
Microsoft Windows Updates: MOTW Bypass Patch and Windows 11 Shutdown Regression

Updated January 20, 2026 at 07:13 PM (2 sources)


Microsoft issued security updates to remediate a Windows Remote Assistance protection-mechanism failure, CVE-2026-20824, that can allow attackers to bypass Mark of the Web (MOTW), the Windows control that flags files originating from the internet so that additional restrictions are applied to them. Reporting notes the issue is not "wormable" and requires local execution plus user interaction, but it can materially weaken common download-based defenses and be chained with other techniques to increase the likelihood of successful payload execution.

Separately, Microsoft released an out-of-band/emergency fix after a Patch Tuesday update introduced a Windows 11 23H2 regression where some systems configured with Secure Launch restart instead of shutting down (and may also fail to hibernate). A documented workaround for affected endpoints is to invoke shutdown via Command Prompt using:

```cmd
shutdown /s /t 0
```

Other items in the set are not part of these Windows security/patch events: a PowerToys feature update, an iOS upgrade opinion piece, and a Windows 11 edition comparison.

Sources

January 20, 2026 at 02:45 PM
January 19, 2026 at 03:11 PM

Related Stories

Microsoft March Patch Tuesday Ships 83 Fixes and Windows 11 Cumulative Updates

Microsoft's March Patch Tuesday security release shipped fixes for **83 vulnerabilities** across its enterprise software and services, and was notable for having **no actively exploited zero-days** for the first time in six months. Microsoft flagged **six** vulnerabilities as "more likely to be exploited," and noted that two issues, `CVE-2026-21262` and `CVE-2026-26127`, were **publicly known** at release. Researchers highlighted an Excel information-disclosure issue, `CVE-2026-26144`, describing a scenario where an attacker could potentially induce a *Copilot Agent* to exfiltrate data in a **zero-click** style workflow, and also pointed to Office flaws `CVE-2026-26110` and `CVE-2026-26113` (CVSS 8.4) that could enable **arbitrary code execution** via the Office preview pane. Microsoft also released **mandatory Windows 11 cumulative updates** `KB5079473` (25H2/24H2) and `KB5078883` (23H2) that incorporate the March 2026 Patch Tuesday security fixes, along with additional non-security changes. The updates advance build numbers to **26200.8037/26100.8037** (25H2/24H2) and **22631.6783** (23H2), expand "high-confidence device targeting" to increase coverage for automatic delivery of new **Secure Boot certificates**, and include reliability improvements such as better File Explorer search across drives and changes to **Windows Defender Application Control (WDAC)** behavior for COM objects (policy listing support).

Microsoft January Patch Tuesday Security Updates for Windows 10/11

Microsoft shipped its January Patch Tuesday security updates for **Windows 10** (including ESU/LTSC) and **Windows 11**, addressing a large set of vulnerabilities and rolling in additional platform hardening changes. Windows 10’s *KB5073724* (ESU) updates systems to build `19045.6809` (and LTSC 2021 to `19044.6809`) and includes security/bug fixes plus a phased update to handle **expiring Secure Boot certificates**; it also removes legacy **Agere modem drivers** (`agrsm64.sys`, `agrsm.sys`, `smserl64.sys`, `smserial.sys`), which can break dependent modem hardware. Windows 11 cumulative updates *KB5074109* (25H2/24H2) and *KB5073455* (23H2) are mandatory and include fixes for issues such as WSL mirrored networking failures (“No route to host”) impacting VPN access and RemoteApp connection failures in Azure Virtual Desktop environments. Third-party analysis of the same Patch Tuesday release reported **112 vulnerabilities** (with **8 marked critical**) and at least one vulnerability observed exploited in the wild: **CVE-2026-20805**. The critical issues highlighted include multiple **remote code execution** vulnerabilities across Windows components and Office applications (including **LSASS**, Word, Excel, and Office), plus **elevation of privilege** flaws such as **CVE-2026-20822** (Windows Graphics Component, use-after-free leading to potential SYSTEM privileges) and **CVE-2026-20854** (LSASS RCE over the network without requiring elevated privileges). Organizations should prioritize rapid deployment of the January Windows updates, with particular attention to exploited-in-the-wild items and critical RCE/EoP paths.

Microsoft Windows 11 Updates Trigger Boot Failures and Security-Driven Driver/Privilege Changes

Microsoft attributed **Windows 11 no-boot failures** seen after installing the January 2026 cumulative update `KB5074109` (Windows 11 **24H2/25H2**) to devices that had previously **failed to install the December 2025 security update** and were left in an "**improper state**" after rollback. Affected systems can crash on startup with a BSOD `UNMOUNTABLE_BOOT_VOLUME`; Microsoft said the issue appears limited to **physical devices** (no confirmed VM impact) and is working on a **partial mitigation** to prevent additional systems from entering a no-boot scenario, while continuing to investigate why some devices fail updates or end up unstable after rollback. Separately, Microsoft's recent Windows 11 servicing and security work included **deliberately disabling legacy dial-up modem drivers** (e.g., `AGRSM64.SYS`/`AGRSM.SYS`, `SMSERL64.SYS`/`SMSERIAL.SYS`) due to reported vulnerabilities including **CVE-2023-31096** (EoP) and **CVE-2025-24052** (stack-based buffer overflow), which can present risk even if the modem hardware is unused; the trade-off is broken connectivity for niche systems that still rely on those drivers. Microsoft also patched **nine bypasses** reported by Google Project Zero that could undermine the new **Windows Administrator Protection** feature by enabling silent admin privilege gains via legacy Windows/UAC behaviors (including a token/Logon Sessions-related technique involving `NtQueryInformationToken` and DOS device object directory creation), ahead of broader availability beyond Insider builds.
