Microsoft

Microsoft Smashes Record For Biggest Ever Patch Tuesday Update (computerweekly.com) 51

An anonymous reader quotes a report from ComputerWeekly: Microsoft has issued patches for about 200 flaws in its latest monthly Patch Tuesday drop, blasting past a previous record high of almost 170 common vulnerabilities and exposures (CVEs) set in October 2025. Among a great many others, the latest update from Redmond fixes a total of 32 critical CVEs and three zero-day flaws. Dustin Childs, head of threat awareness at TrendAI's Zero Day Initiative, said: "We are heading into a high-stakes summer for cyber security. June's record-shattering drop ... is a stark warning that AI is supercharging flaw discovery at an uncontrollable scale. The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018. It is extraordinary that Microsoft can produce so many patches in a single month, and I expect many testers are wondering what quality issues may exist."

And with the addition of hundreds of CVEs in Google Chrome and Microsoft Edge (Chromium) and other third-party flaws taking the total to almost 600, Chris Goettl, vice president of security product management at Ivanti, said talk of a 'Patch Apocalypse' was no longer unwarranted. "We are in the Patch Apocalypse. The Patch Apocalypse is now," said Goettl. "This is not intended to be a scare tactic. It is meant to outline the challenge that many organizations were anticipating, but the new generation of LLMs [Large Language Models] has accelerated significantly in the first half of 2026."

"There are going to be more CVEs resolved by vendors at a faster and more continuous pace than we have ever seen previously. Unfortunately, this will also include more zero-day and n-day exploits than previously seen as well. The window from release from a vendor to exploitation had already shortened to five days as of 2023 threat intelligence data." Goettl said that many suppliers have acknowledged the need to use AI tools in their security research to identify and resolve flaws, with Oracle, Google Chrome and Mozilla all upping the cadence of their updates. Whether or not Microsoft follows suit remains to be seen.

Cellphones

FCC Wants To Kill Burner Phones By Forcing Telecoms To Get All Customers' IDs (404media.co) 166

An anonymous reader quotes a report from 404 Media: The Federal Communications Commission (FCC) wants to make it effectively impossible for people to buy what many call burner phones -- a phone not explicitly linked to your identity at the point of purchase -- which would impact privacy-conscious people, to domestic abuse survivors, to journalists, and many more. The FCC plans to do this by legally forcing the country's telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who compare the measures to those from authoritarian countries where it can be difficult to buy a mobile phone plan without giving up your identity.

The proposed change would drastically shake up how people obtain phone plans in the U.S., and have all sorts of privacy and cybersecurity knock-on effects. The FCC is proposing the data collection partly as a way to combat scammers, with telecoms being required to collect other information on business and foreign customers like the intended use case of their bulk phone plan purchase and their IP address. But the changes would mean telecoms collect data on all new and renewing customers, and the FCC provides a long list of other things that the collected data could help authorities with.

In a synopsis of the proposed changes, the FCC writes, "Specifically, we seek comment on requiring originating providers to, at a minimum, obtain and retain the name, physical address, government issued identification number, and an alternate telephone number of any new and renewing customer before granting access to its services." The goal of collecting this data, the FCC writes, is to deter some scammers from getting onto a telecom network in the first place, and so "enforcers will be better able to identify the scammers when they do." The FCC compares the changes to the sort of data collected by banks to prevent money laundering.

One section stresses that the newly collected data would help "law enforcement to more easily identify callers that use the network to perpetuate crimes by ensuring that voice providers have accurate and complete customer information." It goes on to ask if the data would help identify people buying and selling illicit goods; the investigation of "fraud, espionage, or influence operations that undermine national security", and "address abuse in text messaging networks." "Criminals continue to leverage the anonymity provided by phone calls and texts to defraud Americans and exploit communications networks to further other crimes," one section reads.
"For decades, civil libertarians have looked overseas at authoritarian countries where the government requires people to register to get a mobile phone to ensure they can be tracked. We never thought that would happen here," Jay Stanley, senior policy analyst at the American Civil Liberties Union's (ACLU) Speech, Privacy, and Technology Project told 404 Media in an email. "But make no mistake: with this rulemaking, the government is contemplating taking away people's ability to get a burner phone, which will hurt low-income people, domestic violence victims, and anyone else who cares about their privacy."
China

