Kategorie

A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. [...]

Long before Taco Tuesday became part of the pop-culture vernacular, Tuesdays were synonymous with security — and for anyone in the tech world, they still are.  Patch Tuesday, as you most likely know, refers to the day each month when Microsoft releases security updates and patches for its software products — everything from Windows to Office to SQL Server, developer tools to browsers.

The practice, which happens on the second Tuesday of the month, was initiated to streamline the patch distribution process and make it easier for users and IT system administrators to manage updates.  Like tacos, Patch Tuesday is here to stay.

In a blog post celebrating the 20th anniversary of Patch Tuesday, the Microsoft Security Response Center wrote: “The concept of Patch Tuesday was conceived and implemented in 2003. Before this unified approach, our security updates were sporadic, posing significant challenges for IT professionals and organizations in deploying critical patches in a timely manner.”

Patch Tuesday will continue to be an “important part of our strategy to keep users secure,” Microsoft said, adding that it’s now an important part of the cybersecurity industry.  As a case in point, Adobe, among others, follows a similar patch cadence.

Patch Tuesday coverage has also long been a staple of Computerworld’s commitment to provide critical information to the IT industry. That’s why we’ve gathered together this collection of recent patches, a rolling list we’ll keep updated each month.

In case you missed a recent Patch Tuesday announcement, here are the latest six months of updates.

For May, Patch Tuesday means 139 updates — but no zero-days

Microsoft this week released 139 updates affecting Windows, Office, .NET, and SQL Server (though there were no updates for Microsoft Exchange Server). Despite the absence of zero-days, the May Patch Tuesday update still requires Patch Now recommendations for Windows and Office. 

The combination of three unauthenticated network RCEs (Netlogon, DNS Client, and SSO Plugin for Jira and Confluence), four Word Preview Pane RCEs, the large TCP/IP vulnerability cluster, and the carry-over BitLocker recovery condition (still active on Windows 10 and Windows Server) warrants an accelerated deployment release schedule. 

More info is available here on Microsoft Security updates for May 2026.

Microsoft’s Patch Tuesday release for April is a whopper

Windows admins are going to be busy this month, dealing with the largest Patch Tuesday cycle in memory. The April release involves 165 updates and roughly 340 unique CVEs from Microsoft — including two zero-days, one of which is already being actively exploited in the wild. 

The Readiness team recommends “Patch Now” schedules for nearly every major product family: Windows, Office (with a zero-day), Microsoft Edge (Chromium), SQL Server, and Microsoft Developer Tools (.NET). April also brings Phase 2 of Microsoft’s Kerberos RC4 hardening with full enforcement set for July. There is a lot to cover, so here’s a useful infographic mapping the deployment risk for each platform.

More info is available here on Microsoft Security updates for April 2026.

For March, Patch Tuesday delivers fixes for 83 vulnerabilities

Microsoft’s March Patch Tuesday release addresses 83 vulnerabilities across Windows, Office, SQL Server, Azure, and .NET — with two publicly disclosed zero-days affecting SQL Server and .NET (though neither is being actively exploited in the wild.) Six additional vulnerabilities spanning the Windows Kernel, Graphics Component, SMB Server, Accessibility Infrastructure, and Winlogon are flagged as “Exploitation More Likely.”

The most significant change this month is the introduction of Common Log File System (CLFS) hardening with signature verification, which will affect how Windows handles log files across the operating system. More info on Microsoft Security updates for March 2026.

February’s Patch Tuesday release fixes 59 flaws, including 6 being exploited

The company’s Patch Tuesday release for February addresses 59 CVEs across the company’s product family — roughly half the volume of January’s 159 patches. Six vulnerabilities, affecting Windows Shell, MSHTML, Desktop Window Manager, Remote Desktop, Remote Access, and Microsoft Word, are already being actively exploited. (All five Critical-rated CVEs target Azureservices rather than Windows, however.) 

Both Windows and Office get a “Patch Now” recommendation, with CISA setting a March 3 enforcement deadline for all six exploited vulnerabilities. Two new enforcement timelines also take effect in April: Kerberos RC4 deprecation (CVE-2026-20833) and Windows Deployment Services hardening (CVE-2026-0386). More info on Microsoft Security updates for February 2026.

For January, Patch Tuesday starts off with a bang

The first Patch Tuesday release of 2026 addresses 112 CVEs across Microsoft’s product portfolio, including eight rated critical and three zero-day vulnerabilities. One zero-day (CVE-2026-20805), an information disclosure flaw in the Desktop Window Manager, is already under active exploitation, prompting CISA to add it to the Known Exploited Vulnerabilities catalog with a remediation deadline of Feb. 3, 2026. (Note: 95 of the vulnerabilities affect Windows.) More info on Microsoft Security updates for January 2026.

