Cybersecurity Today
Host: Jim Love
Episode: Microsoft Patches Zero Day And More
Date: September 12, 2025
Overview
In this episode, Jim Love delivers a rapid-fire update on some of the most pressing cybersecurity issues affecting organizations and individuals. He covers Microsoft's major September patch release—highlighting two dangerous zero-day vulnerabilities—details a confirmed Canadian government data breach, discusses Nvidia's open-source AI vulnerability scanner launch, and unpacks new political scrutiny facing Microsoft. The episode winds up with the resolution of the "bricked SSD" mystery. Jim's tone is practical, urgent, and, at times, wry—underscoring both the complexity and the constant evolution of cybersecurity threats.
Key Discussion Points and Insights
1. Microsoft Patch Tuesday: 81 Flaws Fixed, 2 Zero-Days Disclosed
[00:10–03:00]
- Microsoft's September Update: 81 security vulnerabilities fixed:
- 41 Elevation of Privilege
- 22 Remote Code Execution
- 16 Information Disclosure
- Rest: Spoofing/Denial of Service
- Two Critical Zero-Days:
- CVE-2025-555234: Windows SMB server flaw, allows relay attacks.
- "Microsoft recommends enabling SMB signing and extended protection for authentication, but warns that admins should check compatibility first." (Jim Love, 00:47)
- CVE-2024-21907: JSON library in SQL Server. Easily exploited with crafted JSON data—can cause denial of service without authentication.
- Nine Critically-Rated Flaws:
- 5 enable remote code execution (attackers can run their own code).
- Urgency:
- "With two zero days already disclosed, attackers have had a head start. So despite any reservations about prior issues on patching, this one should probably be a top priority." (Jim Love, 01:51)
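The SMB mitigation Microsoft describes above (signing plus extended protection) is only safe to switch on after a compatibility check. The following added PowerShell script, which is not from the episode, audits the current server state and lists sessions that would break once signing is required; it assumes a Windows host with the built-in SmbShare module, and that the SmbServerNameHardeningLevel property and the Signed session property are present (Windows 11 / Windows Server 2022 and later).

```powershell
# Added example (not from the episode): audit SMB server hardening state
# before enforcing signing and extended protection for CVE-2025-555234.
# Assumes the SmbShare module; SmbServerNameHardeningLevel is assumed to
# exist only on Windows 11 / Windows Server 2022 and later.
#Requires -RunAsAdministrator

$cfg = Get-SmbServerConfiguration

$report = [pscustomobject]@{
    SigningRequired    = $cfg.RequireSecuritySignature
    SigningEnabled     = $cfg.EnableSecuritySignature
    # 0 = off, 1 = accept if SPN matches or is absent, 2 = required (EPA)
    NameHardeningLevel = $cfg.SmbServerNameHardeningLevel
    ActiveSessions     = @(Get-SmbSession -ErrorAction SilentlyContinue).Count
}
$report | Format-List

# Compatibility check first: connected clients that did not negotiate signing
# are the ones that will fail once RequireSecuritySignature is set.
$unsigned = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Signed } |
    Select-Object ClientComputerName, ClientUserName, Dialect, Signed
$unsigned | Format-Table -AutoSize

# Apply the hardening only when the unsigned list is empty or those clients
# have been fixed. Uncomment to enforce:
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
# Set-SmbServerConfiguration -SmbServerNameHardeningLevel 2 -Force
```

Run it once per file server and keep the output as the "before" record; the enforcement lines are intentionally commented so the audit is read-only.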
2. Wave of Security Updates from Other Vendors
[03:00–03:18]
- Other major vendors (Adobe, SAP, VMware, etc.) have also issued important patches.
- Bleeping Computer offers a comprehensive list for those managing multi-vendor environments.
3. Canadian Government Data Breach: Multi-Factor Auth Provider Compromised
[03:19–05:07]
- Affected organizations:
- Canada Revenue Agency
- Employment and Social Development Canada
- Canada Border Services Agency
- How it Happened:
- "A routine software update between August 3 and August 15 introduced the vulnerability. The gap allowed a malicious actor to access phone numbers ... and email addresses..." (Jim Love, 03:57)
- Scope: Email addresses and phone numbers were exposed; some victims received phishing messages.
- Response:
- Multi-factor authentication service restored.
- No evidence of additional sensitive data exposure.
4. Nvidia’s Garak: Open Source LLM Security Toolkit Release
[05:08–06:36]
- Launch of Garak:
- Free, open source AI "red teaming" toolkit for "pen testing" large language models.
- Capabilities:
- Finds hallucinations, jailbreaks, prompt injections, data leaks, toxic outputs.
- Compatibility:
- Works with Hugging Face, Replicate, OpenAI APIs, LiteLLM, llama.cpp, and others.
- Logging:
- Debugging, JSONL report of every attempt, hit log for confirmed vulnerabilities.
- Quote:
- "With AI being embedded into more critical systems, Garak may help give organizations a scalable way to stress test their models and catch failures before attackers do." (Jim Love, 06:20)
5. Microsoft Faces Political Heat Over Security Practices
[06:37–08:15]
- Senator Ron Wyden (D-Oregon):
- Pressing FTC to investigate Microsoft for "gross cybersecurity negligence".
- Points to continued support of outdated encryption (RC4) as a vector in big breaches (e.g., Ascension Health).
- Wyden Quote (Paraphrased by Jim):
- "In a letter to the FTC chair, Wyden compared Microsoft to an arsonist selling firefighting services to their victims." (Jim Love, 07:26)
- Microsoft Response:
- RC4 is now less than 0.1% of traffic; will be default-disabled in 2026.
- Political Stakes:
- "Microsoft's patching services are no longer just a technical issue. They've become a matter of political oversight and a huge liability for the company." (Jim Love, 08:03)
6. “Bricked SSDs” Mystery Solved: Firmware, Not Windows Update
[08:16–09:40]
- Background: Users experienced SSD failures after a Windows 11 update. Fingers were pointed at Microsoft and Phison (SSD controller maker).
- Investigation:
- Microsoft and Phison conducted extensive tests—couldn't replicate.
- Solution (from Taiwan PC builders):
- Failing drives ran engineering/preview firmware, not consumer/production versions.
- Quote:
- "Mystery solved. Windows Update wasn't bricking drives. Phison's controllers weren't to blame. The problem lay in a handful of drives running firmware that was never meant for release." (Jim Love, 09:22)
- "What's that that Sherlock Holmes used to say? When you eliminate the impossible, whatever remains, however improbable, must be the truth? Congratulations to these Sherlock Holmes in Taiwan." (Jim Love, 09:34)
Memorable Quotes and Moments
- Patching Priorities: "With two zero days already disclosed, attackers have had a head start. So despite any reservations about prior issues on patching, this one should probably be a top priority." (Jim Love, 01:51)
- Senatorial Critique: "Wyden compared Microsoft to an arsonist selling firefighting services to their victims." (Jim Love, 07:26)
- Garak's Promise for AI Security: "With AI being embedded into more critical systems, Garak may help give organizations a scalable way to stress test their models and catch failures before attackers do." (Jim Love, 06:20)
- On SSDs and Sleuthing: "What's that that Sherlock Holmes used to say? When you eliminate the impossible, whatever remains, however improbable, must be the truth? Congratulations to these Sherlock Holmes in Taiwan." (Jim Love, 09:34)
Timestamps for Important Segments
- Microsoft Patch Tuesday Details: 00:10–03:00
- Other Vendor Patch Roundup: 03:00–03:18
- Canadian MFA Breach: 03:19–05:07
- Nvidia Garak AI Security Toolkit: 05:08–06:36
- Political Pressure on Microsoft: 06:37–08:15
- SSD Firmware Mystery Solved: 08:16–09:40
Takeaways
- Critical updates and zero-days demand immediate response—especially in widely used infrastructures.
- Breaches can stem from third-party providers—routine maintenance windows are a risk.
- AI-driven systems pose emerging vulnerability vectors; tools like Garak provide hope for proactive defense.
- Regulatory and political scrutiny over cybersecurity is intensifying, especially regarding tech giants with large market shares and vital contracts.
- Not all high-profile failures are caused by platform updates; independent investigations sometimes yield surprising truths.
For more insights or to follow up on any stories, check the show notes and catch Jim’s special weekend interview with the "father of Zero Trust."