US Labels BYD, Baidu, Alibaba and Other Tech Giants As Aiding China's Military (apnews.com) 123

The Pentagon has added Alibaba, BYD, Baidu, Unitree, and other Chinese companies to its list of firms it says support China's military, barring them from U.S. defense contracts. The companies and China's embassy deny the allegations. The Associated Press reports: Created in 2021 by a congressional mandate, the list (PDF) seeks to identify Chinese companies that the Pentagon considers to have links to the Chinese military -- not only those directly controlled by the Chinese military and security forces but also those contributing to the country's defense industrial base. When updating the list last year, the Pentagon said the Chinese military sought to acquire advanced technologies and expertise developed by Chinese companies, universities and research programs that "appear to be civilian entities."

The Chinese Embassy on Monday accused the U.S. of "overstretching the concept of national security and making discriminatory lists to go after Chinese companies." It said Chinese companies observe the laws and regulations of the countries where they do business. "The U.S. should stop its wrong practice and create a fair, just and non-discriminatory environment for Chinese companies," the embassy said in a statement. [...] The Chinese Embassy on Monday accused the U.S. of "overstretching the concept of national security and making discriminatory lists to go after Chinese companies." It said Chinese companies observe the laws and regulations of the countries where they do business. "The U.S. should stop its wrong practice and create a fair, just and non-discriminatory environment for Chinese companies," the embassy said in a statement.

Security

High-Severity Vulnerability In Linux Caused By a Single Errant Character (arstechnica.com) 34

An anonymous reader quotes a report from Ars Technica: Researchers have analyzed a high-severity vulnerability in Linux that's able to escalate untrusted users to root by exploiting a bug you don't often see: a single errant character inside the kernel. The vulnerability, tracked as CVE-2026-23111, is located in nf_tables, a subsystem of the Linux kernel that provides packet filtering capabilities. It's used to manage firewall rules and replaces older subsystems such as iptables, ip6tables, arptables, and ebtables.

The presence of a single mis-issued exclamation point in code implementing nf_tables introduced a use-after-free, a class of vulnerability that corrupts memory by placing malicious code at memory addresses that haven't been properly freed of their previous contents. CVE-2026-23111 can be exploited by an unprivileged user or process to elevate system rights to root. The exploit works by disrupting the deletion of verdicts -- a determination within the nf_tables framework that determines if a packet matches a rule calling for a certain action to be performed. This process can use what are known as catchall elements, which act as a wildcard in the event a lookup doesn't match any other element in the set.

When a verdict map is deleted from memory, catchall elements are deactivated and a chain's reference counter is decremented. When errors occur the deletion can be reversed and the counter incremented. CVE-2026-53111 allows for that process to be altered. As a result, the exploit can decrement the variable an arbitrary number of times and then delete and free the chain when some objects still point to it.
Although the kernel vulnerability was fixed in February, multiple proof-of-concept exploits have since emerged, including one from FuzzingLabs in April and another from Exodus Intelligence that works on Debian and Ubuntu.
AI

EU Says Decision Not to Launch Siri AI in Europe Is Apple's Alone 75

The European Commission says Apple's decision not to launch Siri AI in the EU is Apple's alone, arguing that the company sought an exemption from Digital Markets Act interoperability rules instead of building a compliant privacy- and security-preserving solution. Apple, meanwhile, says regulators rejected its proposals and claims the DMA would require giving third-party AI systems overly broad access to users' devices. MacRumors reports: Commission spokesperson Thomas Regnier told reporters in Brussels: "The decision not to roll out Siri AI in the EU is Apple's and Apple's only. Apple was simply unable to develop interoperability solutions that meet essential EU privacy and security standards. Instead of trying to find a suitable compliance solution, Apple simply made a request to the European Commission to be exempted from their interoperability obligations. That's not an option."

Craig Federighi, Apple's senior vice president of Software Engineering, said the company was "deeply disappointed" and cited what it described as regulators' refusal to accept any of Apple's proposals, including a system called Trusted System Agent that would have allowed third-party virtual assistants to safely access the same device capabilities as Siri AI.

