Security
* Key Takeaways: * WhisperPair is a Fast Pair vulnerability that can let attackers hijack Bluetooth audio devices to play audio, track location, or access microphones. * KU Leuven researchers say more than a dozen models from 10 manufacturers (including Google, Sony, Nothing, JBL, OnePlus) are affected. * The median takeover time is about
Security
* Key Takeaways: * Researchers at KU Leuven found vulnerabilities in 17 Fast Pair-compatible audio models that let attackers silently pair and hijack devices. * Exploits can enable eavesdropping, audio injection, and, for some models, high-resolution tracking via Google’s Find Hub. * Google and several vendors have released firmware updates, but many users
Security
* Key Takeaways: * Microsoft fixed a DWM information-disclosure zero-day (CVE-2026-20805) on Patch Tuesday, Jan. 13, 2026. * The bug allows low-privilege local attackers to leak user-mode memory via remote ALPC ports; MSTIC/MSRC confirmed exploitation in the wild. * CVSS v3.1 score 5.5 (Important); not remotely exploitable, but easy to trigger
Security
• Microsoft released its January 2026 Patch Tuesday fixing 114 Windows vulnerabilities. • One issue, CVE-2026-20805 in Desktop Window Manager (DWM), is confirmed exploited in the wild and added to CISA’s KEV catalog. • The bundle includes eight Critical and 106 Important fixes, with priority items in VBS Enclave and Secure Boot
Security
* Key takeaways: * Microsoft patched CVE-2026-20805, an ALPC info-disclosure zero-day discovered by its threat-intel team. * CISA added the flaw to its Known Exploited Vulnerabilities catalog; federal agencies must patch by Feb 3. * The flaw leaks a memory address (undermining ASLR) and has been observed in active attacks; patching is the primary
Security
* Key takeaways: * Zoicware released Remove Windows AI, a PowerShell script that removes or disables Windows 11 AI components like Copilot, Recall and Windows Studio Effects. * The script is actively maintained on GitHub; users are encouraged to review code, report missing components, and back up the system before running it. * Running
Security
Key Takeaways: * Moxie Marlinspike launched Confer, an open-source AI assistant designed with end-to-end encryption so only account holders can read prompts and responses. * Confer uses passkeys, client-side keys, and a Trusted Execution Environment (TEE) with remote attestation and transparency logs to prove the server runs auditable code. * Conversations sync across
Security
* Key takeaways: * A Massachusetts DIYer built a PoE-powered 16 ft driveway gate with four cameras and a 24V strobe to deter turnarounds. * The system uses Power over Ethernet (PoE) and a Ubiquiti AI turret with license-plate recognition for monitoring. * To avoid $27,000 of trenching, the builder ran sprinkler pipe
Security
* Key Takeaways: * MongoBleed (CVE-2025-14847) is an unauthenticated information-leak in MongoDB’s zlib decompression that can return uninitialized heap memory to attackers. * A public proof-of-concept appeared on Dec 26, 2025, and researchers report active exploitation; Censys and Wiz estimate tens of thousands of vulnerable, Internet-exposed instances. * Fixed releases are available for
Security
• Key Takeaways: * A public PoC called “mongobleed” exploits CVE-2025-14847, a memory-leak in MongoDB’s zlib decompression. * Attackers can extract uninitialized server memory without authentication, exposing logs, /proc data, connection UUIDs and client IPs. * Affected branches include MongoDB 5.0–8.2; fixes are available (see versions 5.0.32, 6.
Security
* Key Takeaways: * MongoBleed (CVE-2025-14847) is a high-severity, unauthenticated memory-disclosure bug in MongoDB’s zlib message decompression. * Censys identified more than 87,000 potentially vulnerable MongoDB instances exposed to the public internet. * A public PoC exploit by researcher Joe Desimone is available on GitHub; MongoDB has released patches — update immediately. What
Security
• Key takeaways: • Attackers abused internal Rainbow Six Siege systems to ban/unban players, show fake ban messages, and add roughly 2 billion R6 Credits and Renown. • All cosmetics — including developer-only skins — were unlocked; the credits are valued at about $13.3M based on Ubisoft pricing. • Ubisoft intentionally shut down Siege