Ho ho ho! December’s Patch Tuesday delivers three zero-days

The December Patch Tuesday update addresses three zero-days (CVE-2025-64671, CVE-2025-54100, and CVE-2025-62221) but includes surprisingly few total patches (just 57). Notably, Microsoft has not published any critical updates for the Windows platform this month. That said, given the zero-days, we recommend a “Patch Now” release schedule for Windows and Microsoft Office. More info on Microsoft Security updates for December 2025.

Microsoft this week released 139 updates affecting Windows, Office, .NET, and SQL Server (though there were no updates for Microsoft Exchange Server). Despite the absence of zero-days, the May Patch Tuesday update still requires Patch Now recommendations for Windows and Office. 

The combination of three unauthenticated network RCEs (Netlogon, DNS Client, and SSO Plugin for Jira and Confluence), four Word Preview Pane RCEs, the large TCP/IP vulnerability cluster, and the carry-over BitLocker recovery condition (still active on Windows 10 and Windows Server) warrants an accelerated deployment release schedule. The Readiness team suggests that testing start with internet-facing services, domain controllers, and Office endpoints. The May 2026 Assurance Security Dashboard breaks the cycle down by Microsoft product family for deployment risk assessment.

(More information about recent Patch Tuesday releases is available here.)

Known issues

Patch Tuesday arrived this month with a clean bill of health (at least with respect to reported and known issues) for Windows 11 24H2, 23H2, Windows 10 22H2, and Windows Server 2025. However, two items warrant attention.

• Windows 10 and Windows Server customers remain exposed to the April 2026 BitLocker recovery condition on devices set with the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy and an invalid PCR7 (Platform Configuration Register 7) profile. 
• Microsoft also acknowledged on the Hardware Dev Center that Windows Update replaces manually-installed graphics drivers with older OEM versions from the catalogue, because its ranking uses four-part Hardware IDs rather than version numbers: “Customers who actively manage their display drivers experience unwanted downgrades through Windows Update.”

Issues resolved

• KB5089549 for Windows 11 25H2 and 24H2 resolves the April PCR7/BitLocker recovery condition and improves Boot Manager servicing so subsequent boot file updates do not trigger recovery.
• Secure Boot certificate distribution adds a new C:\Windows\SecureBoot folder of automation scripts for IT teams rolling out the Windows UEFI CA 2023 key replacement under CVE-2023-24932, ahead of the 2011 certificate expirations happening between June and October 2026.
• Simple Service Discovery Protocol (SSDP) notification reliability improves, so the service is less likely to become unresponsive under sustained load; this is relevant to networks running UPnP device discovery.

Major revisions and mitigations

Given this month’s Preview Pane issues, Microsoft offered mitigation advice:

• Microsoft Word Preview Pane RCEs — CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367, critical at CVSS 8.4, with the first two flagged “Exploitation More Likely.” The Preview Pane is the attack vector; viewing a malicious document in Outlook or File Explorer is enough to trigger exploitation. 

Windows lifecycle and enforcement updates

We’ve mentioned the CA certificate issue before, but it’s worth flagging again as we approach the EOS and enforcement dates for:

• SharePoint Server 2016 and 2019, Project Server 2016 and 2019, SQL Server 2016, and SQL Server 2014 ESU Year 2, all of which reach end of support in July.
• Secure Boot certificate enforcement — the 2011 KEK CA expires on June 24, the UEFI CA for third-party boot loaders on June 27, and the Windows Production PCA for the boot manager on Oct. 19. 
• Graphics driver HWID enforcement — the pilot moving driver submissions from four-part to two-part Hardware IDs plus Computer Hardware IDs runs to September, with broader enforcement planned for the fourth quarter of this year and Q1 of 2027.

Each month, the team at Readiness provides detailed, actionable testing guidance for Patch Tuesday releases. This guidance is based on assessing a large application portfolio and a comprehensive analysis of the patches and their potential impact on Windows platforms and application deployments.

This month’s Patch Tuesday flags two components as high-risk: the Ancillary Function Driver for WinSock, with an explicit Bluetooth focus, and the Telnet client. Microsoft also ships a pre-release security fix to the Common Log File System driver, and Secure Boot key rolling continues under CVE-2023-24932. TCP/IP is the most-patched component this cycle, with 11 separate updates. Lower-risk patches involve graphics, storage, virtualization, VPN, and Office MSI editions.

Ancillary Function Driver for WinSock 

The WinSock kernel driver (afd.sys) mediates every TCP and UDP socket on Windows, and the May update lands a regression-sensitive change to the Bluetooth interaction path. Failure here typically surfaces as audio dropouts, paired-device drops on sleep, slow reconnect on Wi-Fi handover, or a clean AFD-referenced bug check during sustained load. Watch the System event log for new errors from AFD, TCP/IP, or BTHUSB sources during your test window.

Success in testing these drivers looks silent: no stutters, no event-log churn, no handle leaks.

