
SN 1075: Yes. Exactly. - The Zero-Day Ticking Clock

Security Now (Audio)

Security Now episode 1075 discusses the growing threat of AI-powered vulnerability discovery, particularly Anthropic's Project Mythos, which Mozilla confirmed found 271 bugs in Firefox. The episode also covers a disgruntled researcher publishing Windows zero-days, Microsoft's record bug bounty payouts, and a formal industry-wide warning signed by top cybersecurity leaders urging immediate action.

Summary

The episode opens with Steve Gibson revisiting his coverage of Anthropic's Project Mythos, an AI system capable of autonomously discovering security vulnerabilities. Gibson's central thesis from the prior week — that Mythos represents a genuine, non-marketing threat shift — was validated when a who's who of cybersecurity professionals, including Bruce Schneier, former CISA director Jen Easterly, and Cloudflare's CISO, co-authored a 23-page paper titled 'The AI Vulnerability Storm: Building a Mythos-Ready Security Program.' Gibson titled the episode 'Yes, Exactly' to underscore that the industry's top experts independently reached the same conclusions he had.

A major news item involves a disgruntled security researcher using the moniker 'nightmare-eclipse' who began publicly releasing working zero-day exploit code for Windows vulnerabilities, including 'Red Sun' and 'Blue Hammer,' both local privilege escalation flaws in Microsoft Defender. The researcher claims Microsoft's Security Response Center (MSRC) mistreated him, ruined his business, and dismissed his disclosures. Within 24 hours of posting the proof-of-concept code to GitHub, threat actors were actively exploiting the vulnerabilities in the wild. All currently patched Windows systems remain vulnerable to at least one of these exploits, and the only known mitigation is disabling Windows Defender — the very component being abused.

On the flip side, Microsoft announced record bug bounty payouts: $2.3 million from this year's Zero Day Quest competition, with over 80 high-impact cloud and AI vulnerabilities found during a live hacking event. Gibson notes the irony of Microsoft 'gleefully bragging' about how many critical bugs researchers found when sufficiently motivated by cash prizes.

A separate story covers Microsoft's suspension of Windows Hardware Developer accounts, including those for WireGuard, VeraCrypt, and MemTest86, due to incomplete identity verification. Developers claimed they received no warning; Microsoft said they had been emailing for six months. Microsoft has since offered a fast-track reinstatement process, though full compliance requirements must still be met.

Gibson also covers a sophisticated adware campaign by a company called Dragon Boss Solutions, whose software aggressively disabled antivirus tools, blocked AV vendor domains via hosts file manipulation, and silently installed system-level payloads. Critically, the operator abandoned the update domain, which security firm Huntress re-registered — discovering it had command-and-control reach into 23,500 endpoints, including 221 academic institutions, 41 operational technology networks, 35 municipal governments, and multiple Fortune 500 companies. Gibson frames this as a systemic Internet design flaw: abandoned domains tied to auto-updating software create ready-made backdoors.
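The hosts-file trick described above is straightforward to audit on an endpoint. The block below is an added example, not code from the episode, from Huntress, or from any vendor: a small Python checker that parses a hosts file and flags any entry that points a security vendor's domain at a sink address such as 0.0.0.0 or 127.0.0.1. The sample hosts content and the vendor watchlist (domains under the reserved .test TLD) are constructed for this example; a real deployment would substitute the update and cloud domains its own endpoint protection actually contacts.

```python
"""Audit a hosts file for security-vendor domains that have been pointed at a
sink address, the way the Dragon Boss adware kept endpoints from reaching
antivirus update servers.

Added example. The sample hosts text and the watchlist are constructed
(.test is a reserved TLD), not taken from the episode.
"""
import ipaddress

# Addresses that make a name unreachable when placed in the hosts file.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed watchlist of domains a security product depends on (hypothetical).
VENDOR_WATCHLIST = {
    "update.example-av.test",
    "cloud.example-edr.test",
    "definitions.example-av.test",
}


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples, ignoring comments and blank lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)  # skip malformed address fields
        except ValueError:
            continue
        for name in parts[1:]:  # one IP may map several names
            entries.append((ip, name.lower().rstrip("."), line_no))
    return entries


def in_watchlist(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in VENDOR_WATCHLIST)


def find_sinkholed_vendors(text):
    """Return findings (line, ip, hostname) for watched domains sent to a sink."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if ip in SINK_ADDRESSES and in_watchlist(name):
            findings.append({"line": line_no, "ip": ip, "hostname": name})
    return findings


# Constructed sample: two legitimate entries, three vendor sinkholes, one
# intranet mapping and one ordinary ad-blocking entry that must NOT be flagged.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
0.0.0.0     update.example-av.test   # added by adware
0.0.0.0     cloud.example-edr.test
127.0.0.1   definitions.example-av.test
192.0.2.10  intranet.example.test
0.0.0.0     ads.example.test
"""

if __name__ == "__main__":
    # On a real host, read /etc/hosts or
    # C:\Windows\System32\drivers\etc\hosts into `text` instead of the sample.
    for f in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['hostname']} -> {f['ip']}")
```

The watchlist match is suffix-based so that a subdomain of a watched domain is also caught, while generic hosts-based ad blocking (the ads.example.test line) is left alone. A clean hosts file is only one signal: the same effect can be achieved through firewall rules or DNS policy, so this check belongs alongside, not instead of, verifying that the endpoint protection is actually receiving updates.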

Mozilla's Firefox CTO confirmed that Mythos was used on Firefox and found 271 bugs — patched in version 150 — with at least 13 rated high severity. This is presented as definitive proof that Mythos is not marketing hype. The cybersecurity industry paper further cites data from zerodayclock.com showing that average time-to-exploit has collapsed from 2.3 years in 2018 to just 10 hours in 2026, driven largely by AI-assisted attack automation. The paper urges CISOs to immediately adopt LLM-based vulnerability discovery, prepare for simultaneous high-volume patch events, build tabletop exercises, and accept that human-speed defenses can no longer match machine-speed attacks.

The episode closes with reflections on the future of software development, with Gibson arguing that AI will eventually make software provably correct, comparing it to chess engines surpassing grandmasters. He also briefly discusses the film adaptation of Project Hail Mary versus the book, a listener-inspired exploration of AI-assisted open source repository security, and personal steps he has already taken in response to the Mythos threat, including shutting down exposed SSH servers.

Key Insights

  • Gibson argues that the average time-to-exploit has collapsed from 2.3 years in 2018 to approximately 10 hours in 2026, driven by AI automation, meaning defenders now have almost no window between vulnerability disclosure and active exploitation.
  • Mozilla's Firefox CTO confirmed that Anthropic's Mythos AI found 271 bugs in the current shipping version of Firefox — including at least 13 rated high severity — in software that had already undergone extensive human testing, which Gibson cites as definitive proof Mythos is not merely marketing.
  • A researcher calling himself 'nightmare-eclipse' published working exploit code for Windows Defender privilege escalation flaws after claiming MSRC dismissed his disclosures and 'ruined his business'; within 24 hours of GitHub publication, threat actors were exploiting the vulnerabilities in real attacks.
  • Gibson highlights that the Dragon Boss Solutions adware campaign illustrates a systemic Internet design flaw: when software publishers abandon their update domains, those domains become available for re-registration by anyone, creating ready-made command-and-control backdoors into every endpoint still running the software — in this case, systems inside hospitals, municipal governments, and Fortune 500 companies.
  • The Cloud Security Alliance paper, co-signed by Jen Easterly, Bruce Schneier, and Cloudflare's CISO among others, argues that the asymmetry created by AI is structural — AI lowers the cost and skill floor for attackers faster than organizations can patch — and that organizations which wait for visible damage before responding will find it too late to act.

Topics

  • Anthropic Project Mythos and AI-driven vulnerability discovery
  • Windows zero-day exploits from disgruntled researcher nightmare-eclipse
  • Microsoft bug bounty payouts and Zero Day Quest
  • Microsoft developer account suspensions (WireGuard, VeraCrypt)
  • Dragon Boss Solutions adware campaign and abandoned domain hijacking risk
  • Mozilla Firefox and 271 AI-discovered bugs
  • Industry-wide cybersecurity warning paper and zerodayclock.com data
  • Time-to-exploit collapse from 2.3 years to 10 hours
