Visual Prompt Injection Strikes
Loading summary
Leo Laporte
It's time for Security now. Steve Gibson is here. Great show planned. We're going to talk about Fable 5. Actually, we're going to talk about AI used for security. One of the creators, the fathers of the Internet, is retiring and you won't believe how many bugs Google fixed in Chrome this time around. All that and more coming up next on Security now this episode is brought to you by Black Hat usa. If you listen to this show, you go deep on the technical detail. Well, so does Black Hat. For nearly three decades it's been where the security industry's most rigorous research gets presented and pressure tested. More than 100 hands on trainings taught by practitioners who've actually deployed in live environments, not lecturers reading from slides. And hundreds of peer reviewed briefings that go well past the overview into the real work across the four areas defining security right now. AI and autonomous threats, cyber conflict, systemic resilience and identity. This year, Black Hat's briefings pass includes all keynotes and main stage access plus business hall entry. You also get breakfast, lunch, arsenal live tool demos, on demand session access and admission to the midnight in the war room screening. Black Hat takes place from August 1st to the 6th in Las Vegas. If you want the depth this show gets into in person with the people doing the work, this is the room. And we'll be there too. Prices rise on July 17th, so book before then. Use code TWIT for $200 off your briefings pass@blackhat.com US-26 that's B L A C K H A T.com US-26 podcasts
Steve Gibson
you love from people you tr.
Leo Laporte
This is TWIT. This is Security now with Steve Gibson. Episode 1086 recorded Tuesday, July 7, 2026. The apex agentic adversary. It's time for Security now the show we cover the latest in security, privacy and online shenanigans with the king of online shenanigans, Mr. Steve Gibson.
Steve Gibson
Not the creator of I Water of. Fortunately, the Internet did not exist when I was a little one like high school age when I was, you know, creating shock machines and portable dog killers. Because that would have been a problem. Yeah.
Leo Laporte
What do you think if as a kid at your, you know, this super inquisitive, super smart kid, had AI been
Steve Gibson
available,
Leo Laporte
it'd be completely different, right?
Steve Gibson
I mean I, I would be doing things because I've always been a project person. I mean I've been, I, I've, I, I don't sort of just meander. I normally want a conclusion, right. So, so I, I'M sure I would be, you know, telling my parents, I need more tokens. I need more.
Leo Laporte
Can I have some more tokens, Mom?
Steve Gibson
I need to increase my, you know, allowance is is what we used to get, you know. Well, we'll give you a dollar a week if you take the trash cans out. Of course, that lasts about a week and a half and then trash cans don't get taken out anymore. But I would have been saying I need to increase my token allowance. Yeah,
Leo Laporte
take out the trash cans, you get a million more tokens, Little Stevie.
Steve Gibson
So today's podcast title, which is the apex Agentic Adversary, is a phrase that comes from someone famous who we're going to be talking about at the end of the podcast. Actually, we're going to talk about several famous people during this podcast because Vint Cerf also has his name pop up. Of course we recognize it. We'll have some fun with that. So we're going to talk about so an aspect of Fable 5 which has disappointed people, not you. And we'll talk about how it's, you know, what your experience has been because that's certainly interesting. Opera becoming the first browser to offer paste protect and why, while I think that's good, why I'm more annoyed than ever at that. It had to be, you know, Opera and who cares about 2% of the browsers. I mean it's better than zero, right? But still, Microsoft Blue Hammer is now being used to hammering to Hammer systems. Vint Surf has some comments about AI on the eve of his retirement. Chrome has turned 150 as the nation turns 250 and Leo well, we'll have some fun. Something happened about that. That's just so cool. Also Google, I wanted to just touch on Google and the EU and oops. The the the fine is coming out of escrow but it's not going back to Google. Also there's an upcoming what we think is going to be the final chat control vote. Although really unclear, it's looking like something may happen. We no. But no, no one knows what because it's all behind closed doors. Turns out that there were some bad problems found both in Airdrop and in the Android equivalent Quick Share, which are exploitable. Also something interesting about bypassing Claude's and Chat GPT's guardrails. As I've been saying, this is uncontrollable technology. And we have another example of that. I had a spin right story to share so which I haven't had for ages. Yeah yeah. And this one was like I'm the proud father. Anyway, and then we're going to talk about a legendary hacker who has used AI against a. I don't know, to say horribly, shockingly, massively. Anyway, it's a library that is everywhere. And it is, again, you know what AI does when you aim at it. And anyone's past code is it just cuts it to Swiss cheese. Anyway, and that is where the phrase a apex agentic adversary came from. So I think a lot of fun stuff for us, Fun picture of the week from a listener who's been listening to us for about six years. And he, and, and he, he sent an email. I think I just got it over the weekend. He said his name is Ryan. He said after 6ish years of listening, I think I finally got something for Picture of the Week. Thanks for a great podcast that's been very helpful throughout my career. So anyway, we will get to that after our first break. And so, yeah, a fun podcast.
Leo Laporte
And if you are listening, there's a couple of ways you can see the picture the week. One is to get the video. The other is to get Steve's show notes, which always contain the picture of the week. Now, I am looking at your show notes, but I have not scrolled up.
Steve Gibson
So if you, if you prescribe, if you sub, it may be a prescription. If you subscribe to the weekly mailing, then there's a 250 pixel wide. That's the standard picture of the week. Oh, thumbnail. And if you click on it, you immediately get the picture of the week. You don't even have to look at the show notes is my point. So you could also just get it
Leo Laporte
that way in the email right there.
Steve Gibson
There are lots of people who just say, I just really, I don't care about security, but the pictures of the week are worth it.
Leo Laporte
That's actually, you know, that's a good point. Get the email just for the thumbnail so you can click it and see the picture of the week. A little laugh of the week comes in your mailbox. Courtesy Steve Gibson. That's nice. Well, let's talk about our sponsor of the week and then we will get to the picture of the week and we can enjoy it together. Our show today, brought to you by Cohesity. This is really important stuff. You listen to this show, you know how sadly prevalent cyber attacks and breaches are. But there's some advice here from a company that helps you with resilience. This is Cohesity and it's, I think, boy, if nothing else from the show, this might be the most important piece of advice after a major cyber attack, recovering everything all at once, which is your natural impulse, isn't always the fastest path back to business. It's not always the right thing to do. Let me explain. Once you've been breached, once you've had a cyber attack, once you're down from ransomware, the immediate priority shouldn't be, let's get back up and running. It should be restoring a trusted operating core. All right? Just the minimum systems, data and processes that you need to keep critical operations running. Cohesity has a name for it. They call it the mvc, the Minimum Viable Company. And they will help you determine that. To prepare a framework for this, they will help you define it, protect it, and recover the things that matter the most. First. This is really valuable advice. Mvc. It helps organizations identify those are the essential applications, the essential data, the people, the processes required so that you can serve customers. You can maintain communications, protect revenue, meet those critical obligations. And we've seen in the real world, examples where companies, you know, struggle to get it all up and running again and they fail. The MVC from Cohesity provides a clear recovery target so that your team can focus resources where they're going to have the greatest business impact. You know what that would be today? You might have some idea, but this makes it very explicit. And when you restore this trusted operating core first, you don't have to, you know, be in a situation where you're just completely out of touch with customers. You can reduce your downtime, you can accelerate the recovery. Everything will happen faster after that. Most importantly, you can maintain continuity while your broader restoration efforts continue. Because cyber resilience isn't just about getting the systems back online. It's about keeping the business operating when disruption strikes. Learn more@cohesity.com Resilience Cohesity Resilience Everywhere is a brilliant advice from a company that really knows what it's doing. C O H E S I T Y Cohesity. Go to cohesity.comresilience to learn more. You know, I hadn't really even thought about this, but when it. When I started learning what they were up to, I thought, this is brilliant. This is something everybody needs to know about. Cohesity.com Resilience all right, Steve, picture of the week.
Steve Gibson
So, as I often do, I captioned this myself. I gave this a caption. But, officer, what do you mean the speed limit is 25? I'm sure I didn't see any sign to that effect.
Leo Laporte
All right, I'm Scrolling up, let's see. It's just. There's nothing here. I don't get it. You will. You've baffled me. Normally I get these right away. It's just an.
Steve Gibson
But this is not a cognitive get. This is a notice. It get. So. But, Officer, what do you mean the speed limit is 25? I'm sure I didn't see any sign to that effect.
Leo Laporte
Yeah. Oh, there it is. Yeah, you're right. You didn't. Holy cow.
Steve Gibson
Now, Leo, how does this happen?
Leo Laporte
Like, who puts a sign smack dab against the telephone pole so you can't read it?
Steve Gibson
I mean, it's even centered behind the pole.
Leo Laporte
It's. It's sl. Part of A two is all you could see. Holy cow. Do you think they put the pole in after the sign had to have been.
Steve Gibson
And they just like. Well, that's. We're not.
Leo Laporte
We're done.
Steve Gibson
We don't care.
Leo Laporte
It's our job. That's.
Steve Gibson
You know, we know. We know where the pole has to go, and it's got to go right here. And. And actually there is like. Like a.
Leo Laporte
We.
Steve Gibson
We see a big. A spool of wire at the bottom.
Leo Laporte
Yeah.
Steve Gibson
So my guess is that.
Leo Laporte
Yeah, that.
Steve Gibson
Exactly. That this is sort of in the process of happening anyway. Yeah. For those who don't have access to the video or.
Leo Laporte
Or.
Steve Gibson
Or the show notes, we have this typical, you know, speed limit 25. We've all seen those. And it is. I mean, it is. It. It's almost completely obscured. We know it's 25 because you can see just the, as Leo said, the S and the L. A little bit of the L is not visible. And then what. You know, that's got to be a 2, because it can't be any. Any other number. A 3 would look different if you just saw the very left edge of it or four or five or something. Anyway, I would argue this one, you know, you think you can get out of this ticket? I think so. I think you take a picture and you go to court. You say, your honor, you know, I'm paying attention, and, boy, I don't know where this is. But look at all those phone poles and power poles, a lot of them,
Leo Laporte
and very close together, aren't they?
Steve Gibson
And this is. This is not, you know, computer generated. This is our listener Ryan, who's six days, who's been listening for six years, and he saw this and he thought of the podcast. So, Ryan, thank you for keeping us in mind. You're. You're absolutely. I. I wrote back to him I said, you got it on the first try. I said, this is a perfect, nice job for like, wow, shaking our heads at that humanity.
Leo Laporte
Crazy.
Steve Gibson
Okay, so a blurb of reporting by, by Bleeping Computer following the release of Fable 5 caught my attention because it was, to me, it was predictable. Here's what Bleeping Computer wrote about Fable 5's performance after talking a little bit about its availability, which I've skipped because we know about that. You know, like, oh, it's, it's expensive. Twice as Expensive as Opus 4.8.
Leo Laporte
And so, yes, just as a data point, I, I, I asked my Hermes agent, which I use, to do a lot of AI stuff, based on the amount of tokens I used in June last month, how much would it have cost if I'd been using Fable 5? And it said $5,000. And this was just kind of casual use. I wasn't doing anything heavy duty, $5,000. And I said, well, if I use Deep Seq, the cheap Chinese model, it said 117 bucks. So there's a big difference between Fable now.
Steve Gibson
There is, and I'm glad you brought that up, because by the end of this podcast, something has happened which suggests that the guardrails can actually protect the user rather than limit what the user can do. So this is going to end up being, I think, very important to our audience because there will be a strong tendency to use a, a powerful foreign AI like Deep Sea, because, like, well, look at all the money I'm saving. But there's a gotcha which, which we will get by the end of, of today. I'll be listening.
Leo Laporte
Yikes.
Steve Gibson
So Bleeping Computer wrote, after talking about the availability, like, you know, that cost and token use, and, and it's like, available. Okay, what is it that is available until the 7th is.
Leo Laporte
So the whole, the deal was, I
Steve Gibson
mean, I mean, until the 12th now.
Leo Laporte
Well, yeah, so that's, that's part of the story. The deal was Fable is of course, very expensive. I think it's, what was it, 15?
Steve Gibson
Twice what 4.8 is.
Leo Laporte
Yeah, $15 for a million tokens in and 50 for a million tokens out. So it's, it's considerably more expensive than even the best models before, including ChatGPT. But OpenAI, Anthropic and other companies, even the Chinese companies, have subscriptions where it's kind of all you can eat subscription. You pay 100 bucks a month or 200 bucks a month, and you get five times the tokens or 20 times the tokens for a flat rate.
Steve Gibson
Most all you could eat then.
Leo Laporte
I mean never all you can eat
Steve Gibson
if you really too much.
Leo Laporte
Yeah. And there's also limits to how much you can use in a five hour period, how much you can use in a week and how much you can use in a month. So they try to. But honestly if you buy a 5x or 20x package, unless you're really like running 12 different tasks at the same time, you're, you're probably going to be covered. So when they first released Fable, they gave us five days that we could use it under our all you can eat package. And then we were told by on the 22nd of June it's over. Well of course the government ended it a little bit sooner. When it came back they said okay, you can use it under your subscription package and It'll only be 50% of the total usage cost of what it will be. So it's even more so half off,
Steve Gibson
half off for an introductory period.
Leo Laporte
Right. And it will be available on your subscription. But that's going to end on July 7th. So up to midnight last night I was going gotta use all the Fable. Gotta use all the Fable because I have a max subscription. Anyway, they announced this morning. Okay, never mind. We're going to let that continue until the 12th. So we have until the 12th to use it under our subscriptions.
Steve Gibson
Why do you like. They, they want to addict more people to it that not enough people got the news that it was back maybe and so. Oh, okay.
Leo Laporte
And there's another reason which is that OpenAI has a model GPT 5.6 which they're touting is as good as Fable and very good at secure cybersecurity by the way.
Steve Gibson
Oh, so AB comparison testing. Yeah.
Leo Laporte
And in fact the rumors were the minute Anthropic pulls the plug on that subscription thing, OpenAI is going to release 5.6 and say come on in, you can use a subscription here. Now that didn't happen but I, I suspect competition is the other reason. So we'll see. You know these two are head to head battle right now. Yeah, it's interesting. Yeah. Anyway, I'm going to, I have five more days to stay up till midnight.
