Feed aggregator

COLUMBUS, Ohio (WCMH) -- Supporters of a proposal to ban fluoride in Ohio's public drinking water urged lawmakers last week to end the decades-long practice, arguing residents should have the freedom to decide whether to consume the mineral. House Bill 182, introduced by Rep. Levi Dean (R-Xenia), would prohibit public water systems from adding fluoride [...]

COLUMBUS, Ohio (WCMH) -- Columbus Mayor Andrew Ginther delivered his annual state of the city address Tuesday night, laying out his priorities for the year ahead.  "This year, we have the biggest operating budget in the city’s history," Ginther said. "However, rising costs mean our dollars won’t stretch as far as they used to." Ginther [...]

Think your online alias keeps you safe? This episode reveals how advanced language models are making it trivial to de-anonymize users at scale, challenging everything we thought we knew about internet privacy.

• Anthropic & Mozilla improve Firefox's security.
• Apple & Google begin testing cross-platform RCS encryption.
• Ubuntu's SUDO starts echoing asterisks.
• Inviting a web proxy into your home.
• Apple devices cleared by Germany for NATO's use.
• A serious remote takeover of OpenClaw.
• TokTok won't encrypt messaging for visibility.
• Microsoft bans the term "Microslop" on Discord.
• Lot's of great listener feedback.
• LLMs could make Orwell's 1984 seem optimistic.

Show Notes - https://www.grc.com/sn/SN-1069-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• bitwarden.com/twit
• zscaler.com/security
• guardsquare.com
• hoxhunt.com/securitynow

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tuesday.

Image: Shutterstock, @nwz.

Two of the bugs Microsoft patched today were publicly disclosed previously. CVE-2026-21262 is a weakness that allows an attacker to elevate their privileges on SQL Server 2016 and later editions.

“This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network,” Rapid7’s Adam Barnett said. “The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required. It would be a courageous defender who shrugged and deferred the patches for this one.”

The other publicly disclosed flaw is CVE-2026-26127, a vulnerability in applications running on .NET. Barnett said the immediate impact of exploitation is likely limited to denial of service by triggering a crash, with the potential for other types of attacks during a service reboot.

It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint. CVE-2026-26113 and CVE-2026-26110 are both remote code execution flaws that can be triggered just by viewing a booby-trapped message in the Preview Pane.

Satnam Narang at Tenable notes that just over half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of those, a half dozen were rated “exploitation more likely” — across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. These include:

–CVE-2026-24291: Incorrect permission assignments within the Windows Accessibility Infrastructure to reach SYSTEM (CVSS 7.8)
–CVE-2026-24294: Improper authentication in the core SMB component (CVSS 7.8)
–CVE-2026-24289: High-severity memory corruption and race condition flaw (CVSS 7.8)
–CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero (CVSS 7.8).

Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program. Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users. But McCarthy says it’s notable as one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE attributed to the Windows operating system. It was discovered by XBOW, a fully autonomous AI penetration testing agent.

XBOW has consistently ranked at or near the top of the Hacker One bug bounty leaderboard for the past year. McCarthy said CVE-2026-21536 demonstrates how AI agents can identify critical 9.8-rated vulnerabilities without access to source code.

“Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed,” McCarthy said. “This development suggests AI-assisted vulnerability research will play a growing role in the security landscape.”

Microsoft earlier provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above. In addition, Microsoft issued a crucial out-of-band (emergency) update on March 2 for Windows Server 2022 to address a certificate renewal issue with passwordless authentication technology Windows Hello for Business.

Separately, Adobe shipped updates to fix 80 vulnerabilities — some of them critical in severity — in a variety of products, including Acrobat and Adobe Commerce. Mozilla Firefox v. 148.0.2 resolves three high severity CVEs.

For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s Patch Tuesday post. Windows enterprise admins who wish to stay abreast of any news about problematic updates, AskWoody.com is always worth a visit. Please feel free to drop a comment below if you experience any issues apply this month’s patches.

COLUMBUS, Ohio (WCMH) -- Emergencies can happen anywhere, at any time and often with only a few medical resources nearby. The Ohio State University medical students and residents are practicing responding to a disaster and learning to use what they have available to save lives. Dr. Nicholas Kman, a professor of emergency medicine, said they’re helping students build confidence [...]

COLUMBUS, Ohio (WCMH) – The sudden resignation of The Ohio State University’s president on Monday has many wondering what the search for a new president will look like. On Monday, Ted Carter resigned after a little more than two years on the job after disclosing an "inappropriate relationship” with a podcaster who was “seeking public [...]

REYNOLDSBURG, Ohio (WCMH) -- Ohio students are required to learn financial literacy before graduating high school, but one central Ohio school is going beyond the requirement with a new hands-on opportunity. Students at Reynoldsburg High School Livingston Campus are operating a fully functioning, student-run credit union branch inside the school. The branch opened recently after [...]

COLUMBUS, Ohio (WCMH) — Fans and others around Ohio are still processing the news that two former Columbus Crew players, Yaw Yeboah and Derrick Jones, have been banned from the league for betting on games. Major League Soccer made the announcement Monday. “This is basically two years’ worth of kind of collecting and selling," Josh [...]

The family of a man who was killed last year in a crash with a Columbus police officer who was responding to a call filed a wrongful death lawsuit Monday against the officer and the city.

LANCASTER, Ohio (WCMH) -- A local business has begun its journey to rebuild. In July, FIDO, a Lancaster dog daycare and boarding facility, was hit by flooding. The building was a complete loss and demolition began Tuesday morning. “To see it go down is sorrow, but at the same time, we’re just so excited to [...]

COLUMBUS, Ohio (WCMH) -- Franklin County canceled its tornado siren test for Wednesday due to the possibility of severe weather. The Outdoor Warning Siren System test, which normally takes place at noon on Wednesdays, was canceled to avoid confusion. If sirens are heard, that means a tornado warning has been issued by the National Weather [...]

COLUMBUS, Ohio (WCMH) -- A Franklin County magistrate granted a preliminary injunction Monday to block Ohio from using unclaimed funds for sports stadiums while a lawsuit plays out in court. The 39-page ruling from Magistrate Jennifer Hunt states that the portion of Ohio's budget that created the Ohio Cultural and Sports Facility Performance Grant Fund [...]

GAHANNA, Ohio (WCMH) – An Ohio-based furniture store is preparing to take over the former Union Bank in Gahanna. On Thursday, Woodcraft Furniture Co. purchased the 14,095-square-foot building at 461 Beecher Road and the approximately 1.7 acres it sits on for $2.2 million. The business is aiming to begin welcoming customers in mid-April before holding a [...]

COLUMBUS, Ohio (WCMH) — A crash between a dump truck and another vehicle has caused Interstate 270 to close in southwest Columbus. According to the Franklin County Sheriff's Office, Nearly a quarter of I-270 is shut down in both directions after a serious crash. The highway is currently closed between the U.S. 62 (Harrisburg Pike) [...]

MANSFIELD, Ohio (WCMH) — Weeks before the grand opening of an iconic gas station in western Ohio, the City of Mansfield could be home to the second of such business, according to a social media post. On Monday, Mayor Jodie Perry announced on Facebook that a petition for annexation was filed with the City of [...]

COLUMBUS, Ohio (WCMH) -- Gov. Mike DeWine gave his eighth and final state of the state Tuesday at noon. In his annual speech, DeWine reflected on his goals for the upcoming year and urged legislators to move forward with his priorities, particularly those involving education and youth. Term-limited, the state of the state will be [...]