Android Users, It’s Update O’Clock: Google Patches 107 Security Flaws
Frank Marano

Alright everyone, an important public service announcement — but this one’s for those in green bubble land.

Don’t worry, iPhone users can keep sipping their lattes. But if you’re rocking an Android device, it’s time to pay attention. Google has just released its December 2025 security bulletin, patching a staggering 107 vulnerabilities across multiple components. Some of these flaws are already being exploited in the wild, which means attackers aren’t waiting around for you to hit “update.”

🎄 Cybersecurity Safety During the Holidays: Protecting Yourself and Your Business
Frank Marano

The holiday season is a time of joy, generosity, and celebration. But while we’re busy shopping online, booking travel, and donating to charities, cybercriminals are equally busy looking for ways to exploit the festive rush. Every year, we see a spike in phishing scams, fake websites, and fraudulent deals designed to trick distracted consumers. Staying vigilant is more important than ever — because one careless click could turn holiday cheer into holiday chaos.

Microsoft Flexes Its Proactive Muscles: Entra ID Sign‑Ins Get Stronger Protection Against Script Injection Attacks
Frank Marano

When it comes to identity and access management, Microsoft continues to show that proactive security is more than just a slogan — it’s a strategy. Microsoft is flexing its proactive muscles again by enhancing the Entra ID authentication system with a strengthened Content Security Policy (CSP) designed to block external script injection attacks. This update is not just another incremental tweak; it’s a meaningful step forward in protecting users against one of the most persistent threats in web security: cross‑site scripting (XSS) and malicious script injection.

SonicWall’s Latest SSLVPN Flaw Raises Questions About Cheap Firewall Reliability
Frank Marano

SonicWall has disclosed a critical SonicOS SSLVPN vulnerability that can crash firewalls outright, raising fresh concerns about the reliability of budget firewall solutions. While there’s no evidence of active exploitation yet, the company is urging customers to patch immediately or disable SSLVPN until updates can be applied. This flaw is just the latest in a string of incidents that have put SonicWall in the headlines. And when you zoom out, a troubling pattern emerges: SonicWall and Fortinet — two of the most popular “affordable” firewall vendors — seem to be trading places in the news cycle, each grappling with vulnerabilities that undermine trust in their products.

Phishing Gets an Upgrade: Sneaky2FA Adds Browser‑in‑the‑Browser Attacks
Frank Marano

Phishing has always been about deception—but now it looks like phishing has received an upgrade. The latest evolution comes from Sneaky2FA, a phishing‑as‑a‑service (PhaaS) kit that has added browser‑in‑the‑browser (BitB) capabilities. This new trick allows attackers to steal Microsoft credentials and active session tokens, bypassing even two‑factor authentication (2FA). In other words: the bad guys aren’t just after your password anymore. They’re after your entire session.
