Thinking about the last tweet, not imposing exemplary punishment on the first person who published a `latest` tag on anything was probably a major mistake of humanity.

@christopherkunz Damn that sounds like a major burn for MS!

@buherator I can verify that the exploit still works with that mpengine.dll version and the 1.453.28.0 definition update that got released 6/10/2026 6:29:20 PM. It takes more than one attempt, sometimes up to 6-7 now, where it used to be almost always one shot, but it still works.
I'm waiting for my other VM to fully update and then I'll retry there, too.

TIL about @kagihq 's Redirect feature that finally allows me to land on the latest available documentation page on docs.rs for crates where latest is broken.

(Interestingly, the samples provided for this feature are also based on docs.rs URLs 🤔)

I wish this were fake.

@christopherkunz That's it thx! Based on the Update Guide this should fix the problem independently from the definition updates, so if you can repro on a clean system with this DLL version that's bad.

New, by me: ServiceNow appears to have notified some enterprise customers that there was outside access to their data, after a security bug left instances exposed to the web.

The company has hidden its notice behind a login wall, but was shared by network defenders on Reddit.

https://techcrunch.com/2026/06/10/servicenow-tells-customers-a-bug-left-some-of-their-data-exposed-to-the-internet/

The Anthropic Fable-5 safety classifiers seem to be written by the OpenAI marketing department.

Pretty much anything I talk to LLMs about gets downgraded.
Nerfed into useless. Worst model release ever?

Golden rule of vulnerability disclosure is:

Dont fuck with people who are time rich and cash poor.

New directory traversal CVE!
CVE-2026-52752
nationalsecurityagency - ghidra
Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious extensions with traversal sequences like ../ in filenames to write arbitrary files outside the intended directory, enabling code execution.

RE: https://mastodon.social/@fj/116696838766743727

Anthropic Fable won't answer some prompts about cybersecurity or cryptography (falling back to Opus instead) but they will send engineers to the NSA to help them with offensive operations.

My biggest concern right now is that I only have 6 years to figure out how to use the three shells

You can care about nutrition and still eat cake at a birthday party.

You can be disciplined and still be fun.

Don’t confuse self-improvement with self-surveillance.

Don’t confuse certainty with wisdom.

And don’t confuse being a dick with courage.

https://www.joanwestenberg.com/p/just-be-normal-about-st

@christopherkunz what is the version of your mpengine.dll?

The simplest of all possible modifications to the original RoguePlanet.cpp (literally interchanging two letters in the source code) defeats the detection and re-enables the exploit in current, fully patched Windows 11 with Definition Update 1.453.20.0 installed.

New OpenSSL advisory:
https://openssl-library.org/news/secadv/20260609.txt

1 high, 5 medium, 12 low severity

The high (CVE-2026-45447) was explicitly noted as discovered with help from Claude.

What's more interesting is again the confirmation that vulnerabilities are increasingly identified independently by multiple people:

CVE-2026-34182 (independently found by 4 different people), CVE-2026-35188 (2), CVE-2026-9076 (2), CVE-2026-34181 (2), CVE-2026-42766 (4).

Critical vulnerabilities in Ivanti Sentry (CERT-EU Security Advisory 2026-008)

On 9 June 2026, Ivanti released a security advisory addressing two critical vulnerabilities in their Sentry products[1]. An attacker could exploit those flaws to achieve unauthenticated remote code execution on the vulnerable device.

https://www.cert.europa.eu/publications/security-advisories/2026-008/

Holy collisions batman:

@thezdi @TheDustinChilds What does the new XI column indicate in the MS patch table?

@harrysintonen
> any competing AI assistant would have to be granted the same deep system reach as Siri AI, including the ability to read and send messages, make purchases and act across apps.

wouldn't it be great to have that kind of API accessible from a scripting language, or from some GUI "connect the blocks" automation engine?