Feed aggregator

Article URL: https://krebsonsecurity.com/2025/04/patch-tuesday-april-2025-edition/

Comments URL: https://news.ycombinator.com/item?id=43628571

Points: 1

# Comments: 0

if so, which one(s) and on which OS platform(s)?

Comments URL: https://news.ycombinator.com/item?id=43628561

Points: 2

# Comments: 0

Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild. Eleven of those flaws earned Microsoft’s most-dire “critical” rating, meaning malware or malcontents could exploit them with little to no interaction from Windows users.

The zero-day flaw already seeing exploitation is CVE-2025-29824, a local elevation of privilege bug in the Windows Common Log File System (CLFS) driver.  Microsoft rates it as “important,” but as Chris Goettl from Ivanti points out, risk-based prioritization warrants treating it as critical.

This CLFS component of Windows is no stranger to Patch Tuesday: According to Tenable’s Satnam Narang, since 2022 Microsoft has patched 32 CLFS vulnerabilities — averaging 10 per year — with six of them exploited in the wild. The last CLFS zero-day was patched in December 2024.

Narang notes that while flaws allowing attackers to install arbitrary code are consistently top overall Patch Tuesday features, the data is reversed for zero-day exploitation.

“For the past two years, elevation of privilege flaws have led the pack and, so far in 2025, account for over half of all zero-days exploited,” Narang wrote.

Rapid7’s Adam Barnett warns that any Windows defenders responsible for an LDAP server — which means almost any organization with a non-trivial Microsoft footprint — should add patching for the critical flaw CVE-2025-26663 to their to-do list.

“With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker,” Barnett said. “Anyone wondering if today is a re-run of December 2024 Patch Tuesday can take some small solace in the fact that the worst of the trio of LDAP critical RCEs published at the end of last year was likely easier to exploit than today’s example, since today’s CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still expects that exploitation is more likely.”

Among the critical updates Microsoft patched this month are remote code execution flaws in Windows Remote Desktop services (RDP), including CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482; only the latter two are rated “critical,” and Microsoft marked both of them as “Exploitation More Likely.”

Perhaps the most widespread vulnerabilities fixed this month were in web browsers. Google Chrome updated to fix 13 flaws this week, and Mozilla Firefox fixed eight bugs, with possibly more updates coming later this week for Microsoft Edge.

As it tends to do on Patch Tuesdays, Adobe has released 12 updates resolving 54 security holes across a range of products, including ColdFusion, Adobe Commerce, Experience Manager Forms, After Effects, Media Encoder, Bridge, Premiere Pro, Photoshop, Animate, AEM Screens, and FrameMaker.

Apple users may need to patch as well. On March 31, Apple released a huge security update (more than three gigabytes in size) to fix issues in a range of their products, including at least one zero-day flaw.

And in case you missed it, on March 31, 2025 Apple released a rather large batch of security updates for a wide range of their products, from macOS to the iOS operating systems on iPhones and iPads.

Earlier today, Microsoft included a note saying Windows 10 security updates weren’t available but would be released as soon as possible. It appears from browsing askwoody.com that this snafu has since been rectified. Either way, if you run into complications applying any of these updates please leave a note about it in the comments below, because the chances are good that someone else had the same problem.

As ever, please consider backing up your data and or devices prior to updating, which makes it far less complicated to undo a software update gone awry. For more granular details on today’s Patch Tuesday, check out the SANS Internet Storm Center’s roundup. Microsoft’s update guide for April 2025 is here.

For more details on Patch Tuesday, check out the write-ups from Action1 and Automox.

Article URL: https://medium.com/@junjunzaragosa2309/using-llm-to-generate-data-for-d3-js-force-directed-graph-c490382d1172

Comments URL: https://news.ycombinator.com/item?id=43628528

Points: 4

# Comments: 0

Article URL: https://www.cam.ac.uk/research/news/handheld-device-could-transform-heart-disease-screening

Comments URL: https://news.ycombinator.com/item?id=43628517

Points: 1

# Comments: 0

Inspired by NotebookLM but felt it was missing features I wanted: multi model support, a better text editor, more reliable source uploads, more options to review and study (flashcards, quizzes)

Built this for myself as a uni student and use this everyday for classes but also to learn things for my startup (podcasts, growth, etc)

Comments URL: https://news.ycombinator.com/item?id=43628502

Points: 1

# Comments: 0

Article URL: https://github.com/DistroHopper39B/NTATV

Comments URL: https://news.ycombinator.com/item?id=43628500

Points: 2

# Comments: 0

• Canon printer driver vulnerabilities enable Windows kernel exploitation.
• Astonishing cyber-security awareness from a household appliance manufacturer.
• France tries to hook 2.5 million school children with a Phishing test.
• Wordpress added an abuse prone feature in 2022. Guess what happened?
• Oracle? Is there something you'd like to tell us?
• Utah's governor just signed the App Store Accountability Act. Now what?
• AI bots hungry for new data are DDoSing FOSS projects.
• No Microsoft Account? No Microsoft Windows 11.
• Gmail claims it now offers E2EE. It kinda sorta does. Somewhat.
• A dreaded CVSS 10.0 was discovered in Apache Parquet.
• A bunch of terrific listener feedback.
• What's Multi-Perspective Issuance Corroboration and why must all certificate authorities now do it?

Show Notes - https://www.grc.com/sn/SN-1020-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• material.security
• threatlocker.com for Security Now
• canary.tools/twit - use code: TWIT
• joindeleteme.com/twit promo code TWIT
• bitwarden.com/twit

Article URL: https://fly.io/blog/fuckin-robots/

Comments URL: https://news.ycombinator.com/item?id=43628469

Points: 1

# Comments: 0

Article URL: https://getadq.com/

Comments URL: https://news.ycombinator.com/item?id=43628467

Points: 2

# Comments: 1

Article URL: https://english.elpais.com/economy-and-business/2025-04-08/eu-preparing-first-fines-against-tech-giants-apple-and-meta.html

Comments URL: https://news.ycombinator.com/item?id=43628463

Points: 2

# Comments: 0

Article URL: https://www.trialseek.org/

Comments URL: https://news.ycombinator.com/item?id=43628459

Points: 1

# Comments: 0

Article URL: https://meghprkh.github.io/blog/posts/rust-traits-associated-types-generic-traits/

Comments URL: https://news.ycombinator.com/item?id=43628448

Points: 1

# Comments: 0

Article URL: https://www.bloomberg.com/news/articles/2025-04-09/meta-whistleblower-to-tell-congress-that-company-aided-china-in-ai-race

Comments URL: https://news.ycombinator.com/item?id=43628432

Points: 8

# Comments: 2

Article URL: https://wrongthink.link/posts/hardened-backup-routine/

Comments URL: https://news.ycombinator.com/item?id=43628430

Points: 2

# Comments: 0

Article URL: https://github.com/orgs/NativePHP/discussions/547

Comments URL: https://news.ycombinator.com/item?id=43628419

Points: 2

# Comments: 0

Here are the answers for The New York Times Mini Crossword for April 9.

Article URL: https://jericho.blog/2025/04/08/vulncon-day-2-errata-taking-ben-edwards-to-task/

Comments URL: https://news.ycombinator.com/item?id=43628401

Points: 1

# Comments: 0

Article URL: https://www.politico.eu/article/donald-trump-says-eu-must-buy-350b-of-us-energy-to-get-tariff-relief/

Comments URL: https://news.ycombinator.com/item?id=43628391

Points: 2

# Comments: 0