Transcript
A (0:02)
Microsoft patches 81 flaws, two of them zero-days. The Government of Canada confirms a breach of emails and phone numbers. Nvidia releases Garak, an open source LLM vulnerability scanner. A US senator urges the FTC to probe Microsoft's security practices. And the case of the bricked SSDs: the mystery is finally solved. This is Cybersecurity Today. I'm your host, Jim Love.

Microsoft released its September Patch Tuesday update fixing 81 security flaws, but two of them were publicly disclosed before Microsoft released this month's fixes. There are a lot of issues in the current update: 41 are elevation of privilege bugs, 22 are remote code execution and 16 are information disclosure. The rest includes spoofing and denial of service issues. The first of the two zero-days, CVE-2025-555234, is a Windows SMB server vulnerability that can be abused in relay-style attacks. Microsoft recommends enabling SMB signing and Extended Protection for Authentication, but warns that admins should check compatibility first so they don't break older systems. The second zero-day, CVE-2024-21907, is in the Newtonsoft.Json library used by SQL Server. Attackers can send crafted JSON data that triggers a stack overflow, leading to a denial of service without even needing authentication. Nine of the flaws included are rated critical, including five that could allow remote code execution, the kind of vulnerabilities that let attackers run their own code on your systems. With two zero-days already disclosed, attackers have had a head start. So despite any reservations about prior issues on patching, this one should probably be a top priority. And it's a busy time. September has brought fixes from a wide range of vendors. Bleeping Computer has put together a pretty comprehensive list covering Microsoft, Adobe, SAP, VMware and others, all well worth checking. If you haven't seen it, I'll put a link in the show notes.

The Government of Canada has confirmed that individuals' email addresses and phone numbers tied to accounts at the Canada Revenue Agency, Employment and Social Development Canada and the Canada Border Services Agency were accessed in a recent cyber attack. The Treasury Board Secretariat said it was 2Keys Corporation, the provider of the federal multi-factor authentication service, that discovered the incident on August 17 and promptly alerted authorities. A routine software update between August 3 and August 15 introduced the vulnerability. The gap allowed a malicious actor to access phone numbers linked to CRA and ESDC accounts and email addresses tied to CBSA accounts. Some of those affected phone numbers later received spam text messages with links to a fake Government of Canada website. The multi-factor service has since been restored, and there's no indication that additional or more sensitive personal data has been accessed. We'll update this more as information comes our way.

We've been covering story after story about weaknesses in large language models, but here's at least a step forward. Nvidia has launched Garak, a free open source toolkit that red teams large language models. The tool, whose name stands for Generative AI Red-teaming and Assessment Kit, acts like a penetration testing framework for AI. It probes models for weaknesses such as hallucinations, jailbreaks, prompt injections, data leaks, and toxic outputs. Garak works across a wide range of systems: Hugging Face, Replicate, OpenAI APIs, LiteLLM REST interfaces, and even GGUF models like llama.cpp. It logs its results in three ways: a main debugging log, a JSONL report of every probing attempt, and a hit log that captures only confirmed vulnerabilities. The tool is Apache licensed and backed by research formalizing how to test AI models for security risks. With AI being embedded into more critical systems, Garak may help give organizations a scalable way to stress test their models and catch failures before attackers do. It's worth checking out, at the very least.

Microsoft is taking political heat from a senior Democratic senator in Washington. Senator Ron Wyden of Oregon has asked the Federal Trade Commission to investigate what he's called the company's gross cybersecurity negligence. Wyden pointed to Microsoft's continued support for outdated encryption standards like RC4, which he argues enabled ransomware attacks, including the Ascension health breach that exposed data on more than 5.6 billion people. In a letter to the FTC chair, Wyden compared Microsoft to an arsonist selling firefighting services to their victims. He argued that its dominance in enterprise IT leaves organizations with little choice but to accept insecure defaults. Microsoft responded that RC4 now makes up less than 0.1% of its traffic and will be disabled by default in some Windows products starting in 2026. Fairly or not, this criticism matters. Wyden isn't just any senator. He's the ranking member of the Senate Finance Committee, one of the most powerful posts in Congress, and he has a long record of pushing cybersecurity issues into the national spotlight. It's not just regulation. Microsoft has a huge number of government contracts, and the Senate Finance Committee is a perfect place to stall some of those. The message is clear. Microsoft's patching services are no longer just a technical issue. They've become a matter of political oversight and a huge liability for the company.

But here's at least one piece of good news for Microsoft: the mystery is finally solved. The Windows update didn't brick SSDs. After Microsoft's last Windows 11 update, reports started circulating of failed SSDs. The presumed culprit was the update itself, and Phison, a major maker of SSD controllers, was also caught up in the speculation, with some suggesting its chips were behind the failures. Fortunately, both companies treated the issue seriously. Microsoft did a lot of testing and said its telemetry showed no increase in disk failures. Phison ran more than 4,500 hours of testing and 2,200 test cycles. They couldn't reproduce the problem on production drives. The answer finally came from a PC building group in Taiwan. They discovered what was under everybody's nose: the failing drives were running engineering or preview firmware, not the final consumer version. On drives with production firmware, the failures didn't occur. Mystery solved. Windows Update wasn't bricking drives. Phison's controllers weren't to blame. The problem lay in a handful of drives running firmware that was never meant for release. What's that Sherlock Holmes used to say? When you eliminate the impossible, whatever remains, however improbable, must be the truth? Congratulations to those Sherlock Holmeses in Taiwan.

And that's our show for today. You can reach me with tips, comments, even constructive criticism if you like. And if you've got time, check out my interview with the father of Zero Trust this Saturday on our weekend show. It'll be available with your coffee on Saturday morning. I'm your host, Jim Love. Thanks for listening.
