Category: Security & Privacy

Using 7-Zip? Time to update, as your version may be vulnerable

Posted on by Martin Brinkmann

7-Zip is a popular open source archiver that is a popular option on Windows. While Windows comes with its own basic archive creation and extracting options, it is significantly slower compared to third-party apps such as 7-Zip.

A vulnerability in earlier versions of 7-Zip was discovered in April 2026 that could allow attackers to cause the application to crash or run arbitrary code.

The affected version is 7-Zip 26.00 and earlier versions appear also affected by the vulnerability. The latest version is 7-Zip 26.01 and this version is safe to use.

If you run the archiving software on your devices, you may want to check the installed version and update if it is 26.00 or earlier.

You can check the installed version under Settings > Apps > Installed Apps. Type 7-Zip into the search box and wait for the app to appear. The version is shown in its title.

Updating is a flawless process. Just download the latest version from the official developer website and run it after the download finished. The installed version will be updated and any attacks targeting the vulnerability won’t have an affect on the app or the system anymore.

You can also check the version when you launch 7-Zip on the system. Select Help > About 7-zip in that case to display the installed version.

Google introduces Approximate Location sharing in Chrome: here is what it does

Posted on by Martin Brinkmann

Mobile devices and web browsers support the sharing of the current location. This gives apps, websites and services access to a user’s location in the world. Ideally, to provide custom information, such as zooming to that location on a map, showing businesses nearby, providing directions, or loading specific information on a website.

While useful in that regard, location does reveal information about the user. The feature is usually locked behind a permission, but some apps may not start at all without it or block access to features.

Google announced on its official The Keyword blog that it is introducing approximate location sharing in Chrome. The feature lands in Chrome for Android first before it will also be introduced in the desktop versions of the browser.

Here is what it does: Google Chrome’s new Approximate Location Sharing feature enhances privacy by giving users a third option when websites request their whereabouts: sharing a general regional area rather than the exact coordinates. While users can still grant precise location access for tasks that genuinely need it—such as getting turn-by-turn navigation, placing a delivery order, or finding a nearby ATM—everyday browsing activities like checking local weather or reading regional news can now function perfectly well with just a neighborhood or city-level location.

In other words, websites and apps get information about a region a user is in and not the precise location. This new permission is intended for services that do not require accurate information and for users who do not want to share their exact location.

When a location prompt pops up on the mobile, users can now pick between “precise” and “approximate” and the usual options to “never allow”, “allow this time”, or “allow while visiting the site” options. Google says that the feature will land on desktop in Chrome in the coming months as well. For now, it is only available in Chrome for Android.

How useful is it for privacy? It can be used to share less-exact information about ones location. That is useful, especially for services that do not require it to function. If you want to get local news or weather, it does not really matter if the service that is providing the information knows the exact location or not. In that regard, it is a useful addition for users who share location but prefer it to be less exact whenever possible.

Firefox

How to enable Firefox’s secret ad-blocker

Posted on by Martin Brinkmann

For years, I asked myself why Mozilla did not add a good content blocker to Firefox. It would be a great fit. An organization that values privacy, an open source browser that blocks most tracking out of the box.

However, for Mozilla, integrating a content blocker would also mean torpedoing its main revenue stream coming from Google.

Mozilla never made the step and others, including Brave, led by Mozilla’s ex-CEO, stepped in to fill that gap.

This changed recently

Mozilla did integrate Brave’s Rust-based adblock engine into its Firefox browser. More precisely, it is part of Firefox 149 and Mozilla describes it as a prototype rich content blocking feature.

It is not yet available as an option in the user-facing interface, let alone as something similar to the Shield feature of Brave. Still, users who run Firefox 149 can enable the content blocker and make use of it right away for testing.

Here is how that works:

  1. Load about:config in the Firefox address bar.
  2. Search for privacy.trackingprotection.content.protection.enabled
  3. Set the value to True with a click on the toggle on its right.
  4. Search for privacy.trackingprotection.content.protection.test_list_urls.
  5. Paste https://easylist.to/easylist/easylist.txt|https://easylist.to/easylist/easyprivacy.txt as the value.
  6. Restart Firefox

This enables two EasyLists, but you can add any other list that uses the same format. Separate lists with the character |.

