  • Patch Tuesday, January 2026 Edition – Krebs on Security

    Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today.

    January’s Microsoft zero-day — CVE-2026-20805 — lies in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Kev Breen, senior director of cyber threat research at Immersive, said that despite awarding CVE-2026-20805 a middling CVSS score of 5.5, Microsoft has confirmed active exploitation in the wild, indicating that threat actors are already leveraging this flaw against organizations.

    Breen said vulnerabilities of this kind are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits.

    “By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack,” Breen said. “Microsoft has not disclosed which additional components may be involved in such an exploit chain, significantly limiting defenders’ ability to proactively threat hunt for related activity. As a result, rapid patching currently remains the only effective mitigation.”

    Chris Goettl, vice president of product management at Ivanti, observed that CVE-2026-20805 affects all currently supported versions of the Windows OS, including those covered by Extended Security Updates. Goettl said it would be a mistake to dismiss the severity of this flaw based on its “Important” rating and relatively low CVSS score.

    “A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned,” he said.

    Among the critical flaws patched this month are two Microsoft Office remote code execution bugs (CVE-2026-20952 and CVE-2026-20953) that can be triggered just by viewing a booby-trapped message in the Preview Pane.

    Our October 2025 Patch Tuesday “End of 10” roundup noted that Microsoft had removed a modem driver from all Windows versions after it was discovered that attackers were exploiting a vulnerability in it to compromise systems. Adam Barnett at Rapid7 said Microsoft today removed another couple of modem drivers from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096.

    “That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher,” Barnett said. “Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.”

    According to Barnett, two questions remain: How many more legacy modem drivers are still present on a fully-patched Windows asset; and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying “living off the land[line] by exploiting an entire class of dusty old device drivers?”

    “Although Microsoft doesn’t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime,” Barnett said. “In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.”

    Immersive, Ivanti and Rapid7 all called attention to CVE-2026-21265, which is a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

    Barnett cautioned that when updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination you’re working with, since incorrect remediation steps can lead to an unbootable system.

    “Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet,” Barnett said. “Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.”
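    The two points Barnett makes above, that the mere presence of agrsm64.sys or agrsm.sys is enough to leave an asset exposed, and that a Secure Boot database still carrying only the 2011 certificates needs attention before the 2026 expiry, both reduce to questions an administrator can answer on a host. The following read-only PowerShell audit is an added example written for this roundup; it is not code from the Krebs article, Rapid7, Ivanti, Immersive or Microsoft. It assumes the standard System32\drivers and DriverStore\FileRepository layout, that the built-in SecureBoot and PnpDevice modules are available, and that the certificate subject fragments “Microsoft Windows Production PCA 2011” and “Windows UEFI CA 2023” (Microsoft’s published names for the old and replacement signing CAs, not names taken from the article) appear as ASCII inside the UEFI db variable. It must run from an elevated session.

```powershell
# Added example, not code from the Krebs article or from any vendor quoted in it.
# Read-only audit of one Windows host; run elevated (the SecureBoot cmdlets need it).

function Get-LegacyModemDriverStatus {
    # The two file names are the drivers the article says this month's patches remove.
    $legacyDriverNames = @('agrsm64.sys', 'agrsm.sys')

    # Live driver directory plus the DriverStore (assumed standard Windows layout).
    # The article's point: the file's presence alone matters, modem attached or not.
    $searchRoots = @(
        (Join-Path $env:SystemRoot 'System32\drivers'),
        (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
    )

    $hits = foreach ($root in $searchRoots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'agrsm*.sys' -ErrorAction SilentlyContinue |
                Where-Object { $legacyDriverNames -contains $_.Name }
        }
    }

    # Is a modem actually enumerated? Relevant to the ICS caveat quoted above: a host
    # that still uses one will lose it once the driver is removed.
    $modems = Get-PnpDevice -Class Modem -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LegacyDriverFiles = @($hits | ForEach-Object {
            [pscustomobject]@{ Path = $_.FullName; Version = $_.VersionInfo.FileVersion }
        })
        ModemDevices      = @($modems | Select-Object FriendlyName, Status, InstanceId)
        Vulnerable        = [bool]$hits
    }
}

function Get-SecureBootCertStatus {
    # Subject-name fragments are assumptions based on Microsoft's published certificate
    # names (the 2011 signing CA and its 2023 replacement); they are not from the article.
    $oldCa = 'Microsoft Windows Production PCA 2011'
    $newCa = 'Windows UEFI CA 2023'

    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS boot or a platform without the UEFI variables: nothing to check.
        return [pscustomobject]@{ SecureBootEnabled = $false; Has2011CA = $null; Has2023CA = $null; NeedsCertUpdate = $null }
    }

    # The UEFI 'db' variable holds the allowed-signer certificates as DER blobs; the
    # subject common names are ASCII inside them, so a substring match is sufficient.
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        Has2011CA         = $dbText -match [regex]::Escape($oldCa)
        Has2023CA         = $dbText -match [regex]::Escape($newCa)
        NeedsCertUpdate   = $enabled -and ($dbText -notmatch [regex]::Escape($newCa))
    }
}

$driverStatus = Get-LegacyModemDriverStatus
$sbStatus     = Get-SecureBootCertStatus

if ($driverStatus.Vulnerable) {
    'Legacy Agere modem driver present (per the article, presence alone renders the asset vulnerable):'
    $driverStatus.LegacyDriverFiles | Format-Table -AutoSize
} else {
    'No agrsm64.sys / agrsm.sys found on this host.'
}
if ($driverStatus.ModemDevices.Count -gt 0) {
    'Modem devices enumerated (check what depends on them before the driver removal lands):'
    $driverStatus.ModemDevices | Format-Table -AutoSize
}

$sbStatus | Format-List
if ($sbStatus.NeedsCertUpdate) {
    'Secure Boot DB lacks the 2023 CA: plan the bootloader/firmware update for this exact OS and BIOS combination before the 2026 expiry.'
}
```

    The driver search deliberately covers the DriverStore as well as the live drivers folder, because a driver package that is staged but not loaded can still be installed on demand. The Secure Boot half only reports; as Barnett cautions above, the remediation itself has to be planned per OS and BIOS combination, so the script stops at telling you whether the 2023 certificate is already in place.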

    Goettl noted that Mozilla has released updates for Firefox and Firefox ESR resolving a total of 34 vulnerabilities, two of which are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).

    “Expect Google Chrome and Microsoft Edge updates this week in addition to a high severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628),” Goettl said.

    As ever, the SANS Internet Storm Center has a per-patch breakdown by severity and urgency. Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything. If you experience any issues related to installing January’s patches, please drop a line in the comments below.


  • K-pop drum duet caps off Japan and South Korea’s diplomatic meeting

    A surreal drum duet between two East Asian world leaders has set the internet abuzz – and put a spotlight on Japan and South Korea’s diplomatic relationship.

    Decked out in matching blue jackets, South Korean President Lee Jae Myung and Japan’s Prime Minister Sanae Takaichi on Tuesday played drums to the beats of K-pop hits – including Dynamite by BTS and Golden from hit film KPop Demon Hunters.

    The performance, a nod to Takaichi’s past life as a drummer in a heavy metal band, wrapped up Lee’s official visit to Japan this week.

    It’s also part of Lee’s diplomatic overtures to regional powers including Japan, with whom South Korea has a fraught history but shares a security alliance.

    The drumming session from Tuesday, which Lee described as “a little clumsy”, has now spawned a viral video.

    During Lee’s visit to Nara, Takaichi’s hometown, he gifted the Japanese prime minister a drum set. The two leaders also exchanged signed drumsticks after their performance.

    “When we met at APEC last year, [Lee] said it was his dream to play the drums, so we prepared a surprise,” Takaichi later wrote on X.

    Footage of the jam session has won praise on social media.

    “Music seems to have the power to connect hearts at a deeper level than words ever could,” one X user wrote in Korean. “Exchanges like this may be quiet, but they will surely help move relations between Korea and Japan forward.”

    There have long been sore spots between the two neighbours, including historical grievances from Japan’s colonial rule and territorial disputes.

    But both countries are allies of the US, and have worked together to counter China’s increasing assertiveness in the region.

    On Tuesday, Takaichi said in a statement that cooperation between Japan, South Korea and the US has become increasingly important amid heightened tensions in the region’s “strategic environment”.

    Lee and Takaichi have also agreed to boost economic cooperation – a pledge that comes as China has been tightening its export of rare earths and dual-use goods to Japan.

    “Just seeing them actually playing drums together – not just posing – looks like they are having so much fun, and that’s what matters most,” an X user wrote in Japanese.

    “Both Korea and Japan are facing tough situations, but if we can meet each other halfway, I truly believe things will move in a positive direction.”

    Lee’s smoothness as a diplomat has boosted his approval ratings back home.

    Days before his viral jam session with Takaichi, he met Chinese President Xi Jinping in Beijing, with whom he took selfies on a Chinese smartphone.

    Last October, he flattered US President Donald Trump with a large golden crown.

    The only leader he hasn’t been able to charm is North Korea’s Kim Jong Un. Pyongyang has rejected Lee’s overtures for peace and shown little interest in reconciliation. This week, Pyongyang demanded an apology from Seoul after accusing it of flying surveillance drones in its territory.

    Lee’s rise to become president of South Korea had previously sounded alarm bells in Tokyo and Washington. Relatively unknown outside his own country at the time, Lee had a reputation as a firebrand who was sympathetic to socialist economic causes.

    The US feared South Korea would tilt towards China, South Korea’s largest trading partner.

    Japan, meanwhile, feared a repeat of a spat in 2019, when South Korea threatened to pull out of an intelligence-sharing agreement after Japan tightened its exports to the country.

    That fight broke out after a South Korean court ordered Japanese companies to compensate the survivors of Japan’s wartime forced labour, an issue Japan now considers resolved.

    Since taking office, however, Lee has walked a diplomatic tightrope among the region’s major powers, from the US to China and now Japan.

    Lee heaped praise on Takaichi’s drumming skills in a post on X, and likened their diplomatic efforts to the musical duet.

    “Even if our timing was slightly different, our intention to find the same rhythm was shared,” he wrote. “In that same spirit, we will continue to build a future-oriented Korea–Japan relationship together, with one heart.”


  • Backlash in UK against Elon Musk’s Grok AI explained

    The UK government says X limiting Grok AI image edits to users who pay a monthly fee is “insulting” to victims of misogyny and sexual violence.

    It follows backlash after Elon Musk’s AI engine digitally changed images of people by undressing them – something it says it now can only do for those who pay a monthly instalment.

    The BBC’s technology editor Zoe Kleinman explains what’s happened and why.
