Recent Posts

1


Chrome is no longer the lightweight browser most people think it is. And if you don’t believe me, just check the storage Chrome is taking up on your PC. Recently, a lot of users have reported Chrome silently downloading a 4GB file on their PC or Mac. And when I checked on mine to confirm, sure enough, it was sitting there too.

What makes the whole situation frustrating is that Google doesn’t ask for any permission before downloading it. There’s no pop-up or even an explanation before the download. The good thing is, Chrome does let you remove the file and reclaim the storage space. But once you understand what the file actually does and why Chrome needs it, you probably wouldn't want to do it.

AI downloads this large deserve an opt-in prompt
They should’ve asked first



If you have Chrome installed on your PC or Mac, there’s a chance a massive file named weights.bin is sitting on your storage drive and taking up nearly 4GB of space. I wouldn’t blame you for not knowing this, because it's a file Chrome downloads silently. You can find the file in Chrome’s directory.

   • macOS: /Library/Application Support/Google/Chrome/OptGuideOnDeviceModel/

   • Windows: %LOCALAPPDATA%\Google\Chrome\User Data\OptGuideOnDeviceModel

This file is essentially the brain behind Chrome’s on-device AI system, also known as Gemini Nano. In simple terms, it contains the machine learning model that allows Chrome to run certain AI features locally on your PC instead of sending requests to Google’s cloud servers.

These AI models help with things like generating text, summarizing an article, and warning you about potential scams. So yes, it’s kind of important. But the problem is the storage it takes, and more importantly, Chrome doesn’t really ask for consent before downloading a file this large. As soon as you interact with a feature that relies on these AI models, it simply downloads the file silently.



Google’s reasoning doesn’t completely convince me
I understand the logic, but I still don’t like it



To be fair, Google has stated legitimate reasons for putting Gemini Nano directly on your PC. According to Google, the local AI model powers important features without constantly sending your data back and forth to the cloud. In theory, that’s better privacy, as some AI tasks happen entirely on your device instead of Google’s servers.

There’s also a practical reason behind this. Running AI models in the cloud is incredibly expensive. Every AI query costs computing power, electricity, and server resources. By shifting some of that workload onto your PC or Mac, Google can reduce the pressure on its own infrastructure while still offering important AI-powered features.

But personally, I still don’t think it fully justifies Google downloading the file without user consent. While Google does mention that the model is supposed to automatically uninstall itself if the device starts running low on storage, there’s no clarity on what that “low storage” number actually is.

Yes, you can delete it, but there’s a catch
Do you really want to?



Technically, it’s possible to get rid of the weights.bin file from your PC or Mac. It’s really no different from deleting any other file, and doing so doesn’t affect your browsing data. The problem is that Chrome will simply redownload the same file and occupy storage space. The only way to reclaim that 4GB permanently is to disable Chrome’s on-device AI features. To do that, open Chrome Settings, switch to the System tab, and turn off the On-device AI toggle.

Once disabled, the on-device AI file will disappear automatically, and it won’t come back. Of course, there’s an obvious downside to this. Removing the weights.bin file also means giving up on Chrome's AI features, which include things like summarizing pages and even scam protection tools. And that’s what makes this whole situation complicated.

I absolutely dislike the idea of Chrome silently placing a 4GB AI model on my PC. But at the same time, using a browser without these features in 2026 also feels limiting. So yes, if Chrome had simply shown me the prompt, I’d have clicked Yes anyway, mainly because some of this model also powers security features.

As someone who practically lives inside a browser all day for work, it doesn't make sense to remove Chrome’s local AI model just to free up some storage space. That said, I’ll be keeping an eye on the file to make sure it doesn’t quietly balloon in size as Google continues to add new AI features. If you don’t like the idea of Chrome using this much storage, though, it’s better to switch to a different browser entirely, like Edge, Brave, or any of the other open-source alternatives that are far more lightweight.

source
2
Not the new features



With the massive announcement of the Googlebook and its upcoming Android-based operating system completely dominating the headlines since last week, it is easy to forget that Google still has a massive fleet of Chromebooks to maintain. To that end, ChromeOS 148 is officially rolling out to the stable channel, and as you might expect given the platform’s new horizon, it is an incredibly quiet milestone.

If you are looking for groundbreaking user-facing features, productivity overhauls, or flashy new UI tricks in this release, you are going to be pretty disappointed. But while it is a boring update on the surface, it carries some critical backend changes that make it worth jumping into your settings menu to trigger the update if it hasn’t hit your device yet.

A pure security and maintenance milestone

The official enterprise release notes for ChromeOS 148 confirm that Google is entirely focused on the fundamentals right now: stability, security, and long-term maintenance.

The single major headline for this release is a backend Certificate Provisioning migration. Google is actively forcing a shift away from its legacy certificate enrollment solutions, moving administrators over to the more modern Certificate Provisioning API that initially debuted back in ChromeOS 142. It is a vital structural update for enterprise and school IT managers who need to ensure seamless, secure network authentication across their fleets before the old method is permanently deprecated at the end of 2026.

Beyond that, the changelog is a textbook definition of maintenance, packing the usual assortment of under-the-hood bug fixes, performance optimizations, and security patches designed to keep your current hardware running tightly.

Setting the stage for the LTS freeze

The quiet nature of ChromeOS 148 makes perfect sense when you look at the upcoming roadmap. Google’s release schedule highlights that ChromeOS 150 – which is slated to drop on Tuesday, July 21, 2026 – will serve as the next official Long-Term Candidate (LTC) release.

For the uninitiated, the Long-Term Support (LTS) channel is what schools and enterprise environments use to lock their devices into a hyper-stable software baseline for months at a time, receiving only critical security patches while skipping the standard four-week feature update cycle. Because Google engineers are gearing up to freeze the code for that massive 150 baseline this summer, these intermediate builds are all about squashing bugs and hardening security rather than introducing potentially volatile new software features.

It might be a boring changelog, but keeping your device on the latest stable build is still the best way to keep your data protected and your hardware running smoothly. The rollout is moving out in stages, so if you don’t see ChromeOS 148 waiting for you in Settings > About ChromeOS just yet, give it a few days to hit your specific device.

source
3


Back in 2001, a tiny startup launched an operating system called Lindows. It was a genuinely ambitious idea: take Linux, add on a compatibility layer for Windows apps, and then sell the resulting OS for cheaper than Windows itself. The name was both a pitch and perhaps the seed of its eventual downfall. Microsoft noticed immediately, and started a two-and-a-half-year legal battle that threatened to unravel one of Microsoft's most valuable trademarks altogether.

What Lindows actually was
A Linux distro designed to poach Windows users



Founder Michael Robertson (who had already sold MP3.com to Vivendi Universal for $372 million) started Lindows in San Diego in August of 2001. His main goal was to create a Linux distribution that could run major Windows apps without forcing users to leave Linux entirely to do so. Lindows used Wine for this task, a compatibility layer still in use today that translates Windows API calls into Linux-compatible equivalents on the fly. Wine had been around since 1993, but Linux users had to configure it themselves; the idea here was more of a turnkey solution: install Lindows and your Windows apps just work.

The OS was built on Debian Linux, ran the KDE desktop environment (styled to look familiar to Windows users), and featured a paid software storefront called Click 'N' Run (CNR) — an early precursor to the app store model — that let users browse and install both free and commercial Linux software without touching the command line.

As soon as June 2002, Walmart was selling budget PCs with LindowsOS preinstalled, starting at $299, making it the first major retailer to ship Linux-based computers to consumers. Microsoft had 90 percent of the world's PCs at the time, and was fairly hostile to the upstart Linux. That would, of course, change eventually, but not before it tried to litigate this little startup out of existence.

The lawsuit Microsoft probably shouldn't have filed
How "Windows" nearly became a generic word



Microsoft sued Lindows in December 2001, saying that the name infringed on its Windows trademark. The idea was that consumers might confuse the two products. Lindows fired back with a perhaps more damaging argument: "windows" was already a generic term in computing before Microsoft ever trademarked it. Windowing interfaces existed at Xerox PARC and Apple years before Windows shipped in 1985.

US District Judge John Coughenour didn't take to Microsoft's trademark defense right away. He denied the company's request for a preliminary injunction in 2002, which raised questions about whether "Windows" could even be protected as a trademark. In February 2004, he ruled that any jury deciding the case would have to consider whether "windows" was a generic term before 1985, and not as a computing term as we understand it today.

If the case went to trial and a jury decided "Windows" was generic, Microsoft could lose trademark protection for its flagship product's name.

Microsoft went global to squeeze Lindows
The European pressure campaign that worked



OK, so the US case wasn't looking good for Microsoft, so the company took the fight to fronts in Finland, Sweden, France, Belgium, Luxembourg, the Netherlands, Canada, and Spain. European trademark laws were more favorable at the time, and Microsoft won preliminary injunctions in Finland, Sweden, and the Netherlands. The Dutch ruling was the most aggressive: it prohibited Lindows from selling its OS or even operating its website in Belgium, Luxembourg, and the Netherlands.

Lindows tried to keep going. It launched ChoicePC.com and started selling lifetime Lindows memberships for $100 to raise some cash. It renamed the product "Lin---s" in countries that had blocked the Lindows name, though Microsoft's lawyers argued that it wasn't enough. The renamed product eventually became Linspire in April 2004, after Lindows lost its bid to have a US court block Microsoft's European litigation.

The settlement that ended it
Microsoft paid $20 million to buy a name it tried to kill



With a US trial looming and a real risk that "Windows" could be ruled a generic term, Microsoft settled in July 2004. It paid Lindows a total of $20 million, with $15 million up front and $5 million contingent on Lindows handing over its Lindows-related domain names. As part of the deal, Lindows Inc. transferred the trademark to Microsoft and rebranded globally as Linspire.

Tom Burt, Microsoft's deputy general counsel, said the settlement would let Lindows "compete in the marketplace with a name distinctly its own." Lindows CEO Michael Robertson said the terms "make business sense for all parties."

Microsoft spent years and millions of dollars trying to destroy the name and ended up having to buy it.

Linspire continued operating after the settlement, pushing more and more into consumer Linux. It launched a free version called Freespire and even signed deals with Canonical and Mint to offer software through its app storefront CNR. But the brand recognition was gone and the company struggled to find a foothold.

In July 2008, Linspire stockholders voted to sell all company assets to Xandros, a Canadian Linux distributor, and went dormant. Xandros discontinued Linspire in August 2008, and the rights eventually landed with PC/OpenSystems LLC, which relaunched the Linspire name in 2018 as a paid Ubuntu-based distribution.

The legal legacy matters more than the product

The Lindows case is less remembered for the OS and more for what it nearly did to Microsoft's most important trademark. Lindows may have lost the name (and eventually, its entire business), but it forced one of the most powerful software companies in the world to pay $20 million as a hedge against possibly having "Windows" declared a generic term in open court. That's a pretty reasonable outcome for a company that was set up on Wine and $100 memberships. Ironically, Microsoft ships its own Linux layer these days, WSL, doing roughly what Lindows was trying to do from the start.

source
4
A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed "MiniPlasma" that lets attackers gain SYSTEM privileges on fully patched Windows systems.

The exploit was published by a researcher known as Chaotic Eclipse, or Nightmare Eclipse, who released both the source code and a compiled executable on GitHub after claiming that Microsoft failed to properly patch a previously reported 2020 vulnerability.

According to the researcher, the flaw impacts the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine, which was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.

At the time, the flaw was assigned the CVE-2020-17103 identifier and reportedly fixed in December 2020.

"After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched," explains Chaotic Eclipse.

"I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes."

BleepingComputer tested the exploit on a fully patched Windows 11 Pro system running the latest May 2026 Patch Tuesday updates.

In our test, we used a standard user account, and after running the exploit, it opened a command prompt with SYSTEM privileges, as shown in the image below.


[Image: MiniPlasma exploit successfully gave Windows SYSTEM privileges. Source: BleepingComputer]

Will Dormann, principal vulnerability analyst at Tharros, also confirmed the exploit works in his tests on the latest public version of Windows 11. However, he said that the flaw does not work in the latest Windows 11 Insider Preview Canary build.

The exploit appears to abuse how the Windows Cloud Filter driver handles registry key creation through an undocumented CfAbortHydration API. Forshaw's original report said that the flaw could allow arbitrary registry keys to be created in the .DEFAULT user hive without proper access checks, potentially enabling privilege escalation.

While Microsoft reports having fixed the bug as part of its December 2020 Microsoft Patch Tuesday, Chaotic Eclipse now claims the vulnerability can still be exploited.

BleepingComputer contacted Microsoft about this additional zero-day and will update this story if we receive a response.

Update 5/18/26: ZeroTrust platform ThreatLocker posted on X that organizations should monitor the following Registry keys for modifications using their EDR platform to detect exploitation:

Quote
\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps*
 
and
 
\Registry\User\.DEFAULT\Volatile Environment*

Researcher behind the recent string of Windows zero-days

MiniPlasma is the latest in a string of Windows zero-day disclosures published by the researcher over the past several weeks.

The disclosure spree began in April with BlueHammer, a Windows local privilege escalation flaw tracked as CVE-2026-33825, followed by another privilege escalation vulnerability, RedSun, and a Windows Defender DoS tool, UnDefend.

After their disclosure, all three vulnerabilities were spotted being exploited in attacks. According to the researcher, Microsoft silently patched the RedSun issue without assigning it a CVE identifier.

This month, the researcher also released two additional exploits named YellowKey and GreenPlasma.

YellowKey is a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 that spawns a command shell that gives access to unlocked drives protected by TPM-only BitLocker configurations.

Chaotic Eclipse has previously stated that they are publicly disclosing these Windows zero-days in protest of Microsoft's bug bounty and vulnerability-handling process.

"Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I'm not sure if I was the only one who had this horrid experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything," alleged the researcher.

"They mopped the floor with me and pulled every childish game they could. It was so bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision."

Microsoft previously told BleepingComputer that it supports coordinated vulnerability disclosure and is committed to investigating reported security issues and protecting customers through updates.

source
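
The ThreatLocker guidance quoted in the MiniPlasma post above can be turned into a check over registry telemetry. The following is an added example, not code from ThreatLocker, BleepingComputer or the researcher; it assumes registry events exported as JSON lines with Sysmon-style `TargetObject` and `Image` fields, runs on constructed sample events, and assumes real paths carry a hive name (a SID or `.DEFAULT`) after `\Registry\User\` that the first quoted pattern does not show.

```python
import json
import re
from typing import Iterable, Iterator, List, NamedTuple, Optional

# Patterns exactly as quoted in the post.
WATCHED_KEYS = (
    r"\Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps*",
    r"\Registry\User\.DEFAULT\Volatile Environment*",
)

# Assumption: user-mode tooling reports HKEY_USERS paths with these prefixes,
# while the quoted patterns use the kernel form \Registry\User.
_USER_HIVE_PREFIXES = ("HKEY_USERS\\", "HKU\\")
_KERNEL_PREFIX = "\\Registry\\User\\"


class Alert(NamedTuple):
    line_no: int
    pattern: str
    target: str
    image: str


def normalize(path: str) -> str:
    """Rewrite HKU\\... or HKEY_USERS\\... into the \\Registry\\User\\... form."""
    path = path.strip()
    upper = path.upper()
    for prefix in _USER_HIVE_PREFIXES:
        if upper.startswith(prefix):
            return _KERNEL_PREFIX + path[len(prefix):]
    return path


def _compile(pattern: str) -> "re.Pattern[str]":
    """Treat '*' as 'any characters'; every other character is literal."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE)  # registry paths are case-insensitive


_COMPILED = [(p, _compile(p)) for p in WATCHED_KEYS]


def _candidates(path: str) -> Iterator[str]:
    """Yield the path as-is, then the path with the hive name removed.

    Assumption: the second form lets the first quoted pattern, which shows no
    SID, match a per-user hive path such as \\Registry\\User\\<SID>\\Software\\...
    """
    yield path
    if path.upper().startswith(_KERNEL_PREFIX.upper()):
        _hive, sep, tail = path[len(_KERNEL_PREFIX):].partition("\\")
        if sep:
            yield _KERNEL_PREFIX + tail


def match_key(target: str) -> Optional[str]:
    """Return the watched pattern that covers this registry path, if any."""
    for candidate in _candidates(normalize(target)):
        for pattern, regex in _COMPILED:
            if regex.fullmatch(candidate):
                return pattern
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per event whose TargetObject is under a watched key."""
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip, do not abort the scan
        if not isinstance(event, dict) or not isinstance(event.get("TargetObject"), str):
            continue
        pattern = match_key(event["TargetObject"])
        if pattern:
            alerts.append(Alert(line_no, pattern, event["TargetObject"],
                                str(event.get("Image", ""))))
    return alerts


# Constructed sample events (not real telemetry); the last line is truncated.
SAMPLE_EVENTS = r"""
{"EventType": "CreateKey", "Image": "C:\\Temp\\constructed.exe", "TargetObject": "HKU\\.DEFAULT\\Volatile Environment\\1"}
{"EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Volatile Environment\\1\\SESSIONNAME"}
{"EventType": "SetValue", "Image": "C:\\Temp\\constructed.exe", "TargetObject": "\\REGISTRY\\USER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Policies\\Microsoft\\CloudFiles\\BlockedApps\\example"}
{"EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"EventType": "CreateKey", "TargetObject": "HKU\\.DEFAULT\\Vola
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.strip().splitlines()):
        print(f"line {alert.line_no}: {alert.image} touched {alert.target}")
```

An ordinary user's own `Volatile Environment` key (second sample line) does not alert, because the quoted pattern names the `.DEFAULT` hive specifically.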
5
Huawei / Huawei's EUV lithography machine goes into trial production
« Last post by javajolt on May 19, 2026, 11:02:21 PM »
China's chip manufacturing ushers in a historic turning point!

Recently, Huawei, in collaboration with the domestic industrial chain, completed the installation and debugging of the first domestically-produced extreme ultraviolet (EUV) lithography machine at the Songshan Lake base in Dongguan, officially entering the chip trial production process.

This breakthrough marks a new stage in China's independence in core technologies in high-end chip manufacturing, and may completely rewrite the global semiconductor industry landscape.



Technological breakthrough: Light source efficiency reaches 3.42%, and production capacity exceeds similar equipment of ASML

The domestically produced EUV lithography machine tested by Huawei uses the laser-induced discharge plasma (LDP) technology developed by Harbin Institute of Technology. The core light source energy conversion efficiency reaches 3.42%, which is close to the international top level.

Test data shows that the equipment can process 250 wafers per hour, surpassing the 195-wafer capacity of ASML's equipment of the same level. The equipment size is reduced by 30% and the cost is only 1/3 of imported equipment.

Unlike the carbon dioxide laser bombardment technology that ASML relies on, the Chinese team directly converts electrical energy through solid pulse lasers, eliminating the complex laser amplification process, reducing power consumption by 40%, and completely bypassing ASML's LPP (laser plasma) patent barriers.

Industry chain collaboration: more than 30 upstream and downstream companies work together to tackle key problems

The breakthrough of domestic EUV lithography equipment is inseparable from the deep collaboration of the domestic industrial chain. Shanghai Lingang has built a lithography equipment industrial park, gathering more than 30 upstream and downstream companies such as Keyi Hongyuan and Guowang Optics:

   - Keyi Hongyuan: Light source technology achieves stable output, and energy conversion efficiency reaches the international leading level;

   - Guowang Optics: The objective lens system has an accuracy of 0.2 nanometers, surpassing the lens jointly developed by ASML and Germany's Zeiss.

In addition, the self-aligned multiple patterning (SAQP) technology developed by Huawei and SMIC has achieved equivalent 3nm chip manufacturing on existing DUV lithography machines, paving the way for the implementation of EUV technology.

Policy and funding: National special investment exceeds 20 billion yuan

The "14th Five-Year Plan" special plan will inject more than 20 billion yuan into the research and development of lithography machines, with a focus on breakthroughs in core components such as optical lenses and laser light sources.



The second phase of the National Integrated Circuit Industry Investment Fund is expected to raise 200 billion yuan, leverage more than 450 billion yuan of social capital, and form a "policy + capital" dual-wheel drive model.

Future plan: Mass production in 2026, yield target 70%

The Huawei team plans to achieve mass production of EUV lithography machines in 2026, and it is expected that the cost of domestic chip manufacturing will be reduced by 40%-50%.

According to the plan:

   - 2027: The yield rate of the pilot production line will be increased from 30%-40% to 60%-70%;

   - 2028: Mass production will be expanded to meet 70% of domestic chip manufacturing needs;

   - 2030: To partially surpass international giants in some areas.

Global impact: China's chip independence is accelerating

The latest report from the Semiconductor Industry Association of the United States shows that the gap between China and the world's top level has been narrowed to 12 months.

With breakthroughs in domestic EDA tools and advanced packaging technologies, China is expected to achieve full-process independence in high-end chip manufacturing around 2028.

A former ASML engineer revealed anonymously that China's EUV prototype has entered the "system assembly-single test" cycle stage, and it is estimated that the full process debugging will take 18 months, and the "changing lanes and overtaking" strategy of domestic technology may significantly shorten this cycle.



Sources:

Reports on Huawei's EUV lithography machine testing progress from Xueqiu, Sina Finance, NetEase and other platforms (June 2025)

Harbin Institute of Technology's official statement on LDP technology breakthrough

Public information on the National 14th Five-Year Plan and Integrated Circuit Industry Investment Fund

source
6

Authored by: Morey J. Haber, Chief Security Advisor, BeyondTrust, and James Maude, Field Chief Technology Officer, BeyondTrust


As analyzed in the 2026 Microsoft Vulnerabilities Report, Microsoft disclosed 1,273 vulnerabilities in 2025, which represents a dip from 1,360 the prior year. The good news seems to be that total Microsoft vulnerabilities have remained in a stable range from 2020 – 2026.

But those numbers are the wrong ones to watch. Critical vulnerabilities doubled year-over-year, surging from 78 to 157, reversing a multi-year downward trend.

Stability in total vulnerability volume conceals instability in impact, and that is where organizations should focus their attention.

The most important clue in this data is not how many vulnerabilities were disclosed, but where they are concentrated and what they enable threat actors to potentially compromise.



Where the Risk Is Concentrating

The dominance of Elevation of Privilege vulnerabilities (accounting for 40% of all CVEs), combined with a 73% rise in Information Disclosure flaws, tells us attackers are prioritizing stealth and reconnaissance over noisy exploits.

Privilege is where vulnerabilities become breaches. Threat actors no longer need noisy exploits or mass malware campaigns if they can quietly escalate access and move laterally using legitimate credentials and Living Off the Land tactics.

This trend aligns with real-world breach patterns, where initial access is often mundane, but impact is amplified through excessive privilege, misconfigurations, and weak identity controls.

Nowhere is this more concerning than in cloud and business platforms. Microsoft Azure and Dynamics 365 decreased slightly in total vulnerability count, but critical vulnerabilities spiked dramatically, jumping from 4 to 37 in a single year.

Cloud platforms are not just infrastructure anymore. They are crucial to business operations, providing a wide variety of services, including identity and access management, business automation, control planes for entire enterprises, etc.

A critical flaw in these environments poses implications far beyond exposing data. It can cripple an entire workflow (and, ultimately, business operations) and can collapse trust boundaries at machine speed. When cloud vulnerabilities turn critical, the blast radius becomes the defining risk metric.




In practice, a single misconfigured identity in Azure can hand an attacker the keys to your entire tenant, and most organizations wouldn’t know until the damage was done. CVE-2025-55241, a critical Entra ID flaw patched in July 2025, illustrated this precisely: an attacker could forge tokens accepted across any tenant, leaving no trace in victim logs.

On the endpoint and server side, the results are mixed, but still disturbing. Total Microsoft Windows vulnerability numbers declined, yet critical counts remained stubbornly consistent and unnervingly high. Microsoft Windows Server vulnerabilities increased to 780, with 50 classified as critical. Servers remain high value targets because they often run with elevated privileges, host shared services, and provide the foundation for a wide variety of business infrastructure.

Threat actors understand that compromising a server often provides faster and deeper access than compromising a desktop alone. It's a refrain we hear consistently from CISOs: “We patched everything critical, so why are we still getting breached?” This data explains why.

Perhaps the most notable shift in the data is for productivity software. Microsoft Office vulnerabilities surged 234% year over year, rising from 47 to 157, with critical vulnerabilities jumping from 3 to 31 (a 10x increase from last year).

Microsoft Office remains one of the most abused attack surfaces because it sits at the intersection of human behavior, daily operations, and business continuity.

Macros, document sharing, preview panes, HTML rendering, new AI capabilities, and add-ins create a unique landscape for exploitation. When Office vulnerabilities spike, users remain the most reliable entry point via social engineering.

The category trends reinforce a clear pattern: Elevation of Privilege and Information Disclosure are rising together. Attackers are prioritizing stealth and reconnaissance, and when threat actors know your environment better than your own team does, every subsequent incursion becomes easier.

What Organizations Should Do About It

The immediate defense priority is narrowing the blast radius before the next patch cycle. That means auditing standing admin rights, treating service accounts and AI agents with the same scrutiny as human identities, and disabling the Windows preview pane (seven CVEs in 2025 exploited it as an entry point).

For organizations, the takeaway is clear. Patch management alone is insufficient, and organizations must prioritize vulnerabilities that enable privilege escalation, identity abuse, and lateral movement first. That requires context, knowledge of exploits, mappings to frameworks like MITRE ATT&CK, and not just CVSS scores. It also requires rethinking trust assumptions across cloud, endpoint, server, and productivity layers.

The organizations that are ahead of this aren't simply patching faster. They're thinking differently about what privilege means in a cloud-first environment.

In the organizations we work with, AI agents have quickly evolved from a future concern into a present reality almost overnight, and most lack the AI security posture management necessary for proper governance.

Patch management matters, but patches fail to fix excessive privilege or enforce least privilege for AI agents. The ghost in this data isn’t the vulnerability count. It’s everything those vulnerabilities unlock when the identity controls aren’t there to stop them.

For the 2026 landscape and beyond, the 2026 Microsoft Vulnerabilities Report reinforces a hard truth. Threat actors are not breaking down the front door anymore with brute force exploits. They are walking in, escalating quietly, and operating as trusted users, human and machine alike.

If security programs don’t focus on privilege reduction, identity visibility, and continuous risk assessment, the numbers may look stable year over year, but the attack surface and business impact will continue to increase.

Download the complete 2026 Microsoft Vulnerabilities Report now for detailed analysis of Microsoft's vulnerability and security landscape—and what it all means for you.

source
7
Microsoft / Microsoft is killing SMS codes for Microsoft account sign-in
« Last post by javajolt on May 19, 2026, 06:20:08 PM »
Aggressively pushing passkeys on Windows 11


Microsoft is killing SMS login codes for personal accounts

For years, typing in a six-digit code sent to your phone has been the universal standard for verifying your identity online. But that era is officially coming to an end in the Windows ecosystem.

In a statement to Windows Latest, Microsoft independently confirmed that it’ll stop sending SMS codes for personal accounts.

Now, first spotted by Windows Latest, Microsoft has officially announced that it is pulling the plug on SMS codes for personal accounts. According to a support document quietly published earlier this year, the company is actively phasing out text messages as a method for both two-factor authentication and account recovery.

While the tech giant subtly hinted at this shift in a previous security advisory earlier this year, stating it was “committed to advancing security standards,” the newly released documentation explicitly confirms the end of SMS verification.

Moving forward, Microsoft is forcing a transition to passwordless alternatives, mandating the use of passkeys, authenticator apps, and verified secondary email addresses.

Why Microsoft is abandoning SMS authentication

Redmond’s decision to kill off SMS verification comes down to the undeniable fact that text messages are no longer a secure way to protect your digital identity.



In their official advisory, Microsoft states that “SMS-based authentication is now a leading source of fraud.”

“Microsoft is committed to advancing security standards, and as such, we will start phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts,” Microsoft noted in an advisory spotted by Windows Latest. “Microsoft believes that the future of authentication is passwordless, secure, and user-friendly.”

Text messages were never designed with modern cybersecurity in mind. They are transmitted in plain text across vulnerable cellular networks, making them highly susceptible to interception.

Furthermore, hackers frequently use SIM-swap attacks, a tactic where a malicious actor tricks your mobile carrier into transferring your phone number to a device they control. Once the transfer is complete, the hacker instantly receives all of your SMS two-factor authentication codes, allowing them to easily hijack your accounts.

To combat this, Microsoft believes the future of account security is entirely passwordless. The company is replacing SMS with passkeys, which are a modern, phishing-resistant security standard.



Unlike traditional passwords or text codes that can be intercepted, passkeys use your device’s built-in biometric hardware.

When you sign in using a passkey, you authenticate your identity using Windows Hello facial recognition, a fingerprint scanner, or a localized device PIN. This creates a cryptographic key pair where the private key never leaves your physical hardware, rendering remote phishing attacks virtually impossible.

Depending on your setup, passkeys can be device-bound, meaning the private key never leaves the physical hardware (like your laptop’s TPM chip), or they can be synced across your devices via services like Apple iCloud Keychain or Google Password Manager. This cross-device compatibility ensures that if you lose your phone, your verified email and synced passkeys will still allow you to recover your account safely.

The problem of a forced passwordless transition

On paper, eliminating vulnerable SMS codes in favor of biometric passkeys is an objective win for global cybersecurity. In my daily workflow, the passwordless ecosystem is genuinely fantastic. I use Microsoft Edge, Microsoft Password Manager, and the Microsoft Authenticator app across all my devices. Thanks to the IR camera on my Lenovo laptop, Windows Hello face recognition makes logging into my personal Microsoft account a breeze.

However, Microsoft’s forced transition may cause significant headaches for power users.

As a Windows Insider, I constantly spin up, configure, and manage new virtual machines (VMs) to test software builds.

When I attempt to log into my Microsoft account within these isolated, nested environments, the passkey experience falls apart. Biometric hardware won’t be available on a VM, for obvious reasons, and I do not have access to security keys either. When trying to log in with passkeys via PIN, I’m always shown an error.



In these highly technical, edge-case scenarios, requesting an SMS code was the ultimate, foolproof fallback. It just worked.

Passwords and SMS codes are ubiquitous. Typing in a six-digit text code is an instinctive, habitual behavior for billions of people. To successfully change a deeply ingrained habit, the replacement technology must be utterly flawless across every conceivable scenario.

Microsoft could drop the forced Microsoft account sign-in during Windows 11 setup; now that’s one less place where you’ll need to sign in!

Either way, Microsoft will soon begin prompting all personal account holders with a “Sign in faster with your face, fingerprint, or PIN” screen, urging them to set up a passkey and verify a backup email address. While losing the convenience of SMS codes may be a bitter pill to swallow for some, it is a necessary step to secure Windows 11 against modern threats.

source
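The phishing resistance described in the article above, as an added example that is not part of the original post and not Microsoft's code: a simplified Node.js model of a passkey sign-in, where the relying party verifies a signature over the challenge and the origin the browser reported, next to an SMS code check that can only compare digits. The origins, the code value and every function name are constructed for illustration; real WebAuthn assertions also carry authenticator data and an RP ID hash.

```javascript
const crypto = require('node:crypto');

// Constructed values for illustration only.
const RP_ORIGIN = 'https://login.example';
const LOOKALIKE_ORIGIN = 'https://login.example.invalid';

// Registration: the authenticator generates a key pair and gives the
// relying party (RP) only the public key. The private key stays local.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Sign-in, client side: the browser fills in the origin it is really on,
// and the authenticator signs that together with the server's challenge.
function signAssertion(privateKey, challenge, browserOrigin) {
  const clientData = JSON.stringify({
    challenge: challenge.toString('base64url'),
    origin: browserOrigin,
  });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Sign-in, RP side: check the signature first, then what was signed.
function verifyAssertion(publicKey, expectedChallenge, assertion) {
  const signed = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', signed, publicKey, assertion.signature)) {
    return 'bad-signature';
  }
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (origin !== RP_ORIGIN) return 'wrong-origin';
  if (challenge !== expectedChallenge.toString('base64url')) return 'stale-challenge';
  return 'ok';
}

// An SMS code is a bearer secret: the RP can only compare digits, so a code
// typed into another site and forwarded looks identical to a genuine one.
function verifySmsCode(expected, submitted) {
  const a = Buffer.from(expected);
  const b = Buffer.from(submitted);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

function demo() {
  const { publicKey, privateKey } = createPasskey();
  const challenge = crypto.randomBytes(32);
  const genuine = signAssertion(privateKey, challenge, RP_ORIGIN);
  // Simplification: a real browser would not even offer this credential on
  // another origin; the RP-side check is shown here as the second layer.
  const elsewhere = signAssertion(privateKey, challenge, LOOKALIKE_ORIGIN);
  // Rewriting the signed origin afterwards invalidates the signature.
  const edited = {
    clientData: elsewhere.clientData.replace(LOOKALIKE_ORIGIN, RP_ORIGIN),
    signature: elsewhere.signature,
  };
  return {
    genuine: verifyAssertion(publicKey, challenge, genuine),
    otherOrigin: verifyAssertion(publicKey, challenge, elsewhere),
    editedOrigin: verifyAssertion(publicKey, challenge, edited),
    oldChallenge: verifyAssertion(publicKey, crypto.randomBytes(32), genuine),
    forwardedSms: verifySmsCode('492013', '492013'),
  };
}

console.log(demo());
```

Only the assertion signed on the expected origin against the current challenge is accepted, while the forwarded SMS code passes because nothing in it identifies where it was entered.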
8
iPhone | iApps / Apple's Foldable iPhone Is 4.5mm Thin When Open
« Last post by javajolt on May 19, 2026, 06:07:09 PM »


The thickness number is the headline. But it's the fourth or fifth most remarkable thing about this device.



• Multiple credible sources confirm Apple's first foldable iPhone — likely called iPhone Ultra, though Apple hasn't confirmed any name — will measure approximately 4.5mm when unfolded and 9mm to 9.5mm when folded, making it thinner than any current iPhone when open.

• The device uses a 7.76-inch inner OLED display and a 5.49-inch outer display, both with a 4:3 aspect ratio, powered by the A20 Pro chip on TSMC's 2nm process with 12GB RAM.

• Samsung Display developed a near-creaseless panel with a 0.15mm crease depth and under 2.5 degree crease angle specifically for this device — far below the visible crease on current foldables.

• Space constraints forced real trade-offs: no telephoto camera (just two 48MP sensors), Touch ID via power button instead of Face ID, and a possible absence of internal MagSafe magnets — with leaked cases suggesting Apple may offload that function to a case accessory.

• Mass production, originally planned for June 2026, has been pushed to August. A September launch alongside the iPhone 18 Pro remains the target, but early supply will be tight. Starting price is expected above $2,000.

Quote
"At 4.5mm unfolded, the iPhone Ultra would be thinner than the iPhone Air, thinner than the 13-inch iPad Pro, and thinner than any iPhone Apple has ever sold. That's not a spec tweak — that's a structural statement about what Apple thinks a foldable should feel like."

The Thinness Number in Context

The 13-inch iPad Pro is Apple's thinnest current product at 5.1mm. The iPhone Air — Apple's recent slim-focused phone — sits at 5.6mm. At 4.5mm unfolded, the iPhone Ultra would be thinner than both. It would be thinner than most slab phones on the market. In a foldable. That's not an incremental design achievement. That's a different category of engineering.

The camera bump is the honest asterisk here. Case schematics show a protruding square camera plateau that adds roughly 4.5mm at its highest point, pushing the maximum local thickness to around 9mm at the lens. The body is genuinely 4.5mm. The back isn't flat. Both things are true simultaneously.



What Apple Sacrificed to Get There

This is where it gets interesting. A 4.5mm unfolded chassis doesn't leave room for everything. Face ID requires a TrueDepth camera array that simply won't fit. Apple is using Touch ID in the power button instead — the same approach used on iPads. The telephoto camera is gone. Two 48MP sensors handle main and ultra-wide. The internal magnet ring for MagSafe may also be absent, based on dummy unit analysis that shows no magnets where they'd normally sit. Cases with magnets are already in production. Apple may be moving MagSafe outside the phone entirely.

These aren't failures. They're deliberate choices. Each one bought back a fraction of the thickness that enabled the 4.5mm target.

The Crease Problem Apple Solved

Every foldable phone has a crease. Most are visible in direct light. Samsung's Galaxy Z Fold 7 crease is the current best-in-class, and it's still noticeable. The panel Samsung Display developed for the iPhone Ultra targets a 0.15mm crease depth — significantly lower than anything currently shipping. A crease angle under 2.5 degrees means the display surface is nearly flat even at the fold point. For Apple, shipping a foldable with a visible crease would have been unacceptable. The near-creaseless display is arguably the most technically difficult part of this entire product.

September Target, August Production, Real Risk

Mass production has slipped from June to August. That leaves a tight window for a September launch alongside the iPhone 18 Pro models. Ming-Chi Kuo flagged supply shortages potentially extending into 2027. If you plan to buy one at launch, treat it like an early Vision Pro situation — limited stock, high demand, and a wait list that forms on announcement day.

source
9


The Astra was a strong first entry for RedMagic in compact gaming tablets. Its successor is already looking more serious.

• RedMagic confirmed during its 11S Pro+ launch event on May 19 that the Gaming Tablet 5 Pro — globally the Astra 2 — will officially debut in June 2026, approximately one year after the original Astra launched internationally.

• The tablet skips from Gaming Tablet 3 Pro directly to 5 Pro, bypassing the number 4 entirely — a common practice among Chinese brands due to tetraphobia, as the number 4 sounds like the word for "death" in Mandarin.

• Leaked specs from Digital Chat Station point to a 9-inch OLED display at 2400x1504 resolution with up to 185Hz refresh rate, Snapdragon 8 Elite Gen 5, a liquid cooling circulation system, and up to 24GB LPDDR5X RAM with 1TB storage.

• Battery capacity is leaked at approximately 8,300mAh or higher — an upgrade over the original Astra's 8,200mAh, with some sources citing a 9,000mAh target still being evaluated.

• Pre-orders are already live in China across four configurations: 12GB/256GB, 16GB/512GB, 16GB/1TB, and 24GB/1TB. Color options include Tritium Transparent Silver Wing, Tritium Transparent Dark Night, and Gold Legend.



Quote
"RedMagic is jumping straight from 3 Pro to 5 Pro — skipping the number 4 entirely due to tetraphobia. It's a small detail, but it tells you everything about how deeply cultural thinking shapes product decisions in Chinese tech."

The Display Jump Is the Real Story

The original Astra shipped with a 144Hz OLED panel — already competitive for a gaming tablet at that price. Going to 185Hz at the same 9-inch size and adding a generationally newer chipset is a straightforward but meaningful upgrade. Lenovo's Legion Tab Gen 5 — the Astra's closest competitor — ships with a 165Hz display. RedMagic is aiming above it.

The 2400x1504 resolution translates to a 16:10-style panel with roughly 313 ppi at 9 inches — sharp enough that individual pixels aren't visible at normal tablet viewing distances. The OLED panel means proper blacks, strong contrast, and the ability to reduce brightness to near-zero for late-night gaming sessions without the backlight bleed issues of LCD alternatives.



Snapdragon 8 Elite Gen 5 in a 9-Inch Chassis

The same chip powering flagship phones in 2026 is going into a gaming tablet smaller than most people's lunch trays. That raises obvious thermal management questions. RedMagic's answer is a liquid cooling circulation system — the same active approach used in the 11 Pro+ phone, now adapted for a tablet form factor. At 9 inches, there's significantly more internal surface area to work with than in a phone, which means the cooling architecture can be more ambitious without the thickness compromises a phone demands.

Up to 24GB of RAM in a gaming tablet is a specification that competes with high-end laptops. The practical gaming benefit is reduced load times, smoother multitasking between game and streaming applications, and headroom for increasingly memory-intensive titles. The 1TB storage ceiling is equally generous for a device this size.

What June Actually Means for Global Buyers

RedMagic's pattern with the original Astra established a reliable template: China launch first, global availability one to two months later under the Astra name. If Gaming Tablet 5 Pro launches in China in June, international buyers should expect the Astra 2 to surface by July or August. A RedMagic gaming headset was also teased at the same May 19 event — no specs yet, but it signals RedMagic is building toward a full gaming ecosystem rather than selling isolated hardware.

source
10
Microsoft / Former Microsoft VP says Microsoft missed the AI wave
« Last post by javajolt on May 19, 2026, 05:20:28 AM »

Former executive says Microsoft missed the AI race

Microsoft’s aggressive, multi-billion-dollar push into artificial intelligence was supposed to be a flawless victory. The integration of Copilot into Windows 11, Microsoft 365, and GitHub was designed to usher in a new era of agentic computing. Yet, beneath the polished keynote presentations and massive infrastructure investments, a dramatically different reality is what we saw.

As first reported by Windows Latest, according to a highly respected former Microsoft executive, the company’s AI strategy is fundamentally failing to connect with real users, spurring calls for a massive internal “factory reset.”

The executive in question is Mat Velloso, who was most recently the Vice President of Product for the Developer Platform at Meta’s Superintelligence Labs. He also led AI developer products at Google DeepMind (including the Gemini API and Google AI Studio). But before his stints at Google and Meta, Velloso spent over 12 years at Microsoft, where he served as a Partner Director managing AI innovation in Windows and, interestingly, spent four years as the Technical Advisor to Microsoft CEO Satya Nadella.

When someone with Velloso’s resume, having observed the AI arms race from the highest levels of Microsoft, Google, and Meta, says Microsoft has “missed the AI wave,” it can rip the lid off the deep tensions within Redmond.

Ex-Microsoft exec says Microsoft missed the AI wave



Microsoft’s behavior over the last few months is nothing short of shocking. Both the Windows and Xbox divisions suddenly started prioritizing user feedback and implementing requested features after years of ignoring them.

It’s also not a small task to assemble and organize OEMs, ODMs, and chipset vendors in an event like WinHEC that had its last occurrence almost a decade ago (2018).

Explaining this sudden pivot to listening to customers, Velloso remarked that despite making Bing the company’s biggest AI bet, it failed to capture a single percentage point of search market share from Google. More damning is the state of Copilot.

According to Velloso, less than 3% of paying users actively use Copilot, even though Microsoft has pre-deployed it directly into the Windows 11 taskbar and across the Office suite.



Out of Microsoft’s 450 million Microsoft 365 user base, the company has only managed to convert roughly 15 million paid Copilot seats. This means a staggering 96.7% of users are rejecting the premium AI features, yielding just a 3.3% paid adoption rate. When viewed against Microsoft’s estimated $37.5 billion quarterly AI spending, this is an alarmingly low adoption rate.

But it’s not just software; Velloso also called out the current state of AI hardware. Over the past year, Microsoft has heavily pushed OEMs to include Neural Processing Units (NPUs) in their latest laptops to power advanced Windows 11 capabilities. We have tracked Microsoft’s push for NPU-powered AI features in Windows 11, but as Velloso noted, OEMs invested heavily in NPUs only to find out that “nobody cares because not a single valuable usecase was built for those in Windows/Office.”

Furthermore, he highlighted that GitHub, a platform that should be thriving as the centerpiece of the AI coding revolution, has seen its Service Level Agreement (SLA) reliability drop below 90%. Combined with rising Cost of Goods Sold (COGS) and shareholders beginning to ask difficult questions, this forced Microsoft to start listening to customers because the AI bet isn’t paying off as smoothly as anticipated.

Microsoft’s executive exodus

All this friction appears to be taking a toll on Microsoft’s leadership. Recently, news broke that Julia Liuson, the highly respected head of Microsoft’s Developer Division (DevDiv), was retiring after 34 years with the software giant.

While official channels framed this as a standard retirement, Mat Velloso critiqued the news, saying, “Looks like Microsoft just went from hit refresh to hit factory reset.” He also listed a massive string of high-profile departures and reassignments across the company, including leaders from Xbox, GitHub, AI Infrastructure, Teams, and OneNote.

This public commentary drew the ire of Frank X. Shaw, Microsoft’s Lead Communications executive. Shaw replied to Velloso, defending the departing executives and accusing Velloso of jamming a “negative frame” onto normal corporate retirements.

All Velloso had to do was point out the harsh financial realities that the market is currently digesting. He moved from Microsoft to Google in early 2024, and while Google’s shares surged by roughly 230%, Microsoft’s stock growth remained essentially flat at 0%.

“I suppose the whole market is also wrong about this,” Velloso fired back. “But what do I know? I only saw both companies, how they operate, their strengths and their flaws. Microsoft missed the internet wave, the mobile wave and now it missed the AI wave. It is what happens when you keep doing the same things expecting different results.”



He urged Microsoft’s leadership to stop “gaslighting,” deflecting blame, and burying skeletons, arguing that hitting a complete internal “factory reset” is the only pragmatic way to fix the hard problems plaguing the operating system and enterprise software stack.

OpenAI is cutting out the middleman (Microsoft)

Apart from the internal challenges, Microsoft is increasingly being affected by its closest allies. The company has staked its entire generative AI future on its multi-billion-dollar partnership with OpenAI. However, OpenAI is rapidly building out its own enterprise infrastructure, threatening Microsoft’s historic dominance in the corporate sector.

Just days ago, OpenAI officially launched the “OpenAI Deployment Company” (DeployCo), a new business unit backed by over $4 billion in initial investment from global firms. This new venture features 150 “Forward Deployed Engineers” (FDEs) tasked with embedding directly into Fortune 500 companies to help them build and deploy custom AI solutions.

Historically, this hands-on, enterprise-level consulting was Microsoft’s bread and butter. As Velloso reminisced about his early career as a consultant, he noted that Microsoft’s incredible penetration into large enterprises was built on “armies of people spending time, listening, understanding business goals and solving them with technology in every industry vertical.”

Now, top AI labs like OpenAI are replicating this same playbook. They no longer want to delegate enterprise deployment to hyperscalers like Microsoft Azure. By cutting out the middleman and owning the direct relationship with businesses, OpenAI is stepping directly into the highly lucrative services layer where the real enterprise AI dollars are headed. This presents a huge structural threat to Microsoft’s long-term enterprise revenue, especially as users continue to push back against forced Copilot web app integrations.

Why Microsoft is far from dead: “The moat is unbreakable”

Despite these severe criticisms, Velloso defended his former employer against apocalyptic tech media narratives. When a prominent tech publication recently claimed that “AI is killing Microsoft” and compared their current trajectory to the disastrous 2008 era, Velloso stepped in to shut the narrative down.

“Nope, they are not dying,” Velloso stated. “I know I criticize them a lot and that’s because I care, but boy if you think Microsoft is dying you haven’t watched how many times they recovered from problems.”

He pointed out that while AI startups and labs might be building flashy deployment companies, completely replacing legacy enterprise software is incredibly difficult. When asked about companies claiming they can fully automate software businesses, Velloso recommended talking to Fortune 500 CIOs to see how realistic that really is.

“There’s a reason why all the top AI labs are hiring large consulting teams,” he explained. “The last mile is the hardest and Microsoft has the best distribution for that. Their moat is unbreakable.”

This is the ultimate paradox of Microsoft in 2026. They are simultaneously struggling to convince users to adopt their new AI features, yet their foundational grip on the enterprise ecosystem is still solid. Millions of businesses depend on Active Directory, Azure, Office, and Windows. While it is easy to spin up an AI agent in Python, integrating it securely into a legacy corporate environment requires the kind of massive distribution network that Microsoft has spent four decades building.

A necessary wake-up call



All the “new” features in Windows 11, including the much-awaited movable taskbar and resizable Start menu, are a result of everything that went wrong in the company and leadership finally doing something about it.

When a company realizes that pushing a 3.3% adoption-rate AI chatbot down users’ throats isn’t translating to stock growth or user satisfaction, they are compelled to reconsider their strategy.

We are finally seeing the results of this “factory reset” in real time. Microsoft is dismantling sluggish web wrappers, committing to native UI performance for Windows 11 apps, overhauling driver quality standards, and explicitly prioritizing long-ignored user feedback.

Microsoft’s pivot back to platform fundamentals proves that while AI might be the future, you cannot build that future on a crumbling foundation. The market forced Microsoft to listen, and for frustrated Windows users, that is arguably the best thing that could have possibly happened.

source