Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS
UK move to filter photos and messages triggers encryption worries for CISOs
UK Prime Minister Keir Starmer’s speech on Monday insisting that tech companies create device controls to somehow block children from viewing or creating sexually explicit imagery has raised alarms among CISOs, who worry that the same technology could undermine enterprise security. Starmer gave tech firms three months to create and implement such restrictions voluntarily, at which point he said he would push for legislation to make it mandatory.
Behind the technical and logistical hurdles for tech firms to clear, such as how a device would determine that an image was inappropriate, and how it could reliably determine the subject’s age, is the issue of whether this process would interfere with encryption protections for enterprises worldwide. And that comes down to whether the required data analysis happens on the device or in the cloud.
Starmer did not go into a lot of detail, preferring to let technology companies craft their own plans, but in this case the details matter. Analysts and consultants said that there has been a push for everything to happen on-device, which would avoid any encryption problems; if the inspected data never leaves the device, the encryption protection would stay intact.
But this plan for the process to stay on the device seems highly unlikely for multiple reasons. The first problem is device capabilities and hardware age. Although Apple and Google engineers would be working with the latest devices, much of the UK population is using much older and less capable hardware, analysts said.
Although a 2-, 3- or 4-year-old phone might still be able to handle the additional load, it would likely suffer a dramatic slowdown sufficient to make users decidedly unhappy. That would mean that even if the execution of the data analysis began on the device, it would likely have to be shifted to the cloud for performance reasons. And once it moves into the cloud, the encrypted data problem begins.
Trying to do this scanning on-device in the UK would fail, said Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group. “It will make unusable the majority of devices used in the UK today. It just can’t work on-device.”
However, Villanustre observed that on-device analysis for this kind of effort, which would need to scan everything that gets downloaded to the phone in search of prohibited images, might be viable in a few years, once the typical device becomes much more powerful. But not today.
Creates new risks
Leading secure messaging app provider Signal also issued a strong statement opposing Starmer’s proposal.
“The UK government’s demand that all content on all devices sold or used in the UK be scanned on the presumption of nudity, using a dystopian combination of age verification and content scanning, will not safeguard children. It endangers us all, whilst strengthening Apple, Google and Microsoft’s market dominance and their control over our most personal information,” Signal said. “Once created, [the program] will be expanded, forming a dangerous tool that will be wielded both in the UK and abroad to censor and surveil whatever they might consider ‘threats’ or ‘harmful content.’”
Signal has aggressively fought against such programs before. Similar privacy campaigns have also been launched in other parts of Europe.
The long-held fear is that moving encrypted data to the cloud, regardless of whether it remains encrypted or is converted to clear text, creates opportunities for attackers to access the sensitive data.
“The mechanism that flags and reports a match to external authorities creates a new, built-in exfiltration path,” said Jeff Valdes, a director at consulting firm Acceligence.
Could do more harm than good
Sanchit Vir Gogia, chief analyst at Greyhound Research, argued that the UK proposal is likely to do far more damage than good. He pointed to the short three-month timeframe as evidence of a lack of good faith.
“Legislation of this complexity cannot be drafted in a quarter. The deadline is a pressure instrument, not a delivery schedule. Child safety is the destination. Device-wide inspection is the wrong vehicle,” Gogia said. “Apple and Google already run on-device nudity detection in bounded contexts, and it works: a child can be warned, an image blurred, a sharing attempt interrupted.”
Gogia pointed to another logistical problem, which is that some devices such as tablets are often shared between family members, which makes reliable age determinations all but impossible.
“The deeper flaw is that the policy assumes a stable mapping between device, person, and age, and that mapping does not exist in real households,” Gogia said. “A device cannot know its holder has changed. The only architecture that survives this is default-child with recurring adult verification, which is surveillance arriving through the back door of household economics.”
In addition, he noted, “Children disproportionately inherit the old, out-of-support handsets the mandate cannot reach. Forcing churn manufactures electronic waste and punishes the families least able to buy new.”
Carmi Levy, an independent technology analyst, agreed that the computing overhead alone for such an effort could make this a deal-killer.