The Commission's account tells a different story. Rather than negotiating over Apple's proposed solutions, regulators say Apple simply requested a blanket exemption from its interoperability obligations under the Digital Markets Act, something the Commission says is not an available option. Apple's statement framed the DMA's requirements as demanding that any AI system be given "nearly unlimited access" to a user's device.
Security

Microsoft Hacked To Deliver Malware To Claude and Gemini Users (404media.co) 9

An anonymous reader quotes a report from 404 Media: Microsoft has shut down a wave of its own repositories on GitHub, including those related to Azure and AI coding agents, as it investigates a data breach, according to research from cybersecurity researchers and a statement given to 404 Media by Microsoft. Hackers planted malware that would harvest peoples' credentials when they opened it in AI coding tools like Claude Code or Gemini CLI, according to one set of researchers. The exact contours of the breach are unclear, but researchers say Microsoft has disabled more than 70 of its own repositories, and pointed to a particular package that was previously compromised.

Last week, cybersecurity website OpenSourceMalware.com, which acts as a clearing house for indicators of supply chain attacks so defenders can secure their own networks, and which also publishes its own write-ups, wrote about the mass disabling of Microsoft GitHub repositories. "GitHub disabled 73 Microsoft repositories across four of its GitHub organizations -- the entire Azure Functions org, the whole Durable Task family, and a row of AI sample apps -- in a 105-second sweep on June 5," the website wrote on Friday. Is it very unusual for any company, let alone Microsoft, to disable so many of its own repositories in one go. They include 49 related to Azure, Microsoft's cloud computing arm, and some concerning AI agents. The shutdown repositories also include ones related to durabletask, a Microsoft development tool.

Researchers from StepSecurity wrote on Friday that the GitHub closures came after a malicious commit was pushed to the durabletask repository. That attack planted configuration files that would harvest peoples' credentials when they opened the repository in Claude Code, Gemini CLI, Cursor, or VS Code, StepSecurity wrote.
Microsoft said in a statement: "Our priority is to protect customers and the broader ecosystem. We temporarily removed some repositories as we investigated potential malicious content. Some of these repos have been restored after review, while others may remain offline while work continues. As part of our investigation, we notified a small number of customers who may have pulled down content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels."
Security

WhatsApp Catches Spyware Firm NSO Defying No-Hacking Court Order (securityweek.com) 34

wiredmikey shares a report from SecurityWeek: Meta-owned communications app WhatsApp says it recently detected and disrupted a spear-phishing attempt linked to spyware company NSO Group. The attack is allegedly in defiance of a court order that bars the spyware maker from targeting WhatsApp. WhatsApp filed a lawsuit against NSO in 2019, after it came to light that a zero-day vulnerability had been exploited to deliver spyware to users. [...] NSO has been seeking to overturn the order blocking it from targeting WhatsApp users, arguing that the company will "suffer irreparable harm."

According to WhatsApp, the spyware maker has violated the permanent injunction. The messaging app reported on Monday that it had recently learned of a social engineering attack that attempted to trick users into clicking on malicious links. WhatsApp has only shared a few domains as an indicator of compromise (IoC), but says it was able to link the attack to NSO, pointing to similarities to previously reported one-click phishing campaigns tied to the spyware company. WhatsApp says it also caught the attackers creating test accounts and groups. Those accounts and groups have been disabled, but further action is also being taken.
WhatsApp says it is asking a federal court to hold NSO in contempt for allegedly violating a permanent injunction barring it from targeting WhatsApp and its users. The company also said it is making a "significant contribution" to the Spyware Accountability Initiative, a fund aimed at exposing and stopping spyware abuse.
Programming

Ruby Fights Supply-Chain Attacks With Filter Offering 'Cooldown' Before Installing New Packages (rubygems.org) 24

Most supply-chain attacks using Ruby's package hosting site "exploit a narrow window," according to a new blog post form Ruby core maintainer Hiroshi Shibata.

So its packaging-managing Bundler tool now offers a filter that blocks new version until it's been public "for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window." The feature was designed in the open, drawing on how other ecosystems approach the same problem. It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing... Cooldown is unset by default, so a project without it keeps resolving to the newest versions.... Passing 0 disables cooldown for the run...

Cooldown is most useful as one part of the wider security investment happening on rubygems.org. The registry now validates gem contents at push time and checks logins against Have I Been Pwned so that compromised passwords cannot be reused, work described in Protecting rubygems.org from the outside in. A dedicated team is running AI-assisted vulnerability scanning against the most critical gems, backed by Alpha Omega and Anthropic, and the direction of all of this is tracked on a public roadmap. Trusted publishing and mandatory 2FA already raise the bar for who can push a release in the first place.

