audit Archives

Winsage

May 13, 2026

Windows 11 Gets Its First Major Feature Updates of 2026

Users of Windows 11 received feature and security updates on Patch Tuesday, with significant enhancements introduced after four months of less notable updates. The cumulative update KB5089549 is available for Windows 11 versions 25H2 and 24H2, raising their build numbers to 26200.8457 and 26100.8457, respectively. Windows 11 version 26H1, available on Snapdragon X2-based laptops, received update KB5089548, bringing its build to 28000.2113. Key features in KB5089549 include: - Xbox Mode: Replaces Game mode and Full Screen Experience for a streamlined gaming interface. - Agents on the Taskbar: Allows interaction with AI agents directly from the Taskbar, supporting first- and third-party agents. - File Explorer Enhancements: Improved support for various archiving formats, retention of View and Sort preferences, resolution of the white “flash bang” bug, and enhanced reliability of explorer.exe processes. - Windows Driver Improvements: The Windows kernel will no longer trust cross-signed third-party drivers by default; only WHCP drivers and those on a trusted legacy list will be accepted after auditing for 100 hours and three reboots. - Drag Tray Enhancements: Rebranded as the Drop tray with a new management interface and smaller peek view to reduce accidental activation. For version 26H1, KB5089548 includes improvements to Narrator and Smart App Control, increased Microsoft 365 advertising visibility in Settings, refined Pen settings, a new Settings About page, and minor updates to File Explorer.

Tech Optimizer

May 6, 2026

Immudb Upgrade Brings Immutable Audit Trails To PostgreSQL Workloads – Open Source For You

Codenotary has released immudb 1.11, enhancing its open-source database into a comprehensive trust infrastructure layer. Key features include immutable audit logging, which allows organizations to create permanent, tamper-proof records of data and database activities, supported by cryptographic verification to prevent unauthorized alterations. The update also introduces compatibility with PostgreSQL, enabling existing applications to use immudb without modifications. Benefits for organizations include unalterable audit trails, simplified compliance and reporting, and reduced operational complexity. This release positions open source as a viable alternative to proprietary compliance and logging systems, addressing challenges in demonstrating data trustworthiness.

Tech Optimizer

May 5, 2026

Open Source Tamper-Proof Database Adds Immutable Audit Logging and Expands PostgreSQL Compatibility

Codenotary has released immudb 1.11, an open-source database that enhances immutable audit logging and compatibility with PostgreSQL. This version features integrated audit logging that captures database activities in a tamper-proof manner, eliminating the need for external logging systems. It allows organizations to create unalterable audit trails, streamline compliance processes, and maintain a reliable history of data interactions. Immudb 1.11 is compatible with existing PostgreSQL code, enabling seamless integration with various applications and tools. The database is particularly beneficial for sectors requiring trust and accountability, such as finance, software development, cybersecurity, regulated industries, AI systems, and supply chain management. Immudb has over 50 million downloads and supports a zero-trust approach to data management. The open-source version is available on GitHub.

Winsage

May 5, 2026

Unpatched flaws turn Ollama’s auto-updater into a persistent RCE vector, researchers say

Researchers at Striga have identified two vulnerabilities (CVE-2026-42248 and CVE-2026-42249) in Ollama’s Windows auto-updater that could allow an attacker to install a persistent executable that runs at user login. CVE-2026-42248 fails to properly verify signatures of downloaded content, while CVE-2026-42249 is a path traversal flaw that allows an attacker to inject malicious code into the user's Startup folder. Exploitation requires control over the update response, with potential methods including compromising the update infrastructure or redirecting the client. The vulnerabilities affect Ollama versions 0.12.10 through 0.17.5, and users are advised to disable auto-updates and remove shortcuts from the Startup folder to mitigate risks.

AppWizard

May 5, 2026

Meta enhances security of WhatsApp and Messenger encrypted backups

Meta has enhanced the security and transparency of its end-to-end encrypted backup system for WhatsApp and Messenger. The improvements focus on refining the distribution and verification of encryption keys, and allow for independent audits of certain infrastructure components. The updates are based on Meta's Hardware Security Module (HSM)-based Backup Key Vault architecture, which securely stores recovery secrets in tamper-resistant hardware, ensuring that neither Meta nor cloud service providers can access users' message archives. For encrypted backups, users' devices generate a 256-bit encryption key locally, which encrypts all backup data before uploading it to cloud storage. The key remains on the device in an encrypted format, with the user's password not visible to Meta or third parties. An encrypted version of the backup key is stored in the HSM-based vault using the OPAQUE password-authenticated key exchange protocol, enhancing recovery security without revealing the password. The recent updates include an over-the-air (OTA) fleet key distribution mechanism, which avoids hardcoding trusted infrastructure keys into Messenger applications. Clients receive a “validation bundle” containing the HSM fleet's public keys during runtime, with signatures verified against Cloudflare’s Key Transparency system. The vault operates across at least seven data centers using majority-consensus replication to ensure availability and integrity. Meta plans to publish cryptographic proof of each new HSM fleet deployment, allowing advanced users and researchers to verify these deployments through the open-source “mbt” (Meta Binary Transparency) CLI tool, which conducts multiple checks to confirm that fleet keys are untampered.

Tech Optimizer

May 4, 2026

Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities

Cybersecurity researchers at Wiz’s ZeroDay.Cloud event in London exploited two significant vulnerabilities in PostgreSQL, tracked as CVE-2026-2005 and CVE-2026-2006, which were disclosed on May 4, 2026. The vulnerabilities were found in the pgcrypto extension, affecting public-key decryption and symmetric decryption functions. CVE-2026-2005 allows privilege escalation via a buffer overflow during public-key decryption, while CVE-2026-2006 enables attackers to corrupt memory through inadequate checks in symmetric decryption. PostgreSQL has released patches for these vulnerabilities across versions 14.21 to 18.2, and MariaDB addressed a related issue in versions 11.4.10 and 11.8.6. Database administrators are advised to apply updates and audit logs for suspicious activity.

