• About WordPress
    • WordPress.org
    • Documentation
    • Learn WordPress
    • Support
    • Feedback
  • Log In
  • Register

AnonymousMedia.org

  • Home
  • Headline News
  • Videos
  • Chat
  • History
  • File Manager
  • Activity
  • Forums
  • ISC Stormcast For Wednesday, July 15th, 2026 https://isc.sans.edu/podcastdetail/10008

    ISC Stormcast For Wednesday, July 15th, 2026 https://isc.sans.edu/podcastdetail/10008



    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.



    Source link

    07/15/2026
  • Microsoft Patches a Record 570 Security Flaws – Krebs on Security

    Microsoft Patches a Record 570 Security Flaws – Krebs on Security


    Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence.

    A picture of a windows laptop in its updating stage, saying do not turn off the computer.

    Nearly 60 of the bugs quashed in July’s Patch Tuesday earned a “critical” severity rating, meaning miscreants or malware could use them to seize remote control over a Windows device with little or no help from the user. Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild.

    Two of the zero-day weaknesses allow an attacker to elevate their user rights on a Windows system, as do approximately 250 other elevation of privilege flaws fixed this month; they include CVE-2026-56155 — an Active Directory Federation Services bug — and CVE-2026-56164, a Microsoft Sharepoint vulnerability.

    CVE-2026-50661 is a security feature bypass in Windows BitLocker that could allow attackers to gain access to encrypted data if they have physical access to the device. Microsoft said this bug has been detailed publicly, but that it is not aware of any active exploitation.

    In a blog post on July 9, Microsoft Executive Vice President Pavan Davuluri wrote that Windows users will notice “a higher volume of security updates included in each security release” as a result of AI aiding in the discovery of vulnerabilities.

    “The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis,” Davuluri wrote.

    Jack Bicer, director of vulnerability research at Action1, called attention to CVE-2026-48561, a remote code execution flaw in Microsoft Copilot (with a 9.6 CVSS threat score) that allows an unauthorized attacker to execute code over the network. Microsoft says an attacker could exploit this bug by hosting a malicious website that causes Microsoft Edge for Android to automatically send crafted prompts to Copilot when a user visits the site.

    As AI advances the state of vulnerability discovery and remediation, it is also making it easier for attackers to quickly devise working exploits for known software flaws. Microsoft has long labeled security bugs using its “exploitability index,” which is Redmond’s best guess as to how likely it is that attackers will be able to figure out a reliable way to exploit a given vulnerability.

    But Satnam Narang, senior staff research engineer at Tenable, argues that Microsoft’s exploitability index needs to do a better job of shifting with the machine speed of discovery. For example, Microsoft originally gave this month’s SharePoint zero-day an exploitability rating of “less likely,” although the flaw was added to CISA’s Known Exploited Vulnerabilities list on July 1.

    “Anthropic’s Red Team’s own findings for known vulnerabilities (n-days) revealed how fragile this system has become, with its Mythos Preview model being able to produce proof-of-concept exploits for 13 of 14 vulnerabilities that were rated ‘Exploitation Less Likely’ or ‘Exploitation Unlikely,’” Narang said. “What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools, and as these tools continue to improve, defense needs to improve alongside it.”

    Chris Goettl at Ivanti observed that the record patch numbers from Microsoft come as a number of other major software makers are increasing their patch cadence, including Adobe which announced today it is moving to twice-monthly security bulletins published on the 2nd and 4th Tuesday of each month (Adobe also cited AI for accelerating their patch cycles). Cisco, Mozilla and Oracle also are shipping updates more frequently, while Google’s patch batches in June 2026 totaled more than 900 security fixes, Goettl noted.

    Backing up your Windows system and/or data is always a good idea before applying operating system updates. Given the volume of patches addressed this month it may be wise for end users to wait a few days before applying these fixes. It’s not uncommon for security patches to introduce system stability issues, and those chances probably increase quite a bit with the gigantic patch count released today.

    Further reading:

    Action1’s Patch Tuesday blog

    Automox’s rundown



    Source link

    07/15/2026
  • Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

    Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack


    Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft’s own CVEs by its Security Update Guide count, more than triple June’s previous high of around 200.

    Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are elevation-of-privilege flaws in identity and collaboration infrastructure: CVE-2026-56164 in on-premises SharePoint Server and CVE-2026-56155 in Active Directory Federation Services.

    Neither is one of the splashy remote code execution criticals. They are privilege bugs in two systems that matter more than their scores suggest: the company document store, and the box that signs its logins.

    The two zero-days to patch first

    CVE-2026-56164, a SharePoint Server flaw Microsoft says is being exploited in attacks, lets an unauthenticated attacker escalate privileges over the network. No credentials, no user interaction, remote. Microsoft credited it to Mandiant’s incident responders and Google’s FLARE team, which points to discovery inside active attacks, though Microsoft has not said how it was exploited or by whom.

    If you run self-hosted SharePoint, this is the one to grab first, and there is a second clock on it: today is also the day SharePoint Server 2016 and 2019 reach the end of extended support. Unlike Windows Server or SQL Server, neither has a paid ESU program to fall back on.

    Cybersecurity

    Beyond patching, Microsoft’s advisory notes that enabling AMSI in Full Mode on the server blunts the attack. SharePoint has been an attacker magnet since the ToolShell chain tore through unpatched servers in 2025, and it has not stopped being one.

