Feed aggregator

Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software. Eight of the vulnerabilities earned Microsoft’s most-dire “critical” rating, and the company warns that attackers are already exploiting one of the bugs fixed today.

January’s Microsoft zero-day flaw — CVE-2026-20805 — is brought to us by a flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a user’s screen. Kev Breen, senior director of cyber threat research at Immersive, said despite awarding CVE-2026-20805 a middling CVSS score of 5.5, Microsoft has confirmed its active exploitation in the wild, indicating that threat actors are already leveraging this flaw against organizations.

Breen said vulnerabilities of this kind are commonly used to undermine Address Space Layout Randomization (ASLR), a core operating system security control designed to protect against buffer overflows and other memory-manipulation exploits.

“By revealing where code resides in memory, this vulnerability can be chained with a separate code execution flaw, transforming a complex and unreliable exploit into a practical and repeatable attack,” Breen said. “Microsoft has not disclosed which additional components may be involved in such an exploit chain, significantly limiting defenders’ ability to proactively threat hunt for related activity. As a result, rapid patching currently remains the only effective mitigation.”

Chris Goettl, vice president of product management at Ivanti, observed that CVE-2026-20805 affects all currently supported and extended security update supported versions of the Windows OS. Goettl said it would be a mistake to dismiss the severity of this flaw based on its “Important” rating and relatively low CVSS score.

“A risk-based prioritization methodology warrants treating this vulnerability as a higher severity than the vendor rating or CVSS score assigned,” he said.

Among the critical flaws patched this month are two Microsoft Office remote code execution bugs (CVE-2026-20952 and CVE-2026-20953) that can be triggered just by viewing a booby-trapped message in the Preview Pane.

Our October 2025 Patch Tuesday “End of 10” roundup noted that Microsoft had removed a modem driver from all versions after it was discovered that hackers were abusing a vulnerability in it to hack into systems. Adam Barnett at Rapid7 said Microsoft today removed another couple of modem drivers from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096.

“That’s not a typo; this vulnerability was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher,” Barnett said. “Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems.”

According to Barnett, two questions remain: How many more legacy modem drivers are still present on a fully-patched Windows asset; and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying “living off the land[line] by exploiting an entire class of dusty old device drivers?”

“Although Microsoft doesn’t claim evidence of exploitation for CVE-2023-31096, the relevant 2023 write-up and the 2025 removal of the other Agere modem driver have provided two strong signals for anyone looking for Windows exploits in the meantime,” Barnett said. “In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable.”

Immersive, Ivanti and Rapid7 all called attention to CVE-2026-21265, which is a critical Security Feature Bypass vulnerability affecting Windows Secure Boot. This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026. Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

Barnett cautioned that when updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination you’re working with, since incorrect remediation steps can lead to an unbootable system.

“Fifteen years is a very long time indeed in information security, but the clock is running out on the Microsoft root certificates which have been signing essentially everything in the Secure Boot ecosystem since the days of Stuxnet,” Barnett said. “Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit.”

Goettl noted that Mozilla has released updates for Firefox and Firefox ESR resolving a total of 34 vulnerabilities, two of which are suspected to be exploited (CVE-2026-0891 and CVE-2026-0892). Both are resolved in Firefox 147 (MFSA2026-01) and CVE-2026-0891 is resolved in Firefox ESR 140.7 (MFSA2026-03).

“Expect Google Chrome and Microsoft Edge updates this week in addition to a high severity vulnerability in Chrome WebView that was resolved in the January 6 Chrome update (CVE-2026-0628),” Goettl said.

As ever, the SANS Internet Storm Center has a per-patch breakdown by severity and urgency. Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything. If you experience any issues related installing January’s patches, please drop a line in the comments below.

COLUMBUS, Ohio (WCMH) -- Despite financial woes, Columbus City Schools continues to invest money into the district’s Career-Technical Education program that allows students to enter the workforce right after high school. On Tuesday, the district celebrated the return of the pharmacy technician program with a ribbon-cutting for a brand-new laboratory. The new facility offers the [...]

COLUMBUS, Ohio (WCMH) -- Gov. Mike DeWine (R) has begun his final year in office, but says he has no intention of slowing down. Last week, the Governor talked about the year ahead and what legacy he hopes to leave behind. For the most part, it seems DeWine wants to focus on what he can [...]

