Newsletter

Microsoft's July Security Release Addresses 622 Product CVEs

The release includes 58 critical flaws and two privilege-escalation vulnerabilities that Microsoft lists as actively exploited.

Retro editorial illustration of a security operator sorting two urgent vulnerability cards beside a large stack of software patches protecting a computer and server.
Lead imageRetro editorial illustration of a security operator sorting two urgent vulnerability cards beside a large stack of software patches protecting a computer and server.
On this page

Microsoft’s July security release addressed 622 CVEs in its own products, according to The Register’s count, excluding another 428 Chromium vulnerabilities affecting Edge. Fifty-eight of the Microsoft-product flaws were rated critical.

Microsoft lists privilege-escalation vulnerabilities in Active Directory Federation Services and SharePoint as actively exploited. The release is larger than Microsoft’s previous monthly record, set in June.

Featured source: The Register , Microsoft Security Response Center .

Microsoft Revokes Eleven UEFI Shims That Could Bypass Secure Boot

ESET researchers identified eleven old UEFI shim bootloaders whose Microsoft signatures remained trusted after vulnerabilities emerged, allowing an attacker to introduce one of the signed binaries and run untrusted code early in boot. Microsoft revoked the affected binaries in its June 9 dbx update, leaving systems without the latest UEFI revocations exposed.

Filed from: Ars Technica , ESET , CERT/CC .

Google and Epic Withdraw Their Bid to Modify the Android App-Store Injunction

Google and Epic jointly withdrew their attempt to modify the permanent injunction governing Android app distribution in the United States. Google says catalog access for enrolled third-party stores begins July 22, although several implementation and economic details remain unsettled.

Filed from: The Verge , Google Play catalog access .

White House Launches Gold Eagle Vulnerability Clearinghouse

The White House launched Gold Eagle, a government-industry clearinghouse created under a June executive order to coordinate vulnerability scanning, validation, remediation priorities, and patch distribution. The administration says intake and prioritization have begun, but its announcement provides no operational metrics.

Filed from: TechRadar , White House .

Grok Build Uploaded Complete Repositories and Git History

Cereblab reported that Grok Build’s command-line tool packaged complete repositories as Git bundles and uploaded them to Google Cloud Storage, including files the tool had been instructed not to read and secrets retained in Git history. The researcher says the behavior stopped after xAI set a global disable flag on July 13; xAI said previously uploaded data would be deleted.

Filed from: The Verge , Cereblab .

Workers Allege Meta Used AI-Assisted Scoring to Select Layoffs

Twenty-six employees sued Meta, alleging that internal AI systems, activity data, performance rankings, and AI-usage dashboards helped select workers for layoffs in ways that penalized disabilities and protected medical or family leave. The allegations have not been adjudicated, and Meta says people—not AI—made its workforce decisions.

Filed from: Ars Technica , complaint .

Publishers Sue Google Over Alleged Use of Books and Journals to Train Gemini

Hachette, Cengage, Elsevier, author Scott Turow, and S.C.R.I.B.E. filed a proposed class action alleging that Google copied works supplied for limited uses in Google Books and other services, along with material from web scrapes, to train Gemini without authorization. The claims have not been adjudicated.

Filed from: TechCrunch , complaint .

U.S. Treasury Sanctions 1VPNS and Two Alleged Ransomware Enablers

The U.S. Treasury designated First VPN Service, its administrator Dmytro Rashevskyi, and cryptor provider Yegeniy Vladimirovich Silayev. Treasury says 1VPNS sold infrastructure used by ransomware groups to conceal attacks and manage stolen data, while Silayev supplied tools intended to disguise malware.

Filed from: TechRadar , U.S. Treasury .

IBM Reports $17.2 Billion in Preliminary Quarterly Revenue

IBM reported selected preliminary second-quarter revenue of $17.2 billion, up 1 percent from a year earlier, with software revenue up 5 percent and infrastructure revenue down 7 percent. IBM says the figures may differ slightly when it releases final results on July 22.

Filed from: Stratechery , IBM .

Dependabot Adds a Three-Day Cooldown for Version Updates

Dependabot now waits until a package release has been available for at least three days before opening a version-update pull request. The default applies across supported ecosystems on GitHub.com; security updates remain immediate, and repositories can change the window or opt out.

Filed from: Simon Willison , GitHub .

Vint Cerf Joins an Effort to Develop DNS-Based Identity for AI Agents

Vint Cerf has joined Identity Digital’s Innovation Labs as an adviser on DNSid, a proposal that would bind AI-agent identities to internet domains and use cryptographic proofs to make ownership records verifiable. DNSid is an early Internet-Draft rather than an adopted standard, and competing DNS-based agent identity and discovery proposals are also under development.

Filed from: TechCrunch , IETF draft .

EU Adds Wearables to Exemptions From User-Replaceable Battery Rules

The European Commission adopted a delegated act adding six product categories, including smartwatches and fitness trackers, to exemptions from the requirement that consumers be able to remove and replace portable batteries. The batteries must still be replaceable by independent professionals; the European Parliament and Council have two months to object.

Filed from: The Register , European Commission .

From the Community

Tailscale Fixes an SSH Username Bug That Could Open a Root Session

Tailscale says its SSH implementation accepted usernames beginning with a dash and passed them to getent, where the username -i was interpreted as a flag and caused the first account in the password file—root—to be selected. Version 1.98.9 rejects leading dashes and fixes the issue for Linux hosts relying on non-root ACL restrictions.

Filed from: Tailscale security bulletin .

Cursor Repository Could Trigger Execution of a Planted Git Binary

Mindgard disclosed that Cursor on Windows searched a repository root for git.exe and automatically executed a planted binary when the project opened. The researcher says the issue was reported in December 2025 and remained present in Cursor 3.2.16 when last verified on April 30, 2026; Cursor had not published a response by the disclosure date.

Filed from: Mindgard .

Bonsai Compresses a 27-Billion-Parameter Model to 3.9 GB

PrismML released Apache-2.0-licensed weights for Bonsai 27B, a compressed Qwen3.6 27B model offered in 5.9 GB ternary and 3.9 GB binary variants. The company says the smaller build fits an iPhone 17 Pro and retained 90 percent of its full-precision baseline’s aggregate score across fifteen benchmarks; those are PrismML’s own measurements.

Filed from: PrismML .

Mozilla Reports That Windows Still Steers Users Toward Edge

Mozilla published an updated investigation of Windows 10 and 11 in four regions, finding design patterns that steer users toward Edge and impede other browsers. The report says migrating from Windows 10 to Windows 11 resets the default browser to Edge.

Filed from: Mozilla research .

Continue reading

Complete index →