Returning to work after a long weekend is always rough—especially if you have to deal with a looming worm attack or yet another disinformation operation on your networks! Which was the case in the security world this week.

Despite dire warnings and an urgent update issued from Microsoft, customers are taking too long to patch a critical vulnerability that still remains in approximately 900,000 Windows computers. The bug is so serious that Microsoft even released a patch for Windows XP, which it hasn’t done in years.

Facebook and Twitter took down another batch of fake accounts and pages that appear to be linked to Iran. What Facebook didn’t take down was a doctored video of Nancy Pelosi, which earned the company a fair amount of blowback. The video doesn’t quite reach deepfake territory—it’s actually pretty crude—but this is as good a time as ever to mention that researchers are coming up with new strategies to fight manipulated images, like baking tamper-proofing into the camera itself.

Here’s some good news: Google is finally making Chrome extensions safer. But the company still follows you across your whole digital life. We map all the ways Google monitors you, and explain how to stop the tracking once and for all.

Emily Dreyfuss covers the intersection of tech and culture for WIRED.

Of course, it wouldn’t be a week in security news if there wasn’t an update from Robert Mueller. This week, we actually heard what his voice sounds like, because the now former special counsel made a rare public statement. It was just 10 minutes long and full of carefully crafted legal reasoning. Garrett Graff broke down in plain English what Mueller’s statement means.

In useful news, WIRED rounded up the four best password managers right now. If you don’t have one yet, make it your weekend resolution to remedy that.

Of course, there was more. As we do every Saturday, we’ve rounded up the security stories that WIRED didn’t break or cover in depth this week, but which you should know about. Click on the headline to read the full story, and stay safe out there!

“Hijinks at Mar-a-Lago” has become a story archetype of its own during the Trump administration, but this one’s got everything: a teenager, clueless Secret Service agents, close proximity to Trump himself, and a members only beach tunnel. According to the Palm Beach Post, the sneak-in happened last November while the college freshman was in Florida for Thanksgiving. Also in town for the holiday? The president. While hanging out at a nearby beach club, the teen strode down the beach to where Mar-a-Lago guests were in line to return to their hotel via an underground tunnel guarded by Secret Service agents. His lawyer says he got in line with them, made it past the Secret Service (who merely “wanded” him for metal) and into the club, where he wandered around for 20 minutes before being arrested. The teen, who pleaded guilty to one charge of entering a restricted area and will serve a year of probation, told the judge, “I wanted to see how far I could get.” Four months later, a Chinese woman would be arrested after sneaking into Mar-a-Lago with a suspicious number of devices in tow. Both incidents highlight the Winter White House’s barely-there security, and the risks that raises.

Three iTunes customers have filed suit against Apple, claiming the company violated state privacy laws by sharing data about their iTunes purchases and other music preferences to third parties without their knowledge or consent. The plaintiffs, who are seeking class action status, allege that Apple sold iTunes data directly to data brokers, who then turned around and sold it to advertisers, and that it allowed developers access to iTunes libraries, which developers turned around and sold to data brokers. The first allegation could be tricky to prove in court, since data brokers have many sources for information (like, say, app developers). As Variety notes, it’s the second allegation that could be the most damning if true. It would also be in violation of Apple’s rules for developers, as pointed out by the Verge.

The North Face did some very dumb things recently. First, it partnered with an ad agency to upload photos of North Face gear at famous outdoorsy locations to those places’ Wikipedia pages, in order to push those photos high up on Google’s image results. The move was disrespectful, entitled, and generally against Wikipedia’s rules. To make matters worse, the company then produced a video ad in which it bragged about how easily it had “hacked the results to reach one of the most difficult places: the top of the world’s largest search engine.” Needless to say, the Wikimedia Foundation was none too pleased. It issued a statement calling the stunt “unethical,” and compared it to defacing public property. After news of the advertising prank landed to jeers not cheers, the North Face apologized.

When the internet giant announced a major change to the way its Chrome browser would handle extensions back in January, people were upset. The proposed changes would disrupt ad-blockers, making them work not well or at all. Five months later, the backlash hasn’t deterred anyone. Google announced that the functionality of current popular ad blockers won’t be supported when it rolls out the new extension system. Developers will need to change the back-end, and even then the extensions still likely won’t work as well. There is one exception: Google will be letting paid “enterprise” clients have access to the old system, though 9to5Google notes the purpose of this exception likely has nothing to do with ad-blocking; it’s probably to allow paid customers to make bespoke extensions that do all sorts of other things.

More Great WIRED Stories