Security Leftovers
-
SANS ☛ Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th)
Microsoft today released patches for 204 vulnerabilities. 38 of these vulnerabilities are considered critical, and three have been disclosed before today. Six of the vulnerabilities affect Abusive Monopolist Microsoft cloud solutions and do not require any user action. In addition, Abusive Monopolist Microsoft incorporated 360 different vulnerabilities affecting Chromium into its Edge browser.
-
LWN ☛ Larson: Are insecure code completions a vulnerability?
Seth Larson, the Python Software Foundation's security developer-in-residence, has written about the difficulty in classifying insecure code completion in the PyCharm IDE using its Full Line code completion plugin.
-
Security Week ☛ Microsoft Patches 200 Vulnerabilities
Three of the vulnerabilities fixed with the latest Patch Tuesday updates were publicly disclosed before Abusive Monopolist Microsoft addressed them.
-
Scoop News Group ☛ Microsoft breaks Patch Tuesday record with 206 vulnerabilities
Fears and warnings about a roaring flood of error-riddled software have materialized. And the disease is spreading.
-
OpenSSF (Linux Foundation) ☛ Mini Shai-Hulud: Where SLSA’s Boundaries Fall
The “Mini Shai-Hulud” attack chained a Microsoft proprietary prison GitHub Actions workflow misconfiguration, cache poisoning, and OIDC token extraction to publish malicious packages through legitimate CI/CD pipelines.
-
Xe's Blog ☛ "No way to prevent this" say users of only language where this regularly happens
In the hours following the release of CVE-2026-45447 for the project OpenSSL, site reliability workers and systems administrators scrambled to desperately rebuild and patch all their systems to fix a heap use-after-free in PKCS7_verify().
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by AlmaLinux (bind and libyang), Debian (keystone and openssl), Fedora (mingw-objfw, objfw, sentencepiece, and tailscale), Mageia (packagekit and suricata), Oracle (bind, bind9.16, go-toolset:ol8, ImageMagick, kernel, samba, and vim), SUSE (apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec, avahi, busybox, chromedriver, chromium, csync2, firewalld, frr, gleam, helm, kernel-devel, keybase-client, libmozjs-140-0, libopenvswitch-3_7-0, libsoup, memcached, mutt, openjpeg2, ovmf, perl-HTML-Parser, perl-Net-CIDR-Set, perl-Protocol-HTTP2, postgresql-jdbc, postgresql17, python-CairoSVG, python-Flask, python-pip, python-pyOpenSSL, python-python-multipart, python-Twisted, python-urllib3, python-urllib3_1, python-uv, python311, rsync, tomcat, and tree-sitter), and Ubuntu (alsa-lib, cups, inetutils, isc-kea, jpeg-xl, libnet-cidr-lite-perl, netatalk, netty, nginx, node-shell-quote, php-twig, pillow, poppler, rsync, strongswan, systemd, and transmission).
-
Security Week ☛ OpenSSL Patches High-Severity Vulnerability Found With AI
A total of 18 vulnerabilities have been patched in the latest OpenSSL releases, including many that were potentially discovered by AI.
-
Security Week ☛ Adobe Patches 123 Vulnerabilities
Nearly half of the security holes, most allowing arbitrary code execution, have been fixed in Adobe’s Experience Manager product.
-
Federal News Network ☛ CISA chief details hiring progress, Hey Hi (AI) BOD
Acting CISA Director Nick Andersen said "ruthless prioritization" is key as the cyber agency tackles threats to federal networks and critical infrastructure.
-
Security Week ☛ SAP Patches Critical NetWeaver, Commerce Vulnerabilities
The flaws could lead to the disclosure of sensitive information, memory corruption, and disruption of normal system usage.
-
Security Week ☛ ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Phoenix Contact
In addition, Rockwell Automation announced some enhancements to its SecureOT cybersecurity solution for OT.
-
Bruce Schneier ☛ NSO Group Hacking WhatsApp Despite Court Order
WhatsApp has caught the NSO Group phishing its users, in violation of a court order.
-
Tomasz Torcz ☛ Small TLS settings modernization
Some time has passed since I've tightened TLS settings on my home server. Let's move it a notch higher, this time including the home k3s cluster.
