
SANS Stormcast Monday, January 12th, 2026: PEB Manipulation; YARA Update; VideoLAND and Apache NimBLE Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9762.mp3


Malicious Process Environment Block Manipulation
The process environment block contains metadata about particular processes, but can be manipulated.
https://isc.sans.edu/diary/Malicious+Process+Environment+Block+Manipulation/32614/


YARA-X 1.11.0 Release: Hash Function Warnings
The latest version of YARA will warn users if a hash rule attempts to match an invalid hash.
https://isc.sans.edu/diary/YARA-X%201.11.0%20Release%3A%20Hash%20Function%20Warnings/32616
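To make the warning concrete, here is a small lint check, added as an example and not taken from YARA-X itself, that scans a rule for `hash.md5`, `hash.sha1` and `hash.sha256` comparisons and flags literals that can never match: wrong digest length (the copy-paste "extra space" case) or characters outside the lowercase hex that YARA's hash module returns. The sample rule is constructed for the example; the digests in it are those of the empty input.

```python
import re

# Hex-digest lengths of the functions YARA's hash module provides.
DIGEST_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Matches comparisons such as   hash.sha256(0, filesize) == "e3b0..."
# The quoted literal is captured verbatim, so stray whitespace is preserved.
_HASH_CMP = re.compile(
    r'hash\.(md5|sha1|sha256)\s*\([^)]*\)\s*==\s*"([^"]*)"'
)


def check_rule(rule_text):
    """Return (function, literal, reason) tuples for comparisons that cannot match."""
    findings = []
    for m in _HASH_CMP.finditer(rule_text):
        func, literal = m.group(1), m.group(2)
        expected = DIGEST_LENGTHS[func]
        if len(literal) != expected:
            findings.append((func, literal,
                             f"length {len(literal)}, expected {expected}"))
        elif re.fullmatch(r"[0-9a-f]+", literal) is None:
            # hash.* return lowercase hex strings; uppercase or non-hex never matches
            findings.append((func, literal, "not lowercase hexadecimal"))
    return findings


# Constructed sample: the sha256 literal carries a trailing space (65 chars),
# the sha1 literal is uppercase; the md5 comparison is fine.
SAMPLE_RULE = '''
import "hash"

rule constructed_example {
    condition:
        hash.md5(0, filesize) == "d41d8cd98f00b204e9800998ecf8427e" or
        hash.sha256(0, filesize) == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 " or
        hash.sha1(0, filesize) == "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"
}
'''

if __name__ == "__main__":
    for func, literal, reason in check_rule(SAMPLE_RULE):
        print(f"hash.{func} comparison against {literal!r} can never match: {reason}")
```

Run it over a rule set before deployment; a comparison that is flagged here is dead weight at best and a silently missing detection at worst.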

VideoLAN Security Bulletin VLC 3.0.22 CVE-2025-51602
VideoLAN fixed several vulnerabilities in its VLC software.
https://www.videolan.org/security/sb-vlc3022.html

Apache NimBLE Bluetooth vulnerabilities
NimBLE is a Bluetooth stack popular in IoT devices. An update fixes some eavesdropping and pairing vulnerabilities.
https://mynewt.apache.org/cve/

Podcast Transcript

Hello and welcome to the Monday, January 12, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in Applied Cybersecurity.

Got some diaries to talk about from this weekend. First, Xavier, again, about malware analysis tricks, in this particular case about malicious process environment blocks. The process environment block is a data structure that's maintained with Windows processes, holding things like, for example, the command line being used to execute the process and other metadata about the particular process. Now, of course, the process was started by the user. This structure is read-writable by the user, which means that any process can manipulate that structure as well and leave bad information in this structure. So Xavier is going a little bit over how to accomplish this, some proof of concept code here, how to rewrite the particular structure for a process that the user can get a handle on. And, well, then also how to hide this particular structure, not just to manipulate it. So an interesting post for anybody doing malware analysis. If you wonder how you actually get the real structure: well, the trick here, as Xavier points out, is to actually log the structure on process creation before the process gets a chance to manipulate it.

And Didier wrote a quick diary about the latest version of YARA, 1.11.0, and how it's adding hash function warnings. What this means is that if you're matching a hash function in a YARA rule, but the hash that you're using couldn't possibly match this particular hash function because it's too long, for example, then you'll get a warning that this particular match will never be fulfilled. And, well, it's supposed to catch things like typos in hashes that you may have, like, you know, if you add an extra space or such, which of course often happens when you simply copy-paste these hashes.

And the VideoLAN project did release an update for VLC, the video player that is sort of the showcase product of VideoLAN. And yes, its code is used quite a bit and is quite popular if you're trying to do things like video conversions or simple video streaming and the like. So there are about 16 issues that are being fixed in this update. There's only one CVE assigned to the update. They're a little bit vague on the exact impact of the vulnerabilities, but they're essentially memory corruption vulnerabilities. So what they're saying here is that, yes, we know they'll crash the system; whether or not they can be used to do something like remote code execution or data leakage, well, that depends a little bit on how this is actually compiled and, you know, what other kind of conditions exist on a particular system. I would definitely recommend updating VLC. It has been exploited in the past. So given its popularity, it's something that you want to maintain. On a Linux system that should be pretty straightforward with just a simple apt update or whatever your distribution uses. On other operating systems, it's often installed as a third-party product. So make sure that it's getting updated.

And the Apache project did release a security update for its NimBLE Bluetooth Low Energy stack. This Bluetooth Low Energy stack is typically found in IoT devices. So it's one of those things where you usually have to wait for vendor updates to fix these issues for you. There are two particularly interesting vulnerabilities. One allows the attacker to actually take over an existing pairing connection. So you have your phone or whatever connected to a particular Bluetooth Low Energy device, and then the attacker can inject the packet that will basically take over that connection. There's also sort of a pause-encryption feature in Bluetooth Low Energy that's apparently badly implemented here and can lead to data being leaked, in addition to a couple of other lower-priority vulnerabilities.

And Red Hat, in an advisory, is warning of a newly patched vulnerability in the Undertow HTTP server core. Undertow is basically a web server, and it's often used with Java applications. Red Hat is pointing out here WildFly and JBoss EAP in their advisory, but other Java applications may be affected as well. And the problem here is that Undertow is not validating the Host header correctly in HTTP requests it receives. It just passes them on to the application. And if the application, of course, counts on the server doing the input validation here, well, then you end up with a problem. From an application developer point of view, it probably wouldn't hurt to validate data like that that you are receiving from the web server. But either way, probably something that you do want to update, in particular if you're running one of these explicitly named applications in the advisory.

Well, and that's it for today. So thanks for listening. Thanks for subscribing. Thanks for recommending this podcast. Remember, we still have that contest going on: if you find a mistake in the podcast, just send me an email or contact me via social media, and you qualify for an Internet Storm Center sticker. So that's it for today, and talk to you again tomorrow. Bye.
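The Undertow item above ends with the advice that an application should not rely on the web server to validate the Host header. The following is an added example of that application-side check; it is not Undertow's, WildFly's or Red Hat's code, and the hostnames in `ALLOWED_HOSTS` are constructed for the example. It accepts only a well-formed host (optionally with a port) that is on an explicit allowlist, and `absolute_url` shows the typical consumer of that value: building a redirect or link target from the validated host rather than from the raw header.

```python
import re

# Hostnames this application is deployed under (constructed for the example).
ALLOWED_HOSTS = {"app.example.com", "localhost"}

# Host header syntax: a DNS-style name (or a bracketed IPv6 literal) with an
# optional ":port". Anything else (embedded whitespace, CR/LF, a path, a
# scheme, a trailing dot) fails the match and is rejected.
_HOST_RE = re.compile(
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>[0-9]{1,5}))?"
)


def validate_host(header_value, allowed=ALLOWED_HOSTS):
    """Return the canonical (lowercase, port-stripped) hostname if the Host
    header is well-formed and on the allowlist, otherwise None."""
    if header_value is None:
        return None
    m = _HOST_RE.fullmatch(header_value.strip())
    if m is None:
        return None
    port = m.group("port")
    if port is not None and not 0 < int(port) <= 65535:
        return None
    host = m.group("host").lower()
    return host if host in allowed else None


def absolute_url(header_value, path, allowed=ALLOWED_HOSTS):
    """Build a redirect or link target from the validated Host header only.
    Raises ValueError on an unacceptable Host so the request is refused
    instead of producing a link pointing at a caller-chosen host."""
    host = validate_host(header_value, allowed)
    if host is None:
        raise ValueError("unacceptable Host header")
    return f"https://{host}{path}"


if __name__ == "__main__":
    # Constructed header values: two acceptable, three that must be rejected.
    for value in ["app.example.com", "APP.Example.COM:443",
                  "attacker.example.net", "app.example.com:99999",
                  "app.example.com\r\nX-Injected: 1"]:
        print(repr(value), "->", validate_host(value))
```

This check complements the vendor update rather than replacing it: the server fix closes the gap for every application behind it, while the allowlist protects the application from whatever the server does or does not pass through.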