Steve Gibson
So five more days at half.
Leo Laporte
Half use or use my subscription and it will be half the usage. So I will get twice as much done in five hours that I could. And, and it's still on the subscription.
Steve Gibson
And that, that, that hourly reset thing also makes sense because they have, I mean because use is inherently interactive and they have a limited capacity. That's right. Based on data center, that might be the other reason. So they need to spread to what degree they can. They have to spread usage over time.
Leo Laporte
Right.
Steve Gibson
So that not everybody can pile on at the same during the same five hours.
Leo Laporte
Remember, Anthropic knows exactly how many people are using it, how hard they're using it, when so forth. They have a limited capacity. Sure, they buy capacity from Xai, a billion dollars a month worth of capacity. They've got, you know, they're, they're buying as much capacity as they can, but there is a limit to that and so that's why it costs more and that's why these limits. And yeah, they may, that may be the other detail. We don't know. Maybe they found out that oh, they've got enough capacity to support it for another few more.
Steve Gibson
Do you know if there's a diurnal cycle to it like.
Leo Laporte
Oh, there is for instance the Chinese models, the, they have a peak period that is in the middle of the night for me. So, so that's very good. So you see I have used up that's context. 13% of it's a million token context but that's the five hour period. I've used up 27%. When it gets to 90% it's. It either starts, I've turned off to start charging me, but you can have it start charging you API tokens and then it really gets expensive. So you want to stay within that five hour period. Yeah, it's, it's fun, it's working right now, even as we talk, it's doing okay.
Steve Gibson
So they talked about that stuff. Yeah. Then they said, however, the real gut punch is the degraded performance or as famously used in the AI community, the nerfed performance on Reddit, meaning nerfed is the term on Reddit. Users are reporting that the restored Fable 5 feels weaker or simply being routed through stricter safety systems more often than before. One user wrote in a Reddit post, quote, the new guardrails are kicking in on way too many tasks and falling Back to Opus 4.8. This is not the model that got banned. So bleeping says the problem is not just limited to Claude Desktop as Claude Code is also struggling with with similar issues. Now again, Leo, I don't. I think you're not hitting this because you're doing advertising management or whatever.
Leo Laporte
Yeah, they don't seem to care about what I asked somebody and it says they will tell you they didn't do this last time, but they will tell you now if they drop down to 4,8 in the past they've dropped down silently to Opus 4.8, but apparently they will let you know if they've done that. So as far as I know they haven't done that.
Steve Gibson
So bleep. And clearly these people who are writing this and complaining are knowing that it is dropping to Opus 4.8. So this is not going, you know, silently bleeping said one user said Fable quote didn't even let me search for dead code without switching to opus, while another said it was very, very obvious when the fallback triggers because Claude tells the user and visibly shifts to opus. Another developer claimed the model was unusable for some systems level coding work, saying that C, C Rust, Win32, API References, memory related work and files mentioning words like security, vulnerable, unsafe, or hook appeared to trigger a fallback or block. Fable 5 may still be powerful when it actually handles the task. That's what you're finding, Leo, but the restored version appears to be far more sensitive to prompts, project files, and security adjacent language.
Leo Laporte
Yeah, you can thank the government for the US government for that.
Steve Gibson
That's right. However they wrote bleeping Computer understands that the model itself has not been nerfed. Instead, it's likely that Anthropic is being extra careful with the safety guardrails, which is negatively affecting Fable's daily use. Cases, I would argue in a subset like that are security adjacent, which totally makes sense, they said. In fact, we observed that Fable is sometimes routed to Opus 4.8 even when the task does not appear to be a safety risk. Anthropic has said that its updated safeguards rely on a large safety margin, which could explain the subpar experience some users are seeing with Fable. Anthropic has not acknowledged the reports of false positives yet, but it's likely the company is aware of the problem and will address it in a future update. Okay, now all of this is exactly the downstream consequence of what I've meant when I've been saying over and over since the early emergence of this that the intrinsic operation of our current generation of LLM systems is fundamentally hostile to control by safeguards and guardrails. What's clearly happened here is that after an inevitable slip up caused after that inevitable slip up caused the US Government to freak out, and after even the nsa, our highest tech national security agency, discovered that the security of even their highest security networks was vulnerable to Mythos, the only way Anthropic was able to get a vestige of the Fable Mythos model back online was to go way overboard in knee jerk reaction to anything that might even possibly resemble cyber or code security. Up until this point, our AI models have been growing in power with astonishing speed. In the beginning, we found that just by making a neural network massive enough to contain a useful amount of knowledge, then training it on that knowledge, we achieved surprising utility. Eventually we were practically unable to scale them any further. So, and where we are now, rather than increasing their breadth through further scaling, now we're increasing their effective depth through looping, essentially reusing the same very powerful network iteratively to amplify and purify its knowledge output. So as a result, with a comparatively startlingly small amount of work, we, humanity at large now have in our possession a new set of knowledge manipulating tools, the likes of which have never existed before. But there's a problem with this, which this podcast has been exploring since this revolution in AI first appeared. Large language model AI essentially provides a new form and scale of access to knowledge. That's what it is. Knowledge itself, of course, is ethically neutral. It's just knowledge. The question and concern is how the access to that knowledge will be used. Until now, we've been racing forward, creating the most powerful knowledge containment and access systems possible. And we've succeeded beyond our wildest imaginations. But it really is true that knowledge is power. And only scant passing attention has been given so far to the reality that not everyone can be trusted with unrestrained access to the power of the knowledge that's now potentially available to anyone and everyone. Commercial AI providers are at a disadvantage and have a problem that the open weight models do not. It may not be fair, but it's true. To be a commercial AI provider means being saddled with the responsibility of preventing the illegal use and abuse of their commercial offerings. They have no choice. So the commercial AI industry's attention must now shift from bigger is better to how do we truly and accurately control the use of what we've created? Up to this point, control has been an annoying afterthought. That attitude cannot stand and it must have become the new focus of every provider of high strength commercial AI models. We've seen the anti control arguments that suggest that if, for example, the US were to somehow impose limits upon its internal development of AI, it would be putting itself at a significant strategic disadvantage relative to the rest of our adversarial nations. The solution to this dilemma is not to limit anything on the development and capability side. That should not only be allowed, it should be pushed to continue to go full bore. The solution is to truly develop Something we don't have yet, which is highly accurate control over the use of this most powerful AI we're able to create. So just to conclude, I have no idea how this will be done, and I accept that it's an extremely difficult problem to solve. In fact, I expect it to be significantly more difficult to solve this problem, the one of control, than it was to create the knowledge containment and access system that now requires that control. But I believe that's what has to happen next. You know, everyone's worried about controlling this. I, I, I think there should be no limit imposed on how strong these things can get, but they're going to have to have some means of control. And, and I, I just, you know, I'm not, I don't pretend to be an AI expert. I'm standing on the outside, you know, with my life's experience of intuition saying, you know, we don't really control this yet. The reason, Leo, all these false positives are happening is that basically they put keywords. Yes.
Leo Laporte
It's like it's a classifier. That's exactly how it works. Yeah.
Steve Gibson
Yes. And that's just dumb. Right? I mean, that's like, how do we get this back online so that they, so that we can offer some of Fable 5? But it means that it's really not of any practical use to security researchers. You've got to, that, you've got to be chosen and trusted. And then you get to use Fable 5's equivalent with this, which is Mythos 5.
Leo Laporte
Right. It's my guess that the gov U S government said we want to keep those capabilities to ourselves. We want the NSA to have them.
Steve Gibson
We want and, and selected trusted private organizations because we know that.
Leo Laporte
Which is sensible. That's sensible. Yeah. Yes.
Steve Gibson
And so, so I, so right now there's, you know, Fable five that you can use as long as you're careful which words you use. You know, pick, pick your words carefully. And then, and then Mythos, if you can demonstrate who you are, then you get control, you know, controlled access to unrestrained superpower, essentially. But also remember the, that there have been other researchers who've said, I found a whole bunch of things using just standard good AI and the proper harness. It's, you know, they've been arguing that, yeah, these, these latest frontier models are powerful, but you, if you're, if you're, you know, you know, if you, if you know how to build a harness and you know how to prompt, you don't need that in order to get some results, which I think is Also significant. Right, okay. So I mentioned at the top of the show Opera, they've added something that they call Paste protect to protect against, not surprisingly, click fix attacks. As we know, this new breed of so called click fix attacks has become the new number one means of getting malware into people's machines. It's the number not, not not only number one, but bigger than all others combined. It alone amounts to more than all other attack techniques combined. I've been crying in the dark for any OS vendor, but specifically Microsoft whose OS supports cross application Clipboard copy and paste, Right? I mean that's what the clipboard is to take responsibility, which they should, for preventing or in some way dramatically cautioning their users against putting anything onto the system clipboard from their browser or if you do only allow it to be pasted back into the browser, not anywhere else, you know, apparently some pendant inside Microsoft would, you know, is arguing that this is the way the clipboard is supposed to function. You know, that its entire purpose is to facilitate inter application data exchange. So it's neither their fault nor their responsibility if such a facility is misused. And you know, while that's not incorrect per se, on some level, it damages Microsoft if Windows further acquires the reputation of being a security disaster. In any event, we're talking about this today because while I would argue that this is not their responsibility, some browser vendors are doing what the underlying OS should be doing for all browsers. That is it ought to be just fix it in one place. And the proper place is the os. So today we have news from Opera, who last Thursday posted at Opera, user security is a top priority. That's why today, meaning last Thursday, we are excited to announce that Opera is the first browser to introduce Paste protect, a native defense measure against malicious takeover of your clipboard. And it isn't really a takeover, right? It's, you know, it's, well, that's Microsoft's point.
Leo Laporte
It's what it's supposed to do.
Steve Gibson
Right, Right, exactly. It's the malicious use, it's the context. Yeah, yes, and they say which includes code injection attacks such as click Fix Paste protect helps identify situations where malicious websites attempt to either replace something you copied with a malicious version or place potentially harmful commands on your clipboard and later trick you into pasting them into a terminal or you know, command prompt or, or the run dialogue when any kind of suspicious Clipboard activity is detected. And this, this makes me a little queasy, right? It feels heuristic, like, oh, it's looking
Leo Laporte
at your clipboard Every time. Right. That's.
Steve Gibson
Yeah. So like other activity that we don't think is a problem. Problem that's going to be allowed. No, it ought to be nothing from your browser gets into your system. It's just like it ought to be an island. So they said it. When any kind of suspicious clipboard activity is detected, which again makes me uncomfortable. Opera's Paste Protect warns users before dangerous content can be executed. And you've got a picture of that on the screen. Thank you. From the show notes. It says Paste Protect suspicious content blocked. This site has was prevented from copying a potentially harmful command to your clipboard. It's recommended you close this tab. Then there's a learn more or you know, close tab safely show the content and then hold to copy. That's kind of strange language. Hold to copy and then they say is parens unsafe.
Leo Laporte
It should behold the paste.
Steve Gibson
Yeah, that's weird. That is. Anyway, so they, they said by introducing pace Protect Opera, Opera is taking a proactive approach to defending against. Defending users against some of the fastest growing attack techniques on the web. Click fix is a growing form, doesn't have to grow much bigger of social engineering attack that tricks users into running malicious commands on their own devices. In 2025, it was responsible for over 53% of all malware loader activity, according to report by cybersecurity firm Huntress. And we shared that at the time. They said while there are extensions that that try to mitigate such attacks and warning systems are featured in some operating systems. Okay, Apple's beginning to do something. Paste Protect is built directly into the Opera browser. The first line of defense before a malicious command even makes it to your clipboard. It's also enabled by default, thank God, meaning users are protected automatically without needing to configure anything. Paste Protect combines Opera's already existing hijack protection feature with a new and unique injection protection element. And there's nothing else here. Blah, blah, blah. So Opera has stepped up. Yay, that's great. But at the moment, as I mentioned, Opera sits at roughly 2% of the global browser market. And I don't think it's growing, which puts it in fifth place, meaning that market share falls off dramatically. Fifth place behind Chrome, Safari, Edge and Firefox. And the people who need this protection are the, you know, the most. Right. Are the ones not using Opera because they're just using Edge or, or Chrome. You know, mostly Safari probably number three and then Firefox in fourth position. So what Opera got right was reminding us that this single easy to Cure problem alone is responsible for more than half, at least 53% and growing of all user facing attacks. And since it's so effective, you know it's not going away. The attack is the, the abuse of this clipboard is not going away. It's going to grow because the attacks are so effective. Everybody's being tricked by this. And there's only one way that's going to change. And it's not by some obscure browser fixing it for 2% of the world. It's Microsoft that needs to pay attention to this and the abuse of their clipboard.
Leo Laporte
But I do think that maybe Microsoft's reluctance, you kind of hit it is that they don't want to be reading the contents of the clipboard on every single.
Steve Gibson
They don't have to, but they know where it came from. Origin. Yes, they track the origin. And so you should not be able to paste from the clipboard anything that was copied to it from a browser.
Leo Laporte
That makes sense. I mean, I do that all the time because Bit Warden, my password manager, is an extension on my browser. And so I go there, get the password and then I paste it into a window somewhere.
Steve Gibson
Right. And, and so, and so it would make sense for you for, for default, for it to caution you. And then you could say, oh, no, thank you. Yeah, yeah. And you, and then you could have the option of turning that annoying thing off.
Leo Laporte
Right.
Steve Gibson
Like we all wish we could just turn off the cookie reminder so they
Leo Laporte
don't have to look at the contents, just the origin. That's all right.
Steve Gibson
And they do track origin already. They know where contents came from.
Leo Laporte
Yeah, that makes sense.
Steve Gibson
Yeah, yeah. And again, please, Microsoft, do it. In the meantime, while we're waiting for that Leo.