Your testing regime should include:

• Browse the web over HTTP and HTTPS on both IPv4 and IPv6; download a multi-gigabyte file and verify it completes without stalls.
• Establish a Remote Desktop session, idle 30+ minutes, then resume; place a Teams call with audio, video, and screen share.
• Disable and re-enable the NIC, switch between Wi-Fi and Ethernet, and sleep/resume the machine; expect the network to return cleanly with no AFD-referenced bug check.
• Toggle Bluetooth on and off from Settings and Action Center; pair and unpair headphones, mouse, keyboard, and phone, repeating through several cycles.
• Play audio over a Bluetooth headset for 10+ minutes during a Teams call; expect zero dropouts and clean mic/speaker switching as devices toggle.
• Transfer a file to and from a phone over Bluetooth; connect a Bluetooth keyboard and mouse, leave idle, and resume input.
• Sleep and resume the machine with Bluetooth peripherals connected; verify they reconnect without manual intervention.

Telnet client

The Telnet client (telnet.exe) is an optional Windows feature, rarely enabled on modern endpoints. The high-risk flag matters wherever the feature is installed. Check first with Get-WindowsCapability -Online -Name “Telnet.Client~~~~0.0.1.0”. If installed, launch telnet.exe against a known good endpoint and confirm it opens, accepts input, and exits cleanly. If the feature is not in use, treat this update as an opportunity for attack-surface reduction and remove it.

Common Log File System security fix

Microsoft corrected two integer underflow vulnerabilities in the CLFS driver (clfs.sys) that could trigger a system crash or elevation of privilege. Regression risk is low, but CLFS underpins transaction logging across SQL Server, DTC, Failover Clustering, Hyper-V, Active Directory, and Event Log. Validate where these run. A bug check referencing clfs.sys after the update is the clearest red flag.

• Reboot, run a representative workload for 24 to 48 hours, and check System and Application logs for new errors referencing CLFS, NTFS, DTC, or FailoverClustering.
• On SQL Server, restart the service, run standard transactions, perform a backup and restore, and confirm Always On replication stays healthy.
• Patch each cluster node, verify all nodes return as Up, and move a clustered role across nodes.
• On a patched domain controller, run repadmin /replsummary and dcdiag /v; verify Group Policy still applies on clients.
• Confirm VSS writers report Stable via vssadmin list writers, then run a full backup and a test restore.

Secure Boot and BitLocker

Secure Boot validation continues under the CVE-2023-24932 key rolling work. The risk is a recovery prompt or an unbootable device. Run only on dedicated test machines with the recovery key backed up.

• Enable BitLocker on the OS drive, verify TPM protectors with manage-bde -protectors -get c:, then disable and confirm clean decryption.
• With Secure Boot enabled, trigger recovery via reagentc /boottore 1, unlock with the recovery key, and verify normal next boot.
• With both enabled, apply the Windows UEFI CA 2023 key update and confirm the system boots without a recovery prompt.
• Hibernate with Secure Boot and BitLocker on (powercfg /hibernate on, shutdown -h), then resume and confirm no recovery screen.

Other Windows components

TCP/IP has the highest patch volume; the rest receive routine updates with no functional changes.

• Networking: run sustained file transfers, VPN sessions, and stable throughput over IPv4 and IPv6 to cover tcpip.sys (six updates), the Native Wi-Fi driver, and the LLDP driver.
• VPN and filtering: exercise IKEv2 tunnels through sleep/wake and verify Windows Firewall rules to cover IKEEXT.dll and BFE.
• Graphics and shell: run sustained UI activity and GPU-accelerated workloads to cover the Desktop Window Manager, graphics memory manager, and the graphics kernel; watch for artifacts or flickering.
• Virtualization: exercise VM start/save/resume/stop and external/internal/private virtual switches to cover Hyper-V vmswitch.sys.
• Storage and sync: exercise cloud sync hydration, Storage Spaces pool operations, and RDP printer/clipboard redirection.

Microsoft Office and SharePoint

This month’s Office updates target MSI editions only: Excel 2016 (KB5002865), Word 2016 (KB5002858), Office 2016 shared libraries (KB5002866), and SharePoint Server 2016, 2019, Online Server, and Subscription Edition. Click-to-Run estates are unaffected.

• Open complex Excel workbooks with formulas, macros, and external data connections; save and reopen to verify integrity.
• Edit Word documents with embedded objects, tracked changes, and complex formatting.
• Across patched SharePoint editions, validate document library operations, co-authoring, and workflow execution.
• Confirm that Office add-ins and line-of-business integrations continue to operate.