-
LWN ☛ Security updates for Wednesday
Security updates have been issued by AlmaLinux (poppler), Debian (dnsmasq, mistral, okular, openssl, poppler, and strongswan), Fedora (exim, firefox, pcs, putty, and xorg-x11-server), Mageia (freeciv, golang-x-net, jq, libssh, libxmp, libxpm, minetest, ruby-net-ssh, tor, and wireshark), SUSE (389-ds, ack, agama-web-ui, amazon-ssm-agent, avahi, dpkg, elemental-register, elemental-system-agent, elemental-toolkit, ggml-devel-9500, go1.25, go1.26, kernel, kubernetes1.23, kubernetes1.24, kubernetes1.26, libsoup, mariadb, netty, netty-tcnative, NetworkManager, nginx, perl-CryptX, perl-XML-LibXML, podofo, polkit, python-Django, python-requests, samba, strongswan, vim, and xen), and Ubuntu (cyborg, gdk-pixbuf, golang-golang-x-net-dev, nginx, node-lodash, openssl, openssl, openssl1.0, qemu, tomcat9, tomcat10, and vim).
-
Citizen Lab ☛ Ron Deibert Speaks About “Greek Watergate”
Citizen Lab director Ron Deibert gave a keynote speech about the Greek spyware scandal at an event hosted by Eteron think tank in Athens in May.
-
Security Week ☛ Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks
The most recent variants of the self-propagating attacks are named Miasma and Hades.
-
Security Week ☛ Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks
The authentication bypass vulnerability allows attackers to establish VPN connections without a valid password.
-
SANS ☛ How has use of framing protection security headers changed in the past 3 years, (Wed, Jun 10th)
-
Security Week ☛ Infostealers Turn Millions of Devices Into Credential Theft Machines
As attackers increasingly favor stolen credentials over exploits, infostealers have become a primary source of access for ransomware and other cybercrime operations.
-
Federal News Network ☛ Our drinking water systems are more connected than ever, and more exposed to risks
"It's something we take for granted, but the water sector is one part of the national infrastructure of resources," said Dave Hinchman.
-
XSAs released on 2026-06-09
The Xen Project has released one or more Xen security advisories (XSAs).
-
QSB-115: HVM I/O port list traversal (XSA-491)
We have published Qubes Security Bulletin (QSB) 115: HVM I/O port list traversal (XSA-491). The text of this QSB and its accompanying cryptographic signatures are reproduced below, followed by a general explanation of this announcement and authentication instructions.
-
Krebs On Security ☛ A Record-Breaking Patch Tuesday for June 2026
Microsoft today released software updates to plug nearly 200 security holes across its backdoored Windows operating systems and supported software, a record number of fixes for the company's monthly Patch Tuesday cycle. Nearly three dozen of those bugs earned Microsoft's most dire "critical" rating, and exploit code for at least three of the weaknesses is now publicly available.
-
Silicon Angle ☛ SailPoint shares fall despite earnings beat and raised guidance
Shares in SailPoint Inc. fell more than 11% today after the identity security company beat analyst expectations on revenue and adjusted earnings and raised its outlook, in a selloff that pointed to investor expectations the results did not clear.
-
Federal News Network ☛ AI directive focuses patching efforts on ‘highest risk’ vulnerabilities
CISA's latest binding operational directive takes a risk-based approach to software vulnerabilities, driven by recent advancements in AI-powered cyber exploits.
-
Pen Test Partners ☛ ClickFix, CrashFix and the growing family of copy and paste attacks
At the start of this year, I wrote a blog on how 2025 was the ‘year of the infostealer’, and it doesn’t look like that is going to change anytime soon. We’re now into June and the ‘fix’ attacks have continued to soar as they did last year.
-
Security Week ☛ ServiceNow Patches Vulnerability Exploited Against Some Customers
The company updated hosted customer instances to patch a security issue it reportedly had known about since April 7.
-
Security Week ☛ Critical Vulnerabilities Patched in Fortinet, Ivanti Products
Two OS command injection flaws can be exploited remotely, without authentication, for arbitrary code execution.