• John Hammond
  • Posts
  • Cybersecurity Shenanigans #026: A record-breaking 622 patches for Patch Tuesday, browser updates, and lots of lulz

Cybersecurity Shenanigans #026: A record-breaking 622 patches for Patch Tuesday, browser updates, and lots of lulz

Here's this month's cybersecurity scoop.

👋 Hey friend,

First things first: How is it JULY already? We were just celebrating the holidays… in 2016. And now it’s July? 2026? 😅 

Anyway, July also marked one h e c k of a Patch Tuesday, and this news cycle in general certainly isn’t doing anyone any favors. Critical browser updates across a few major vendors, and a whole lot of reasons to go check your update settings. Let's get into it.

And as always, thanks for being here! 💙

— JH

News & Commentary

Microsoft announces record-breaking 622 patches on Patch Tuesday 🫠 

So…about this month’s Patch Tuesday…

Microsoft released 622 (!!!) patches, with 400+ of them being for Windows alone and another 160ish across the Office suite.

The two that actually matter most right now are being actively exploited in the wild. The first is a privilege escalation flaw in Active Directory Federation Services (AD FS). AD FS is the system many organizations use to handle single sign-on across their environment, so a local attacker would be able to elevate themselves to admin. 😅 

The second is a SharePoint Server flaw that can be exploited over the network with zero authentication required, and also leads to privilege escalation. CISA has already flagged that one for immediate patching.

There's also a BitLocker bypass that was publicly disclosed before the patch dropped, which means the recipe for exploiting it was already out there.

Worth noting: Microsoft says part of why the CVE count is ballooning is because they're now using AI-powered tooling to surface vulnerabilities faster across the Windows codebase. Which is great — yay for more awareness! But that also means these massive Patch Tuesdays might just be the new normal. Yeesh.

Popular web browsers issue updates that fix critical security flaws ✅

Have you been putting off updating any software? You might want to make sure Firefox, Chrome, Adobe, and Broadcom are on that “update now” list. 👀

All four of these vendors just released updates to several applications that might warrant an update-sooner-rather-than-later nudge. Here are the details:

  • Mozilla: 2 critical Firefox flaws in WebAssembly and DOM navigation (and both have working exploit code already out in the wild 😅 )

  • Chrome: 15 flaws, including two critical use-after-free bugs (Chrome’s Ozone layer), which is a type of memory corruption vulnerability where a program uses a chunk of memory after it’s already been released, giving hackers the space to manipulate and run their own code

  • Adobe: 88 (!!!) vulnerabilities across ColdFusion, Commerce, Experience Manager, and Illustrator. ColdFusion got 8 critical fixes, and most of them carry CVSS scores of 9.0+, with potential for arbitrary code execution across the board. 😨 

  • Broadcom: 1 fix for a critical (9.8 CVSS score) authentication bypass in VMware AviLoad Balancer. This vulnerability could let someone on your network access the control plane without any credentials.

You already know what the parting advice is for this one. Go patch, friends!

Sponsor

Automate Pentest Delivery and Close the Gap Between Red and Blue Team

Siloed workflows, delayed reports, and manual handoffs turn great findings into stalled tickets, leaving red and blue teams working from different playbooks. PlexTrac closes that gap with automated pentest delivery, giving both teams shared visibility into findings, evidence, and remediation status in real time, plus built-in retesting to confirm fixes actually hold.

See how PlexTrac replaces spreadsheets and email chains with one connected workflow from discovery to resolution. See how it works, no sales pitch.

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-026.

(And as always, thanks for nothing, Clippy. 💙)

Latest Content

// meowch. 😅

Just Hacking Training News 🤓

20% Off Courses ALL of July! 🎆 

*Excludes already discounted bundles

Learn directly from me and 30+ All-Stars to advance your technical cybersecurity career with hands-on, practical courses from experienced practitioners.

Use Code "20for250"
Ends Midnight ET on July 31

Suggested Courses

❤️ Red Team

Blue Team 💙

Courses in Production: Home Lab, Coding for Cybersecurity, Networking for Pentesters, Reverse Engineering, MADS Vol 4, Jr Network Pentest, and more!

Vegas Baby!

An update from Don Donzal, Co-Founder of Just Hacking Training

There's nothing quite like the annual trek to the desert for Hacker Summer Camp. I've been personally going for over 20 years, and I'm thrilled that this year JHT will be attending Black Hat as well as our normal large presence at DEF CON in the IoT Village as well as sponsoring the Red Team Village, Noob Village and Scam Bait Village. More on our Conferences Page.

We’ll have 2 hands-on mini-workshops in the IoT Village. No schedule or laptop needed… just sit down and start learning! Finish either one and get a JHT t-shirt on us!

Hacking is fun but meeting new people and catching up with now lifelong friends... honestly, it's the main reason I endure the heat and the madness of Sin City. 🙏 You should, too!

Free Community Projects

Our Free AI Hacking Game Got a New Challenge!

Andrew Bellini just couldn’t help himself and already added another full challenge with its own 3 levels on OnlyLANs, an AI prompt injection teaching site.

Solve Level 1 on either challenge to enter a monthly drawing for a FREE JHT course!

I will never unsee this version of myself.

Free Vulnerable Web App

If you would like to play with a live, purposely vulnerable web app, have at it! Prefer more structured, curriculum-based training? Try JHT’s Web App Jr Analyst course.

CrossWind Systems is a fictitious company created for JHT’s web app courses.

Just Starting a Cybersecurity Career?

Here's a stat that might surprise you: over 90% of cybersecurity jobs are defensive (blue team work). So if you're trying to break into the field, having a solid foundation in the blue arts isn't just helpful. It’s basically the whole game.

Degrees and certifications are great. They make your resume look nice, and sometimes, they're a required checkbox to even get an interview. But a checkbox doesn't necessarily land you the job. What actually lands you the job is being able to sit down in a technical interview and show your work. And that takes experience.

Which brings us to the classic Catch-22: You need experience to get a job, but you need a job to get experience. 🙃 So how do you break the cycle? Hands-on training.

At Just Hacking Training, we've got more than 100 items in our technical catalog — and the question we hear most often is "where do I even start?" followed closely by "okay, what do I do next?" As our blue team offerings grow from beginner all the way to advanced, we figured it was time to stop just listing courses and start giving you actual roadmaps. What to take, when to take it, and how it fits into building a career you actually want. Don Donzal explains over on our blog.

Happy Hacking!

TeH LulZ

It’s time to share some of teh lulz that have landed in my inbox here lately.

In case you’re new here, each time someone subscribes to this newsletter, I ask them to reply and hit me with their best joke (both to appease the eMaIL oVeRlOrDs and because I’m always up for a good laugh 😅). Here are a few of my and the team’s favorites!

I’ve shenaned and I’ll Shenanigan!

Jaiken

Why did John Hammond (☠️) bring a ladder to the CTF?

Because he heard the flags were stored in higher privileges.

Dave

What do you call an excavated pyramid?

Unencrypted.

Frank

What do you call a boomerang that doesn’t come back?

A stick.

Nycole

…the deadpan the team did over that last one. 😆

Pssssst! You don’t have to be a new subscriber to hit me with your best joke. 🙂 Reply to this email with your funniest one (cybersec-related or not!), and it might be featured in a future newsletter!