Tag
#microsoft
38 posts tagged #microsoft.
-
Analysis · Jun 2, 2026 · Colten Anderson
One CERT says it's exploited, Microsoft says it isn't, and you patch anyway
A pre-auth SYSTEM RCE on every domain controller doesn't need an exploitation rumor to earn the top of your patch queue. The interesting part is why the alarm and the data disagree, and why that disagreement shouldn't change your call.
-
Analysis · May 28, 2026 · Colten Anderson
The print stack regresses on schedule
KB5087424 broke 32-bit printing on Windows Server 2022 hotpatch fleets. It's the latest data point in a five-year arc of print-stack regressions that track Microsoft's deliberate retirement of the legacy spooler architecture.
-
Analysis · May 20, 2026 · Colten Anderson
BlueKeep: the wormable RDP bug Microsoft patched Windows XP for
CVE-2019-0708 was a pre-authentication, wormable RCE in Windows Remote Desktop. Microsoft was scared enough of a WannaCry repeat that it shipped patches for end-of-life XP and Server 2003. The worm never fully came, but the lesson did: RDP doesn't belong on the internet.
-
Analysis · May 20, 2026 · Colten Anderson
The year on-premise Exchange became the most-attacked software on earth
ProxyLogon and ProxyShell turned 2021 into open season on Exchange Server. Two unauthenticated RCE chains, tens of thousands of web-shelled servers, an FBI operation to clean them up. If you still run Exchange on-prem, you're operating a permanent top-tier target.
-
Analysis · May 20, 2026 · Colten Anderson
A mitigation blocks a path. OWASSRF found another door.
After ProxyNotShell, Microsoft told Exchange admins to apply URL-rewrite mitigations while the patch was finished. OWASSRF (CVE-2022-41080) walked around them by knocking on OWA instead of Autodiscover, and Play ransomware walked in. Mitigations aren't fixes.
-
Analysis · May 20, 2026 · Colten Anderson
Everyone hardened against macros. Follina didn't use one.
CVE-2022-30190 (Follina) ran code from a Word document with no macro at all, by abusing a Windows URL protocol handler to invoke the Support Diagnostic Tool. It defeated macro-based defenses, and Microsoft had reportedly closed an earlier report as 'not a security issue.'
-
Analysis · May 20, 2026 · Colten Anderson
Scattered Spider didn't need a zero-day. They brought a decade-old driver Windows still loads.
CVE-2015-2291 is a vulnerable Intel Ethernet driver. Scattered Spider loaded it to reach the kernel and patch out Defender, CrowdStrike, SentinelOne, and Palo Alto in memory. It's the classic bring-your-own-vulnerable-driver attack, and the defenses are switches you can flip today.
-
Analysis · May 20, 2026 · Colten Anderson
Still running SMBv1? The catalog has a 2017 reminder for you.
A cluster of old Windows bugs sits in the KEV catalog: an SMBv1 information-disclosure from the MS17-010 family that powered WannaCry, plus assorted legacy privilege-escalation flaws. They share one fix path: keep supported Windows patched, kill SMBv1, retire end-of-life.
-
Analysis · May 20, 2026 · Colten Anderson
noPac: any domain user to Domain Admin, no exploit code required
CVE-2021-42278 and CVE-2021-42287 chain into 'noPac,' which takes a standard domain user to Domain Admin in about one command. There's no memory corruption, just abused Active Directory name handling, riding on a default that lets ordinary users create computer accounts.
-
Analysis · May 20, 2026 · Colten Anderson
Known exploited, no patch: what to do in the weeks before a fix exists
When Microsoft disclosed CVE-2023-36884, it was already being used by a Russian group against governments, and there was no patch for weeks. Only mitigations. That scenario is more common than a patch-centric process assumes, and mitigations are the plan, not a consolation prize.
-
Analysis · May 20, 2026 · Colten Anderson
OMIGOD: an unauth root RCE in an agent you didn't know Azure installed
CVE-2021-38647 is an unauthenticated remote code execution as root in the OMI agent. Most victims didn't know they were running OMI; Azure silently deployed it on Linux VMs when you enabled common services. Invisible agents are invisible attack surface.
-
Analysis · May 20, 2026 · Colten Anderson
PetitPotam: make a domain controller authenticate to you, relay it, own the domain
CVE-2021-36942 lets an attacker coerce a Windows machine, including a domain controller, into authenticating to them. Relay that to Active Directory Certificate Services and you can mint a certificate as the DC. It's an Active Directory configuration problem as much as a patch.
