Cybersecurity Today: Microsoft Patches, Canadian Data Breach, NVIDIA's New Tool, and a Senator's Call for Investigation
In this episode of Cybersecurity Today, host Jim Love discusses Microsoft's September patch update addressing 81 security flaws, including two zero-day vulnerabilities. Highlights include a data breach in Canada affecting email and phone numbers, NVIDIA's release of an open-source LLM vulnerability scanner, and US Senator Ron Wyden's call for the FTC to investigate Microsoft's security practices. The episode also clears up the mystery behind the bricked SSDs after a Windows 11 update.
00:00 Microsoft Patches 81 Flaws
02:29 Canadian Government Data Breach
03:38 NVIDIA's Garrick: AI Vulnerability Scanner
05:01 Senator Urges FTC to Probe Microsoft
06:52 Mystery of Bricked SSDs Solved
08:24 Conclusion and Upcoming Interview
Episode Transcript
Microsoft Patches 81.
Flaws two are zero days.
The government of Canada confirms abreach of emails and phone numbers.
NVIDIA releases Garrick, an opensource LLM vulnerability scanner,
and a US Senator urges the FTC toprobe Microsoft Security Practices
and the case of the bricked SSDs.
(00:22):
The mystery is finally solved.
This is Cybersecurity Today.
I'm your host, Jim Love Microsoftreleased, its September, patch Tuesday
update, fixing 81 security flaws, but twoof them were publicly disclosed before
Microsoft released this month's fixes.
(00:42):
There are a lot of issuesin the current update.
41 are elevation of privilege,bugs 22 are remote code execution
and 16 are information disclosure.
The rest includes spoofingand denial of service issues.
The first of the two zero daysCVE 20 25 55 2 3 4 is a Windows
(01:04):
SMB server vulnerability that canbe abused in relay style attacks.
Microsoft recommends enabling SMBsigning and extended protection for
authentication, but warns that adminsshould check compatibility first
so they don't break older systems.
(01:25):
The second zero day CVE 20 24 21 90 7 is the Newton soft JSON library
used by SQL server attacks can sendcrafted JSON data that triggers a stack
overflow leading to a denial of servicewithout even needing authentication.
(01:46):
Nine of the flaws included are ratedcritical, including five that could
allow remote code execution, the kindof vulnerabilities that let attackers
run their own code on your systems.
With two zero days already disclosed,attackers have had a head start.
So, despite any reservations aboutprior issues on patching, this one
(02:07):
should probably be a top priority.
And it's a busy time.
September has brought fixesfrom a wide range of vendors.
Bleeping computer has put togethera pretty comprehensive list covering
Microsoft, Adobe, SAP, VMware, and others.
Well worth checking.
If you haven't seen it, I'llput a link in the show notes.
(02:29):
the government of Canada has confirmedthat individuals email addresses and
phone numbers tied to accounts atthe Canada Revenue Agency Employment
and Social Development Canada andCanada Border Services Agency were
accessed in a recent cyber attack.
The Treasury Board secretary, itsaid it was two Keys Corporation,
(02:49):
the provider of the Federalmultifactor authentication service.
That discovered the incident on August17th and promptly alerted authorities
a routine software update betweenAugust 3rd and August 15th introduced
the vulnerability the gap allowed amalicious actor to access phone numbers
linked to CRA and ESDC accounts andemail addresses tied to CBSA accounts
(03:16):
some of those affected phone numbers.
Later received spam textmessages with links to a fake
government of Canada website.
The multifactor service has since beenrestored and there's no indication
that additional or more sensitivepersonal data has been accessed.
We'll update this more asinformation comes our way.
(03:38):
We've been covering story after storyabout weaknesses in large language models,
but here's at least a step forward.
Nvidia has launched Garrick afree open source toolkit that
read teams large language models.
The tool whose name standsfor generative ai, red teaming
(03:59):
and assessment kit acts like apenetration testing framework for ai.
It probes models for weaknesses suchas hallucinations, gelb brakes, prompt
injections, data leaks, and toxic outputs.
Garrick works across a wide range ofsystems hugging, face replicate, open
AI APIs, light LLM, REST interfaces,and even the guff models like Lama cpp.
(04:27):
It logs its results in three ways.
