Microsoft has released a large batch of security updates for its January 2026 Patch Tuesday, fixing 113 vulnerabilities across its supported Windows operating systems and software ecosystem. Eight of these are rated "critical," the highest severity rating, and Microsoft warns that one of the flaws is already being actively exploited in the wild, so system administrators should treat it as an immediate priority.

This month's zero-day, CVE-2026-20805, is a flaw in the Desktop Window Manager (DWM), the component that composes and renders graphical elements on a Windows user's screen, which makes its compromise a potentially far-reaching issue. Kev Breen, senior director of cyber threat research at Immersive, noted that although Microsoft assigned CVE-2026-20805 a moderate CVSS score of 5.5, the confirmation of active exploitation is the more important indicator of its real-world danger: threat actors are already using the weakness to gain unauthorized access and potentially compromise systems.

Breen explained that flaws of this kind are commonly used to undermine Address Space Layout Randomization (ASLR), an operating system control that randomizes where code and data sit in memory so that memory-based attacks such as buffer overflows cannot rely on fixed addresses. By exposing memory addresses, the DWM vulnerability can be combined with a separate code execution flaw, turning an exploit that would otherwise be complex and unreliable into a practical, repeatable attack. Breen added that Microsoft's limited disclosure about which components appear in these exploit chains significantly hampers defenders' ability to proactively identify and mitigate related malicious activity; consequently, rapid patching remains the most effective immediate defense.

Chris Goettl, vice president of product management at Ivanti, echoed these concerns, noting that CVE-2026-20805 affects all currently supported versions of Windows as well as those covered by Extended Security Updates. Goettl cautioned against underestimating the vulnerability on the basis of its "Important" rating and relatively modest CVSS score: a risk-based prioritization methodology calls for treating it as more severe than the vendor rating or CVSS score suggests, because real-world exploitability often outweighs theoretical scoring.

Among the critical vulnerabilities patched this month are two Microsoft Office remote code execution bugs, CVE-2026-20952 and CVE-2026-20953. Both can be triggered simply by a specially crafted message being displayed in the Office Preview Pane, requiring no user interaction beyond the message being previewed. That makes them prime candidates for phishing and social engineering attacks, where attackers can deliver malicious content with minimal effort.

In a development that echoes a similar issue addressed in October 2025, Adam Barnett from Rapid7 reported that Microsoft has once again removed a pair of modem drivers from Windows, this time because functional exploit code exists for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096. Barnett called the situation peculiar: that vulnerability was published by MITRE more than two years ago, accompanied by a detailed public write-up from the original researcher. The current Windows patches remove the agrsm64.sys and agrsm.sys drivers, which, along with the driver removed previously, were developed by the same now-defunct third-party vendor and have shipped with Windows for decades. Most users will not notice their removal, but Barnett cautioned that active modems may still be present in specific environments, including some industrial control systems.

Barnett raised two questions about this ongoing issue: how many more legacy modem drivers remain embedded in fully patched Windows systems, and how many more elevation-to-SYSTEM vulnerabilities will surface from these outdated components before Microsoft effectively blocks attackers who have been "living off the land" by exploiting this entire class of older device drivers? He added that even without direct evidence of exploitation of CVE-2023-31096, the credible write-up from 2023 and the removal of another Agere modem driver in 2025 are strong signals to anyone actively searching for Windows exploits. Importantly, Barnett stressed that the mere presence of these drivers on a system, whether or not a physical modem is connected, is enough to leave it vulnerable.
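Because presence alone is the risk, a defender's first step is an inventory. The following PowerShell is an added example, not from the article or from Rapid7, that checks a host for the two drivers named above in the live drivers directory, in kernel service registrations, and in the staged driver store; the only driver names it uses are the two the article gives.

```powershell
# Added example: audit a Windows host for the legacy Agere modem drivers that the
# January 2026 update removes. Run from an elevated PowerShell session.
$DriverNames = @('agrsm64.sys', 'agrsm.sys')   # the two drivers named in the article
$SystemRoot  = $env:SystemRoot

$findings = foreach ($name in $DriverNames) {
    # 1. The driver binary in the live drivers directory.
    $binary        = Join-Path $SystemRoot "System32\drivers\$name"
    $binaryPresent = Test-Path -LiteralPath $binary

    # 2. A kernel service whose ImagePath references the binary. Such a service can
    #    load the driver at boot even when no modem hardware is attached.
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object {
            $imagePath = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            $imagePath -and ($imagePath -like "*$name*")
        }

    # 3. Staged copies in the driver store, which survive deletion of the System32
    #    copy and can be re-installed by Plug and Play.
    $staged = Get-ChildItem (Join-Path $SystemRoot 'System32\DriverStore\FileRepository') `
        -Recurse -Filter $name -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Driver        = $name
        BinaryPresent = $binaryPresent
        ServiceKeys   = @($services | ForEach-Object { $_.PSChildName })
        StagedCopies  = @($staged   | ForEach-Object { $_.FullName })
        # Any of the three is enough: the article's point is that presence, not an
        # attached modem, is what makes the host vulnerable.
        Present       = $binaryPresent -or (@($services).Count -gt 0) -or (@($staged).Count -gt 0)
    }
}

$findings | Format-List
if ($findings.Present -contains $true) {
    Write-Warning 'Legacy Agere modem driver still present: apply the January 2026 update and re-run this check.'
}
```

The script only reports; removal is left to the Windows update itself so that the driver store stays consistent.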

Beyond the actively exploited flaw and the legacy driver issue, Immersive, Ivanti, and Rapid7 all drew attention to CVE-2026-21265, a critical Security Feature Bypass vulnerability in Windows Secure Boot. Secure Boot protects systems against sophisticated threats such as rootkits and bootkits by ensuring that only trusted, signed software loads during the boot process. The vulnerability is tied to a set of Secure Boot certificates scheduled to expire in June 2026 and October 2026: once those older certificates expire, Windows devices that have not been updated with the newer 2023 certificates will no longer be able to receive Secure Boot security fixes, creating a significant security gap.

Barnett cautioned that updating bootloaders and BIOS requires thorough preparation tailored to the specific OS and BIOS combination in use, since an incorrect remediation step can leave a system unbootable. He highlighted the long lifecycle of the Microsoft root certificates that have signed the Secure Boot ecosystem since the era of Stuxnet, noting that fifteen years is an exceptionally long time in information security. Microsoft issued replacement certificates in 2023 alongside patches for CVE-2023-24932, the Secure Boot bypass exploited by the BlackLotus bootkit, together with guidance on the Windows updates and follow-up steps needed to remediate it. The upcoming expiration of the older certificates now poses a new challenge.
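Before touching any bootloader or firmware, an administrator wants to know which certificates a host actually trusts. The following PowerShell is an added example, not from the article or from any of the vendors quoted, that reads the UEFI db and KEK variables and reports whether the 2023 certificates are enrolled; the certificate subject strings are taken from Microsoft's published Secure Boot guidance for CVE-2023-24932 and are an assumption about your firmware's contents, not something the article states.

```powershell
# Added example: report whether a UEFI Windows host already trusts the 2023 Secure Boot
# certificates that replace the 2011 ones expiring in June/October 2026.
# Run from an elevated PowerShell session on a UEFI system with Secure Boot enabled.
function Get-SecureBootCertificateStatus {
    try   { $enabled = Confirm-SecureBootUEFI }
    catch { throw "Secure Boot state cannot be read (legacy BIOS or unsupported platform): $_" }
    if (-not $enabled) { throw 'Secure Boot is disabled; certificate state is not meaningful.' }

    # db holds the allowed signing CAs, KEK the keys allowed to update db/dbx. Both are
    # DER-encoded signature lists in which the CA subject names appear as plain ASCII,
    # so a substring match on the decoded bytes identifies which CAs are enrolled.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Subject strings per Microsoft's CVE-2023-24932 guidance (assumption: OEM firmware
    # uses the standard Microsoft-issued certificates).
    $status = [pscustomobject]@{
        Db_WindowsPCA2011      = $db  -match 'Microsoft Windows Production PCA 2011'
        Db_WindowsUefiCA2023   = $db  -match 'Windows UEFI CA 2023'
        Db_MicrosoftUefiCA2023 = $db  -match 'Microsoft UEFI CA 2023'
        Kek_MicrosoftKEK2011   = $kek -match 'Microsoft Corporation KEK CA 2011'
        Kek_MicrosoftKEK2023   = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    }

    # A host needs the 2023 KEK to accept future db/dbx updates and the 2023 Windows CA
    # in db to trust boot managers signed by it. Without both, Secure Boot servicing
    # stops once the 2011 certificates lapse.
    $status | Add-Member -NotePropertyName ReadyFor2026Expiry `
        -NotePropertyValue ($status.Db_WindowsUefiCA2023 -and $status.Kek_MicrosoftKEK2023)
    return $status
}

$s = Get-SecureBootCertificateStatus
$s | Format-List
if (-not $s.ReadyFor2026Expiry) {
    Write-Warning 'Host still relies on the 2011 Secure Boot certificates; plan the 2023 rollout per OEM and Microsoft guidance before they expire.'
}
```

The function is read-only and changes no UEFI variables; enrolling the 2023 certificates remains a separate, firmware-specific step that should follow the preparation Barnett describes.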

In the realm of third-party software, Chris Goettl also noted that Mozilla has released updates for Firefox and Firefox ESR, addressing a total of 34 vulnerabilities. Of these, two are suspected of being exploited: CVE-2026-0891 and CVE-2026-0892. Both are resolved in Firefox 147 (MFSA2026-01), and CVE-2026-0891 is also addressed in Firefox ESR 140.7 (MFSA2026-03).

Goettl further anticipates Google Chrome and Microsoft Edge updates to be released this week. He also highlighted a high severity vulnerability in Chrome WebView, tracked as CVE-2026-0628, which was resolved in the earlier January 6th Chrome update.

As is customary, the SANS Internet Storm Center provides a detailed per-patch breakdown, offering insights into severity and urgency. System administrators are advised to closely monitor resources like askwoody.com for any emerging information regarding potential compatibility issues with the January patches. Users experiencing any difficulties during the installation of these updates are encouraged to share their experiences in the comments section of relevant security news outlets.