SN 1086: The Apex Agentic Adversary - Visual Prompt Injection Strikes
Security Now episode 1086 covers Fable 5's degraded performance due to strict safety guardrails, Chrome 150's massive 433 security fixes, visual prompt injection attacks (Inkjet), and severe FATFS library vulnerabilities affecting millions of embedded devices. The episode explores how AI is transforming both offensive and defensive cybersecurity capabilities.
Summary
This episode of Security Now covers multiple significant security developments. Anthropic's Fable 5 model, despite being more expensive than previous models, experiences intentionally degraded performance due to heightened safety guardrails implemented after government concerns. Users report false positives triggering fallbacks to Opus 4.8, particularly when code contains security-adjacent language. The guardrails appear to prioritize caution over usability, though this conservative approach protects users from potential misuse.
Google Chrome 150 achieves a milestone by fixing 433 security vulnerabilities in a single release, including 20 critical bugs. Most fixes involve memory safety issues like use-after-free and heap buffer overflows, suggesting AI-assisted vulnerability discovery is being deployed systematically across major codebases. This represents a shift in how software security is being remediated globally.
DeepKeep researchers discovered Inkjet, a sophisticated visual prompt injection technique that bypasses text-based guardrails. Attackers embed instructions in images using white-on-white text or distorted characters that OCR cannot read but visual language models can process. When VLMs autonomously retrieve and process images during normal workflows, they execute hidden instructions without triggering safety warnings. This affects deployed systems using GPT and Claude models for code generation and infrastructure provisioning.
RunZero researchers, led by H.D. Moore, identified seven severe vulnerabilities in the FATFS file system library used in millions of embedded devices including cameras, voting machines, ATMs, and IoT devices. Physical access via malicious SD cards or USB drives can achieve code execution on vulnerable systems. The maintainer is unresponsive, creating a remediation nightmare where downstream projects must independently discover and patch issues. Moore coins the term 'apex agentic adversary' to describe the new threat landscape where automated AI-assisted vulnerability discovery is accessible to both defenders and attackers.
Additional topics include Opera's Paste Protect feature against clipboard hijacking (available for only 2% of browsers), Vint Cerf's retirement and predictions about AI agents requiring formal protocols rather than natural language, Google's successful EU antitrust appeal regarding Android market dominance, AirDrop and QuickShare vulnerabilities, and the unresolvable EU Chat Control debate balancing privacy enforcement with communication monitoring.
About this episode
<p>From the sudden retirement of Internet pioneer Vint Cerf to the unstoppable advance of "apex agentic adversaries," get a front-row seat to the unfolding security revolution and its massive real-world stakes.</p><ul> <li>Why Fable5's re-release has disappointed.</li> <li>Opera becomes the first browser to offer "Paste Protect."</li> <li>Microsoft BlueHammer exploit is "hammering" systems.</li> <li>Industry legend (TCP creator) Vint Cerf on AI.</li> <li>Chrome turns 150 with too many fixes to load.</li> <li>Google fails to sidestep a $4.67 billion EU fine.</li> <li>One last (we can hope) Chat Control vote next week.</li> <li>AirDrop & Android Quick Share are exploitable.</li> <li>How to bypass Claude's and ChatGPT's guardrails.</li> <li>My own Sunday spin with SpinRite.</li> <li>A legendary hacker uses AI on a widespread library</li></ul> <p>Show Notes - <a href="https://www.grc.com/sn/SN-1086-Notes.pdf">https://www.grc.com/sn/SN-1086-Notes.pdf</a></p> <p><strong>Hosts:</strong> <a href="https://twit.tv/people/steve-gibson">Steve Gibson</a> and <a href="https://twit.tv/people/leo-laporte">Leo Laporte</a></p> <p>Download or subscribe to <em>Security Now</em> at <a href="https://twit.tv/shows/security-now">https://twit.tv/shows/security-now</a>.</p> <p>You can submit a question to <em>Security Now</em> at the <a href="https://www.grc.com/feedback.htm" target="_blank">GRC Feedback Page</a>.</p> <p>For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: <a href="https://www.grc.com/securitynow.htm" target="_blank">grc.com</a>, also the home of the best disk maintenance and recovery utility ever written <a href="https://www.grc.com/sr/spinrite.htm" target="_blank">Spinrite 6</a>.</p> <p><strong>Join Club TWiT for Ad-Free Podcasts!</strong><br /> Support what you love and get ad-free audio <em>and</em> video feeds, a members-only Discord, and exclusive content. Join today: <a href="https://twit.tv/clubtwit" rel="payment">https://twit.tv/clubtwit</a></p> <p><strong>Sponsors:</strong><ul> <li><a href="https://blackhat.com/us-26/registration.html?&utm_medium=paid-social&utm_source=twi[…]aign=bh-usa%7Cdelprod2026%7Cawareness%7Cdel%7Cnam%7C&utm_term=" rel="sponsored" target="_blank">blackhat.com/us-26 and use code TWIT</a></li> <li><a href="http://cohesity.com/Resilience" rel="sponsored" target="_blank">cohesity.com/Resilience</a></li> <li><a href="http://bitwarden.com/twit" rel="sponsored" target="_blank">bitwarden.com/twit</a></li> <li><a href="http://zscaler.com/security" rel="sponsored" target="_blank">zscaler.com/security</a></li> <li><a href="http://XBOW.com" rel="sponsored" target="_blank">XBOW.com</a></li> <li><a href="https://www.adaptivesecurity.com/?utm_source=podcast&utm_medium=other&utm_campaign=2026_NA_Podcast_security_now&utm_id=701Rd00000d9YqPIAU" rel="sponsored" target="_blank">adaptivesecurity.com</a></li> </ul></p>
Key Insights
- Anthropic deliberately implemented overly cautious guardrails on Fable 5 after government intervention, causing false positives that degrade user experience by blocking legitimate security-adjacent code work.
