security updates Archives

Winsage

May 27, 2026

Your PC’s trust in Windows has an expiration date

Microsoft will change Secure Boot certificates in June 2026, impacting Windows 11 PCs. If users do not update the certificates, their PCs may still function but will lack critical boot updates and malware blacklists, potentially compromising security. Without the new certificates, systems cannot run the latest Windows Boot Manager, making them vulnerable to bootkit malware and hindering future Windows feature updates. Older computers using BIOS are exempt from this issue. The new Secure Boot certificates are valid until 2038. Users can check their Secure Boot status in the Windows Security app; a green circle indicates readiness for the deadline.

Winsage

May 26, 2026

‘Restart Multiple Times’—Microsoft Changes Windows Next Week

Microsoft will begin the expiration of Secure Boot certificates on most PCs in June, marking the end of a 15-year period of stability. This affects all PCs manufactured before 2023. Users will likely need to perform multiple restarts during the update process, which includes pushing data into firmware and loading a new bootloader. Ignoring the Secure Boot deadline in June 2026 may lead to significant security risks, as Microsoft will stop providing essential boot updates and malware blacklists. The Windows Security App has been updated to help users monitor these changes, and users should check for warnings indicating the status of Secure Boot. It is important for Windows 10 users to ensure they are enrolled in the Extended Security Updates (ESU) program to avoid vulnerabilities.

Winsage

May 26, 2026

Microsoft: Domain Controller lookup may fail on Windows Server 2016

Microsoft has acknowledged an issue affecting Windows Server 2016 systems related to domain controller lookups after the installation of the KB5087537 security update released in May 2026. The problem occurs specifically for devices with hostnames that are exactly 15 characters long, causing domain controller discovery to fail and resulting in an ERRORINVALIDPARAMETER during DCLocator calls. This issue may disrupt administrative operations that depend on domain controller lookups, such as DFS Namespace management. Microsoft is investigating the issue but has not provided a timeline for resolution.

Winsage

May 23, 2026

Microsoft says you should pause Windows 11 Updates when you need to work, as it tests greater controller

Microsoft is shifting its approach to Windows updates, responding to user frustrations about receiving update notifications during critical work hours. The company is currently testing more nuanced controls for updates with Windows Insiders, including a "Pick a date" feature that allows users to pause updates for up to 35 days, with the option to extend the pause indefinitely. Retail Windows 11 users can pause updates for up to five weeks, after which updates will automatically download without further pause options. Microsoft acknowledges that the frequency of updates can disrupt workflows for its 1.6 billion users, many of whom view mandatory updates as interruptions. The time required for updates has increased due to larger cumulative update packages, which can exceed 4GB, and the complexity of the operating system. To improve user control, Microsoft is testing a new power menu that separates update and shutdown options, allowing users to power down without installing updates. Additionally, updates will now include device class information in their titles for better user awareness. These changes aim to streamline the update experience and address long-standing user complaints.

Tech Optimizer

May 23, 2026

CVE-2026-9082: Critical Drupal Core SQLi Flaw

Drupal has issued critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which affects sites using PostgreSQL databases. This flaw allows anonymous attackers to exploit the system through arbitrary SQL injection, posing risks such as sensitive information disclosure, privilege escalation, and remote code execution. The vulnerability is rated 20 out of 25 by Drupal and 6.5 out of 10 by CVE.org. It specifically impacts the database abstraction API, which fails to properly sanitize queries. The fixed versions include 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10, with best-effort patches available for unsupported versions 9.5 and 8.9. Organizations are advised to inventory their Drupal installations, verify PostgreSQL usage, and prioritize patching for public-facing sites.

Winsage

May 22, 2026

Get That Windows 7 Feel In An OS That Still Gets Updates

Classic 7 is a reskin of Windows 10 IoT Enterprise LTSC, not a revival of Windows 7. It offers long-term support with security updates until 2032 and lacks consumer-oriented bloatware. Classic 7 eliminates forced feature updates, providing a stable user experience and a visually appealing interface reminiscent of Windows 7. Users may face challenges in obtaining a license for this version.

