This is a current list of where and when I am scheduled to speak:

I’m speaking (remotely) at the Sektor 3.0 Festival in Warsaw, Poland, May 21-22, 2025.

The list is maintained on this page.

Поръчване на лекарства с рецепта от Германия

2025-05-14 Боян Юруков

Post Syndicated from Боян Юруков original https://yurukov.net/blog/2025/lekarstva-recepta/

Вчера във Fb групата Татковците на София имаше въпрос за поръчване на лекарство с рецепта, което е изчерпано от доста време в България. За съжаление, това се случва доста често и е отчасти заради схеми на болници и отделни лекари, но също и липсата на адекватен, а понякога какъвто и да е контрол на здравните и съдебните власти. Фактор е, че сме малък пазар и далеч не приоритет за резерви от дори критично важни лекарства. Доста хора прибягват към поръчване на лекарства от аптеки в Гърция. Описах вече как може да си поръчате препоръчителни ваксини като тези срещу менингит и хепатит А, където съхранението по цялата верига на доставка е важно. В случая на този татко обаче препаратът беше свършил и там.

Затова се разрових и писах на няколко аптеки в Германия, където може да се поръчва през интернет. Една Disapo ми отговори, че приемат рецепти от ЕС, но има няколко важни условия наложени им нормативно:

Рецептата трябва да се предостави в оригинал
Доставката трябва да е на адрес в Германия
Плаща се предварително и по цена непокрита от здравна каса

Уточнихме преди малко процесът и реших да го споделя, защото може да е полезен на някого. Важно уточнение е, че не съм поръчвал така – това са инструкциите на една аптека. За разлика от дистанционното вадене на ЕЗОК, ваксините или чиповете за тол пунковете в Гърция, където исках първо да мина целия процес преди да го споделя, тук нямам какво да поръчвам, за го пробвам.

Вземете рецепта от лекар с ясно изписано името на лекарството, подпис и печат
Направете си акаунт на фирма за доставки от Германия. Аз използвам GGBG.
Поръчайте от сайта лекарството избирайки производител и количество и изберете „Privatrecept“, т.е. не електронна от немски лекар
При поръчката въведете адреса в Германия на фирмата за доставки. Този на GGBG е в Берлин.
Изпратете рецептата с писмо до посочения от тях адрес в инструкциите. Добавете в писмото номер на поръчката. Препоръчвам да използвате куриер, но и с български пощи ще стане – просто последните може да отнемат между една и три седмици да пристигне писмото
Когато бъде обработена рецептата, ще получите инструкции за плащане
След като платите ще изпратят лекарството на фирмата за доставки, а те ще го докарат в България

Целият процес оскъпява лекарството по няколко причини. Първо, лекарствата в Германия без каса са доста по-скъпи от България. Въпросния препарат, който беше причината да проверя това, има двойна цена в Германия,… но е наличен. Второ, изпращането на писмо с куриер, ако бързате, не е евтино. Не на последно място макар доставката над 30 евро да е безплатна от самата аптека, доставянето до България ще струва още 5 до 10 лв. в зависимост дали искате да се донесе до вкъщи.

Разбира се, всичко може много да се опрости, ако познавате някой в Германия, изпратите му рецептата и той купи лекарството директно от аптека. Доста хора обаче нямат такива познати или не могат да чакат същите да пътуват за България. Във всеки случай, ако имате въпроси или намерите търсеното от вас лекарство в друга аптека, препоръчвам ви да им пишете. Тази тук просто беше първата, която ми отговори и то на добър английски.

Ако някой поръча така лекарства с рецепта от тази или друга аптека в тази или друга държава, моля да сподели опит в коментарите. Интересно ми е колко време отнема и дали има спънки.

Разбира се, за да не прибягваме до такива еквилибристики както за лекарства, така и за ваксини, трябва да изискваме доста по-настоятелно от Министерството на здравеопазването да ги осигурят в достатъчни количества. При това следва да го правим не само с коментари из фейса, а с търсене на сметка на народните ни избраници и висшите чиновници, от които пряко зависи това. Макар навсякъде да се случват проблеми с доставките в това турболентно време, няма две мнения, че сме свидетели на абсурдно отношение и бездействие към злоупотреби и критични липси.

The post Поръчване на лекарства с рецепта от Германия first appeared on Блогът на Юруков.

CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

2025-05-14 Stephen Fewer

Post Syndicated from Stephen Fewer original https://blog.rapid7.com/2025/05/14/etr-multiple-fortinet-products-cve-2025-32756-exploited-in-the-wild/

CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

On May 13, 2025, Fortinet disclosed CVE-2025-32756, an unauthenticated stack-based buffer overflow affecting multiple Fortinet products; including FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera. The vulnerability is rated as CVSS 9.6 (Critical), and allows an unauthenticated remote attacker to achieve remote code execution (RCE) against a vulnerable target.

Fortinet has disclosed that this vulnerability has been exploited in the wild by a threat actor who is targeting vulnerable FortiVoice appliances. No threat actor attribution has been made at this time. FortiVoice is an enterprise unified communication (UC) platform, providing communications services such as calling, conferencing, and chat. The Fortinet Product Security Team made this discovery based on observed threat activity. This threat activity included additional network scanning, credential logging, and log file wiping. Several IOCs have been published in the vendor advisory to assist customers in threat hunting.

Mitigation guidance

Fortinet have provided patches for affected versions under support, and guidance for unsupported versions to migrate to a fixed version. Customers are advised to follow the vendor guidance, and remediate this vulnerability by upgrading to a fixed version on an urgent basis, as outlined below.

FortiVoice 7.2 should be upgraded to 7.2.1 or above
FortiVoice 7.0 should be upgraded to 7.0.7 or above
FortiVoice 6.4 should be upgraded to 6.4.11 or above
FortiRecorder 7.2 should be upgraded to 7.2.4 or above
FortiRecorder 7.0 should be upgraded to 7.0.6 or above
FortiRecorder 6.4 should be upgraded to 6.4.6 or above
FortiNDR 7.6 should be upgraded to 7.6.1 or above
FortiNDR 7.4 should be upgraded to 7.4.8 or above
FortiNDR 7.2 should be upgraded to 7.2.5 or above
FortiNDR 7.1 should be migrated to a fixed release
FortiNDR 7.0 should be upgraded to 7.0.7 or above
FortiNDR 1.5 should be migrated to a fixed release
FortiNDR 1.4 should be migrated to a fixed release
FortiNDR 1.3 should be migrated to a fixed release
FortiNDR 1.2 should be migrated to a fixed release
FortiNDR 1.1 should be migrated to a fixed release
FortiMail 7.6 should be upgraded to 7.6.3 or above
FortiMail 7.4 should be upgraded to 7.4.5 or above
FortiMail 7.2 should be upgraded to 7.2.8 or above
FortiMail 7.0 should be upgraded to 7.0.9 or above
FortiCamera 2.1 should be upgraded to 2.1.4 or above
FortiCamera 2.0 should be migrated to a fixed release
FortiCamera 1.1 should be migrated to a fixed release

For customers who may not be able to update to a fixed version, Fortinet has given guidance to disable the affected appliance’s HTTP(S) administration interface. For the latest mitigation guidance, please refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2025-32756 on FortiVoice with an unauthenticated check expected to be available in the May 14, 2025 content release.

How to enhance your application resiliency using Amazon Q Developer

2025-05-14 Dr. Rahul Sharad Gaikwad

Post Syndicated from Dr. Rahul Sharad Gaikwad original https://aws.amazon.com/blogs/devops/how-to-enhance-your-application-resiliency-using-amazon-q-developer/

“Everything fails, all the time” – Werner Vogels, Amazon.com CTO

In today’s digital landscape, designing applications with resilience in mind is crucial. Resiliency is the ability of applications to handle failures gracefully, adapt to changing conditions, and recover swiftly from disruptions. By integrating resilience into your application architecture, you can minimize downtime, mitigate the impact of failures, and ensure continuous availability and performance for end-users.

Amazon Q Developer, a generative AI-powered assistant for software development lifecycle (SDLC), helps design resilient architectures and enhance application availability. It recommends best practices, analyzes code, and identifies potential failure points, serving as an expert companion to strengthen application architecture and boost system availability through the following key resiliency practices.

Resilient design pattern recommendations: Access tailored design patterns like distributed systems, microservices, and serverless architectures. Amazon Q offers recommendations across redundancy, robust failovers, and circuit breakers to boost resilience in your environment.
Disaster Recovery planning: Amazon Q offers expert guidance on comprehensive disaster recovery (DR), including efficient backups, systematic restorations, strategic data replication, and seamless failovers to ensure rapid recovery from disruptions with minimal impact.
Customized Resiliency testing frameworks: Create custom templates to simulate diverse failure scenarios, such as network degradation and infrastructure outages. This streamlines thorough resilience verification across your systems.
Failure mode evaluation: Use Amazon Q to conduct comprehensive Failure Mode and Effects Analysis (FMEA) identifying infrastructure vulnerabilities and assessing their impact. Amazon Q then ranks these issues by severity, enabling you to prioritize and address the most critical risks to protect your production environment.

In the following sections, we will demonstrate how Amazon Q improves the resiliency of a foundational application architecture.

