Episode Summary
Join Aaron Cole, Lauren Mitchell, and systems expert Chad Thompson as they analyze Microsoft’s January 2026 security updates and a massive public exposure of AI-enabled law enforcement cameras.
Show Notes
In this episode of Prime Cyber Insights, our team breaks down the critical vulnerabilities defining the start of 2026 and the implications for enterprise resilience and public privacy.
- 🛡️ Microsoft kicks off the year with 114 security fixes, including an actively exploited zero-day in the Desktop Window Manager.
- 🔐 A deep dive into CVE-2026-20805 and how memory leaks are being used to undermine core OS defenses like ASLR.
- 💻 The hidden danger of malicious Chrome extensions targeting high-value enterprise HR platforms like Workday and NetSuite.
- 🌐 An investigation into the massive exposure of Flock Safety’s AI cameras that left livestreams open to the public internet.
- ⚠️ The growing tension between independent security researchers and corporate transparency.
Disclaimer: The information provided in this podcast is for educational and informational purposes only and does not constitute professional security advice.
Neural Newscast is AI-assisted, human reviewed. View our AI Transparency Policy at NeuralNewscast.com.
- (00:00) - Introduction
- (01:02) - Microsoft Security Update
- (02:54) - HR Platform Targeted Attacks
- (03:36) - Surveillance Network Vulnerabilities
- (04:07) - Conclusion
Transcript
Welcome to Prime Cyber Insights. I am Aaron Cole, and we are starting 2026 with a heavy slate of security news that touches everything from the foundation of Windows to the cameras on our street corners.
I'm Lauren Mitchell. It's a busy week, particularly for those of us tracking the ripple effects of automated threats. Joining us today is Chad Thompson, who brings a unique systems-level perspective on AI, automation and security, blending technical depth, real-world experience and creative insight drawn from engineering and music production. Welcome, Chad.
Thanks, Lauren, Aaron. It's great to be here. Cybersecurity often feels like music production. You're managing a hundred different tracks or systems, and one out-of-sync frequency, like a zero-day, can distort the entire output if you aren't watching the levels.
That's a perfect lead-in for Microsoft's January Patch Tuesday. They've addressed 114 flaws, but the headline is CVE-2026-20805. It's an information disclosure zero-day in the Desktop Window Manager, or DWM, that's already being exploited in the wild.
Yeah, the real-world implication here is that even though the CVSS score is a 5.5, it's being used as a critical bridge. Attackers are using it to leak memory details and bypass address space layout randomization, which essentially rolls out the red carpet for more severe remote code execution attacks.
Exactly, Lauren. From a systems perspective, DWM is a frequent flyer because it has to draw everything on the display, giving it high privileged access. When we see 20 CVEs in this library since 2022, it tells us that attackers have found a reliable rhythm for climbing the privileged ladder. Aaron, did you catch the news on the Secure Boot certificates as well?
I did, Chad. Microsoft is warning about certificates from 2011 nearing expiration. If organizations don't update to the 2023 versions by June, they face a security feature bypass risk. It's a classic case of technical debt meeting a hard deadline. They also finally purged those legacy Azure modem drivers that had been vulnerable for years.
While we're talking about legacy issues, Aaron, we need to look at the browser as the new OS. We're seeing a targeted campaign using malicious Chrome extensions to hit HR and ERP platforms like Workday and NetSuite. These aren't just stealing cookies. They're actually blocking the security administration pages to prevent IT from responding.
That's a sophisticated automation of the attack lifecycle. By injecting cookies bi-directionally, they bypass MFA entirely. It shows that as we automate our enterprise workflows, the attackers are automating their staying power within those same systems. It's a high-stakes game of keeping the signal clean.
Speaking of signals, our final story today is the massive exposure of Flock Safety's surveillance network. Researchers found 60 feet condor cameras which use AI to track people, not just license plates, live streaming to the open internet without any password protection. This is a nightmare for digital risk management.
Wait, what?
It's more than a nightmare, Aaron. It's a total breach of public trust. These cameras were pan-tilt-zoom enabled, meaning anyone could have moved them. The researchers, Ben Jordan and John Gaines, found this ethically, yet reports suggest they faced significant retaliation. It highlights the desperate need for better vulnerability disclosure policies in the physical security space.
I'm Lauren Mitchell.
And I'm Aaron Cole. We'll keep tracking these stories as they develop. Special thanks to Chad Thompson for his insights today. We'll see you next time on Prime Cyber Insights.
Neural Newscast is AI-assisted, human-reviewed. View our AI Transparency Policy at neuralnewscast.com.
