Kategorie

Chinese hackers took control of a target organization's authentication stack and maintained persistence for 10 years, with full visibility into the administrative activity. [...]

Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system. "In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitraryRavie Lakshmananhttp://www.blogger.com/profile/[email protected]

The US government has ordered Anthropic to block all foreign nationals from accessing Fable 5 and Mythos 5, forcing the company to suspend both models worldwide. Anthropic is complying but disputes the basis, calling the cited jailbreak narrow and the capability widely available elsewhere. [...]

Anthropic said on Friday it will "abruptly disable" its most advanced artificial intelligence (AI) models, Claude Fable 5 and Mythos 5, for all users after the U.S. government ordered it to suspend access to the models for foreign nationals, whether inside or outside the U.S., citing national security concerns. The AI company said it received an order at 5:21 p.m. ET, instructing it to suspendRavie Lakshmananhttp://www.blogger.com/profile/[email protected]

Extremely powerful large language models (LLMs) still operate as though they’re typing on a keyboard, processing workloads in a simple left-to-right fashion. But in locally-run, single-user scenarios, this sequential processing can leave graphics processing units (GPUs) and tensor processing units (TPUs) underutilized.

Google is betting that DiffusionGemma can get around this bottleneck. The new experimental open model generates text “exceptionally fast,” creating entire blocks of text simultaneously through diffusion techniques rather than through token-by-token processing. The company says this technique results in 4x faster inference compared to auto-regressive models that rely on sequential processing.

It can also save users money. Technology analyst Carmi Levy noted that existing pay-per-token monetization models “penalize the use of less than optimally efficient AI solutions.”

But DiffusionGemma “could herald a new generation of task-defined, efficient solutions that can enable expanded compute capacity without draining the operations budget,” he said.

A contrast to left-to-right processing

Built on Google’s Gemma 4 family and its Gemini Diffusion research, DiffusionGemma is a 26B mixture-of-experts (MoE) model designed to maximize text output generation.

It essentially shifts how models use hardware, giving processors a larger hunk of work each cycle so it can draft full 256-token paragraphs in sequence. This allows the model to generate text up to 4x faster on GPUs, Google claims. It activates only 3.8B parameters during inference, and, when quantized, can fit within 18GB VRAM on high-end consumer GPUs like Nvidia RTX 5090.

“It upgrades your model inference from a single, sequential typewriter to a massive printing press that stamps the entire block of text simultaneously,” Google research scientists Brendan O’Donoghue and Sebastian Flennerhag wrote in a blog post.

AI image generators begin with pure, random ‘visual noise’ and iteratively refine that into a finalized picture (what’s known as ‘diffusion’); DiffusionGemma applies this same process to text. It does not generate tokens in order, but begins with a “canvas of random placeholder tokens” that it processes in multiple passes, identifying the context tokens it feels are most relevant and using those to refine the rest.

The model has the ability to self-correct, using confidence scoring to re-evaluate tokens in the next pass. “The model iteratively refines its own output, allowing it to evaluate the entire text block at once to fix mistakes in real-time,” O’Donoghue and Flennerhag explained.

DiffusionGemma also has bidirectional attention, they wrote. “Generating 256 tokens in parallel with each forward pass allows every token to attend to all others.” This can be particularly helpful in domains that are non-linear in nature, such as mathematical graphs, code infilling, and in-line editing, they said.

DiffusionGemma is optimized across Nvidia’s hardware stack, making it compatible with consumer setups as well as with high-performance enterprise systems like Hopper and Blackwell.

Because it is released under the Apache 2.0 license, developers can freely use, modify, distribute, and commercialize the software using their preferred tools. It can be run on GPUs or in the cloud through Google Cloud Model Garden or Nvidia NIM, and is available on Hugging Face, GitHub, and vLLM, with support for the open-source library llama.cpp coming soon.

Key use cases

The model is particularly useful in local workflows that are “speed critical,” such as generation of non-linear text structures, and unlocks what Google calls “new patterns of model behavior” like multimodal understanding and generating and rendering code in near real-time.

Levy explained, “DiffusionGemma is particularly well suited for interactive coding and editing where its efficiency allows rapid processing and iterations,” noting that its ability to fit within 18GB of VRAM and its deployability on commonly available local GPUs can potentially benefit customer service-related workloads that lean heavily on real-time interaction and local processing.