Prerequisites

To begin using Amazon Q, the following are required:

An AWS Account
An AWS Builder ID or an AWS IAM Identity Center login controlled by your organization
Visual Studio Code or supported IDEs
How to set up and chat with Amazon Q Developer

Application Overview

We have a three-tier web application shown below that is running on AWS in a single Availability Zone (AZ). The architecture consists of Application Layer hosted on Amazon Elastic Kubernetes Service (Amazon EKS) cluster with two Amazon Elastic Compute Cloud (Amazon EC2) nodes in a single-AZ and the Data Layer uses Amazon Relational Database Service (Amazon RDS) instance deployed in single-AZ configuration. The architecture is functional but has several limitations. It poses a single point of failure and offers limited application availability with no fault tolerance. High response times may occur because there is no caching layer in front of the database. Additionally, the lack of auto-scaling can lead to resource contention.

A three-tier web application basic architecture running on AWS in a single Availability Zone.

Basic Application Overview

Enhance Application Resiliency

Let’s explore how Amazon Q helps incorporate resiliency best practices that enhance system availability in our basic application architecture.

Resilient architecture recommendations

The initial architecture faced challenges with reliability, performance and scalability, largely due to its single-point of failure and lacked redundancy. To address this, we described the existing application design and its challenges to Amazon Q using a natural language prompt to seek resiliency recommendations.

Prompt for improving the architecture design:

I have manually setup an application that runs within an EKS cluster on two EC2 nodes in single AZ. My application is not highly available and scalable. It talks to an RDS database which is single AZ. However, there is high response times from database. Provide me only the recommendations to re-design this application architecture at each layer that will addresses all these issues.

Amazon Q offering resiliency architecture recommendations

Amazon Q analyzed the provided context and recommended improvements such as introducing Multi-AZ deployments for high availability, adding auto-scaling groups for elasticity, and incorporating caching layers to enhance performance. These targeted recommendations helped redesign the architecture to be more resilient and scalable, directly addressing the initial shortcomings.

Disaster Recovery (DR) recommendations to improve the architecture

To further enhance resiliency, we prompted Amazon Q for disaster recovery (DR) recommendations. We asked for guidance aligned with the AWS Well-Architected Framework. This built upon the previously improved architecture design.

Prompt for recommendations on Disaster Recovery (DR) and architecture based on RTO/RPO

Based on the above improvements on AWS architecture design, share recommendations for Disaster Recovery (DR) based on AWS Well Architected Framework

Optionally, we can use advanced prompts like the below with additional context:

Please provide a recommendations to redesign my application that is running on an EKS cluster with two EC2 nodes and a single-AZ RDS database, addressing high database latency, low availability, and scalability issues. Suggest improvements across all architectural layers including presentation tier, application tier and data tier to enhance performance, resiliency, and scalability. Also, recommend DR strategies aligned with the AWS Well-Architected Framework focusing on resilience, data protection, and recovery.

Amazon Q tailoring recommendations based on business requirements using AWS Well-Architected Framework

Amazon Q provided detailed DR strategies. These included multi-region configuration, backup and restore procedures, and best practices for meeting specific Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements.

Prepare DR strategy based on RTO and RPO requirements:

Diving further, asking for a specific disaster recovery strategy that meets the application RTO requirements of 2 hours and RPO requirements of 30 minutes.

Prompt for DR strategy based on RTO/RPO values

Which DR strategy should I use if my RTO is less than 2 hours and RPO is less than 30 minutes?

Amazon Q recommending disaster recovery strategy

Amazon Q recommended a Pilot light approach, detailing the setup and components needed to achieve the specified disaster recovery objectives.

Define resiliency testing workflow, identify key metrics and tools

As we incorporate resiliency best practices into the application architecture, its is important to employ a resiliency test workflow to ensure application’s resiliency requirements are met. To do this, we are asking for guidance to define an end-to-end resiliency testing process workflow. We also want to identify the key metrics and tools needed to test the resilience of each AWS service involved in the architecture.

Prompt for defining the resiliency testing workflow:

Define the end-to-end resiliency testing process workflow. Also, identify the key metrics and tools that should be used to test the resilience of each AWS service involved in the improved architecture design.

Amazon Q offering resiliency testing best practices and tools

Amazon Q offers a step-by-step approach to define resiliency testing experiments and prepare the environment for testing.

Failure mode evaluation to prioritize resiliency tests

Failure Mode and Effects Analysis (FMEA) can further assist with designing the resiliency tests. It is a proactive method to identify potential failures in processes or systems, assess their impact, and prioritize critical issues. It evaluates failure modes across hardware, software, human factors, and external events, enabling teams to develop strategies for prevention, detection, and mitigation, ultimately enhancing system resilience.

Leveraging Amazon Q, we requested a comprehensive FMEA report that includes components, cause, effect and their respective Risk Priority Numbers (RPN). RPNs are calculated by multiplying three key factors: Severity (S), Occurrence (O), and Detection (D). It helps organizations understand and prioritize which risks to address first.

Prompt for designing the FMEA template and scoring:

Create the FMEA in tabular format with scoring for improved architecture design above keeping in mind the RTO/RPO values and provide the steps for execution as well.

Amazon Q assisting with systematic risk assessment and FMEA report

Amazon Q intelligently incorporated previously defined RTO and RPO requirements to identify critical failure scenarios and calculated RPN for each potential incident.

Enhanced Architecture Implementing Resiliency Best Practices

After identifying the key pain points in our original architecture such as single points of failure, limited scalability, and lack of automated recovery, we leveraged Amazon Q to analyze our architecture to get targeted recommendations to elevate the resiliency. By describing our requirements and challenges to Amazon Q, we received actionable guidance on AWS best practices and service configurations, which we then implemented to transform our infrastructure for high resilience and availability.

Resilient Application Architecture

The original Application Layer was running in a single Availability Zone without auto-scaling, leading to potential downtime and performance bottlenecks. Amazon Q recommended distributing Amazon EKS worker nodes across multiple Availability Zones and enabling the Cluster Autoscaler to dynamically adjust node capacity based on traffic patterns. Additionally, it suggested implementing horizontal pod autoscaling within Amazon EKS to automatically scale application resources according to CPU utilization and custom metrics. Following these recommendations, we deployed Amazon EKS worker nodes across three Availability Zones, configured Cluster Autoscaler and horizontal pod autoscaling, and integrated an Application Load Balancer, to intelligently distribute incoming traffic. These changes significantly improved scalability, fault tolerance, and performance.

The Data Layer initially relied on a single-instance Amazon RDS deployment, which posed a risk of downtime and limited read performance. Upon review, Amazon Q advised implementing a Multi-AZ Amazon RDS configuration to enable automated failover and improve availability. It also recommended deploying read replicas to offload read-heavy workloads and enhance performance. Furthermore, Amazon Q suggested adding a Multi-AZ Amazon ElastiCache for Redis to reduce database load and speed up data access. We incorporated these recommendations, resulting in a more resilient and performant data layer capable of handling failover scenarios and scaling read operations efficiently.

The Presentation Layer lacked an optimized content delivery mechanism and comprehensive security controls. Amazon Q recommended integrating Amazon CloudFront as a content delivery network to accelerate the delivery of static content and reduce load on application servers. It also suggested deploying AWS WAF to protect against common web exploits. To improve operational visibility, Amazon Q emphasized the importance of comprehensive monitoring using Amazon CloudWatch, combining logs, metrics, and traces for rapid issue detection and resolution. Implementing these recommendations enhanced both the performance and security posture of the presentation layer.

Conclusion

Amazon Q Developer transforms how teams build resilient applications by serving as your expert companion throughout the development journey. Its guidance helps create systems that excel in resilience, scalability, and availability—critical factors for today’s demanding digital landscape. Amazon Q goes beyond theoretical advice by providing practical, step-by-step implementation guidance. In the above, we’ve witnessed how Amazon Q’s expertise can transform basic architectures into robust, failure-resistant systems. Its recommendations such as Multi-AZ redundancy, elastic scaling, strategic caching, and proactive resilience testing create applications that maintain performance and availability even during significant disruptions.

Ready to strengthen your applications against unexpected challenges? Harness Amazon Q’s capabilities to create resilient infrastructure that consistently delivers for your customers, regardless of conditions. Unlock the full potential of your AWS infrastructure and deliver uninterrupted service to your customers, today. To learn more about Amazon Q refer to the documentation.

About the authors:

Security updates for Wednesday

2025-05-14 jzb

Post Syndicated from jzb original https://lwn.net/Articles/1021199/

Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools).

От тротоара до екрана. Достъпната среда отвъд физическото пространство

2025-05-14 Ивелина Гаджева

Post Syndicated from Ивелина Гаджева original https://www.toest.bg/ot-trotoara-do-ekrana-dostupnata-sreda-otvad-fizicheskoto-prostranstvo/

От тротоара до екрана. Достъпната среда отвъд физическото пространство

Достъпността е важна не само за нашата архитектурна, физическа среда, но и за дигиталната. А нейното значение за ежедневието ни непрекъснато нараства – от предварителното задаване на маршрут, преглеждането на новините, онлайн плащанията, търсенето на информация до издаването на документи. Дигиталните услуги за всички тези дейности трябва да отговарят на Европейския акт за достъпност (ЕАД), който влиза в сила на 28 юни 2025 г.

Достъпност ли е, ако човек с различни възможности може да стигне до магазин, но не и да поръча онлайн?

EAД е ключова стъпка към общи стандарти за улеснено ползване на продукти и услуги, с които се подобрява качеството на живот не само на хората с различни възможности, но и на цялото общество.

Това не е първата директива за дигиталната достъпност в ЕС. Съществува и Директива (ЕС) 2016/2102, известна като Директивата на ЕС за уеб достъпността. Тя обаче се фокусира само върху уебсайтове и мобилни приложения на организации от обществения сектор, докато ЕАД важи и за частния сектор, с някои малки изключения.