- Chrome 150's 433 security fixes, mostly memory safety issues, suggests major vendors are systematically deploying AI-assisted vulnerability discovery to preemptively fix their codebases.
- Inkjet attacks work because visual language models process images before text-level guardrails are applied, creating a processing layer that text-based defenses were never designed to protect.
- White-on-white and distorted text embedding techniques defeat both human review and OCR-based security scanning while remaining readable to visual language models through their semantic processing capabilities.
- The FATFS library has no CVE history, no security mailing list, and an unresponsive maintainer, yet it's the de facto standard file system for millions of embedded devices, creating a massive remediation problem.
- Physical access via crafted SD cards or USB drives can achieve code execution on voting machines, security cameras, and ATMs due to automatic mounting of untrusted FAT filesystems.
- H.D. Moore argues that keeping FATFS vulnerabilities quiet in 2026 would be 'security theater' because AI-assisted vulnerability discovery makes them discoverable to anyone, not just security researchers.
- The asymmetry of security—defenders must be perfect everywhere while attackers need one vulnerability—becomes exponentially worse when AI can systematically discover exploitable flaws in legacy codebases.
- Vint Cerf predicts that AI agents will require formal, standardized protocols for interoperability rather than natural language, citing the ambiguity and precision failures seen in human communication chains.
- Visual language models' semantic processing of images gives them capabilities fundamentally different from OCR, but security architectures treating them as equivalent create exploitable blind spots.
- Responsible disclosure of vulnerabilities in unmaintained software is almost impossible when the maintainer is unresponsive and downstream projects use vendored copies without modification systems.
- Google Chrome and other vendors appear to be quietly using AI to fix software preemptively, similar to how Y2K was actually remediated across industries despite perceived inaction.
- Guardrails on commercial AI models like Claude and ChatGPT actually protect users by preventing indirect attacks through crafted media that unguarded models would execute.
- The collapse in cost of vulnerability discovery means well-intentioned and malicious actors now have similar capabilities, fundamentally changing the threat landscape.
- SpinRite 6.1's ability to recover SSDs with degraded front-end performance through level 3 refresh and optimization demonstrates the continued importance of non-AI tools addressing specific hardware problems.
Topics
Transcript
It's time for Security Now. Steve Gibson is here. Great show planned. We're going to talk about Fable 5. Actually, we're going to talk about AI used for security. One of the creators, the fathers of the internet, is retiring, and you won't believe how many bugs Google fixed in Chrome this time around. All that and more coming up next on Security Now. This episode is brought to you by Black Hat USA. If you listen to this show, you go deep on the technical detail. Well, so does Black Hat. For nearly three decades, it's been where the security industry's most rigorous research gets presented and pressure tested. More than 100 hands-on trainings taught by practitioners who've actually…
Full transcript available for MurmurCast members
Sign Up to AccessMore from Security Now (Audio)
SN 1085: A SOTA State-Sponsored Campaign - AI's New Superpower: Loop Engineering
Security Now Episode 1085 covers Windows 10 receiving another year of extended support, Meta's employee surveillance program backfiring with exposed data, state-sponsored credential attacks on Fortinet devices affecting 86,000+ organizations globally, and AI's emerging capability to discover vulnerabilities at scale through iteration and looping techniques.
SN 1081: AI Captured the Flag - Personal AI: Productivity Superpower or Privacy Threat?
The podcast discusses the significant impact of AI on cybersecurity practices and Capture the Flag (CTF) competitions, noting a shift in the ability to solve challenges using AI tools. This transition raises concerns about the future of skill measurement in the cybersecurity field, as traditional CTF competitions are being undermined by AI's capabilities.
SN 1076: FAST16.SYS - Unmasking the NSA's Most Diabolical Digital Sabotage
Security Now episode 1076 covers the discovery of FAST16.SYS, a sophisticated NSA-linked kernel rootkit from 2005 that subtly corrupted physics and engineering calculation software — predating Stuxnet by five years. The episode also covers a Bitwarden CLI supply chain attack, Iranian router malfunctions before the US/Israeli strikes, Meta's employee activity logging for AI training, and Steve Gibson's GRC e-commerce system rewrite.
SN 1075: Yes. Exactly. - The Zero-Day Ticking Clock
Security Now episode 1075 discusses the growing threat of AI-powered vulnerability discovery, particularly Anthropic's Project Mythos, which Mozilla confirmed found 271 bugs in Firefox. The episode also covers a disgruntled researcher publishing Windows zero-days, Microsoft's record bug bounty payouts, and a formal industry-wide warning signed by top cybersecurity leaders urging immediate action.
SN 1074: What Mythos Means - Marketing or Mayhem
Security expert Steve Gibson analyzes Anthropic's new Mythos AI model, which demonstrates superhuman capability in discovering software vulnerabilities. While Anthropic claims the model is too dangerous to release publicly, Gibson examines the evidence and concludes this represents a watershed moment for cybersecurity that exposes widespread flaws in existing software.