“The compute requirements, particularly in light of the need to execute this kind of filtering in real time, would be immense. It is futile to assume this capability can ever be rolled out at scale without running into massive concerns on several fronts,” Levy said. “Simply deciding how to tune the filters is an almost impossible task. Although the overall definition of nudity, namely not wearing clothing, is generally agreed upon, the line where it becomes inappropriate for minors is neither static nor universally established. So it’s wildly optimistic to assume that a single threshold would be workable at the scale proposed by Prime Minister Starmer.”
Nidhi Luthra, a director at Acceligence, added that the logistical and technological roadblocks are also a big problem.
“Technically, parts of this can work,” she said, but vendors would have to deal with age verifications, drifts in the models and false positives, and there is also the “lack of contextual information that truly would have let this work.”
Puts CISOs in ‘an impossible bind’
The UK proposal also puts enterprise CISOs and IT directors who need to protect sensitive data in an impossible bind, Gogia said.
They “can govern device management and conditional access. What they cannot govern is a mandatory inspection capability that updates according to political appetite rather than enterprise risk appetite,” he pointed out. “The proposal does not automatically create a breach inside Signal, WhatsApp, or Teams, but it creates the conditions for a new class of breach around them. The weakness need not live in the messaging protocol. It can live in the mandated inspection layer, the classifier update mechanism, the age-assurance workflow, or the logs that enforcement inevitably generates.”
Regime change could lead to abuse
Another common concern is that governments change hands, so limited capabilities granted today to one government might be used very differently by a future government.
Brian Jackson, principal research director at Info-Tech Research Group, noted, “the current government may only use it to detect nudes, but what is to stop a future authoritarian government from using it to detect unfavorable political commentary? Creating a back door means there is potential for third parties — hackers — to exploit that back door to gain access to the user’s communications. This is exactly what encryption and on-device security measures are supposed to prevent.”
He added, “Apple’s Communication Safety feature, Google’s Family Link, and a range of parental control tools already use on-device AI to detect and restrict explicit imagery on children’s devices. The government is not filling a gap the market failed to address. It is proposing to transfer control of an existing capability from the device owner to the state. Parents can deploy this protection right now, on their terms. That is where the decision should sit.”
Ryan O’Leary, research director for privacy and legal technology at IDC, said the current proposal only involves the UK, and there’s no way to determine whether other governments will try something similar. He noted that the EU’s GDPR was widely expected to go global when it launched in 2016, but in ten years, it hasn’t.
O’Leary said that if this proposal is enacted in the UK, he would advise IT and cybersecurity executives to be extra cautious when sending team members to the region.
“It would essentially be ‘China rules’” such as air gapping systems and traveling with disposable data-limited burner phones, O’Leary said. “It’s an exceptionally big deal if it goes through,” but, he added, the chance of it happening is very low. “It seems like the technology companies will call his bluff.”
This article originally appeared on CSOonline.
Working group formed to develop standard for AI-native docs
LF AI & Data Foundation, a division of the Linux Foundation, launched a working group on Tuesday that will focus on the development of DocLang, a specification intended to support interoperable document processing across AI and agentic workflows.
The working group, founded by premier members IBM, Nvidia and Red Hat, is tasked with the creation of an open, universal, AI-native document format designed to improve how enterprises prepare, exchange, and govern document data for AI systems. Contributors ABBYY and Human Signal will also be involved in its development.
The announcement stated, “enterprises today work across a fragmented landscape of document formats, including PDFs, JPEGs, and other file types built primarily for human consumption rather than AI interpretation.”
As organizations increasingly rely on generative AI and agentic systems, it said, “this disconnect can introduce complexity, raise costs, and reduce reliability when extracting meaning from business documents.”
Mark Collier, executive director of LF AI & Data, said the goal of the DocLang Specification Working Group is to “develop a vendor-neutral, interoperable standard that helps organizations prepare document data for AI more reliably, transparently, and at scale.”
To that end, an information document released by the group stated, “PDF was built for print, DOCX was built for editors. DocLang is built for what comes next, a machine-readable document standard your models can actually trust.”
DocLang, it said, “defines a structured, machine-readable format for documents of any type. Not a converter. Not an API. A standard, like JSON for data, like HTML for the web, that any tool can implement and any pipeline can consume.”