Leo Laporte
It may be quite a while, Steve, but I'm willing to fill some of that time anyway. All right, our show today, brought to you by Bit Warden. Love the Bit Warden, the trusted leader in password, passkey and secrets management. By the way, I trust so much. I don't just use it for passwords. I don't just use it for, you know, important documents like my driver's license, my passport. I use it for the API keys, the token, the important secrets that my AI uses. I keep everything in Bit Warden. I know it's safe. Bit Warden provides very effective ways to get that into your AI without revealing those secrets. So that's pretty important. I also use it for my SSH keys. I can go on and on. With more than 15 million users across 180 countries and over 80,000 businesses, Bitwarden has built its reputation around trust, transparency, open source. Let's underscore that security and putting users first. And by the way, just to nail this down, for those of you who have heard maybe stories or you're wondering, yes. Well, what you heard is probably not true, but. But the truth is Bitwarden is absolutely committed to its free version. I talked to the creator of Bitwarden, Kyle Spiran, a month ago and put him on the spot and said, are you going to continue to make the Bitwarden individual account? Is that going to continue to be free? And he said, absolutely, that's the nature of open source. The company continues to invest in secure, accessible tools that help individuals, families and organizations protect their digital lives without compromising trust or transparency. Kyle believes very strongly no one should have to pay for that kind of security. If you're an individual and you want to make sure that your stuff is secure, he wants to make sure you have access to Bitwarden because Bitwarden believes security should be accessible to everyone. So that's why they continue to offer a trusted free password manager. And yes, they have to make a living. They're a company and so they do that alongside with more advanced tools. For people who want more. I pay for a premium subscription, not because I have to, but because I want to support them. Or if you have family and you have multiple members and you want to share passwords, or if you've got a team, if you've got a company you want to protect, there's plenty of ways for them to get revenue without charging individuals for that basic free version. And when I say basic, it's not that basic. Bitwarden gives you everything you need to stay secure online. Even in the free version, it generates strong passwords, it stores pass keys, unlimited pass keys. You can manage sensitive credentials like SSH keys, API keys for your AI and yes, syncing securely across devices. But then for businesses and advanced users, Bitwarden also delivers a lot more enterprise grade security tools, including a secrets manager, vault, health reports and secure credentials sharing for teams. Bit Warden is so committed to making sure that your credentials are safe, they have actually written put out for free, encouraging all password managers to support it. Their new agent Access SDK. This is what I was talking about. It's an open source developer toolkit designed to help teams securely integrate credential access into applications, automation, workflows and AI agent environments. The SDK enables controlled human approved, just in time access to credentials stored in the Bit Warden vaults, where they're safe without exposing Sensitive information or granting persistent access. It's so brilliant and they want everybody to use it. They've made it available open source for free to everybody. It's designed to support modern development and automation workflows while keeping security and transparency front and center. And the other advantage of being open source is that Bitwarden code base is continuously reviewed and audited by the community, but also by independent third party experts. Kyle told me this. He said when I started, the only way I could propose people use my password manager is by making it open source. You know, trust has to be earned and he believes in that and he still wants to earn your trust. Bitwarden also complies with major security and privacy standards. Of course, SoC2, type 2, GDPR, HIPAA, CCPA, ISO 27001, all of the standards. And Bitwarden's always getting better. They're evolving to meet modern security standards. The expanded Paskey supports. Fantastic. They have secure developer tooling like that SSH manager. They have flexible self hosting options. Bitwarden, what do they call? Bitwarden Mini, which you can self host for users who want additional control over their environments. A lot of companies will say, oh no, no, no, you can't self host your vault. Not only do they support it, when File Vault was written in Rust, that was a Bit Warden compatible vault manager. They not only supported it, they hired the guy, he now works for Bitwarden. And they said, and by the way, keep developing filevault. This is a company that really does it right, get started today with a free trial of your Bit Warden teams or enterprise plan or get started for free across all devices as an individual user. Bitwarden.com Twitter that's bitwarden.com Twitter they deserve our support. They really do. When a company does it right like this, they deserve that support. Become a Bit Warden customer, help them out and you know what, pay for it if you can, but you don't have to. That's bitwarden.com TWIT I am so proud to be able to tell you about Bitwarden and to support them and I'm so grateful to Bitwarden. All my AI tools now use Bit Warden because that keeps that stuff safe. And I appreciate that. Bitwarden.com tweet I'm sorry I went overboard. No, I care so much about this. Anyway, back to you, Steve.
Steve Gibson
We all, we all really need a vault. Yes, that where we can. Because no one knows their password any longer. Anybody who does is not doing the right thing. I have and my wife really hasn't converted yet. And so she says, what is the password? And I go, well, honey, I, you know, I can't read it.
Leo Laporte
I don't know, because, you know, but I could share it with you. If you use Bitwarden, I can share it securely with you. Yeah, I, it's really an interesting issue. It's not. They shouldn't really call it a password manager because I think everybody needs an encrypted spot vault to put stuff. And so it's really much more than that now. And I think it's vital for, well,
Steve Gibson
and with so much of our lives now being digital, not to be morbid, but there is the issue of what happens to a person's accounts when they're no longer able, you know, when they're, when they're no longer at the helm. You know, their, their loved one or their family is saying, how do we deal with this? I mean, so, you know, how many
Leo Laporte
times have I got calls on the radio show with somebody with that exact situation? And Bitwarden has that. Actually, most password managers now have that capability to say, here is my designated survivor.
Steve Gibson
Right.
Leo Laporte
And, and a mechanism for giving that person all of that information. At least, of course, my wife has all of that and I'm sure, I'm sure Lori does too.
Steve Gibson
Yeah, absolutely.
Leo Laporte
Yeah. Because we're getting on, Steve.
Steve Gibson
Well, I'm feeling good and I'm going for episode 2000. So that's our next milestone.
Leo Laporte
Yeah, let's do it.
Steve Gibson
Okay. So one place we know Microsoft is paying attention, although they don't seem to be paying attention to abuse of the Clipboard by online browser hackers, we know they're paying attention to the continuing antics of the security researcher hacker who fashions themselves Nightmare Eclipse.
Leo Laporte
Oh Lord.
Steve Gibson
They're not happy about that person.
Leo Laporte
No.
Steve Gibson
There's been some speculation that it's a, a, a young woman who we've covered long time ago who was like camping in the, in Alaska or something. I remember her. Yes. Huh. Similar skill set. Worked for Microsoft for a while, presumably left unhappy and similar outrage.
Leo Laporte
Yeah, yeah, maybe it is, I didn't think.
Steve Gibson
There's been some online speculation anyway. Early last week CISA confirmed that the Blue Hammer Windows Defender local elevation of privilege vulnerability was now seeing active use. Bleeping computer wrote CISA confirmed on Monday that ransomware gangs have begun exploiting a high severity Microsoft Defender privilege escalation vulnerability that's previously been abused in zero day attacks. So had been abused. CISA got on board is the point. Blue Hammer, they wrote, was Leaked by a security researcher known as Nightmare Eclipse in early April. Now keep track of that early April together with proof of concept exploit code. In protest at how the Microsoft Security Research Response Center MSRC handles the disclosure process, Microsoft explains in a security advisory quote, insufficient, I love this. Insufficient granularity of access control in Microsoft Defender allows an unauthorized attacker to elevate privileges locally. What? Insufficient granularity, What a crock. That's like excusing a leaky water faucet by saying it insufficient valve closure allows water to escape. Yeah, right. So you know, that's known as a leak. Anyway, what they're describing is not insufficient granularity but improper design. So how about taking some responsibility here, Microsoft? Anyway, Bleepy Computer continues Will Dorman, principal vulnerability analyst at Tharos, told Bleeping Computer in April that while the issue is not easy to exploit, meaning Blue Hammer, it gives local attackers access to the Whoops security account manager, the SAM database, which, you know, that's the world which contains password hashes for local accounts. With this access they can escalate to system privileges and potentially take complete control of of the targeted system. Dorman said, quote, at that point the attackers basically own the system and can do things like spawn a system privilege shell or whatever. Unquote. Microsoft patched the V and here it is. Microsoft patched the vulnerability on April 14th two months ago. Wait, almost three, right? April made yeah, almost three as part of the April 2026 patch. Tuesday. However, days later, Huntress Lab security researchers revealed that threat actors had been exploiting it as a zero day in attacks that showed evidence of hands on keyboard threat actor activity. So not automated, but you know, a hacker in somebody's system using this escalation of privilege exploit in order to get control of the system. CISA added the Blue Hammer flaw to its KEV the known exploited vulnerabilities catalog on on the 22nd of April. So again, you know, two and a half months ago, ordering federal civilian executive branch agencies to patch their Windows devices against ongoing attacks using that within two weeks, which would be bring it to May 7th. So by May 7th, CISA warned at the time, quote, this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Unquote. While Microsoft writes Bleeping Computer has yet to tag this security flaw as exploited in attacks. Why bother at this point? Everybody else knows. CISA has now also flagged it as exploited in ransomware campaigns in a Monday update to its Kev catalog, which surprised no one in recent years CISA has flagged eight Microsoft Defender vulnerabilities that have been exploited in attacks, with two of them also targeted by ransomware gangs. Okay, so what's curious about the timing of this to me is that this flaw was patched way back on April 14th. So we've had the second half of April followed by all of May and all of June, because here we are in July 7th. So how is it that there are any Windows systems that have not been updated since April's maze or June's patch Tuesdays or any time since? You know, no one, as we've said, no one deserves being attacked. But asking for it is what this looks like. So the only explanation I can find would be some overzealous enterprise IT admin who's decided that allowing Microsoft to have unfettered update rights over the systems they oversee is a bigger problem than patching actively exploited vulnerabilities. And I think they're wrong. You know, or perhaps this hypothetical IT person is overworked and is just asleep at the switch. Whatever, you know, they intended to get around to it, but didn't. Whatever the case, the idea that Windows systems are being successfully exploited two and a half months after Microsoft made patches available and, you know, those systems will, will be tr, if they're allowed to, will be trying to update themselves. Somebody is saying, no, no, no, no, no, no. Anyway, it's, it's really unfortunate and so avoidable that this is happening. Having nightmare Eclipse posting proofs of concept for these prematurely disclosed vulnerabilities, I'm sure made matters worse, made it trivial for the bad guys to grab an example of how to do this and then start using it. But never updating Windows is also a no wins strategy, as everyone has seen. I've, you know, the dynamics of the way the world has changed has really moved me in the direction of, of let updates happen. The, the incidence of them causing a problem, while not zero, is low enough that the, the, the, the, the risk imposed by not doing it is far higher. Okay, so Leo Vint. Surf is certainly not a household name. I'm sure that none of the hosts of the View would recognize it.
Leo Laporte
No, no, but we do.
Steve Gibson
We do. Certainly a name that is revered among the techies who have been present throughout the birth of the Internet. During a recent conference where Vint Cerf's pending retirement from Google was noted, he had some interesting things to share about where he sees things today and where AI may be headed. TechCrunch covered this under their headline the Father of the Internet is finally retiring, they wrote Vinton Cerf will step down from his role as Google's chief Internet evangelist next week, marking the conclusion of one of the most influential careers in in technology history. And yes, I would argue that's not overstated. They continue writing speaking via video feed at the Open Frontier conference hosted by the Laud Institute, Cerf was recognized by Dave Patterson, the UC Berkeley professor best known for co developing risk processor architecture. Patterson said quote, vint has been at Google for more than 20 years and he's retiring a week from today. So I think we ought to give him a round of applause for a relatively good career.
Leo Laporte
Relatively. Yeah, relatively invented tcpip. Big deal.
Steve Gibson
That's. That's right. The room erupted in cheers.
Leo Laporte
Yeah.
Steve Gibson
Oh, so it was neat. A Google spokesperson confirmed that that Cerf will be stepping down from his role at the company. Cerf, now 83, and collaborator Robert Kahn are credited with being the architects of the networking protocols that became the Internet we know today. His work developing and popularizing TCP IP, the basic set of rules. This is. This is TechCrunch writing that lets different computer networks talk to each other. Beginning in the late 1970s, has been recognized with numerous honorary degrees, the Presidential Medal of Freedom and a touring award, among other honors. Since 05, Cerf has served as vice president and chief Internet evangelist at Google. TechCrunch had in parens at this point we can safely say the Internet has been fully evangelized.
Leo Laporte
I think so, yeah.
Steve Gibson
That's. And they said for good or otherwise,
Leo Laporte
job, job well done.
Steve Gibson
That's right. Surf, they wrote, was speaking on a panel alongside other computer scientists known for their work on durable open source projects, including Patterson. Francois Cholet, creator of the Keras deep Learning library and co founder of ndia. John Osterhout, the Stanford computer scientist behind the tcl, you know TCL programming language who also co founded Electric Cloud and mate Zaharia, who is Databricks co founder and chief technologist. They offered advice about what it takes to build open source systems that survive. Advice that's increasingly relevant as founders bet on open infrastructure for the next wave of AI products. Much of the conference's discussion focused on the problems with the centralization of advanced models in a handful of well resourced labs. In contrast to the decentralized world of the open Internet that made Cerf's own protocols so durable, however, Cerf predicted that the rise of AI agents, software that can act autonomously and coordinate with other software, would push tech companies back toward standardized protocols. Cerf said quote the agentic model of AI with multiple agents from multiple sources interacting with each other is going to force composability and a requirement for interoperability and standardization, unquote. If he's right, writes TechCrunch, the companies that define those interoperability standards early could end up with outsized influence over how the agentic economy actually works, a dynamic not unlike the early Internet protocol wars. While other panelists speculated that natural language communication between LLM agents would be sufficient, CERF predicted formal standards would be required. He said, quote, I don't think English is going to be the best choice. There's a flexibility in it, but there's also ambiguity. And I think precision for interagent interaction is going to be very, very important. An agent really needs to be sure that the other agent understands what it is that they just agreed to do together. Remember the old telephone game where you whispered a message in someone's ear and by the time it got 10 people away the message was totally different? Imagine a bunch of agents talking to each other in natural language. You know, that's kind of terrifying. Unquote.
Leo Laporte
I don't have to. We have a Discord chat with four agents talking to each other and it's cuckoo. It's really out there. You know, OpenAI has a standard, an API standard for how you talk to Codex that everybody uses. Anthropic has the MCP standard. I think it's already happening. I think he's absolutely right.
