News from KW47.2025

The news of the week once again goes a little beyond the typical IT and technology edge, as there are a few interesting topics here. So on to my 9 news items of the week, this time from 17.-23.11.25 (KW47).

Win11 25H2 | WhatsApp GAU | 7Zip-ZeroDay | Proxmox 9.1 | Cloudflare Ooopsie | Wero VS PayPal | Microsoft in IT Administration | Steam machine | To the Moon and more


Article 1

Update obligation: Microsoft forces Windows 11 23H2 users to upgrade to 25H2

Microsoft has started automatically upgrading users of Windows 11 Home and Pro on version 23H2 to the latest version, Windows 11 25H2 (also known as the Windows 11 2025 Update).

The reason is that Windows 11 23H2 has reached its end of service (End of Life). Users whose computers are not centrally managed by an IT department should expect the installation.

End of service as a compulsion to update

The automatic upgrade primarily serves security, ensuring that all devices continue to receive monthly security updates.

  • Affected versions: Windows 11 version 23H2 (Home and Pro).
  • End of service: These editions fell out of support on 11 November 2025. This means they will no longer receive monthly security updates.
  • Exceptions: The Enterprise and Education Editions 23H2 will continue to receive security updates until November 10, 2026.

Microsoft justifies the move by saying that users need to switch to the latest version “to get to the latest Windows innovations.”

Details on automatic installation

The automatic update applies to all unmanaged computers with the Home and Pro edition of 23H2.

  • Rollout: Microsoft is now distributing the Windows 11 25H2 update via Windows Update.
  • Restart control: Users can adjust the restart time for the installation via the settings (“Pause updates” or “Active hours”).
  • Similar cases: The previous version, Windows 11 22H2, was likewise automatically updated to a later version after reaching its end of service.
  • Voluntary 24H2 updates: For the time being, devices that already run on version 24H2 will only receive the update to 25H2 automatically if the option ‘Receive the latest updates as they become available’ is enabled in the Windows Update settings.

Recommendation for action: To avoid a forced installation and perform the update in a convenient time window, users of Windows 11 23H2 should start the update to 25H2 manually in good time.


Article 2

WhatsApp data GAU (worst-case scenario): Researchers ‘siphon off’ the entire WhatsApp user directory

Researchers from the University of Vienna and SBA Research have downloaded the complete list of WhatsApp phone numbers and associated profile data. With over 3.5 billion profiles, it is the largest data leak in history in terms of the number of people affected. The data was freely accessible on WhatsApp's servers due to insufficient rate limiting.

Why it matters: Although no message content was intercepted, the collected data, including phone numbers, profile pictures and public keys, reveals sensitive and potentially life-threatening information about users.

The Critical Vulnerabilities

The researchers used an enumeration technique over the XMPP protocol and an open source implementation called Whatsmeow to search the entire user directory without encountering defensive measures.

| Query type | Query rate per second | Total scope |
|---|---|---|
| Phone numbers | 7,000 | 3.5 billion accounts |
| Profile photos | 5,500 | 3.8 terabytes (North America area code only) |
| Profile data/keys | 3,000 and 2,000 respectively | Entire dataset |

The main problems that made this data outflow possible:

  1. Lack of monitoring and rate limiting: Meta's WhatsApp servers allowed mass querying without adequate rate limiting.
  2. Public profiles: Profile settings allowed anyone to mass-download profile pictures (57% of users) and information from the "Info" field (approx. 30% of users).

Explosive findings for users and operators

The data obtained is valuable for attackers (doxxers, spammers) and poses serious risks for some users:

  • Doxxing risk: Profile pictures could be linked to phone numbers using face recognition, as could revealing information in the ‘Info’ field (hyperlinks to social media, political/sexual orientation, even e-mail addresses on government domains such as .mil or bund.de).
  • Security risk due to key collisions: 2.3 million public keys appeared on multiple devices. Some of this can be attributed to the profile key not being reassigned when a phone number changes, a privacy issue that undermines the purpose of changing numbers (e.g. in case of persecution).
  • State persecution: Despite bans in countries such as China, Iran and Myanmar, the researchers found millions of active accounts there, whose use can be life-threatening if authorities become aware of it.
  • Indications of fraud centres: The reuse of all three end-to-end encryption keys (identity key, pre-key, one-time key) for certain accounts (especially in Nigeria and Myanmar) points to fraud operations with a division of labour, in which the perpetrators share a common WhatsApp identity.

Meta’s response and expert recommendations

Meta Platforms describes the researchers' data collection as scraping and affirms that the data has been deleted. The company thanked the researchers for their cooperation as part of its bug bounty program and sees the study as crucial for validating its new anti-scraping systems.

Meta responded:

  • Implementation of machine learning and lifetime query limits per account to keep scrapers in check.
  • Restrictions on querying profile images and info fields.
  • An update to the Android app to prevent incorrect key reuse when a new account is created on a device that is already in use.
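
The two problems named above, missing rate limiting and the later "lifetime query limits per account", can be shown with a small server-side guard. This is an added example, not code from Meta or the researchers; the class name, thresholds and number range are constructed assumptions.

```python
from collections import Counter, defaultdict, deque


class LookupGuard:
    """Per-account limits for a contact lookup endpoint (hypothetical design)."""

    def __init__(self, per_second=10, lifetime_distinct=500):
        self.per_second = per_second                # short-term rate limit
        self.lifetime_distinct = lifetime_distinct  # distinct numbers, ever
        self._recent = defaultdict(deque)           # account -> timestamps
        # A production system would use a compact cardinality sketch here;
        # a plain set keeps the example exact and easy to follow.
        self._seen = defaultdict(set)               # account -> numbers queried

    def check(self, account, number, now):
        window = self._recent[account]
        while window and now - window[0] >= 1.0:    # drop entries older than 1 s
            window.popleft()
        if len(window) >= self.per_second:
            return "deny:rate"
        seen = self._seen[account]
        # Re-checking a known contact is free; only new numbers use up budget.
        if number not in seen and len(seen) >= self.lifetime_distinct:
            return "deny:lifetime"
        window.append(now)
        seen.add(number)
        return "allow"


def replay(guard, account, numbers, qps):
    """Feed a query stream at a fixed rate and count the decisions."""
    decisions = Counter()
    for i, number in enumerate(numbers):
        decisions[guard.check(account, number, now=i / qps)] += 1
    return dict(decisions)


def demo():
    guard = LookupGuard(per_second=10, lifetime_distinct=500)
    base = 15550000000  # constructed number range
    return {
        # One second of sequential lookups at the 7,000/s rate from the table.
        "bulk": replay(guard, "acct-bulk", range(base, base + 7000), qps=7000),
        # The same walk, throttled to stay under the per-second limit.
        "slow": replay(guard, "acct-slow", range(base, base + 2000), qps=5),
        # Ordinary client re-syncing the same 150 contacts ten times.
        "sync": replay(guard, "acct-sync",
                       list(range(base, base + 150)) * 10, qps=5),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "slow" stream shows why a per-second limit alone is not enough: it never trips the rate limit, and only the lifetime cap on distinct numbers stops it.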

Recommendations from researchers to users:

If you change your phone number due to acute danger, you should also delete the entire WhatsApp account and, if necessary, open a new one on a new device.

Reconsider your profile photo and the content of your Info field, or limit their visibility to confirmed contacts.


Article 3

Critical vulnerability in 7-Zip is now actively exploited

Users of the widely used archiver 7-Zip need to act urgently: a vulnerability (CVE-2025-11001) that was already patched in July 2025 is currently being actively exploited by attackers in older versions. This comes from a warning issued by the British National Health Service (NHS).

A successful attack can lead to the execution of unwanted code and endanger the security of the target system.

What's the problem? The Symlink vulnerability

The vulnerability, to which Trend Micro’s Zero Day Initiative (ZDI) assigned a High severity rating (CVSS: 7.0), lies in the faulty processing of symbolic links in zip files.

  • Cause: The incorrect processing lets a specially crafted zip file be unpacked into unintended directories (path traversal).
  • Target of attack: An attacker can take advantage of this to write their own code (e.g., an executable file) to an arbitrary, unauthorized path on the target system and have it executed in the context of a service or admin account.
  • Prerequisite: Exploitation still requires user interaction (i.e. the user must unpack the malicious archive).

Security researchers classify exploitation as ‘very simple’. Proof-of-concept (PoC) code is already publicly available on platforms like GitHub.
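
As a defensive complement to patching, an archive can be inspected for symlink and traversal tricks before anything is extracted. The following is an added example, not 7-Zip code or the published PoC; it models symlinks as Unix-mode zip entries, which is an assumption, since the page does not describe how the flaw encodes them, and the sample archive is constructed in memory.

```python
from __future__ import annotations

import io
import posixpath
import re
import stat
import zipfile


def is_symlink(info: zipfile.ZipInfo) -> bool:
    # For archives created on Unix, the file mode sits in the high 16 bits.
    return stat.S_ISLNK(info.external_attr >> 16)


def is_absolute(path: str) -> bool:
    path = path.replace("\\", "/")
    return path.startswith("/") or re.match(r"^[A-Za-z]:", path) is not None


def escapes_root(path: str) -> bool:
    # True if the path, taken relative to the extraction root, leaves it.
    norm = posixpath.normpath(path.replace("\\", "/"))
    return is_absolute(path) or norm == ".." or norm.startswith("../")


def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (finding, entry name) pairs; an empty list means no symlink or
    traversal trick was found. Nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        links = {i.filename.rstrip("/") for i in infos if is_symlink(i)}
        for info in infos:
            name = info.filename
            if escapes_root(name):
                findings.append(("traversal-name", name))
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                # A relative target is resolved from the link's own directory.
                resolved = posixpath.join(posixpath.dirname(name), target)
                if is_absolute(target) or escapes_root(resolved):
                    findings.append(("symlink-escape", name))
            # An entry stored below a symlink would be written wherever the
            # link points. Flag it even if the link target looks harmless.
            parts = name.rstrip("/").split("/")
            if any("/".join(parts[:n]) in links for n in range(1, len(parts))):
                findings.append(("through-symlink", name))
    return findings


def build_sample() -> bytes:
    """Constructed in-memory archive, used only to exercise audit_zip()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in (("docs/link", "../../outside"),
                             ("ok_link", "docs/readme.txt")):
            info = zipfile.ZipInfo(name)
            info.create_system = 3                      # Unix
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
        zf.writestr("docs/link/note.txt", "data")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_zip(build_sample()):
        print(finding)
```

An archive with any finding should be rejected or unpacked only in an isolated directory by an unprivileged account.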

Affected versions and the solution

All users running 7-Zip versions 21.02 through 24.09 inclusive are vulnerable.

| Status | 7-Zip version | Release | Patch details |
|---|---|---|---|
| Vulnerable | 21.02 to 24.09 | | Contains the critical gap CVE-2025-11001 |
| Patched | 25.00 | 5 July 2025 | Closes CVE-2025-11001 and CVE-2025-11002 |
| Current | 25.01 | 3 August 2025 | Additionally closes the gap CVE-2025-55188 |

Recommendation for action:

Users should immediately update to the latest stable version (25.01) or higher to protect against these and other symbolic link vulnerabilities.


Article 4

Proxmox Virtual Environment 9.1 now available

Proxmox Server Solutions GmbH announced the release of Proxmox Virtual Environment in version 9.1 on 19.11. The new version introduces innovations in container deployment, virtual machine security, and software-defined networking, providing businesses with even more flexibility, higher performance, and improved operational control.

Highlights in Proxmox Virtual Environment 9.1

OCI images for creating LXC containers

Proxmox VE 9.1 integrates native support for Open Container Initiative (OCI) images, the vendor-independent standard for container distribution. Users can now download common OCI images directly from registries or upload them manually to use as templates for the creation of LXC containers. Depending on the image, these containers are provisioned as complete system containers or as lean application containers. Application containers provide an optimized approach that ensures minimal resource consumption and more efficient utilization, ideal for microservices. The new functionality makes it possible to quickly and intuitively deploy standardized applications (such as specific databases or API services) from existing container build pipelines via the Proxmox VE web interface or the command line.

Support for TPM in qcow2 format

This version now allows you to save the state of a virtual Trusted Platform Module (vTPM) directly in qcow2 format. Thus, complete VM snapshots can be created across different storage types, including NFS/CIFS, even with active vTPM. LVM storage with snapshots as ‘volume chains’ now supports the creation of offline snapshots of VMs with vTPM status. This advancement increases operational agility for security-sensitive workloads, such as Windows installations that require a vTPM.

Granular Control for Nested Virtualization

Proxmox VE now offers improved control for nested virtualization in VMs. This feature is especially useful for workloads such as nested hypervisors or Windows environments with virtualization-based security (VBS). A new vCPU flag makes it possible to activate nested virtualization conveniently and specifically for VM guests. This flexible option gives IT administrators more control and is an optimized alternative to simply passing the full host CPU type through to the guest.

Advanced status reporting for SDN

Version 9.1 brings an improved Software-Defined Networking (SDN) stack, including detailed monitoring and reporting directly in the web interface. The GUI provides even more insight into the SDN stack and displays all guests connected to local bridges or VNets. In addition, EVPN zones now report learned IP and MAC addresses. Fabrics are integrated into the resource tree and present important network parameters such as routes, neighbors and interfaces in a clear way. The updated management interface provides insight into key network components such as IP VRFs and MAC VRFs. This improved visualization simplifies cluster-wide troubleshooting and monitoring of complex network topologies, eliminating the need to handle the command line.

Availability

Proxmox Virtual Environment 9.1 is now available for download. The available ISO installation image contains the entire function package and can be easily set up on bare metal systems thanks to an intuitive installation wizard.

Further information and links:
Roadmap | ISO Image Download | What’s new in Proxmox VE 9.1


Article 5

Infrastructure breakdown! Configuration errors shut down half of the Internet

Autumn 2025 will go down in the history of Internet infrastructure as a period of massive outages. Within a few weeks, breakdowns at the industry giants Amazon Web Services (AWS) and Cloudflare demonstrated how vulnerable the modern Internet can be to seemingly small configuration errors.

Cloudflare: The November shock

On 19 November 2025, an internal error at the Content Delivery Network (CDN) provider Cloudflare caused one of the biggest outages in years.

The cause: The outage was the unintended consequence of permission changes in a database system. They triggered a latent bug, which caused a feature file of the bot management system to fill up with duplicated entries. As a result, the file grew beyond its permissible limit, which crashed the dependent core systems when the file was distributed to them.

The consequences:

  • Services such as ChatGPT, X (formerly Twitter) and numerous other online services were impaired or unavailable for almost 6 hours (from 12:20 to 18:06 CET).
  • Cloudflare announced that in future it will increase the safety of automatically distributed configuration files and significantly speed up the detection of error states in core systems.
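
The failure mode described above, a generated file that doubles in size and takes its consumers down, can be contained with a validation gate plus a last-known-good fallback. This is an added example, not Cloudflare's code; the `name,weight` line format, the limits and all names are constructed assumptions.

```python
from __future__ import annotations

MAX_ENTRIES = 200      # assumed fixed capacity of the consumer (constructed)
MAX_BYTES = 16_384     # assumed size budget for one file (constructed)


def check_feature_file(text: str) -> list[str]:
    """Return the reasons a generated feature file must not be activated."""
    problems = []
    if len(text.encode()) > MAX_BYTES:
        problems.append("too-large")
    names = [line.split(",", 1)[0].strip()
             for line in text.splitlines() if line.strip()]
    if len(names) > MAX_ENTRIES:
        problems.append("too-many-entries")
    duplicates = len(names) - len(set(names))
    if duplicates:
        problems.append(f"duplicates:{duplicates}")
    return problems


class FeatureConsumer:
    """Consumer that keeps the last known good file instead of crashing."""

    def __init__(self, initial: str):
        if check_feature_file(initial):
            raise ValueError("initial feature file is invalid")
        self.active = initial
        self.rejected = []          # (version, problems), input for alerting

    def offer(self, version: str, text: str) -> bool:
        problems = check_feature_file(text)
        if problems:
            # Record the rejection and keep serving with the active file.
            self.rejected.append((version, problems))
            return False
        self.active = text
        return True


def demo():
    good = "\n".join(f"feature_{i},0.5" for i in range(150))   # constructed
    doubled = good + "\n" + good    # generator emitted every row twice
    consumer = FeatureConsumer(good)
    accepted = consumer.offer("v2", doubled)
    return accepted, consumer.rejected, consumer.active == good


if __name__ == "__main__":
    print(demo())
```

Running the same check in the pipeline that generates the file, before distribution, stops a bad version at the source, while the check in the consumer limits the damage if one gets through anyway.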

AWS: The October Breakdown Caused by a Race Condition

Just a few weeks earlier, in October 2025, the cloud provider Amazon Web Services (AWS) had already had to contend with a far-reaching outage in its main region US-EAST-1 (Northern Virginia).

The cause: According to AWS, the trigger was a race condition bug in the automated DNS management system of the internal database service DynamoDB. This technical error meant that the DNS record for the DynamoDB endpoint temporarily could not be resolved.

The consequences:

  • Because DynamoDB is a fundamental internal service that many other AWS services (such as EC2 and Lambda) rely on for control, a massive cascade effect followed.
  • Numerous applications worldwide, including Slack, Zoom, Epic Games and PlayStation Network, were affected by the disruption.

Conclusion: The Lesson of Centralization

Both incidents, caused by a configuration error at Cloudflare and a race condition bug at AWS, are a reminder of the critical dependence of the modern Internet on a few highly centralized infrastructure players.
A single internal error at these providers can take on global proportions in just a few minutes and severely impact the digital economy. The announced measures to increase resilience are urgently needed.


Article 6

Wero: Why the European PayPal Alternative Is Failing in Its Implementation

Wero was finally supposed to be a strong European response to the dominant US payment providers such as PayPal, Visa or Google Pay. But the launch of the service, which is backed by the European Payments Initiative (EPI), a network of 16 European banks, is marked by so many restrictions and such poor coordination that experts are critical of its chances of success.

The official kick-off for Wero payments in online retail fell in the week of 18 November 2025. The verdict so far: disappointing.

A start full of hurdles and limitations

In order to attract customers from an established, simple service such as PayPal, Wero would have to offer significant added value. Instead, the service confronts users with two key issues:

1. Lack of banking integration

Wero relies on deep integration with the participating banks. The biggest obstacle to user acceptance is the incomplete participation of the banks.

  • Poor coverage: Many large banks are still missing, and even Deutsche Bank, which is one of the 16 founding members of the EPI, does not yet fully offer the service 1.5 years after its launch (leading to confusion among media and customers).
  • Information policy: The official Wero website is still insufficiently updated weeks after the launch and does not even list all banks that are already Wero-enabled, an unacceptable state of affairs for a critical payment service.

In contrast, PayPal customers can use the service with any bank account or credit card regardless of their specific financial institution.

2. The online shopping bottleneck

The use of Wero in online retail is currently particularly limited (as of November 2025):

  • Extremely limited: In online shopping, Wero can for the time being only be used in a single shop (Eventim).
  • Restricted banks: Even in this single shop, only customers of the savings banks or the Volks- and Raiffeisenbanken can pay.
  • Lack of transparency: There is no public overview of which online shops support Wero, which makes customer acceptance even more difficult. The EPI vaguely announced that Wero will launch at over 150 shops in the remaining six weeks of the year, but named only twelve of them.

PayPal shows how it works

The EPI's amateurish implementation stands in sharp contrast to the strategy of its competitor PayPal:

| Feature | Wero (online shopping launch) | PayPal (in-store launch) |
|---|---|---|
| Launch scope | One online shop (Eventim) | About half a million stores (all that allow contactless payment with Mastercard) |
| Bank dependency | Strong dependency; only certain banks can be used | No dependency; can be used with any account |
| User acceptance | 1.3 million customers in 4.5 years | 5 million customers have unlocked the feature in just half a year (Germany) |

The figures speak for themselves: While PayPal won 5 million customers in Germany for in-store payment within half a year, Wero needed three times as long for 1.3 million customers, partly because potential users are excluded due to the bank dependency.

IMHO (In My Humble Opinion): As long as EPI does not pursue a clear, unified strategy and convince customers with better information and wider acceptance, Wero will hardly become a serious alternative to PayPal.


Article 7

Billions of dollars: Microsoft's digital monopoly stifles innovation in administration

The German public administration is deeply digitally dependent on Microsoft, which leads to exploding licensing costs and a growing lack of digital sovereignty. In a new white paper, the Cyber Intelligence Institute (CII) warns that, without an urgent change of course, rigid lock-in effects threaten a loss of state control.

The Cost of Dependency

The dominance of the US company Microsoft costs taxpayers enormous sums every year.

  • Exploding costs: The federal government's annual licensing costs for Microsoft solutions have increased by 250 percent since 2017.
  • Current spending: The Federal Government now pays more than 200 million euros per year for Microsoft licenses.
  • Total burden: The CII estimates that total licensing costs could grow to more than one billion euros. This capital would then be lacking to support alternative European providers.

The quasi-monopoly and the lock-in trap

According to the CII, Microsoft has used targeted strategies to achieve a ‘quasi-monopoly position’ in public administration. This dependence is critical not only financially but also technologically.

Causes of Dominance:

  • Closed ecosystems: Close technical integration of client, server and cloud components.
  • Restrictive license management and bundling of products.
  • Long-term framework contracts and intensive lobbying.

The Disastrous Consequences for Sovereignty:

  • Restricted freedom of choice and lack of competition.
  • Increase in security risks (due to lack of transparency).
  • Loss of the public sector's budget sovereignty over IT expenditure.

The lock-in effects are particularly critical, since the high switching costs de facto prevent the move to digitally sovereign solutions based on alternative, open systems.

CII demands: A Step-by-Step Path to Sovereignty

The CII proposes concrete measures to gradually restore digital sovereignty and to enable a Germany Stack (an interoperable system of different providers):

| Horizon | Focus and measures |
|---|---|
| Short term | Cost monitoring of IT procurement; potential studies on alternative operating systems and office software; competition review of the Microsoft ecosystem. |
| Medium term | ‘Freedom of choice light’ (no obligation to migrate to the cloud); contractual anchoring of cost transparency and open interfaces (interoperability) in future framework contracts. |
| Long term | Setting up an interoperable system (Germany Stack); expert support for IT requirements by competent authorities (BSI, BfDI, Bundeskartellamt). |

The report calls on the administration to break the cycle of short-term operational orientation and adaptation to existing dominances in order to regain the strategic competence to design the digital infrastructure.

A possible start could be the OpenDesk project, and the Germany Stack also goes at least partially in the right direction; these are developments that look very promising so far.


Article 8

Valve dares to restart: The Steam Machine is coming to the living room in 2026!

After the great success of the handheld Steam Deck, Valve is launching a second attempt in the console market: on 12 November 2025, the company officially announced a brand new Steam Machine, a compact console designed to bring PC gaming directly to the living room TV.

In last week's news I already linked an article from Golem.de that deals with building one yourself, but now we also have more information about the retail version at launch.

The new Steam Machine is due at the beginning of 2026. It will be positioned as a hybrid of a mini PC and console that combines the openness of the Steam ecosystem with the comfort of a classic console.

Gronkh's reaction to the LTT video by Linus also whets the appetite:

Performance: Significant upgrade to Steam Deck

The new console is intended to build a bridge between the Steam Deck and a full-fledged gaming PC in terms of performance:

| Component | Specification | Comparison & classification |
|---|---|---|
| CPU | AMD Zen 4 (6-core) | The basis is an energy-efficient PC chip |
| GPU | AMD RDNA 3 (28 Compute Units) | According to Valve, more than six times the power of the Steam Deck and roughly in the range of the PS5 / Xbox Series X. |
| RAM | 16 GB DDR5 RAM | Standard for modern gaming systems |
| VRAM | 8 GB GDDR6 VRAM | Could become a bottleneck for modern 4K titles. |
| Storage | 512 GB SSD or 2 TB SSD | Expandable via microSD slot and probably also via upgradable M.2 SSDs. |

The goal is to deliver solid 1080p or 1440p gaming performance at high settings. 4K gaming at 60 FPS will be difficult to achieve in most demanding titles, but is to be helped along by Valve's software optimizations (similar to the Steam Deck).

Features for the living room

The new Steam Machine is clearly tailored to the living room experience, but retains the flexibility of a PC.

  • Operating system: As with the Steam Deck, the Linux-based SteamOS is used.
  • Comfort functions: Quick-Resume, Cloud-Saves and Remote play for seamless gaming.
  • Versatility: The device can also be used as a full-fledged Mini PC with full desktop use (including app installation and dual boot).
  • Design: Compact, cube-shaped housing (approx. 160 mm per side) with internal power supply, which is said to run ‘cool and quiet’ even under load.

Part of a hardware offensive

The new Steam Machine is Valve's attempt to permanently establish PC gaming in the living room. It is part of a larger hardware announcement, which also includes a revised Steam Controller and the wireless VR headset Steam Frame.

Valve has still not announced official prices. However, hardware experts expect that the price of the base model could be in the range of 700 to 800 euros in order to be competitive with the PS5 and Xbox Series X consoles.
Update from 25.11: Console-level prices are not to be expected.


Article 9

Departure into space: The most important space missions 2026 at a glance

After a record-breaking 2025 in space, an even more ambitious programme is due in 2026. Private giants such as SpaceX and Blue Origin are working together with NASA and international partners on groundbreaking projects. The focus is clearly on the return to the Moon, the testing of new technologies and the vision of a space economy.

T3N has summarized this in detail, definitely worth reading. I'll only touch on the topic here as a teaser:

First half of the year (Q1 & Q2) - Moon and crew missions

| Mission | Who / with whom | Target | Significance / highlights |
|---|---|---|---|
| Artemis II | NASA | Circumnavigation of the Moon | First crewed mission to the Moon since the Apollo era (planned for February 5, 2026). Tests critical life support systems. |
| Blue Moon Pathfinder | Blue Origin | Moon landing (unmanned) | First flight of the New Glenn rocket by Jeff Bezos’ company. Tests the Blue Moon Mark 1 lander for future NASA and commercial missions. |
| Starliner-1 / -2 | ULA (Boeing/Lockheed Martin) | International Space Station (ISS) | The first planned crew mission of the Starliner to the ISS after the test flights. Takes four astronauts to the ISS for six months. |
| Crew Dragon 12 | SpaceX / ESA / Roskosmos | ISS | Could be the first flight with a planned crew stay of eight months, a NASA cost-cutting measure. |
| Haven-1 / Vast-1 | SpaceX / Vast | Earth orbit | Launch of the private, commercial space station “Haven-1” (a ‘space hotel’) and the first commercial crewed flight, Vast-1, to it. |
| Project Kuiper | Arianespace / Blue Origin (New!) | Earth orbit | Continuation of Amazon's Starlink competitor Project Kuiper. From Q2 onwards, the new, partially reusable Blue Origin New Glenn rocket will be used. |
| Starship HLS | SpaceX / Astrolab | Moon | Unmanned test flight of the Starship Human Landing System (HLS) with the FLEX rover on board, which can carry cargo and house astronauts. |

Starship, Mars and Space Debris (Q3 & Q4)

The year 2026 marks a crucial time for SpaceX's most ambitious plans, including preparation for interplanetary flights.

  • Starship 3 (SpaceX): After successful tests of the previous versions, Starship 3 is to cross the boundary into orbit. During the year, up to five unmanned Starship capsules with automated experiments for a Mars landing are planned.
  • Refueling in orbit (SpaceX): With the Starship Target and Chaser mission, SpaceX wants to demonstrate the refueling of rockets in Earth orbit. This technology is essential for missions that go beyond the Moon.
  • Lunar logistics (Griffin-I/II): The unmanned mission Griffin-I is to land at the Moon's south pole and unload the ‘Nanofiche GLPH’, a nickel disc serving as an archive of historical documents (‘Galactic Library Preserve Humanity’) to preserve human achievements over millions of years.
  • Clearspace-1 (Arianespace): The European mission is due to launch in July and tackle the problem of space debris. A tug will capture the old ESA satellite Proba-1 and cause it to burn up in the Earth's atmosphere.
  • Chang’e 7 (CASC): China's ambitious lunar mission will head for the South Pole. It includes a lander, a rover and a lunar hopper, which can use rocket propulsion to search areas that are difficult to access for traces of water.

2026 will thus be a year that not only opens the door to the Moon, but also sets the course for the first private Mars landing and at the same time addresses the urgent need to clean up Earth's orbit.


Outro with Sun Tzu, the security officer of your IT, as you already know, so here you go: “Speed is the essence of war. Only a rapid response can limit the catastrophe.”

Meaning: A well-developed incident response plan and the ability to contain quickly matter, because attacks (such as ransomware) can have devastating consequences in minutes.