< ciso
brief />
Tag Banner

All news with #security misconfiguration tag

140 articles

EC2 exposes public AMI SSM parameter metadata

🔎 Amazon EC2 now includes the AWS Systems Manager (SSM) Parameter Store parameters linked to public AMIs directly in AMI metadata. When you describe a public AMI, the response returns the associated public SSM parameter, making discovery and reference simpler. This eliminates manual namespace searches and enables using the parameter as an alias to always resolve to the latest AMI version. The feature is available at no additional cost in all AWS commercial, China, and GovCloud Regions.
read more →

Claude for Chrome click flaw lets other extensions act

🔒 Manifold Security found that Claude for Chrome still accepts synthetic clicks and can read permission mode from its URL, enabling other extensions with DOM access on claude.ai to trigger nine allowlisted tasks (including Gmail, Google Docs, and Calendar). Anthropic constrained arbitrary prompts after ClaudeBleed, but the click handler lacks an event.isTrusted check and the side panel honors ?skipPermissions=true, creating high-risk scenarios especially if "Act without asking" is enabled. Manifold reported this in May against v1.0.72; the issues remained in v1.0.80 as of July 7 and no patch or public advisory was available by July 14.
read more →

Progress orders ShareFile Storage Zones offline

🔒 Progress Software has told ShareFile customers to shut down Windows servers running their Storage Zone Controllers in response to a "credible external security threat." The company has temporarily disabled access to affected accounts and says it has no indication of unauthorized access to ShareFile accounts or data while it investigates with internal and external experts. The disruption was made public via a customer post on Reddit and confirmed on Progress's status page; only self-hosted Storage Zone Controllers are affected, not cloud-only ShareFile accounts.
read more →

Progress warns ShareFile customers to shut servers

🛑 Progress Software has alerted ShareFile customers using on-premise Storage Zone Controllers to immediately shut down the Windows servers hosting those controllers after identifying a "credible external security threat." The company temporarily disabled access to Storage Zone Controller–backed accounts and says manual shutdown is required in addition to cloud-side restrictions. Progress is investigating with cybersecurity partners and will update customers within 24 hours while the ShareFile status page shows affected controllers are nonoperational.
read more →

Microsoft to retire OWA Light from Exchange Server

📰 Microsoft will remove the OWA Light experience from on-premises Exchange Server in an upcoming update. The Exchange Team says retiring OWA Light reduces legacy surface area, simplifies engineering, and lets them focus on the full Outlook on the web experience. Administrators can proactively disable OWA Light via PowerShell using Set-OwaMailboxPolicy and Set-OwaVirtualDirectory commands. The change is expected in August 2026 after OWA Light was deprecated in August 2024.
read more →

OnlyFans DMCA Requests Reveal Compromised Domains

🔎 Armed with copyright law and internet scanning, OnlyFans creators and specialized vendors have been using DMCA takedowns to identify and remove unauthorized adult-content listings that appear on high-authority government and education websites. By tracking requests in Google’s Transparency Report and the Lumen database, researchers mapped thousands of compromised .gov and .edu domains used by traffic distribution systems (TDS) and parasite SEO. This trend has grown rapidly since 2020 as decentralized content ownership increased detection coverage and vendor capabilities.
read more →

Malicious AI agent skill bypasses security checks

🛡️ A faux AI agent skill called brand-landingpage bypassed static security scanners and reached over 26,000 users via an Instagram ad, highlighting risks as enterprises adopt AI-driven tools. The skill pointed agents to a fake Stitch SDK hosted on a domain controlled by researchers, which initially redirected to the real Google Stitch site to pass review. After distribution, the researchers changed the hosted content to instruct agents to download a script that collected email addresses, demonstrating how mutable external resources let malicious behaviors slip past static reviews. Security vendors and scanners from Cisco, Nvidia, and skills.sh marked the skill safe during testing.
read more →

Microsoft fixes AutoGen Studio flaw enabling code execution

🛡️ Microsoft patched a vulnerability chain named AutoJack in AutoGen Studio that could allow a visiting webpage to coerce a developer’s AI agent into executing arbitrary commands on the host. AutoGen Studio is the graphical interface for Microsoft’s open-source AutoGen framework for multi-agent AI systems; the flaw was fixed during development and never shipped in a PyPI release. The issue affected developers who built from the main GitHub branch in a limited window and allowed attacker-supplied commands to be launched with the developer’s account privileges. Microsoft urges running AutoGen Studio only as a developer prototype in isolated, low-privilege environments and avoiding exposure to untrusted content.
read more →

AWS Network Firewall changes default stateful action

🚨 AWS Network Firewall now sets the default stateful action for newly created firewall policies to Application drop established (server-directed only), replacing the previous Application drop established (bidirectional). This safer default prevents silent drops of legitimate server-to-client TCP packets (for example, window updates, keep-alives, and resets) that caused intermittent connection issues. No action is required for new policies; existing environments that rely on bidirectional behavior for post-quantum cryptography (PQC) fragmented TLS handshakes should consult the documentation for guidance on switching or adding the to_server flag to TCP drop rules.
read more →