Steve Gibson
Yeah. And then their article concludes. Saying in a more light hearted moment, Patterson remember the. The UC Berkeley inventor of risk, recalled meeting Surface, known for his wardrobe of three piece suits as a grad student in the 90s. Patterson said he's always been the best dressed computer scientist I've ever met. My memory of Vint is that he came as a grad student with a shirt and tie in the 90s. Surf replied, it's absolutely true. I even had a vest and for some reason I always wanted to stick out and instead of having long hair and something in my nose, I thought just, I thought just dressing differently was one way to do it.
Leo Laporte
He always wore a three piece suit. Here he is, I interviewed him in 2014 in his three piece suit. He always did wear that. He was very well dressed fella and a real gentleman. Genius, just a genius.
Steve Gibson
So yeah, I would assert that Vint certainly did stand out, but not due to his choice of wardrobe, but because he turned out to be so completely correct about many of the design decisions that grew into the Internet through The more than 20 years of this podcast, our listeners have often heard me shake my head in wonder of the early genius that designed the Internet. It's easy for us to forget that there were many early competing and proprietary alternative protocols like Novell's IPX SPX, Apple's Apple Talk, Dex DecNet, Xerox's XNS, IBM's token ring. But TCP IP was also present and it was open, free and worked. No one owned it. And when Windows 95 shipped with a built in TCP IP protocol stack, that was pretty much the rest of the game. It's like, okay, it's done, it's out there now, everybody has it.
Leo Laporte
And by the way, gave it away. Right? He didn't try to make money on it.
Steve Gibson
Oh, absolutely. The whole, I mean the whole concept was here's how you do DNS, here's how you do ip, here's how, here's how you create a connection oriented association between two IP endpoint addresses. That's called tcp. If you don't want connection, you use udp. I mean, yeah, it was all open protocol and you know, and he was an early evangelist of this and it worked. And I think that, I think that there was a very early stack called Trumpet. Trumpet Windsock was.
Leo Laporte
Oh yeah, Trumpet Windsock, I remember and
Steve Gibson
I, and I believe that that's what Microsoft grabbed and incorporated into Windows 95.
Leo Laporte
That makes sense. Yeah, yeah, yeah.
Steve Gibson
You know, we're going to talk about Chrome 150, but we're at an hour in. Let's take another break so we don't get too far ahead of ourselves.
Leo Laporte
We absolutely best do that, Mr. And then.
Steve Gibson
Oh, wait, wait till you, wait till you see what happened. Oh goodness.
Leo Laporte
Really? Okay. Oh, that's a tease. I don't know what it's a tease for, but that's a tease that makes me want to stay tuned. Our show today, brought to you by Zscaler, the world's largest cloud security platform. Now, as we talk about AI, I think every company has but by this point realized that the potential rewards of AI are far too great for you to ignore in your business. Right? Your competitors are doing it, you got to do it. But let's not forget there are also risks and, and some significant ones. The loss of sensitive proprietary data attacks against enterprise managed AI. And of course there's the risk we all know, well, we're going to talk about later, which is that generative AI increases the opportunities for threat actors, even people with no coding skills at all, to create perfect phishing lures. To write malicious code to extract data at speed, all automatically. Let me give you some examples. There were 1.3 million instances of Social Security numbers leaked. Two AI applications. Your employees are doing the same thing right now in your offices using AI right chat. This was another example and this was a kind of less voluntary chat. GPT and Microsoft Copilot saw nearly 3.2 million data violations. It's time for a modern approach with Zscaler Zero Trust plus AI. Okay, the Zero Trust works to remove your attack surface and secure your data everywhere. But it also secures your use of private and public AI. It protects you against ransomware, protects you against AI powered phishing attacks. It does it all. That's why people choose zscaler. Check out what Siva, the director of security and Infrastructure at Zwora, says they chose Zscaler Watch. AI provides tremendous opportunities, but it also brings tremendous security concerns when it comes to data privacy and data security.
Steve Gibson
The benefit of Zscaler with ZIA rolled
Leo Laporte
out for us right now is giving us the insights of how our employees are using various gen AI tools. So ability to monitor the activity, make sure that what we consider confidential and sensitive information according to you know, companies data classification does not get fed into the public LLM models, et cetera. Thank you Siva. With Zero Trust plus AI you could thrive in the AI era. You could stay ahead of the competition. You can remain resilient even as threats and risks evolve. You can learn more@zscaler.com Security Zscaler.com Security we thank them so much for support and security now and we encourage you to support us by going to that address so they know you saw it here and you'll be doing yourself a favor I think. Zscaler.com/security thank you Zscaler. Now back to Steve.
Steve Gibson
So as the United States reaches 250 Chrome hits 150 I went to bring up the page of updates to get some sense for what Chrome 150 had wrought. So I clicked on the link which my system's default URL handler, Firefox of course, then began to render and the page would not come up too big. Yes, actually that's exactly right, Leo.
Leo Laporte
Wow.
Steve Gibson
I received a little Google. It does now. I just tried it. I don't know what was going on. 33 yes.
Leo Laporte
Oh my gosh, yes.
Steve Gibson
Just scroll that sucker. I mean it scrolls and scrolls and scrolls and scrolls and by the way,
Leo Laporte
many of these critical CVEs.
Steve Gibson
Yes. So. Oh my God. Just it's, it's astonishing.
Leo Laporte
This has to be fabled. This error mythos. This has to.
Steve Gibson
That's exactly what, what we are seeing overall. I, I don't, I'm, I don't want to forget to mention this. There's probably a place where I, I had, I had intended to. I'm seeing this everywhere. You probably got a notice that there was critical updates for your synology. I just updated both of mine. I believe what we are seeing is what we saw pre y2k which is great. Everybody is using AI on their own in the privacy of their own R D and their development shops to find and fix problems.
Leo Laporte
That's all from one version of Chrome.
Steve Gibson
I know unbelievable what I know. It's astonishing. And I've, I. There have been a couple other things where I, I've had updates and I thought wow, that's a lot of updates. And I went back and looked at the previous one where there was like one thing fixed, the one before that one thing fixed and went over that one thing fixed and then this one is like 27. So what, what the, the feeling I'm getting is that what we had hoped would happen is happening, which is is quietly without a lot of fanfare everywhere. The word has, has gotten to people writing software that they can invest in some tokens and they can get their software fixed. And we're seeing updates dates far more comprehensive than they have been historically. So the, the p. The, the, the little page here says the Chrome team is delighted to announce the promotion of Chrome 150 to the stable channel for Windows, Mac and Linux. This will roll out over coming days and weeks. Chrome150.0, 787146 for Linux and either 46 or 47 for Windows and Mac they said contains a number of fixes and improvements. Well yeah, 433, that's a number. It's got three digits.
Leo Laporte
A number with lots of digits.
Steve Gibson
That's right. So they said a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 150. I'll talk a little bit about that then. Under the section titled Security Fixes and Rewards they write note access to bug details and links may be kept restricted until the majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on but have not yet fixed. They said this update includes 433 security fixes, not just random like oh, the font was the wrong size. Oh, speaking of which, they there is a new they are now supporting the feature in CSS where the font will scale itself to the area provided which isn't that handy. Yes, as far as I know they're the first person to do the first browser to do that. Anyway, they said please see the Chrome security page for more information if you can get it to display. So yes, 433 security fixes and as I as we've said, we've both seen the page just scrolls and scrolls and scrolls so it's sorted by severity with the most severe first. So at the top we see that all of the first 20 of those 433 which were all found by Google themselves as all as were most but, but, but the 21st one wasn't so I'll get there in a second. All of those first 20 are critical so 20 critical security flaws fixed and
Leo Laporte
isn't like some brand new application that's not being actively maintained by the best engineers in the world. Chrome.
Steve Gibson
This is Chrome.
Leo Laporte
Wow.
Steve Gibson
Yeah, wow. So we see Use after free in Extensions Use after free in GPU Use after free in Angle Type confusion in Dawn Insufficient validation of untrusted input in iOS web use after free in Web USB Use after free in Chromoting Insufficient validation of untrusted input in Angle Insufficient validation of untrusted input in Skia Use after free in Dawn Use after free in Browser Use after free in Views Use after free in Views. You get the feeling that they put a memory tester on this Use after free in Skia Use after free in Bluetooth out of bounds Read and write in Dawn Use after free in Ozone Heap Buffer overflow in Skia Use after free in Chromoting and a Use after free in full screen. So it's pretty obvious that some sort of new tooling has been quite successfully deployed against the Chromium code base to discover 433 previously unknown problems. They didn't fix these last month. They didn't know about them. They didn't know about them last month. As we know, a use after free where an attacker is able to control the data that's used is a premier means of remotely taking over a system. And as we frequently observe, today's web browsers present the largest and most vulnerable attack surface to the Internet, since by design, they execute untrusted code supplied by not only every site the user visits, but every third party that wishes to supply their own content.
Leo Laporte
Yes, just that sentence should make you terrified.
Steve Gibson
It should. It is utterly insane. It is insane. But it's what we are all doing today. Yes. How did we get how did this happen? Right? So next up under those 20 critical vulnerabilities that have all been repaired with the release of Chrome 150, we have the first high. It's rated a high vulnerability, high stakes vulnerability, and this one was interesting. It's been assigned the CVE of 2026114382 and its description is insufficient validation of untrusted input in angle. What makes it interesting is that its anonymous discoverer and the reporter of this earned him or herself a bug bounty from Google of a cool quarter million dollars in return for reporting this. And this brings me to an observation that I have missed until now. We've talked a lot about bug bounties and about the feasibility of, you know, followers of this podcast perhaps earning sufficient income on the side from finding and reporting bug bounties to significantly augment and maybe even supplant their day job. The acknowledged problem with that is that finding exploitable, exploitable vulnerabilities at that time, when we were previously talking about this a year or two ago, required both sufficient expertise and potentially really significant amount of time invested. But as we've been covering for months now, AI has now largely eliminated both of those limitations. Near the start of what was happening, I observed that the future of PWN to own competition and programs like Hacker One were probably endangered. And in fact, last week we saw five of the six PWN to own Berlin contestants drop out after Mozilla patched a single flaw that they were that five of those six were all depending upon. It's like, whoops, oh boy. But when I spoke of bug bounty programs disappearing, I was talking about a future after the legacy of past troubled software had all been cleaned up. That's not today, that's not yet. That's some future day. This moment in time is the optimum opportunity for someone who has the motivation to score some available bug bounty while also helping to improve that software and beat the bad guys to the punch. The time is now, while AI vulnerability discovery is still in its infancy and bugs are so numerous that webpage attempting to list them are unable to load before timing out. If you may have considered this before, you may wish to consider it again. The game has changed, and that same lowered bar that has the world worried that bad guys are going to take advantage allows the good guys to also and as we've seen, it's not necessary to have access to the latest and greatest expensive models. So dive in, hang out in forums where this is being discussed, you'll learn a lot and who knows, might happen you might make some money. The other changes that Google brought to Chrome 150 were the addition of post quantum crypto. Chrome now supports something called MLDSA for TLS connections, something Vince never thought about. MLDSA is module Lattice based digital signature authentication. Back during its development we talked about it because it was known as Crystals dilithium, where crystals is the acronym for cryptographic suite of algebraic lattices. But once the algorithm was approved by nist, it was formally renamed to the much more boring ML dsa. MLDSA is a general purpose digital signature scheme meant to replace RSA and ecc, you know, elliptic curve crypto based digital signatures. Its performance is already on par with previous schemes and will likely improve going forward. The downside is that the signatures and public keys are significantly larger than their non quantum safe predecessors, which we're still using. This creates potential resource issues, you know, resource size issues that must be accounted for for in the system's design and deployment. So it might break some space allocation assumptions in the short term and require a bit of re engineering. You know, it's not going to pro, it's not going to just like break things because both sides have to agree upon their ability to handle the the, the signature and public key sizes. Once they both do, then it's like hey, we get to use post quantum crypto. Chrome 50 also adds support for the Fido Alliance Credential Exchange standard in Chrome on Android and also a new always use Secure Connections mode, as well as some new UI elements including new icons, context menus and settings. The most interesting new feature for us is probably Android Chrome's support for what essentially is Passkey Exchange. This was a well thought out solution by a committee of designers that included representatives for one, Password, Dashlane, Bitwarden, NordPass and Google. They got it right, since actually it wasn't very difficult to get it right. While it's really just a matter of securely encrypting a bundled up blob of metadata, the composition of that metadata needed everybody's input to keep from missing something important. Now we just needed to be supported everywhere. The spec, which was published two years ago, suggests that now it's time to get it supported so that pass keys and essentially all the data that is a passkey can be securely moved from from one client to another. It's clear that's going to happen, it'll just take some time, as indeed these things do in a bit of miscellaney I want I noted that everywhere I looked everybody was covering a little bit of news. Maybe schadenfreude, I'm not sure. But since it has already altered current behavior and will almost certainly inform future behavior, I wanted to share the news here. The European Union's highest court, that is the court of last resort, rejected the final appeal made by Google against a record antitrust fine. Google's argument was that the Euroblock was was unfairly penalizing innovation. Yeah, right. You know they're unfairly penalizing innovation by preventing Google from forcing all Android users to use Google's stuff in order to use Android. Good luck with that argument. Anyway, the reporting on this reads Google will have to pay a record 4.125 billion euros, which is currently around $167 billion in antitrust fine over anti competitive practices after the European Union's top court ruled against an appeal by the tech giant on Thursday. Last Last Thursday, the European Commission initially imposed a 4.3 billion euro penalty back in 2018. So fully eight