EU

EU's Tech Sovereignty Package Includes 9+ Pages on Open Source, Says Open Source Initiative (opensource.org) 18

Friday the Open Source Initiative welcomed the EU's new tech sovereignty package, noting that "over a third of the 29-page document is devoted to Open Source."

The nonprofit OSI — maintainers of the Open Source definition — submitted their official feedback in February, and notes that "many" of their key requests were addressed, "as well as some exciting new announcements!" One of the biggest barriers to Open Source adoption has been public procurement. Too often, tenders have been designed around proprietary solutions, ignoring the benefits of Open Source and locking public institutions into closed ecosystems. The OSI called for procurement rules that prioritize interoperability, reusability, and vendor independence. The package takes a major step forward in this area. The EU pledges to make the public sector an anchor consumer for Open Source solutions. The Commission plans to reform procurement rules to remove barriers for Open Source, provide better guidance to EU countries on procurement criteria to avoid excluding Open Source, and uphold the "public money, public code" principle when procuring software development. Both proposals align with the OSI's feedback. The next critical step is the EU's public procurement law reform. The OSI will continue advocating to ensure these pledges translate into action.

Beyond procurement, the OSI highlighted challenges faced by Open Source communities in Europe, particularly difficulties accessing investment and expertise to commercialize and scale projects. The Commission has responded by committing to ensure Open Source companies are considered for funding under the European Competitiveness Fund (ECF). It also plans to create "Open Source business accelerators" that will offer mentorship, training, legal and licensing consulting, and business development support, including marketing. Additionally, the Commission will work to raise industry awareness of Open Source solutions by leveraging the EU's existing business support networks. These measures directly address the OSI's concerns and could significantly boost the Open Source ecosystem in Europe...

[I]n our feedback, we called for the continuation of the Next Generation Internet (NGI) initiative that has funded many Open Source projects, and for the creation of a European Sovereign Tech Fund to fund ongoing maintenance and features development to meet the EU's needs. We also highlighted the need to mainstream Open Source in other funding opportunities (like the €100bn+ Horizon Europe programme). The Commission's strategy addresses these requests. The NGI will be scaled up under the new name "Open Internet Stack." A new Open Source Maintenance Instrument will fund the "maintenance and security upkeep of essential components." The Commission will also create a list of critical and security-relevant Open Source dependencies to inform funding decisions and promote Open Source solutions as the default approach in Horizon Europe funding.

Friday's announcement from the Open Source Initiative notes that the EU is already leading by example in Open Source adoption. It applauds the EU for "deploying a Matrix-based communications system and the openDesk collaboration environment internally, trialing an alternative operating system to replace Windows, which is currently widely used in EU institutions, and expanding its presence on the Fediverse, with Commissioners and key departments already joining the EU's Mastodon server.'
Open Source

Ladybird Browser Stops Accepting Public Pull Requests (ladybird.org) 25

The Ladybird browser isn't opposed to AI coding tools, but it's just brought a new change to their code-contributing policies.

February 23: "Ladybird adopts Rust, with help from AI." Our first target was LibJS , Ladybirdâ(TM)s JavaScript engine... I used Claude Code and Codex for the translation. This was human-directed, not autonomous code generation. I decided what to port, in what order, and what the Rust code should look like. It was hundreds of small prompts, steering the agents where things needed to go... The requirement from the start was byte-for-byte identical output from both pipelines. The result was about 25,000 lines of Rust, and the entire port took about two weeks. The same work would have taken me multiple months to do by hand.
June 5 (Friday): We will no longer accept public pull requests... A pull request no longer tells us as much as it used to about the person submitting it. A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds....

We have already seen patient, well-resourced campaigns in open source to earn maintainer trust and abuse it. What has changed is how much faster and cheaper it has become to produce work that looks like a serious contribution... Whether code was typed by hand is beside the point. What matters is who is responsible for it once it enters the browser. Ladybird is becoming a browser for real users. The people introducing changes to it must be the people who decide those changes belong in the project, and who will answer for the consequences.

As part of this change, we will close all currently open public pull requests. We are grateful for the work people put into them, but keeping the existing queue open would keep that contribution path open in practice. There is no perfect time to make this change, so we are making it now. Going forward, pull requests will only be available to project maintainers. There will not be a separate process for submitting patches by other means. We do not want to create a shadow contribution system through issues, comments, email, or forks...

