security meets culture
USB-C was Supposed to Unify Everything, but it's a Mess of Hidden Incompatibilities
By Sydney Butler for How-To Geek
Credit: Justin Duino / How-To Geek
I can't imagine my life without USB-C at this point. There's lots to love about this widespread connector standard. For the most part, I can plug any 2 things with USB ports or cables into each other, and something useful will happen.
The problem is that, more often than not, the "useful" thing that happens is different from the thing I needed to happen, or it's a worse, but functional, version of the thing I needed. In its attempt to be everything to everyone, USB-C has become a bit of a mess, and I'm not exactly sure if it can even be fixed at this point.
Not every USB-C port can do the same things - What's going to happen when I plug this in? It's a surprise!
The biggest problem with USB-C is that the connector itself gives you very little information when it comes to what a device does or what port can actually do. You can have 2 laptops, as one example, that both have USB-C ports which look absolutely the same. Yet one might be the latest, fastest, most powerful version of USB4 with Thunderbolt to boot. The other? It could be USB 2.0 for all you know.
Credit: Apple
Nothing exemplifies this better than the MacBook Neo. A low-cost laptop released to great acclaim by Apple. It sports just 2 USB-C ports alongside a headphone jack. The one on the left is a full-fat USB 3.1 port with support to run a high-resolution monitor. The one on the right is USB 2.0, good for charging the laptop and running a mouse and keyboard.
The technological gap between these two ports is literally decades apart, but you can't tell just by looking. With USB-A, at least there was some attempt at establishing a color code. If the port was blue on the inside, you were looking at USB 3.0 or better, and if it was black, it was USB 2.0. In the end lots of manufacturers did what they wanted anyway (purple and orange? Sure, why not?), but there was some effort.
Some laptop makers try to include little icons to give you an idea of whether a port will run a monitor or if it has Thunderbolt support, but this is hit-and-miss and also not standardized.
USB-C cable labels are still a mess - They're either not into labels, or way too into labels
So you've confirmed your ports have the features you want, but that's not even close to the end of the ordeal. Next you have to ensure that the cable you have also supports the same level of features. Now, to be fair, the USB-IF has tried to create logos for the packaging that cables come in. These have changed in the meantime as the names of the different standards have been changed (which is a different complaint), but at least at the point where you buy the cable, you can tell what it can do.
After you've thrown the packaging away and the cable enters your general spaghetti of USB cables, good luck working out which of your cables will run your SSD at full potential, and which will throttle it back to the year 2000.
Charging speeds remain confusing - Shocking, we know
Credit: Sergio Rodriguez / How-To Geek
In defense of USB-C, you'll almost always get some form of charging if you plug, say, a phone into a random USB-A or USB-C charger. The problem is that the lowest common-denominator charging speed that is negotiated between the charger, cable, and port on the device might be so slow that you'll only have a full battery in a week, or perhaps never.
We have the official USB-PD standard, but there's also a lot of proprietary stuff out there. A 100W charger doesn't guarantee 100W charging. A high-end cable doesn't guarantee maximum speed. Some devices charge at their full rated speed only with specific chargers, while others aggressively limit charging depending on battery conditions or thermal limits.
Honestly, I think the current power regime for USB-C is just too convoluted for the average consumer. I bet most people just don't realize that their devices aren't charging at the best rate, unless it's so slow as to be unusable. The industry is getting away with it, because most of its users don't know any better.
USB naming is somehow worse than ever
USB's branding problem deserves an award for making simple things unnecessarily complicated. This is the naming fiasco I alluded to earlier, but seeing it in all its glory really makes my blood boil.
The standard that launched as USB 3.0 became USB 3.1 Gen 1. Later it became USB 3.2 Gen 1. Meanwhile, newer versions introduced names such as USB 3.2 Gen 2 and USB 3.2 Gen 2x2. The speed differences between these standards can be enormous, with each successive generation doubling the bandwidth in some cases. In the world of WiFi or PCI Express, they have the decency to just give each major bump in performance a whole generational number. Instead, we get a series of fractional USB 3 versions, and then USB4. I give up.
Microsoft fixes Windows Update Failures Linked to WUSA Installer
By Sergiu Gatlan for bleepingcomputer
Microsoft has fixed a known issue that caused Windows updates released since May 2025 to fail when installed via the Windows Update Standalone Installer (WUSA) from a network share.
WUSA is a built-in Windows command-line tool that helps admins install and uninstall Microsoft Standalone Update (.msu) files through the Windows Update Agent API to deploy or remove patches, updates, and hotfixes.
This known issue affects Windows 11 24H2/25H2 and Windows Server 2025 devices on enterprise networks, as WUSA isn't a common method for installing updates on home devices. Microsoft also noted that the bug doesn't occur with a single .msu file or when the files are stored locally.
"Windows updates installed using the Windows Update Standalone Installer (WUSA) might fail with error ERROR_BAD_PATHNAME, when the update is installed using WUSA or double-clicking a .msu file from a network share that contains multiple .msu files," Microsoft said when it acknowledged the issue in August 2025.
"These issues might occur on devices that installed updates released May 28, 2025 (KB5058499) and later."
Microsoft first mitigated this known issue automatically on home and non-managed business devices through a Known Issue Rollback Group Policy beginning September 2025.
Fixed in June 2026 cumulative updates
As part of the June 2026 Patch Tuesday, Microsoft finally addressed this known issue for all affected systems in cumulative updates released for Windows 11 (KB5079391) and Windows Server 2025 (KB5094125).
"If you are using an update released before this date, and are experiencing this issue, you have the option to work around it by saving the .msu files locally on the device and install the update from this location," Microsoft said in a Windows release health dashboard update.
"Also, if you've restarted Windows after installing an .msu file via WUSA, please wait 15 minutes or more before checking the Update History page in Settings. After this short delay, the Settings app should properly indicate if the update installed successfully."
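The workaround Microsoft describes, staging the .msu files on the local disk before WUSA touches them, as an added example for admins scripting a rollout (this is not code from the article or from Microsoft). The share and staging paths are hypothetical placeholders, and the exit-code meanings are the standard Windows/Windows Update codes, which the article does not list.

```powershell
# Added example, not from the article or Microsoft. Copies each .msu from a
# share to a local staging folder and installs it with wusa.exe one at a time,
# so WUSA never opens a multi-.msu network share directly (the failing case).
# Run from an elevated PowerShell session on the target device.
param(
    [string]$SharePath = '\\fileserver\updates\2026-06',   # hypothetical share
    [string]$StageDir  = "$env:SystemDrive\UpdateStage"    # hypothetical local path
)

New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
$rebootNeeded = $false

foreach ($msu in Get-ChildItem -Path $SharePath -Filter *.msu | Sort-Object Name) {
    # Copy first: the bug in the article is WUSA reading the .msu from the share.
    $local = Join-Path $StageDir $msu.Name
    Copy-Item -Path $msu.FullName -Destination $local -Force

    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$local`" /quiet /norestart" -Wait -PassThru

    # Standard exit codes (not stated in the article): 0 = success,
    # 3010 = ERROR_SUCCESS_REBOOT_REQUIRED, 161 = ERROR_BAD_PATHNAME (the
    # symptom Microsoft describes), 2359302 = 0x240006 WU_S_ALREADY_INSTALLED.
    switch ($proc.ExitCode) {
        0       { Write-Host "$($msu.Name): installed" }
        3010    { Write-Host "$($msu.Name): installed, reboot required"; $rebootNeeded = $true }
        161     { Write-Warning "$($msu.Name): ERROR_BAD_PATHNAME, WUSA still hit the known issue" }
        2359302 { Write-Host "$($msu.Name): already installed" }
        default { Write-Warning "$($msu.Name): wusa.exe exit code $($proc.ExitCode)" }
    }
}

if ($rebootNeeded) {
    # Per Microsoft's note above, Update History can lag the restart by 15 minutes or more.
    Write-Host 'Restart required. Wait 15+ minutes after reboot before checking Update History.'
}
```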
Microsoft resolved another issue in April 2025 preventing enterprise customers from installing the April 2025 security updates via Windows Server Update Services (WSUS), and an identical bug that caused the August 2025 Windows 11 updates to fail with 0x80240069 errors.
Earlier this week, Microsoft also warned customers that they may have issues installing the latest monthly updates on some Windows devices upgraded to Windows 11 24H2 or 25H2.
Microsoft Fixes BitLocker Recovery Bug on Windows Server 2025
By Sergiu Gatlan for bleepingcomputer
Microsoft has resolved a known issue causing some Windows Server 2025 devices to boot into BitLocker recovery after installing the April 2026 security update.
The BitLocker security feature encrypts storage drives to prevent data theft and will typically force Windows computers to enter recovery mode after hardware changes or events, such as TPM (Trusted Platform Module) updates, to allow regaining access to protected drives that have not been unlocked via the default unlock mechanism.
"Some devices with an unrecommended BitLocker Group Policy configuration might be required to enter their BitLocker recovery key on the first restart after installing this update," Microsoft said when it acknowledged this issue after the April 2026 Patch Tuesday.
"In this scenario, the BitLocker recovery key only needs to be entered once; subsequent restarts will not trigger a BitLocker recovery screen, as long as the group policy configuration remains unchanged."
While this issue may also affect some systems running Windows 11, Microsoft says it's unlikely to impact personal devices, as affected configurations are typically found only on enterprise systems managed by corporate IT teams.
As Microsoft explained at the time, this only happens for very specific configurations, on devices where all the following conditions are met:
- BitLocker is enabled on the OS drive.
- The Group Policy "Configure TPM platform validation profile for native UEFI firmware configurations" is configured, and PCR7 is included in the validation profile (or the equivalent registry key is set manually).
- System Information (msinfo32.exe) reports that the Secure Boot State PCR7 Binding is "Not Possible".
- The Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database (DB), making the device eligible for the 2023‑signed Windows Boot Manager to be made the default.
- The device is not already running the 2023-signed Windows Boot Manager.
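A read-only check of the conditions listed above, plus a scan for the Event ID 1032 marker Microsoft mentions later in the article, as an added example for admins triaging a fleet before deploying the update (not code from the article or from Microsoft). Assumed: the platform validation policy lives under the `OSPlatformValidation_UEFI` registry key with per-PCR DWORD values, and the 2023 CA can be found by searching the Secure Boot DB bytes for its subject name; the msinfo32 PCR7 binding state and the currently running Boot Manager are left as manual checks.

```powershell
# Added example, not from the article or Microsoft. Run elevated on the device.
# Reports which of the listed preconditions hold; it changes nothing.
$report = [ordered]@{}

# 1. BitLocker enabled on the OS drive.
$bde = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['BitLockerOnOsDrive'] = ($bde.ProtectionStatus -eq 'On')

# 2. "Configure TPM platform validation profile for native UEFI firmware
#    configurations" set, with PCR7 in the profile. Assumed registry location
#    and layout: Enabled=1 plus DWORD values named by PCR index.
$pcrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
$pcrPolicyConfigured = $false
$pcr7InProfile = $false
if (Test-Path $pcrKey) {
    $vals = Get-ItemProperty -Path $pcrKey
    $pcrPolicyConfigured = ($vals.Enabled -eq 1)
    $pcr7InProfile = [bool]($vals.PSObject.Properties['7'] -and $vals.'7' -eq 1)
}
$report['PcrPolicyConfigured'] = $pcrPolicyConfigured
$report['Pcr7InProfile']       = $pcr7InProfile

# 3. Windows UEFI CA 2023 present in the Secure Boot signature database (DB).
#    The DB is a binary blob; the CA's subject name appears in it as ASCII.
$ca2023InDb = $false
if (Confirm-SecureBootUEFI) {
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $ca2023InDb = ([System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023')
}
$report['Ca2023InDb'] = $ca2023InDb

# 4. Event ID 1032 in the System log, which Microsoft says marks impacted devices.
#    The article gives no provider name, so other 1032 events may also match;
#    inspect the message text before acting on it.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1032 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
$report['EventId1032Seen'] = ($null -ne $ev)

# PCR7 binding ("Not Possible" in msinfo32) and the running Boot Manager version
# are not queried here; confirm them manually before treating a device as exposed.
$report['ScriptedPreconditionsMet'] = $report.BitLockerOnOsDrive -and
    $report.PcrPolicyConfigured -and $report.Pcr7InProfile -and $report.Ca2023InDb

[pscustomobject]$report | Format-List
```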
During this month's Patch Tuesday, 2 months after confirming the issue, Microsoft resolved this bug in the KB5094125 (Windows Server 2025) and KB5093998 (Windows 11 23H2) cumulative updates.
"This update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations," Microsoft said in updated advisories.
"To prevent the unexpected BitLocker recovery key prompt, devices with this incompatible group policy configuration are prevented from installing the 2023-signed Windows Boot Manager. If your device was impacted, you will see Event ID 1032 in the System event log when installing Windows updates," it added in a service alert seen by BleepingComputer.
IT admins who can't yet deploy this month's updates to fix the issue are advised to remove the Group Policy configuration before installing KB5082063 and later updates, and to ensure that BitLocker bindings use the PCR7 profile.
Those who can't remove the group policy before deployment can also apply a Known Issue Rollback (KIR) on affected devices to prevent the automatic switch to the 2023 Boot Manager, which triggers the BitLocker recovery prompts.
In August 2024, Microsoft addressed another known issue that triggered BitLocker recovery prompts across all supported Windows versions after installing the July 2024 security updates.
More recently, in May 2025, Microsoft released emergency updates to address a similar issue causing Windows 10 systems to enter BitLocker recovery after installing the May 2025 security updates.
Valve Kills its Retail Gift Card Program due to Scammers
By Kyle Orland for Ars Technica
Move also cuts off a massive market of legit users who buy cards with physical cash.
This photo is going to be a vision from a lost world relatively soon. Credit: Prestmit
For years, Valve's physical Steam gift cards have been the closest you could come to buying a Steam game at a brick-and-mortar store. Now, Valve says it is phasing out the production of new retail gift cards, citing a losing battle against scammers exploiting the hard-to-track payment method.
PC Guide was among the first to note the end of Valve's retail gift card program, which was quietly announced in a recent update to a Steam support page. Since launching the retail cards in 2012, Valve says it has been fighting a constant battle with scammers, who instruct victims to purchase gift cards and share the pertinent details and security PIN. Those scammers can then resell the gift card details at a discount on gray-market sites to effectively launder the funds, creating an anonymous and hard-to-trace form of payment.
Valve says it has made various moves to slow scammers, including placing limits on redemption and availability and adding a prominent warning on the cards themselves: "Never share a pin via email, social media or over the phone."
But the company now admits that "scammers have adapted" and "continue to have an impact on Steam customers and other unsuspecting individuals." Rather than continue to fight against that "impact," Valve writes that it has "made the difficult decision to end the Steam Gift Card program at retail stores."
Steam users will still be able to redeem existing physical gift cards, and retailers will be able to sell physical gift cards that are already in stores. But Valve estimates that those existing stocks will be completely gone by the end of 2026 as it ceases new production.
Not in a sto' no mo'
The end of physical gift cards effectively severs Valve's last link to the old brick-and-mortar retail world that Steam so effectively killed across the PC gaming landscape. When Steam was announced in 2002, Valve's Gabe Newell sold it as a way to get around those annoying retailers altogether, "eliminating the overhead of physical goods distribution" and "leverag[ing] the efficiency of broadband to improve customer service and increase operating margins."
Over 2 decades later, though, Valve says there's still a huge legitimate market for physical Steam gift cards, which are the most direct way for gamers to convert physical cash into digital PC games. In early 2024, Valve reported that it had tallied up $80 million in physical gift card redemptions during just the last 11 days of 2023.
That's a significant market even for a multi-billion-dollar company like Valve, and one that Valve said has been a "massive benefit to developers." At the same time, Valve wrote in 2024 that "physical cards are some of the most expensive payment methods we support," no doubt thanks to the overhead associated with printing/shipping and support time devoted to dealing with scammed customers.
So while Valve will miss the significant revenue it derives from physical gift cards each year, it will probably welcome the opportunity to finally be able to completely ignore the retail market. Customers, meanwhile, will still be able to purchase digital gift cards directly from Valve or add Steam funds via some prepaid debit cards available at retail, as long as there's an address attached.
Microsoft Patches Exchange Server Zero-Day Exploited in Attacks
By Sergiu Gatlan for bleepingcomputer
Microsoft has patched an actively exploited Exchange Server vulnerability that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Access users.
This high-severity spoofing vulnerability-- CVE-2026-42897-- affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software and can be exploited by remote attackers with no privileges.
"An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context," the Exchange Team said in mid-May, when Microsoft rolled out automatic temporary mitigation through the Exchange Emergency Mitigation Service (EEMS).
BleepingComputer has yet to receive a response from Microsoft to questions about the attacks exploiting CVE-2026-42897.
Yesterday, Microsoft released security updates to address the security flaw in affected Exchange Server installations, advising admins to deploy them "as soon as possible" and leave the mitigations in place for additional protection.
"Microsoft recommends installing the June 2026 Security Updates for your version of Exchange Server as soon as possible to be protected from this vulnerability," it noted in an update to the original security advisory.
"As part of our ongoing efforts to strengthen security and improve defenses across environments, we continue to enhance protections for cross-site scripting attacks. We recommend that customers keep the mitigation described in place. The mitigation provides an additional layer of defense and helps ensure continuous protection as further improvements are released."
The Cybersecurity and Infrastructure Security Agency has also added the vulnerability to its list of security flaws exploited in the wild on May 15 and ordered US government agencies to patch their servers within 2 weeks, by May 29.
Over the past 5 years, CISA has added 20 Microsoft Exchange Server vulnerabilities to its list of exploited security flaws, with ransomware gangs having exploited 14 of them.
In October, weeks after Exchange 2016 and 2019 reached the end of support, CISA and the National Security Agency (NSA) also released guidance on hardening Exchange servers against attacks.
Microsoft: Some Windows PCs Fail to Install Latest Monthly Updates
By Sergiu Gatlan for bleepingcomputer
Microsoft warned customers on Tuesday that they may have issues installing the latest monthly updates on some Windows devices that were upgraded to Windows 11 24H2 or 25H2.
On affected systems, users will see 0x80073712 or 0x800f0993 errors when trying to install the June 2026 cumulative updates.
"A small percentage of devices running Windows 10, versions 22H2 and 21H2, or Windows 11, version 23H2, that were then upgraded to Windows 11, version 24H2 or 25H2, might fail to install the latest cumulative update," Microsoft said in a service alert first spotted by Microsoft MVP Susan Bradley.
"After encountering this issue, devices cannot install monthly Windows updates. When you go to Settings > Windows Update > Update history, you might see that Windows updates fail with error 0x80073712/0x800f0993."
When checking the Windows Update log files on impacted devices, users will see error 0x800f0993 (PSFX_E_REBASE_HYDRATION_CANDIDATES_MISSING) or 0x80073712 (ERROR_SXS_COMPONENT_STORE_CORRUPT) triggered when trying to install the latest updates.
According to Microsoft, a fix for this known issue will roll out to all unmanaged enterprise devices and personal PCs-- Home edition-- following a system restart.
"No new devices in these categories should be affected by this issue starting from May 19, 2026, 6:30 p.m. PT. Restarting the device might allow the resolution to apply sooner. No other action is required beyond a device restart," Microsoft added.
For all other affected devices, Microsoft has released the following Windows updates as part of its June 2026 Patch Tuesday, which should install automatically during upgrades to Windows 11 to prevent this issue from occurring:
However, as Microsoft further explained, this issue will not be addressed on affected systems that have already been upgraded to Windows 11, version 24H2 or 25H2.
On these devices, users should remove the affected package to unblock update installation by running the following command in an elevated Command Prompt:
dism /online /remove-package /packagename:Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.1742.1.10
If the above mitigation does not fix the update issue, users are advised to perform a Windows 11 in-place upgrade.
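Added example, not code from the article or from Microsoft: a triage script that walks the steps above on one machine (confirm 24H2/25H2, look for the two error codes, check whether the named package is still installed, and optionally remove it). It assumes that failed installs are logged as Event ID 20 in the WindowsUpdateClient operational log, that the DISM PowerShell module is available, and that it runs in an elevated session.

```powershell
#Requires -RunAsAdministrator
param([switch]$Fix)   # pass -Fix to actually remove the package instead of only reporting

# Package and error codes as given in the article
$affectedPackage = 'Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.1742.1.10'
# ERROR_SXS_COMPONENT_STORE_CORRUPT and PSFX_E_REBASE_HYDRATION_CANDIDATES_MISSING
$knownErrorPattern = '0x80073712|0x800F0993'

# 1. The known issue only applies to devices upgraded to 24H2 or 25H2.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Host "Windows $($cv.DisplayVersion), build $($cv.CurrentBuild).$($cv.UBR)"
if ($cv.DisplayVersion -notin @('24H2', '25H2')) {
    Write-Host 'Not running 24H2 or 25H2; this known issue does not apply to this device.'
    return
}

# 2. Recent update installation failures carrying either error code
#    (assumption: Event ID 20 = installation failure in this log).
$failures = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        Id        = 20
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $knownErrorPattern })

# 3. Is the package Microsoft names still installed?
$pkg = Get-WindowsPackage -Online | Where-Object { $_.PackageName -eq $affectedPackage }

if ($failures.Count -eq 0) {
    Write-Host 'No update failures with 0x80073712/0x800F0993 in the last 30 days.'
} elseif ($pkg) {
    Write-Host "$($failures.Count) failed install(s) with the known error codes; affected package present (state: $($pkg.PackageState))."
    Write-Host "Equivalent manual fix: dism /online /remove-package /packagename:$affectedPackage"
    if ($Fix) {
        # Same operation as the dism command from the article, via the DISM module
        Remove-WindowsPackage -Online -PackageName $affectedPackage -NoRestart
        Write-Host 'Package removed. Restart the device, then retry Windows Update.'
    }
} else {
    Write-Host 'Failures found but the package is already gone; if updates still fail, Microsoft advises a Windows 11 in-place upgrade.'
}
```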
Over the past several months, Microsoft has fixed multiple issues affecting the Windows update installation process.
For instance, in April, it released an out-of-band update to fix the March 2026 non-security preview update-- KB5079391-- due to a known issue that also triggered 0x80073712 errors on Windows 11 during deployment.
One month later, Microsoft warned customers that they may encounter Windows Update failures after installing the January 2026 optional non-security preview updates in restricted network environments.
More recently, it resolved another known issue causing failures and 0x800f0922 errors when installing the May 2026 Windows 11 security update-- KB5089549.
Android now Flags Calls that Spoof Your Contacts' Numbers and Voices - Here's How the Detection Feature Works
By Rob LeFebvre for Make Use Of
Make Use Of
It's getting harder and harder to figure out what's real. Scammers can use deepfake AI and spoofed caller ID to make you believe you're answering a call from someone you know, like your mom, who you might give your credit card or social security number to.
Google rolled out fake call detection in June as part of its Android Feature Drop, and it's one of the more practical and useful security additions. Here's how it works, what it can actually catch, and where it still falls short.
Why caller ID stopped being enough - The AI voice cloning problem
Credit: Kaspars Grinvalds/Shutterstock
Caller ID was created to show you a number and a name, not to prove the person holding the phone is actually the person that matches the information. Scammers have exploited this loophole, called number spoofing, by routing calls through software that can make any number appear in your Caller ID display.
The new development is called AI voice cloning. Experts say AI audio deepfakes can be so realistic that most people can't tell the difference between the AI and a real human voice. Combine this with a spoofed number and you've got a prime way to get past any suspicions you might have. If you see mom's number and hear your mom's voice, you likely won't think twice.
The scale is pretty significant, as well. INTERPOL's March 2026 Global Financial Fraud Threat Assessment report cited impersonation fraud as one of the leading contributors to over $400 billion in global losses. The FTC logged $2.95 billion in impersonation scam losses in 2024 alone.
How Android's detection actually works - A silent digital handshake between devices
Instead of analyzing voices, Google's fake call detection works at the device level. When a saved contact calls you and both of you are running Google's native Phone app, the caller's device sends a confirmation signal in real time to verify the call is legitimate and truly coming from the contact's device. This digital handshake uses end-to-end encrypted RCS-- Rich Communication Services-- technology, keeping it completely private.
If that handshake signal is missing-- and it will be if a scammer is spoofing your contact's number-- your device will know right away and will ping your contact's actual device to double-check. If their device doesn't confirm that it's making a call, you'll get a warning on your screen to hang up immediately.
The whole process is fast and completes before you even say a word. The warning appears on the incoming call screen, which matters: impersonation scams typically work by building urgency fast. Cutting the momentum off before it even builds up is the whole point.
What it can and can't catch - The requirements are real constraints
Credit: Make Use Of
Fake call detection is thankfully on by default, but it has a long list of requirements which could limit its reach. Both parties need to be on Android, and they each need to use the Phone by Google app. Plus, you both need to have Google Messages and Google Contacts installed on your phone. If your contact uses an iPhone, Samsung dialer, or any other app, the handshake can't happen and you'll get no warning.
The rollout will expand globally to Android 12+ devices through Phone by Google. This builds on Google's verified financial calls rollout earlier in 2026, which uses a similar verification approach to confirm whether an incoming call is genuinely from a user's bank, and can automatically end connections that fail verification.
You'll also need to activate RCS in Google Messages. To do that, open Messages, tap your profile icon, go to the Settings app, search for RCS, tap RCS chats in General Settings, and make sure the RCS chats are turned on. Without RCS, your phone can't send or receive the verification signal.
While you're in there, you can also take care of detecting spam calls. Tap through to Protection & safety and make sure Spam protection is toggled on.
It's a step forward, but it still has limits
Fake call detection isn't a complete solution, since your contacts might use an iPhone or a different dialing app, or might not have RCS set up. You still have to rely on your own judgment when a spoofed call comes in. Still, if you and your contacts are within Google's ecosystem, the approach makes sense: verify the device, not the voice. Caller ID hasn't ever been super accurate-- it's easily spoofed-- and AI voice cloning has now made knowing the voice on the other end rather pointless. Using the encrypted out-of-band signal to confirm the call is actually coming from where it claims to be from is the right direction, and we can only hope that other manufacturers implement something similar-- since they all now support RCS. Google has said it built the feature on the open RCS standard specifically so other app developers and device makers can adopt the same verification protocol, so broader coverage is at least technically possible.
One Day after Discovery, Meta pulls Facial Recognition Code from its Smart Glasses
By Dhruv Mehrotra and Dell Cameron, wired.com
Meta won't say why or whether it's coming back.
Mark Zuckerberg, chief executive officer of Meta Platforms. Credit: David Paul Morris/Bloomberg/Getty
One day after WIRED revealed that Meta had quietly embedded an unreleased face-recognition system into an app installed on more than 50 million phones, the company removed it, according to a WIRED analysis of the latest version's code.
The most recent version of Meta AI, a companion app for its line of smart glasses, strips out the unactivated software components that powered the system Meta internally called NameTag. The version published the day of WIRED's report included several code libraries explicitly named for face recognition. Friday's release includes none of them.
Andy Stone, Meta's vice president of communications, told WIRED on Monday that the feature is purely exploratory, adding: "No final decision has been made on what to do here, if anything."
On Thursday, WIRED reported that Meta had quietly integrated substantial portions of the NameTag system into the Meta AI app. Though never publicly enabled, the feature was designed to convert faces captured by the glasses into unique biometric signatures, commonly known as faceprints, and compare them against a database of faceprints stored on the user's device. WIRED also found that faces the system failed to recognize were cropped, indexed, and stored locally for future processing.
NameTag first surfaced in February, when The New York Times, citing internal Meta documents, reported that the company was developing face recognition for its smart glasses and weighing a launch as soon as this year. One memo reportedly described releasing it during a "dynamic political environment," when privacy and civil liberties advocates would be distracted. Last week, WIRED reported that much of NameTag's machinery was already built into the Meta AI app, downloaded by millions of users, as early as January, even as Meta publicly said it had made no final decision about face recognition.
After WIRED's report, Stone dismissed the findings, writing that the company couldn't answer questions about how the system would work because "the feature does not exist." Andrew Bosworth, Meta's chief technology officer, called the reporting "incredibly misleading" and "absolutely dishonest."
Meta declined to answer 10 questions WIRED posed before publishing on Thursday, including whether it had already created the database of face profiles NameTag uses, how long the app retains photographs and biometric data of unrecognized people stored on a user's device, and whether that data would ever be sent back to Meta's servers.
Additionally, Meta did not respond to a question about whether it was building NameTag specifically for blind or low-vision users, and did not respond to criticism from privacy advocates who have warned the system could let stalkers and abusers identify strangers in public. It did not respond when asked whether it planned to let users opt in or opt out of the system.
The newly released version of Meta AI removes nearly all traces of the feature Meta said did not yet exist. Gone is the face-recognition software itself, along with the code that ran the NameTag recognition process and the "Person recognized" alert the app would have shown if someone were identified. The update also strips out a folder where the app would have stored the cropped images and biometric signatures of faces it captured but could not identify.
Meta did not answer WIRED's questions about why the code was removed or whether the changes were planned before WIRED's story was published.
A few fragments of the NameTag system remain in the latest version of Meta AI, including an internal debug menu label and a dormant link meant to open a recognized person's profile. The leftover code points to parts of the system that are no longer there.
Kade Crockford, director of the technology for liberty program at the American Civil Liberties Union of Massachusetts, says the removal didn't undo the original decision to ship the code, and pointed to it as evidence that consumer privacy needs stronger legal protection than Congress has been willing to provide. Crockford notes that the Massachusetts House of Representatives last week unanimously passed a consumer privacy bill that, if enacted as written, would impose strong enforcement provisions, and urged other states to follow, especially with a private right of action that lets aggrieved users sue. "State lawmakers need to do their job and step up to protect consumer privacy," they say.
"Meta's sneaky tactics in slipping the face-recognition code into its smart glasses show exactly why data privacy bills need the teeth of strong enforcement," Crockford says. "Companies like Meta prioritize their bottom line, so lawmakers need to speak in the only language its C-suite understands."
This story originally appeared on wired.com.
Microsoft June 2026 Patch Tuesday Fixes 3 Zero-Days, 200 Flaws
By Lawrence Abrams for bleepingcomputer
bleepingcomputer
Today is Microsoft's June 2026 Patch Tuesday, with security updates for 200 flaws and 3 publicly disclosed zero-day vulnerabilities.
This Patch Tuesday addresses 33 "Critical" vulnerabilities, 28 of which are remote code execution, 4 are elevation of privilege, and 1 is an information disclosure flaw.
The number of bugs in each vulnerability category is listed below:
- 65 Elevation of Privilege Vulnerabilities
- 19 Security Feature Bypass Vulnerabilities
- 55 Remote Code Execution Vulnerabilities
- 30 Information Disclosure Vulnerabilities
- 7 Denial of Service Vulnerabilities
- 27 Spoofing Vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today.
Therefore, the number of flaws does not include flaws in Mariner, Azure HorizonDB, Microsoft Copilot, Copilot Chat, M365 Copilot, Microsoft Exchange Online, and Microsoft Graph that were fixed by Microsoft earlier this month.
There were also a massive 360 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded from this Patch Tuesday roundup.
To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5094126 & KB5093998 cumulative updates.
Noteworthy vulnerabilities
This month's Patch Tuesday fixes 3 publicly disclosed zero-day vulnerabilities, none of which are known to have been exploited in attacks.
Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.
The 3 publicly disclosed zero-days are:
CVE-2026-45586 - Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability
Microsoft has patched a publicly disclosed Windows CTFMON vulnerability that grants SYSTEM privileges.
"Improper link resolution before file access-- 'link following'-- in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally," explains Microsoft.
Microsoft has credited the flaw to an anonymous researcher, but has not shared any details on how it was disclosed.
CVE-2026-49160 - HTTP.sys Denial of Service Vulnerability
Microsoft has patched a publicly disclosed HTTP/2 denial of service flaw called HTTP/2 Bomb that was disclosed this month by researchers at the offensive security firm Calif.
"Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network," explains Microsoft.
The HTTP/2 Bomb attack is a denial-of-service technique that abuses how the HTTP/2 protocol compresses and manages web traffic headers, allowing attackers to send very small amounts of data that force servers to allocate disproportionately large amounts of memory.
Researchers found the attack could dramatically increase memory usage on affected servers. Attackers can also keep the memory tied up by manipulating flow-control settings, preventing the server from freeing resources and potentially causing performance issues or outages.
To help mitigate this attack, Microsoft has introduced a new "MaxHeadersCount" registry setting to limit the number of headers in a request, along with a support bulletin on how to use it.
"Microsoft also introduced a new MaxHeadersCount registry setting. This setting allows you to limit the number of headers included in HTTP/2 and HTTP/3 requests that are accepted by the HTTP server. For more information, see KB5102602," continued Microsoft.
This flaw was attributed to Quang Luong and Codex of Calif.io.
CVE-2026-50507 - Windows BitLocker Security Feature Bypass Vulnerability
Microsoft has patched a publicly disclosed Windows BitLocker bypass flaw that allowed local attackers to gain access to an encrypted drive.
"Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack," explains Microsoft.
While Microsoft attributed the flaw to an anonymous researcher, BleepingComputer has learned that this is a fix for the YellowKey vulnerability that was publicly disclosed last month by a cybersecurity researcher named Nightmare Eclipse.
The YellowKey vulnerability could be exploited by placing specially crafted files on a USB drive or EFI partition and booting into the Windows Recovery Environment (WinRE), where holding down the CTRL key triggered a command shell with unrestricted access to encrypted BitLocker-protected drives.
The flaw primarily affects systems that used TPM-only BitLocker protection on Windows 11 and Windows Server 2022/2025 devices. Microsoft previously shared temporary mitigations for the issue, including enabling TPM+PIN authentication instead of relying solely on TPM protection.
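Added example, not code from the article or from Microsoft: an audit script that lists BitLocker volumes relying on TPM-only protection, the configuration the article says YellowKey primarily affects, so an admin can see where the TPM+PIN mitigation still needs to be applied. It assumes the BitLocker PowerShell module is present and the script runs elevated.

```powershell
#Requires -RunAsAdministrator

function Get-TpmOnlyBitLockerVolume {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Unencrypted or suspended volumes are a separate problem; skip them here.
        if ($vol.ProtectionStatus -ne 'On') { continue }

        # Protector types of interest: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, RecoveryPassword
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPinOrKey = @($types | Where-Object { $_ -in @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') })

        [pscustomobject]@{
            MountPoint  = $vol.MountPoint
            VolumeType  = $vol.VolumeType
            Protectors  = ($types -join ', ')
            # TPM-only: a bare TPM protector and no PIN/startup-key variant alongside it
            TpmOnly     = ('Tpm' -in $types) -and ($hasPinOrKey.Count -eq 0)
            HasRecovery = ('RecoveryPassword' -in $types)
        }
    }
}

$report = @(Get-TpmOnlyBitLockerVolume)
$report | Format-Table -AutoSize

$exposed = @($report | Where-Object { $_.TpmOnly })
if ($exposed.Count -gt 0) {
    Write-Host "`n$($exposed.Count) volume(s) rely on TPM-only protection. Mitigation named in the article: add a TPM+PIN protector, e.g."
    Write-Host '  Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString "Startup PIN")'
    Write-Host 'Group Policy must allow additional authentication at startup first; afterwards remove the old TPM-only protector with Remove-BitLockerKeyProtector.'
} else {
    Write-Host 'No TPM-only BitLocker volumes found.'
}
```

Volumes with HasRecovery = False deserve a look too, since a recovery password is what you fall back on once a PIN is required.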
Nightmare Eclipse has released a wave of Windows zero-day vulnerabilities, including BlueHammer, MiniPlasma, RedSun, and UnDefend, in protest of Microsoft's handling of its bug bounty and vulnerability disclosure programs.
Recent updates from other companies
Other vendors who released updates or advisories in May 2026 include:
- Acer warned about 2 maximum-severity unpatched flaws in Acer Wave 7 Routers that could be used to hijack routers.
- Check Point released security updates for a Remote Access VPN and Mobile Access flaw that was exploited in Qilin ransomware attacks.
- Cisco released security updates for numerous products, including a Unified CM flaw with a PoC exploit and an SD-WAN zero-day exploited in attacks.
- Fortinet released security updates for numerous flaws in FortiOS, FortiSandbox, and FortiProxy.
- Google released Android's June security bulletin, fixing 124 flaws and one actively exploited vulnerability. The company also fixed a new Google Chrome zero-day that was exploited in attacks.
- Ivanti released security updates for vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and Ivanti Sentry, with none exploited in the wild.
- Ubiquiti released security updates for 3 vulnerabilities with maximum severity ratings that could lead to remote code execution.
- SAP released the June security updates, which include fixes for 4 critical flaws.
- Veeam released security updates for a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers.
The June 2026 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities in the June 2026 Patch Tuesday updates, excluding flaws fixed before today.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.
New Apple Feature Automatically Changes Your Compromised Passwords
By Mayank Parmar for bleepingcomputer
At WWDC 2026, Apple announced an Apple Intelligence-powered feature that can automatically fix weak and compromised passwords.
Right now, Safari and the built-in Apple Passwords app can automatically flag weak, duplicate, or compromised passwords.
For example, if you enter a password when you're creating an account, Apple will warn you if it detects the password is weak, and Safari will help you create a secure password.
However, neither Apple's built-in password manager nor Safari currently tries to fix your weak or compromised passwords automatically. That changes with a new AI-powered security feature.
Apple says the built-in password app and Safari now use AI to "agentically" take action based on your behavior and secure your passwords automatically.
This feature will launch with iOS 27 for the Passwords app and Safari, which can automatically update eligible accounts to strong passwords.
Apple promises security and privacy with Apple Intelligence
Apple argues that you don't have to worry about safety or privacy, as these features are powered by the next generation of Apple Foundation Models.
The foundation models were custom-built in collaboration with Google: Apple used Gemini models, likely their output, to fine-tune its own models, and has integrated them deeply into Apple Intelligence experiences.
"These latest models run on device and on servers using Private Cloud Compute," Apple wrote in a blog post.
"Every facet of the new Apple Intelligence architecture is built privacy-first, from the latest Apple Foundation Models to the core operating system technologies that integrate these models deep into Apple's platforms."
Most of these features run locally on new iPhones, but Apple also uses Private Cloud Compute to run some features in the cloud without sharing your personal data.
"When Private Cloud Compute is handling users' requests, their personal data is not stored nor made accessible to Apple or anyone else," Apple noted.
Apple says the Apple Intelligence improvements and the agentic password manager are set to arrive with iOS 27 later this year.
However, if you can't wait, you can sign up for the Developer Program and try the beta build today.
COMPUTEX 2026: Gaming Handhelds, Nvidia RTX Spark, Wild PC Mods & Server Rack Upgrades
© vocalbits.com