Clearly, this is done for testing purposes. Mozilla would very likely add controls to the preferences or another user facing interface to make this easier to configure and use.

For now, it is a work in progress implementation, but one that shows that Mozilla could finally integrate what many users of its browser have wanted (or did not know they wanted) for a long time.

Mozilla fixed 271 vulnerabilities in Firefox 150 thanks to AI

Posted on by Martin Brinkmann

When Mozilla released Firefox 150 earlier this week, it revealed that it had fixed what looked like the usual number of security issues in the browser. However, what Mozilla did not tell at the time was that it had fixed a significant number of vulnerabilities.

A post on the official Mozilla blog reveals that engineers fixed 271 vulnerabilities in total, a significant number. However, this time, Mozilla’s engineers did not hunt for vulnerabilities using traditional means. Instead, the company used Anthropic’s Mythos AI to do so.

Mozilla writes:

As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox. This week’s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation.

So, what is Claude Mythos?

Claude Mythos is a powerful, unreleased frontier AI model developed by Anthropic. Announced in April 2026, it is famous—and highly controversial—for its unprecedented capabilities in cybersecurity, specifically its ability to autonomously hunt down and exploit software vulnerabilities.

This is not the first time that Mozilla used an AI from Anthropic for that purpose. Back in February 2026, it used Claude and discovered 22 “security-sensitive bugs”.

Mozilla says that this is great news for software developers and what it calls defenders, legitimate developers who need to secure their applications against a constant barrage of threats.

While the use of AI continues to be controversial, it is usually ethical and privacy concerns that are raised. Good uses for AI, like using it to discover vulnerabilities before the bad guys find them, is probably something that most might not find nearly as problematic.

I would not go as far and say that the days of the 0-day threats are numbered, as Mozilla does, but it looks as if it can help. Still, threat actors could also leverage AI tools for finding vulnerabilities.

Brave is getting Container support and the feature has made a big jump recently

Posted on by Martin Brinkmann

Firefox fans have long heralded the browser’s Multi-Account Containers feature as an exclusive that users of Chromium-based browsers did not have. Soon, Brave Brower users may also make use of a Containers feature, ending Firefox’s exclusivity.

Brave has begun rolling out native Container support as an experimental flag in its desktop browser as of April 2026. It allows users of the browser to isolate web sessions better and even get options to open multiple accounts of the same site in a single browser window without using clunky workarounds or third-party extensions.

The Core Concept: Session Isolation

At its core, the Containers feature creates isolated islands within a single browser window. Each container acts as a separate, sandboxed environment. Data, including cookies, local storage, or cached files, can’t be seen or accessed by tabs in another container or by the default container-less environment.

Since data is sandboxed, it is possible to sign-in to the same site in different containers in the same browser window using a single profile, or to open a site with an account and without one at the same time. Furthermore, since data is separate, tracking becomes less effective as the trackers can only see what is going on in a single container and not the entire browser.

Containers works with tab groups and all core features of the browser, including browser extensions.

The feature is available in Brave Nightly only at the time. You need to load brave://flags, search for Enable Containers, and toggle the feature to Enabled to start using it. A restart of the browser is required as usual before it becomes available.

Since this feature is in Nightly, it may have bugs and may not be as polished as the stable version that Brave Software plans to ship in a later version of the browser.

WhatsApp is rolling out long-overdue username privacy feature

Posted on by Martin Brinkmann

If you use the popular messaging service WhatsApp, you know that you can only add contacts to the service with a phone number. Don’t have the number registered to a WhatsApp account? Then you can’t add the contact to the app.

Clearly, having to share your phone number is not always a good idea. While you may not have any issues sharing it with close friends or family, giving it to others is another matter.

It is a privacy and security issue. Other messengers support usernames, which do not reveal critical information to a third-party.

WhatsApp started to work on usernames about three years ago, but the Meta-owned app is just about to start rolling the feature out to a first batch of users, reports WABetaInfo.

You can add a username in the settings. Once you do, you may share the username with others to get them to add you to the messenger. Good news is that you can further protect the username with a code, which others need to provide when they try to add you.

