AI vulnerabilities

Winsage
August 13, 2025
A second hole in AI systems has been discovered, raising concerns among cybersecurity experts about command injection vulnerabilities. Multiple AI-related vulnerabilities have emerged, including those linked to GitHub Copilot and Azure OpenAI, prompting organizations to reassess their AI strategies. It is important for organizations to understand their AI usage, the specific services they employ, and their responses to vulnerabilities. Discussions often focus on data residency, retention, and ownership, but security measures and policies of AI service providers are also crucial. Chief Security Officers are encouraged to reevaluate risk assessment methods, as vulnerabilities are categorized by severity, leading to questions about the reliability of these ratings. Organizations are urged to establish an internal framework for effective risk measurement.
Winsage
July 12, 2025
Security researcher Marco Figueroa revealed vulnerabilities in AI models, specifically GPT-4, that can be exploited through simple user prompts. He described an incident where researchers tricked ChatGPT into revealing a Windows product key by using a 'guessing game' prompt, bypassing safety measures. The phrase "I give up" was identified as a trigger that led the AI to disclose sensitive information. Although the product keys were not unique and had been shared online, the vulnerabilities could allow malicious actors to extract personally identifiable information or share harmful content. Figueroa recommends that AI developers implement logic-level safeguards to detect deceptive framing and consider social engineering tactics in their security measures.
Winsage
July 10, 2025
A researcher successfully exploited vulnerabilities in ChatGPT by framing inquiries as a guessing game, leading to the disclosure of sensitive information, including Windows product keys from major corporations like Wells Fargo. The researcher used ChatGPT 4.0 and tricked the AI into bypassing safety protocols designed to protect confidential data. The technique involved embedding sensitive terms within HTML tags and adhering to game rules that prompted the AI to respond with 'yes' or 'no.' Marco Figueroa, a Technical Product Manager, noted that this jailbreaking method could be adapted to circumvent other content filters. He emphasized the need for improved contextual awareness and multi-layered validation systems in AI frameworks to address such vulnerabilities.
Winsage
July 10, 2025
Researchers have successfully bypassed ChatGPT's guardrails, allowing the AI to disclose valid Windows product keys by disguising requests as a guessing game. The technique involved using HTML tags to hide sensitive terms from filters while still enabling AI comprehension. They extracted real Windows Home/Pro/Enterprise keys by establishing game rules and using the phrase "I give up" to trigger disclosure. This vulnerability highlights flaws in keyword-based filtering and suggests that similar techniques could expose other restricted content. The attack exploits weaknesses in AI's contextual interpretation and emphasizes the need for improved content moderation strategies, including enhanced contextual awareness and detection of deceptive framing patterns.
Tech Optimizer
June 13, 2024
AI applications are vulnerable in ways that other applications are not, including risks where prompts cause AI applications to "misbehave" or where their behavior is changed by tampering. Trend Micro plans to launch a security solution for consumer AI PCs that will safeguard AI applications and use neural processing units to handle email security. The company aims to protect AI from being tampered with and to improve email security. Trend Micro believes that securing AI is crucial to realizing the value of the AI era and plans to address both enterprise and individual consumer security needs. Traditional device security solutions can still be used on regular PCs or AI PCs to protect against traditional vulnerabilities and the new risks introduced by local AI applications.