The Readiness team recommends testing start with the high-risk items. The WinSock driver update warrants a Bluetooth-heavy regression pass across peripherals, audio, file transfer, and sleep/wake. The Telnet client flag is narrow but applies wherever the optional feature is enabled. The CLFS security fix is low regression risk, but its blast radius is wide: validate SQL Server, failover clusters, Hyper-V, Active Directory, and event logging where they exist. Secure Boot and BitLocker validation remains essential as CVE-2023-24932 key rolling continues. Microsoft Office is MSI-only this cycle.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

• Browsers (Microsoft Edge) 
• Microsoft Windows (both desktop and server) 
• Microsoft Office
• Microsoft Exchange and SQL Server 
• Microsoft Developer Tools (Visual Studio and .NET)
• Adobe (if you get this far) 

Browsers

For this Patch Tuesday, Microsoft Edge released the stable version (148.0.3967.54) on May 7, according to the Edge security release notes. This update cycle covers six Edge-engineered CVEs plus 127 Chromium upstream CVEs flowing through:

• CVE-2026-33111 — Copilot Chat (Microsoft Edge) — Information disclosure (CVSS 7.5, rated critical). This is the headline browser issue this month.
• CVE-2026-41107 — Microsoft Edge (Chromium-based) — Information disclosure (CVSS 7.4). External control of file name and path.
• CVE-2026-42838 — Microsoft Edge (Chromium-based) — Elevation of privilege (CVSS 5.4). Injection in a downstream component.
• CVE-2026-7896 through CVE-2026-8022 — Chromium upstream — 127 CVEs covering use-after-free, out-of-bounds read and write, type confusion, and integer overflow across V8, Blink, Skia, WebRTC, ANGLE, and DevTools. The same fixes ship in the Chrome Stable channel; see the Chrome releases blog for the upstream notes.

Add these updates to your Patch Now deployment schedule for Edge-managed environments.

Microsoft Windows

Microsoft addressed 67 unique vulnerabilities across Windows, six rated critical and 61, important. Elevation of privilege dominates by volume (44 entries), followed by remote code execution (9), denial of service (7), information disclosure (4), and security feature bypass (3). The six critical entries span six distinct Windows features:

• CVE-2026-41089 — Windows Netlogon — Remote code execution (CVSS 9.8). Unauthenticated stack-based buffer overflow targeting domain controllers; the highest-impact Windows CVE this cycle.
• CVE-2026-41096 — Windows DNS Client — Remote code execution (CVSS 9.8). Unauthenticated heap-based overflow in name resolution.
• CVE-2026-40402 — Windows Hyper-V — Elevation of privilege (CVSS 9.3). The only non-RCE critical this cycle; guest-to-host escalation on virtualization hosts.
• CVE-2026-40403 — Windows Graphics Component — Remote code execution (CVSS 8.8). Rendering-path RCE.
• CVE-2026-35421 — Windows GDI — Remote code execution (CVSS 7.8). Exploitation via a malicious Enhanced Metafile (EMF) image opened in Microsoft Paint or any EMF-rendering application.
• CVE-2026-32161 — Windows Native WiFi Miniport Driver — Remote code execution (CVSS 7.5). Wireless networking attack surface.

Domain controllers and Hyper-V hosts are the deployment priority, given Netlogon’s unauthenticated profile and the guest-to-host escape. Add this Windows update to your Patch Now deployment schedule.

Microsoft Office

Microsoft released 27 Office CVEs — nine critical, 18 important. Remote code execution dominates with 15 entries; the rest split across information disclosure (4), elevation of privilege (4), spoofing (3), and tampering (1).

• SharePoint Server 2016 remote code execution — CVE-2026-40365, CVSS 8.8. Authenticated Site Owner can inject arbitrary code remotely via insufficient access-control granularity.
• Microsoft Word Preview Pane remote code execution — CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367, each with a reported CVSS of 8.4.
• Microsoft Office remote code execution — CVE-2026-40358 and CVE-2026-40363, each CVSS 8.4. Office 2019 32-bit editions affected.

SharePoint Server is the main priority, given the network-RCE profile — even with the authenticated-Site-Owner precondition. Office 2019 MSI estates pick up six critical fixes between the four Word RCEs and the two generic Office RCEs. The Team Events Portal CVE is addressed cloud-side — no on-premises action. Apply this month’s Office security updates (KB5002865, KB5002858, KB5002866, and the SharePoint set in Issues Resolved above) per the standard ring schedule.

Microsoft Exchange and SQL Server

This month, Microsoft SQL Server receives a single patch and Microsoft Exchange Server gets none:

• CVE-2026-40370 — SQL Server — Remote code execution (CVSS 8.8). External control of file name or path allows an authenticated attacker to execute code over a network. The fix is broadly distributed across SQL Server 2025, 2022, 2019, 2017, and 2016 SP3 via both GDR and CU channels.

SQL Server estates should deploy via GDR or CU per their standard patching cadence, prioritizing internet-exposed instances given the post-authentication blast radius implied by the CVSS 8.8. Add this update to your Patch Now deployment schedule for any internet-connected SQL Server.

Developer tools

Microsoft released 11 CVEs across its developer tooling, with one update rated critical (for Azure DevOps) and 10 rated important, covering the following areas:

• Visual Studio Code — five entries: CVE-2026-41109 security feature bypass involving GitHub Copilot, CVE-2026-41610 security feature bypass, CVE-2026-41611 remote code execution, CVE-2026-41613 elevation of privilege, and CVE-2026-41612 information disclosure in the Live Preview extension.
• .NET on Windows — four entries: CVE-2026-32175 (.NET Core tampering), CVE-2026-32177 and CVE-2026-35433 (.NET 10.0 elevation of privilege), and CVE-2026-42899 (ASP.NET Core denial of service on .NET 8.0).