A main debugging log, A-J-S-O-N-Lreport of every probing attempt
and a hit log that capturesonly confirmed vulnerabilities.
The tool is Apache licensed andbacked by research formalizing how
to test AI models for security risks.
(04:48):
With AI being embedded into morecritical systems, Garrick may help
give organizations a scalable wayto stress test their models and
catch failures before attackers do.
It's worth checking out.
At the very least,
Microsoft is taking political heat from asenior Democratic senator in Washington.
(05:10):
Senator Ron Wyden of Oregon hasasked the Federal Trade Commission
to investigate what he's called thecompany's gross cybersecurity negligence.
Wyden pointed to Microsoft's continuedsupport for the outdated encryption
standards like RC four, which he arguesenabled ransomware attacks, including
(05:31):
the Ascension Health breach that exposeddata on more than 5.6 billion people.
In a letter to the FTC chair, widencompared Microsoft to an arsonist selling
firefighting services to their victims.
He argued that itsdominance in enterprise.
It leaves organizations with littlechoice but to accept insecure defaults.
(05:55):
Microsoft responded that RC four nowmakes up less than 0.1% of its traffic
and will be disabled by default insome Windows products starting in 2026.
Fairly or not this criticism matters.
Wyden isn't just any senator.
He's the ranking member of theSenate Finance Committee, one of
(06:17):
the most powerful posts in Congress,
and he has a long record ofpushing cybersecurity issues
into the national spotlight.
it's not just regulation.
Microsoft has a huge number ofgovernment contracts, and the Senate
Finance Committee is a perfectplace to stall some of those.
The message is clear.
Microsoft's patching services areno longer just a technical issue.
(06:41):
They've become a matter ofpolitical oversight and a huge
liability for the company.
but here's at least one pieceof good news for Microsoft.
The mystery is finally solved.
The Windows update didn't brick SSDs.
After Microsoft's last Windows11 update reports started
(07:03):
circulating of failed SSDs.
The presumed culpritwas the update itself.
And Phizon, a major maker of SSDcontrollers was also caught up in
the speculation with some suggestingits chips were behind the failures.
Fortunately, both companiestreated the issue seriously.
(07:23):
Microsoft did a lot of testingand said its telemetry showed
no increase in disc failures.
Fissan ran more than 4,500 hoursof testing and 2200 test cycles.
They couldn't reproduce theproblem on production drives.
the answer finally came froma PC building group in Taiwan.
(07:45):
they discovered what wasunder everybody's nose.
The failing drives were runningengineering or preview firmware,
not the final consumer version.
So on drives with productionfirmware, the failures didn't occur.
Mystery solved windows update wasn'tbricking drives F'S controllers
(08:07):
weren't to blame the problem, lay ina handful of drives running firmware.
That was never meant for release
what's that, that Sherlock Holmesused to say, when you eliminate
the impossible, whatever remains,however improbable must be the truth.
Congratulations to these Sherlock Holmes'in Taiwan, and that's our show for today.
(08:31):
You can reach me with tips, comments,even constructive criticism if you like.
And if you've got time, check out myinterview with the father of Zero Trust
this Saturday on our weekend show.
It'll be available with yourcoffee on Saturday morning.
I'm your host, Jim Love.
Thanks for listening.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
My Favorite Murder with Karen Kilgariff and Georgia Hardstark
My Favorite Murder is a true crime comedy podcast hosted by Karen Kilgariff and Georgia Hardstark. Each week, Karen and Georgia share compelling true crimes and hometown stories from friends and listeners. Since MFM launched in January of 2016, Karen and Georgia have shared their lifelong interest in true crime and have covered stories of infamous serial killers like the Night Stalker, mysterious cold cases, captivating cults, incredible survivor stories and important events from history like the Tulsa race massacre of 1921. My Favorite Murder is part of the Exactly Right podcast network that provides a platform for bold, creative voices to bring to life provocative, entertaining and relatable stories for audiences everywhere. The Exactly Right roster of podcasts covers a variety of topics including historic true crime, comedic interviews and news, science, pop culture and more. Podcasts on the network include Buried Bones with Kate Winkler Dawson and Paul Holes, That's Messed Up: An SVU Podcast, This Podcast Will Kill You, Bananas and more.