Sometimes it takes a while to detect a vuln. A 29-year-old, Heartbleed-style vulnerability in Squid, a popular open-source caching proxy server, silently leaked users’ plaintext HTTP requests and potentially revealed sensitive data, including credentials and session tokens, for decades – until AI (and a few humans) saved the day. A security researcher and Mythos Preview found the flaw and reported it to project maintainers, who fixed the code earlier this month. Squid is widely used by large corporations, schools, and internet service providers to cache, filter, and monitor network traffic, and Calif.io researcher Lam Jun Rong said he came across the open source proxy while attempting to connect to the internet on a flight. “As you might expect, the version of Squid deployed on that plane was released nearly 10 years ago and is affected by the vulnerability I’m about to share with you,” Rong wrote in a blog post about the bug, which he dubbed Squidbleed and investigated with help from Anthropic’s Claude Mythos Preview. Rong reported the bug, tracked as CVE-2026-47729, to Squid’s maintainers back in April, and it’s fixed in Squid v7.6, released June 8. The Reg readers may remember Calif from their earlier HTTP/2 Bomb research, uncovered by OpenAI’s Codex agent, and the AI bug-finding firm also collaborated with OpenAI on its Patch the Planet initiative, announced on Monday. According to Rong, Squidbleed leaks internal memory from every version of Squid in its default configuration with two conditions. First, Squid has to be able to read and inspect the network traffic, so it must be handling cleartext HTTP (not HTTPS) or be deployed in TLS-terminating setups. Additionally, the proxy must be allowed to reach an attacker-controlled FTP (File Transfer Protocol) server via TCP port 21. FTP is an outdated protocol for moving files between machines, and Squid supports it – which is where the problem lies. 
The bug exists in Squid’s FTP directory listing parser, and it was injected into the open source code as a commit (bb97dd37a) created in 1997 to support old NetWare servers. NetWare is a discontinued network operating system that was popular in the 1980s and 1990s, providing file and print services across local area networks before Windows and Linux servers became dominant. NetWare FTP servers also added extra whitespace between the modification timestamp and the filename, compared to most other FTP servers that just used a single space. The 1997 commit fixed this NetWare issue by instructing the code to skip the extra whitespace using this loop: while (strchr(w_space, *copyFrom)) ++copyFrom;. As Mythos Preview discovered, if an attacker’s FTP server doesn’t provide a filename after the modification timestamp, copyFrom points to the terminating NUL character at the end of the string. “strchr treats that terminating NUL as part of the string it searches, so it returns a pointer instead of NULL, and the loop never stops,” Rong explains. “It walks off the end of the buffer, and xstrdup copies whatever follows back to the attacker as a filename.” This results in a heap over-read and can leak HTTP requests that often contain passwords or API keys, and Rong demonstrated this in a proof of concept. “The patch is simple: check for the null terminator before calling strchr,” Rong wrote. If you use Squid, make sure to download the June release to fix this flaw. Also, as Rong suggests, you should disable FTP unless there’s a “specific, unusual need for it.” Chromium-based browsers stopped supporting FTP years ago and for good reason. This means “most organizations running Squid are getting close to zero legitimate FTP traffic,” the security sleuth noted. “Turning it off removes this entire attack surface for free.”®
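The following is an added illustration, written for this page and not taken from Squid or from Rong’s write-up, of the C property the bug rests on and of the one-token fix the article quotes. The whitespace set w_space, the naming copyFrom, the constructed listing fragment, and the helper extract_filename are assumptions made for the example; the naive loop is run only over a buffer whose later bytes are known so that it stays within one array and the over-read can be measured rather than triggered.

```c
#include <stddef.h>
#include <string.h>

/* Assumed whitespace set; stands in for Squid's w_space (not its definition). */
static const char *w_space = " \t\r\n";

/* The property the article describes: strchr counts the terminating NUL as
 * part of the searched string, so asking for '\0' never yields NULL. */
int strchr_matches_nul(void) {
    return strchr(w_space, '\0') != NULL;   /* 1 */
}

/* 1997-style skip as quoted on the page: no terminator check. Only safe here
 * because the caller guarantees a non-whitespace byte later in the same array. */
static const char *skip_ws_naive(const char *copyFrom) {
    while (strchr(w_space, *copyFrom)) ++copyFrom;
    return copyFrom;
}

/* Hardened skip: test for the terminator before consulting strchr. */
static const char *skip_ws_fixed(const char *copyFrom) {
    while (*copyFrom != '\0' && strchr(w_space, *copyFrom)) ++copyFrom;
    return copyFrom;
}

/* Constructed buffer: a timestamp, trailing whitespace, NO filename, then the
 * string terminator, followed in the same allocation by unrelated bytes that
 * play the role of the neighbouring heap contents. */
static const char demo_buf[] = "20260601  \0NEXT";
#define DEMO_WS_START 8   /* index of the first whitespace byte */

/* Where each loop stops, as an offset into demo_buf. */
int naive_stop_offset(void) {
    return (int)(skip_ws_naive(demo_buf + DEMO_WS_START) - demo_buf);  /* 11: past the NUL */
}
int fixed_stop_offset(void) {
    return (int)(skip_ws_fixed(demo_buf + DEMO_WS_START) - demo_buf);  /* 10: on the NUL */
}

/* Hypothetical parser step using the hardened skip: given the text that
 * follows the modification timestamp, copy the filename into out.
 * Returns 0 on success, -1 when no filename is present or out is too small,
 * so an empty tail is rejected instead of read past. */
int extract_filename(const char *after_ts, char *out, size_t outlen) {
    const char *p = skip_ws_fixed(after_ts);
    size_t n = strlen(p);
    if (n == 0 || n + 1 > outlen) return -1;
    memcpy(out, p, n + 1);
    return 0;
}
```

The two offsets are the whole story: the naive loop advances over the terminator at index 10 and stops on the first byte of the unrelated data, which is exactly what a subsequent xstrdup would then copy; the fixed loop stops on the terminator and the parser reports a missing filename instead.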
Space Force goes to (pretend) orbital war following record-fast Rocket Lab launch
Rocket Lab has just completed one of the most rapid space launches ever, kicking off a complicated exercise that will test the US Space Force’s ability to respond to and characterize potential threats in orbit. The Victus Haze mission, as the project is known, saw Rocket Lab lob one of its Pioneer spacecraft into orbit for the Space Force on June 19 in just 16 hours and 42 minutes, beating the notice-to-launch record set during the 2023 Victus Nox tactically responsive space mission (TacRS) by more than 10 hours. In addition to the rapid launch, Rocket Lab also managed to fully ready its Pioneer spacecraft being used for the exercise in just 37 hours and 36 minutes, well in advance of Victus Haze’s 72-hour commissioning deadline. With Pioneer now in orbit, the next phase of Victus Haze is set to begin. “The mission will now transition into an on-orbit focus placing operationally relevant systems through realistic rendezvous and proximity operations (RPO) threat response scenarios,” the US Space Force said in its own announcement of the Rocket Lab launch. Pioneer won’t be flying RPO maneuvers on its own, though. Rocket Lab may be playing the part of the Space Force’s rapid launch partner for Victus Haze, but space defense company True Anomaly already has one of its Jackal satellites in orbit. Jackal, which was launched on a SpaceX Falcon 9 rocket in May, will be playing the role of a “non-compliant satellite” that Pioneer will have to rendezvous with and characterize, demonstrating the ability for both craft to maneuver around each other, take photographs for analysts to pick apart, and track each other as if they were hostile targets the USSF wanted to monitor. As noted by True Anomaly, Victus Haze marks a departure from Victus Nox, which only involved a single spacecraft and focused on uncontested orbital operations. 
“VICTUS HAZE encompasses the full scope of TacRS operations: rapid launch and initialization, followed by operationally relevant 1-on-1 RPO between Rocket Lab and True Anomaly spacecraft in low Earth orbit,” True Anomaly said in its own announcement of the Victus Haze mission. Those one-on-one maneuvers the two satellites will undertake will help develop tactics, techniques, and procedures for future space operations, True Anomaly explained, as well as determining what sort of equipment the Space Force might want to consider for its TacRS spacecraft. The mission marks the second of the USSF’s planned annual tactical space missions, a pace that has already slipped after no TacRS launch took place in 2025. Victus Nox, the first full-fledged TacRS mission involving an actual space launch, launched in 2023 and concluded in 2024. Victus Haze’s notice-to-launch record comes a week after DARPA announced it was seeking concepts for rapid-launch space missions able to quickly replace space assets destroyed in an orbital conflict, again suggesting that star wars – or at least orbital ones – are rapidly looking inevitable. ®
O2 joins UK 2G switch-off with summer 2029 start date
Virgin Media O2 (VMO2) will switch off its 2G network starting in summer 2029, meaning that anyone still operating devices that use the technology must start planning an upgrade. The UK network operator says it will start to switch off its 2G signal in 2029 as part of an ongoing mobile transformation plan. This will see it expand and upgrade its 4G and 5G support, leading to reduced energy consumption and a faster and more reliable service for customers. 2G cell networks first started operating in Britain back in 1992, meaning the technology will have been around for nearly four decades by the time it is phased out. O2 can trace its roots to Cellnet, which launched as a joint venture between British Telecom and Securicor in January 1985. Cellnet introduced its digital GSM network in December 1993, before BT bought out Securicor, renamed the business BT Cellnet, and later spun it off as O2. All of this stems from plans announced back in 2021 by the previous UK government for all 2G and 3G mobile networks to be phased out of use by 2033. All of the major networks had managed to phase out 3G services by the end of 2025, but 2G is proving more problematic. This is because many devices have come to rely on the 2G service as a low-power, cost-effective conduit for small volumes of data. In the UK, this includes such hardware as smart meters installed by utilities, telecare alarms and other medical devices, and many Internet of Things (IoT) devices. The topic was covered by The Register a couple of years ago, when a Parliamentary committee questioned what was going to happen when millions of smart meters lost their connection back to the mothership.
The big three network operators – VMO2, BT/EE, and VodafoneThree – signed a government 2G switch-off charter earlier this year, undertaking to ensure that the switch-off takes place safely and effectively for all users of 2G services, including for vulnerable users, life-critical systems, and critical national infrastructure (CNI). The operators also agreed to publicly announce the end date of their 2G services a minimum of three years before it happens. BT/EE will begin closing its network from May 2029, and Vodafone will switch off in spring 2030, well ahead of the government deadline. Another undertaking is that the telcos will verify that “reliable 4G and/or 5G coverage” is present for their network before switching off the old service. From Reg reader comments on earlier articles, we understand that many locations in the country still lack a 4G signal, so this will be interesting to follow. But don’t worry – they also agreed to encourage suppliers and customers to “upgrade and/or mitigate 2G devices” well ahead of the doomsday date. VMO2 says its 2G service currently carries less than 0.5 percent of all data traffic across its mobile network and is already closed for international roaming. By reallocating the spectrum to more efficient 4G and 5G services and replacing old network equipment, it claims the switch-off will allow it to provide customers with faster and more reliable connectivity. PP Foresight founder and analyst Paolo Pescatore told us that O2’s 2029 date is an important marker that the switch-off is now moving from theory to reality. “But this is not just about old phones. There are still many devices and services that need to be supported through the transition, from smart meters and telecare alarms to payment terminals, security systems and enterprise IoT estates,” he said. Not all smart meters will need to be replaced. In many cases, the communications hub can be upgraded, Pescatore added. 
“But a clear program is needed to identify which devices can be migrated, which need a new 4G communications hub, and which require a full meter replacement.” “The clock is now ticking for utilities, local authorities, healthcare providers, alarm companies and businesses to map their 2G estates and act early. Arguably, now is the time to fully migrate to 4G communications hubs to ensure a smoother transition and make these services more future-proof.” ®
Valve opens Steam Machine pre-orders with queue lottery and hefty prices amid AI squeeze
Valve has opened pre-orders for its forthcoming Steam Machine – but it is going to cost you quite a lot, thanks to the AI-induced storage shortage. However, the company is expecting such high demand that it is setting up an automated lottery system, so that the lucky people whose orders go through will get random places on the waiting list. The machine will come with an AMD Zen 4 hexacore CPU, as we covered back in November when the company’s three new hardware models were announced. The desktop model will be offered in two configurations, with either a 512 GB or 2 TB SSD. You can order just the base unit, or if you want, get it bundled with Valve’s new Steam Controller. The announcement lays out the pricing: Both models come with 16 GB of DDR5 RAM (plus 8 GB of GDDR6 VRAM), and if you’re feeling rich, you can upgrade the main memory yourself. There’s a microSD slot for more storage. You can pre-order the machine on its Steam Store page, although this vulture isn’t eligible – in our 15 years on Steam, we’ve never bought a game. If you do want to get in line, you have until Thursday, June 25, to do so. There’s also a Steam Hardware News Hub for news and updates. The company is randomizing the placement of orders, and there are separate queues for North America, Europe (including the UK), and Australia.
Or you can do-it-yourself with SteamOS 3.8
The reason that the largely non-video-game-playing Reg FOSS desk is looking at the news is that the machine will run SteamOS 3, which, as we have covered before, is a relatively radical Arch-based Linux distribution. It has dual immutable Btrfs root partitions, which update one another ChromeOS-style, with automatic rollback and recovery in the event of failed updates. SteamOS 3.8 was released just last week. It now uses KDE Plasma 6.4.3 and defaults to a Wayland session, although you can still choose X11 from the Steam developer settings or via the steamosctl command.
Perhaps the most interesting thing about this version is that the company now permits you to install SteamOS on your own hardware – so long as it uses an AMD GPU. (Nvidia support is planned: the company says “we’re working on expanding support for the future.”) The latest version of the SteamOS Installation and Repair page includes downloads and instructions. We lack suitable hardware for testing, but it looks like you need an 8 GB USB key for installation, the machine needs to have UEFI firmware, and you need to disable Secure Boot – all of which are very reasonable. However, the fancy partitioning scheme means that it doesn’t dual-boot – so any existing OS will be erased. If you have anything on your machine you want to keep, we suggest buying a second-hand SSD, and disconnecting any other drives just in case. ®
Bootnote
Despite the continued non-appearance of Half-Life 3 – which has been awaited for so long that even this geriatric vulture played the original game 28 years ago – Valve seems to be doing well. It is a privately held company, so it doesn’t release public finances, but industry analysts peg the company’s annual operating profit at around $2 billion to $3 billion – most of that coming from Steam. According to Robb Report, which seems to be a website for very rich people to learn about other very rich people’s new toys, Valve boss Gabe Newell has just ordered another new €700 million yacht for his collection, part of a fleet which to his credit is also used for marine research. Perhaps he will keep it with his other six.
21,000 Oracle jobs vanish amid Big Red’s big bets on AI
Oracle’s workforce shrank by 21,000 over the last year, according to the company’s annual report. In June 2025 [PDF], Big Red reported that it employed “approximately 162,000” employees. By June 2026 [PDF], that figure had fallen to 141,000. US headcount fell by 9,000, while the international workforce declined by 12,000. “Our periodic workforce restructurings and reorganizations can be disruptive,” Oracle stated. “Deployment of AI technologies across our operations have resulted, and may continue to result, in reductions to our workforce.” “We may initiate new restructuring plans in the future,” it added, ominously. Reports of layoffs at Oracle have circulated in recent months as the company seeks to finance its AI datacenter build-out. Estimates have ranged from 20,000 to 30,000, while the annual report shows that its workforce shrank by approximately 21,000 over the last year. Oracle spelled out the effect on the company and remaining staff, saying: “These types of restructurings have resulted, and may in the future result, in increased restructuring costs and reduced productivity. These types of restructurings may also lead to shortages of sufficiently skilled employees in certain roles, loss of valuable institutional knowledge and damage to employee morale and retention.” The company is legally obliged to highlight the risks in these reports, but it’s a point worth making. “As our cloud and AI businesses grow, we will continually balance our resources and restructure our development group to help ensure we have the right people delivering the best cloud and AI products to our customers around the world,” the company said in response to The Register’s request for comment. Big Red is hardly alone in laying off staff as companies roll out AI technologies, spend billions on infrastructure for the tech, and seek to improve the bottom line by cutting payroll. 
Microsoft has laid off thousands of workers in the last year, something CEO Satya Nadella said was “weighing heavily on me.” Nonetheless, in April, the company offered a voluntary departure program to some US employees. Microsoft has not confirmed how many staffers have taken the option to depart, but one commented: “Seeing a lot of ‘I’m accepting the retirement’ posts this week,” to which another responded: “Folks leaving behind some big shoes to fill.” All of which highlights one cost of layoffs for companies. For affected staff, the experience can be traumatic, even when departure is voluntary, but the loss of institutional knowledge can be difficult to quantify. ®
Following user outcry, AMD reinstates memory encryption in consumer CPUs
Consumer AMD CPUs will once again offer encryption protections against physical attacks after facing user backlash for silently removing the feature.
As Ars reported last week, AMD stripped the protection, known as TSME, from consumer Ryzen processors. Short for Transparent Secure Memory Encryption, TSME encrypts the entire contents stored in memory, making the data useless to adversaries performing cold boot attacks and similar intrusions requiring physical access.
Now you see it, now you don’t, soon you’ll see it again
About a decade ago, AMD added TSME to its high-end CPUs. Over the next few years, AMD added the protection to lower-end processors, including the consumer version of its Ryzen chips, a CPU that costs less than the Pro version. Over the years, users of these lower-end chips have gotten used to the added security, although some security experts (and plenty of novices, too) note that consumer chips are far less likely to be targeted by physical attacks. Recently and without warning or notice, the lower-end line of AMD chips suddenly dropped the protection, and it did so in a way that was impossible to detect on Windows machines and required a fair amount of technical work when using Linux. AMD last week declined to explain or acknowledge the change.
Microsoft discovers new lightweight backdoor that steals cryptocurrency
Microsoft says it has detected new self-propagating malware that spreads through USB drives in search of cryptocurrency credentials, which it then sends to attacker-controlled servers.
The company named the worm Crypto Clipper because it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases. When found, the malware also takes five screenshots over a 10-second period. Both the credentials and the screenshots are then sent to the attacker through Tor, a network protocol that provides anonymous routing by sending traffic through redundant nodes so logs can’t capture both the sending and receiving IP addresses. Crypto Clipper establishes the Tor connection by using a SOCKS5 proxy, a network protocol that sends traffic through a proxy server, which then forwards it to its final destination.
A lightweight backdoor
“The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure,” Microsoft said Thursday. “Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”
Apple patches high-severity eavesdropping vulnerability in Beats Studio Buds
Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited by nearby hackers to eavesdrop on users.
The vulnerability, CVE-2025-20701, allowed improper authentication in the firmware running on the Bluetooth-related chips, which made it possible for people within signal range to impersonate devices that had previously been paired with the earbuds. The researchers demonstrated this in a series of end-to-end attacks that allowed them to eavesdrop on conversations or sounds within earshot of the phone microphone.
Apple joins the patch party
“Impact: An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests,” Apple said in a Tuesday security advisory. The fix is contained in Beats Firmware Update 1B211, which is delivered automatically while headphones are paired with and within Bluetooth range of a user’s iPhone, iPad, or Mac. Users can check their firmware version by going to Settings on their device, navigating to Bluetooth, and tapping the info button next to the headphones.
Before SpaceX IPO, investors in China secretly acquired stakes
A businessman with ties to Chinese military contractors was among the overseas investors who acquired stakes in SpaceX while it was still a private company. An entity linked to the Qatari royal family also took a stake.
The new details come from a private investor list obtained by ProPublica that sheds light on a particularly delicate issue for Elon Musk’s rocket company: which people in countries like China bought into the company, and how. SpaceX built its business off sensitive US government work like making spy satellites for the Pentagon. While there is no ban on Chinese investment in US military contractors, such investment is heavily regulated.
In a sign of its sensitivity to the concerns, SpaceX barred investors from China and Hong Kong from buying shares in its initial public offering last week due to “regulatory and compliance risks,” Bloomberg reported. The US government alleges that China has a strategy of using investments in sensitive industries for espionage and to get access to cutting-edge technology.
Massive breach spills credentials for thousands of sensitive networks
Researchers have uncovered a massive breach of Fortinet firewalls that has given Russian-speaking attackers near-unrestricted access to some of the world’s largest and most powerful organizations, including Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor, and Fortinet itself.
Nearly 74,000 Fortinet devices from more than 21,000 IP addresses in 194 countries have been compromised and their plaintext credentials exposed online, Bob Diachenko, a security researcher and head of SecurityDiscovery.com, said online and in an interview. He said he found the data after gaining access to the attackers’ command-and-control server and other infrastructure. The exposed data also included the industry, revenue, and employee count for each compromised organization.
Exceptional scale, poor opsec
Independent researcher Kevin Beaumont reported that “almost all” of the compromised devices remained online as of Wednesday morning. He went on to say that he has confirmed with multiple organizations found in the attackers’ logs that the credentials are real and current. In many cases, once the threat actors compromised the devices, they went on to access affected organizations’ centralized authentication systems, such as Radius servers and Microsoft Active Directory. The number of compromised devices comprises roughly half of all Internet-facing Fortinet firewalls, based on polling from Shodan.