February 2026 Patch Tuesday includes six actively exploited zero-days
Microsoft releases important security updates on the second Tuesday of every month, known as “Patch Tuesday.” This month’s updates fix 59 Microsoft CVEs, including six zero-days.
Let’s have a quick look at these six actively exploited zero-days.
Windows Shell Security Feature Bypass Vulnerability
CVE-2026-21510 (CVSS score 8.8 out of 10) is a security feature bypass in the Windows Shell. A protection mechanism failure allows an attacker to circumvent Windows SmartScreen and similar prompts once they convince a user to open a malicious link or shortcut file.
The vulnerability is exploited over the network but still requires user interaction. The victim must be socially engineered into launching the booby‑trapped shortcut or link for the bypass to trigger. Successful exploitation lets the attacker suppress or evade the usual “are you sure?” security dialogs for untrusted content, making it easier to deliver and execute further payloads without raising user suspicion.
MSHTML Framework Security Feature Bypass Vulnerability
CVE-2026-21513 (CVSS score 8.8 out of 10) affects the MSHTML Framework (used by Internet Explorer’s Trident/embedded web rendering). It is classified as a protection mechanism failure that results in a security feature bypass over the network.
A successful attack requires the victim to open a malicious HTML file or a crafted shortcut (.lnk) that leverages MSHTML for rendering. When opened, the flaw allows an attacker to bypass certain security checks in MSHTML, potentially removing or weakening normal browser or Office sandbox or warning protections and enabling follow‑on code execution or phishing activity.
Microsoft Word Security Feature Bypass Vulnerability
CVE-2026-21514 (CVSS score 5.5 out of 10) affects Microsoft Word. It relies on untrusted inputs in a security decision, leading to a local security feature bypass.
An attacker must persuade a user to open a malicious Word document to exploit this vulnerability. If exploited, the untrusted input is processed incorrectly, potentially bypassing Word’s defenses for embedded or active content—leading to execution of attacker‑controlled content that would normally be blocked.
Desktop Window Manager Elevation of Privilege Vulnerability
CVE-2026-21519 (CVSS score 7.8 out of 10) is a local elevation‑of‑privilege vulnerability in Windows Desktop Window Manager caused by type confusion (a flaw where the system treats one type of data as another, leading to unintended behavior).
A locally authenticated attacker with low privileges and no required user interaction can exploit the issue to gain higher privileges. Exploitation must be done locally, for example via a crafted program or exploit chain stage running on the target system. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Windows Remote Access Connection Manager Denial of Service Vulnerability
CVE-2026-21525 (CVSS score 6.2 out of 10) is a denial‑of‑service vulnerability in the Windows Remote Access Connection Manager service (RasMan).
An unauthenticated local attacker can trigger the flaw with low attack complexity, leading to a high impact on availability but no direct impact on confidentiality or integrity. This means they could crash the service or potentially the system, but not elevate privileges or execute malicious code.
Windows Remote Desktop Services Elevation of Privilege Vulnerability
CVE-2026-21533 (CVSS score 7.8 out of 10) is an elevation‑of‑privilege vulnerability in Windows Remote Desktop Services, caused by improper privilege management.
A local authenticated attacker with low privileges, and no required user interaction, can exploit the flaw to escalate privileges to SYSTEM and fully compromise confidentiality, integrity, and availability on the affected system. Successful exploitation typically involves running attacker‑controlled code on a system with Remote Desktop Services present and abusing the vulnerable privilege management path.
Azure vulnerabilities
Azure users are also advised to take note of two critical vulnerabilities with CVSS ratings of 9.8:
- CVE-2026-21531 affecting Azure SDK
- CVE-2026-24300 affecting Azure Front Door
How to apply fixes and check you’re protected
These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:
1. Open Settings
- Click the Start button (the Windows logo at the bottom left of your screen).
- Click on Settings (it looks like a little gear).
2. Go to Windows Update
- In the Settings window, select Windows Update (usually at the bottom of the menu on the left).
3. Check for updates
- Click the button that says Check for updates.
- Windows will search for the latest Patch Tuesday updates.
- If you have selected automatic updates earlier, you may see this under Update history:

- Or you may see a Restart required message, which means all you have to do is restart your system and you’re done updating.
- If not, continue with the steps below.
4. Download and Install
- If updates are found, they’ll start downloading right away. Once complete, you’ll see a button that says Install or Restart now.
- Click Install if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click Restart now.
5. Double-check you’re up to date
- After restarting, go back to Windows Update and check again. If it says You’re up to date, you’re all set!
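
The same check can be scripted for machines you administer. The following is an added example, not part of the original article: it computes this month's Patch Tuesday, lists hotfixes installed since then, asks the Windows Update Agent for updates that are still missing, and looks for a pending restart. It assumes Windows PowerShell on the machine being checked and network access to the update service; the year and month are hard-coded for this release.

```powershell
# Added example: scripted equivalent of "Double-check you're up to date".
function Get-PatchTuesday {
    param([int]$Year, [int]$Month)
    # Patch Tuesday is the second Tuesday: first Tuesday of the month + 7 days.
    $d = [datetime]::new($Year, $Month, 1)
    while ($d.DayOfWeek -ne [DayOfWeek]::Tuesday) { $d = $d.AddDays(1) }
    $d.AddDays(7)
}

$patchTuesday = Get-PatchTuesday -Year 2026 -Month 2

# 1. Hotfixes installed on or after Patch Tuesday.
#    InstalledOn can be empty for some entries, so filter those out first.
$recent = @(Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn)

# 2. Updates the Windows Update Agent reports as applicable but not installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$missing  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates

# 3. A restart is still pending while either of these registry keys exists.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$rebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

[pscustomobject]@{
    PatchTuesday   = $patchTuesday.ToString('yyyy-MM-dd')
    InstalledSince = ($recent.HotFixID -join ', ')
    MissingUpdates = $missing.Count
    RestartPending = $rebootPending
    # Patched means: something installed since Patch Tuesday, nothing missing, no restart owed.
    UpToDate       = ($recent.Count -gt 0 -and $missing.Count -eq 0 -and -not $rebootPending)
}

# Titles of anything still outstanding, for follow-up.
$missing | ForEach-Object { $_.Title }
```

`Get-HotFix` only reports updates recorded as installed hotfixes, so treat an empty `InstalledSince` together with `MissingUpdates = 0` as a reason to look at Update history rather than as proof of a problem.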

Apple's Creator Studio creates a subscription where free apps used to live
Mac faithful aghast at helpful wallet-emptying suggestions
Apple fanbois are realizing what the Creator Studio subscription means for its productivity apps, and many are unhappy with the direction of travel.…
Esther Ghey shares heartfelt message to Brianna on the third anniversary of her murder
The mother of murdered transgender teenager Brianna Ghey has shared a heartfelt message on the third anniversary of her daughter’s death.
“Tomorrow marks 3 years without you, Brianna,” her mum, Esther, wrote in a message shared on social media on Tuesday (10 February). “I still think of you every. single. day.”
“I wish I could hug you and hear your voice, even just one more time,” she continued.
“I will continue to work hard in your memory, because I have to do something with the love and energy I will forever hold for you.
“Brianna Ghey, I will make sure your name lives on and you will continue to make a difference, bringing joy, peace and resilience to families for years to come.”
Brianna was just 16 when she was brutally killed by Scarlett Jenkinson and Eddie Ratcliffe, both 15 at the time, in Culcheth Linear Park in Warrington, Cheshire on 11 February 2023.
Following a trial at Manchester Crown Court, the pair were convicted of Brianna’s murder in December 2023.
The pair’s identities were revealed to the public after the anonymity order which protects under-18s in legal cases was lifted, due to the serious nature of their crimes.
They were subsequently sentenced to life imprisonment, with Jenkinson ordered to serve a minimum of 22 years, and Ratcliffe at least 20. Ratcliffe sought to appeal his sentence, but this was refused in December 2024.
Ghey was stabbed 28 times in the back, head and neck in a violent, daytime assault.
Jenkinson and Ratcliffe pre-planned the attack on Ghey after having already created a “kill list” of other children they wanted to harm, and in the run up to her murder consumed violent, graphic content online, including fascination with serial killers.
The court heard how the pair would swap violent and dark messages with each other about murder, death and torture.
Ratcliffe described Jenkinson as not a “normal” person who would make jokes about “dead babies” and said that she called herself a “Satanist”.
A handwritten murder note, detailing plans to kill Ghey, was discovered in her bedroom by police after she was arrested in relation to the crime.
During the course of the trial, the prosecution also told the court how Ratcliffe referred to Ghey as “it”, rather than use she/her pronouns for the teen, alongside other offensive language which he claimed was a “joke” between himself and Jenkinson.
The court also heard how Jenkinson became “obsessed” with Brianna, and this obsession led her to add the 16-year-old’s name to the kill list.
They both denied the murder charges and instead blamed each other for Ghey’s death.

Following the trial at Manchester Crown Court, a jury of seven men and five women found the pair guilty after deliberating for four hours and 40 minutes.
Following the verdict, Esther Ghey spoke outside court and described her daughter as “larger than life, funny, witty and fearless”, adding their house now felt “empty without her laughter”.
“To know how scared my usually fearless child must have been when she was alone in that park, with someone that she called her friend, will haunt me forever,” she said at the time.
Peter Spooner, Brianna’s father, told the press outside court that he knew his child was going to be a “star” and “the amount of support she received from the followers on TikTok proves this”.
“It’s difficult to comprehend how some people can do these vile things in the world and don’t understand how cruel and heartbreaking their actions can be,” he said.
“The impact of Brianna’s death has not just affected me as a father, but also my whole family. My heart bleeds every day for Brianna and this will never go away.”

Kim Petras’s new single not available on major streaming services amid record label dispute
Pop star Kim Petras has released her new single “Pop Sound” amid an ongoing dispute with her record label, but the song is currently unavailable on major streaming services.
“Pop Sound” is the first song from her upcoming EP Detour, with the pop starlet confirming in a recent video that she will be dropping “a song a week for the next four weeks for free”.
However, “Pop Sound” is currently only available to listen to on YouTube and SoundCloud, and not major streaming services such as Spotify and Apple Music.
Last month, the history-making trans artist and “Unholy” singer revealed that she had “formally requested to be dropped” by her record label Republic Records, an offshoot of the Universal Music Group.
She explained that she was “tired of having no control over [her] own life or career” and wished to self-fund her own music releases.
“My album has been done for 6 months but my record label has refused to give me a release date or pay my collaborator’s [sic] for the work they’ve done,” she claimed.

PinkNews contacted Universal Music for comment at the time, but did not receive a response. PinkNews has now contacted the corporation for comment on whether “Pop Sound” will be released on major streaming platforms.
After publicly venting her frustrations with her record label, the singer was supported by other artists including Kesha and Grimes.
In a video posted on 6 February, the 33-year-old performer confirmed that “the conversation with [her] label is still happening” and she doesn’t yet have a release date for her new album.
In the meantime, she will spend the next month releasing new music every week.
“I’m so excited for you to hear these songs. I made them with my favourite people,” she said.
“I just wanted to make the next four weeks really, really fun,” she continued. “You’re going to be getting a song a week for four weeks for free. So don’t complain or say s***. I don’t wanna hear y’all saying s*** ‘cos you’re getting four songs in four weeks, and that’s tea.”
On social media, fans of the “Future Starts Now” singer have lathered “Pop Sound” with praise and condemned Republic Records for failing to support Petras’s new music.
“I’m sorry but f*** Kim Petras’s record label because what do you mean this era has been a straight 100/10 then they don’t let her release the bible,” one fan wrote on X, formerly Twitter.
“‘Pop Sound’ really makes Kim Petras sound like [a] pop savior summed into one song,” another fan wrote.
“I hate republic records, this is a hit,” a third wrote.
Kim Petras made music history in 2022 and 2023 with “Unholy”, her collaboration with British non-binary star Sam Smith. In October 2022, she became the first trans woman to top the US Billboard Hot 100 chart. Four months later, she became the first trans woman to win a Grammy Award in a major category, after “Unholy” won in the Best Pop Duo/Group Performance category.