Outside involvement still matters: clear bug reports, reductions, website testing, standards discussion, design discussion, security reports, and technical feedback all help move the project forward. This is the right change for Ladybird now. We are preparing to ship a browser to real users, and our development process has to match that responsibility.

Communications

The US Military Quietly Turned GPS Into a Global 'Numbers Station,' Evidence Suggests (404media.co) 49

A security researcher says evidence suggests the U.S. military has been using an obscure GPS message field for nearly 20 years to broadcast encrypted key-distribution data, effectively turning GPS satellites into a global "numbers station." The hidden-looking 176-bit messages appear tied to the Pentagon's Over-the-Air Distribution system for remotely updating cryptographic keys, meaning ordinary GPS receivers may have been receiving the traffic all along without anyone outside the military noticing. The findings have been detailed by Steven Murdoch, an information security expert, in a new article in Inside GNSS. 404 Media reports: [...] From the beginning, he suspected that the subframe field contained encrypted transmissions because the data was so random. "Random data is actually very unusual to get in nature," Murdoch said. "If you see it, either it's been carefully designed to be random -- but then, why is someone sending out random data? -- or it's encrypted data. I thought encrypted data is by far the most likely explanation." He returned to the subframe on and off over the years, and solicited guesses about its content on Stack Exchange in 2023. Ahmed Kamruddin, a master's student at UCL, developed the project further in 2025. Then, this year, Murdoch put the last pieces of the puzzle together over several weeks by analyzing open archive Global Navigation Satellite System (GNSS) recordings collected since 2007 and kept by GFZ Helmholtz Centre for Geosciences.

This dataset included more than 12 million observations of Subframe 4, Page 17, yielding 3,994 unique 176-bit messages. Within this corpus, Murdoch pinpointed key-repeating "sentinels" including a pattern that appeared in February 2010 and was broadcast on and off across dozens of satellites for more than a decade. Murdoch discovered that this particular sentinel was transmitted by all 31 operational satellites within a window of a few hours on May 26, 2011, potentially heralding the activation of a new operational system. He confirmed that this timeline coincided with the rollout of the military's Over-the-Air Distribution (OTAD) and the Over-the-Air Rekeying (OTAR) by cross-referencing declassified documents, including a 2015 presentation about the dates of the operation.

"There was a perfect match between the timeline and that presentation and the change points that were automatically identified from the data," Murdoch said. "That was the smoking gun that made me think: This is what it's for." These automated systems replaced the cumbersome manual distribution of cryptographic keying material, allowing military GPS receivers around the world to be rekeyed remotely through satellite broadcasts rather than through onsite procedures. For the next 11 years, this expansive rekeying operation was overlooked in public GPS data. In 2022, the system entered a new phase, according to Murdoch's analysis. The shift was characterized by a slowing in the message rotation rate. Later, in December 2023, broadcasts carrying a distinctive "TEXT" prefix emerged then gradually spread across the constellation.

Murdoch isn't sure what explains the recent transition, though it could be a possible modernization of the infrastructure or the introduction of a new protocol. But to him, the bigger takeaway is that the signals were always available for anyone willing to take a closer look, a discovery that suggests that there could be more revelations hidden for the cryptographically curious among us. "Every receiver in the world decodes Subframe 4, Page 17," Murdoch said in his new article. "Almost none of them have ever looked at it. The lesson generalizes: There is more to learn from the bytes already arriving at our antennas than from the bytes we wish were specified differently. The data are publicly available. The signal is overhead, twice a day, every day."

Open Source

BSA Lashes Out At Mandatory Open-Source Licensing (bsa.org) 87

Longtime Slashdot reader Elektroschock writes: The American Business Software Alliance (BSA) does not consider mandatory open-source licensing to be an appropriate indicator of sovereignty. This is among the "pointed messages" they sent to the French government consultation (closed) today. "What protects Europe is the ability to govern, audit, and mitigate risk, not where a company files its corporate papers," said Thomas Boue of BSA. "Criteria of this kind raise costs, reduce access to best-in-class security solutions, and risk conflicting with the EU's international trade commitments."
Security

New IronWorm Malware Hits 36 Packages In npm Supply-Chain Attack (bleepingcomputer.com) 20

