
Security Now 1085: Windows 10 Support Extended, Critical Networking Vulnerabilities, and State-Sponsored Cyber Threats
This episode of Security Now covers several critical developments in cybersecurity, beginning with Microsoft's decision to extend support for Windows 10 for another year. The hosts discuss how Microsoft initially planned to end support for Windows 10 in October 2025 but was forced to extend it due to the operating system's enduring popularity and users' reluctance to upgrade to Windows 11. The reluctance stems from Windows 11's higher hardware requirements, which many users find unnecessary since Windows 10 runs well on existing systems. Microsoft's repeated extensions of support highlight the challenges of forcing users to adopt new software when they see no immediate benefit. The hosts also speculate that Microsoft may eventually release a 'junior' version of Windows 11 that strips away some features to run on older hardware, allowing users to transition without purchasing new devices. This decision reflects broader industry trends, such as the ongoing semiconductor shortage, which has kept PC prices high and made upgrades less appealing.

The episode then shifts to urgent security updates for widely used networking devices. The Cybersecurity and Infrastructure Security Agency (CISA) issued directives requiring federal agencies to patch vulnerabilities in Ubiquiti's UniFi OS and Cisco's Unified Communications Manager within days of disclosure. The UniFi OS flaws included an access control bypass, a directory traversal vulnerability, and an improper input validation flaw, all of which could allow attackers to take full control of affected systems. Similarly, the Cisco vulnerability involved a server-side request forgery (SSRF) flaw that could grant attackers root access. The hosts emphasize the speed at which these vulnerabilities are being exploited in the wild, with attacks occurring within weeks of disclosure. They argue that the traditional patching cycle is no longer sufficient and that automation is necessary to keep up with the pace of threats. The discussion also touches on the possibility of 'zero-reboot' updates, where systems could apply patches without downtime, though this remains a technical challenge because of the way operating systems and firmware are designed.

A major focus of the episode is a sophisticated state-sponsored cyber campaign, referred to as 'SODA' (State of the Art). The hosts detail how hackers, likely backed by a foreign government, compromised an Australian critical infrastructure provider, gaining access to credentials and mapping out networks for potential sabotage. The campaign's scale is described as alarming, with the same group targeting multiple countries and sectors, including energy, communications, and military infrastructure. The hosts connect this campaign to a separate incident in which hackers accidentally left a server directory exposed, revealing the extent of their operations. This highlights a broader issue: many such campaigns may go undetected because their operators do not make similar mistakes. The discussion underscores the growing threat of nation-state cyber operations and the need for improved defenses, including better monitoring and faster response times.

The episode also explores the role of artificial intelligence in cybersecurity, particularly OpenAI's 'Patch the Planet' initiative. This program uses AI to identify and fix vulnerabilities in open-source software, such as the Linux kernel, OpenBSD, and web servers like Nginx. The AI-driven approach has already uncovered hundreds of security issues, including critical flaws in widely used software. For example, the AI identified a 23-year-old use-after-free vulnerability in OpenBSD and multiple privilege escalation flaws in the Linux kernel. The hosts note that AI is accelerating vulnerability discovery but caution that it also introduces new risks, such as the potential for AI-generated exploits to be used by attackers. They highlight the importance of responsible disclosure, contrasting OpenAI's coordinated approach with the reckless behavior of a group called Caliph, which publicly disclosed a major HTTP/2 vulnerability without giving maintainers time to patch it. This leads into a discussion of the broader implications of AI in cybersecurity, including the need for better collaboration between AI developers, security researchers, and software maintainers.

Near the end, the hosts share a personal story about the late hacker Kevin Mitnick, reflecting on his legacy and the evolution of hacking culture. They also touch on the concept of 'looping' in AI, where models improve by iterating over problems repeatedly, and the risks posed by 'script kiddies' using AI to exploit vulnerabilities. The episode wraps up with a lighthearted 'Picture of the Week' segment, showcasing a poorly designed bike lane that abruptly ends, serving as a metaphor for the dead ends users might face when dealing with outdated or poorly implemented security measures.