Add these Microsoft updates to your standard developer update release schedule.

Adobe (and third-party updates)

I keep promising that this section should be retired (and it should), but Microsoft released a sizable third-party sweep through Azure Linux 3.0 and CBL Mariner 2.0 this month: 191 open-source CVEs spanning the Linux kernel, the Go runtime, Apache httpd, PHP, CoreDNS, valkey, Ruby, gnutls, Apache Thrift across its Node.js, Rust, and Java implementations, plus vim, postfix, expat, nmap, Prometheus, KEDA, and PgBouncer. This is a lot for anyone.

In addition to all this, Microsoft issued a patch (CVE-2026-41103) for its own SSO Plugin for Jira and Confluence. This vulnerability allows an attacker to forge a Microsoft Entra ID identity via a crafted SAML response; patching requires updating the plugin within Atlassian rather than on a Microsoft platform. In other words, the Microsoft attack surface now extends to other vendors’ application stacks, with patching responsibilities split across vendors. 

With such diffusion of responsibility, what could go wrong?

​During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations. [...]

Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm. [...]

The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that's engineered for stealth and persistent access to compromised hosts. Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia's Federal Security Service (FSB)Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

On Thursday, Google Cloud CEO Thomas Kurian issued a call for “forward-deployed engineers” to apply for jobs in the company’s go-to-market AI team. Their task: help non-tech organizations scale up their AI deployments.

That term — forward-deployed engineers, FDE for short — has been coming up a lot lately in conversations with CTOs, software engineers, and experts tracking the technology and job markets.

Google currently has 1,513 openings for that specific role and OpenAI, which just this week launched an organization called the Deployment Company, has 31. Microsoft is on board, too; in March, it partnered with Accenture to launch a forward-deployment partnership.

OpenAI’s new Deployment Company is, not surprisingly, designed to “help organizations build and deploy AI systems they can rely on every day across their most important work,” the company said in a blog post.

Forward-deployed engineering has seen the fastest growth in jobs created by AI, with the number of positions increasing 42-fold between 2023 and 2025, LinkedIn reported in a study earlier this year. (AI engineer jobs, by comparison, have grown 13-fold in that same time frame.)

Vendors and service providers created the FDE position to help clients install AI, said Jack Gold, principal analyst at J.Gold Associates.

Many non-tech firms have taken shots at deploying AI projects internally, without success or quick ROI. Some of the reasons those efforts haven’t worked out include poor vision, lack of talent, skimpy budgets, and underestimating the complexity of deploying AI.

That’s led to the arrival of FDEs — essentially hired guns for AI deployments. They focus on successful outcomes for customers instead of writing code. 

“They have skills that the organization may not have, and usually have done similar work with others before, so they bring expertise that companies need,” Gold said. 

FDEs analyze strategies, battle plan, discover applications, build agentic frameworks, and roll out AI systems with help from customers’ own domain experts and engineers. They also work with AI models, solve context and reasoning problems, evaluate models, and put security and governance guardrails in place. 

A good FDE can provide a much higher probability of successful implementations, Gold said.

Many software engineers have worried that AI would make their careers irrelevant. But the FDE role embodies where the role is going, analysts and IT experts said.

Code can now be written using human language, allowing software engineers to focus  more on outcomes than servicing code, said Alex Spinelli, senior vice president for AI and developer platforms at Arm.

“I think that’s where engineering is moving to…, much more blending of the sort of technical product management thinking, design thinking, and architecture thinking,” Spinelli said.

While AI can make engineering invisible, it also opens a toolbox to solve business problems, said Stephen Jones, CUDA architect at Nvidia. “You have more tools than you ever had before to solve problems that were previously completely unsolvable,” he said.

The FDE roll in the future might well entail reducing AI costs for customers, said Deepak Seth, senior director analyst at Gartner. “Some companies are moving towards outcome-based pricing…. [And] when people start realizing the real cost of tokens, then companies will start looking at token efficiency.”

Gold said the FDEs’ implementation efforts can help drive those token savings. “If the implementation is optimized, it can save on token costs for processing the workflows, …especially as companies move to agents,” he said.

If you think about it, it’s in the national interest for Apple to work with Intel to develop at least some capacity for silicon production outside of Taiwan. It’s also in Apple’s interest, as its continued growth means it needs more and more chips to put inside an ever-expanding product catalog.

During Apple’s Q2 26 fiscal call, CEO Tim Cook said the lack of what he called “high-end nodes” is affecting sales, particularly for Macs. He shared this news even as the company’s MacBook Neo is setting new sales records for the Mac.

