Tech
April Patch Tuesday brings zero-days in Defender, SharePoint Server | Computer Weekly
The latest monthly Patch Tuesday update from Microsoft landed earlier on 14 April, including two notable zero-day flaws amid a total of over 160 distinct issues, and almost 250 accounting for third-party and Chromium releases.
Described as “monstrous” in its scope by Dustin Childs of TrendAI’s (formerly Trend Micro’s) Zero Day Initiative, this may be among the largest Patch Tuesday updates in history. Childs suggested that, based on his own experience, this may be the result of a growing number of submissions uncovered by artificial intelligence (AI) tools.
Jack Bicer, vulnerability research director at Action1, said: “The elevated number of patches, combined with the presence of zero-days and multiple critical issues, makes this a release that should be prioritised for immediate attention.”
The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server, which is known to have been exploited in the wild but has not yet been made public. The root cause of the issue is supposedly an input validation failure that lets an attacker inject malicious scripts through improperly sanitised input fields.
Although the first of these carries a comparatively low Common Vulnerability Scoring System (CVSS) score of 6.5, Mat Lee, senior security engineer at Automox, said this understated the risk to users because it needs no authentication or special privileges.
“External threats can target internet-facing SharePoint instances directly. On-premises SharePoint servers exposed to the internet carry the highest risk. SharePoint often connects to back-end storage, directory services, and internal collaboration tools. A successful XSS exploit gives attackers a path deeper into your environment,” said Lee.
In one potential attack scenario, malicious JavaScript could be made to execute in the browser of a user visiting a compromised SharePoint page, which could enable the attacker to steal session cookies or authentication tokens to take over their accounts. Meanwhile, the XSS foothold opens up the possibility of phishing redirects or even malicious payloads, such as ransomware, making CVE-2026-32201 useful in a broader campaign.
Lee said security teams should be alert to unexpected script execution or iframe injection on externally accessible SharePoint pages, session token reuse or unexpected authentication events from unknown IP addresses, and users complaining of unexpected redirects or login prompts when visiting SharePoint pages.
Beyond patching immediately, security teams should audit their SharePoint exposure, prioritising on-prem instances that can be got at from the public internet, review content security policy (CSP) headers on SharePoint instances, and monitor authentication logs for strange behaviour.
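The two detection signals Lee mentions, session token reuse across source addresses and the state of a server's content security policy, can both be checked mechanically. The following Python sketch is an added example, not code from the article, from Automox or from Microsoft: it parses a constructed authentication log (the `user=… token=… ip=…` line format is an assumption, not a SharePoint log format) and flags any session token presented from more than one IP address, and it reviews a response's Content-Security-Policy header for the weaknesses most relevant to the script-execution and iframe-injection signals above. The header values are likewise constructed.

```python
"""Two defender-side checks for a SharePoint instance (added example):
1. session tokens that appear from more than one source IP in auth logs
2. a coarse review of the Content-Security-Policy header a page returns
The log format and all sample data below are constructed, not real."""
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log. Hypothetical line format:
# "<ISO timestamp> user=<name> token=<session id> ip=<source address>"
SAMPLE_AUTH_LOG = """\
2026-04-14T09:00:12Z user=alice token=a1b2c3 ip=203.0.113.10
2026-04-14T09:01:40Z user=alice token=a1b2c3 ip=203.0.113.10
2026-04-14T09:02:05Z user=bob token=d4e5f6 ip=198.51.100.7
2026-04-14T09:03:11Z user=alice token=a1b2c3 ip=192.0.2.55
2026-04-14T09:05:30Z user=bob token=d4e5f6 ip=198.51.100.7
"""


def parse_auth_line(line):
    """Parse one log line into (timestamp, user, token, ip); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, fields["user"], fields["token"], fields["ip"]
    except (ValueError, KeyError):
        return None


def find_token_reuse(log_text):
    """Return {token: sorted distinct IPs} for every session token that was
    presented from more than one source address (a token-theft signal)."""
    ips_by_token = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the sweep
        _, _, token, ip = rec
        ips_by_token[token].add(ip)
    return {t: sorted(ips) for t, ips in ips_by_token.items() if len(ips) > 1}


def review_csp(headers):
    """Return a list of findings for a dict of response headers.
    Flags a missing CSP, a script source list that permits inline scripts or
    any origin, and the absence of frame-ancestors (iframe embedding)."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return ["no Content-Security-Policy header"]
    findings = []
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when absent
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src directive")
    else:
        if "'unsafe-inline'" in script_src:
            findings.append("script-src allows 'unsafe-inline'")
        if "*" in script_src:
            findings.append("script-src allows any origin (*)")
    if "frame-ancestors" not in directives:
        findings.append("no frame-ancestors directive")
    return findings


if __name__ == "__main__":
    print("token reuse:", find_token_reuse(SAMPLE_AUTH_LOG))
    sample_headers = {"Content-Security-Policy":
                      "default-src 'self'; script-src 'self' 'unsafe-inline'"}
    print("CSP findings:", review_csp(sample_headers))
```

Both checks are deliberately coarse. Token reuse across addresses is a signal, not proof: users behind NAT pools, VPNs or mobile carriers change addresses legitimately, so the result is a triage list for the authentication-log review Lee recommends. Likewise, the CSP review only reads the policy string; browsers that implement nonces and hashes ignore `'unsafe-inline'` when a nonce or hash source is also listed, so a flagged policy still merits a manual look before it is called weak.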
The second zero-day, CVE-2026-33825, is an elevation of privilege (EoP) flaw in Microsoft Defender – this has been made public, but is not yet thought to have been exploited.
Action1’s Bicer explained that this flaw stems from “insufficient granularity” in access control, turning what should be limited access into total control. “What starts as a foothold can quickly become full system domination,” he said.
Bicer continued: “The flaw allows a local attacker with low privileges to exploit improper permission enforcement mechanisms. By leveraging this weakness, the attacker can execute code or actions with elevated privileges, ultimately achieving SYSTEM-level access. This type of vulnerability is particularly dangerous because it can be chained with other exploits to expand initial access into full system compromise.”
As such, he explained, CVE-2026-33825 is an increased risk in any environment in which an attacker has already established themselves. Successfully exploited, it can allow attackers to take full control of an organisation’s endpoints, enabling them to steal data, turn off security tools, and hop across networks to juicier targets.
“Even environments with strong perimeter defenses are at risk if internal systems are compromised,” said Bicer.
“Proof-of-concept [PoC] exploit code is available, and the vulnerability has been publicly disclosed. While no active exploitation has been confirmed, the presence of PoC code increases the likelihood of real-world attacks.”
Chromium bug
The April 2026 drop also incorporated a third zero-day flaw, CVE-2026-5281, a remote code execution (RCE) issue affecting Chromium browsers arising from a use-after-free condition in Google Dawn WebGPU. This was previously disclosed and added to the Cybersecurity and Infrastructure Security Agency’s (Cisa’s) Known Exploited Vulnerabilities (Kev) catalogue earlier in April.
Action1 field CTO Gene Moody said that browser-based vulnerabilities are one of the most asymmetric, and dangerous, risk categories around.
“They turn every user into a roaming ingress point, effectively extending the attack surface to anywhere an employee clicks. When a critical browser flaw is disclosed, the risk calculus is fundamentally different,” said Moody.
“This is not a service sitting quietly on the edge waiting to be discovered, it is an actively used execution environment parsing untrusted content all day. Delaying patching in this context is equivalent to knowingly allowing users to operate in a hostile environment with degraded defences.
“Threat actors prioritise initial access above all else. Browser exploits are uniquely effective because they collapse the distance between attacker and target,” he added.
Finally, the April Patch Tuesday update includes eight flaws rated as critical in their severity. These are, in numerical order:
This Windows Laptop Makes the MacBook Neo Look Overpriced
The MacBook Neo made quite a splash when it landed in March. $599 for a MacBook felt groundbreaking, and it was easy for casual onlookers to declare that Windows laptops had no true answer to it.
But what if I told you there was a Windows option that was better in almost every way? That’s the HP OmniBook 5, a laptop you’ve probably never heard of unless you watch the space closely. I’ve been recommending it ever since I tested it last month. The price has been fluctuating, but more often than not, the 14-inch model was selling for $500. You read that right: $500. Today, the cheapest, most consistent price you’ll find it for is $730 over at Walmart, but I’ve seen the HP frequently drop the price from $1,050 down to around $500.
And just take a look at what you get for the price, because it’s absolutely stacked. It comes with 16 GB of RAM and 512 GB of storage, double what you get on the $599 MacBook Neo. There’s a 16-inch version as well, if you like the idea of having a bit more screen real estate to work with.
The HP OmniBook 5 is powered by the Qualcomm Snapdragon X, a highly efficient chip that gets great, all-day battery life that’s at least on par with the MacBook Neo. If you haven’t used a Windows laptop in a few years and still think they can’t compete with MacBooks in battery life, you’re sorely mistaken.
The 16 GB of memory on the OmniBook 5 is particularly important to note, as it’s one of the big points of contention with the MacBook Neo. Being stuck at 8 GB in 2026 feels cruel on principle, and while testing it I was able to load up the MacBook Neo and easily find its breaking point. The 16 GB of memory on the HP OmniBook 5 is enough that you’ll never have to worry about how many tabs, applications, installations, or downloads you have going simultaneously. Combined with the better multicore performance of the Snapdragon X, it enables a kind of freedom that lets you forget about the hardware and focus on the task at hand. Don’t get me wrong—the MacBook Neo has its place, but calling it the undisputed king of budget laptops just isn’t right.
The HP OmniBook 5 Is Only $500
Now, I know what you’re thinking. Specs and performance don’t tell the whole story, and Apple has never been known for offering tons of specs for cheap. But the OmniBook 5 14 is also an attractive design in a highly portable package. At 0.5 inches, it’s exactly the same thickness as the MacBook Neo and right around the same weight too. Does the MacBook Neo have a bit more style and personality? Absolutely—especially if you fancy one of the bolder color options. But I’d say the OmniBook 5 is a very pretty laptop in its own right. It’s also made of aluminum, sturdy and well-built in your hands. The hinge is balanced nicely, allowing you to open the lid with one finger. It doesn’t feel cheap.
The 10 Best TV Shows to Stream This Month
After years of suffering in silence with her trauma, Vega eventually called out her accuser in one of the most public forums in existence: Facebook. Within just a few days, she was contacted by eight other women, most of them also American college students studying abroad, with eerily similar stories of their own encounters with Vela, who was known to many as “Manu.” This three-part docuseries traces how Vega found the courage to stand up to her attacker and how the far-reaching power of using one’s voice on social media can be used for more than just sharing memes and family photos. Ultimately, Vega’s efforts led authorities to determine that Manu had assaulted between 50 and 100 young women.
Star Wars: Maul—Shadow Lord
From The Mandalorian to Skeleton Crew, Disney+ has produced a dozen Star Wars TV shows since its streaming debut, and fans are always clamoring for more. This month, that means the premiere of Star Wars: Maul—Shadow Lord, a gritty, animated series for adults that is set after the events of the universe’s famous Clone Wars and told from the perspective of Maul, one of the space opera’s most notorious supervillains. But it unravels more like a crime-drama, as it follows Maul’s rogue attempts to use his Sith skills to rebuild his Shadow Collective, a massive crime syndicate composed of Sith leaders, Mandalorian warriors, bounty hunters, and more, all united by the goal of usurping Darth Sidious and destroying his Sith Order. IYKYK.
The Testaments
The Handmaid’s Tale marked a watershed moment for Hulu when, in 2017, it became the first streaming series to nab the Emmy for Outstanding Drama Series—solidifying the streamer’s reputation as a bona fide player. As that groundbreaking series signed off in 2025 after six seasons, it’s hardly surprising that Hulu would want to keep Margaret Atwood’s dystopian world alive, so now we have The Testaments. Set 15 years after the events of the original series, much of the series takes place at an elite prep school for young women learning to be the dutiful wives of the next wave of Commanders. Aunt Lydia (Ann Dowd) returns to terrify a new generation of young women, including Agnes (One Battle After Another’s breakout star Chase Infiniti), a pious young woman who is beginning to question the rules she has grown up obeying, and Daisy (Lucy Halliday), a Canadian teen and recent Gilead convert—all of whom have secrets they’re keeping.
Kara Swisher Wants to Live Forever
“There’s so much bad information that the good information gets drowned.” That’s the central thesis behind famed tech journalist Kara Swisher’s decision to dive headfirst into the science (and scams) of longevity—a multibillion-dollar industry that shows no signs of slowing—in this six-episode docuseries. Armed with her investigative skills and famously dry wit, Swisher talks to the brains behind brands promising wellness acolytes longer lives with everything from gene editing and AI-driven medical care to bleeding-edge anti-aging treatments. OpenAI CEO Sam Altman, outspoken “biohacker” Bryan Johnson, nepo baby venture capitalist Reed Jobs, and Nobel Prize–winning biochemist Jennifer Doudna are among those who help Swisher separate fact from fiction in the quest to live forever.
Margo’s Got Money Troubles
Margo Millet (Elle Fanning) is a clever, ambitious young woman with her whole life in front of her—until an affair with her English professor leaves her pregnant and suddenly thrust into adulthood. With mounting bills and limited options to gain real income, Margo ultimately turns to OnlyFans, where she quickly gains a large and lucrative following—and the judgment that comes along with that. Based on Rufi Thorpe’s bestselling 2024 novel, this dark dramedy cleverly uses its setup to challenge the many still-existing stigmas surrounding sex work and even single motherhood. While Fanning is the undoubted star, she is ably supported by an A-list team of costars, including Michelle Pfeiffer as her mom and former Hooters waitress Shyanne, and Nick Offerman as her dad Jinx, a former pro wrestler.
This Is a Gardening Show
First he was Between Two Ferns, now he’s got his own DIY gardening series. Emmy-winning actor-comedian Zach Galifianakis brings his absurdist comedy to this hilarious docuseries, which is (mostly) as earnest as it is funny. Each episode introduces viewers to a new group of gardeners. While it’s largely aimed at laughs, there’s also a real exploration of the many reasons why people choose to garden, which often leads to very real and important questions about mental health, sustainability, the disconnection many people feel in the modern world, the many flaws in our current “perverse” (Galifianakis’ word) food production system, and what that might mean for future generations. Appropriately, the series debuts on Earth Day (April 22).
Stranger Things: Tales From ’85
Much like Hulu wasn’t about to say goodbye entirely to The Handmaid’s Tale, just because Stranger Things said goodbye on New Year’s Eve doesn’t mean the gang from Hawkins, Indiana, is totally parting ways with Netflix. In this animated spinoff, the kids—Eleven, Mike, Will, Dustin, Lucas, and Max—are going back in time slightly, to 1985, where the friends are desperately trying to reacquaint themselves with “normal” life after their terrifying dealings with the Upside Down. But they soon realize that something is still amiss in Hawkins, and they quickly find themselves embroiled in yet another paranormal adventure. Much like the nostalgia-fueled live-action series, the animated show is meant to be reminiscent of the Saturday morning cartoons that were a staple of every ’80s kid’s pop culture diet. Notably, the show is also being heavily promoted as a more family-friendly entry in the series—meaning monsters for all. All 10 episodes will drop on April 23.
Buffy the Vampire Slayer
Buffy the Vampire Slayer is officially dead—at least for now. In mid-March, Sarah Michelle Gellar announced via Instagram that Hulu had put a stake through the heart of the long-awaited Buffy reboot, which would see the ’90s icon reprise her role as the vampire world’s biggest headache. But just because there presumably won’t be new episodes to enjoy doesn’t mean you can’t revisit the beloved original series.
In the Wake of Anthropic’s Mythos, OpenAI Has a New Cybersecurity Model—and Strategy
OpenAI on Tuesday announced the next phase of its cybersecurity strategy and a new model specifically designed for use by digital defenders, GPT-5.4-Cyber.
The news comes in the wake of an announcement last week by competitor Anthropic that its new Claude Mythos Preview model is only being privately released for now—because, the company says, it could be exploited by hackers and bad actors. Anthropic also announced an industry coalition, including competitors like Google, focused on how advances in generative AI across the field will impact cybersecurity.
OpenAI seemed to be seeking to differentiate its message on Tuesday by striking a less catastrophic tone and touting its existing guardrails and defenses while hinting at the need for more advanced protections in the long term.
“We believe the class of safeguards in use today sufficiently reduce cyber risk enough to support broad deployment of current models,” the company wrote in a blog post. “We expect versions of these safeguards to be sufficient for upcoming more powerful models, while models explicitly trained and made more permissive for cybersecurity work require more restrictive deployments and appropriate controls. Over the long term, to ensure the ongoing sufficiency of AI safety in cybersecurity, we also expect the need for more expansive defenses for future models, whose capabilities will rapidly exceed even the best purpose-built models of today.”
The company says that it has homed in on three pillars for its cybersecurity approach. The first involves so-called “know your customer” validation systems to allow controlled access to new models that is as broad and “democratized” as possible. “We design mechanisms which avoid arbitrarily deciding who gets access for legitimate use and who doesn’t,” the company wrote on Tuesday. OpenAI is combining a model where it partners with certain organizations on limited releases with an automated system introduced in February, known as Trusted Access for Cyber or TAC.
The second component of the strategy involves “iterative deployment,” or a process of “carefully” releasing and then refining new capabilities so the company can get real-world insight and feedback. The blog post particularly highlights “resilience to jailbreaks and other adversarial attacks, and improving defensive capabilities.” Finally, the third focus is on investments that the company says support software security and other digital defense as generative AI proliferates.
OpenAI says that the initiative fits into its broader security efforts, including an application security AI agent launched last month known as Codex Security, a cybersecurity grants program that began in 2023, a recent donation to the Linux Foundation to support open source security, and the “Preparedness Framework” that is meant to assess and defend against “severe harm from frontier AI capabilities.”
Anthropic’s claims last week that more capable AI models necessitate a cybersecurity reckoning have been controversial among security experts. Some say the concern is overstated and could feed a new wave of anti-hacker sentiment—consolidating power even more with tech giants. Others, though, emphasize that vulnerabilities and shortcomings in current security defenses are well known and really could be exploited with new speed and intensity by an even broader range of bad actors in the age of agentic AI.