years ago, accusing Google of abusing its Android systems market dominance by requiring all phone makers to pre install Google Search and Chrome, the EU's executive branch accused Google of restricting competition while imposing the block's highest antitrust fine ever. The EU's General Court upheld the findings in 2022, but they reduced the fine from 4.34 billion to 4.125 billion, not much of a reduction. Google then appealed to the Luxembourg based Court of justice, the EU's highest court, which is now cited with the block's antitrust enforcer. The justices of that court said, quote, the appeal brought by Google and its parent company Alphabet against the judgment of the General Court is dismissed, thereby confirming the penalty imposed for Google's searches. Abuse of a dominant position in the context of the Android operating system, unquote. Google claimed the case was unfounded, saying that the sanction penalized innovation and that Android users were free to download rival apps. Google said in a statement, quote, in any event, we adapted our agreements to comply with the initial decision back in 2018. That's what I referred to, or that's what I was referring to when I said behavior had been altered and we remain focused on continued innovation and openness for our users, partners and developers. Earlier, Google had also accused the EU of being blind to practices by Apple pushing its own services on iPhones. It occurs to me that Google was maybe not paying attention to what the EU did with Internet Explorer Leo way back in the early days of Windows, which You know, very similar outcome they that this reporting finishes saying. The latest case is one of several antitrust disputes between Google and the EU, which fined the company more than 8 billion euros between 2017 and 2019 over antitrust violations. The EU has other open investigations into big tech giants under its Digital Markets act, the dma. And Thursday's ruling sets the stage for the bloc's regulatory crackdown. Among the other EU sanctions Google is facing for exploiting its market dominance are a 2.95 billion euro fine from September 25 for favoring its own advertising services, and a 2.4 billion euro competition fine for promoting its own shopping services. So I previously noted during a podcast long ago that there was a shockingly large gap between imposed versus paid fines. This gave the impression that the imposition of the fines were just pro forma and that they could, they could and would simply be ignored because that seemed to be what was happening. In looking a bit deeper into this for this reporting, I learned that in every case when a fine is imposed, the challenger of that fine is required to place the entire fine amount into an escrow where it will be held during any series of appeals. So for example, that $4.6 billion that Google just lost had already been captured by an escrow years ago and has been out of circulation ever since. Upon losing that appeal, the escrow is now collectible by the European Union and the EU shows no signs of letting up. Google, Apple and Meta are all currently contesting fines over various antitrust and anti competition law violations totaling more than 6 billion euros since the start of 2024. Google's fighting an ad tech fine of 2.9 billion euros, Apple's arguing against a 500 million euro anti steering fine, and Meta is appealing a 797 million euro marketplace fine. So, you know, no, the, the EU is just saying we're not putting up with, you know, any of this behavior, which the US seems to be fine with. We're going to require that, you know, true competition be supported. And while we're talking about the European Union, it's worth noting that the ever controversial chat control has not surprisingly refused to die. Not surprisingly because it, you know, it was never fully resolved and I could argue maybe it's never going to be. It is a fundamentally unresolvable sore point and I don't see how it can go away. Chat control, that phrase, of course, is the euphemism that's been given to the requirement to detect and prevent any and all illegal communications among citizens of the European Union. There's just no getting around the fact that the prevention of any illegal communications necessarily requires somehow the monitoring of all communications in order to determine if any are illegal. And in this regard the EU has apparently painted themselves into their own corner. Since any such communications monitoring flies in the face of their own citizenry's privacy laws, which they also have and which are also absolute. What they want is obviously impossible on its face. They say they want to give their citizens privacy, but that only applies to legal communications. And any enforcement of this requires a breach of all that privacy. Recall that the previous chat control 1.0 was a voluntary scanning scheme. Few companies complied with it even so, but a few did. And what happened was that it was renewed and remained optional. But by Comparison Chat Control 2.0, which is what is now looming is the pending permanent so called CSAR child sexual abuse regulation. This if it happened and it's like still hasn't gone away. There's a vote next week this would impose a mandatory scanning framework. This 2.0 legislation has been through trilog negotiations since December 25 with meetings held on December 9 of last year, then February 26, April 16 and May 16 of of this year, the fifth and supposedly final one. Reports say that it just happened and there's. I saw some reports that said it's about to happen. So some there was Something happened on June 29th, but apparently something's also happening next week. We should know what's gonna what is actually happening shortly. It's we're currently under Cyprus's Council presidency. So far any conclusions from these multiple rounds of trilog negotiations are unknown. No one knows what's been happening behind closed doors but we should know soon. And as I said I don't see what's like any way to resolve the conflicting goals that the EU themselves have, let alone what the the vendors of communications systems are going to do. All of the big guys have written to the EU like Apple for example saying you know, don't do this. There's just no way to do what you want in a privacy enforcing fashion. There was also a report that I saw which I didn't put in into the show notes that mentioned that fully 1 in 4 of all AI attempted automated recognition of CSAM material was was a false positive. So AI wasn't either was was also not doing a good job of this.
Leo Laporte
So and I don't know, I think CSAM is just the excuse. I think these governments really do want access.
Steve Gibson
Yes, yes, they want to have communications that, that they can monitor at the Same time they say they want to give their citizens privacy, you know, can't do. I don't know how you. Yeah, I don't know how you resolve that.
Leo Laporte
The sad thing is they've changed the rules, which makes it more likely to pass. And I have a feeling this time it's going to get through.
Steve Gibson
Yes. And what I've seen noted is that some countries are signaling a, a new willingness to pass it. The question is what is going to pass and what will the vendors do?
Leo Laporte
Well, we know we'll leave. Speaking of signaling. Signal will leave.
Steve Gibson
Yeah, Signal will leave. I don't know. I don't know about Telegram. But then, you know, Apple Telegram cares. Yeah.
Leo Laporte
They see this as an opportunity, frankly.
Steve Gibson
Right. Because Signal, their big competitor will say, sorry, we can't offer our services.
Leo Laporte
I think really, Apple and Android are really going to be the big question marks because both of those have Strong encryption with RCS and WhatsApp.
Steve Gibson
Same. WhatsApp.
Leo Laporte
Yep. It uses the signal protocol. That's right.
Steve Gibson
Wow. Really, really interesting. It just won't go away. A research paper published during last week or during, sorry, the last week of June, so two weeks ago was titled Protocol Prying Systematic Vulnerability Research in the Apple Airdrop and Android Quick Share Proximity Transfer Protocol. Okay. You know, like, you know, transferring something between devices that are near each other. Okay, I'm just going to share the abstract while breaking in to comment on their. On the abstract writing. They wrote Apple Airdrop and Google Samsung Quick Share are proximity file transfer protocols used by over 5 billion devices. Yet their application layer security properties remain largely unstudied because both stacks are proprietary and undocumented. Okay, now what? You know this is an all too familiar problem, right? We've got something which is where we're just being asked to believe it's secure, yet there's no proof of that. I mean, I get it, I guess on Apple's side that they're saying, well, you know, we don't document these things, we fix them. If, if, when problems are found. How can you find problems if you, if, if you force researchers to reverse engineer the, you know, extracted code or, or on the wire protocol, it's just still the wrong way to operate. But we're in a world where we do have proprietary companies offering solutions. Not everything is open source yet they said both protocols are reachable from wireless proximity without any prior pairing and process. Complex serialized content. Oh, binary P lists, CPIO archives, protocol buffers, Yuki 2 handshakes. And they do this inside privileged demons, making them attractive. Zero Click targets across multiple operating systems. Okay, so the attacker needs to be within typical airdrop Quick Share distance of their target. We know the danger inherent and in taking serialized content, assuming that it was serialized by a friendly party, then deserializing it to restore its original structure, you know, kind of re inflating it. Deserialization means interpretation and we've seen so many times how fraught with error interpreters could be when they're not completely protected. And to make matters worse here, these deserializing interpreters are running inside privileged demons, meaning that any code an attacker may be able to cause the interpreter to execute will have system level privileges. It's in the kernel, so no need to also elevate. You're already elevated if you can get code to run. So they continue writing. We perform the first cross platform reverse engineering and protocol aware fuzzing study of both stacks. We reconstruct airdrops seven layer state machine and dvzip adaptive compression from binary analysis. Build Air Fuzz, a protocol aware fuzzer that mutates pre compression representations and complement it with targeted handwritten analysis of Samsung's Quick Share service and Google's Quick Share for Windows, we discover a total of six vulnerabilities. Three are pre authentication issues in macOS,OS airdrop. The first is Swift fatal error DOS in the HTTP path router. The second is an unbounded XML plist recursion in foundation and the third is a null dereference in network frameworks HTTP 1.1 parser. We found two protocol layer flaws in Samsung Quick Share. The first is a pre authentication offline frame dispatch and the second is a D to D encryption bypass for three frame types. The last problem was a heap used after free in Google Quick Share for Windows for which Google awarded a bounty. We responsibly disclosed all findings. Apple, Samsung and Google have acknowledged the reports. So these are all clearly bugs and should be readily fixable by their respective publishers. So I'd imagine that we'll be seeing updated, you know, updates, addressing them soon. Still, it's annoying that the researchers had to go to such extreme lengths. You know, prying apart proprietary protocols, figuring out what was going on, creating a fuzzer to essentially, you know, attack the. The interpreters of those protocols, find problems, reverse engineer the problems like, okay, Apple's not doing that. There ought to be some way to, to cross that Rubicon. I, I don't know what that would be, but I do know what it's time for. Leo. Oh, and then we're going to talk about at some length, bypassing Anthropics and OpenAI's guardrails.
Leo Laporte
Time for our hydration break. As they say in the World Cup. He's gonna. What are you drinking? Orange juice. What's wrong with you?
Steve Gibson
Diluted three to one.
Leo Laporte
Oh, okay. Yeah. No more coffee. You've had enough.
Steve Gibson
I'm, I'm running around so much. It's. As I think I mentioned last week, the Apple health app is saying, what is going on with you? Because it's like just jumped up in the amount of activity, but it's been great.
Leo Laporte
What, it, what? So just what's going on in your heart rate? And it's like. But it's happy that you're working so hard.
Steve Gibson
It's just my. Is my phone in my pocket and it says my number of steps have gone from 2,000 to 5,300. Because you're moving. Because I'm moving from one to go back and forth and up and downstairs.
Leo Laporte
Yes, stairs is good. Stairs is good for you. All right, well, we'll continue with security now as Steve takes his hydration break. Our show today, brought to you by. This is actually timely because you're going to talk a little bit about agentic. How about agentic pen testing from Expo Xbow? AI has changed the pace of everything, right? I mean, from how software develops to how it gets attacked, right? Everything's sped up. Engineering teams are moving faster than ever. They're creating more and more applications in less and less time. The problem is security hasn't really kept up with the, with the pace. The best way to do it is pen testing. There is, it's the gold standard, one of the most trusted ways to understand real exploitatable risk risks that, that you know, and to see the path the magic guy could take. But in an AI world, pen testing slow, it's human, it can become a bottleneck. Security teams now are choosing between. They're forced to choose between slowing down development so that they can test thoroughly or moving fast and accepting gaps in coverage. Until Expo came along, Expo Xbow eliminates that trade trade off. Expo is, get this, an autonomous offensive security platform. It runs continuous AI driven pen testing. It never tires, it doesn't go to bed at night. It works 24 7, mirroring real world attacks. It hammers your software constantly, continuously. It doesn't just scan for vulnerabilities. Expo discovers, exploits and validates them. So you're only dealing with issues that actually matter. You know, proven that they work. That's good news. It means dramatically fewer False positives and a clear view into the actual attack paths bad guys can use. With Expo tests run in hours now, not weeks. You get complete visibility into how an attacker would move through your systems and the ability to uncover issues that traditional tools just don't see. That means zero days. It means novel never before seen attack paths. Expo's results speak for themselves. Ask the application security lead at saysnam cz. He says, quote, even right now, after a year, I don't know of any other company that it's at least close to Expo in terms of agentic pen testing. What do you get? Well, the result is predictable, cost, consistent quality, stronger security and you don't slow down your engineers. Expo or helps security teams keep pace with innovation and discover and cover more apps, more flaws, more often with the resources they already have. The ancestry is great. This was found by the team behind Microsoft Copilot. So these are really very talented people. And Expo is already being used and trusted by companies ranging from fast growing startups to Fortune 500 enterprises. Expo is quickly becoming a mission critical layer in modern security stacks. You need to know more. Go to xbo.com to start a pen test today. That's xbo.com this is a brilliant idea and it really works. It's kind of impressive. Expo.com now back to Steve.
Steve Gibson
Okay, so Deep keeps D E E P K E E P Deep keeps research paper has the headline ink ject I N K J E C T inkject colon the visual prompt injection that text defenses were never meant to stop or never built to stop. Their paper reads. A user asked an LLM to deploy a website. Oh, and I should mention Leo. This is why an AI's guardrail technology benefits its user as opposed to encumbers its user. Okay, why? It could be dangerous to use a powerful Chinese AI that doesn't have the same guardrails, which I am.
Leo Laporte
Okay, so quickly tell me.
Steve Gibson
A user asked an LLM to deploy a website from a public repository.
Leo Laporte
Okay.
Steve Gibson
Standard workflow. The model retrieved the code, processed the repository's assets and built the site as requested. It also created an admin account with attacker controlled credentials. Whoopsie. Silently embedded in the back end.
Leo Laporte
Oh.
Steve Gibson
The user saw none of it. The model flagged nothing. Every guardrail in place treated the task as clean. The instructions that caused this were sitting inside an image file in the repository.
Leo Laporte
Oh.
