"I'm very glad," said Piglet happily, "that I thought of giving you Something to put in a Useful Pot."
#ESETresearch discovered and reported to @certcc 11 old Microsoft-signed UEFI shim bootloaders that allow bypassing UEFI Secure Boot on most UEFI systems. Read about it at https://www.welivesecurity.com/en/eset-research/forgotten-uefi-shims-undermining-secure-boot/
Tracked by #CVE-2026-8863 and #CVE-2026-10797, all these vulnerable shims were revoked in Microsoft’s June Patch Tuesday updates.
https://www.cve.org/CVERecord?id=CVE-2026-8863
https://www.cve.org/CVERecord?id=CVE-2026-10797
Exploiting these vulnerable shims allows execution of untrusted code at system boot by using the Bring Your Own Vulnerable Driver (#BYOVD) technique, enabling deployment of malicious UEFI bootkits on systems that trust the Microsoft Corporation UEFI CA 2011 certificate.
What makes these old shims dangerous is not a novel vulnerability, it’s that no new vulnerability is needed to bypass Secure Boot. Just an old, still-trusted, unrevoked shim and basic knowledge of how UEFI works is enough to bypass UEFI Secure Boot and deploy a UEFI bootkit.
For more details and instructions on how to verify that the dbx patches were properly applied on your system, read our blogpost:
https://www.welivesecurity.com/en/eset-research/forgotten-uefi-shims-undermining-secure-boot/
Idle thought: you can have progressive JPEGs in which coefficients for lower-frequency components are sent first and the detail is refined as more data arrives.
I'm sure you can abuse this to construct a *regressive* JPEG that looks good with the initial low-frequency data and then degrades into something terrible.
Remarkable transparency from CISA here. After years of telling orgs to have a playbook for security incident handling, they had a security incident themselves.. and no playbook on how to respond. https://techcrunch.com/2026/07/10/us-cyber-agency-cisa-had-to-build-its-incident-playbook-during-the-incident-agency-reveals/
Jesus christ. I just watched ChatGPT consult the Merriam-Webster dictionary for firewall syntax.
lets be honest, we’re doing you a favor making your pc unbootable.
RE: https://infosec.exchange/@nemokamui/116919449162115047
Perfect 10 in SonicWALL SMA1000! 🥳
sev:CRIT 10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. A remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0008
Edit to add that it's EITW:
IMPORTANT: SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory. Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities.
It's landed. The bug apocalypse is upon us as #Microsoft releases patches for 620+ CVEs to go along with #Adobe's 88. @TheDustinChilds has done his best to make sense of it all. Read his analysis at https://www.zerodayinitiative.com/blog/2026/7/14/the-july-2026-security-update-review
@cR0w when I need to do substitutions or otherwise want to push bash to its limits, my first reference was always the Bash Hacker's Wiki, which is now defunct but I'm thankful for flokoe for being back the content: https://flokoe.github.io/bash-hackers-wiki/
NEW: The Iranian government abused well-known flaws in the global telecoms infrastructure — specifically SS7 — to locate U.S. military personnel in the Middle East at the beginning of the war.
So, @Rapid7Official is shutting down AttackerKB (https://attackerkb.com/) soon.
I view this as a case where an initially promising idea became overwhelmed by low‑quality reports from contributors.
Anyway, archive any data you wish to retain.
Firefox Security & Privacy Newsletter 2026 Q2 | Attack & Defense
https://attackanddefense.dev/2026/07/12/firefox-security-privacy-newsletter-2026-q2.html