NewsTechnical

SN 1086: The Apex Agentic Adversary - Visual Prompt Injection Strikes

Security Now (Audio)2h 53m

Security Now episode 1086 covers Fable 5's degraded performance due to strict safety guardrails, Chrome 150's massive 433 security fixes, visual prompt injection attacks (Inkjet), and severe FATFS library vulnerabilities affecting millions of embedded devices. The episode explores how AI is transforming both offensive and defensive cybersecurity capabilities.

Summary

This episode of Security Now covers multiple significant security developments. Anthropic's Fable 5 model, despite being more expensive than previous models, experiences intentionally degraded performance due to heightened safety guardrails implemented after government concerns. Users report false positives triggering fallbacks to Opus 4.8, particularly when code contains security-adjacent language. The guardrails appear to prioritize caution over usability, though this conservative approach protects users from potential misuse.

Google Chrome 150 achieves a milestone by fixing 433 security vulnerabilities in a single release, including 20 critical bugs. Most fixes involve memory safety issues like use-after-free and heap buffer overflows, suggesting AI-assisted vulnerability discovery is being deployed systematically across major codebases. This represents a shift in how software security is being remediated globally.

DeepKeep researchers discovered Inkjet, a sophisticated visual prompt injection technique that bypasses text-based guardrails. Attackers embed instructions in images using white-on-white text or distorted characters that OCR cannot read but visual language models can process. When VLMs autonomously retrieve and process images during normal workflows, they execute hidden instructions without triggering safety warnings. This affects deployed systems using GPT and Claude models for code generation and infrastructure provisioning.

RunZero researchers, led by H.D. Moore, identified seven severe vulnerabilities in the FATFS file system library used in millions of embedded devices including cameras, voting machines, ATMs, and IoT devices. Physical access via malicious SD cards or USB drives can achieve code execution on vulnerable systems. The maintainer is unresponsive, creating a remediation nightmare where downstream projects must independently discover and patch issues. Moore coins the term 'apex agentic adversary' to describe the new threat landscape where automated AI-assisted vulnerability discovery is accessible to both defenders and attackers.

Additional topics include Opera's Paste Protect feature against clipboard hijacking (available for only 2% of browsers), Vint Cerf's retirement and predictions about AI agents requiring formal protocols rather than natural language, Google's successful EU antitrust appeal regarding Android market dominance, AirDrop and QuickShare vulnerabilities, and the unresolvable EU Chat Control debate balancing privacy enforcement with communication monitoring.

About this episode

<p>From the sudden retirement of Internet pioneer Vint Cerf to the unstoppable advance of "apex agentic adversaries," get a front-row seat to the unfolding security revolution and its massive real-world stakes.</p><ul> <li>Why Fable5's re-release has disappointed.</li> <li>Opera becomes the first browser to offer "Paste Protect."</li> <li>Microsoft BlueHammer exploit is "hammering" systems.</li> <li>Industry legend (TCP creator) Vint Cerf on AI.</li> <li>Chrome turns 150 with too many fixes to load.</li> <li>Google fails to sidestep a $4.67 billion EU fine.</li> <li>One last (we can hope) Chat Control vote next week.</li> <li>AirDrop &amp; Android Quick Share are exploitable.</li> <li>How to bypass Claude's and ChatGPT's guardrails.</li> <li>My own Sunday spin with SpinRite.</li> <li>A legendary hacker uses AI on a widespread library</li></ul> <p>Show Notes - <a href="https://www.grc.com/sn/SN-1086-Notes.pdf">https://www.grc.com/sn/SN-1086-Notes.pdf</a></p> <p><strong>Hosts:</strong> <a href="https://twit.tv/people/steve-gibson">Steve Gibson</a> and <a href="https://twit.tv/people/leo-laporte">Leo Laporte</a></p> <p>Download or subscribe to <em>Security Now</em> at <a href="https://twit.tv/shows/security-now">https://twit.tv/shows/security-now</a>.</p> <p>You can submit a question to <em>Security Now</em> at the <a href="https://www.grc.com/feedback.htm" target="_blank">GRC Feedback Page</a>.</p> <p>For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: <a href="https://www.grc.com/securitynow.htm" target="_blank">grc.com</a>, also the home of the best disk maintenance and recovery utility ever written <a href="https://www.grc.com/sr/spinrite.htm" target="_blank">Spinrite 6</a>.</p> <p><strong>Join Club TWiT for Ad-Free Podcasts!</strong><br /> Support what you love and get ad-free audio <em>and</em> video feeds, a members-only Discord, and exclusive content. Join today: <a href="https://twit.tv/clubtwit" rel="payment">https://twit.tv/clubtwit</a></p> <p><strong>Sponsors:</strong><ul> <li><a href="https://blackhat.com/us-26/registration.html?&amp;utm_medium=paid-social&amp;utm_source=twi[…]aign=bh-usa%7Cdelprod2026%7Cawareness%7Cdel%7Cnam%7C&amp;utm_term=" rel="sponsored" target="_blank">blackhat.com/us-26 and use code TWIT</a></li> <li><a href="http://cohesity.com/Resilience" rel="sponsored" target="_blank">cohesity.com/Resilience</a></li> <li><a href="http://bitwarden.com/twit" rel="sponsored" target="_blank">bitwarden.com/twit</a></li> <li><a href="http://zscaler.com/security" rel="sponsored" target="_blank">zscaler.com/security</a></li> <li><a href="http://XBOW.com" rel="sponsored" target="_blank">XBOW.com</a></li> <li><a href="https://www.adaptivesecurity.com/?utm_source=podcast&amp;utm_medium=other&amp;utm_campaign=2026_NA_Podcast_security_now&amp;utm_id=701Rd00000d9YqPIAU" rel="sponsored" target="_blank">adaptivesecurity.com</a></li> </ul></p>