ЕАД задължава бизнеса да прилага принципите на достъпност, заложени в акта, който е естествено продължение на адаптирането към Конвенцията на ООН за правата на хората с увреждания. По този начин се подчертава ангажираността на Европа с изграждането на една по-достъпна среда за всички.

Директивата се отнася до производството на потребителски технологични продукти, финансовите услуги, електронната търговия на дребно, транспорта, медиите и комуникациите, както и до спешните телефонни номера.

Единният европейски номер за спешни повиквания 112 впрочем е достъпен за хора с увреждания от януари 2019 г. Тогава е внедрена услуга, която осигурява лесен достъп за хора със слухови и/или говорни увреждания до този номер. Тя може да се ползва през интернет, чрез мобилно или уеббазирано приложение.

На ЕАД трябва да отговарят компютрите и мобилните устройства, смарттелевизорите, устройствата за стрийминг и възпроизвеждане на видео, игровите конзоли, електронните книги и четци. Също така и платформите за стрийминг и видео по заявка, обществените радиа и телевизии, мобилната телевизия.

Новите изисквания важат и за платформите за онлайн и мобилно банкиране, банкоматите и изобщо за всички места, където може да си купите нещо с карта, в т.ч. за онлайн магазините. От тях не са изключени и машините за продажба или чекиране на билети на гари, летища и във всякакви транспортни средства.

За кого важи Европейският акт за достъпност?

ЕАД изисква всички продукти и услуги в ЕС да бъдат достъпни за хора с увреждания, като определя пет категории, наричани икономически оператори, които трябва да отговарят на нейните изисквания. В тези категории влизат производителите, предлагащи продукцията си на пазара, независимо дали са физически лица, или предприятия, техните представители, вносителите, дистрибуторите и доставчиците на услуги.

Микропредприятията са частично освободени от съответствие с ЕАД. Те се определят като предприятия с по-малко от 10 служители, чийто оборот или общ годишен баланс не надвишава 2 млн. евро.

ЕАД налага минимални стандарти за достъпност и изисква гаранции, че уебсайтове, мобилни приложения и софтуерни интерфейси отговарят на Насоките за достъпност на уебсъдържание. Тези гаранции може да се осигурят чрез различни варианти на каналите за достъп (например текстови алтернативи на изображения, навигация чрез клавиатура, аудиоописания). Друга възможност е разработването на продукти, които може да се използват с помощни технологии, като екранни четци или адаптивни устройства.

Важно е да отбележим, че реално ЕАД дава само насоки на организациите, но достъпността е много повече от придържането към тях. Например фактът, че даден уебсайт отговаря на изискванията до степен, че текстът е достъпен за електронните четци и може да се променят контрастът и големината на шрифта, по никакъв начин не гарантира, че хората могат лесно да се ориентират, да разбират информацията и да намерят важната за тях.

Ако на „нормален“ човек му отнема, да кажем, минута да си поръча пица, а на един човек, който е незрящ и ползва екранен четец – пет минути, това е съществена разлика в достъпа.

Числа, които говорят

Спазването на изискванията за достъпност трябва да се разглежда не само като регулаторно задължение, а и като възможност за разширяване на пазара. По оценки на Европейската комисия над 135 млн. души в ЕС живеят с някаква форма на увреждане.

Последният доклад на WebAIM Million за 2025 г. включва анализи на данни от 1 млн. най-посещавани начални страници в интернет. Една от основните констатации в доклада е, че на всяка от тези страници има средно 51 различни грешки по отношение на достъпността. Освен това броят на елементите на началните страници расте от година на година. Това увеличава сложността на навигацията и затруднява потребителите, особено тези с увреждания.

Сред основните констатирани проблеми са ниският контраст на текста (в 81% от изследваните страници) и липсващият алтернативен текст за изображения (55%). В 49% от страниците няма „етикети“ за формуляри, които да улеснят хората с нарушено зрение, които също така не могат да се ориентират и в разбирането на линковете на 45% и бутоните на 28% от сайтовете. 17% от началните страници не указват езика на документа, което е важен фактор за правилното функциониране на екранните четци.

Достъпността е основен фактор при изграждането на дигитални услуги. Това означава използване на ясен и разбираем език, интуитивен дизайн и адаптивност към различни устройства. Най-често хората, които най-много се нуждаят от дадена услуга, са тези, които срещат най-големи трудности при използването ѝ. Затова от самото начало трябва да мислим как да направим услугата максимално достъпна за всички, независимо от техните способности или технически познания.

Как един сайт може да стане по-достъпен

Трудно ще направим един сайт по-достъпен, ако не го тестваме с реални хора. Съществуват обаче определени практики, за които вече е натрупан достатъчно опит, че затрудняват определени групи лица, например:

създаване на достъпни версии само за определен браузър или операционна система;
поставяне на активни бутони много близо един до друг – това е предизвикателство за хората с проблеми с моториката;
слагане на таймер при извършването на определени задачи, например онлайн плащане – това създава напрежение у хората с когнитивни различия;
ясна ориентация докъде е стигнал потребителят в процеса (например при поръчка на самолетен билет) – не всички притежават перфектна концентрация;
избягване на CAPTCHA с картинки като тази по-долу, която е бариера за незрящите.

От тротоара до екрана. Достъпната среда отвъд физическото пространство

На български език са налични ресурси с практически съвети за постигане на достъпност, като „Accessibility – как да създаваме уеб, който всеки може да ползва“ и АccessDrum.

Какво е важно за достъпния уебдизайн

Контекстът, в който потребителите използват услугите, е от съществено значение. Дизайнът не трябва да се ограничава само до екрана, а да отчита реалните условия, в които хората взаимодействат с технологията. Например потребителите може да използват дадена услуга в движение, на мобилно устройство или в среда, където достъпът до интернет е ограничен. Нужно е да се мисли за всички тези фактори при изграждането на услугата. Затова и е важно да се провеждат съпътстващи потребителски проучвания.

Последователността в дизайна е важна, но тя не бива да се бърка с еднообразието. Когато използваме утвърдени дизайнерски модели, улесняваме потребителите, защото те вече са запознати с тях. Въпреки това моделите подлежат на адаптация. Гъвкавото и отворено отношение към промените е основен фактор за устойчивото развитие на дигиталните услуги и наистина правят живота на хората по-лесен.

Певицата и авторка на бестселър Хедър Хътчинсън, която е незряща по рождение, споделя, че цял живот са ѝ казвали да почака „5–10 години“, докато проблемите, свързани с увреждането ѝ, се решат:

Целият ми живот е „изчакай още 5–10 години. Най-голямата промяна, на която се надявам през следващите 5–10 години, е промяната в отношението на хората към уврежданията. Ние не чакаме да станем „цялостни“ и „пълноправни“ хора след 5–10 години, когато се появи лек или когато самоуправляващите се коли станат реалност. Хората с увреждания сме пълноценни хора – точно такива, каквито сме днес.

Примерът на Великобритания

Вместо да помагат, сложните системи и дълги информационни полета често затрудняват потребителите. Такива примери може да се видят на повечето сайтове на общини, държавни агенции и т.н. Истинското предизвикателство е да се създадат интуитивни и лесни за използване решения. А това не може да се постигне без отхвърляне на остарели и неефективни практики дори ако се ползват от години.

Искаме да споделим един добър пример от Обединеното кралство и историята на правителствения сайт GOV.UK. Отправната точка за създаването му е била не как правителството иска хората да ползват уебсайта, а как хората искат да го ползват. Така резултатът се оказва не просто уебсайт, а фундаментална промяна в начина, по който обществото взаимодейства с държавните институции.

GOV.UK представлява новаторски подход, който значително намалява разходите и подобрява достъпността и ефективността на обществените услуги. Платформата спестява на данъкоплатците приблизително 70 млн. паунда годишно. Но най-голямото постижение е поставянето на потребителите в центъра на услугата.

Разработката на уебсайта е основана на принципите на отвореност и постоянна обратна връзка. GOV.UK се изгражда и тества публично, като по този начин позволява реални потребителски мнения и идеи да бъдат интегрирани в подобренията. Платформата не просто отговаря на настоящите очаквания, но и се съобразява с бъдещите нужди на обществото и това съдейства държавната администрация да става по-компактна, по-бърза и по-адаптивна към нуждите на гражданите.

Достъпността не става случайно – тя се създава

Ако искаме дигиталните услуги, които създаваме, да са наистина достъпни, смислени и удобни за всички, това няма как да стане спонтанно. Нужен е съзнателен избор. Нужен е дизайн. И тук говорим не за дизайн на бутони или екрани, а за нещо много по-цялостно — дизайн на услуги.

Дизайнът на услуги е системен подход. Не се занимава само с това как изглежда даден продукт, а как реално функционира – за хората, които го ползват, и за онези, които го предоставят. Използва се т.нар. включващ дизайн – метод, при който се отчитат различията между хората и стремежът е да не се изключва никой.

Тук работата на дизайнера започва с въпроси. Но не „Как да направим това по-бързо?“, а „Трябва ли изобщо да го има?“, „Къде губим доверието на хората?“, „Какво кара потребителите да се отказват?“. Целта е да се види системата в пълнота – не само приложението или уебсайтът, а цялостното преживяване при използването ѝ.

Дизайнът на услуги не се интересува единствено от визията, а съчетава стратегии, технологии, поведение и комуникация в едно. Затова намира приложение в най-различни сектори – от публичната администрация до частния бизнес.

