
Security Now 1080: AI and Cybersecurity
This episode of Security Now explores the rapidly evolving intersection of artificial intelligence and cybersecurity, with a focus on how AI is reshaping vulnerability discovery, patch management, and the broader security landscape. The hosts, Steve Gibson and Leo Laporte, discuss several critical developments, beginning with Cisco’s alarming experience with Anthropic’s AI model, Mythos, which uncovered thousands of vulnerabilities in major software systems. The episode highlights the strain this places on the existing Common Vulnerabilities and Exposures (CVE) system, which was designed decades ago for a slower, human-driven discovery process. The conversation underscores the urgent need for modernizing vulnerability disclosure frameworks to handle the scale and speed of AI-driven discoveries, as well as the challenges of deploying patches quickly enough to mitigate risks before attackers exploit them.
One of the central themes is the concept of "vulnerability debt repayment," a term Gibson uses to describe the industry’s need to address the backlog of security flaws in existing software. The hosts delve into how AI tools like Mythos and Microsoft’s Codename EM-Dash are exposing long-standing vulnerabilities in operating systems, browsers, and network appliances, many of which have persisted for years despite traditional fuzzing and manual reviews. The discussion explains that while AI can identify these flaws at unprecedented speeds, the bottleneck lies in human-driven patching processes, which are often slow and inconsistent. For example, the median enterprise takes about 20 days to deploy patches, while attackers can exploit vulnerabilities within hours of disclosure. This gap, Gibson argues, will only widen as AI-driven discovery becomes more widespread, making it imperative for organizations to adopt automated patching pipelines and prioritize vulnerabilities based on real-time threat intelligence rather than static severity scores.
The episode also covers specific security incidents, including a serious vulnerability in Microsoft’s BitLocker encryption system, which was publicly disclosed by a hacker known as Nightmare Eclipse. The flaw, tracked as CVE-2026-45585, allows attackers with physical access to bypass BitLocker’s encryption by exploiting a design oversight in the Windows Recovery Environment (WinRE). Microsoft responded with a mitigation script that removes a problematic executable from the boot process, though the hosts note that this vulnerability is not a traditional coding error but rather a design flaw, highlighting that AI-driven security tools may not catch such issues without additional advancements.
The discussion also touches on Ubiquiti’s recent patches for five critical vulnerabilities in its UniFi OS, which could allow remote attackers to take control of devices or access sensitive files. While these flaws were responsibly disclosed through Ubiquiti’s bug bounty program, the hosts emphasize the importance of keeping network appliances updated, especially as AI-driven attacks become more sophisticated.
Another key topic is the broader implications of AI for cybersecurity, including how major companies like Microsoft are adapting their authentication and patching strategies. The episode mentions Microsoft’s decision to phase out SMS-based two-factor authentication (2FA) in favor of more secure methods, reflecting a growing recognition of the limitations of older security practices. The hosts also explore how AI is being integrated into development workflows, with Gibson sharing his own experience using AI tools like Claude to streamline server upgrades and code modifications. This personal anecdote illustrates how AI is becoming an indispensable assistant for developers, reducing the time and effort required for complex tasks while raising questions about dependency and the need for human oversight.
The episode concludes with a forward-looking discussion on the future of vulnerability management, arguing that while AI will initially create disruption, it will ultimately lead to more secure software by forcing the industry to address long-standing technical debt and adopt more agile, automated security practices. For listeners interested in the full discussion, the episode is available at https://twit.tv/posts/transcripts/security-now-1080-transcript.