A new npm supply-chain attack has infected 36 packages with Rust-based infostealer malware called IronWorm. According to BleepingComputer, the malware "targets 86 environment variables (key-value pairs) and 20 credential files that may contain OpenAI, AWS, Anthropic, and npm credentials, vault configuration files, SSH keys, and Exodus cryptocurrency wallet files." From the report: According to researchers at supply-chain and devops company JFrog, IronWorm is written in Rust, hides behind an eBPF kernel rootkit, and communicates with the operator over the Tor network. The Rust-based malware self-propagates by using stolen credentials for publishing on npm; this includes secrets associated with npm's Trusted Publishing workflow. Once it compromises a developer or CI environment, it can publish trojanized versions of packages owned by the victim, which then infect additional developers and CI systems.

This behavior is conceptually similar to Shai Hulud, which had its code published on GitHub recently. Although JFrog researchers did not find a clear connection between IronWorm and Shai Hulud, they observed the same commit names in both supply-chain attacks. This opens the possibility that the new malware is an evolution of TeamPCP's payload, since IronWorm appears to be "a custom, carefully built implant from an operation with its own infrastructure."

[...] The company provides a list of all impacted package names and their versions in the report and recommends that developers upgrade to fixed releases, rotate their keys, and enable two-factor authentication (2FA) for all accounts. At the same time, Endor Labs and StepSecurity have spotted a very similar but distinct attack involving a JavaScript-based malware named binding.gyp, performing registry poisoning and GitHub Actions infection, unfolding during the same time-frame.

China

LinkedIn China Spying Threat Prompts Warning From US, Allies (bloomberg.com) 21

The U.S. and its Five Eyes intelligence partners issued a joint warning (PDF) that Chinese military intelligence services are using LinkedIn and other professional networking sites to recruit people with access to government, military, foreign policy, or sensitive economic information. "These actors use an aggressive online recruitment strategy whereby intelligence officers or their affiliates pose as employees of private consultancies, think tanks or human resources firms, and place online job advertisements for foreign policy and defense analysts," the agencies said Wednesday. "China's military intelligence services ultimately seek to acquire privileged military, political and economic intelligence that can provide China with a strategic and tactical advantage over the Five Eyes." Bloomberg reports: China was targeting Five Eyes nationals with security clearance, particularly those working in foreign affairs, security and intelligence, and military personnel including people stationed in the Asia-Pacific region, it said. People with more peripheral access to government information, such as academics, journalists and think tank employees, were also being approached.

The Chinese embassy in the UK strongly condemned the accusations, calling the allegation of Chinese espionage threats "entirely fabricated" and "malicious slander." The "Five Eyes" members have "engaged in unscrupulous espionage and intelligence-gathering activities around the globe. Their activities are the real threat to peace-loving countries," the embassy said in a statement Thursday.

[...] According to the agencies, Chinese spies have commissioned reports to be written by those they've approached, paying them anywhere from a few hundred to several thousand dollars, with payments sometimes made in cryptocurrency. "Military members may be asked about their roles and unit activities, home base or naval vessel," the notice said. "Five Eyes agencies have identified individuals who have undertaken these activities, leading to criminal prosecutions, job losses, and security-clearance revocation," it warned.

Bug

Fedora Linux 43 Exposes 20-Year-Old Microsoft Outlook Security Failure (nerds.xyz) 54

BrianFagioli writes: Fedora Linux 43 users upgrading to the latest Dovecot mail server discovered something rather unsettling: some older Microsoft Outlook configurations may have been silently ignoring SSL/TLS settings for POP3 email connections for years. According to a Fedora community blog post, affected Outlook clients reportedly continued using insecure port 110 connections even when encryption was enabled in the application settings. The issue surfaced after Dovecot 2.4 disabled plaintext authentication on non secure connections by default, causing Outlook users to suddenly lose mailbox access after the Fedora 43 upgrade.

The report suggests the behavior may date back as far as Outlook 2007, although modern Outlook builds were not fully tested. Fedora admins stress that the problem could be limited to legacy account configurations rather than current versions of Outlook itself. Still, the discovery has sparked discussion among Linux admins and security folks because many users likely assumed their email traffic was encrypted simply because Outlook claimed SSL/TLS was enabled. The incident also highlights how stricter defaults in modern open source infrastructure can expose ancient assumptions and questionable behaviors that quietly survived for decades.