Нека дадем пример с платформите за доставка на храна. Да си представим, че проучване е установило, че някои потребители са объркани и се изнервят, когато не знаят къде е поръчката им. Ето какво могат да въведат компаниите:

карта с реално време на GPS проследяване на доставчика;
възможност за директен чат с доставчика;
автоматично известяване и компенсации при забавяне – без нужда от обаждане.

Този пример не се отнася пряко до хората с увреждания, но той илюстрира, че става дума не просто за „добавяне на функции“, а за системно мислене за преживяването като цяло.

ЕАД има за цел да подсигури, че всеки възможен клиент, независимо от увреждането си, може да ползва подобна платформа.

Важно е да се разбере: дизайнер на услуги не е строго дефинирана професия. В една организация това може да е UX дизайнер, специализиран в потребителското преживяване, в друга – стратегически консултант, в трета – човек, който оптимизира бекенд процеси, т.е. софтуера, който е зад видимата част на страниците.

Дизайнът на услуги не е инструмент за естетика. Той е инструмент за смисъл. Помага на организациите да проектират услуги, които не просто се „ползват“, а работят добре за хората – във всеки етап от взаимодействието.

И когато говорим за достъпност, тук тя вече не е просто функция или опция в менюто, а и начин на мислене, заложен в самата архитектура на услугата. Създаването ѝ започва с въпроса „Как можем да направим тази услуга така, че да работи за всички – не само за най-опитните, най-здравите и най-информираните, а и за онези, които най-често биват пренебрегнати или възпрепятствани?“.

Прилагането на Директивата служи за отправна точка. Но се надяваме да го видим приложено с вдъхновение и новаторство, за да създаваме смислени и безпрепятствени преживявания, а не просто уебстраници.

В настоящата ни съвместна поредица с „Екипът на София“ обсъждаме планирането, озеленяването, архитектурата, инфраструктурата, мобилността и още много други градски теми, описваме добрите примери и търсим възможните решения за подобряването на качеството на живот в нашите градове.

Watch BEFORE You Buy a Robotic Lawnmower – LIDAR is a GAME CHANGER!

2025-05-14 The Hook Up

Post Syndicated from The Hook Up original https://www.youtube.com/watch?v=9pKMjC9xyc8

Sinking of AHS Centaur

2025-05-14 The History Guy: History Deserves to Be Remembered

Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=sdhCm3fXueU

Google’s Advanced Protection Now on Android

2025-05-14 Bruce Schneier

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2025/05/googles-advanced-protection-now-on-android.html

Google has extended its Advanced Protection features to Android devices. It’s not for everybody, but something to be considered by high-risk users.

Wired article, behind a paywall.

Shashi Tharoor and the Trump Grift Machine | The David Frum Show

2025-05-14 The Atlantic

Post Syndicated from The Atlantic original https://www.youtube.com/watch?v=chiBgioM4Xs

Comic for 2025.05.14 – Robobert

2025-05-14 Explosm.net

Post Syndicated from Explosm.net original https://explosm.net/comics/robobert

New Cyanide and Happiness Comic

Which side of the fork is up?

2025-05-14 The History Guy: History Deserves to Be Remembered

Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=DQb1_E8SmkM

Ending TLS Client Authentication Certificate Support in 2026

2025-05-14 Let's Encrypt

Post Syndicated from Let's Encrypt original https://letsencrypt.org/2025/05/14/ending-tls-client-authentication.html

Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026. Most users who use Let’s Encrypt to secure websites won’t be affected and won’t need to take any action. However, if you use Let’s Encrypt certificates as client certificates to authenticate to a server, this change may impact you.

To minimize disruption, Let’s Encrypt will roll this change out in multiple stages, using ACME Profiles:

Today: Let’s Encrypt already excludes the Client Authentication EKU on our tlsserver ACME profile. You can verify compatibility by issuing certificates with this profile now.
October 1, 2025: Let’s Encrypt will launch a new tlsclient ACME profile which will retain the TLS Client Authentication EKU. Users who need additional time to migrate can opt-in to this profile.
February 11, 2026: the default classic ACME profile will no longer contain the Client Authentication EKU.
May 13, 2026: the tlsclient ACME profile will no longer be available and no further certificates with the Client Authentication EKU will be issued.

Once this is completed, Let’s Encrypt will switch to issuing with new intermediate Certificate Authorities which also do not contain the TLS Client Authentication EKU.

For some background information, all certificates include a list of intended uses, known as Extended Key Usages (EKU). Let’s Encrypt certificates have included two EKUs: TLS Server Authentication and TLS Client Authentication.

TLS Server Authentication is used to authenticate connections to TLS Servers, like websites.
TLS Client Authentication is used by clients to authenticate themselves to a server. This feature is not typically used on the web, and is not required on the certificates used on a website.

After this change is complete, only TLS Server Authentication will be available from Let’s Encrypt.

This change is prompted by changes to Google Chrome’s root program requirements, which impose a June 2026 deadline to split TLS Client and Server Authentication into separate PKIs. Many uses of client authentication are better served by a private certificate authority, and so Let’s Encrypt is discontinuing support for TLS Client Authentication ahead of this deadline.

Modern

2025-05-14 xkcd.com

Post Syndicated from xkcd.com original https://xkcd.com/3089/

Scholars are still debating whether the current period is post-postmodern or neo-contemporary.

Ending TLS Client Authentication Certificate Support in 2026

2025-05-14 Let's Encrypt

Post Syndicated from Let's Encrypt original https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/

To minimize disruption, Let’s Encrypt will roll this change out in multiple stages, using ACME Profiles:

Today: Let’s Encrypt already excludes the Client Authentication EKU on our tlsserver ACME profile. You can verify compatibility by issuing certificates with this profile now.
October 1, 2025: Let’s Encrypt will launch a new tlsclient ACME profile which will retain the TLS Client Authentication EKU. Users who need additional time to migrate can opt-in to this profile.
February 11, 2026: the default classic ACME profile will no longer contain the Client Authentication EKU.
May 13, 2026: the tlsclient ACME profile will no longer be available and no further certificates with the Client Authentication EKU will be issued.

Once this is completed, Let’s Encrypt will switch to issuing with new intermediate Certificate Authorities which also do not contain the TLS Client Authentication EKU.

TLS Server Authentication is used to authenticate connections to TLS Servers, like websites.
TLS Client Authentication is used by clients to authenticate themselves to a server. This feature is not typically used on the web, and is not required on the certificates used on a website.

After this change is complete, only TLS Server Authentication will be available from Let’s Encrypt.

Protect against advanced DNS threats with Amazon Route 53 Resolver DNS Firewall

2025-05-14 Lawton Pittenger

Post Syndicated from Lawton Pittenger original https://aws.amazon.com/blogs/security/protect-against-advanced-dns-threats-with-amazon-route-53-resolver-dns-firewall/

Every day, millions of applications seamlessly connect users to the digital services they need through DNS queries. These queries act as an interface to the internet’s address book, translating familiar domain names like amazon.com into the IP addresses that computers use to appropriately route traffic. The DNS landscape presents unique security challenges and opportunities in Amazon Virtual Private Cloud (Amazon VPC) environments. First, DNS resolution acts as an early checkpoint that you can use to control network traffic before it even begins. Second, DNS queries in your VPC follow a distinct path through the Amazon Route 53 Resolver that operates independently from your standard internet gateway, bypassing other network security controls.

To address this, Amazon Route 53 Resolver DNS Firewall provides protection for DNS traffic, starting with traditional domain lists where you can explicitly allow or deny DNS resolution of specific domains. Also, included are AWS Managed Domain Lists, which automatically block known malicious domains identified through Amazon Threat Intelligence and our trusted security partners. While this approach works effectively to help prevent known threats, sophisticated bad actors are increasingly using techniques that traditional blocklists can’t catch.

Instead of relying solely on static lists, Amazon Route 53 Resolver DNS Firewall Advanced provides intelligent protection alongside these traditional controls. These advanced rules work like a skilled security analyst, watching for suspicious patterns in DNS queries in real time. By examining characteristics such as query length, entropy, and frequency, the service can spot potentially malicious activity even when encountering previously unknown domains. This approach enables detecting and blocking advanced threats like DNS tunneling and domain generation algorithms (DGAs)—techniques that bad actors use to establish hidden communication channels or connect malware to their control servers.

In this post, we take you on a practical journey exploring these DNS-based threats and tools to help prevent them. You’ll learn how to set up effective Route 53 Resolver DNS Firewall Advanced rules, and we provide a ready-to-deploy CloudFormation template with our recommended configurations. Finally, we demonstrate an example of real-world threat detection and show you how the service integrates with AWS Security Hub to improve visibility of alerts. By the time you finish reading this post, you’ll have a clear understanding of how to deploy Route 53 Resolver DNS Firewall rules to add an intelligent, proactive layer of security to your AWS environment.

Understanding the risks of DNS tunneling and DGAs

As mentioned earlier, the Route 53 Resolver provides a service-managed path to the internet that operates independently from your VPC’s internet gateway. While this architecture enables efficient DNS resolution, it can be exploited through techniques such as DNS tunneling. Let’s explore how these techniques work and why they present unique challenges.

DNS tunneling takes advantage of the DNS protocol’s basic function—asking questions about domain names and receiving answers from the authoritative nameserver for the domain. But instead of using DNS for its intended purpose of domain name resolution, tunneling encodes other types of data within DNS queries and responses. For example, rather than asking simply what is the IP address for example.com?, a tunneling exploit might embed data within a query like secretdata123.attacker.com, where secretdata123 contains encoded information. This can lead to DNS being used as a two-way communications command and control channel. Detecting and blocking DNS tunneling is a vital control for stopping data exfiltration and command and control (C2) communications.

