Everything posted by reporter
-
The Cloudflare Outage May Be a Security Roadmap
An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline. Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites. But security experts say doing so may have also triggered an impromptu network penetration test for organizations that have come to rely on Cloudflare to block many types of abusive and malicious traffic.

At around 6:30 EST/11:30 UTC on Nov. 18, Cloudflare’s status page acknowledged the company was experiencing “an internal service degradation.” After several hours of Cloudflare services coming back up and failing again, many websites behind Cloudflare found they could not migrate away from using the company’s services because the Cloudflare portal was unreachable and/or because they also were getting their domain name system (DNS) services from Cloudflare.

However, some customers did manage to pivot their domains away from Cloudflare during the outage. And many of those organizations probably need to take a closer look at their web application firewall (WAF) logs during that time, said Aaron Turner, a faculty member at IANS Research.

Turner said Cloudflare’s WAF does a good job filtering out malicious traffic that matches any one of the top ten types of application-layer attacks, including credential stuffing, cross-site scripting, SQL injection, bot attacks and API abuse. But he said this outage might be a good opportunity for Cloudflare customers to better understand how their own app and website defenses may be failing without Cloudflare’s help.

“Your developers could have been lazy in the past for SQL injection because Cloudflare stopped that stuff at the edge,” Turner said. “Maybe you didn’t have the best security QA [quality assurance] for certain things because Cloudflare was the control layer to compensate for that.”

Turner said one company he’s working with saw a huge increase in log volume and they are still trying to figure out what was “legit malicious” versus just noise.

“It looks like there was about an eight hour window when several high-profile sites decided to bypass Cloudflare for the sake of availability,” Turner said. “Many companies have essentially relied on Cloudflare for the OWASP Top Ten [web application vulnerabilities] and a whole range of bot blocking. How much badness could have happened in that window? Any organization that made that decision needs to look closely at any exposed infrastructure to see if they have someone persisting after they’ve switched back to Cloudflare protections.”

Turner said some cybercrime groups likely noticed when an online merchant they normally stalk stopped using Cloudflare’s services during the outage.

“Let’s say you were an attacker, trying to grind your way into a target, but you felt that Cloudflare was in the way in the past,” he said. “Then you see through DNS changes that the target has eliminated Cloudflare from their web stack due to the outage. You’re now going to launch a whole bunch of new attacks because the protective layer is no longer in place.”

Nicole Scott, senior product marketing manager at the McLean, Va. based Replica Cyber, called yesterday’s outage “a free tabletop exercise, whether you meant to run one or not.”

“That few-hour window was a live stress test of how your organization routes around its own control plane and shadow IT blossoms under the sunlamp of time pressure,” Scott said in a post on LinkedIn. “Yes, look at the traffic that hit you while protections were weakened. But also look hard at the behavior inside your org.”

Scott said organizations seeking security insights from the Cloudflare outage should ask themselves:

1. What was turned off or bypassed (WAF, bot protections, geo blocks), and for how long?
2. What emergency DNS or routing changes were made, and who approved them?
3. Did people shift work to personal devices, home Wi-Fi, or unsanctioned Software-as-a-Service providers to get around the outage?
4. Did anyone stand up new services, tunnels, or vendor accounts “just for now”?
5. Is there a plan to unwind those changes, or are they now permanent workarounds?
6. For the next incident, what’s the intentional fallback plan, instead of decentralized improvisation?

In a postmortem published Tuesday evening, Cloudflare said the disruption was not caused, directly or indirectly, by a cyberattack or malicious activity of any kind.

“Instead, it was triggered by a change to one of our database systems’ permissions which caused the database to output multiple entries into a ‘feature file’ used by our Bot Management system,” Cloudflare CEO Matthew Prince wrote. “That feature file, in turn, doubled in size. The larger-than-expected feature file was then propagated to all the machines that make up our network.”

Cloudflare estimates that roughly 20 percent of websites use its services, and with much of the modern web relying heavily on a handful of other cloud providers including AWS and Azure, even a brief outage at one of these platforms can create a single point of failure for many organizations.

Martin Greenfield, CEO at the IT consultancy Quod Orbis, said Tuesday’s outage was another reminder that many organizations may be putting too many of their eggs in one basket.

“There are several practical and overdue fixes,” Greenfield advised. “Split your estate. Spread WAF and DDoS protection across multiple zones. Use multi-vendor DNS. Segment applications so a single provider outage doesn’t cascade. And continuously monitor controls to detect single-vendor dependency.”

View the full article
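Two of the checks argued for above (Turner's "look closely at any exposed infrastructure" for the bypass window, and Greenfield's "detect single-vendor dependency") can be scripted. The following is an added example written for this page; it is not code from the article, from Cloudflare, or from anyone quoted. It assumes origin web-server logs in the Apache/nginx "combined" format, an eight-hour bypass window on the day of the outage (assumed, not from the postmortem), a snapshot of Cloudflare's published IPv4 edge ranges, and constructed sample log lines, nameserver names and A records using documentation-range addresses. The idea: a request whose client IP is not a Cloudflare edge address reached the origin with nothing in front of it, so those are the lines to read first.

```python
"""Added example, not code from the article or from Cloudflare.
triage(): requests that hit the origin directly (client IP outside Cloudflare's
edge ranges) inside the bypass window, tagged with crude attack signatures.
dependency_report(): is a zone's DNS single-vendor, and do its A records expose
the origin instead of a Cloudflare edge address?"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import unquote

# Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips/),
# a snapshot at time of writing; refresh from that URL before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare_ip(ip: str) -> bool:
    """True if the address lies in one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Crude signatures for three attack classes named in the article. A WAF does far
# more than this; that gap is exactly what the outage exposed.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\d+=\d+|sleep\(\d+\))"),
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=)"),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
}

def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None  # not in combined format; skip rather than guess
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = unquote(e["path"])  # decode %27, %3C, ... before matching
    return e

def triage(lines, window_start, window_end):
    """Entries in the window whose client IP is NOT a Cloudflare edge address
    (nothing upstream filtered them), tagged with matching signatures. Requests
    that still arrived via Cloudflare are dropped: the WAF saw those."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or not (window_start <= e["ts"] <= window_end):
            continue
        if is_cloudflare_ip(e["ip"]):
            continue
        tags = [name for name, rx in SIGNATURES.items() if rx.search(e["path"])]
        findings.append({"ip": e["ip"], "ts": e["ts"], "path": e["path"],
                         "status": e["status"], "tags": tags})
    return findings

def ns_vendors(nameservers):
    """Heuristic: group NS hostnames by second-level label with digits removed
    (ns1.cloudflare.com -> cloudflare, ns-7.awsdns-12.org -> awsdns-)."""
    vendors = Counter()
    for ns in nameservers:
        labels = ns.rstrip(".").lower().split(".")
        sld = labels[-2] if len(labels) >= 2 else labels[0]
        vendors[re.sub(r"\d+", "", sld)] += 1
    return vendors

def dependency_report(nameservers, a_records):
    vendors = ns_vendors(nameservers)
    return {
        "single_dns_vendor": len(vendors) == 1,
        "vendors": dict(vendors),
        # A records outside Cloudflare's ranges reveal the origin address,
        # which is what an attacker watching DNS changes is looking for.
        "origin_exposed": [ip for ip in a_records if not is_cloudflare_ip(ip)],
    }

# Constructed sample data: documentation-range client IPs, an assumed bypass
# window on the day of the outage, and a mix of edge and direct hits.
WINDOW_START = datetime(2025, 11, 18, 11, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 11, 18, 19, 30, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '162.158.10.5 - - [18/Nov/2025:11:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2025:13:05:12 +0000] "GET /login?user=admin%27%20or%201=1-- HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.23 - - [18/Nov/2025:14:10:44 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '104.16.1.1 - - [18/Nov/2025:15:00:00 +0000] "GET /api/items HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2025:16:30:05 +0000] "GET /images/../../../../etc/passwd HTTP/1.1" 404 150 "-" "curl/8.0"',
    '192.0.2.44 - - [18/Nov/2025:17:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2025:20:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, WINDOW_START, WINDOW_END):
        print(f["ts"].isoformat(), f["ip"], f["status"], f["tags"] or "-", f["path"])
    print(dependency_report(["ns1.cloudflare.com.", "ns2.cloudflare.com."], ["203.0.113.7"]))
```

On the sample data the triage keeps four direct hits and tags three of them; the edge-sourced requests and the one after the window are dropped. Two caveats a practitioner should keep in mind: the range list is only as good as its refresh date, and the signatures are illustrative, so a clean run says nothing about persistence. For the question Turner actually raises, pair this with authentication, process and new-account logs for the same window, and treat any origin address that appears in `origin_exposed` as known to anyone who watched the DNS change.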
-
Who was Hilda of Whitby and why is she important?
19 November is the day when Anglicans remember St Hilda of Whitby. She was a powerful and important woman in the history of the English Church. This is her story. View the full article
-
Over 2,000 anti-Christian hate crimes reported across Europe in 2024 - report
Despite a slight drop in overall numbers, the attacks are becoming more violent in nature, a new report has warned. View the full article
-
Cultivating the fruits of the Spirit: Goodness that embodies righteousness and truth
We have reached goodness in our journey through the fruits of the Holy Spirit (Galatians 5:22-23) - a virtue often spoken of but less often understood. View the full article
-
License to Encrypt: “The Gentlemen” Make Their Move
Cybereason Threat Intelligence Team recently conducted an analysis of "The Gentlemen" ransomware group, which emerged around July 2025 as a ransomware threat actor group with relatively advanced methodologies. The Gentlemen group employs a dual-extortion strategy, not only encrypting sensitive files but also exfiltrating critical business data and threatening to publish it on dark web leak sites unless a ransom is paid. The group has demonstrated a unique approach by combining established ransomware techniques with newer strategies, making them quick to adapt to new attack vectors and allowing them to remain a persistent and evolving threat to organizations worldwide. View the full article
-
European court accused of overreach after ruling against Poland in disability abortion case
The European Court of Human Rights (ECHR) has come under criticism after ruling against Poland in a case concerning abortion on the grounds of disability. View the full article
-
Terrorist attack on church-run clinic in eastern DRC leaves dozens dead
A late-night assault on a Catholic health facility in northeastern Democratic Republic of Congo has left around 20 civilians dead. View the full article
-
Christians invited to start 2026 in prayer for the nation
A nationwide prayer initiative involving thousands of churches and Christians is set to take place at the start of the New Year. View the full article
-
Calls for prayer as court hears sacked chaplain's appeal
Christians are being asked to pray as the Employment Appeal Tribunal hears the case of sacked chaplain Rev Dr Bernard Randall. View the full article
-
King Charles donates £50,000 toward roof repairs at late Queen’s cherished Norfolk church
King Charles has personally stepped in to support restoration work at a historic Norfolk church long treasured by his late mother, Queen Elizabeth II. View the full article
-
More Prompt||GTFO
The next three in this series on online events highlighting interesting uses of AI in cybersecurity are online: #4, #5, and #6. Well worth watching. View the full article
-
Russian courts ban more Baptist churches in continued crackdown
Russian courts have banned three more Baptist churches affiliated with the Council of Churches Baptists in the southern region of Krasnodar amid an ongoing crackdown on unregistered congregations across the country. View the full article
-
Evangelicals offer praise for Armenia PM after he recites Bible at prayer breakfast amid church tensions
Prime Minister Nikol Pashinyan, under criticism from rights groups over his government's treatment of senior clergy from Armenia's national church, received strong praise from American and British Evangelical leaders after highlighting his record at the country's first national prayer breakfast on Saturday. View the full article
-
Hollywood stars Cate Blanchett and Spike Lee meet Pope
Pope Leo XIV welcomed a group of Hollywood luminaries to the Vatican on Saturday, including Oscar-winning actress Cate Blanchett and director Spike Lee. View the full article
-
The gift of fellowship in building one body in Christ
There’s a saying that a lone coal grows dim, but coals heaped together glow red-hot. The same could be said of the Church. View the full article
-
Lessons from Old Testament figures: Joshua
The same God who led Joshua still leads you today. View the full article
-
Veteran theologian John Lennox reflects on ageing, legacy and the hope that endures
In a wide-ranging and deeply personal conversation, renowned lay theologian and apologist John Lennox has provided a striking reflection on ageing, spiritual resilience, and what it truly means to “finish well.” View the full article
-
Microsoft Patch Tuesday, November 2025 Edition
Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses affect all versions of Windows, including Windows 10.

Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent.

The zero-day threat concerns a memory corruption bug deep in the Windows innards called CVE-2025-62215. Despite the flaw’s zero-day status, Microsoft has assigned it an “important” rating rather than critical, because exploiting it requires an attacker to already have access to the target’s device.

“These types of vulnerabilities are often exploited as part of a more complex attack chain,” said Johannes Ullrich, dean of research for the SANS Technology Institute. “However, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.”

Ben McCarthy, lead cybersecurity engineer at Immersive, called attention to CVE-2025-60274, a critical weakness in a core Windows graphic component (GDI+) that is used by a massive number of applications, including Microsoft Office, web servers processing images, and countless third-party applications.

“The patch for this should be an organization’s highest priority,” McCarthy said. “While Microsoft assesses this as ‘Exploitation Less Likely,’ a 9.8-rated flaw in a ubiquitous library like GDI+ is a critical risk.”

Microsoft patched a critical bug in Office — CVE-2025-62199 — that can lead to remote code execution on a Windows system. Alex Vovk, CEO and co-founder of Action1, said this Office flaw is a high priority because it is low complexity, needs no privileges, and can be exploited just by viewing a booby-trapped message in the Preview Pane.

Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month. As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft account.

Judging from the comments on last month’s Patch Tuesday post, that registration worked for a lot of Windows 10 users, but some readers reported the option for an extra year of updates was never offered. Nick Carroll, cyber incident response manager at Nightwing, notes that Microsoft has recently released an out-of-band update to address issues when trying to enroll in the Windows 10 Consumer Extended Security Update program.

“If you plan to participate in the program, make sure you update and install KB5071959 to address the enrollment issues,” Carroll said. “After that is installed, users should be able to install other updates such as today’s KB5068781 which is the latest update to Windows 10.”

Chris Goettl at Ivanti notes that in addition to Microsoft updates today, third-party updates from Adobe and Mozilla have already been released. Also, an update for Google Chrome is expected soon, which means Edge will also be in need of its own update.

The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on any updates gone awry.

As always, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.

[Author’s note: This post was intended to appear on the homepage on Tuesday, Nov. 11. I’m still not sure how it happened, but somehow this story failed to publish that day. My apologies for the oversight.]

View the full article
-
Who was St Margaret of Scotland and why is she important?
16 November is the day when people remember St Margaret of Scotland. She was born in Hungary and became Queen of Scotland, where she restored the religious life of the country. This is her story … View the full article
-
What is really preventing peace between Israel and the Palestinians?
There is a major roadblock on the way to peace but it's not what many of our church leaders think it is. View the full article
-
Scottish government urged to reject 'extreme' abortion up to birth proposals
Christian and pro-life groups are calling on the Scottish government to reject "extreme" proposals to allow abortion up to birth. View the full article
-
Charity Commission tells Archbishops’ Council it 'must rapidly accelerate' safeguarding reforms
The Church of England is not moving fast enough to implement promised safeguarding improvements, the Charity Commission has said. View the full article
-
Islamist protest in Uganda leaves five Christians dead
Five Christians were killed and 44 others injured on 4 November after an Islamist leader incited Muslims to attack Christians over pork sales near a mosque in Yumbe, northern Uganda, sources said. View the full article
-
'Kink' and 'BDSM' university clubs putting young students at risk, says Christian group
A first-year female student was distressed after older students invited her to whip a rubber dummy at a Freshers' fair. View the full article
-
Judge steps down from appeal case of pro-lifer over impartiality concerns
A judge has recused himself from the appeal case of the first person to be convicted under Northern Ireland's abortion clinic buffer zone laws. View the full article