-
Analysis · May 20, 2026 · Colten Anderson
The attacker installed a second antivirus to crash your first one
CVE-2024-38094 is a 7.2. It requires authentication. Most teams filed it below the criticals. It was still the entry point for a two-week, full-domain compromise, and the cleanup tactic was installing rogue antivirus to make the real EDR fall over.
-
Analysis · May 20, 2026 · Colten Anderson
A bug that won $100k at Pwn2Own in March was encrypting SharePoint by winter
The CVE-2023-29357 + CVE-2023-24955 chain gives unauthenticated RCE on SharePoint. It was demoed at Pwn2Own in March 2023, patched mid-year, had a public PoC by late 2023, and hit the KEV list in early 2024. That timeline is something you can plan around.
-
Analysis · May 20, 2026 · Colten Anderson
Two years of Patch Tuesdays, one message: the exploited Windows bug is almost always a privilege escalation
Across 2025 and 2026, Microsoft kept fixing already-exploited Windows flaws, storage drivers, Hyper-V, the network stack, even a 20-year-old third-party modem driver. They don't each need their own post. Together they make one point about patching Windows fast.
-
Analysis · May 20, 2026 · Colten Anderson
A clickable link in a SYSTEM dialog is a SYSTEM shell waiting to happen
CVE-2019-1388 turned a hyperlink in the UAC certificate dialog into a path to NT AUTHORITY\SYSTEM. No exploit code, just clicks: open the cert, click 'Issued by,' and the browser launches as SYSTEM. The lesson is what any interactive element in a privileged process really is.
-
Analysis · May 20, 2026 · Colten Anderson
The same crew beat the same defense twice in three months. The patch was the problem.
CVE-2023-24880 let Magniber ransomware bypass SmartScreen with malformed MSI signatures. It worked because Microsoft's earlier fix for nearly the same bug addressed one symptom and left the root cause standing. Narrow patches invite variants, and the attacker just comes back.
-
Analysis · May 20, 2026 · Colten Anderson
Lazarus didn't bring a vulnerable driver. They used the one already on every Windows PC.
The standard defense against driver-based kernel attacks is a blocklist of known-bad drivers. CVE-2024-21338 routes around it: the vulnerable driver is appid.sys, the AppLocker component Windows ships by default. You can't blocklist a core part of the OS.
-
Analysis · May 20, 2026 · Colten Anderson
The warning your careful users count on, that quietly never fired
CVE-2024-21412 bypasses Windows SmartScreen with a shortcut inside a shortcut. The file looks like a JPEG, the user double-clicks, and the safety prompt that was supposed to appear simply doesn't. It's also a bypass of the previous SmartScreen fix.
-
Analysis · May 20, 2026 · Colten Anderson
Microsoft said 'no known exploitation.' The exploit may have been three months old.
When Microsoft patched CVE-2024-26169 in March 2024, the advisory said it wasn't aware of attacks. Symantec later found a Black Basta exploit tool built weeks earlier. The technique it used, an IFEO Debugger key, is one you can detect even when you can't patch in time.
-
Analysis · May 20, 2026 · Colten Anderson
The FBI dismantled QakBot in 2023. In 2024 it was test-driving a Windows zero-day.
CVE-2024-30051 is a DWM Core Library privilege escalation to SYSTEM, used as a zero-day. Kaspersky tied it to QakBot, the botnet taken down nine months earlier, and found the exploit was already in several groups' hands before the patch.
-
Analysis · May 20, 2026 · Colten Anderson
The boring privilege-escalation bug is the one that finishes the job
CVE-2024-30088 is a local Windows kernel race condition. It needs an attacker who's already inside, which is exactly why it gets deprioritized. APT34 used it to turn a foothold into SYSTEM, then dropped a password filter to skim every cleartext login.
-
Analysis · May 20, 2026 · Colten Anderson
The Print Spooler keeps getting exploited. The fix is usually to turn it off.
PrintNightmare wasn't one bug. The KEV catalog holds a string of Print Spooler entries, from PrintNightmare to SpoolFool to the flaw APT28 paired with GooseEgg. They share a root cause, and for most servers the durable answer isn't a patch, it's disabling a service you don't need.