DGAs represent a different challenge for DNS security. Rather than using a fixed, predictable domain name that can be quickly blocked, DGAs automatically create many possible domain names using mathematical formulas, which are then used as a destination for C2 traffic. For instance, a DGA might generate domains like xkt7py.com today and mn9qrs.com tomorrow. This makes it difficult to maintain effective blocklists, because the domains change frequently and appear random. Traditional threat intelligence feeds, which rely on identifying and blocking known malicious domains, struggle to keep pace with DGA-generated domains.

How DNS Firewall Advanced works

When examining a domain name, Route 53 Resolver DNS Firewall Advanced looks at multiple characteristics that help distinguish between legitimate and suspicious domains. For example, legitimate domain names typically use real words and follow predictable patterns that are designed to facilitate a human’s ability to recall and enter them accurately. In contrast, domains used for tunneling or generated by DGAs often contain random-looking strings of characters or unusual patterns.

Route 53 Resolver DNS Firewall Advanced builds its intelligence on extensive analysis of real-world domain usage patterns. It learns what legitimate domain names look like by studying the most resolved domains on the internet, combined with actual domain resolution patterns from across AWS. This real-world training data helps establish a baseline for normal domain name characteristics. DNS Firewall Advanced then contrasts these patterns against known techniques used in DNS tunneling and domain generation to identify suspicious activity.

The service analyzes various aspects of each domain name, including:

How the domain name is structured and broken into parts
The patterns of letters and numbers used
How closely the domain resembles natural language
The presence of common words versus random character combinations

The service analyzes queries in real time, processing each one in less than a millisecond, which maintains strong security controls without affecting your applications’ performance.

Route 53 Resolver DNS Firewall Advanced has customized protection levels that you can use to choose how aggressively you want to detect and respond to suspicious domains through confidence thresholds:

High confidence: This setting focuses on the most obvious threats, minimizing false positives. It’s ideal for production environments where blocking legitimate traffic could be disruptive.
Medium confidence: Provides balanced protection, suitable for most environments.
Low confidence: Offers the most detection but might require more tuning to avoid false positives. This setting is useful for high-security environments or for initial monitoring to understand traffic patterns.

You can combine these confidence levels with different actions (block or alert) to create a defense strategy that matches your security needs.

Manually create a DNS Firewall Advanced rule:

To start, we show you how to manually create a Route 53 Resolver DNS Firewall Advanced rule in the AWS Management Console. This rule will block DNS queries that it has detected to be DNS tunneling with high confidence.

To manually create a rule:

In the Route 53 console, choose Rules in the navigation pane, and then choose Add rule.

Figure 1: Rules in the Route 53 console
Enter a name for the rule and select DNS Firewall Advanced protections.

Figure 2: Add a rule
Under DNS Firewall Advanced protection:
1. Select DNS tunneling detection.
2. For Confidence threshold, select High.
3. Leave the Query type empty so that the rule applies to all query types.
Figure 3: Select DNS protection options
Under Action:
1. Select Block.
2. For the response, select OVERRIDE.
3. For the Record value, enter dns-firewall-advanced-block.
4. For the Record type, select CNAME.
5. Choose Add rule.
Figure 4: Configure actions for the rule

Deploy the recommended DNS Firewall Rule group using CloudFormation (OPTIONAL)

We’ve created an AWS CloudFormation stack that deploys the following recommended Route 53 Resolver DNS Firewall rules in a DNS Firewall rule group. We recommend this configuration because it provides a balanced security approach—blocking high-confidence threats immediately while generating alerts for lower-confidence detections.

The inclusion of the AWS Managed Aggregate Threat List is particularly valuable because it combines domains from multiple threat categories (malware, ransomware, botnet, spyware, and DNS tunneling) into a blocklist. This consolidated list includes the domains from other AWS Managed Domain Lists, including those identified by GuardDuty threat intelligence systems, giving you broad protection against known malicious domains while the Route 53 DNS Firewall Advanced rules catch previously unseen threats.

For enterprise environments, you can scale this protection across your entire organization by using AWS Firewall Manager to automatically deploy and manage this rule group configuration consistently across the VPCs in your organization.

BLOCK – Aggregate Threat List (domains associated with multiple DNS threat categories including malware, ransomware, botnet, spyware, and DNS tunneling to help block multiple types of threats)
BLOCK – DNS Tunneling | Confidence: HIGH
BLOCK – DGAs | Confidence: HIGH
ALERT – DNS Tunneling | Confidence: LOW
ALERT – DGAs | Confidence: LOW

To deploy this rule group using a CloudFormation stack:

Navigate to the CloudFormation console, choose Stacks from the navigation pane. Choose Create Stack in the upper right and select With new resources (standard).

Figure 5: Create a stack
Download the CloudFormation template. Select Choose an existing template and then select Upload a template file and upload the CloudFormation stack. Choose Next.

Figure 6: Use the CloudFormation template
Enter a stack name and choose Next.

Figure 7: Enter a stack name
Leave the default values for all options, select Next, and then choose Submit.
Navigate to the Route 53 Resolver DNS Firewall by visiting the Amazon VPC console, scroll down to the DNS firewall section, and select the Rule groups tab.
Select the newly created rule group.
Select the Associated VPCs tab, choose Associate VPC, and then associate a VPC you want to protect and choose Associate.

Figure 8: Associate a VPC

Observability

Route 53 Resolver query logging provides detailed visibility into DNS queries made from resources associated with your VPCs, enabling you to monitor and analyze your DNS traffic for security and compliance purposes. By configuring query logging, you can capture essential information about each DNS request, including the domain name being queried, the record type, the response code, and the originating VPC and instance. Query logging is particularly valuable when used in conjunction with Route 53 Resolver DNS Firewall, because it helps you track blocked queries and fine-tune your security rules based on actual DNS traffic patterns in your environment. The following are examples of log entries generated when DNS Firewall detects and responds to suspicious activities, showing the detailed information available for security analysis and incident response.

Example log entry: DNS tunneling block

The following is an example of a DNS tunneling block.

{
    "version": "1.100000",
    "account_id": "11111111111",
    "region": "us-west-2",
    "vpc_id": "vpc-0fcc85bd45b791d5a",
    "query_timestamp": "2025-02-05T03:54:12Z",
    "query_name": "1WTE4CyL4Vf1LQDDAToimuqFBEtMXyYMsYP8zPgVyTagzSh5PvinuQcL6N8at4A.REZv3VqKU4x43DPcCKAzQk4UKoZjB3nDMukHAuKTtDckTqZ8SDDZ1iXRey6a5sD.mEDMdrzPocS9exqoBQ1xfSuKfvW.1.dnstunnel.com.",
    "query_type": "A",
    "query_class": "IN",
    "rcode": "NXDOMAIN",
    "answers": [
        {
            "Rdata": "dns-firewall-advanced-block.",
            "Type": "CNAME",
            "Class": "IN"
        }
    ],
    "srcaddr": "10.1.0.122",
    "srcport": "41859",
    "transport": "UDP",
    "srcids": {
        "instance": "i-0c738190f19db9a2c"
    },
    "firewall_rule_action": "BLOCK",
    "firewall_rule_group_id": "rslvr-frg-63efa138b43f428b",
    "firewall_protection": "DNS_TUNNELING"
}

Example log entry: DNS tunneling alert

The following is an example of a DNS tunneling alert.

{
    "version": "1.100000",
    "account_id": "11111111111",
    "region": "us-west-2",
    "vpc_id": "vpc-0fcc85bd45b791d5a",
    "query_timestamp": "2025-02-05T04:00:02Z",
    "query_name": "1WTEc8GwFH3qHY8XKjbhXuj43yGShMrhacqwJYSZkSqRQ95sagz64NUpnuj4R8R.S79aru2KRB8d9nCHEPdXWJxGT4aUjVMqtCRSq9EZXRCo8NH5cmLvmcho3hh1mbK.NqGY1X6M4qpMGX6dnTSHuCsZFbf.1.dnstunnel.com.",
    "query_type": "A",
    "query_class": "IN",
    "rcode": "NOERROR",
    "answers": [
        {
        "Rdata": "202.92.34.217",
        "Type": "A",
        "Class": "IN"
        }
    ],
    "srcaddr": "10.1.0.122",
    "srcport": "35116",
    "transport": "UDP",
    "srcids": {
        "instance": "i-0c738190f19db9a2c",
        "resolver_endpoint": "rslvr-out-e20639d3666748f58"
    },
    "firewall_rule_action": "ALERT",
    "firewall_rule_group_id": "rslvr-frg-63efa138b43f428b",
    "firewall_protection": "DNS_TUNNELING"
}

Integration with Security Hub

Security Hub provides you with a view of your security state in AWS and helps you to check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, AWS services, and supported third-party partner products, and helps you to analyze security trends and identify the highest priority security issues. It enables findings from both the Amazon: Route 53 Resolver DNS Firewall – AWS List and Amazon: Route 53 Resolver DNS Firewall Advanced list by default, so you’ll automatically receive these alerts without additional configuration. You only need to manually enable Amazon: Route 53 Resolver DNS Firewall – Custom List findings if you’re using custom domain lists in your rule groups. See Sending findings from Route 53 Resolver DNS Firewall to Security Hub for more information.

The following figure is an example of how Route 53 Resolver DNS Firewall Advanced findings appear in the Security Hub console, providing you with actionable security intelligence directly in your centralized dashboard.

Figure 9: DNS Firewall Advanced findings in Security Hub

Select a finding to view details such as Finding ID, Types, Workflow status, and so on.