“DiffusionGemma also incorporates a thinking mode that is especially adept at problem solving,” he said. For instance, the model was fine-tuned to play Sudoku, a typically challenging task for autoregressive models because each token depends on future tokens. This “rather handily” illustrates the model’s capability to solve more complex problems, Levy noted.

Limitations

Google freely admits that DiffusionGemma is geared to specific workflows, and there are “key trade-offs.”

The model is engineered for small batch size inferencing and low-latency, high-speed generation low-to-medium batch sizes on a “single capable accelerator.”

In high-QPS cloud serving environments, (where infrastructure is designed to handle tens or hundreds of thousands of requests per second with ultra-low latency), DiffusionGemma’s parallel coding “offers diminishing returns,” and can even result in higher serving costs, Google conceded. In addition, its overall output quality is lower than that of standard Gemma 4, which is built for apps demanding maximum quality.

However, Levy noted that while DiffusionGemma “can be less precise than other models in certain workloads,” subsequent refinement cycles could overcome this limitation.

While Google isn’t sharing runtime costs, it’s clear that this is an efficiency play, he added. “When deployed across the kinds of workloads that would optimally benefit from its architecture, DiffusionGemma seems to have the potential to reduce processing overhead and related costs,” he said.

This article originally appeared on InfoWorld.

Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state's website, prompting a review of procedures to prevent abuse in the future. [...]

Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux's community package collection, and it is separate Swati Khandelwalhttp://www.blogger.com/profile/[email protected]

One of the world’s most active ransomware groups exploited a critical vulnerability in Oracle’s PeopleSoft software suite and used it to target about 100 customers and extort at least one of them to pay up in exchange for not leaking stolen data, researchers said.

The group, tracked as ShinyHunters, had been exploiting the PeopleSoft vulnerability for more than two weeks before Oracle flagged it. CVE-2026-35273, as the vulnerability is tracked, carries a severity rating of 9.8 out of 10, making the former zero-day one of the year’s most critical vulnerabilities to be exploited.

Google’s Mandiant security team said it’s an SSRF (server-side request forgery), a vulnerability that allows attackers to send requests from a susceptible server to systems used by the targeted organization. Oracle said the SSRF is remotely exploitable, and the company has issued a stopgap mitigation but has yet to fully patch the flaw. Google has confirmed that victims are receiving extortion demands.

Read full article

Comments

Google on Friday said it's pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a phishing-as-a-service (PhaaS) software kit called Outsider, per the tech giant. "The operation weaponized Gemini to help Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators. [...]

Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is allowed to sign in, planting its access where ordinary cleanup could not reach it. The network it targeted had no Swati Khandelwalhttp://www.blogger.com/profile/[email protected]

A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. [...]

More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens. [...]

** Vyzkoušeli jsme první vývojářskou betu iOS 27 ** Změn je vidět minimum a v Evropě chybí ty největší novinky ** Je vidět důraz na větší přizpůsobení, bezpečnost a design

Anthropic has come up with a neat way to combat those students who are booing AI at their universities.

The company has launched Claude Corps, an endeavor that will pay selected young people to extol the benefits of AI to communities across the US.

Anthropic is looking to recruit 1000 “fellows” and introduce them to selected nonprofits. The vision is that both sides benefit: the nonprofits learn how to use AI tools effectively and the young evangelists develop their own knowledge of AI. The company is committing to spend $150m on the project.

It will work with two partners: CodePath will act as the fellows’ official employer, while investment advisor Social Finance will lead measurement and evaluation.

The fellows will certainly be well rewarded: the companies are paying $85,000 for their yearly commitment, on top of their extensive training. At least 400 nonprofits will be hosting the initial wave of AI enthusiasts.

Of course, it’s easy to be cynical about such a venture given the increasing backlash against AI from students. But perhaps Anthropic has genuinely seen an opportunity to improve AI knowledge and equip a new generation with another set of skills. Time will surely tell.

When Pope Leo XIV wrote about the effect that AI is having on our world in his encyclical, Magnifica Humanitas, he may not have imagined the document being referenced in an HR environment.

But, according to a report by Business Insider, Erin Maus, a software developer in North Carolina, used the Pope’s message about the need for vigilance in how AI would be deployed to gain a special exemption from her employer about using the technology for coding.

Maus is not even a Catholic but a Unitarian Universalist, according to the report. However, it said, she maintained that the use of AI didn’t align with her religious beliefs.