However, there are quite a few limitations regarding usernames. Here are noteworthy ones:

  • The username can be between 3 and 23 characters in length.
  • It needs to start with a letter, and can only contain letters, numbers, underscore, and a period.
  • It can’t be a domain name or start with www.
  • It can’t be taken, if someone on Instagram or Facebook picked it already. The user who picked it can get it on WhatsApp.

Support for usernames is a welcome addition. While some Internet users prefer to use other messaging clients, those who offer more privacy, WhatsApp’s users will certainly benefit from the feature.

No official ETA or confirmation by Meta at this point though. Might take months or even longer before the feature lands for most users.

Report: Windows has a new 0-day vulnerability called BlueHammer

Posted on by Martin Brinkmann

The next Windows Patch Day is just a week away and it is unclear whether it will include a fix for a recently disclosed 0-day vulnerability.

The new security vulnerability has been disclosed on GitHub, including proof of concept code to exploit the issue. However, there is no explanation how the issue works.

Well-known security researcher Will Dormann commented on the issue and confirmed that it is working. He admitted that it “may not be 100%” reliable though. It seems that frustration with MSRC, the Microsoft Security Research Center, and how it operates, was the reason for the public disclosure of the vulnerability. Whether that is true or not can’t be verified though.

So, what do we know about the vulnerability so far?

  • What it is: “BlueHammer” is an unpatched zero-day Local Privilege Escalation (LPE) vulnerability affecting Microsoft Windows.
  • Impact: It allows a local attacker with limited, low-level user access to escalate their permissions to SYSTEM or elevated administrator rights. This effectively grants the attacker full control over the compromised machine.
  • Current Status: Microsoft has not yet released an official patch or mitigation, making it a true zero-day.

Security experts (such as Will Dormann) describe it as a flaw that combines a TOCTOU (Time-of-Check to Time-of-Use) vulnerability with path confusion. At a high level, it appears to weaponize Windows Defender-related interfaces (the leaked source code contains files like windefend.idl and windefend_c.c). By bypassing the system’s original validation, a local attacker can gain access to the Security Account Manager (SAM) database, which stores local account password hashes, ultimately allowing them to spawn SYSTEM-level shells.

Good news is that the flaw is a local privilege escalation, which means that attackers can’t exploit it to hack into Windows PCs remotely. However, if they were to gain access to a Windows system, they could use it to expand access or even take over a system completely.

Would you trust AI to handle your email inbox?

Posted on by Martin Brinkmann

It was inevitable. Google is rolling out new AI functionality on its Gmail service to personal Google accounts. Called AI Inbox, it is designed to “help you manage a busy inbox”, says Google.

What that means? AI is scanning emails to identify the ones that require immediate attention. The feature has its own entry point on Gmail. When you activate AI Inbox, you get two different sections:

  • Suggested To-dos: Here, the AI lists incoming emails that need your immediate attention or action. High-priority tasks are identified and the AI explains to you in bold, what you need to do.
  • Catch-up Topics: This offers summaries of “important updates across projects and topics”, especially if they are scattered in different email threads or unrelated emails.

Google is limiting the feature currently to English-language users from the United States who are subscribed to Google AI Ultra, which costs 275 Euros per month currently (three month 50 percent introductory offer may be available).

You also need to enable smart features in Gmail to make use of it. Smart Features refers to a bundle of features, including translations, Smart Compose, or personalized search.

The Pros and Cons of letting AI handle your inbox

While there are certain pros to letting AI handle your email inbox, such as saving time, prioritization, or tone and grammar help, there are significant downsides.

Besides privacy and security concerns, there is the risk of missing important emails or of costly mistakes that the AI may make when it starts to hallucinate.

Privacy aside, the best way for users who want to make use of AI to tame their inbox is to use it as a helper, not the ultimate tool on autopilot. This is true for most AI solutions and services nowadays: you always have to verify that the AI did not miss something or introduced something that should not be there or that does not exist in the first place.

Would I use AI Inbox? I would not and the reason could not be simpler: I have no desire to give AI access to my emails because of privacy. Add a medium-sized inbox to that, and I do not have a need for any AI functionality at the time of writing.