Figure 10: Findings details

Conclusion

Amazon Route 53 Resolver DNS Firewall Advanced represents a significant step forward in protecting organizations against sophisticated DNS-based threats. As mentioned, DNS queries sent to the Route 53 Resolver follow a unique path that bypasses traditional AWS security controls like security groups, NACLs, and even AWS Network Firewall—creating a security gap in many environments. Throughout this post, we’ve explored how DNS tunneling and DGA-based exploits take advantage of this blind spot, and how you can use Route 53 Resolver DNS Firewall Advanced to protect from these threats through real-time pattern analysis and anomaly detection. You learned how to configure the service in the AWS console and use the provided CloudFormation template with recommended rules that balance blocking high-confidence threats while alerting on potential issues. And you saw how query logging provides valuable visibility into your DNS traffic and how Security Hub integration centralizes your security findings. Implementing these capabilities helps you protect your infrastructure from sophisticated DNS-based exploits that traditional domain blocklists cannot catch, strengthening your cloud security posture while maintaining operational efficiency.

If you have feedback about this post, submit comments in the Comments section below.

SMS Onboarding for SaaS, ISV, and Multi-Tenant Applications with AWS End User Messaging

2025-05-14 Tyler Holmes

Post Syndicated from Tyler Holmes original https://aws.amazon.com/blogs/messaging-and-targeting/sms-onboarding-for-saas-isv-and-multi-tenant-applications-with-aws-end-user-messaging/

Introduction

SMS messaging continues to be one of the most reliable and effective communication channels. However, for Software as a Service (SaaS) companies, Independent Software Vendors (ISVs), and multi-tenant solution providers looking to incorporate SMS capabilities into their offerings, the journey can be complex and filled with challenges.

This guide is specifically designed for technology providers—whether you’re a SaaS company, an ISV, or any platform that enables your customers to send SMS messages to their end users. Throughout this article, the following terminology will be used:

Provider: An organization offering SMS capabilities as part of your product or service
Customer: The entities using Provider technology to send SMS messages
End User: The recipients who opt in to receive SMS messages from Customers

The landscape of SMS implementation can be complicated, with varying country-specific regulations, lengthy registration processes that can take weeks or even months, different originator types (Long Code, Short Code, Sender ID, etc.) with unique capabilities, and the diverse needs of Customers and End Users. These challenges are amplified when you’re a Provider offering SMS services to your own Customers, who in turn serve their End Users.

By the end of this guide, you’ll understand:

How opt-in influences architecture
Options for how to structure your SMS offering to Customers
Strategies for reducing friction in the SMS implementation process

Let’s dive in.

The Registration Dilemma: Who Owns the Relationship?

One of the most critical decisions for your SMS Originator registration is determining whose information is used to apply. The biggest mistake AWS sees Providers make is not knowing how their relationship with their Customers and their Customers’ End Users affects their architecture and how they complete any registrations that are necessary.

Mobile carriers want to know who will be sending SMS to their customers, how that entity will opt them in, and what content they will be sending. When registering for originators, especially in the United States, you will need to succinctly explain how End Users will opt in and how that data will not be shared with any third parties. Your architecture must ensure:

Clear opt-in processes that name the correct entity
- A deep dive into opt-in processes can be found here
Privacy policies that accurately reflect data sharing practices
- Boiler plate terms for a privacy policy can be found here
Compliance with third-party data sharing regulations

AWS consistently sees Providers register themselves when obtaining an Originator when they do not have a relationship with their Customers’ End Users. The decision of whose information belongs in the registration hinges primarily on a fundamental question: Who does the End User believe they’re entering into a relationship with when they provide their phone number?

The most common scenarios are below:

Scenario 1: End Users interact with the Customer’s brand only

In most cases, End Users are completely unaware of your existence as the Provider. They believe they’re opting in to receive messages from your Customer directly. In this scenario:

Registration should be completed using the Customer’s information. There are many ways you can facilitate this process and some ways to reduce this common friction point will be discussed later in this post.
Messages should appear to come from the Customer, not the Provider, your service name should not appear in messaging

Scenario 2: End Users explicitly opt in through the Provider application

In some cases, End Users clearly understand they’re opting in to receive messages via your technology platform, on behalf of your Customer. The opt-in data will not be shared with your Customers and your brand, as the Provider, will be the named entity in all SMS sent.

There are a number of ways that this can happen:

End Users could opt in using a widget you build that your Customers install on their site or in their app
A paper form or verbal script that you supply that clearly identifies you, the Provider

AWS commonly sees this occurring with Providers that supply:

Third-party payment processing
Shipping and logistics support
Customer service platforms
One-Time Password (OTP) capabilities

In this scenario your company name would typically appear in the messaging and registration would use your company information.

NOTE: There are edge cases to these two scenarios but the implementation can be complicated, so if you are a Provider and you don’t think that you fit into these two scenarios above make sure to reach out to your Account Manager, open a case, or speak to a specialist before starting to implement anything.

Architectural Models for SMS Implementation

Let’s explore various architectural models for structuring your SMS offering based on your business needs and Customer relationships. Each model has distinct characteristics in the following areas:

1. “Bring Your Own AWS Account” Model

Who does the registration and configuration?

The Customer connects their own AWS account, so the registration and any configuration happens in the Customer account.
Usually in this scenario the information that is input into the registration is the Customer’s since it’s their account

Customer responsibilities:

Customer handles all registration and configuration requirements themselves
Customer integrates their account with the Provider service
Customer manages sending, opt-out lists, etc.
Pays the AWS bill

Provider responsibilities:

The Provider offers a user-friendly interface that calls the AWS End User Messaging Service APIs using the Customer’s credentials.
The depth of services offered by the Provider can vary

Best for: Technical Customers who want full control and already use AWS; Providers who want to avoid registration and configuration complexities.

2. Provider Account – Manual Registration and Configuration

Who does the registration and configuration?

The Provider owns the account and is not providing the Customer with a way to submit their own information so the Provider must enter the information
The Customer’s information is captured manually
The Provider handles the complexity of registration and configuration through the console

Customer responsibilities:

Provide necessary information to the Provider for registration purposes

Provider responsibilities:

Captures the registration information manually from Customers.
Manages the complexity on behalf of your Customers.

This can be implemented either with separate AWS accounts for each Customer or a multi-tenant architecture in a single account.

Best for: Providers with a small number of high-value Customers who need hand-holding through the SMS implementation process.

3. Semi-Automated Solution – Customer Sending

Who does the registration and configuration?

The Provider builds a way for the Customer to submit their registration information, which the Provider then programmatically submits to carriers/regulators.

Customer responsibilities:

Your platform manages the technical configuration and provides sending capabilities, but the Customer is responsible for maintaining compliance.

Provider responsibilities:

You provide a streamlined way for Customers to submit registration information (webhooks, forms, APIs).
You programmatically submit the registration data to carriers/regulators.
You manage the technical configuration and provide sending capabilities.

Best for: Providers with moderate technical sophistication who want to reduce friction while maintaining separation of regulatory responsibilities.

4. Fully Automated Solution – Provider Sending

Who does the registration and configuration?

The Customer’s information is used in the registration, which you handle programmatically.

Customer responsibilities:

You handle all technical aspects of registration, but the Customer is still responsible for maintaining messaging compliance.

Provider responsibilities:

You provide hosted, customizable Terms & Conditions and Privacy Policies for each Customer that are compliant out of the box.
You offer compliant opt-in pathways (web forms, verbal scripts, etc.).
You handle all technical aspects of registration.

Best for: Large-scale Providers serving many Customers with varying levels of technical sophistication.

5. Template-Restricted Fully Automated Messaging

Who does the registration and configuration?

The Customer’s information is used in the registration, which you handle programmatically.

Customer responsibilities:

You manage all regulatory compliance centrally, and the Customer can only personalize specific fields in pre-approved message templates.

Provider responsibilities:

You provide a suite of pre-approved message templates.
You manage all regulatory compliance centrally.
You simplify the registration process since the content is tightly controlled.

Best for: Use cases with predictable messaging needs like appointment reminders, shipping notifications, or one-time passwords.

6. Fully Managed Programs

Who does the registration and configuration?

The Customer authorizes you to send messages on their behalf, so you own the relationship with the end-user and the registration.

Customer responsibilities:

Only required to give you any pertinent information necessary for you to send messages to the End-Users. This could be things like tracking numbers or other information that the particular use case requires and is part of the personalization that is allowed.

Provider responsibilities:

You manage all aspects of the end-user relationship.
You control the entire messaging experience, including opt-in collection and the end-user relationship.

Example: A shipping notification service might send messages like: “ShipTrack: Your order from ACME Corp will arrive tomorrow. Track at [link]”

Best for: Specialized use cases where your platform adds significant value as an identified intermediary.

Shaping Your SMS Offering: Strategic Considerations

Pricing Strategies

When incorporating SMS into your product, one of the first considerations is how to structure your pricing. Unlike many digital services with predictable costs, SMS pricing varies significantly based on destination country, originator type, and volume.

AWS End User Messaging Service bills based on volume sent per country, with each country having its own price point. This pricing is determined by the recipient’s handset country code, not their physical location. This means that even if you primarily serve U.S. based Customers, you may need to account for international rates when recipients have non-U.S. phone numbers.

There are also one-time and ongoing fees to be accounted for. Registrations often have one-time processing fees and Originators can have leasing costs that range from free to more than $1,000 a month for short codes in some countries. Make sure that you think through how those costs will or will not be passed to your Customers.