Business Insider said that to make her case, she consulted an employment lawyer — a move to be expected — and her local chapter’s minister — which probably wasn’t. Her wishes were reportedly granted last month. “I’m writing my code and reviewing my code by hand, which seems crazy to say,” she told the publication.

She’s certainly not alone in wondering whether AI is always the way forward for techies: a journalist at PC World has also been rethinking its use after reading the encyclical.

It remains to be seen whether this will be the spur for a torrent of claims from Catholic workers, asking to be freed from the demands of using AI or whether Business Insider’s report is an outlier.

This article first appeared on InfoWorld.

Lawmakers have failed to extend a surveillance law that allows US intelligence agencies to monitor targets abroad without a warrant.

Congress rejected a vote to extend Section 702 of the Foreign Intelligence Surveillance Act to July 2, which means, for a few days at least, some surveillance will be put on hold, for the first time since the Act was passed in 2008. The next possible chance for a vote will be June 28.

This has significance for CISOs because they need to be aware of how communication between the US and other countries is being monitored. The Act permits US intelligence agencies to collect texts and emails sent to and from foreigners living outside the US without a warrant — and when those communications are to or from an US citizen, it allows them to scoop them up too.

“For too long, the FBI has been able to piggyback on a major national security tool as an unconstitutional backdoor way of reading Americans’ communications,” Electronic Frontier Foundation Senior Policy Analyst Matthew Guariglia wrote in article about the renewal vote this week.

It is uncertain what will happen next. Some commentators expect things will proceed as if the Act had been extended, possibly through an executive order.  However, the industry may well revolt against this and we could see some tech providers take legal action.

This article first appeared on CSO.

Long before Taco Tuesday became part of the pop-culture vernacular, Tuesdays were synonymous with security — and for anyone in the tech world, they still are.  Patch Tuesday, as you most likely know, refers to the day each month when Microsoft releases security updates and patches for its software products — everything from Windows to Office to SQL Server, developer tools to browsers.

The practice, which happens on the second Tuesday of the month, was initiated to streamline the patch distribution process and make it easier for users and IT system administrators to manage updates.  Like tacos, Patch Tuesday is here to stay.

In a blog post celebrating the 20th anniversary of Patch Tuesday, the Microsoft Security Response Center wrote: “The concept of Patch Tuesday was conceived and implemented in 2003. Before this unified approach, our security updates were sporadic, posing significant challenges for IT professionals and organizations in deploying critical patches in a timely manner.”

Patch Tuesday will continue to be an “important part of our strategy to keep users secure,” Microsoft said, adding that it’s now an important part of the cybersecurity industry.  As a case in point, Adobe, among others, follows a similar patch cadence.

Patch Tuesday coverage has also long been a staple of Computerworld’s commitment to provide critical information to the IT industry. That’s why we’ve gathered together this collection of recent patches, a rolling list we’ll keep updated each month.

In case you missed a recent Patch Tuesday announcement, here are the latest six months of updates.

For June, Patch Tuesday means an IT scramble

Microsoft this month released 206 updates affecting Windows, Office, Exchange Server, and its developer tools — including three Windows vulnerabilities already publicly disclosed. That trio includes an elevation of privilege in the Collaborative Translation Framework (CVE-2026-45586), a denial of service in HTTP.sys (CVE-2026-49160), and a BitLocker security feature bypass (CVE-2026-50507). At the moment, none appear to be under active exploitation, but all three are rated “Exploitation More Likely.” 

Even without an exploited zero-day, the June 2026 Patch Tuesday release requires Patch Now recommendations for Windows, Office, and Exchange. The latter is back in the patch picture with a consolidated security update that Microsoft recommends installing “as soon as possible.”

More info is available here on Microsoft Security updates for June 2026.

For May, Patch Tuesday means 139 updates — but no zero-days

Microsoft this month released 139 updates affecting Windows, Office, .NET, and SQL Server (though there were no updates for Microsoft Exchange Server). Despite the absence of zero-days, the May Patch Tuesday update still requires Patch Now recommendations for Windows and Office. 

The combination of three unauthenticated network RCEs (Netlogon, DNS Client, and SSO Plugin for Jira and Confluence), four Word Preview Pane RCEs, the large TCP/IP vulnerability cluster, and the carry-over BitLocker recovery condition (still active on Windows 10 and Windows Server) warrants an accelerated deployment release schedule. 