Android

Android Gets Fake Call Detection That Uses RCS 54

An anonymous reader quotes a report from 9to5Google: Phone by Google wants to combat the "growing threat of impersonation scams" and protect Android users against "sophisticated, AI-powered deepfake attacks" with fake call detection. [...] Fake call detection requires that both parties are on Android and use the Phone by Google app, while Google Messages and Google Contacts also have to be installed. When a contact calls, their phone "sends a silent confirmation signal in real time to your device to verify the call is legitimate and truly coming from the contact's device."

This digital handshake uses end-to-end encrypted RCS (Rich Communication Services). If you're being scammed by an impersonator, your phone will notice that the "initial confirmation signal will be missing," and ping the contact's real device to double-check. If their real device says, "I'm not making a call right now," you'll get a warning on your screen advising you to hang up immediately. This feature will be available globally on Android 12+ phones starting with Pixel devices this month. Fake call detection is enabled by default but can be turned off at any time. Google says it's "possible for other apps and device manufacturers to adopt this technology" given the RCS underpinnings.
You can learn more about fake call detection in Google's blog post.
The Military

Thanks To Robots, Ukraine Is Now Talking About Winning, Not Just Surviving (defenseone.com) 321

fjo3 shares a report from Defense One: A small but growing number of European officials and analysts are saying what four years ago was unthinkable: Ukraine isn't just surviving its grueling war with Russia, it is in some ways thriving and may even be on a path to victory. This isn't yet captured in headlines -- for example, about last weekend's barrage of Russian drones and missiles around Ukraine -- but in the details, like how some 90 percent were intercepted. Several long-term trends have shifted in Ukraine's favor, and the core reason is its fierce focus on AI and robotics.

In the crucible of war, Ukraine has developed drones and ground robots that can hold territory -- even take it back. Some are fully controlled by humans, like supply robots and medical-evacuation vehicles. But an increasing number are controlled in at least some aspects by dozens of AI products, from guidance packages on aerial drones to decision aids at the highest levels. [...] Just as important as the tech are the new tactics. Given unusual latitude to experiment, Ukrainian fighters began to develop robot-forward infantry concepts, like combined-arms attacks by airborne and ground systems, "more than a year ago. Right now, we're massively starting to implement this," said Davyd Aloian, deputy secretary of the National Security and Defence Council of Ukraine, the coordinating body on domestic and international security, in an interview.

Ukraine and its partners are also steaming ahead on new concepts for highly autonomous defenses against Russian drones, combining ISR sensors and AI to detect and identify enemy drones in less time and with more certainty. "All of the systems are being linked with each other and with people" to create a distributed network with interceptor drones at various locations to be activated when needed, Aloian said. "One day we will have only like 10 guys who are just going to be responsible for approving interception. And it will automatically go direct to the target." The human operators will be dispersed as well. "Everything can be controlled from Kyiv, Lviv, from cities in other countries," he said.
"It's not what happened to Ukraine" (referencing Russia's barrage of Shahed drones) that "should scare us in Europe," said Swarmer CEO Serhii Kupriienko. It's how quickly Ukraine's "middling" military evolved to counter Russia's invasion.

"We are behind by literally 10 years or 20 years" in some defense-technology areas, such as satellite imagery, Kupriienko said, and yet his country has climbed a capability curve that just two years ago seemed insurmountable. So could others, he said. "The answer is always AI solutions and integrating the AI into even the daily routine work within the bureaucracy," he said.

"We have evolved since 2022, the industry has and our defense has as well. Right now we are able to provide not only [large quantities of drone] assets but everything what is needed to build out the ecosystem," including parts and production, training, modification, etc. Aloian said.
AI

Microsoft's Project Solara Is an OS For Devices That Run AI Agents Instead of Apps (geekwire.com) 50

An anonymous reader quotes a report from GeekWire: A team inside Microsoft has been quietly building a platform for devices that run AI agents instead of apps, based on Android instead of Windows, with two working hardware designs so far, and an initial set of big-name companies lined up to run pilots. The platform, dubbed "Project Solara," is Microsoft's bet that AI will open up entirely new scenarios for computing -- using agents to avoid the constraints of traditional software, and off-the-shelf components to develop new devices quickly and inexpensively. [...] The company unveiled Solara on Tuesday at its Build conference in San Francisco, describing it as a new platform that spans from chip to cloud. GeekWire got a behind-the-scenes look at the project during a briefing last week in Redmond, including demos of the first two concept devices based on the platform:

- A desktop hub that sits beside a PC and responds to voice commands, signs users in using facial recognition, and surfaces the day's most pressing items. With a monitor attached, it becomes a full Windows machine running in the cloud.
- A wearable badge that reimagines the standard employee ID card. A fingerprint button wakes an agent in one press; a single tap records and transcribes a conversation; and a built-in camera lets the agent act on what the user sees.

