{"id":35924,"date":"2026-05-10T11:48:48","date_gmt":"2026-05-10T18:48:48","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=35924"},"modified":"2026-05-10T11:48:48","modified_gmt":"2026-05-10T18:48:48","slug":"sb-2026-05-10","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2026\/05\/sb-2026-05-10\/","title":{"rendered":"Security Bits \u2014 10 May 2026"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><strong>Age Verification Developments:<\/strong>\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 Apple have expanded their Digital ID technology to provide anonymous age verification in the US \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/apple-wallet-digital-id-just-took-its-first-step-toward-becoming-a-true-digital-passport-alternative\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li><em>\u201cA Digital ID in Apple Wallet created using a U.S. 
passport can be used to confirm that you\u2019re an adult.\u201d<\/em> \u2014 Apple<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/cyberinsider.com\/utah-becomes-first-us-state-to-require-age-verification-for-vpn-use\/\">Utah becomes first US state to require age verification for VPN use \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li>Not <strong>quite<\/strong> as nuts as it sounds, VPN providers don&#8217;t need to provide age verification, websites with adult content need to block VPNs (not possible to do reliably of course!).<\/li>\n<\/ul>\n<\/li>\n<li><strong>iOS RCS support:<\/strong> Apple have officially announced that RCS will start rolling out with iOS 26.5, but it will be gradual, as carriers move to enable the feature on their networks \u2014 <a href=\"https:\/\/cyberinsider.com\/apple-brings-end-to-end-encryption-to-rcs-messaging-in-ios-26-5\/\">cyberinsider.com\/\u2026<\/a> <\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 More welcome enforcement actions in the US: <a href=\"https:\/\/cyberinsider.com\/ftc-orders-kochava-to-stop-selling-peoples-location-data\/\">FTC orders Kochava to stop selling people\u2019s location data \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li>The SANS Institute did a good writeup of the <strong>malicious HomeBrew ads<\/strong> we discussed last time, including screenshots \u2014 <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32942\">isc.sans.edu\/\u2026<\/a>\n<ul>\n<li>Notice the initial link is clearly marked as an ad, though it could of course be an ad by the actual developers \u2026<\/li>\n<li>Bart&#8217;s advice remains \u2014 <em>&#8220;never click ads in search results, assume they&#8217;re all dishonest or malicious&#8221;<\/em> (because too many are!)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a 
href=\"https:\/\/cyberinsider.com\/google-pushes-massive-chrome-security-update-to-patch-127-flaws\/\">Google pushes massive Chrome security update to patch 127 flaws \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li>There have been two notable <strong>Linux Kernel Zero-days<\/strong> in the last week:\n<ul>\n<li>Patches are slowly starting to roll out from the various distributions for the first, and similar fixes for the second should follow soon.<\/li>\n<li>There are workarounds for both vulnerabilities, but since they involve disabling kernel features, they should only be applied with an understanding of the impact this would have on the specific device. For typical home users, both workarounds should be safe, though.<\/li>\n<li>Server-focused advanced security products like Microsoft Defender for Linux&#8217;s optional EDR feature (endpoint detection &amp; response) have been updated to detect and block attempts to exploit these vulnerabilities.<\/li>\n<li>Both vulnerabilities are local <strong>privilege escalation<\/strong> bugs, allowing non-root users logged into the machine to gain root privileges<\/li>\n<li>This makes the bugs catastrophic for shared computing environments like shared hosting and school labs.<\/li>\n<li>For home users, the danger is much less \u2014 as we say on the show, <em>&#8220;if you already have malware on your device, it can now become root&#8221;<\/em>, but of course, you have a bigger problem: <strong>you already have malware!<\/strong><\/li>\n<li>\ud83e\uddef For most NosillaCastaways, in your personal capacity at least, these bugs can get a cautious fire-extinguisher emoji. 