More info is available here on Microsoft Security updates for May 2026.

Microsoft’s Patch Tuesday release for April is a whopper

Windows admins are going to be busy this month, dealing with the largest Patch Tuesday cycle in memory. The April release involves 165 updates and roughly 340 unique CVEs from Microsoft — including two zero-days, one of which is already being actively exploited in the wild. 

The Readiness team recommends “Patch Now” schedules for nearly every major product family: Windows, Office (with a zero-day), Microsoft Edge (Chromium), SQL Server, and Microsoft Developer Tools (.NET). April also brings Phase 2 of Microsoft’s Kerberos RC4 hardening with full enforcement set for July. There is a lot to cover, so here’s a useful infographic mapping the deployment risk for each platform.

More info is available here on Microsoft Security updates for April 2026.

For March, Patch Tuesday delivers fixes for 83 vulnerabilities

Microsoft’s March Patch Tuesday release addresses 83 vulnerabilities across Windows, Office, SQL Server, Azure, and .NET — with two publicly disclosed zero-days affecting SQL Server and .NET (though neither is being actively exploited in the wild.) Six additional vulnerabilities spanning the Windows Kernel, Graphics Component, SMB Server, Accessibility Infrastructure, and Winlogon are flagged as “Exploitation More Likely.”

The most significant change this month is the introduction of Common Log File System (CLFS) hardening with signature verification, which will affect how Windows handles log files across the operating system. More info on Microsoft Security updates for March 2026.

February’s Patch Tuesday release fixes 59 flaws, including 6 being exploited

The company’s Patch Tuesday release for February addresses 59 CVEs across the company’s product family — roughly half the volume of January’s 159 patches. Six vulnerabilities, affecting Windows Shell, MSHTML, Desktop Window Manager, Remote Desktop, Remote Access, and Microsoft Word, are already being actively exploited. (All five Critical-rated CVEs target Azureservices rather than Windows, however.) 

Both Windows and Office get a “Patch Now” recommendation, with CISA setting a March 3 enforcement deadline for all six exploited vulnerabilities. Two new enforcement timelines also take effect in April: Kerberos RC4 deprecation (CVE-2026-20833) and Windows Deployment Services hardening (CVE-2026-0386). More info on Microsoft Security updates for February 2026.

For January, Patch Tuesday starts off with a bang

The first Patch Tuesday release of 2026 addresses 112 CVEs across Microsoft’s product portfolio, including eight rated critical and three zero-day vulnerabilities. One zero-day (CVE-2026-20805), an information disclosure flaw in the Desktop Window Manager, is already under active exploitation, prompting CISA to add it to the Known Exploited Vulnerabilities catalog with a remediation deadline of Feb. 3, 2026. (Note: 95 of the vulnerabilities affect Windows.) More info on Microsoft Security updates for January 2026.

Microsoft this week released 206 updates affecting Windows, Office, Exchange Server, and its developer tools —  including three Windows vulnerabilities already publicly disclosed. That trio includes an elevation of privilege in the Collaborative Translation Framework (CVE-2026-45586), a denial of service in HTTP.sys (CVE-2026-49160), and a BitLocker security feature bypass (CVE-2026-50507). At the moment, none appear to be under active exploitation, but all three are rated “Exploitation More Likely.” 

Even without an exploited zero-day, the June 2026 Patch Tuesday release requires Patch Now recommendations for Windows, Office, and Exchange. The latter is back in the patch picture with a consolidated security update that Microsoft recommends installing “as soon as possible.” 

The Readiness team suggests testing start with domain controllers, Hyper-V hosts, anything self-hosting on HTTP.sys, and Outlook-heavy desktops —  in that order. To help navigate these changes, here’s a useful infographic detailing the risks of deploying the updates to each platform.

(More information about recent Patch Tuesday releases is available here.)

Known issues

This June release note from Microsoft flags known issues with three updates:

• KB5094128 — BitLocker recovery prompt on first restart (Windows Server 2022). The PCR7 condition we have tracked since April is still live on the platforms that did not receive May’s Boot Manager servicing fix. Devices with BitLocker enabled on the OS drive, the Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” set with PCR7 included, and System Information reporting Secure Boot State PCR7 Binding as “Not Possible” may prompt for the recovery key on the first restart after installing this update.
• KB5094127 — Windows 10 21H2/22H2. The release note carries a known-issue flag, too, with Windows 10 in the same boat as Server 2022: it has not received the Boot Manager servicing improvement that closed the BitLocker/PCR7 recovery condition on Windows 11. So, that same Group Policy configuration remains the trigger to check before deployment.
• KB5094125/KB5094128 — WSUS synchronization error details suppressed (Windows Server 2025 and 2022). WSUS no longer displays synchronization error details in its reporting. This is deliberate: the functionality was “temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.” Microsoft offered no workaround.

