.” The Miasma worm uses three independent GitHub commit search channels for C2, and each has a different search string and purpose. One of these, "DontRevokeOrItGoesBoom," discovers attacker-controlled personal access tokens (PATs) to exfiltrate credentials and other sensitive data. These PATs are AES-256-CBC encrypted in the commit message. The second, "TheBeautifulSandsOfTime," delivers JavaScript for immediate command execution. It’s checked once at startup, and, after validation, it passes the payload to eval() to execute at runtime. Finally, “firedalazer” delivers Python script URLs for the persistent monitor. 
All three are unauthenticated by default, use GitHub’s public commit search API, and use a different validation or decryption key, which means compromising one doesn’t automatically compromise the other two. ®
Today is Microsoft's June 2026 Patch Tuesday, with security updates for 200 flaws, including five publicly disclosed zero-day vulnerabilities and one actively exploited in attacks. [...]