Steve Gibson
The model read them and followed them. That is inkject steganography. Yes. The attacker never touched the user's system, the user's environment, or the user's credentials. They uploaded an image to a repo to a public repository. That was enough. Direct versus Indirect why the distinction matters Visual prompt injection is not a new concept. Researchers have demonstrated that instructions embedded in images can manipulate visual language models. VLMs and some vendors have implemented mitigations for the most straightforward cases. InKject is an indirect variant. The word carries a lot of weight. In a direct attack, the attacker needs the user to interact with a malicious image. The user has to upload it, reference it explicitly, or send it through a channel the attacker controls. That creates a dependency. The attacker needs the user to do something. In an indirect attack, the attacker does not need the user to do anything beyond their normal workflow. The malicious image sits in a public location. When the user asks the LLM to work, the model retrieves and processes the image on its own as part of the task. The user does not know the image is there. The model pulls it anyway. The attack surface for indirect injection is not a specific user interaction. It's every asset the model will autonomously retrieve during the course of its work. Every string, every image, every file could be malicious. So how does InKject work? The setup is simple. An attacker embeds malicious instructions inside an image and hosts it where a vlm, a visual language model, is likely to encounter it during a task. The instructions are designed to evade security scanning while remaining legible to the model. When a user asks the LLM to deploy or interact with that repository, the model retrieves the image as part of its normal operation. Through its inherent ability to process images, it reads the embedded instructions and executes them alongside the user's actual task. The user receives a result that looks correct. The unauthorized action has already been taken in our test case, and they've got five bullets. First, a user asked an LLM to deploy a website from a from a public repository. The repository contained an image with embedded instructions. The model retrieved and processed the image as part of the deployment. The hidden instructions told the model to create an admin account with full privileges on the deployed site. The website was deployed as requested. An attacker controlled admin account was created without the user's knowledge. The model did not flag the instruction. It did not warn the user. It completed both the requested task and the unauthorized one with no visible indication that anything out of scope had occurred. InKject works because of a gap between what security tools can read and what visual language models can read. We found two distinct techniques that exploit this gap. Both defeated the guardrails on all four tested models. The first technique employs white text on a white Background Malicious instructions are rendered in white or near white text against a white background. The image looks blank to any human reviewer. Security scanning tools that evaluate image content for harmful material also miss it. They are looking for recognizable visual content. Faces, objects, explicit material, known threat signatures. A white rectangle with no visible contrast registers as an empty image, but the VLM reads it without difficulty. This is not a quirk of any specific model. Visual language models are built to extract meaning from images across a wide range of conditions, including low contrast, faded text, and challenging backgrounds. That general purpose visual capability is precisely what the attacker is using. The model sees what human reviewers and automated scanners do not. The second technique uses skewed and distorted text. Some security architectures attempt to catch embedded instructions by running images through OCR before passing them to the model. The reasoning is if you can extract the text first, you can run it through the same filters that catch text based injection. But skewing or distorting the perspective of embedded text breaks OCR extraction. The characters are rotated, warped or transformed enough that OCR returns garbled output or nothing at all. The security filter sees clean input, but the VLM reads the original instructions accurately. This is the core of the capability gap inKject exploits. OCR and visual language models do not read the images the same way. OCR looks for well formed character patterns under expected conditions. VLMs interpret visual content semantically, including text rendered in ways that OCR cannot process. Any security architecture that treats these as equivalent has a blind spot that can be precisely targeted. We tested both techniques against four models across two providers. You know and they are the top two the providers. All four executed the injected instructions. All four would refuse the same instructions delivered as plain text. OpenAI and Anthropic have both invested heavily in defenses against conventional prompt injection. These systems work. They catch a wide range of text based injection attempts, flag suspicious patterns, and block instructions that arrive through the prompt. Inkject bypasses them because it does not go through the text layer. The malicious instruction lives in an image. The VLM processes it through its visual encoder before any text level analysis occurs. By the time the model processes output, sorry produces output, it has already read the embedded instruction and acted on it. The guard rails that stop quote Create an admin account with these credentials unquote in a text prompt do not stop the same instruction placed inside an image. The same instruction delivered visually executes without resistance. This is not a failure of any specific safety system. It's a consequence of where those systems were built to operate. They were designed for models that process text vlms process images too, and that processing happens upstream of the controls. We tested InKject against four production models OpenAI GPT 5.2, OpenAI GPT 5.4, Mini Anthropics Claude Sonnet 4.6, and Anthropics Claude Opus 4.5. All four were susceptible to both evasion techniques. Attack success varied across models, but no model in the test set blocked the injected instructions. The vulnerability was disclosed to OpenAI and Anthropic prior to this publication. So why does this model why does this matter now? Visual language models are not being deployed as novelties. They're being embedded into production engineering workflows, repository analysis, code generation, automated deployments, infrastructure provisioning. These systems have real access to real environments. The indirect nature of inkject means the attack scales. An attacker does not need to target specific users or compromise specific sessions. They need to implant a malicious image somewhere in the path of assets. VLMs routinely retrieve public repositories, image hosting services, shared asset libraries. Any of these is a viable delivery point. One image can affect every user whose VLM retrieves it. The attack also leaves no obvious trace. The model completes the user's requested task. Nothing in the output signals that an additional unauthorized action occurred. A user who deploys a repository and reviews the result sees a correctly deployed site. The unauthorized account is there, but they have no reason to look for it. 40% of generative AI solutions are predicted to be multimodal by 2027. The workflows being built today on VLMs are the attack surface inkject targets. Security architecture for these systems needs to account for what the visual layer can do, not just what the text layer can do. InKject demonstrates three things that have practical implications for any organization running VLMs in production. First, indirect injection is viable at scale. Attackers do not need direct access to a target user or system. They need access to content that a VLM will retrieve autonomously. Second, the capability gap between OCR and vlms is an exploitable attack surface. Defenses that rely on OCR to pre process visual content assume equivalence that does not exist. That assumption is wrong in exactly the ways an attacker needs it to be. And finally, third, text based guardrails do not transfer to the visual layer. The same instruction that triggers a refusal in text executes without resistance in an image. Until defenses are built to operate at the visual processing layer, that gap remains open. Inkjet was discovered by Deep Keep's research team, and the vulnerability was disclosed to OpenAI and Anthropic. Ahead of this Publication. So my takeaway from this is the need to remain very careful as a user of current generation AI, be vigilant and as aware of all the ways that things can go wrong as possible. Also, as I said, this research suggests that we may be seeing a long term divergence in the delivered safety of AI models. These very responsible deep keep researchers notified anthropic and OpenAI immediately. And we know that both of those two top tier commercial AI providers are already in the crosshairs of the US government. So they're going to be on their best behavior. And they will have certainly already jumped onto this research and either have or soon will have closed yet another loophole in their AI's guard railing. But what about all the other AI systems and models which are now proliferating around the world? Will they care as much? Will they need to. We become used to guard railing being put in place to prevent the abuse of AI by malefactors. But the point of this research is to show that malefactors may be able to to use this technique not to trick an AI into providing them with knowledge and information that it should not, but to indirectly take some action against unwitting end users of the AI on the malefactor's behalf. This suggests that that the use of any AI whose guardrails may not be absolutely state of the art doesn't just allow its users to get away with things they should not. It also means that its users could be indirectly attacked due to the lack of the fully comprehensive guard rails their chosen AI is using. And that's a big deal.
Leo Laporte
Yeah. So takeaway is I shouldn't just take stuff off the web and give it to my AI, I guess.
Steve Gibson
Well, depends upon your AI. I would say it's safe to give
Leo Laporte
it to Anthropic or let me do anything anyway.
Steve Gibson
Claude or Chat GPT. Exactly. They're going to have a new knee jerk reaction, but they're good. But as a consequence of this research, they will now be scanning any imagery.
Leo Laporte
Right.
Steve Gibson
That, that your AI might encounter while it's doing its work. And, and we talk. Remember how long ago we talked about this idea of like, like you could embed commands in images? Well, so they put in an OCR to check for commands and images.
Leo Laporte
Right.
Steve Gibson
But, but turns out you can do it in a wacky way that an image processor which is designed to pull meaning from an image will still be able to read even though Both Anthropic and OpenAI's image scanners were missing the embedded text. So the embedded Text finder is going to get better. My worry is why would everybody's embedded text finder take the time to get better? And if there's a gap, then it means that there could be problems with, with a, with using an AI that isn't protecting you against its encounter with deliberately embedded malicious material that arranges to get in. So it's a little spooky.
Leo Laporte
Yeah.
Steve Gibson
Okay, so it's been a while, as I mentioned at the top of the show, that I've talked about GRC's primary bread and butter product. Of course, Spin. Right. But I had the occasion on Sunday two days ago to have a proud father experience. My wife Lori and I, as we've said, have been wrapping up our move into our new and our new and final home. She hates it when I call it that, but I'm sure it is at this point, everything is out of our previous place, but very little is organized in the new place. And over morning coffee, we were talking and taking stock in what needed to happen next, how to organize where we are. She mentioned that she needed to do something that would, would require a PC. And as I've noted before, she uses her iPhone for PC things that would drive me nuts. I just like, hey, you have a real computer around the corner. Why don't you use that? But, you know, it's the computer that she's holding in her hand that she uses, so I get it. And I asked her whether she'd like me to reassemble her PC, you know, get it all plugged back in and ready for her, and she said no, that she wanted to use her laptop, you know, like going forward for all of these such things. She just doesn't really need a, a PC full time. A laptop would be enough. So I told her that I had no idea where the laptop that she had been using was, but that I'd try to track it down. Fortunately, it was a. It was, it was a soft laptop bag. It was in a soft laptop bag. That is a brand we both like. It's. The brand is in case. It's got a distinctive, almost fluorescent green tag. So I was able to find it easily since it hadn't been used in many months. I, of course, I wanted to do the right hus, you know, the techie husband thing. I needed to join it to our new WI FI network. And of course I would run Windows Update and get it all, you know, settled and ready for her. The laptop was Adele, which is my second favorite brand after Lenovo. So I plugged it in powered it up and I watched the Windows 10 roller coaster dots spinning around and around and around.
Leo Laporte
We've all been there.
Steve Gibson
Oh my God. And actually after a while I became concerned that something was wrong. Because I mean it I it like 2, probably 200 spins. You know that. Oh, and the little disk drive icon was lit up solid the entire time. So I thought okay, whatever it's doing, I mean it's like, it's like just what? Anyway, and at the time I was working on today's podcast, so I just let it keep going on the side. Eventually it got itself booted. So I joined it to our brand new WI FI network and ran Windows Update. That also took nearly forever, but it did finally finish. After the update I noted that booting wasn't any faster. So I decided it was time to run Spinrite 61. Time for six. One on it. And I've pasted the before and after benchmark photos from our Spinrite 61 customers before. I've never pasted them from me. Your own pictures, My own pictures. What I immediately saw before running Spinrite on the drive. But just running spinrite's built in benchmark.
Leo Laporte
Oh, look at this.
Steve Gibson
The front of the 256 gigabyte SSD was astonishingly slow. It was clocking in at just 13.445 megabytes per second. 13.445. Whereas the middle and the end of the same drive was running the way it should be at 570.5 megabytes per second. So we have 13.4 versus 570. Now this was the phenomenon that the group of us who were testing Spinrite6.1 throughout its three and a half year development became quite familiar with. And I've shared, as I've said, many of our other users, similar reports since then. But I may not have ever had the occasion to witness myself on a real live system that someone I cared about was going to be using. So I fired it up on level three, which is what's necessary to refresh the entire storage surface of an ssd. And I watched it painfully run. The real time monitor page of Spin Right lets us watch the individual reading and writing phases. Spin right is reading 16 megabytes at a time. 6.6.3 is able to do that. And, and it's got a, it's got a bar where, where it shows what, which phase of the work it's on where. Where the first one is reading. It may do other recovery things if necessary. And if you're running on different levels and then the last one is where it's finished, it writes it back. And so it normally would just be, it would just be a flick on the read and then a writing, as we know on an SSD always takes longer than reading. So it would normally you would mostly see it sitting on writing and it would. And it would briefly flick up to read and then back down to writing. That's not what was happening. It was sitting on the reading phase for a long time and then then dropping to writing and then back up to reading again. So, you know, again it's what I expected, but it was an extreme case of that. So that meant that for that, well, I'm getting ahead of myself. One of the more amazing things that I should mention that I've witnessed across many brands now of SSD is how slow an SSD can become while still. And I'm kind of amazed by this still finally being able to obtain an error free read. It is retrying and it is applying error correcting like crazy, but it ends up getting the data back. Those 16 megabyte blocks that Spinrite 61 reads at a time are typically composed of of eight logical 5K sectors, meaning a 4K byte physical block. So. So SSDs are actually allocated in 4K pages. 4K physical blocks. So for every 16 megabytes that Spin right reads, that's four thousand and ninety six individual 4K byte physical blocks being read. And apparently in this case on this drive, a large Percentage of those 4096 individual 4k byte physical blocks must have needed retrying and rereading and error correction, rethresholding whatever it took to finally pull the data off. But I'll be damned if every single block was not finally read without a single error. It might slow way down. But the SSD controllers are clearly prioritizing read recovery over speed, which makes sense. That's exactly. Yes, that is exactly what we would want. The problem is, Leo, this is so gradual over time that people adjust to it. They just, they, you know, it didn't happen suddenly one morning. It's just, it's slow, it's over time. It just. Things slowed down. So anyway, this was going on, it was going painfully slow. So I turned back to work on the podcast and let six one grind away on that Dell laptop's ssd. After a couple of hours, I looked over and noticed that it was now about halfway done and zipping along. Spinride had moved through and past the slow beginning regions of the drive into the unused territory where the drive probably knew that nothing had ever been stored there. Now, what's interesting about SSDs is they know that an old school hard drive doesn't. But those regions were still fully trimmed, meaning that the SSD's controller did not even need to read from the media, since, as I noted, the drives, yes, its controller would have known that those regions contain no data. Okay. And since there was no point in continuing, I hit Escape at that point to interrupt spin right, exited back to the DOS console prompt, pulled the USB boot stick from the laptop, hit Control alt delete to reboot, and I watched. Sure enough, rather than watching those six annoying roller coaster dots looping around hundreds of times, unbelievably, they looped around exactly twice and the welcome screen popped up and I was in Windows. Now, the first thing I did was to enter Optim Optim into the search bar. And that brought up the disk. The. The. The disk defragmenter and optimizer. This was not to defrag an SSD, but rather to re trim it. Running spin right at level 3, 4 or 5 will always write to the media, even if the file system is not storing any data in that location. The ssd, which doesn't know any better, will assume that it must keep whatever Spinwright just wrote, even though Spinwright was just writing zeros. So running an Optimize on an SSD after Spin writing it serves to re trim the SSD, meaning to let it know which 4K physical blocks are important and actually contain file system data, and which it does, it never needs to. And. And which are actually empty and which it never needs to worry about preserving in the future. So anyway, we've had many users and owners of Spinrite 6. One described their before and after experiences with with 6:1 and the performance of their machines, but I've never had the experience myself on an actual machine. So yeah, a bit of a proud father experience here. And my wife now gets to use a snappy laptop that performs just the way it did when it was brand new. So anyway, it was very nice.