Standards must evolve for AI
Something like DocLang is needed, said independent technology analyst Carmi Levy. “Existing document standards have done an admirable job allowing global stakeholders to confidently collaborate for decades, but it’s becoming increasingly clear that they are in desperate need of an update as AI reshapes the rules around how work gets done,” he explained.
Largely static document types, he said, “can be somewhat limiting when AI is redefining the very word, ‘document.’ In many ways, AI-age documents are far more iterative and dynamic than what they once were, and the definitions need to evolve with the times. The documents we currently live with simply weren’t designed for the AI age.”
Within that context, Levy said, “DocLang represents an early, best hope of achieving some kind of foundational baseline for document standards, one that will hopefully allow more intelligent, more efficient, lower-risk workflows than is currently the case.”
Taking an open-source, vendor-agnostic approach to the process ensures the collective will take precedence over the needs of specific vendors, he said, adding, “earlier standards-setting efforts around networking, documentation, the web, and the cloud powered the free-flowing digital landscape that defines modern life.”
An AI-centric documentation standard will carry that reality into the next generation of technology, said Levy.
A question of governance
Asked what a DocLang standard will mean for human workers and in particular for governance and accountability, Jason Andersen, principal analyst at Moor Insights & Strategy, said, “at a high level, I like and understand the idea of standards, but the question raises an important point.”
The entire concept of LLMs, said Andersen, “involves using natural human languages. The computer is supposed to understand us without us changing our syntax or language. Forcing a syntax on users is exactly what we have today with SEO and more advanced programming languages.”
With something like DocLang, where the standard can be applied to content ingestion, he said, “I would be OK with that being automated, which seems to be the intent. The use case I envision is that when I upload a document to an agent, a skill can be run to preprocess the document into the DocLang standard format, saving tokens.”
That makes sense, he said, adding that he thinks it’s good “if it can help generate outputs, like a visualization, that can be shared outside an AI tool. On that front, that is also why I am liking Web MCP, since you are just adding some code to the page, like CSS or JavaScript, and the consumer, in this case, an AI browser or skill, is better equipped to handle the site.”
The point, he said, is, “these standards need to preserve the fact that humans can still do what they want, and do not need to know any coding to be proficient. In terms of governance, I am not sure if it matters.”
Again, Andersen pointed out, “if there is some sort of preprocessing that appends metadata or code to the document, as long as it’s maintained, there should be no issue; in fact, it could make governance easier, since there is some standardization of the context. But that’s not coming across yet in the specs, and I’d encourage the team to consider it.”
Yaz Palanichamy, senior research analyst at Info-Tech Research Group, said, “in theory, the concept of AI-native documents, at least from a user productivity standpoint, can certainly help organizations better prepare their organization’s documentation data for AI-embedded systems.”
However, he added, “organizational compliance controls and an overarching governance model would be absolutely necessary to employ if and when an organization does decide to proceed with such a use case.”
Moreover, in addition to model training permissions and fine-tuning extraction scope, Palanichamy said, “the hypothetical organization ‘X’ that wants to employ AI-embedded document management workflows needs to also understand whether their company, from a technology readiness standpoint, is able to appropriately standardize their internal document management practices across both AI and agentic workflows.”
That being said, he added, “without doing any internal feasibility studies or prepping their organization in advance, change management from a document lifecycle management standpoint will not be enforced appropriately, and, therefore this would deter the organization from maturing and/or scaling their AI-embedded document processing capabilities further.”
Palanichamy pointed out, “in essence, while in theory DocLang as a universal AI-native documentation format is not an ineffective idea as such, there will still be several organizational controls that will need to be reviewed appropriately from a governance standpoint to ensure that the organization scales this new collaborative standard and toolkit in an accountable and secure manner.”
This article originally appeared on CIO.com.
Anthropic rolls out Claude Fable 5, but it's available for a limited time
Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges
ServiceNow discloses security incident exposing customer data
OpenClaw AI agent found falling for phishing attacks, spills user data
Locked in heated rivalry with researcher, Microsoft fixes 0-day they disclosed
Microsoft on Tuesday released fixes for two high-severity zero-days that were disclosed by a researcher who has been locked in a testy beef with the software giant.
Nightmare Eclipse, the pseudonym the researcher goes by, released a handful of high-severity vulnerabilities in recent months, making them zero-days that had the potential to be exploited in the wild. The researcher has said the disclosures, which included proof-of-concept code, came after Microsoft reneged on an arrangement the two made regarding vulnerabilities they had discussed.