Apple’s success is creating a chip problem

The need to source all those chips might have prompted Apple to reach out to Intel on how the two firms could work together on processor production once again. Supply chain analyst Ming-Chi Kuo now believes Apple is evaluating Intel’s advanced node technologies with a view to processor supply. “Apple’s wafer plans at Intel reflect the technology lifecycle of the [Intel] 18A-P series: small-scale testing in 2026, ramp in 2027, continued growth in 2028, and decline in 2029,” he said.

If it comes to fruition, the arrangement is a probable lifeline for Intel, which the US government feels is strategically important enough it acquired an $8.9 billion stake in the company to secure domestic advanced chip manufacturing capacity.

Intel could be TSMC’s +1

While the arrangement with Intel could end TSMC’s exclusive hold on chip production for Apple, it doesn’t seem to be a huge threat. The Taiwan-based company will continue to manufacture roughly 90% of Apple’s most powerful chips, even as the number of processors required to satiate Cupertino’s voracious appetite grows. For Intel, the promise of even 10% of Apple’s global processor demand is a lifeline for company revenue. TSMC, meanwhile, continues to invest in US chip manufacturing facilities.

Apple’s relationship with the US government suggests it also recognizes the government’s position on the national significance of Intel, which is why diverting at least some of its orders back to its old Mac processor supplier makes sense. It’s good business for Apple to maintain supplier flexibility, while it’s also good citizenship to support the government in its attempt to protect domestic chip manufacturing. 

Entry-range Apple, with a small touch of Intel

Industry and media speculation in recent months suggests that Intel will not be making the most advanced Apple Silicon chips, concentrating instead on older chip designs used in entry-level iPads, iPhones, and Macs. 

Speculation also suggests Apple intends to split up the iPhone launch cycle soon, offering advanced devices (bearing chips made by TSMC) in September, with lower-end product refresh events such as for the iPhone ‘e’ series each spring.  This is what Apple did this year, when it also introduced the MacBook Neo, a system also powered by an older processor. 

It’s plausible to think that Intel will eventually manufacture the Apple Silicon chip used inside the entry-level Mac. Of course, this would still be Apple Silicon — Intel would just make them in America. 

Could Apple’s entry-level Macs one day be made in America?

Of course, the decision to widen chip manufacturing in the US leans into Apple’s ongoing move to make more of its hardware in America, too. Apple already makes servers for Private Cloud Compute in the US and has confirmed it will begin manufacturing some Mac mini models later this year.

>“Apple is deeply committed to the future of American manufacturing, and we’re proud to significantly expand our footprint in Houston with the production of Mac mini starting later this year,” said Cook when this was announced.

>But with Intel expected to begin churning out processors for use across Apple’s entry-level devices, how likely is it that the company will begin to make more of the hardware that runs those chips in the USA as well? Does the decision to manufacture chips in the US make a future in which the MacBook Neo is “Made in the USA” possible?

>Even if it did, to what extent would the cost of manufacturing in the US make it difficult for Apple to maintain the $599 starting price on those Macs, unless the factories churning them out were almost totally automated? 

>You can follow me on social media! Join me on BlueSky,  LinkedIn, and Mastodon.

Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database. [...]

Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was "by design." [...]

Stolen browser sessions and authentication tokens are becoming more valuable than stolen passwords. Flare explains how the REMUS infostealer evolved around session theft and operational scalability. [...]

Cybersecurity researchers have disclosed a set of four security flaws in OpenClaw that could be chained to achieve data theft, privilege escalation, and persistence. The vulnerabilities, collectively dubbed Claw Chain by Cyera, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors. A brief description of the flaws is below - Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

The UK’s competition regulator has launched a broad antitrust investigation into Microsoft’s business software ecosystem, opening a new front in growing regulatory scrutiny of how cloud platforms, productivity software, and embedded AI capabilities may affect competition in enterprise technology markets.

UK’s Competition and Markets Authority (CMA) said in a statement that it had opened a Strategic Market Status (SMS) investigation into Microsoft’s business software operations under the country’s new digital markets regime.

The regulator said it will assess whether Microsoft has “substantial and entrenched market power” and a “position of strategic significance” in business software markets.

“The investigation will assess whether Microsoft is using its position in business software to limit competition in cloud services, cybersecurity, communications, and AI,” the regulator said in a statement.

The case is the fourth strategic market status (SMS) investigation the regulator has opened since the UK’s digital markets competition regime came into force in January 2025, following earlier SMS cases into Google search, Apple’s mobile platform, and Google’s mobile platform.

A designation decision is due by February 2027, the statement added.

“Our aim is to understand how these markets are developing, Microsoft’s position within them and to consider what, if any, targeted action may be needed to ensure UK organisations can benefit from choice, innovation and competitive prices,” CMA chief executive Sarah Cardell said in the statement.

The scope covers productivity software, PC and server operating systems, database management, and security software, the CMA said, naming Windows, Word, Excel, Teams, and Copilot. Microsoft has more than 15 million commercial users across its UK ecosystem.

AI integration central to the case

The CMA will examine how AI competitors integrate with Microsoft’s business software and whether customers can mix AI tools from rival suppliers within Microsoft environments, the regulator said, citing the rapid embedding of AI functionality and a shift towards agentic AI in workplace tools.

Microsoft has pushed Copilot across Microsoft 365 tiers and expanded agentic features inside Office and Teams over the past year.

That AI overlay has not yet reset the lock-in question, but soon will, said Dario Maisto, senior analyst at Forrester. “Copilots have the potential to make employees and organizations more dependent on existing vendors, as any other feature embedded in the suites,” Maisto said. “At this stage, they do not change the enterprise lock-in conversation but will in the near future as adoption scales.”

For CIOs, switching away is no easier than swapping any other layer of the stack, Maisto added, describing diversification as as difficult as finding enterprise-grade alternatives to other Microsoft products.

What the CMA will examine

The investigation will assess whether Microsoft has SMS in business software and whether it uses that position to limit customer choice, the CMA statement added. It will look at product bundling, interoperability limits, and default settings that may stop customers from switching or weaken competitive pressure from rivals.

UK customers may not always be able to combine Microsoft software with products from other providers, the regulator said, limiting access to the best products at competitive prices.

An SMS finding would also let the CMA act on an unresolved concern from its earlier cloud market investigation, which found that Microsoft’s software licensing was reducing competition in cloud services. AWS previously told the regulator that Microsoft’s 2019 and 2022 licensing changes made it harder to run Microsoft products on Google Cloud, AWS, and Alibaba.

Wider scope than previous SMS cases

The case is wider in scope than any previous SMS investigation, covering productivity tools, operating systems, database management, and security software in a single ecosystem-level review. The previous three designations each targeted a narrower set of activities.

The SMS status does not assume wrongdoing, the CMA said. If Microsoft is designated, the regulator can impose conduct requirements or pro-competition interventions, subject to the relevant legal tests.

The probe runs alongside the CMA’s ongoing engagement with AWS and Microsoft on cloud egress fees and product interoperability, announced in March after the regulator decided not to pursue SMS designation on cloud services.

Sovereignty push runs in parallel

For enterprise customers, the investigation comes as many organizations pursue multi-cloud strategies while simultaneously consolidating technology stacks around a smaller number of strategic vendors.

Maisto said interoperability is likely to become an increasingly important — and difficult issue for regulators and enterprise buyers.

“Interoperability is a big topic these days, but it is easier said than done,” he said. “What works on paper in a policy may not work in reality.”

Maisto also pointed to growing European discussions around “tech sovereignty”.

“The European Commission is considering rules to restrict use of US cloud platforms to process sensitive government data,” he said. “The Commission is expected to present its ‘Tech Sovereignty Package’ on May 27 to define sectors that have to be hosted on European cloud capacity.”

At the same time, Maisto said he does not expect regulatory intervention alone to significantly alter market concentration trends.

“We do not foresee a massive decrease in market concentration,” he said.

Microsoft did not immediately respond to a request for comment.

Microsoft is introducing a new capability that will allow it to remotely roll back problematic Windows drivers delivered through Windows Update. [...]

In Your Biggest Security Risk Isn't Malware — It's What You Already Trust, we made a simple argument: the most dangerous activity inside most organizations no longer looks like an attack. It looks like administration. PowerShell, WMIC, netsh, Certutil, MSBuild — the same trusted utilities your IT team uses every day are also the preferred toolkit of modern threat actors. Bitdefender's analysis [email protected]

OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but noted that no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner. "Upon identification of the malicious activity, we worked quickly to investigate, contain, and take steps to Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. [...]

“If you can’t measure it, you can’t fix it.” 

That’s a common saying in business, and it tends to be true. But what if the thing you want to fix is your employees’ attitudes? 

The AI revolution makes it possible to measure emotions and mental states. So why not use it widely and fix what’s broken? 

That’s the idea behind emotion AI, which is also called “affective computing,” “sentiment analysis,” or “algorithmic affect management.” The idea is to use sensors and AI to detect, interpret, classify, and act upon human emotions in the workplace. 

Thanks to improvements and breakthroughs in a wide range of technologies (including computer vision, natural language processing, speech and voice analysis, biometrics, machine learning and deep learning, and edge computing hardware) emotion AI is now possible. 

Many companies have come forward to provide ready-to-use solutions for emotional AI apps, including Cogito, Affectiva, Hume AI, Entropik, and HireVue.

The idea is simple: Collect data from employees, process it through AI, and get a result that shows how an employee feels. Depending on the solution, the data comes from: 

• Vocal features — pitch, tone, cadence, micro-pauses, vocal stress
• Facial expression — video analysis of video calls and through desktop cameras
• Text — mass sentiment analysis on emails, Slack/Teams messages, survey responses, and performance reviews
• Physiological biosignals — heart rate variability, galvanic skin response (via wearables)
• Behavioral telemetry — keystroke cadence, mouse dynamics, app-switching patterns
• Posture and gaze — computer vision analysis from cameras installed in workplaces

Despite the progress and variety of solutions, this whole area is problematic for businesses. 