Microsoft says it won't ship these devices itself. Instead, it envisions hardware makers and other industry partners turning the reference designs into implementations of their own, each intended for a specific industry, company, or scenario. For example, in one demo shown by the company, the high-tech badge ran on agents designed for use by a health-care worker, including the ability to scan a patient's QR code, record and transcribe the visit, log vitals, and start a prescription. In another application of the same badge, the built-in camera scanned a brainstorm board with ideas for an office revamp, and made a suggestion: add some plants.

The two devices are a starting point. The bigger opportunity, the company says, is all the tasks and workflows where a PC or phone gets in the way or isn't practical to use. [...] In the coming months, companies including AccuWeather, Best Buy, CVS Health, Levi's, and Target are expected to begin pilots of devices based on the reference designs. The operating system is the Microsoft Device Ecosystem Platform, or MDEP, an enterprise version of Android that Microsoft developed for devices including Teams meeting-room hardware. The company says it chose MDEP over Windows deliberately, to run on smaller, lower-power devices while keeping the management and security features IT departments expect: patch and over-the-air updates, device integrity, Microsoft Defender, Intune, and Entra ID sign-in.
While the project is still in the early stages, Microsoft CEO Satya Nadella encouraged the team to show it at Build sooner than the company would normally show its work in public. "That underscores just how competitive and fast-moving the AI world is right now, but it also illustrates the pace that the new technologies are enabling," reports GeekWire.

The report notes that the business model for the platform still needs to be worked out. The devices run on Microsoft's Azure cloud, but beyond that, "the economics are still taking shape."

Qualcomm and MediaTek have been chosen as the first chip partners. "The badge runs on a new Qualcomm wearable chip; the desk hub runs on MediaTek IoT silicon," reports GeekWire. "Both are off-the-shelf, not custom, which is central to how Microsoft plans to keep devices cheap and fast to build."
Cellphones

Russian Spy Agency Says Foreign Spies Turned Officials' Smartphones Into Surveillance Devices (theregister.com) 26

Russia's FSB claims foreign intelligence services compromised smartphones belonging to senior Russian officials, allegedly turning them into surveillance devices capable of stealing data, recording conversations, and activating microphones or cameras. "This software is used to steal existing data, eavesdrop on ongoing conversations, and conduct covert acoustic and video monitoring of the environment near electronic devices, all aimed at obtaining sensitive information," the FSB said. The Register reports: The agency said it had opened a criminal investigation into illegal access to computer information and the distribution of malicious software. It did not identify the alleged intelligence service responsible, disclose how many officials were affected, name the malware involved, or provide any technical indicators that would allow independent verification of the claims. As things stand, the FSB has revealed the accusation but not the proof.
Government

Trump Signs AI Executive Order Asking Companies To Give Government Early Access To Models (cnbc.com) 68

An anonymous reader quotes a report from CNBC: President Donald Trump on Tuesday signed an executive order asking artificial intelligence companies to provide models to the federal government to assess their capabilities ahead of a full release. The order asks companies, on a voluntary basis, to participate in a benchmarking process to assess a model's "advanced cyber capabilities" and determine whether it should be considered a "covered frontier model." It then asks for access to those models up to 30 days before the companies plan to release them more broadly, and enables the government to help select the "trusted partners" that will receive early access.

"Nothing in this section shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement for the development, publication, release, or distribution of new AI models, including frontier models," the order said. Trump signed the order in private, just weeks after he postponed a signing ceremony with prominent tech CEOs because he "didn't like certain aspects of it," he told reporters at the time. [...] Trump's AI order outlines several timeframes to develop directives and other guidance, specifically calling on the Department of Defense to prioritize the cyber defense of its information systems.

Slashdot Top Deals