AppWizard

May 22, 2026

New SteamOS update finally fixes one of the Steam Deck’s most irritating bugs

Valve has released the SteamOS 3.8.5 Beta, which includes bug fixes and enhancements for the Steam Deck and other devices like the Asus ROG Ally and Lenovo Legion Go. Key improvements include a fix for audio issues on the Steam Deck OLED, enhancements to video memory management for discrete GPUs, and a resolution for a bug in Desktop Mode. The update also includes stability and security updates, a fix for the Asus ROG Ally's control behavior after suspend, and improvements from the previous 3.8.4 Beta, such as solutions for WiFi performance issues and trackpad sensitivity adjustments. Users can join the beta by navigating to Settings > System > System Update Channel.

Tech Optimizer

May 21, 2026

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has announced critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which allows attackers to execute remote code, escalate privileges, or disclose sensitive information. The vulnerability has a CVSS score of 6.5 and affects only sites using PostgreSQL databases. It can be exploited by anonymous users and is rooted in a database abstraction API used for query validation and SQL injection prevention. Updates have been released for the following versions: - Drupal 11.3.10 - Drupal 11.2.12 - Drupal 11.1.10 - Drupal 10.6.9 - Drupal 10.5.10 - Drupal 10.4.10 Drupal 7 is not impacted by this vulnerability. Users on unsupported versions 9 and 8 can access manual patches for: - Drupal 9.5 - Drupal 8.9 Drupal has stated that versions 11.1.x, 11.0.x, and 10.4.x and below are end-of-life and do not receive security coverage, and that both Drupal 8 and 9 have reached end-of-life status. Patches for unsupported versions are provided as a best effort, but users should be aware of potential other vulnerabilities.

Tech Optimizer

May 21, 2026

PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection

PostgreSQL has released versions 18.4, 17.10, 16.14, 15.18, and 14.23 to address 11 security vulnerabilities and over 60 bugs. The vulnerabilities affect PostgreSQL versions 14 through 18 and include issues such as remote code execution, SQL injection, and denial-of-service risks. Specific vulnerabilities include: - CVE-2026-6472: Missing authorization in CREATE TYPE allows query hijacking. - CVE-2026-6473: Integer wraparound leads to out-of-bounds writes and server crashes. - CVE-2026-6474: Format string issue leaks server memory. - CVE-2026-6475: Symlink attack allows overwriting arbitrary files. - CVE-2026-6476: SQL injection allows execution of arbitrary SQL as superuser. - CVE-2026-6477: Memory buffer overwrite via libpq lo_* functions. - CVE-2026-6478: Timing attack exposes MD5-hashed passwords. - CVE-2026-6479: SSL/GSS recursion flaw allows denial-of-service. - CVE-2026-6575: Buffer over-read leaks memory data (PostgreSQL 18 only). - CVE-2026-6637: Refint module enables stack overflow and SQL injection, leading to possible RCE. - CVE-2026-6638: SQL injection in REFRESH PUBLICATION via table names. Organizations are advised to upgrade to the latest versions, avoid MD5 password authentication, restrict privileges, audit extensions, and monitor for abnormal activity. PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Tech Optimizer

May 20, 2026

Critical PostgreSQL Flaws Enable Code Execution and SQL Injection

On May 14, 2026, PostgreSQL released critical security updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, addressing 11 Common Vulnerabilities and Exposures (CVEs) related to stack buffer overflows, SQL injection, memory disclosure, and denial-of-service vulnerabilities. The most critical vulnerability, CVE-2026-6637, has a CVSS score of 8.8 and allows remote, unprivileged database users to execute arbitrary code. Other notable vulnerabilities include CVE-2026-6473, which affects memory allocation leading to potential memory corruption, and CVE-2026-6475, which allows overwriting sensitive OS-level files. Additional vulnerabilities include SQL injection flaws and authentication issues, with various CVSS scores ranging from 3.7 to 7.5. The updates can be implemented without a database dump, and PostgreSQL 14 will reach its end-of-life on November 12, 2026.