Tag
#windows
24 posts tagged #windows.
-
Analysis · May 25, 2026 · Colten Anderson
Microsoft patched a SYSTEM bug in 2020. It still works in 2026.
A pseudonymous researcher published MiniPlasma, a working PoC for CVE-2020-17103, and the only thing standing between you and a SYSTEM shell is a driver you cannot turn off.
-
Analysis · May 20, 2026 · Colten Anderson
BlueKeep: the wormable RDP bug Microsoft patched Windows XP for
CVE-2019-0708 was a pre-authentication, wormable RCE in Windows Remote Desktop. Microsoft was scared enough of a WannaCry repeat that it shipped patches for end-of-life XP and Server 2003. The worm never fully came, but the lesson did: RDP doesn't belong on the internet.
-
Analysis · May 20, 2026 · Colten Anderson
Scattered Spider didn't need a zero-day. They brought a decade-old driver Windows still loads.
CVE-2015-2291 is a vulnerable Intel Ethernet driver. Scattered Spider loaded it to reach the kernel and patch out Defender, CrowdStrike, SentinelOne, and Palo Alto in memory. It's the classic bring-your-own-vulnerable-driver attack, and the defenses are switches you can flip today.
-
Analysis · May 20, 2026 · Colten Anderson
Still running SMBv1? The catalog has a 2017 reminder for you.
A cluster of old Windows bugs sits in the KEV catalog: an SMBv1 information-disclosure from the MS17-010 family that powered WannaCry, plus assorted legacy privilege-escalation flaws. They share one fix path: keep supported Windows patched, kill SMBv1, retire end-of-life.
-
Analysis · May 20, 2026 · Colten Anderson
Two years of Patch Tuesdays, one message: the exploited Windows bug is almost always a privilege escalation
Across 2025 and 2026, Microsoft kept fixing already-exploited Windows flaws, storage drivers, Hyper-V, the network stack, even a 20-year-old third-party modem driver. They don't each need their own post. Together they make one point about patching Windows fast.
-
Analysis · May 20, 2026 · Colten Anderson
A clickable link in a SYSTEM dialog is a SYSTEM shell waiting to happen
CVE-2019-1388 turned a hyperlink in the UAC certificate dialog into a path to NT AUTHORITY\SYSTEM. No exploit code, just clicks: open the cert, click 'Issued by,' and the browser launches as SYSTEM. The lesson is what any interactive element in a privileged process really is.
-
Analysis · May 20, 2026 · Colten Anderson
The same crew beat the same defense twice in three months. The patch was the problem.
CVE-2023-24880 let Magniber ransomware bypass SmartScreen with malformed MSI signatures. It worked because Microsoft's earlier fix for nearly the same bug addressed one symptom and left the root cause standing. Narrow patches invite variants, and the attacker just comes back.
-
Analysis · May 20, 2026 · Colten Anderson
Lazarus didn't bring a vulnerable driver. They used the one already on every Windows PC.
The standard defense against driver-based kernel attacks is a blocklist of known-bad drivers. CVE-2024-21338 routes around it: the vulnerable driver is appid.sys, the AppLocker component Windows ships by default. You can't blocklist a core part of the OS.
-
Analysis · May 20, 2026 · Colten Anderson
The warning your careful users count on, that quietly never fired
CVE-2024-21412 bypasses Windows SmartScreen with a shortcut inside a shortcut. The file looks like a JPEG, the user double-clicks, and the safety prompt that was supposed to appear simply doesn't. It's also a bypass of the previous SmartScreen fix.
-
Analysis · May 20, 2026 · Colten Anderson
Microsoft said 'no known exploitation.' The exploit may have been three months old.
When Microsoft patched CVE-2024-26169 in March 2024, the advisory said it wasn't aware of attacks. Symantec later found a Black Basta exploit tool built weeks earlier. The technique it used, an IFEO Debugger key, is one you can detect even when you can't patch in time.
-
Analysis · May 20, 2026 · Colten Anderson
The FBI dismantled QakBot in 2023. In 2024 it was test-driving a Windows zero-day.