As you design your pricing model, consider these common volume based approaches:

SMS Credits: Create a standardized credit system where Customers purchase credits regardless of destination country. You would internally manage the conversion between credits and actual costs.
Dollar-Based Allocation: Provide Customers with a budget that gets depleted based on actual costs per message sent.
Tiered Country Pricing: Group countries into tiers (e.g., Tier 1 for North America, Tier 2 for Western Europe) with different pricing for each tier.
Bundled Messaging: Include a certain number of messages in your base subscription with overage fees for additional messages.

Each approach has trade-offs in terms of simplicity, transparency, and risk management. Your decision should align with your overall business model and Customer expectations.

Geographic Considerations

Different countries have distinct regulatory requirements for SMS messaging, including:

Originator Support: Not all countries support all originator types, view the details here
Originator Selection: In cases where multiple types of originators are supported, how do you support your Customer in selecting the right originator for the right use case?
Read through this tutorial to help decide what originator(s) are right for your use case(s)
Registration: An increasing numbers of countries require you to register before being allowed to send
Quiet hours: Many countries restrict when promotional messages can be sent
Content restrictions: Certain types of content (gambling, alcohol, adult content, etc.) may be prohibited or heavily restricted. A more comprehensive list can be found here
Template requirements: Some jurisdictions require pre-approval of message templates
Sender ID regulations: Rules regarding who can use alphanumeric sender IDs vary widely

As a Provider, you need to decide which countries you’ll support and how you’ll ensure compliance across markets. This decision affects not just your pricing but your entire product architecture, especially if you serve global Customers.

Strategies to Reduce Implementation Friction

Implementing SMS can be complex for your Customers. Here are some strategies that can simplify and/or streamline the process. Some of these can be mixed and matched and could also be used as a value-add or even as a paid offering to your Customers:

Provider-Hosted Privacy Policy and/or Terms & Conditions

Create customizable, compliant templates for Privacy Policies and Terms & Conditions that your Customers can use. This ensures proper disclosure of SMS practices without requiring Customers to update their own legal documents.

Registration Webforms and Workflows

Develop user-friendly webforms that collect all required registration information in a guided process. These can significantly simplify complex registrations like 10DLC brand and campaign registration.

Below, Figures 1-3, you will find several examples of compliant forms that could be customized for your use:

Fig. 1

Fig. 2

Fig. 3

Pre-Approved Opt-In Widgets

Create embeddable widgets, such as Figures 1-3 above, that your Customers can add to their websites or apps that implement compliant opt-in processes. These can include all required disclosures and confirmations while being easy to integrate.

Template Libraries

Provide a library of pre-approved message templates for common use cases. This reduces compliance risks and simplifies the sending process for your Customers.

Testing Environments

Create sandbox environments where Customers can test their SMS implementation before going live. This helps catch issues with formatting, opt-in processes, or content compliance.

Documentation and Training

Develop clear documentation and training resources specific to each originator type and use case. This empowers your Customers while reducing support burden.

Conclusion

Incorporating SMS capabilities into your platform can enhance Customer engagement, but the journey can be complex. This guide has explored key considerations to help you navigate it successfully.

This post examined various architectural models, each with tradeoffs in Customer responsibilities and Provider responsibilities. This post reviewed strategic factors like pricing, geographic regulations, and originator types that must be carefully considered.
Finally, practical strategies to reduce implementation friction for Customers such as hosted compliance documents, streamlined registration workflows, and pre-approved templates, you can use to simplify the integration process were discussed .

The critical first step though, is understanding the relationship between you as the Provider, your Customers, and their End Users. This shapes whose information is used for originator registration, which in turn defines the SMS experience.

Ultimately, a successful SMS solution requires balancing technical, regulatory, and Customer-centric factors. Leveraging this guidance will equip you to design and deploy an offering that delights your Customers and their End Users.

Additional resources:

Patch Tuesday – May 2025

2025-05-13 Adam Barnett

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/05/13/patch-tuesday-may-2025/

Patch Tuesday - May 2025

Microsoft is addressing 77 vulnerabilities this May 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for five of the vulnerabilities published today, and these are already reflected in CISA KEV. Separately, Microsoft is aware of existing public disclosure for two vulnerabilities published today. This is now the eight consecutive Patch Tuesday on which Microsoft has published zero-day vulnerabilities without evaluating any of them as critical severity at time of publication. Today also sees the publication of six critical remote code execution (RCE) vulnerabilities. Six browser vulnerabilities have already been published separately this month, and are not included in the total.

Windows Scripting Engine: zero-day RCE

In the majority of cases, the CVSSv3 base score provides a solid sense of the severity of a vulnerability. Sometimes, however, even a correct CVSS assessment can disguise the potential impact of a specific vulnerability. This arguably the case with CVE-2025-30397, a zero-day RCE vulnerability in the Windows Scripting Engine with a healthy but unremarkable CVSSv3 base score of 7.5. Microsoft is aware of exploitation in the wild. It’s certainly not the worst of the worst — we save that level of alarm for pre-authentication RCE with no requirement for user interaction — and Microsoft assesses attack complexity as high, which is arguably correct. And yet…

The advisory FAQ for CVE-2025-30397 explains that successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode, and then causes the user to click a malicious link; there is no mention of a requirement for the user to actively reload the page in Internet Explorer Mode, so we must assume that exploitation requires only that the “Allow sites to be reloaded in Internet Explorer” option is enabled. Users who are most likely to require Internet Explorer compatibility mode in 2025 are surely users at enterprise organizations, where critical business workflows still depend on applications from the dinosaur days when Internet Explorer ruled the roost. No doubt the concept of a plan for migration of all of these applications exists, buried several layers deep in a dusty backlog, but Microsoft would hardly be offering IE compatibility mode until at least 2029 if it didn’t know that a huge swathe of its customer base demands it.

If the pre-requisite conditions are already conveniently in place on the target asset thanks to a well-meaning corporate IT policy, attack complexity is suddenly nice and low. If this vulnerability didn’t have that requirement for environment preparation, the CVSS base score would then be 8.8, which is as close to critical as you can get without actually stepping over the line. As Rapid7 has previously noted on a number of occasions, the MSHTML/Trident scripting engine is still present in Windows; this is true even for assets which have only ever run versions of Windows released well after the end of support for Internet Explorer 11 back in June 2022.

Common Log File System: zero-day EoPs

Neither CVE-2025-32701 nor CVE-2025-32706 are the first zero-day vulnerabilities in the Windows Common Log File Driver System; indeed, they are the latest members of an ongoing dynasty where exploitation typically leads to elevation of privilege to SYSTEM. Credit where credit is due: recent disclosures by Microsoft’s own Threat Intelligence Center (MSTIC), including this month’s CVE-2025-32701, demonstrate that Microsoft is putting serious effort into detecting and rooting out CLFS exploitation. Of course, since Microsoft is aware of exploitation in the wild, we know that someone else got there first, and there’s no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.

Windows Desktop Window Manager: zero-day EoP

If proof were needed that elevation of privilege to SYSTEM will never go out of style, today sees the publication of CVE-2025-30400, which is a zero-day vulnerability in the Windows Desktop Window Manager (DWM). As it happens, tomorrow marks the one-year anniversary of CVE-2024-30051, a previous zero-day EoP vulnerability in DWM.

Visual Studio: zero-day RCE

Today, all current versions of Visual Studio 2022 and 2019 receive patches for CVE-2025-32702, a zero-day RCE where exploitation requires the user to download and open a malicious file. There is nothing obviously remarkable about this, although Microsoft is aware of public disclosure. As usual for a malicious file/link vuln, the word Remote here refers to the location of the attacker, even though exploitation is set in motion by local user action.

Ancillary Function Driver for Winsock: zero-day EoP

Regular Patch Tuesday watchers will recognize the Ancillary Function Driver for Winsock, which is the site of CVE-2025-32709, an elevation of privilege vulnerability for which Microsoft is aware of exploitation. In something of a break with tradition for Patch Tuesday zero-day EoP vulnerabilities, exploitation only leads to administrator privileges rather than all the way to SYSTEM, but no attacker is going to waste too many cycles feeling sad about that.

Defender for Identity: situationally-ironic zero-day spoofing

Today sees the publication of CVE-2025-26685, a zero-day spoofing vulnerability in Microsoft Defender for Identity. The advisory provides puzzle pieces which don’t by themselves add up to anything like a full explanation of the vulnerability; no action is required for remediation, but you can render yourself vulnerable if you insist by opening a case with Microsoft Support to re-enable the legacy NTLM authentication method.

However, the FAQ does offer a link to an article published yesterday: Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity. This solid piece of documentation is part of the overall Defender for Identity administration guide, and explains that the lateral movement path detection feature can itself potentially be exploited by an adversary to obtain an NTLM hash.

Exploitation relies on achieving fallback from Kerberos to NTLM; the compromised credentials in this case would be those of the Directory Service Account for Defender for Identity. The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods; at time of writing, the Defender for Identity What’s new? page doesn’t yet describe the 3.x release, but this will presumably receive an update soon.

Microsoft lifecycle update

The next batch of significant Microsoft product lifecycle status changes are due in July 2025, when SQL Server 2012 ESU program draws to a close, along with support for Visual Studio 2022 17.8 LTSC.