Tech Optimizer

April 30, 2026

Inside the Architecture of an MCP Server for PostgreSQL

The Model Context Protocol (MCP) serves as a standard interface between large language models (LLMs) and external systems like PostgreSQL, emphasizing the importance of control over mere connectivity. An MCP server must act as a mediation and policy layer, enforcing security boundaries and ensuring that connections default to read-only. It should validate AI-generated SQL as untrusted input, encapsulate queries within transactions, and apply execution-time controls. The server must separate query generation from execution approval to manage operational costs and enforce guardrails on query types, such as limiting the number of rows returned. Token efficiency is crucial, with design considerations for compact data representation and schema introspection. In production, connection management is vital to prevent data leakage among multiple AI agents, and observability through logging executed queries and metadata is necessary for debugging and compliance. Long-running sessions require support for paginated responses to manage context effectively. Overall, the MCP server must integrate security, query safety, token efficiency, and observability into its design from the outset.

Winsage

April 28, 2026

FinalWire releases AIDA64 8.30 with FPS tracking and next-gen CPU support, but drops 32-bit Windows support

FinalWire has released AIDA64 version 8.30, featuring the AIDA FPS module for real-time FPS data capture in DirectX 11 and 12 games, available exclusively in the Extreme edition. The update includes an optimized performance test for APX SHA3 for Intel Diamond Rapids and Nova Lake processors, support for Turing 4.6 and 12.3-inch LCD displays, compatibility with Intel Core Ultra 250K Plus and 270K Plus, enhanced support for Intel Wildcat Lake and Nova Lake processors, preliminary support for AMD Zen 6 architecture APUs, support for Aqua Computer Ampinel and Thermal Grizzly WireView Pro II sensors, extended support for Adaptec RAID controllers, USB-NVMe pass-through support for Realtek RTL9220 controllers, support for EXPO 1.2 memory profiles, and detailed GPU information for Intel Arc Pro B65 and B70 as well as NVIDIA RTX Pro 4500 Blackwell Server Edition. The update enhances support for Intel's Nova Lake CPUs and introduces a new SHA3 benchmark optimized for APX architectures. It also lays groundwork for support of AMD's upcoming Zen 6 Medusa Point mobile processors and introduces support for AMD's EXPO 1.2 technology. AIDA64 version 8.30 discontinues support for 32-bit Windows and Windows XP x64, requiring users on those platforms to revert to an earlier version. The new web-based AIDA64 SensorPanel Tools allows users to create image sets for SensorPanel Manager. The update is available across the Extreme, Engineer, Business, and Network Audit editions.

Tech Optimizer

April 26, 2026

CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister

On April 21, 2026, compromised versions of pgserve (1.1.11, 1.1.12, and 1.1.13) were published on npm, containing a 1,143-line credential-harvesting script that executes during the postinstall phase of npm install. The malware functions as a supply-chain worm, reinjecting itself into other packages if it finds an npm publish token. Stolen credentials are encrypted using RSA-4096 and AES-256 and exfiltrated to a decentralized Internet Computer Protocol (ICP) canister. The last legitimate release was v1.1.10, published on April 17, 2026. The malware was detected by StepSecurity AI Package Analyst and Harden Runner, which flagged the compromised versions as Critical / Rejected and confirmed live exfiltration during analysis. The injected script performs operations such as harvesting environment variables, collecting filesystem secrets, encrypting payloads, and propagating to other npm packages and Python packages if a PyPI token is detected. The exfiltration domains have been added to a global block list.

Winsage

April 25, 2026

New Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions

PhantomRPC is a significant architectural vulnerability in the Windows Remote Procedure Call (RPC) framework that allows local privilege escalation to SYSTEM-level access across all Windows versions. Discovered by Kaspersky's Haidar Kabibo at Black Hat Asia 2026, this vulnerability stems from the RPC runtime's failure to verify the legitimacy of a responding server during calls to offline or disabled servers. Attackers can exploit this by setting up a malicious RPC server that impersonates a legitimate endpoint, using the RpcImpersonateClient API to escalate privileges from low-privileged accounts to SYSTEM or Administrator levels. Five distinct exploitation paths have been identified: 1. gpupdate.exe coercion: An attacker can intercept an RPC call made by the Group Policy Client service when executing gpupdate /force, granting SYSTEM-level access if TermService is disabled. 2. Microsoft Edge startup: Launching msedge.exe triggers an RPC call to TermService, allowing privilege escalation from Network Service to Administrator via a spoofed endpoint. 3. WDI background service: The Diagnostic System Host polls TermService regularly, enabling an attacker to exploit this without user interaction. 4. ipconfig.exe and DHCP Client: Running ipconfig.exe initiates an RPC call to the DHCP Client service, allowing a Local Service attacker to elevate privileges if DHCP is disabled and a fake server is present. 5. w32tm.exe and Windows Time: An attacker can expose a named pipe endpoint, allowing them to impersonate any privileged user executing the Windows Time executable. The vulnerability was reported to Microsoft on September 19, 2025, but Microsoft categorized it as moderate severity and closed the case without a patch, as the attack requires SeImpersonatePrivilege, which is granted by default to certain accounts. Organizations are advised to implement defensive measures such as enabling RPC monitoring, ensuring legitimate services are running, and restricting SeImpersonatePrivilege. Kaspersky has provided tools for auditing environments for exploitable RPC call patterns through the PhantomRPC GitHub repository.