{"id":4158,"date":"2026-01-19T01:43:07","date_gmt":"2026-01-19T01:43:07","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/01\/19\/microsoft-fixes-three-zero-days-on-busy-patch-tuesday\/"},"modified":"2026-01-19T01:43:07","modified_gmt":"2026-01-19T01:43:07","slug":"microsoft-fixes-three-zero-days-on-busy-patch-tuesday","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/01\/19\/microsoft-fixes-three-zero-days-on-busy-patch-tuesday\/","title":{"rendered":"Microsoft Fixes Three Zero-Days on Busy Patch Tuesday"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-9736453a-35a8-4cfa-b6f6-62d815bd9867\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>It\u2019s set to be a busy month for system administrators after Microsoft released security updates to fix over 100 CVEs yesterday, including one being actively exploited.<\/p>\n<p>CVE-2026-20805 is one of three zero-day bugs fixed on the first Patch Tuesday of 2026 \u2013 the other two being publicly disclosed but not yet used in attacks.<\/p>\n<p>It\u2019s listed as an information disclosure vulnerability in the Desktop Window Manager.<\/p>\n<p>\u201cThis CVE quietly leaks sensitive memory details, giving attackers the inside knowledge they need to weaken system protections and prepare for deeper compromise,\u201d explained Action1 director of vulnerability research, Jack Bicer.<\/p>\n<p>\u201cAn authorized local attacker can trigger the flaw to disclose a section address from a remote ALPC port residing in user-mode memory. 
Although no data modification or denial-of-service\u00a0occurs, the exposed memory information can undermine address space layout randomization (ASLR) and other defenses, making additional exploits more reliable.\u201d<\/p>\n<p>The other two zero-days include CVE-2026-21265:\u00a0a security feature bypass vulnerability related to secure boot certificate expiration.<\/p>\n<p>This relates to the expiration of Microsoft\u2019s original 2011 Root of Trust certificates\u00a0this year.<\/p>\n<p>\u201cThese certificates sign nearly every Windows bootloader since Windows 8, and they are set to expire in June and October 2026,\u201d explained Ryan Braunstein, security manager at Automox.<\/p>\n<p>\u201cIf you bought a motherboard or computer between 2012 and 2025, CVE-2026-21265 applies to you.\u201d<\/p>\n<p>He claimed that, among other things, hackers could chain the CVE with others to prevent systems from updating their forbidden signature database\u00a0before deploying a rootkit.<\/p>\n<p>\u201cThis is not a vulnerability you can patch once and forget,\u201d Braunstein warned.<\/p>\n<p>\u201cIt requires an audit of your entire hardware environment and coordination between OS and firmware updates. Some BIOS updates may require manual acceptance of the new UEFI certificates rolled out in 2023.\u201d<\/p>\n<h2>A Zero Day From 2023<\/h2>\n<p>The third zero-day is CVE-2023-31096: an elevation of privilege (EoP) in the Agere Modem driver that ships with some Windows versions.<\/p>\n<p>\u201cThis vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher. 
Today\u2019s Windows patches remove agrsm64.sys and agrsm.sys,\u201d explained Rapid7 lead software engineer, Adam Barnett.<\/p>\n<p>\u201cAll three modem drivers were originally developed by the same now-defunct third party\u00a0and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.\u201d<\/p>\n<p>Among the 114 CVEs patched by Microsoft this month, 57 are EoP, while a further 22 are remote code execution and 22 are classed as information disclosure. Just eight are classed as critical, although \u2013 as always \u2013 context matters\u00a0and will vary for each organization.<\/p>\n<\/div>\n<p><em>Image credit:\u00a0CHERRY.JUICE \/ Shutterstock.com<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s set to be a busy month for system administrators after Microsoft released security updates to fix over 100 CVEs yesterday, including one being actively exploited. CVE-2026-20805 is one of three zero-day bugs fixed on the first Patch Tuesday of 2026 \u2013 the other two being publicly disclosed but not yet used in attacks. 
It\u2019s<\/p>\n","protected":false},"author":2,"featured_media":4159,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4158","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4158-f7bbe925-33a4-4166-a819-51ea74e46c2d-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4158"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4158\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4159"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}