-
Analysis · May 20, 2026 · Colten Anderson
Zerologon: a crypto mistake that hands over the domain in seconds
CVE-2020-1472 is a cryptographic flaw in the Netlogon protocol that lets an unauthenticated attacker with network access to a domain controller reset its machine-account password to empty, becoming domain admin. CVSS 10, no credentials, seconds to exploit.
-
Analysis · May 18, 2026 · Colten Anderson
Microsoft titled it Spoofing. It's session hijacking.
CVE-2026-42897 is the first real test of Exchange Server Subscription Edition's new servicing model. Four days in, the answer is a mitigation that breaks four OWA features and an SU with no ship date.
-
Analysis · May 18, 2026 · Colten Anderson
KB5089549 fails at 35% because your ESP is full
May's Windows 11 cumulative dies at the boot-file write step on machines with under 10 MB free in the EFI System Partition. Here's the registry fix, the detection query, and the WSUS decision.
-
Field Note · May 15, 2026 · Colten Anderson
A 30-minute Patch Tuesday triage you can actually run
How to get from 150 CVEs to the 4-8 that change your week, using only public signals and a clock.
-
Analysis · May 11, 2026 · Colten Anderson
The June 2026 Secure Boot cliff: tomorrow is your last clean window
Three Microsoft Secure Boot certificates from 2011 expire in June. May 12 is the last Patch Tuesday before the cliff, and the registry trigger isn't going to set itself.
-
Analysis · May 9, 2026 · Colten Anderson
Skip the optional preview: KB5083631 isn't worth your Tuesday morning
May 12 ships the same 34 fixes plus the month's security patches in one tested package. The preview brings the same risk for none of the upside.
-
Analysis · May 5, 2026 · Colten Anderson
SharePoint's two-week window: patched servers were still exploitable
Organizations that patched SharePoint on July 9 did everything right and were still vulnerable. Microsoft's first fix was incomplete, and ransomware operators had the gap memorized.
-
Analysis · May 5, 2026 · Colten Anderson
The 6.5 that enabled 400 compromises: authentication bypasses and the CVSS blind spot
CVE-2025-49706 scored CVSS 6.5. It enabled unauthenticated RCE across 400+ SharePoint servers. Authentication bypasses are consistently under-scored, and consistently the vulnerability class that turns a bad bug into a mass-exploitation campaign.
-
Analysis · May 5, 2026 · Colten Anderson
The patch that wasn't: why SharePoint's fix needed a fix
CVE-2025-53770 bypassed Microsoft's July patch for SharePoint within days. The problem isn't bugs. It's that incomplete fixes are a pattern, and patch compliance frameworks can't measure patch quality.
-
Analysis · May 3, 2026 · Colten Anderson
Cerdigent was a false positive. Check what Defender actually removed.
Defender definition 1.449.424.0 flagged two legitimate DigiCert root CA certificates as a high-severity trojan. The alert was a false positive, but if auto-remediation ran before the fix shipped, your certificate store may now be missing trust anchors that TLS depends on.
-
Analysis · May 1, 2026 · Colten Anderson
Microsoft: the Patch Day cinematic universe
Licensing, patches, email blocking, Copilot, Recall, Windows replacement. Every subplot lands on the same sysadmin's desk.
-
Analysis · May 1, 2026 · Colten Anderson
Hotpatch goes default in Autopatch. You have 10 days.
Microsoft flips hotpatch on by default for all Autopatch tenants May 11. If you haven't inventoried your fleet against the requirements, you're about to get a split patching model you didn't plan for.
-
Analysis · May 1, 2026 · Colten Anderson
A 4.3 that mattered: the 13-day gap between patch and exploitation flag
Microsoft patched CVE-2026-32202 on April 14 without marking it exploited. APT28 had been using it since at least December. The gap between those two facts is where triage models break.
-
Analysis · May 1, 2026 · Colten Anderson
Windows Defender is the attack surface now, and two of the three exploits don't have patches
Three tools dropped in April turn Defender's own privileged operations into privilege escalation and detection evasion. Microsoft patched one. The other two work on fully patched systems.
-
Analysis · Apr 29, 2026 · Colten Anderson
Microsoft April 2026 Patch Tuesday: the CVE count is the wrong unit
Roughly 160+ CVEs landed in April. About six of them change what an IT team does this week.