I can see AI Inbox as a useful addition in certain cases, for instance, when so many emails arrive in an inbox that humans can’t keep anymore or when someone needs AI because of a packed day and little time to manage emails.

What is your take on this? Would you use AI features on Gmail or your email service? Or do you plant to stay away from them?

What you need to know about Firefox’s new built-in VPN feature

Posted on by Martin Brinkmann

Mozilla published Firefox 149 to the stable channel this week and it comes with a bunch of new features and changes. Besides split-view, which allows users to display two webpages side-by-side in a single browser tab, Mozilla advertises a free built-in VPN as one of the main new features.

Mozilla describes the feature in the following way:

Firefox now offers a free built-in VPN. Whether you’re using public Wi-Fi while traveling, searching for sensitive health information, or shopping for something personal, this feature gives you a simple way to stay protected. Once you sign in and turn it on, you can hide your location and IP address by routing it through a secure proxy while you browse in Firefox. You will get 50 GB of protection every month, with the option to turn it on or off for specific websites. This feature is progressively rolling out in the US, UK, Germany and France starting today.

The paragraph is different when you check out the linked support page:

VPN is a built-in Firefox feature that adds privacy by routing your browser traffic through a secure proxy server and masking your IP address. The feature includes a monthly data limit of 50 GB. Firefox will notify you when you are approaching this limit with a prompt in the browser. It is available to a limited set of users during the initial rollout, starting with Firefox version 149.

The latter is accurate, as it confirms that the solution is actually a secure proxy and not a VPN. Mozilla has likely picked VPN as it is more popular. Microsoft, actually, did the same when it introduced the Secure Network feature in Edge.

The main difference between a secure proxy and a VPN solution is that the integrated proxy only protects data from a single application, in this case Firefox.

Once activated, Firefox will route all traffic through the proxy. This protects the device IP of the user and improves privacy and security.

Mozilla says that Firefox users get 50 gigabytes of free traffic per month. This is ten times the amount that Microsoft gives Edge Secure Network users for free each month.

Another difference between the two solutions is that Mozilla relies on its own partner network for the feature, whereas Microsoft partnered up with Cloudflare.

Mozilla says that it does not log visited websites or “the content of your communications”. It does “collect technical data”, which it says is “needed to provide, maintan, and ensure the performance and stability of the service”. It also collects interaction data to “understand usage of the feature and help guide improvements”.

The feature is rolling out to users in the US, UK, Germany, and France only at the moment. You see a VPN icon in the address bar once it is available. A click displays the option to start using it.

Note: You do need to sign in to a Mozilla account to use the proxy. Once that is out of the way, you can complete the onboarding process. Users who do not want to use it can right-click on the icon to remove it from the toolbar.

Toggle browser.ipprotection.enabled to TRUE on about:config to enable it immediately, or set it to FALSE to disable the feature.

Now You: do you use a proxy or VPN when you are on the Internet?

Google Chrome 146: Security update fixes two vulnerabilities that are already exploited

Posted on by Martin Brinkmann

It is this time of the week again. Google has just released a security update for its Chrome web browser to patch two security issues with known attacks in the wild.

The update, which is available for Chrome on all desktop platforms and for Android, addresses two security issues. Google rates both with a severity rating of high.

The first issue is an out of bounds write in Skia, the specialized 2D graphics engine that is responsible for nearly everything that you see on the screen. It draws shapes, renders text, or displays images.

The second vulnerability is an inappropriate implementation in V8, another core component of all Chromium-based browsers. It is Google’s open source JavaScript and WebAssembly engine.

Google writes:

[N/A][491421267] High CVE-2026-3909: Out of bounds write in Skia. Reported by Google on 2026-03-10

[N/A][491410818] High CVE-2026-3910: Inappropriate implementation in V8. Reported by Google on 2026-03-10

Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild.

Most unmanaged Chrome installations should receive the update automatically. You can speed it up by loading chrome://settings/help, if Chrome is open. Windows users may also run winget upgrade google.chrome.exe from the command line to upgrade the browser without opening it.

Expect upgrades for other Chromium-based browsers in the coming hours and days as well, as all use the very same components.