April 2026

Winsage
June 3, 2026
Cybersecurity researchers have identified an unpatched vulnerability, linked to the "search:" URI handler, that could expose NTLMv2 hashes to attackers. This issue is similar to CVE-2026-33829, which involved a spoofing vulnerability in the Windows Snipping Tool's ms-screensketch: URI handler. The flaw allows attackers to trick users into connecting to attacker-controlled SMB servers, disclosing NTLMv2 hashes that can be exploited for authentication. The new vulnerability uses the "search:" and "crumb=location:" parameters, resulting in a similar Net-NTLMv2 leak. Microsoft has chosen not to address this issue, stating that only vulnerabilities classified as Important or Critical would be fixed. Recommendations to mitigate risks include blocking outbound SMB traffic, enforcing SMB signing, and disabling NTLM authentication where possible.
Winsage
June 1, 2026
Microsoft resolved an issue causing installation failures and error code 0x800f0922 during the deployment of the May 2026 Windows 11 security update (KB5089549), which was linked to insufficient free space on the EFI System Partition (ESP). The problem mainly affected devices with 10 MB or less available space, leading to automatic rollbacks of the update. The resolution was provided through the release of the Windows 11 KB5089573 preview cumulative update on May 26, 2026. Users installing updates released on or after this date will not need a workaround, while those with earlier updates can use the Known Issue Rollback feature. Additionally, IT administrators in enterprise settings can manually address the issue through Group Policy configurations. The KB5089573 update introduced 30 changes to improve performance and reliability.
Tech Optimizer
May 29, 2026
NordVPN has launched an updated application that combines its VPN services with next-generation antivirus capabilities, creating a comprehensive digital security suite. The new offering emphasizes three main features: an advanced VPN for private connectivity, a next-generation antivirus for threat protection, and the Dark Web Monitor™ for data breach monitoring. The updated antivirus solution uses artificial intelligence and behavioral analysis to identify threats in real-time, including phishing and malware. In April 2026, NordVPN reported blocking 4.8 million threats, with over 3 million instances of malware blocked. The company’s Threat Protection Pro includes malware and phishing protection, ad and tracker blocking, vulnerability scanning, and dark web monitoring. Independent evaluations have shown high detection rates for blocking malicious URLs. The cybersecurity industry is seeing a trend towards bundling multiple security tools into single subscription packages, with NordVPN aiming to simplify digital protection for users. The company maintains a commitment to privacy, ensuring minimal data collection for threat assessments.
Tech Optimizer
May 29, 2026
NordVPN is transforming its VPN application to integrate modern threat protection capabilities, focusing on three core pillars: connect, protect, and monitor. The company is consolidating its security features, including browser protection, anti-malware, dark web monitoring, and phishing protection, into a comprehensive security app. In April 2026, NordVPN's threat protection and antivirus service blocked 4.8 million threats, highlighting the need for an evolved approach to cybersecurity. The new app aims to provide proactive protection against various online threats, reducing the complexity of managing multiple security applications. NordVPN's subscriptions start at a few dollars per month, with different tiers offering varying levels of security features, including a Basic plan, Complete plan, and Prime tier for comprehensive cybersecurity.
Winsage
May 28, 2026
A Secure Boot certificate refresh is being deployed across supported Windows devices via Windows Update. The Secure Boot certificates from 2011 will begin to expire in June 2026, prompting Microsoft to introduce new 2023-dated certificates to maintain security. Most users will require minimal action if their PCs are updated, but older devices may face challenges. The current certificates include:
- Microsoft Corporation KEK CA 2011: expires June 24, 2026
- Microsoft UEFI CA 2011: expires June 27, 2026
- Microsoft Windows Production PCA 2011: expires October 19, 2026
The new certificates will remain valid until 2038, with plans for post-quantum cryptography around 2030. While PCs using the 2011 certificates will continue to function, they will lose access to new security protections, making them vulnerable to emerging threats. A notable example of such a threat is the BlackLotus bootkit, which exploited vulnerabilities to bypass Secure Boot. Microsoft's rollout strategy involves a staged update process that typically takes around 48 hours and may require restarts. Users are advised to keep Windows updated and check their Secure Boot status. Known issues may arise for older PCs, systems that bypassed Windows 11 requirements, Legacy BIOS systems, and custom firmware configurations. IT teams managing devices should inventory their systems, monitor specific event IDs, test updates, and document devices that cannot be updated.
Winsage
May 28, 2026
Microsoft has introduced a new Group Policy option in the Windows 11 April 2026 Update that allows administrators to remove the Microsoft Copilot app across all devices within an organization. This change responds to user feedback about the app's deep integration into the operating system. Previously, users could uninstall Copilot, but it often reappeared after system updates or reinstalls. The new policy enables businesses and IT administrators to block or remove Copilot automatically, eliminating the need for manual uninstalls. Additionally, Microsoft is extending this policy to Microsoft 365 Copilot integrations. While the policy is not available for Windows Home users, similar results can be achieved through the Registry Editor or PowerShell commands.
Winsage
May 23, 2026
Recent feedback from Windows 11 users has led Microsoft to simplify the process of uninstalling Copilot due to dissatisfaction with its integration. A Group Policy option titled “Remove Microsoft Copilot app” has been introduced in the April 2026 Update, allowing users to remove Copilot via User Configuration > Administrative Templates > Windows Components > Windows AI. Users can also uninstall Copilot directly from the installed apps list or by right-clicking the icon, although it may reappear after a fresh installation due to certain updates. To uninstall Copilot and Microsoft 365 Copilot using Group Policy, the following conditions must be met: both apps must be installed, the user did not install them independently, and the Copilot app has not been used for over 28 days. This policy is supported on Pro, Enterprise, Education, and IoT Enterprise or LTSC versions of Windows 11. Windows 11 Home users can manually remove Copilot by creating a registry key at HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI and setting a DWORD value named RemoveMicrosoftCopilotApp to 1. Alternatively, users can execute a PowerShell script to remove Copilot. Microsoft has not provided an uninstall option for Copilot in the Start menu.
Winsage
May 21, 2026
In April 2026, two zero-day vulnerabilities, RedSun and UnDefend, were discovered in Microsoft Defender, affecting Windows 10, Windows 11, and Windows Server platforms. These vulnerabilities allow attackers to escalate privileges to SYSTEM and bypass Defender’s protections. RedSun exploits a flaw in Defender's remediation process, enabling low-privileged users to overwrite critical system files. UnDefend allows attackers to disrupt Defender’s updates, keeping it outdated and ineffective. Both vulnerabilities are actively being exploited, with attackers leveraging them to gain persistent access and deploy ransomware. The primary targets are organizations using Windows systems with Defender enabled, particularly in sectors like finance, healthcare, and government. Mitigation strategies include applying updates for related vulnerabilities, monitoring for suspicious activities, and implementing additional security measures.