Leo Laporte
Congratulations. I noticed the random access time improved too. Yeah.
Steve Gibson
Yes, yes. Because any. During random fetching, any read that happened to fall within the. The front of the drive would just basically stall while the. While the driver tried to actually read it. Yeah, yeah.
Leo Laporte
Very cool.
Steve Gibson
Very cool. Okay, our last break and then we're going to talk about who it was who coined the term apex agentic adversary.
Leo Laporte
It sounds like something from Jurassic park, but I might be wrong on that. Apex.
Steve Gibson
Apex predator.
Leo Laporte
Apex predator. That's right. That's right. The show today brought to you by Adaptive. I know you know that name. The first security awareness platform built to stop AI powered social engineering. That is, you know, I mean, there's all sorts of ways they can attack you. The social engineering one though, that's the one that sticks. That's the one that shiny hunters uses, right? Here's the shift attackers, they don't even need malware anymore. They just need trust. And that's easy to do with AI. A cloned voice, a convincing deep fake on zoom, an AI written fish that looks like it came from your team. Adaptive prepares your organization for this kind of attack with simulations. And not just across email, but sms, even voice. Yes, imagine getting a voice message, right? Deep fakes, vishing. That's what they call it, voice phishing. Vishing and AI generated phishing, including scenarios that can mirror your own brand, even your own executives. You get a call with Lisa's voice on it. One of our employees gets that, they may respond, but we don't want them to, right? And when employees report something suspicious, Adaptive goes, oh yeah, I can help you with that. They can help you triage it fast so you don't get a bunch of false alarms. You security teams know exactly what's going on and what to really handle. If you need training fast, Adaptive can do it with their AI content creator. You can see a breaking threat, turn it into an incident report or a compliance doc into an interactive multilingual module in minutes, no design team required. So you go, oh, look how they're getting in with these paste click attacks. Simulate it and it does it. With Adaptive, you can build, customize and monitor every part of your training with complete personalization. The result is a more resilient security culture. And that's essential for companies. Companies like Plaid, they use Adaptive. Their platform powers thousands of digital finance apps, links consumers, developers and institutions. They can't afford to be hacked. With sensitive data at its very core, Plaid security and compliance are non negotiable. That's why Plaid's head of security, grc, says quote, adaptive has equipped our teams with cutting edge tools and built a smarter, more resilient security culture across the company. End quote. It's not, it's just Plaid. It's trusted by Fortune 500, backed by Nvidia and OpenAI. Adaptive is building the defenses we need for the AI era. Learn more at adaptivesecurity.com that's adaptive security.com It's a really great solution. We thank them so much for supporting Security. Now. All right, on we go with agent. What is this? Agentic what?
Steve Gibson
The apex agentic adversary. Oh, which is a phrase that we will see quoted by somebody who's sort of famous. So a set. Oh, and what. But I mean, but this sort of hides the fact that a really bad set of vulnerabilities has been uncovered. A set of seven severe vulnerabilities have been discovered in the massively widely used FATFS file system library. FATFS as file system. FAT file system. It's a pure ANCC implementation of Microsoft's original FAT file system with extension allocation
Leo Laporte
table it stands for.
Steve Gibson
Exactly. And this FAT FS code is the solution used by virtually any and all embedded computing devices that have any need to operate any lightweight and broadly compatible file system. Like for example, a voting machine. I mean like anything you can imagine where, you know, you, you plug an SD card or, or a, a thumb drive into it, a router or whatever if it needs to do to understand the FAT file system. Many of the systems use this. So the troubles these seven severe vulnerabilities were discovered by the security firm Run Zero. Now, Run Zero has some pedigree by virtue of its founders. Its primary founder and CEO is none other than HD Moore. The is a name we've used on this podcast many times. He's the primary developer of the massively popular Metasploit framework which became the Metasploit project. Metasploit is the world's most widely used penetration testing framework. The research paper's co author is Todd Beardsley who currently enjoys the title of VP of Security Research along with HD at Run Zero. Excuse me. Todd was previously the Section Chief for the Vulnerability Response Section at CISA. Todd has over 30 years of hands on security experience with previous IT Ops, Security and software engineering and management positions in large organizations including the government Rapid7, another company we refer to for like over and over and over three Com, Dell and Westinghouse, both in offensive and defensive practices. So when these guys notify the world that they have found something serious, they know of what they speak. The title of their research, which they updated most recently last Wednesday was seven FAT FS bugs. One very large blast radius. Yeah, right. So here, here's what they shared with the embedded computing world. They said heads up, if you ship firmware that touches FAT media, that's you, right? Yeah. Think any removable storage like USB drives and SD cards, you'll want to pay attention to this. This work was part of Run Zero's research into long tail supply chain bug hunting. Using LLMs and and they they wrote we live in the future, meaning they're just as blown away by what AI is doing as anybody else. So just to be clear, we have another example of what the world can expect as LLM technology is aimed at old and long standing code bases. The trouble is when they're also massively widely deployed and enable vulnerabilities that are probably impossible to remediate. You know, think of all the devices around that that might need a removable media of any kind. So these this pair tells the story well they write. Today we're publishing seven CVEs documenting several vulnerabilities in in the FAT FS project, ranging from CVSS of of from medium to high and they wrote no criticals the affected ecosystem includes some major non the affected ecosystem meaning for example things that use this some major non hobby platforms like ExpressIF, ESP, IDF, ST, microelectronics, STM32Q middleware, Zephyr, RTOS, micropython, rgupilot, RT thread embed Samsung's Tizen RT and SW update with downstream reach into consumer IoT, industrial controllers, drones, crypto wallets and more. Fat FS, they write, is a portable royalty free FAT ex FAT file system library written in C by author whose moniker is Chan Cha Capital N and he this person posts over at elm-.org e l m-a n.org they write. It's designed for resource constrained embedded systems with no OS dependency and is typically compiled directly into Firmware. It supports FAT12, FAT16, FAT32 and EX Extended FAT as well as optional long file name and GPT partition support. So it's been kept up to date. I think the most recent CH update was about a year ago. Because fatfs is small, self contained and permissively licensed, it's become the de facto standard FAT implementation for microcontroller firmware. The library is vendor vendored verbatim into official SDKs, RTOS's bootloaders and application frameworks, meaning a single upstream vulnerability propagates to every downstream project that copied FF C, which is the you know, the the FAT filesystem C file. They said this project is a return to a this project meaning their current work now that they're reporting on is a return to a security assessment started back in 2017 when a manual audit and multi day fuzzing effort identified some basic but not compelling bugs in the fat FS driver. Nine years later in March 2026, we revisited this project using Visual Studio Code, GitHub, Copilot in auto mode and some basic prompts, all without any specific loops, harnesses, or skills. The results were surprising. Bugs that were overlooked during the manual audit became trivial to find by using the LLM to automatically build a fuzzer with novel inputs. Not only did this effort find interesting and reportable bugs, it also automated the process of validating that these bugs are actually exploitable across different embedded scenarios. So why do FATFS bugs matter? For the vendors who build on these platforms, it's simple. Any physical access leads to a jailbreak, especially given the FATFS library's lack of address space, layout, randomization and memory protection. For everyone else, there are numerous devices where brief physical access by the general public should not lead to a full compromise, for example Security cameras with SD card storage, voting machines with USB file readers, ATMs, and pretty much anything else that has a screen that you expect people to touch. Fatfs has no CVE history, no security mailing list, no patch notification mechanism. Every downstream project that uses FF C must discover, triage and patch these vulnerabilities independently, usually without knowing whether they're affected. That means the window between public disclosure and widespread remediation will be measured in years, not days. The practical attack surface is therefore not one software application or service, but tens of millions of of devices across dozens of independent code bases, many of which will never receive a patch. The archetypal exploitation scenario is the evil SD card. An attacker with a few seconds of physical access swaps the storage medium in a device from consumer cameras to drones to 3D printers to 1000 other product families. Every vulnerability in this set is triggerable by mounting a crafted FAT image, which nearly always happens automatically on insertion with no user interaction required. That said, physical access is not the only path. Devices that ingest FAT formatted update packages from a network source, such as over the air update frameworks and drag and drop bootloader updates, are exploitable by any attacker who can deliver a malicious image to the FAT update pipeline. Supply chain compromises, an agent in the middle injection on a clear text HTTP update feed, or a malicious image posted to a hobby platform distribution portal. The over the air path is fully remote on any device that lacks end to end authenticated integrity verification of its update container prior to mounting it with with FATFs. Therefore, the value presented to attackers is straightforward. These issues are triggerable by crafted FAT extended FAT GPT images, often through removable media or update channels that get mounted automatically. Note that CVE 2026, 6682, and 6683 are both impacted in some over the air processes for firmware. This post is intentionally light on exploit internals. For technical details, proof of concept, images, harnesses and code level analysis, see Run Zero's companion search research repository on GitHub and I've got a link to them in the show notes or just go to GitHub.com runzero inc.r u N Z E R O I N C and you'll find the the directory there. The seven findings documented here are listed roughly in order of subjective value to an attacker, and I'm going to skip over them. They're in the show notes for anyone who's interested. We start with a CVSS of 7.6 which is the highest. They called it the headline issue and that's that 6682 which they said describes integer overflow in core mount arithmetic which can produce attacker controlled file size metadata the downstream code may trust as a read length. In real systems that can become a heap stack overflow and code execution in terms of practical attacker value plus transitive impact, this is at the top of the stack. And so they have actually three that are all they all sign a CVSS of 7.6 where basically they're able to arrange to execute code they provide on an SD card or a USB stick simply by sticking it in to any machine that is using this library to read those things. That's what this comes down to. So it's bad. They in they they then independently remind us of our favorite xkcd after enumerating through those dependencies or or through through those seven CVEs they said if you've seen XKCD's 2347 dependency, of course that's the the the huge construction of different size blocks. You already know where this is going. One component maintained in one tiny corner of the Internet quietly supports an absurd amount of modern cyber stuff.
Leo Laporte
Well, EXFAT is everywhere. Yes, everywhere. You use it probably on your freedos, right?
Steve Gibson
Yes. Yeah, so they said fatfs is one of those components. It's compact, useful and copied everywhere. That's great for shipping products quickly, but less great when memory safety issues show up in parser adjacent code that happily ingests untrusted media. This kind of component is even more challenging to deal with from a disclosure and fix perspective, in that nearly everyone ends up making local vendored modifications, so an upstream patch must be validated pretty carefully before incorporating. We made repeated attempts to contact the maintainer and we invoked JPCERTCC early on as well we never received a response.
Leo Laporte
So this is a maintainer.
Steve Gibson
Actually, there basically isn't. It's just some random guy who checks in once a year to see if like, if that needs to do anything.
Leo Laporte
It's done. He thinks it's done.
Steve Gibson
Yeah, exactly. It's done. It's Fitz, it's finished code. And an audit nine years ago found no problems that, that were. That were significant. Just a few things.
Leo Laporte
You know, the fact that you could make the name of the volume so long that it goes in a user space, that seems so obvious. How could they miss something like that? That's. I mean that. So these are. Well.
Steve Gibson
Right.
Leo Laporte
Okay.
Steve Gibson
So they said we never received a response. So this publication is aimed at the people who can still do something useful right now, which is to say, yeah, downstream. Downstream implementers. They said, audit your vendor version, audit your wrappers, audit your file name and file size handling, and plan for patch updates. Okay, and now we learn where I obtain the title of today's podcast. HD Moore writes, keeping this class of issue quote quiet in 2026 considered that they were unable to find the vendor. There's no mailing list, no CVE history. There's just, you know, it was just some project some random guy Chan did. And thank you very much for giving the world a free FAT file system. Unfortunately, it's got some bad, bad bugs. So HD says keeping this class of issue quiet in 2026 would be almost entirely security theater. Now that we've entered the age of the apex agentic adversary, if we can find this kind of thing with some thoughtful application of AI assisted vulnerability hunting, then so can pretty much anyone else. Sure, this took a little H.D. moore branded stubbornness, but even so, we don't believe these are going to stay undiscovered for very long. It's too good a target space. And the next researcher probably won't bother with creating validation and reproduction harnesses. When it comes to vulnerability disclosure, I've always believed that I'm merely the most recent person to learn about the issue. Meaning why would, why, why would he. He, he's saying, imagine that he's the only one to know. He said, what's more true now than ever in this hyper automated. Oh, and that's more true now than ever in this hyper automated code auditing world. Better to disclose, coordinate where possible and in the end publish in order to give defenders the heads up. And he said, P.S. looking for exploits, you can find a test harness a full QMU based exploit example and corrupt FAT FS images in the Repository. Okay, so yes, we have indeed entered a brave new world where the rules of the game are clearly changing. The collapsing cost of novel vulnerability discovery means that many new players, both well meaning and malicious, will be joining the fray. The asymmetry of the security guarantee bites us in this instance. As we know, security must get everything right everywhere, every time. For insecurity to win, security need only make one mistake in one place once. It's an impossible scenario, but it's the scenario we have today. Someday, thanks to AI, it's clear to me that software will have finally being, will have finally been fixed. AI is going to fix our software. We couldn't do it ourselves. We could write it, but we couldn't understand it because it got out of control. And that's something that until now we've only been able to dream of. But to get there from here, we have a long and daunting road ahead because there's a lot of crappy software out there and a lot of it, as HD noted, is never going to get changed. So I'm thankful that the world does have many good guy researchers such as this HD Moore who are interested and intrigued enough to contribute their time, energy and effort. And in this specific instance, I agree with the, with the route that Harold, that's, that's what the H of HD Moore. It's. He, he's Harold Dwight Moore, but just goes by hd. I agree with the route he took. Given that this library is effectively unmaintained, that there's no mailing list nor update methodology, and that they weren't even able to contact its author. Direct outreach to all of the library's major known users and they have a list of those is all the researchers can do. You know, let them know that the library they're using would make any future use of it. Well, actually all past, but also future vulnerable. So they could fix it and depending upon who they are, maybe they can fix their, some of their installed base, maybe they can't. Maybe they just need to stick glue into the USB socket so that nothing can mount itself there.