CVE-2024-30051 is a DWM Core Library privilege escalation to SYSTEM, used as a zero-day. Kaspersky tied it to QakBot, the botnet taken down nine months earlier, and found the exploit was already in several groups' hands before the patch.
-
Analysis · May 20, 2026 · Colten Anderson
The boring privilege-escalation bug is the one that finishes the job
CVE-2024-30088 is a local Windows kernel race condition. It needs an attacker who's already inside, which is exactly why it gets deprioritized. APT34 used it to turn a foothold into SYSTEM, then dropped a password filter to skim every cleartext login.
-
Analysis · May 20, 2026 · Colten Anderson
The Print Spooler keeps getting exploited. The fix is usually to turn it off.
PrintNightmare wasn't one bug. The KEV catalog holds a string of Print Spooler entries, from PrintNightmare to SpoolFool to the flaw APT28 paired with GooseEgg. They share a root cause, and for most servers the durable answer isn't a patch, it's disabling a service you don't need.
-
Analysis · May 19, 2026 · Colten Anderson
YellowKey is unpatched and your travel laptops are exposed today
A public PoC, a TPM-only default, and no patch in sight. TPM+PIN stops the live exploit, but the researcher says a second variant is waiting.
-
Field Note · May 15, 2026 · Colten Anderson
Nine PowerShell checks before you trust a Windows host
A short, native-PowerShell audit a Windows admin can run on any host in about ten minutes. The bad answers are unambiguous and the fixes are cheap.
-
Analysis · May 11, 2026 · Colten Anderson
The CVSS 4.3 that APT28 was already using
Microsoft shipped the fix for CVE-2026-32202 without an exploitation flag while Russian state actors had a five-month head start. Vendor-tag triage missed it. The federal deadline is tomorrow.
-
Analysis · May 11, 2026 · Colten Anderson
The June 2026 Secure Boot cliff: tomorrow is your last clean window
Three Microsoft Secure Boot certificates from 2011 expire in June. May 12 is the last Patch Tuesday before the cliff, and the registry trigger isn't going to set itself.
-
Analysis · May 10, 2026 · Colten Anderson
The seven-year gap is the story, not the CVE
Microsoft patched CVE-2018-8639 in December 2018. CISA added it to the KEV catalog in March 2025. The interesting number isn't the bug's age. It's the distance between when a fix shipped and when the exposed fleet was acknowledged.
-
Analysis · May 10, 2026 · Colten Anderson
The second bug is the easy one now
Two unrelated actors weaponized the same Task Scheduler zero-day at the same time. The reason isn't sophistication, it's that missing-auth on local RPC is sitting under most of Windows.
-
Analysis · May 8, 2026 · Colten Anderson
The researcher who reported two Windows bugs to Microsoft was exploiting a third
CVE-2025-26633 turns MMC's localization feature into a code execution vector. EncryptHub exploited it as a zero-day while simultaneously disclosing other vulnerabilities to Microsoft for credit.
-
Analysis · May 6, 2026 · Colten Anderson
Six zero-days in three years: the CLFS pattern Microsoft can't outrun
Microsoft patched a CLFS zero-day on April 8 but left Windows 10 without a fix for five weeks. Two unrelated ransomware groups were already using it. It was the sixth CLFS zero-day since 2022.
-
Analysis · May 3, 2026 · Colten Anderson
Cerdigent was a false positive. Check what Defender actually removed.
Defender definition 1.449.424.0 flagged two legitimate DigiCert root CA certificates as a high-severity trojan. The alert was a false positive, but if auto-remediation ran before the fix shipped, your certificate store may now be missing trust anchors that TLS depends on.
-
Analysis · May 1, 2026 · Colten Anderson
Microsoft: the Patch Day cinematic universe
Licensing, patches, email blocking, Copilot, Recall, Windows replacement. Every subplot lands on the same sysadmin's desk.
-
Analysis · May 1, 2026 · Colten Anderson
A 4.3 that mattered: the 13-day gap between patch and exploitation flag
Microsoft patched CVE-2026-32202 on April 14 without marking it exploited. APT28 had been using it since at least December. The gap between those two facts is where triage models break.