Apple change to Hide My Email raises privacy concerns

🔒 Apple is changing the domain used for newly generated Hide My Email aliases from "@icloud.com" to "@private.icloud.com", a tweak that has drawn criticism from privacy-minded users. The shift makes generated addresses identifiable as aliases, potentially allowing sites to block anonymous sign-ups. Existing aliases will continue to function, while new ones will be issued on the new domain later this summer. Users warned this could reduce the feature's effectiveness for anonymity.
read more →

Microsoft confirms Recycle Bin filename display bug

🛠️ Microsoft acknowledged a bug that causes the Recycle Bin confirmation dialog to show internal filenames (for example, $Rxxxxx.ext) instead of the original filename when permanently deleting a single item. The Recycle Bin view and restore operations continue to use the original filename. The issue affects all supported client and server Windows releases after installing the June 2026 security updates, and a fix is planned for a future update. Businesses can request a temporary workaround via Microsoft's Business Support.
read more →

CISA Urges Fortinet Users to Secure Devices Now

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Fortinet customers to secure devices after nearly 74,000 firewall and VPN credentials were exposed in a leak dubbed "FortiBleed." The agency advised terminating SSL VPN and admin sessions, resetting passwords, enabling phishing-resistant multifactor authentication, and reviewing logs for signs of unauthorized access. CISA also recommended using PBKDF2 for admin credential storage and restricting management interfaces from the public internet.
read more →

Microsoft confirms Office launch issue after June updates

🛠️ Microsoft is investigating reports that certain third-party applications may be unable to launch Word, Excel, PowerPoint, Access, and other Office apps or open documents after installing Windows updates released on or after June 9, 2026. The problem affects apps that use OLE automation, sometimes causing Office apps or documents to fail to open without an error. Microsoft advises opening Office files directly or contacting Microsoft Support for Business for enterprise workarounds while a fix is developed.
read more →

Top 10 Attack Surface Exposures in 2026

🔍 Intruder analyzed 3,000 internet-facing attack surfaces to identify services that have no business being publicly reachable. Their 2026 Attack Surface Management Index found widespread exposure: 60% had at least one HTTP admin panel exposed, 49% had risky ports/services, 42% had internet-accessible databases, and 30% had publicly accessible files or documentation. The report lists the ten most common exposures and urges a shift from pure patching to active attack surface reduction.
read more →

UK filtering plan raises encryption and security concerns

🔒 UK Prime Minister Keir Starmer urged tech firms to implement device controls to block children from viewing or creating sexually explicit imagery, prompting CISOs to warn the plan could undermine enterprise encryption. Starmer gave companies three months to propose voluntary measures before pushing legislation; analysts caution on-device scanning is unlikely at scale and cloud processing would introduce new risks. Experts highlight logistical, performance, age-verification, and abuse risks that could create exploitable inspection vectors.
read more →

Microsoft attributes unexpected driver updates to caching error

🔧 Microsoft acknowledged and fixed an issue where a Windows Update caching misconfiguration caused some devices to install driver updates despite policies preventing auto-updates. The company said the caching service temporarily dropped device enrollment information, causing driver-approval controls to be bypassed. Microsoft updated the service cache and enrollment status, confirmed remediation, and is investigating root causes to prevent recurrence.
read more →

DynamoDB Streams PrivateLink for FIPS in GovCloud

🔒 Amazon DynamoDB Streams now supports AWS PrivateLink for FIPS endpoints in AWS GovCloud (US) Regions. This enables private connectivity between VPCs and DynamoDB Streams FIPS endpoints, keeping traffic off the public internet for agencies and organizations with federal compliance requirements. The capability simplifies compliant architectures for real-time data processing, CDC, and event-driven applications while maintaining enhanced security and privacy.
read more →

Windows Server 2016 DC lookup fails with KB5087537

🔔 Microsoft confirmed a known issue where domain controller discovery may fail on Windows Server 2016 after installing the KB5087537 May 2026 security update. The problem affects only systems whose hostnames are exactly 15 characters long, causing DCLocator calls to return ERROR_INVALID_PARAMETER. This can prevent applications and admin tools from locating domain controllers and may disrupt administrative scenarios such as DFS Namespace management.
read more →

Amazon Aurora MySQL Adds MySQL 8.4 Support

🔒 Amazon Aurora MySQL-Compatible Edition now supports community MySQL 8.4, aligning Aurora version numbers with community releases and managing underlying patches for customers. The release enforces stronger security defaults—TLS 1.2/1.3 only and caching_sha2_password for new accounts—and offers customizable password validation via DB cluster parameter groups. Automated upgrade prechecks reduce upgrade risk, and multiple upgrade and migration paths are supported, including Blue/Green Deployments and AWS DMS.
read more →

B&R Automation Runtime SDM Vulnerabilities Fix Released

🔒 An update resolves multiple vulnerabilities in B&R Automation Runtime SDM prior to 6.4 that could allow session takeover, reflected XSS, or CSV formula injection. The vendor corrected the issues in Automation Runtime 6.4 and notes SDM is disabled by default in AR 6. Customers should apply the update based on risk assessment and follow recommended network isolation and access-control practices.
read more →