Leo Laporte
So I mean you have to have auto mount turned on. Right?
Steve Gibson
I mean, well that, that's the point. Typically these embedded devices do.
Leo Laporte
They do.
Steve Gibson
Because all you do is. Yeah, you just stick the SD card in the camera and it looks to see what's there. Looking to see what's there takes it over.
Leo Laporte
Right. So yeah. And you probably can't even disable that. You wouldn't.
Steve Gibson
Right.
Leo Laporte
You don't have an interface probably.
Steve Gibson
Exactly. Not if not a Feature.
Leo Laporte
Yeah. Wow.
Steve Gibson
Because, Leo, why would you ever need to.
Leo Laporte
Steve, Amazing. While you've been talking, I've been building and boy, Fable is amazing. And I'll tell you what it's been doing is reviewing. So I have it write the plan, then Opus four. Eight executes, and then it reviews and it's doing. Look at two real bugs were caught during execution.
Steve Gibson
Wow.
Leo Laporte
By sub agents. And this is. It's already doing, you know, that exact kind of testing. Yeah. It found a race condition, which is pretty amazing. So I just, you know, and I. Lisa says, well, what are we going to do if it doesn't work? Will you be around to fix it? Or are you going to be on the air and not able to fix it? And I said, it's always going to work. It's not going to have any bugs.
Steve Gibson
There's a far better chance it'll work than anything that anybody else would ever write.
Leo Laporte
This is true of the stuff that she's been using for 12 years. So it's kind of like, you know, come on, the thing you've been using all this time is so unreliable.
Steve Gibson
Yeah. You know, and she probably knows the quirks, like. Oh, that's exactly right.
Leo Laporte
She knows all the workarounds.
Steve Gibson
Yeah.
Leo Laporte
It's like Steve Jobs when he first demoed the iPhone. He knew there was one path and one path only, where everything, anything would work. Any deviation, the thing crashes horribly. Yeah. That we kind of were in that situation. I'm, I'm. I'm very impressed with its ability to, to do this stuff. And actually, as it turns out, this is a fairly trivial thing because it's a business application and we're not.
Steve Gibson
And I think you should be impressed. I mean, I don't think you should be at all shy about being impressed. You know, one of the, the things that I've said from the start is AI is going to inherently be very good at code.
Leo Laporte
This is its language.
Steve Gibson
Yes.
Leo Laporte
It. It's a language it, it's fluent in,
Steve Gibson
it plays by rules. It's all logical. It's got a ton of examples on the Internet to have learned from.
Leo Laporte
Yeah, that's the key. Yeah. Yeah, it's doing this in go. I, I don't have a strong preference of language. Probably if it had asked me, I would have said rust. But it likes go. Go has concurrency and go is a good.
Steve Gibson
Go is a good language. And actually that's where your race condition came from. What from was the concurrency threads.
Leo Laporte
Yeah, that's right. It has that built in.
Steve Gibson
It's also how to build a lock in.
Leo Laporte
It's also very fast, which is nice. It really, it's a good web language and we're going to be running this in the cloud. So anyway, maybe be trivial to say, hey, you know, can you rewrite that in Rust? I'll be back in a day or two, you let me know.
Steve Gibson
Wow, we are. It's in a whole different world, my friend.
Leo Laporte
It's somewhat addictive because you feel this power to do stuff that in the past as computer users we were somewhat disempowered. You know, we were stuck with whatever the fat library guy wrote. I'm not going to rewrite that. And now we have all this capability we just didn't have before for it's very addictive, it's very exciting. And you can see with agent, what is it?
Steve Gibson
Agentic, Apex, Agent, adversary.
Leo Laporte
We're going to be in a whole new world of security as well.
Steve Gibson
The good news though, as I said, if we just look at, around at the updates that are coming in from all different directions, like the fact that the Sonality, this synology fixed a bunch of stuff that where they'd only had one or two over the like for the past year, suddenly there was 14. Well, we know where those 14 came from. They, they're being responsible. And they said, whoa, let's run our software through AI. And now we have a much better result than we did before. Much more attack resistant. So again, I think in the same way that Y2K didn't crash because everybody actually did fix their year 2000 dependencies, it seems that we have a well distributed remediation going on across the globe.
Leo Laporte
Darren in our club Twit says, oh, all you have to do is add a Claude side panel to the app. And then if Lisa has a problem, she doesn't have to ask you, she just say, could you fix that? And Claude, Claude will do it. It's a little buddy in there that can do it. Wow, what a world. What a world we live in. And you know what? I'm just glad that you and I made it to this point so we can watch this.
Steve Gibson
Exactly that. This is just too significant.
Leo Laporte
I feel like our grandparents who grew up in an age before man could fly and ended up living to an age where you could fly to Europe in a jet airplane in Flanders.
Steve Gibson
Or the moon.
Leo Laporte
Or the moon. Imagine you're born in 1900, they had orbital and Wilbur Wright hadn't yet invented the airplane. And you're my age and you're watching us land on the moon. In 69 years. That's kind of where we are in. We are in this hyper speed of change. And some people find that very upsetting. I understand why. But then there are people like you and me and I imagine most of our audience who go, yeah, this is cool.
Steve Gibson
And AI is going to accelerate that rate of change. It is going to.
Leo Laporte
It already is. Yeah, you're right. That's, that's part of the most interesting part of it. Yeah. Steve Gibson's@grc.com that's where you'll find of course, Spin. Right. It's like a bicycle wheel for your hard drive. I love that story.
Steve Gibson
I mean it's transformed this laptop. I mean I turn on and it goes. And then I get the welcome screen. It's like, holy crap, Lori must be impressed.
Leo Laporte
Lori must go, you know, you, whatever. I don't know what you do, Steve, but whatever it is, I guess you're pretty good at it.
Steve Gibson
Yeah.
Leo Laporte
She says, okay, well the rest of us appreciate it. If you don't yet have the world's best mass storage, performance enhancing, repairing and, and, and kind of, you know, maintaining, maintaining maintenancing tool. It's called Spin. Right. You gotta have it. If you have Mass Storage 6.1 is the current version. It's@grc.com It's Steve's bread and butter. There's another program there you might well want as well. I think everybody should have this if you're on the Internet. If you're not on the Internet, forget it. But if you are on the Internet, you might want to take a look at his DNS Benchmark Pro, which makes sure you're using the best DNS server for your particular installation. And that is not the often not the ISPs choice.
Steve Gibson
And there's so much, there's so much more than just which. What is faster? I mean you'll, it's a deep end, rich educational environment because there's, that's a really good point.
Leo Laporte
I always focus on the speed. But there's other things.
Steve Gibson
Oh, different types of queries and IP4 and 6 and, and, and DOH and DOT. I mean there's just, there's a lot there now.
Leo Laporte
So DNS is really, really important and we've learned a lot on this show. And you can get this tool also from GRC.com while you're there. Go to GRC.com email and you can submit your email address. Steve will whitelist it. If you're not a bot. If you're a bot, don't do it. But if you're not a bot, go ahead. And by the way, underneath it there are two checkboxes for two mailing lists. One is a weekly mailing of the show notes. You'll get that picture of the week and a special thumbnail version of the picture week. You can click and see it before I do. That's free. Of course. There's also another mailing list that really gets very little traffic when Steve has something new to announce. But that's good to be on. Sign up there. GRC.com email you can also submit pictures of the week once you get your email vetted. What else? Oh, he has the show. Of course he has copies of this particular show. Security now, in fact, he has unique versions. A 16 kilobit version which is very small, a little scratchy, but tiny. He has a 64 kilobit. Sounds fine. That's a good mono version of the show. He. I presume it's mono. You don't have stereo 32 bit. It's one mono 64. Yeah, that's great. We have stereo. You don't need. I'm in the left, Steve's in the right. He also has the transcripts there which are written by an actual human. That's why they take a couple of days by Elaine Ferris. And if of course, show notes are also there for download. Grc.com Lots of other useful, fascinating stuff, all of it free. We have it at our website as well. Twitter TV sn. There's audio and video video there. We all. We are audio, stereo. We also. We also have a YouTube channel which is just video. I don't know if that one's stereo or not, but that is a good way to share clips with other people. And then of course you can subscribe in your favorite podcast player. If you do want to watch us live, you can Club trip members get special behind the velvet rope access in our Discord channel. You can watch live there, chat with us live there. Club Twitter is a great way to support Steve and the work we do here. Frankly, without the club, we would have to cut back. Lisa said just this morning I don't know what we'd do. She was doing payroll. The club helps a lot. If you're not a member, go to Twitter TV club TWiT. You'll get ad free versions of the show with chapter markings so you can jump along. You'll also get access to the Club Twit Discord and special programming we do only for the club, club members or not. You can also watch live at YouTube, Twitch, X.com, facebook, LinkedIn and Kik. We stream the show as we do it every Tuesday right after Mac Break Weekly. That's around 1:30 Pacific, 4:30 Eastern, 20:30 UTC. Live or not, we want to make sure you're here next week for another thrilling, gripping edition of Security Now. See you, Steve.
Steve Gibson
Bye, my friend.
Leo Laporte
Hey, Everybody, it's Leo Laporte. You know about MacBreak Weekly, right? You don't? Oh, if you're a Macintosh fan or you just want to keep up what's going on with Apple, this is the show for you. Every Tuesday, Andy Inocco, Alex Lindsey, Jason Snell and I get together and talk about the week's Apple news. It's an easy subscription. Just go to your favorite podcast client and search for Mac Break Weekly or visit our website, Twitter, tv, mbw. You don't want to miss a week of Mac Break Weekly.
Recorded: July 7, 2026 | Hosts: Steve Gibson & Leo Laporte
This week, Steve Gibson and Leo Laporte deliver a jam-packed episode delving into the latest in cybercrime, AI security, landmark vulnerabilities, and a groundbreaking new research paper on visual prompt injection attacks in large language models (LLMs). The show explores the downstream impact of advanced AI on security, software reliability, privacy, and the reality of an “apex agentic adversary”—AI-driven attackers empowered to seek and exploit vulnerabilities at unprecedented scale. Alongside the headlines, the hosts celebrate cybersecurity legends, mark browser milestones, share real-world SpinRite success, and offer listeners actionable takeaways to navigate the rapidly changing digital landscape.
[14:11]
“It means that [Fable 5] is really not of any practical use to security researchers. You’ve got to be chosen and trusted... and then you get Fable 5’s equivalent with this, which is Mythos 5.” — Steve Gibson [30:10]
[33:06]
"I've been crying in the dark for any OS vendor... to prevent or at least dramatically caution their users against putting anything onto the system clipboard from their browser." — Steve Gibson [33:12]
[48:53]
"How is it that there are any Windows systems that have not been updated since April's, May's or June’s patch Tuesdays?... This looks like asking for it." — Steve Gibson [53:01]
[56:40]
Cerf predicts the emergence and battle over agentic, autonomous AI software agents will force renewed composability, standards, and interoperability—just as the early internet required open protocols.
Notable Quote:
"There’s a flexibility in [natural language], but there’s also ambiguity. And I think precision for inter-agent interaction is going to be very, very important. An agent really needs to be sure that the other agent understands what it is they just agreed to do together." — Vint Cerf [61:44]
Leo compares the current AI revolution to watching air travel go from Kitty Hawk to the moon landing in a single lifetime.
[69:07]
"The feeling I'm getting is that what we hoped would happen, is happening... The word has gotten to people writing software that they can invest in some tokens and they can get their software fixed." — Steve Gibson [70:49]
[77:02]
[106:29]
“The model retrieved the code, processed the repository’s assets and built the site as requested. It also created an admin account with attacker-controlled credentials. Whoopsie... The instructions that caused this were sitting inside an image file in the repository." — Steve Gibson [107:36]
“Until defenses are built to operate at the visual processing layer, that gap remains open.” — DeepKeep Research [113:50]
Real-World Implications:
Takeaways:
[124:56]
[140:37]
“Now we’ve entered the age of the apex agentic adversary. If we can find this kind of thing with some thoughtful application of AI-assisted vulnerability hunting, then so can pretty much anyone else.” — HD Moore, via Steve Gibson [156:44]
Key Insight:
As AI commoditizes rapid bug discovery, security will become an asymmetric race. There’s no secrecy or safety in obscurity anymore: if defenders can find a bug, so can attackers.
Sobering Reality:
“The new guardrails are kicking in on way too many tasks and falling back to Opus 4.8... C, C++, Rust, Win32 API references, memory-related work—files mentioning security, vulnerable, unsafe, or hook appeared to trigger a fallback or block.” — Steve Gibson [22:09]
“This flaw was patched... nearly three months ago. So how is it that there are any Windows systems that have not been updated? ...This looks like asking for it.” — Steve Gibson [53:33]
“It’s astonishing. What we had hoped would happen is happening... People are using AI on their own in the privacy of their own R&D and dev shops to find and fix problems.” — Steve Gibson [70:49]
“The model did not flag the instruction. It did not warn the user. It completed both the requested task and the unauthorized one with no visible indication that anything out of scope had occurred.” — DeepKeep/Steve Gibson [108:11]
“Now that we've entered the age of the apex agentic adversary, if we can find this kind of thing with some thoughtful application of AI-assisted vulnerability hunting, then so can pretty much anyone else.” — HD Moore [156:44]
Steve Gibson and Leo Laporte argue convincingly that we have crossed a Rubicon: AI has made vulnerability discovery (and, by extension, software remediation) a “brave new world.” The same tools that give defenders new superpowers have also created an “apex agentic adversary”—attackers using AI as an ally. Visual prompt injection is a “canary in the coal mine,” showing how every new AI capability is another avenue for exploitation. This is a race without finish; it’s up to vendors, researchers, enterprises—and every user—to keep pace.
Full Show Notes and Links: grc.com/securitynow.htm
Security Now is released every Tuesday. Subscribe for deep, technical coverage of security news.