One continuing advisory from May remains in effect: Windows Update can still replace manually installed graphics drivers with older OEM versions from the Windows Update catalogue.

Major revisions and mitigations

Unlike last month, this patch cycle delivered two genuine revisions and a cluster of out-of-band fixes that require action:

• Microsoft Teams Spoofing (CVE-2026-32185) — revised to version 3.0 on May 21. Microsoft announced the availability of the security update for Teams for Android; customers running affected versions should install it. If your mobile fleet runs Android, this is the action item.
• Microsoft Defender out-of-band cluster (May 19–21) — a Critical remote code execution flaw (CVE-2026-45584), plus an elevation of privilege (CVE-2026-41091) and a denial of service (CVE-2026-45498).
• SharePoint RCE (CVE-2026-45659) — a separate out-of-band fix also posted on May 21. SharePoint admins had three distinct security notices in a fortnight. The recommendation: deploy these clustered but separate patches as a single unit.

Interestingly, there were two omissions from last month’s list:

• SharePoint Server RCE (CVE-2026-47294) — published May 29 with the note that it “was addressed by updates that were released in May 2026, but the CVE was inadvertently omitted from the May 2026 Security Updates.”
• Windows DWM Core Library Information Disclosure (CVE-2026-48566) — also fixed in May, also left off the May list.

That makes two months running: the Patch Tuesday list is never final. The June release itself also carried a substantive revision:

• Remote Desktop cluster re-issued for Windows 11 26H1 — five RDP/RDS CVEs from 2024–2025, including two Critical RCEs (CVE-2024-49123, CVE-2024-49132) and the RDP Server RCE (CVE-2024-43582). If you are running 26H1, the June cumulative closes these older CVEs.

Windows lifecycle and enforcement updates

Given the month SharePoint just had, SharePoint 2016/2019 require some of the cycle’s most active patching on a platform with one update left. If migration is not already in progress, July’s final update is the deadline. Here are the other key dates:

• The 2011 KEK CA expires on June 24, and the UEFI CA for third-party boot loaders follows three days later, with the Windows Production PCA for the boot manager coming up October. 19. Devices that have not taken the Windows UEFI CA 2023 key updates under CVE-2023-24932 lose the ability to receive updated boot components once the certificates lapse. This is a big deal.
• With just one Patch Tuesday to go, SharePoint Server 2016 and 2019, Project Server 2016 and 2019, SQL Server 2016, and SQL Server 2014 ESU Year 2 all reach end of support on July 14. (InfoPath 2013, SharePoint Designer 2013, and Visual Studio 2022 17.12 LTSC go with them.)
• Kerberos RC4 hardening (CVE-2026-20833) moves from default-hardening to its enforcement phase next month. Accounts still depending on RC4 service tickets have weeks, not months.
• The graphics-driver targeting change (four-part to two-part Hardware IDs) pilots to September 2026, with broader enforcement planned for Q4 2026 to Q1 2027; until then, Windows Update can still downgrade manually installed display drivers.

This month’s release is a security-only release with a clear feature focus: the Remote Desktop client. The Remote Desktop ActiveX control (mstscax.dll) is the most patched component this cycle with five separate updates (see below). 

The secondary theme is Windows authentication, with three updates to the NTLM security package. Every Windows binary this month reports no functional changes, so the work is pure regression validation. Lower-risk patches reach DHCP, telephony, Hyper-V, UDF and Projected File System storage, and the graphics stack.

Remote Desktop client

The Remote Desktop client (mstscax.dll) draws a high-risk flag that lands specifically on printer redirection — the path that maps a client’s local printers into a remote session. A regression here typically shows as missing redirected printers, failed print jobs, or a hang on connect or reconnect. The wider Remote Desktop stack is also updated, including RemoteApp and clipboard redirection (rdpclip.exe, RdpCoreTS.dll) and Remote Desktop Licensing (lserver.dll). So, be sure to validate connection, session, and licensing together.