Disclosure drama
“But someone violated our agreement and left me homeless with nothing,” Nightmare Eclipse wrote in March. “They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.”
SAP fixes critical flaws in NetWeaver and Commerce Cloud
Nextcloud adds Euro-Office to Hub workplace suite, expands AI assistant
MUNICH — Nextcloud has integrated Euro-Office into its workplace application suite, one of several updates to Nextcloud Hub unveiled on Tuesday that include a new compliance app for large organizations and a program to support developers building for its platform.
The announcements came during the company’s Nextcloud Summit 2026 here.
Euro-Office, announced in March, is billed as an open source, sovereign alternative to Microsoft Office for European organizations keen to reduce their reliance on US tech providers. It consists of four browser-based applications: a document editor, spreadsheet program, presentation tool, and a PDF editor — each enabling collaborative editing. Euro-Office documents can also be opened directly from the Nextcloud Files mobile app.
Nextcloud is one of several European companies that support Euro-Office, which is built on the open-source code base of OnlyOffice and distributed under the GNU Affero General Public License v3 (AGPL v3).
The integration means Nextcloud users can now choose between two options in Nextcloud Office: Euro-Office and the existing Collabora integration.
“Euro-Office uses a different architectural approach that can result in a better performance in the browser, a different user experience…, so it’s important that this option is available,” Jos Poortvliet, Nextcloud co-founder and vice president of communications, said at the Tuesday event.
Other changes in the Nextcloud Hub 26 Spring release include updates to Nextcloud’s Talk video and voice meeting app, including AI noise suppression and the ability to start a call from any Nextcloud Hub app – an addition that will make collaborative editing easier, said Poortvliet.
For Nextcloud Assistant, there are new AI agent capabilities. In addition to existing capabilities such as managing calendars and tasks, AI agents can now create cards in Nextcloud’s Deck task management app and update information in the Forms app.
There are also improvements to the AI assistant’s interface, which can be moved around to avoid blocking other applications and allow users to copy and paste text more easily without opening another tab. To meet EU AI Act requirements, Nextcloud will make it easier to see which provider supplies the large language model (LLM) the Assistant runs on.
Nextcloud will also integrate the AI assistant directly into its Nextcloud Office suites via a sidebar chat interface, allowing users to address problems such as errors in the spreadsheet app.
[Image: NextCloud’s AI chat assistant is integrated into the company’s Office suites. Credit: NextCloud]
There’s also a new Governance app that helps large organizations — particularly governments and highly regulated industries — meet regulatory requirements with compliance tools to manage data held in Nextcloud Hub. It contains several features, including sensitivity labels to control access rights; data retention and archive capabilities; and a legal hold option that preserves documents for legal purposes such as a court case.
The Governance app includes a Compliance Manager that provides a compliance score based on an organization’s regulatory requirements, and measures progress towards certain targets. Admins can also search and review documents shared by employees and generate audit reports for compliance. The Governance app is available to Nextcloud Enterprise customers.
Nextcloud also launched a program to support independent software providers interested in building apps on its platform.
With AI making it easier for developers to build software that integrates with its platform, Nextcloud expects a 10-fold increase in the number of available apps — from 600 now to 6,000 over the next 12 months, according to Nextcloud CEO Frank Karlitschek.
Nextcloud promised to promote apps developed by partners in its App Store and sell subscriptions as part of the ISV program, as well as provide documentation and technical help to customers. In return, developers would provide guarantees to customers around security processes and long-term support.
“We can strengthen our ecosystem, the developers also make some money — because obviously we do a revenue share here — and we leverage the dynamics that we expect from AI coming very soon,” said Karlitschek.
Editor’s note: NextCloud paid for Matthew Finnegan’s travel and hotel costs for NextCloud Summit 2026, but had no editorial role in the creation of this story.
Microsoft releases Windows 10 KB5094127 extended security update
Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws
Windows 11 KB5094126 & KB5093998 cumulative updates released
Meta to Use Off-Site Business Data for Feed and AI Personalization
Veeam Backup & Replication RCE Flaw Lets Domain Users Run Remote Code
Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues



