RSS aggregator

Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE

The Hacker News - 5 May, 2026 - 18:19
The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling. This issue
Author: Ravie Lakshmanan
Category: Hacking & Security

DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware

The Hacker News - 5 May, 2026 - 18:07
A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky. "These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers," Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid
Author: Ravie Lakshmanan
Category: Hacking & Security

Apple can’t make chips fast enough, but that’s only part of the story

Computerworld.com [Hacking News] - 5 May, 2026 - 17:51

Apple has held “exploratory” talks about manufacturing processors for its devices in the US, Bloomberg reports. The move seems to reflect Apple’s need to secure additional chip supplies to meet growing demand for its products, but could also represent a contingency plan to reduce the company’s reliance on Taiwan Semiconductor Manufacturing Company’s (TSMC’s) advanced manufacturing facilities in Taiwan.

I doubt this means Apple doesn’t want to work with TSMC, nor does it mean TSMC is cooling on Apple. I suspect company management is far more concerned about what might happen in the event China attacks TSMC’s home nation. 

Contingency planning 

That concern seems legitimate in the context of unravelling international relations and a recently disclosed warning the CIA gave to tech leaders back in 2023. Executives from Apple, AMD, and Qualcomm were all warned that China might attack Taiwan. Such an attack would pose a huge threat to the entire tech industry. Speaking at the World Economic Forum in January, US Treasury Secretary Scott Bessent warned of an “economic apocalypse” if Taiwan were to be blockaded or its capacity destroyed.

Apple derives nearly every chip it uses in its devices from factories in Taiwan. To reduce that risk, it is investing in TSMC factories in the US, including at the Fab 21 site in Arizona where small-scale processor production has already begun.

Checks and limits

Setting up new processor production facilities is expensive, takes time, and requires teams of specialized tooling engineers and operators hard to find in the US. In the medium term, you should expect those missing skill sets to be served by robotics, though that will also take time. Apple is investing in AI-augmented manufacturing across its supply chain right now.

Manufacturing processors at the scale Apple requires is not yet possible in the US, so it makes sense for the company to explore other options to meet demand. These early talks appear to show the company is considering the options available to it.

But even if its chip manufacturing supply weren’t threatened by growing international tensions, Apple has another challenge. It can’t make enough chips to satisfy demand. This was a central thesis during the company’s recent financial call when Apple CEO Tim Cook confessed Apple couldn’t meet demand for MacBook Neo, Mac mini, or Mac Studio because it couldn’t get sufficient supply of the high-end nodes it uses in SoC production. 

“The constraints that we have are driven by the availability of the advanced nodes that our SoCs are produced on…,” Cook said. “We’re seeing less flexibility in the supply chain than normal.”

Those high-end nodes are, of course, made in Taiwan.

The scale of the problem

To get a sense of the scale of the Apple supply chain, the company confirmed that it sourced 19 billion chips from across a dozen US states in 2025. Most, though not all, of these processors are far less advanced than the main processor in Apple’s devices; they’re lower tier and used for things like power management, Wi-Fi, or display drivers. Apple is investing hundreds of billions of dollars to expand its manufacturing supply chain in the US, including a commitment to assemble Mac minis here. But it will take a very long time to completely replicate what it has already, particularly in China and Taiwan. 

Apple has a golden problem to further complicate the sum. Demand for its products is increasing. Apple confirmed this is across all its products. The company also saw growth in every market, including strong double-digit growth in Greater China and the rest of Asia-Pacific. People are flocking to its platforms, giving it an installed base of 2.5 billion devices — including “record numbers” of new Mac customers and record iPhone 17 sales. Meanwhile, demand for the MacBook Neo is “off the charts,” Cook said. This Apple adoption curve is real, and the challenge of meeting that demand is also real, which is why Cook warned that supply constraints would persist for months.

Apple needed to start somewhere

This is the background to Apple’s reported meetings with potential chip suppliers at Intel and Samsung, neither of which is likely to be able to match TSMC’s scale. Apple hasn’t made any decisions yet and these talks are described as preliminary. But they reflect the company’s need to protect its business against additional shocks while ramping its supply chain up to meet new demand. These discussions could go nowhere, of course. In the meantime, TSMC expects to make 100 million processors for Apple at its US factory this year.

That remains a drop in the ocean compared to the scale of demand Apple faces. It doesn’t meaningfully reduce Apple’s near-term risk, but is at least a start. The question for the rest of us will be whether Apple, its partners, or the wider tech industry can mitigate these risks swiftly enough.

Category: Hacking & Security

Tim Cook hands over Apple in top form. Record March quarter driven by iPhones and “cheap hardware”

Živě.cz - 5 May, 2026 - 17:45
Apple announced its financial results for the past quarter and highlighted several important facts. A marked year-on-year increase in revenue of 17% to more than 111 billion dollars. Earnings per share reached USD 2.01, which is 22% more than last year. Company chief Tim Cook said that ...
Category: IT News

Attackers are cashing in on fresh 'CopyFail' Linux flaw

The Register - Anti-Virus - 5 May, 2026 - 17:01
CISA is warning that a newly-disclosed Linux kernel bug dubbed "CopyFail" is already being exploited, just days after researchers dropped a working root-level exploit.

Tracked as CVE-2026-31431, the bug sits in the Linux kernel and gives low-level users a way to take full control of a system by modifying data they should only be able to read, effectively turning limited access into full root privileges on unpatched machines.

The issue was disclosed by cybersecurity consultancy Theori, which said the flaw was discovered by its AI-powered penetration testing platform, Xint, and reported to the Linux kernel security team on March 23. Major Linux distributions pushed out patches ahead of public disclosure, which Theori published alongside a proof-of-concept exploit.

The Python-based code works against Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, but the researchers warned that every mainstream Linux kernel built since 2017 is in scope of potential exploitation.

"Same script, four distributions, four root shells — in one take. The same exploit binary works unmodified on every Linux distribution," Theori says.

That level of reliability has not gone unnoticed. The CISA, the US government's cybersecurity agency, has added the bug to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to patch within two weeks, setting a May 15 deadline.

Microsoft backed CISA's findings and said it is already seeing signs of activity following the PoC's release.

"Given the availability of a fully working exploit proof-of-concept (PoC) and the race to patch systems, Microsoft Defender is seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days," the company warned.

The mechanics help explain the urgency. The attack is local and requires little access, with no user interaction, so anyone who already has a foothold on a vulnerable box can try their luck. It is the kind of bug that turns a small break-in into full control pretty quickly.

As The Register reported last week, the flaw stems from how the kernel handles certain cryptographic operations, opening a path to tamper with cached data in ways that were never meant to be user-controlled. With a reliable exploit now in the wild, that design quirk has effectively turned into a universal privilege-escalation trick. ®
Category: Viruses and Worms

Attackers are cashing in on fresh 'CopyFail' Linux flaw

The Register - Anti-Virus - 5 May, 2026 - 17:01
Researchers dropped a reliable root exploit and it didn’t sit idle for long

CISA is warning that a newly-disclosed Linux kernel bug dubbed "CopyFail" is already being exploited, just days after researchers dropped a working root-level exploit.…

Category: Viruses and Worms

FTC to ban data broker Kochava from selling Americans’ location data

Bleeping Computer - 5 May, 2026 - 16:39
The FTC will ban data broker Kochava and its subsidiary, Collective Data Solutions (CDS), from selling location data without consumers' explicit consent to settle charges alleging that it sold precise geolocation data collected from hundreds of millions of mobile devices. [...]
Category: Hacking & Security

China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions

The Hacker News - 5 May, 2026 - 16:19
A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. The activity is being tracked by Cisco Talos under the moniker UAT-8302, with post-exploitation involving the deployment of custom-made malware families that have been put
Author: Ravie Lakshmanan
Category: Hacking & Security

The EOL Blind Spot in Your CVE Feed: What SCA Tools Miss

Bleeping Computer - 5 May, 2026 - 16:00
Critical vulnerabilities can exist in open source software your scanners don't check. HeroDevs reveals how EOL software creates blind spots in CVE feeds and SCA tools, and how you can receive a free end-of-life scan for your projects. [...]
Category: Hacking & Security

Mows quietly and precisely, without wires or antennas. Review of the Segway Navimow i210 Lidar robotic mower

Živě.cz - 5 May, 2026 - 15:46
Lidar gives the mower confidence even under trees or on narrow paths beside the house • The fixed Lidar sees only forward, but with higher resolution • The 4G module with the first year free makes remote management easier
Category: IT News

Real estate giant confirms vishing incident as ShinyHunters and Qilin both come knocking

The Register - Anti-Virus - 5 May, 2026 - 15:34
Real estate giant Cushman & Wakefield has confirmed a data breach after two cybercrime groups, ShinyHunters and Qilin, separately claimed responsibility for attacks on the company.

A spokesperson told The Register the attack was "limited" in scope and stemmed from vishing (voice phishing), suggesting an employee was socially engineered.

The representative said: "Cushman & Wakefield recently became aware of a limited data security incident due to vishing. We have activated our response protocols, including taking steps to contain the unauthorized activity and engaging third-party expert advisors to support a comprehensive response.

"Our systems and operations continue to run normally, and we are working diligently to investigate the incident. We recognize the trust placed in us to protect sensitive data and we take this responsibility very seriously."

Cushman & Wakefield (C&W) did not address the apparent dual targeting by both ShinyHunters, which operates a pay-or-leak model, and Qilin, currently viewed as the world's most prolific ransomware group.

There is no previously established coalition between ShinyHunters and Qilin, which suggests the two alleged attacks are separate but coincidentally timed.

In a message sent to The Register, ShinyHunters claimed they attacked the company on May 1, while Qilin listed C&W on its data leak site on May 4.

Qilin's website listing did not detail how it allegedly attacked C&W, although ShinyHunters claimed it stole "over 500,000 Salesforce records containing PII and other internal corporate data."

ShinyHunters set a May 6 deadline for C&W to make contact to prevent the data from being leaked, but the cybercriminals claimed this had yet to happen.

ShinyHunters has been on something of a tear recently. Known for its large-scale, high-impact attacks, the group's latest wave of activity began in March when it laid claim to an expansive supply chain attack after breaching Salesforce customers via the CRM giant itself. At the time, it said it had stolen data belonging to Salesforce and more than 100 of its high-profile customers.

Since then, big-name brands like ADT, Carnival Cruise Line, Rockstar Games, Vimeo, and others have all confirmed ShinyHunters-linked cyberattacks, although not all were explicitly linked to its earlier Salesforce compromise. ®
Category: Viruses and Worms

Real estate giant confirms vishing incident as ShinyHunters and Qilin both come knocking

The Register - Anti-Virus - 5 May, 2026 - 15:34
Cushman & Wakefield activated incident response protocols after serial extortionists issued separate threats

Real estate giant Cushman & Wakefield has confirmed a data breach after two cybercrime groups, ShinyHunters and Qilin, separately claimed responsibility for attacks on the company.…

Category: Viruses and Worms

Your Linux Logs Probably Aren't Catching Attacks: 2026 Detection Gaps

LinuxSecurity.com - 5 May, 2026 - 15:31
When a Linux system is compromised, the logs should tell you what happened. In a lot of cases, they don't.
Category: Hacking & Security

Vimeo data breach exposes personal information of 119,000 people

Bleeping Computer - 5 May, 2026 - 15:03
The ShinyHunters extortion gang stole personal information belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned. [...]
Category: Hacking & Security

Epico has overtaken the carmakers. Instead of garages, semi-solid-state batteries will first head into Czech pockets

Živě.cz - 5 May, 2026 - 14:45
Technological development in the field of batteries is reaching a critical tipping point, with the market preparing for the massive arrival of so-called semi-solid-state batteries (QSSB). This technology represents a functional bridge between existing lithium-ion cells with liquid electrolyte and the future vision of all-solid-state ...
Category: IT News