Do still patch when official patches are released though!<\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/copy-fail-gives-root-access-to-all-linux-systems-via-732-byte-exploit\/\">\u201cCopy Fail\u201d gives root access to all Linux systems via 732-byte exploit \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges\/\">New Linux &#8216;Dirty Frag&#8217; zero-day gives root on all major distros \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\u26a0\ufe0f <strong>WhatsApp users<\/strong> \u2014 patch all your clients on all OSes ASAP: <a href=\"https:\/\/cyberinsider.com\/whatsapp-warns-of-instagram-reels-bug-that-could-load-risky-content\/\">WhatsApp warns of Instagram Reels bug that could load risky content \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li>\u26a0\ufe0f <strong>Ollama Users<\/strong> \u2014 patch ASAP: <a href=\"https:\/\/thehackernews.com\/2026\/05\/ollama-out-of-bounds-read-vulnerability.html\">Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak \u2014 thehackernews.com\/\u2026<\/a> <\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>\u26a0\ufe0f <strong>Claude AI + Google Chrome users:<\/strong> <a href=\"https:\/\/cyberinsider.com\/claudebleed-allows-any-chrome-extension-to-control-anthropics-ai-assistant\/\">\u201cClaudeBleed\u201d allows any Chrome extension to control Anthropic\u2019s AI assistant \u2014 cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>The issue has been <strong>partially fixed<\/strong> in the latest plugin update, but depending on your configuration, you might still be at risk!<\/li>\n<li><em>&#8220;According to the report, attackers could still bypass the new protections by abusing Claude\u2019s &#8216;Act without 
asking&#8217; mode or by triggering alternative side-panel execution flows that restored autonomous behavior.&#8221;<\/em> \u2014 Cyber Insider<\/li>\n<\/ul>\n<\/li>\n<li>\u26a0\ufe0f <strong>WordPress Site Owners<\/strong> \u2014 check you don&#8217;t have the <em>Quick Page\/Post Redirect<\/em> plugin installed: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/popular-wordpress-redirect-plugin-hid-dormant-backdoor-for-years\/\">Popular WordPress redirect plugin hid dormant backdoor for years \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\u26a0\ufe0f <strong>CPanel\/WHM Users<\/strong> \u2014 check your hosting company has been keeping your server patched, and if you can, check the sign-in logs for unexpected sign-ins:\n<ul>\n<li><a href=\"https:\/\/cyberinsider.com\/massive-cpanel-campaign-compromised-44000-servers-worldwide\/\">Massive cPanel campaign compromised 44,000 servers worldwide \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/critical-cpanel-zero-day-auth-bypass-exploited-since-february\/\">Critical cPanel zero-day auth bypass exploited since February \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks\/\">Critrical cPanel flaw mass-exploited in &#8220;Sorry&#8221; ransomware attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>A reminder of why we need to stay vigilant: \ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ftc-americans-lost-over-21-billion-to-social-media-scams-in-2025\/\">FTC: Americans lost over $2.1 billion to social media scams in 2025 \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>A rare retrograde step: <a href=\"https:\/\/www.macobserver.com\/news\/instagram-ends-message-encryption-making-your-dms-less-private\/\">Instagram Ends Message 
Encryption Making Your DMs Less Private \u2014 www.macobserver.com\/\u2026<\/a>\n<ul>\n<li>A good reminder to treat all postings on any social media site as if everything you post in any format could easily become public at any stage.<\/li>\n<li>When you need secure messaging, use a messaging service with good security, not a social media platform!<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\udde8\ud83c\udde6 \u26a0\ufe0f <strong>Canadian NosillaCastaways<\/strong> \u2014 now might be a good time to reach out to your elected representatives to share your views: <a href=\"https:\/\/cyberinsider.com\/apple-and-meta-warn-canadas-bill-c-22-forces-encryption-backdoors\/\">Apple and Meta warn Canada\u2019s Bill C-22 forces encryption backdoors \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li>Some small but nice cybersecurity enhancements:\n<ul>\n<li><a href=\"https:\/\/cyberinsider.com\/signal-to-roll-out-anti-phishing-safeguards-following-account-takeovers\/\">Signal to roll out anti-phishing safeguards following account takeovers \u2014 cyberinsider.com\/\u2026<\/a> (none of Signal&#8217;s systems nor their encryption were broken, the attacks were purely social engineering)<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-to-deprecate-legacy-tls-in-exchange-online-starting-july\/\">Microsoft to deprecate legacy TLS in Exchange Online starting July \u2014 www.bleepingcomputer.com\/\u2026<\/a> (needed, but could break legacy clients!)<\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/meta-enhances-security-of-whatsapp-and-messenger-encrypted-backups\/\">Meta enhances security of WhatsApp and Messenger encrypted backups \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/proton-mail-rolls-out-quantum-resistant-encryption-for-all-users\/\">Proton Mail rolls out quantum-resistant encryption for all users \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside 
class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/what-is-hacking\/\">What Is Hacking? Types, Techniques, and How to Protect Yourself \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li>Physicist Hannah Fry explains how agentic AI works using OpenClaw experimentation to illustrate: <a href=\"https:\/\/www.youtube.com\/watch?v=WnzR5aOElvw\">Why AI Agents are either the best or worst thing we\u2019ve ever built<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>An approachable yet deep interview with a leading Quantum Computing researcher: <a href=\"https:\/\/cyberinsider.com\/breaking-encryption-with-quantum-computing-interview-with-chris-peikert\/\">Breaking encryption with quantum computing \u2014 Interview with Chris Peikert \u2014 cyberinsider.com\/\u2026<\/a> (definitely a long read!)<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong> an excellent three-part long-read from Ars on the history of the Internet:\n<ul>\n<li><a href=\"https:\/\/arstechnica.com\/gadgets\/2025\/04\/a-history-of-the-internet-part-1-an-arpa-dream-takes-form\/\">An Ars Technica history of the Internet, part 1 \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/gadgets\/2025\/06\/a-history-of-the-internet-part-2-the-high-tech-gold-rush-begins\/\">A history of the Internet, part 2: The high-tech gold rush begins \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/gadgets\/2025\/09\/a-history-of-the-internet-part-3-the-rise-of-the-user\/\">A history of the Internet, part 3: The rise of the user \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li>I join the story about \u00bc way 
through Part 2 in the age of Netscape Navigator &amp; Internet Explorer 3 \ud83d\ude42<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to, when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Age Verification Developments: \ud83c\uddfa\ud83c\uddf8 Apple have expanded their Digital ID technology to provide anonymous age verification in the US \u2014 www.macobserver.com\/\u2026 \u201cA Digital ID in Apple Wallet created using a U.S. passport can be [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147,214],"tags":[8209,8210,2060,50,569],"class_list":["post-35924","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-age-verification","tag-malicious-ads","tag-malware","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/
\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=35924"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35924\/revisions"}],"predecessor-version":[{"id":35926,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35924\/revisions\/35926"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=35924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=35924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=35924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}