LANCASTER, Ohio (WCMH) — The Lancaster Fire Department responded to a record number of calls in 2025 and is expecting another busy year in 2026. The department has been keeping track of data for decades. In Chief Slade Schultz's office, there are pictures of equipment from 1916 and 1935 on the wall. They include information [...]

COLUMBUS, Ohio (WCMH) – The Columbus Division of Police said that last year, it had an 83 percent homicide case solve rate, above the national average. Columbus police leaders said even though the arrest in the double murder case of Spencer and Monique Tepe was the one to make national headlines, last year's solve rate [...]

COLUMBUS, Ohio (WCMH) -- Every election cycle, politicians focus on talking to the middle class. Clearly, that's where most people live. But the middle is changing, and it's reflective of a larger trend in economic and technological changes. "There's no official government definition of middle class,” Ohio State University economics professor Bruce Weinberg said. The [...]

GROVEPORT, Ohio (WCMH) -- The Groveport Madison Schools District had to get creative to keep up with its growth. In order to accommodate more students, all of the district's libraries have been converted into classrooms. However, a project at the high school is making sure students still have access to reading. “Even here in our [...]

COLUMBUS, Ohio (WCMH) -- Five Ohio State players have declared for the 2026 NFL Draft as tight end Max Klare has added himself to the list. The junior from Indiana announced Tuesday afternoon he will skip his senior year and enter the pros. Klare transferred to Ohio State for the 2025 season after playing two [...]

COLUMBUS, Ohio (WCMH) – An Alabama man will spend at least the next six years in prison after firing a gun at a Columbus police officer last April in the Short North. Skyler Allen, 29, was sentenced this week to between six and seven and a half years in prison after pleading guilty to first-degree [...]

COLUMBUS, Ohio (WCMH) -- BrewDog announced Monday that it has closed two of its Columbus taprooms, shuttering its Short North and Franklinton locations after nearly eight years. The Scotland-based brewing company said in separate posts on each location's social media accounts that it had made the "tough decision" to close the bars at 1175 N. [...]

GRANDVIEW HEIGHTS, Ohio (WCMH) – A Grandview Heights eatery that was known for its American fare and craft beer has permanently closed. Rail Craft Kitchen and Bar at 1064 Dublin Road shut down earlier this month after operating at the location for just under three years. NBC4 reached out to the restaurant group that owns [...]

COLUMBUS, Ohio (WCMH) -- President Donald Trump ended temporary protected status for Somali residents in the U.S., affecting Columbus' large Somali population. With over 60,000 estimated Somali Americans living in Columbus, central Ohio is home to the nation's second-largest Somali population. On Tuesday morning, Press Secretary Karoline Leavitt confirmed on X that Trump ended temporary [...]

COLUMBUS, Ohio (WCMH) -- As the Blue Jackets prepare for their first home game in eight days, the front office is set to discuss the midseason coaching change that has shaken up the franchise. General manager Don Waddell and new coach Rick Bowness will address the media at noon Tuesday at Nationwide Arena after parting [...]

COLUMBUS, Ohio (WCMH) -- Prologue Bookshop announced this month that it is relocating this spring to a larger space in Columbus' Short North Arts District. The independent bookstore, currently located at 841 N. High St., is moving about a block south to 787 N. High St. The new location was most recently home to Happy [...]

CHICAGO (WCMH) — Residents of a Chicago apartment building say local police and Columbus law enforcement have around-the-clock security guarding the apartment of a man accused of killing Spencer and Monique Tepe. According to a woman who lives in the same building as Dr. Michael McKee, investigators have been in and out of the suspect’s [...]

COLUMBUS, Ohio (WCMH) – Five central Ohio correctional institutions have received a combined total of nearly $1 million in state grants to support addiction treatment. In late December, the Ohio Attorney General’s Office announced the fourth round of recipients for the Opioid Remediation Grant Program. Facilities can use the funding to hire full-time addiction-services coordinators [...]

COLUMBUS, Ohio (WCMH) -- Momentum is building behind a renovation of Nationwide Arena after a vote this month by Franklin County commissioners. The board voted on Jan. 6 to increase the county's share of casino-tax revenue dedicated to Nationwide Arena, marking another early step toward financing a planned $400 million renovation of the 25-year-old Columbus [...]

The top residential real estate deals in Franklin and Delaware Counties in 2025 were all over $1.5 million, with the top sale in Franklin County selling for $4.2 million and the top sale in Delaware County selling for $1.74 million.