A passing run is a remote session that connects, redirects printers, prints, and survives a reconnect with no crashes or missing devices.

• Connect with Remote Desktop Connection (mstsc.exe) to a test host, enable printer redirection in Local Resources, and confirm redirected printers appear in the session.
• Print a test page from an app in the session to a redirected printer; repeat with two or more client printers installed.
• Disconnect and reconnect the session, then confirm the redirected printers are still present and usable.
• Repeat the printer test in both a full desktop session and a RemoteApp session.
• Exercise general remote access: connect through a Remote Desktop Gateway, use VMConnect to reach a VM, and verify clipboard and device redirection.
• On a Remote Desktop Licensing server, confirm clients connect with licensing enabled, across Per User and Per Device modes.

Windows authentication (NTLM)

Three updates touch the NTLM security support provider (msv1\_0.dll), the module behind network authentication when Kerberos is not used. Authentication changes are regression-sensitive: the failure modes are logon failures, broken file-share or RDP access, and application sign-in problems. Validate across domain-joined and workgroup machines.

• Sign in to domain-joined and standalone machines with domain, local, and cached credentials after a reboot.
• Access SMB file shares by host name and IP, including paths that fall back to NTLM, and confirm authenticated reads and writes.
• Authenticate to a Remote Desktop host and to line-of-business applications that rely on integrated Windows authentication.
• Watch the Security event log for new logon-failure or audit anomalies during the test window.

Other Windows components

The remaining updates carry no functional changes, so cover them with routine regression by area.

• Networking: exercise DHCP lease, renewal, and release on IPv4 and IPv6 (dhcpcore), sustained socket traffic over the WinSock driver (afd.sys, two updates), HTTP.sys request handling under IIS, and TAPI telephony integrations (tapisrv.dll).
• Virtualization: boot Generation 1 and Generation 2 VMs, including nested virtualization, to cover the Hyper-V hypervisor (hvix64/hvax64), and connect a VM through an external virtual switch (toggling NIC RSS) to cover vmswitch.sys.
• Storage and filesystems: read and write UDF-formatted media (udfs.sys), exercise the Projected File System minifilter (prjflt.sys), and validate cloud files hydration and Work Folders sync (cldflt.sys, workfolders.exe), including a ReFS volume with BitLocker enabled.
• Graphics and shell: run GPU-accelerated and 2D rendering workloads to cover Direct2D (d2d1.dll), GDI+ (gdiplus.dll), the Desktop Window Manager (dwmcore.dll), the Windows Imaging Component (windowscodecs.dll), and UI Automation (UiaManager.dll); watch for artifacts and accessibility regressions.
• Notifications and input: open apps that raise toast and push notifications (wpnapps.dll, wpncore.dll) and verify Text Services Framework input across keyboard layouts and IMEs (msctf.dll).

Microsoft Office & SharePoint

June’s Office updates are MSI editions only: Excel 2016 (KB5002877), Word 2016 (KB5002879), Office 2016 shared components (KB5002878, KB5002852, and the rich-edit control KB5002578), and Office Online Server 2019 (KB5002875). The shared Office 2016 component updates also apply to the SharePoint Server 2016, 2019, and Subscription Edition baselines. No Critical non-security client release ships this cycle, and Click-to-Run estates are unaffected.

• Open complex Excel workbooks with formulas, macros, and external data connections; save and reopen to verify integrity.
• Edit Word documents with embedded objects, tracked changes, and rich formatting that exercises the rich-edit control.
• On the SharePoint Server baselines (2016, 2019, Subscription Edition) and Office Online Server, validate document library operations, co-authoring, and browser-based viewing and editing.
• Confirm that Office add-ins and line-of-business integrations continue to operate.

Developer tools and databases

June’s fixes update the .NET SDK across the 8.0, 9.0, and 10.0 servicing lines (8.0.422, 9.0.315, 10.0.301), and ships SQL Server GDR security updates spanning SQL Server 2016 SP3 through SQL Server 2025, in both RTM+GDR and cumulative-update+GDR branches.

• After installing the .NET SDK update, build and run representative applications and confirm existing projects compile and execute normally.
• For SQL Server, install the GDR update onto the matching baseline or cumulative-update branch, then restart the service and run standard transactions.
• Verify a backup and restore, confirm Always On availability groups stay healthy, and test patch install and removal on each servicing branch.

