❗ Action Alerts
- Microsoft July 2025 Patch Tuesday fixes one zero-day, 137 flaws — www.bleepingcomputer.com/…, krebsonsecurity.com/… & isc.sans.edu/…
  - Most important patches for typical NosillaCastaways are Office zero-click exploits (triggered by previewing a document)
  - Most important updates for sysadmins are in SQL Server
- Google fixes actively exploited sandbox escape zero day in Chrome — www.bleepingcomputer.com/… (Sandbox escapes are a particularly dangerous class of browser bug, so restart Chrome ASAP to let it update itself!)
- ⚠️ PC users with older Gigabyte motherboards: Gigabyte motherboards vulnerable to UEFI malware bypassing Secure Boot — www.bleepingcomputer.com/…
  - Allows malware to infect the boot loader, allowing persistent malware infection even surviving complete OS re-installs!
  - 100s of motherboard models affected (very common brand for build-your-own and custom-built gaming PCs)
  - All appear to be out of support, so patches seem unlikely
  - No response from Gigabyte at all 🙁
Worthy Warnings
- ‘123456’ password exposed chats for 64 million McDonald’s job chatbot applications — www.bleepingcomputer.com/…
  - Affects anyone who applied for just about any job at McDonald’s in the US in recent years, even those who were not successful
  - Unbelievably careless lapses in fundamental security practices — would have been a fun “here’s a perfect example of everything not to do” story were the implications not so serious 🙁
  - No way to know who abused this vulnerability before white-hat researchers found and reported it, so assume you’re at risk from very convincing phishing if you so much as applied.
Notable News
- New Android TapTrap attack fools users with invisible UI trick — www.bleepingcomputer.com/…
  - Android’s APIs let apps control how the system dialogues they trigger get rendered (terrible idea!)
  - There is a design flaw in this ill-conceived API that allows the final opacity to be set at 0.01%, i.e. effectively completely transparent — not sure if that’s detectable even when you look really closely 😕
  - Users can be tricked into granting system permissions to apps by placing buttons behind the effectively invisible system permission buttons
  - Google are working on a fix
- Google is expanding their protected accounts feature for at-risk users down into the Android OS and even some system apps: Google reveals details on Android’s Advanced Protection for Chrome — www.bleepingcomputer.com/…
- A great illustration of the two sides of AI in cybersecurity
  - Not only can attackers use AI to help them write exploits or compose more convincing phishes, they can also find and exploit weaknesses in these very immature technologies, which are being prematurely integrated into billion-user services: Google Gemini flaw hijacks email summaries for phishing — www.bleepingcomputer.com/… (Hidden email content tricks the AI into writing malicious summaries)
  - Defenders can leverage AI to pre-emptively find and fix potentially very damaging vulnerabilities: Google AI “Big Sleep” Stops Exploitation of Critical SQLite Vulnerability Before Hackers Act — thehackernews.com/…
- iCloud Passwords autofill now available in Firefox for Windows — appleinsider.com/…
- Windows 11 now uses JScript9Legacy engine for improved security — www.bleepingcomputer.com/…
  - Up to this point Windows still used the old Internet Explorer JavaScript engine for backwards compatibility
  - This is a version of the modern JScript9 JavaScript engine that supports the old IE-era legacy APIs (hence the name: it’s the API that’s legacy, not the engine!)
- Cloudflare’s “Pay-Per-Crawl” Points to a New Model for Paying Content Creators — tidbits.com/…
  - Intended to force AI bots to make micro-payments to website owners in exchange for crawling their content
  - Given Cloudflare’s scale, this actually has a chance of succeeding
  - This solution revives the seldom-used HTTP 402 Payment Required HTTP response code — developer.mozilla.org/…
  - Editorial by Bart: This is the first hint of a possible future for the web not encumbered by the current toxic tracking/ad model.
Interesting Insights
- A fascinating visualisation of the data in HaveIBeenPwned powered by the free endpoints on the HIBP API — haveibeenpwned.watch/… (Code is open source and on GitHub)
Palate Cleansers
- From Bart:
  - 🎧 A deep and meaningful conversation with the great George Takei: Bullseye with Jesse Thorn: George Takei — overcast.fm/…
  - 🎵 A heart-warming cross-cultural collaboration with a truly unique and beautiful sound: FROM CHINA TO APPALACHIA: Cathy Fink & Marcy Marxer with Chao Tian — cathyfinkmarcymarxer.bandcamp.com/…
  - Just in time for World Emoji Day: Science proves that emojis improve text messages — www.cultofmac.com/… 😀
- We mentioned Rocket app for macOS from matthewpalmer.net/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