Why companies want to use emotion AI

The range of business goals driving emotion AI is vast. The most defensible reason is safety. Workers in risky jobs, such as factory workers and truck drivers, could be protected with AI tools that help avoid injury and death. A common example is technology that detects when a truck driver is dozing off and either sounds an alarm or switches to autopilot to take control of the truck and pull over. 

Another goal is better customer service. Companies like MetLife use software that monitors call center agents’ voice, tone, and pitch to make sure they don’t get snippy or express frustration with customers. 

HR departments could use AI to understand the workplace mood by analyzing company communications and employee surveys. Companies can also check for employee burnout and use the technology for hiring. By applying emotion AI to a video job interview, companies might make better hires. 

Emotion AI in the workplace can offer other benefits such as lowering employee turnover, healthcare expenses, and safety risks while boosting customer satisfaction, worker productivity, and insight into team or managerial dysfunction.

What’s wrong with emotion AI

While measuring, then acting upon, the emotions and mental states of employees sounds like a powerful idea, it’s often based on bad science. 

Emotion AI systems that lean on facial expressions, for example, are based on a theory by Paul Ekman, an American psychologist at the University of California, San Francisco. He theorized back in the late 1960s that a small set of basic human emotions produces universal, reliably readable facial expressions across cultures. 

But Ekman’s theory was shown to be problematic by a 2019 meta-analysis led by Lisa Feldman Barrett, in an article published in Psychological Science in the Public Interest. She looked at more than 1,000 studies and concluded that you can’t always reliably infer people’s emotional states from facial movements alone. 

Most emotion AI solutions are based on the assumption that everyone’s emotions can be interpreted the same way, and that’s almost certainly wrong, given how different people can be in appearance, voice, personality and physiology. 

Like many areas of business and leadership in recent years, AI is often seen as a solution to the challenges of managing a lot of employees. 

Emotion AI holds out the promise that leaders can bypass the need to inspire, motivate and educate employees so that their actions are aligned with company goals, and instead try to achieve this alignment through hyper-surveillance. 

But that’s unfair, say some emotion AI supporters. Many organizations use emotion AI systems claiming to help employees in some way. Research suggests that this might backfire. 

A 2024 Finnish case study found that workplace emotion-tracking technology tends to undermine wellbeing more than support it and has a bunch of problems. First, the technology often fails to work. Specifically, it claims to identify mental states like “stressed” or “engaged,” which turn out not to faithfully reveal actual internal moods. 

Second, the quality of emotional AI output often varies by race. The study found that the faces of black people were wrongly labeled as “angry” or “contemptuous” more often, even when showing the same facial expressions as white participants. That’s just one example of bias that might come from treating employees differently based on an AI’s flawed ability to interpret human emotional expression. 

Third, they found that claims of “anonymous aggregation” turn out to be false in practice with smaller teams. The data can unintentionally reveal identities, leading to privacy violations. 

Fourth, emotion AI may have the practical effect of requiring “emotional labor,” which means mustering up and conveying the right emotions as part of the job, on an ever-growing range of professions. 

And finally, emotion AI is prone to mission creep. Companies often deploy it for one purpose then drift toward increasing worker surveillance. 

Emotion AI may have no future

While emotion AI is growing in some sectors of the economy, it’s being forcibly shrunk through growing regulatory action. The European Union last year banned emotion AI in the workplace and in educational settings, with narrow exceptions for medical or safety reasons. Multinational corporations are gravitating to the European standard. 

There’s even been limited legal or regulatory action against the technologyin a few states, including California, New York, and Illinois.

Some companies have voluntarily rejected emotion AI. Microsoft, for example, announced in June 2022 that it would retire the Azure Face API’s emotion-recognition capabilities (along with inference of gender, age, smile, facial hair, hair, and makeup) as part of an overhaul of its Responsible AI Standard. 

The company’s Chief Responsible AI Officer, Natasha Crampton, explained the change by citing “the lack of scientific consensus on the definition of ’emotions,’ the challenges in how inferences generalize across use cases, regions, and demographics, and the heightened privacy concerns around this type of capability.” Microsoft also worried that such technology “can subject people to stereotyping, discrimination, or unfair denial of services.”

So while there are real and helpful uses for emotion AI in some cases, the science behind it is weak, the results are often misleading, employees generally dislike it and find it stressful, bias is likely built in, privacy violations are likely — and it might not even be legal internationally or even across all American states. 

Tempting as it is, emotion AI is too problematic to deploy. 

AI disclosures: I don’t use AI for writing. The words you see here are mine. I used a few AI tools via Kagi Assistant (disclosure: my son works at Kagi) as well as both Kagi Search and Google Search as one part of my fact-checking for this column. I used a word processing product called Lex, which has AI tools, and after writing the column, I used Lex’s grammar checking tools to hunt for typos and errors and suggest word changes.

Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. "Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]