The Readiness team suggests that this month’s testing lead with Remote Desktop. The client is both the most-patched component and the sole High Risk item, so give it a focused regression pass centered on printer redirection, then broaden to general connectivity, RemoteApp, clipboard and device redirection, gateway access, and licensing. 

The NTLM authentication updates are the second priority: validate domain and standalone logon, file-share access, and application sign-in. Everything else is a no-functional-change security update, so cover networking, Hyper-V, storage, and graphics with routine regression. Office is MSI-only, with Click-to-Run untouched, and the .NET and SQL Server updates round out the developer and database estate.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Browsers

Microsoft Edge released the stable version (149.0.4022.52) on June 4, per the Edge security release notes. Nothing ships for Internet Explorer, which remains retired. This cycle is unusually lopsided: just one Edge-engineered CVE against a very large Chromium upstream flow:

• CVE-2026-47644 — Copilot Chat (Microsoft Edge) — Information disclosure (CVSS 6.5, rated critical). For the second month running, Copilot Chat in Edge supplies the headline browser issue (May’s was CVE-2026-33111); Microsoft addresses the Copilot service component, with the browser update completing the fix.
• Chromium upstream — 407 CVEs relayed through MSRC this cycle, spanning the weekly Chrome release cadence since the May report: use-after-free, out-of-bounds read/write, type confusion, and policy bypass across V8, Blink, PDFium, WebRTC, ANGLE, and DevTools. The same fixes ship in the Chrome Stable channel; see the Chrome release blog for the upstream notes.

The Chromium volume looks alarming but is routine plumbing —  it flows to Edge through its own auto-update channel. Add these updates to your standard release schedule for Edge-managed environments.

Windows

Microsoft addressed 119 vulnerabilities in Windows this month, 22 rated critical and 97, important —  nearly double May’s count. Elevation of privilege again dominates by volume (49 entries), followed by remote code execution (28), information disclosure (16), security feature bypass (15), denial of service (6), and a handful of spoofing and tampering entries. All three of June’s publicly disclosed zero-days land here:

• CVE-2026-45586 — Collaborative Translation Framework (CTFMON) — Elevation of privilege (CVSS 7.8, publicly disclosed).
• CVE-2026-49160 — HTTP.sys — Denial of service (CVSS 7.5, publicly disclosed).
• CVE-2026-50507 — BitLocker — Security feature bypass (CVSS 6.8, publicly disclosed) —  BitLocker’s third entry this month, keeping it on the radar alongside the PCR7 known issue.

At the feature level, the critical risks are concentrated in nine areas:

• Remote Desktop Client — the largest single cluster: 11 CVEs, 7 rated critical, led by CVE-2026-47289 and CVE-2026-42985 (both CVSS 8.8, the latter “Exploitation More Likely”).
• Windows Kernel — CVE-2026-45657, remote code execution at CVSS 9.8, the joint-highest Windows score this cycle.
• HTTP.sys — CVE-2026-47291, unauthenticated remote code execution (CVSS 9.8, “Exploitation More Likely”) in the kernel-mode web server underpinning IIS, WinRM, and anything self-hosting on http.sys — paired with the disclosed DoS above.
• DHCP Client — CVE-2026-44815, remote code execution at CVSS 9.8.
• Active Directory Domain Services — CVE-2026-45648, remote code execution (CVSS 8.8) on the directory itself, with the Kerberos KDC adding a separate critical RCE (CVE-2026-47288).
• Hyper-V — three critical RCEs (CVE-2026-45607, CVE-2026-45641, CVE-2026-47652, up to CVSS 8.4) — guest-to-host risk on virtualization hosts.
• Windows Graphics Component — two critical RCEs (CVE-2026-44803, CVE-2026-44812, CVSS 7.8), both “Exploitation More Likely” vulnerabilities reachable through Office rendering paths.
• Windows Deployment Services — CVE-2026-42987, remote code execution (CVSS 8.1).
• Cryptographic Services and Device Health Attestation — critical elevation-of-privilege entries (CVE-2026-44810, CVSS 8.4; CVE-2026-33828, CVSS 7.8) in trust-anchor components.

Given the publicly disclosed vulnerabilities this month, add this Windows update to your Patch Now schedule.

Office

Microsoft released 53 Office CVEs this month — 10 critical, 43 important. Remote code execution again leads (24 entries), but the surprise is spoofing at 20 entries, almost all of it SharePoint. (SharePoint Server appears in 30 of the 53 CVEs this cycle.) The rest split across information disclosure (6), elevation of privilege (2), and a security feature bypass.