Summary charts

Summary tables

Apps vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-29975	Microsoft PC Manager Elevation of Privilege Vulnerability	No	No	7.8

Azure vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-29972	Azure Storage Resource Provider Spoofing Vulnerability	No	No	9.9
CVE-2025-29827	Azure Automation Elevation of Privilege Vulnerability	No	No	9.9
CVE-2025-30387	Document Intelligence Studio On-Prem Elevation of Privilege Vulnerability	No	No	9.8
CVE-2025-47733	Microsoft Power Apps Information Disclosure Vulnerability	No	No	9.1
CVE-2025-33072	Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability	No	No	8.1
CVE-2025-29973	Microsoft Azure File Sync Elevation of Privilege Vulnerability	No	No	7

Azure Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-27488	Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability	No	No	6.7

Browser vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-29825	Microsoft Edge (Chromium-based) Spoofing Vulnerability	No	No	6.5
CVE-2025-4372	Chromium: CVE-2025-4372 Use after free in WebAudio	No	No	N/A
CVE-2025-4096	Chromium: CVE-2025-4096 Heap buffer overflow in HTML	No	No	N/A
CVE-2025-4052	Chromium: CVE-2025-4052 Inappropriate implementation in DevTools	No	No	N/A
CVE-2025-4051	Chromium: CVE-2025-4051 Insufficient data validation in DevTools	No	No	N/A
CVE-2025-4050	Chromium: CVE-2025-4050 Out of bounds memory access in DevTools	No	No	N/A

Developer Tools vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-29813	Azure DevOps Server Elevation of Privilege Vulnerability	No	No	10
CVE-2025-26646	.NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability	No	No	8
CVE-2025-32702	Visual Studio Remote Code Execution Vulnerability	No	Yes	7.8
CVE-2025-21264	Visual Studio Code Security Feature Bypass Vulnerability	No	No	7.1
CVE-2025-32703	Visual Studio Information Disclosure Vulnerability	No	No	5.5

ESU Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-29962	Windows Media Remote Code Execution Vulnerability	No	No	8.8
CVE-2025-29966	Remote Desktop Client Remote Code Execution Vulnerability	No	No	8.8
CVE-2025-29967	Remote Desktop Client Remote Code Execution Vulnerability	No	No	8.8
CVE-2025-32701	Windows Common Log File System Driver Elevation of Privilege Vulnerability	Yes	No	7.8
CVE-2025-32706	Windows Common Log File System Driver Elevation of Privilege Vulnerability	Yes	No	7.8
CVE-2025-30385	Windows Common Log File System Driver Elevation of Privilege Vulnerability	No	No	7.8
CVE-2025-32709	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Yes	No	7.8
CVE-2025-32707	NTFS Elevation of Privilege Vulnerability	No	No	7.8
CVE-2025-24063	Kernel Streaming Service Driver Elevation of Privilege Vulnerability	No	No	7.8
CVE-2025-29831	Windows Remote Desktop Services Remote Code Execution Vulnerability	No	No	7.5
CVE-2025-30397	Scripting Engine Memory Corruption Vulnerability	Yes	No	7.5
CVE-2025-29969	MS-EVEN RPC Remote Code Execution Vulnerability	No	No	7.5
CVE-2025-29833	Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability	No	No	7.1
CVE-2025-27468	Windows Kernel-Mode Driver Elevation of Privilege Vulnerability	No	No	7
CVE-2025-29959	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability	No	No	6.5
CVE-2025-29960	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability	No	No	6.5
CVE-2025-29830	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability	No	No	6.5
CVE-2025-29832	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability	No	No	6.5
CVE-2025-29836	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability	No	No	6.5
CVE-2025-29958	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability	No	No	6.5
CVE-2025-29961	Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability	No	No	6.5
CVE-2025-29835	Windows Remote Access Connection Manager Information Disclosure Vulnerability	No	No	6.5
CVE-2025-29968	Active Directory Certificate Services (AD CS) Denial of Service Vulnerability	No	No	6.5
CVE-2025-29957	Windows Deployment Services Denial of Service Vulnerability	No	No	6.2
CVE-2025-30394	Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability	No	No	5.9
CVE-2025-29954	Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability	No	No	5.9
CVE-2025-29974	Windows Kernel Information Disclosure Vulnerability	No	No	5.7
CVE-2025-29837	Windows Installer Information Disclosure Vulnerability	No	No	5.5
CVE-2025-29956	Windows SMB Information Disclosure Vulnerability	No	No	5.4
CVE-2025-29839	Windows Multiple UNC Provider Driver Information Disclosure Vulnerability	No	No	4

Microsoft Dynamics vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-47732	Microsoft Dataverse Remote Code Execution Vulnerability	No	No	8.7
CVE-2025-29826	Microsoft Dataverse Elevation of Privilege Vulnerability	No	No	7.3

Microsoft Office vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-30377	Microsoft Office Remote Code Execution Vulnerability	No	No	8.4
CVE-2025-30386	Microsoft Office Remote Code Execution Vulnerability	No	No	8.4
CVE-2025-32704	Microsoft Excel Remote Code Execution Vulnerability	No	No	8.4
CVE-2025-30382	Microsoft SharePoint Server Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-29976	Microsoft SharePoint Server Elevation of Privilege Vulnerability	No	No	7.8
CVE-2025-29978	Microsoft PowerPoint Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-32705	Microsoft Outlook Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-29977	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-29979	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-30375	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-30376	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-30379	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-30381	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-30383	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-30393	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2025-30384	Microsoft SharePoint Server Remote Code Execution Vulnerability	No	No	7.4
CVE-2025-30378	Microsoft SharePoint Server Remote Code Execution Vulnerability	No	No	7

Microsoft Office ESU Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-30388	Windows Graphics Component Remote Code Execution Vulnerability	No	No	7.8

System Center vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-26684	Microsoft Defender Elevation of Privilege Vulnerability	No	No	6.7
CVE-2025-26685	Microsoft Defender for Identity Spoofing Vulnerability	No	Yes	6.5

Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2025-29964	Windows Media Remote Code Execution Vulnerability	No	No	8.8
CVE-2025-29840	Windows Media Remote Code Execution Vulnerability	No	No	8.8
CVE-2025-29963	Windows Media Remote Code Execution Vulnerability	No	No	8.8
CVE-2025-30400	Microsoft DWM Core Library Elevation of Privilege Vulnerability	Yes	No	7.8
CVE-2025-29970	Microsoft Brokering File System Elevation of Privilege Vulnerability	No	No	7.8
CVE-2025-26677	Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability	No	No	7.5
CVE-2025-29971	Web Threat Defense (WTD.sys) Denial of Service Vulnerability	No	No	7.5
CVE-2025-29842	UrlMon Security Feature Bypass Vulnerability	No	No	7.5
CVE-2025-29838	Windows ExecutionContext Driver Elevation of Privilege Vulnerability	No	No	7.4
CVE-2025-29841	Universal Print Management Service Elevation of Privilege Vulnerability	No	No	7
CVE-2025-29955	Windows Hyper-V Denial of Service Vulnerability	No	No	6.2
CVE-2025-29829	Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability	No	No	5.5

[$] A look at what’s possible with BPF arenas

2025-05-13 daroc

Post Syndicated from daroc original https://lwn.net/Articles/1019885/

BPF arenas are areas of memory where the verifier can safely relax its checking of
pointers, allowing programmers to write arbitrary data structures in BPF. Emil
Tsalapatis reported on how his team has used arenas in writing

sched_ext schedulers at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit. His biggest complaint was about the fact that
kernel pointers can’t be stored in BPF arenas — something that the BPF
developers hope to address, although there are some implementation problems that
must be sorted out first.

Mitigation guidance

Rapid7 customers

Prerequisites

Application Overview

Enhance Application Resiliency

Resilient architecture recommendations

Disaster Recovery (DR) recommendations to improve the architecture

Prepare DR strategy based on RTO and RPO requirements:

Define resiliency testing workflow, identify key metrics and tools

Failure mode evaluation to prioritize resiliency tests

Enhanced Architecture Implementing Resiliency Best Practices

Conclusion

Достъпност ли е, ако човек с различни възможности може да стигне до магазин, но не и да поръча онлайн?

За кого важи Европейският акт за достъпност?

Числа, които говорят

Как един сайт може да стане по-достъпен

Какво е важно за достъпния уебдизайн

Примерът на Великобритания

Достъпността не става случайно – тя се създава

Understanding the risks of DNS tunneling and DGAs

How DNS Firewall Advanced works

Manually create a DNS Firewall Advanced rule:

Deploy the recommended DNS Firewall Rule group using CloudFormation (OPTIONAL)

Observability

Example log entry: DNS tunneling block

Example log entry: DNS tunneling alert

Integration with Security Hub

Conclusion

Introduction

The Registration Dilemma: Who Owns the Relationship?

Scenario 1: End Users interact with the Customer’s brand only

Scenario 2: End Users explicitly opt in through the Provider application

Architectural Models for SMS Implementation

1. “Bring Your Own AWS Account” Model

2. Provider Account – Manual Registration and Configuration

3. Semi-Automated Solution – Customer Sending

4. Fully Automated Solution – Provider Sending

5. Template-Restricted Fully Automated Messaging

6. Fully Managed Programs

Shaping Your SMS Offering: Strategic Considerations

Pricing Strategies

Geographic Considerations

Strategies to Reduce Implementation Friction

Provider-Hosted Privacy Policy and/or Terms & Conditions

Registration Webforms and Workflows

Pre-Approved Opt-In Widgets

Template Libraries

Testing Environments

Documentation and Training

Conclusion

Windows Scripting Engine: zero-day RCE

Common Log File System: zero-day EoPs

Windows Desktop Window Manager: zero-day EoP

Visual Studio: zero-day RCE

Ancillary Function Driver for Winsock: zero-day EoP

Defender for Identity: situationally-ironic zero-day spoofing

Microsoft lifecycle update

Summary charts

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Azure Windows vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Microsoft Office ESU Windows vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

The collective thoughts of the interwebz