Key Insights

  • Anthropic deliberately implemented overly cautious guardrails on Fable 5 after government intervention, causing false positives that degrade user experience by blocking legitimate security-adjacent code work.
  • Chrome 150's 433 security fixes, mostly memory safety issues, suggests major vendors are systematically deploying AI-assisted vulnerability discovery to preemptively fix their codebases.
  • Inkjet attacks work because visual language models process images before text-level guardrails are applied, creating a processing layer that text-based defenses were never designed to protect.
  • White-on-white and distorted text embedding techniques defeat both human review and OCR-based security scanning while remaining readable to visual language models through their semantic processing capabilities.
  • The FATFS library has no CVE history, no security mailing list, and an unresponsive maintainer, yet it's the de facto standard file system for millions of embedded devices, creating a massive remediation problem.
  • Physical access via crafted SD cards or USB drives can achieve code execution on voting machines, security cameras, and ATMs due to automatic mounting of untrusted FAT filesystems.
  • H.D. Moore argues that keeping FATFS vulnerabilities quiet in 2026 would be 'security theater' because AI-assisted vulnerability discovery makes them discoverable to anyone, not just security researchers.
  • The asymmetry of security—defenders must be perfect everywhere while attackers need one vulnerability—becomes exponentially worse when AI can systematically discover exploitable flaws in legacy codebases.
  • Vint Cerf predicts that AI agents will require formal, standardized protocols for interoperability rather than natural language, citing the ambiguity and precision failures seen in human communication chains.
  • Visual language models' semantic processing of images gives them capabilities fundamentally different from OCR, but security architectures treating them as equivalent create exploitable blind spots.
  • Responsible disclosure of vulnerabilities in unmaintained software is almost impossible when the maintainer is unresponsive and downstream projects use vendored copies without modification systems.
  • Google Chrome and other vendors appear to be quietly using AI to fix software preemptively, similar to how Y2K was actually remediated across industries despite perceived inaction.
  • Guardrails on commercial AI models like Claude and ChatGPT actually protect users by preventing indirect attacks through crafted media that unguarded models would execute.
  • The collapse in cost of vulnerability discovery means well-intentioned and malicious actors now have similar capabilities, fundamentally changing the threat landscape.
  • SpinRite 6.1's ability to recover SSDs with degraded front-end performance through level 3 refresh and optimization demonstrates the continued importance of non-AI tools addressing specific hardware problems.

Topics

Fable 5 guardrails and performance degradationChrome 150 security fixes and AI-assisted vulnerability discoveryInkjet: visual prompt injection attacks bypassing text-based defensesFATFS library vulnerabilities in embedded systemsApex agentic adversary conceptAI-driven code generation and testingClipboard hijacking and paste attacksVint Cerf's retirement and agentic AI protocolsEU antitrust enforcement and Google finesChat Control regulatory debateAirDrop and QuickShare security flawsSpinRite SSD recoveryResponsible vulnerability disclosureSupply chain security in embedded systemsNatural language vs. formal standards for AI agents

Transcript

It's time for Security Now. Steve Gibson is here. Great show planned. We're going to talk about Fable 5. Actually, we're going to talk about AI used for security. One of the creators, the fathers of the internet, is retiring, and you won't believe how many bugs Google fixed in Chrome this time around. All that and more coming up next on Security Now. This episode is brought to you by Black Hat USA. If you listen to this show, you go deep on the technical detail. Well, so does Black Hat. For nearly three decades, it's been where the security industry's most rigorous research gets presented and pressure tested. More than 100 hands-on trainings taught by practitioners who've actually…

Full transcript available for MurmurCast members

Sign Up to Access

More from Security Now (Audio)

Get AI summaries like this delivered to your inbox daily

Get AI summaries delivered to your inbox

MurmurCast summarizes your YouTube channels, podcasts, and newsletters into one daily email digest.