    CVE-2026-56155, an Active Directory Federation Services flaw Microsoft also flags as exploited, lets an already-authenticated attacker elevate privileges locally through weak access controls. Microsoft’s own DART incident-response unit gets the credit.

    AD FS is the box that signs the tokens for the rest of the estate trusts, which is why a flaw labeled “local” on that host is worth more attention than the label suggests. Microsoft has not said what privileges it grants, or how attackers used it.

    Worth knowing for anyone tracking remediation deadlines: neither CVE is on CISA’s Known Exploited Vulnerabilities catalog as of this writing. Microsoft’s own exploitability rating already marks both as exploited. Do not wait for a KEV listing to make it official.

    Microsoft also rates the SharePoint bug fairly low on severity, which is a good reminder that the severity label is not the thing to sort by this month.

    A third bug, and a SharePoint chain landing in August

    The third zero-day was publicly disclosed but is not under attack: CVE-2026-50661, another BitLocker bypass. It needs physical access to the device, so it is not a remote emergency. Patch it, but it does not jump the queue. It continues a run of BitLocker bypasses stretching back through bitskrieg and YellowKey earlier this year.

    SharePoint drew a second notable fix. Rapid7 Labs disclosed CVE-2026-55040, a JWT authentication bypass they built for their Pwn2Own Berlin entry. The score depends on who you ask: Rapid7 puts it at 5.3 and says Microsoft assigned it medium severity, while ZDI reads the release as Critical at 9.1.

    What it does is not in dispute. Rapid7 chained it to a separate remote code execution bug to reach unauthenticated RCE against a vulnerable server, and the RCE half is not patched yet; Microsoft is slated to fix it in August.

    That makes July bypass the fix that breaks the chain. A four-point spread on one bug also tells you what a severity number is worth this month.

    The RC4 cleanup that can break logins

    This update also finishes Microsoft’s multi-year Kerberos RC4 hardening. The July rollout removes the RC4DefaultDisablementPhase rollback switch, the escape hatch admins have leaned on since Microsoft began the crackdown in January.

    After this, RC4 works only for accounts explicitly configured to allow it. If any service account in your environment still requests RC4 Kerberos tickets, it can fail authentication the moment the update lands.

    The order matters: audit first, using the RC4 audit events Microsoft added in January, then rotate the passwords on flagged service accounts, so Windows generates AES keys for them, then patch. Rotation only fixes accounts missing AES keys.

    Anything pinned to RC4 by configuration, or a legacy client that speaks nothing else, needs its own fix before the update lands. This one does not get you breached; it breaks things, but it will page you at 2am if you skip the audit.

    Why a quiet month set a record

    July is historically one of the lightest months on Microsoft’s calendar, which makes a release this size stand out. Windows alone accounts for 416 of the 622, and ZDI counts 95 remote code execution bugs across the release.

    Here is where the rest sits, and what is worth pulling out of each pile:

    Product family CVEs Worth pulling out
    Windows 416 Both the AD FS zero-day (CVE-2026-56155) and the disclosed BitLocker bypass (CVE-2026-50661) live here. Top score of the release is a VMSwitch RCE, CVE-2026-57092 at 9.9. Also five DHCP RCEs, and 21 NTFS and ReFS driver bugs that ZDI reads as one shared root cause.
    Office 82 Counted once. Microsoft lists the same 82 again under a separate Office 2016 track, which is why some outlets report 164.
    Microsoft Edge 46 ZDI counts 21 as Microsoft’s own rather than Chromium re-listings.
    Developer Tools 27 Security feature bypasses across Visual Studio, VS Code, and GitHub Copilot, mostly injection and path traversal.
    SharePoint Server 17 The exploited zero-day (CVE-2026-56164) and Rapid7’s chain bypass (CVE-2026-55040), plus a Critical RCE pair including CVE-2026-50522 at 9.8.
    Azure 11 Nothing flagged as urgent.
    SQL Server 8 An RCE pair, CVE-2026-54117 and CVE-2026-54118, both 8.8.
    Defender 5 Two Critical RCEs.
    Exchange Server 5 A stored XSS in Outlook Web Access, CVE-2026-55008, at 9.6. Microsoft files it under spoofing, which undersells it.
    Other 5 Nothing flagged as urgent.

    Counts are from Microsoft’s Security Update Guide, which totals 622 unique CVEs this month. ZDI, counting independently, landed on 621, and its July review is the source for the per-family callouts.

    Cybersecurity

    Microsoft called this one five days early. In a July 9 post, it told customers to expect a “higher volume of security updates included in each security release” as AI helps it uncover more issues. That work includes MDASH, its multi-model agentic scanning system, which found 16 of the bugs in May’s Patch Tuesday by itself. Microsoft has not said how many of July’s 622 came out of that pipeline.

    The same automation cuts both ways. Once a patch ships, attackers can diff it against the last build, find the bug it closes, and build a working exploit before most shops have finished testing. That eats the old “wait a week” cushion and shrinks the gap to Exploit Wednesday.

    It also guts CVSS-based triage. When a release carries 600-plus CVEs and a large share are rated High or Critical, “critical” stops sorting anything. This month’s two exploited bugs make the point: neither is a headline 9.8, both are mid-tier privilege flaws, and both are already in use.

    Sort by what is being exploited, using KEV, EPSS, and Microsoft’s exploited flag, not by score, and patch faster than you used to. The number on the box is only going up.



    Source link

    07/14/2026
←Previous Page
1 … 3 4 5 6 7 … 1,043
Next Page→