• Microsoft has addressed seven critical remote code execution entries, each CVSS 8.4, each with the Preview Pane confirmed as an attack vector: CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635 against Outlook and Word, plus CVE-2026-45461, CVE-2026-45463, CVE-2026-45472, and CVE-2026-45474 against Office broadly.

Add these Office updates to your Patch Now deployment, prioritizing Outlook-heavy desktops and SharePoint farms.

Microsoft Exchange and SQL Server

The pattern inverts from May: SQL Server receives nothing (no patches at all), while Exchange Server — absent in May — returns with a consolidated security update carrying seven CVEs for on-premises builds (Exchange Server 2016 CU23 and Exchange Server 2019), plus one cloud-side critical:

• CVE-2026-45504 — Exchange Server — Elevation of privilege (CVSS 8.8). The headline on-premises entry.
• CVE-2026-45503 and CVE-2026-47631 — Exchange Server — Information disclosure and spoofing, each CVSS 8.1.
• CVE-2026-45583 — Exchange Server — Remote code execution (CVSS 7.5), with three further spoofing/information-disclosure entries (CVE-2026-45500, CVE-2026-45501, CVE-2026-45502) rounding out the set.
• CVE-2026-48579 — Exchange Online — Information disclosure (CVSS 9.1, rated critical) —  addressed service-side, no customer action.

Microsoft also revised the May Exchange spoofing entry (CVE-2026-42897) to point at this same June security update, with the recommendation to install “as soon as possible.” Add the June Exchange SU to your Patch Now schedule.

Developer tools

Microsoft released 10 CVEs across its developer tooling this month, all rated important —  though the top score outranks most of this cycle’s criticals, and the concentration in Visual Studio Code (seven of 10 entries) continues last month’s pattern:

• Visual Studio Code — seven entries led by CVE-2026-47281, an elevation of privilege at CVSS 9.6 —  the highest developer-tools score in months. Behind it: CVE-2026-45482, a security feature bypass in the GitHub Copilot Chat extension (CVSS 8.4); CVE-2026-47292, remote code execution in the MSSQL extension (CVSS 7.8); a second elevation of privilege (CVE-2026-40376, CVSS 7.5); and security-feature-bypass, tampering, and information-disclosure entries (CVE-2026-48569, CVE-2026-47287, CVE-2026-47284).
• Microsoft .NET on Windows has three entries: CVE-2026-45490, a .NET SDK elevation of privilege (CVSS 7.8) across .NET 8.0, 9.0, and 10.0; CVE-2026-45591, an ASP.NET Core denial of service (CVSS 7.5); and CVE-2026-45491, a .NET tampering issue (CVSS 6.2).

Add these Microsoft updates to your standard developer update release plan.

Adobe (and third-party updates)

Adobe released APSB26-63 for Acrobat and Reader this cycle, fixing critical code-execution flaws; Adobe reports no exploitation in the wild. Add it to your standard third-party schedule. This is a big (fat) Windows update this month (and yes, I think that AI has something to do with the number of these patches). 

Good luck with your deployments.

An intruder has breached the French government’s encrypted messaging service, Tchap, showing once again that human error is a weak spot in any security system.

Tchap was developed in France as an example of national sovereignty and was designed to be a more secure option than WhatsApp for communication between government employees.

In this case, it wasn’t the technology that was at fault, but a user: The intruder gained access to the system by taking over their account, according to DINUM, the French government’s interministerial digital directorate.

DINUM said it has blocked the affected user’s access and is investigating how much information has been revealed. While the system’s encryption was not broken, the intruder would have been able to view unencrypted public chat rooms accessible to the account taken over, potentially affecting 73,467 of the system’s 825,000 users, DINUM said.

That matches at least part of a post on X (formerly Twitter) reporting the intruder’s claim to have accessed the account of a Tchap user in the education sector through social engineering, exposing 73,467 user accounts, 643,459 messages, 876 chat rooms with message history, and 59,386 media files totalling 13.51 GB, including references to documents marked “Diffusion Restreinte” (restricted distribution).

DINUM said that it had reminded all Tchap users that public chat rooms are accessible to any user and are not encrypted, so all participants should refrain from any sensitive or confidential information.

This article first appeared on CSO.