Handler on Duty: Manuel Humberto Santander Pelaez
Threat Level: green
Podcast Detail
SANS Stormcast Thursday, July 16th, 2026: DShield SIEM Update; MSFT Patches vs. Intel IPF; Zoom Patch; Forgotten UEFI Shims
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10010.mp3
My Next Class
Click HERE to learn more about classes Johannes is teaching for SANS
DShield SIEM Update
https://isc.sans.edu/diary/Recent%20DShield%20SIEM%20Update/33156
Microsoft Patch Tuesday vs. Dell Intel Innovation Platform Framework (IPF) drivers
https://support.microsoft.com/en-us/servicing/os/windows-11/2026/07/july-14-2026-kb5101650-os-builds-26200-8875-and-26100-8875
Zoom Account Takeover Patch
https://www.zoom.com/en/trust/security-bulletin/zsb-26014/
Forgotten UEFI shims undermining Secure Boot
https://www.welivesecurity.com/en/eset-research/forgotten-uefi-shims-undermining-secure-boot/
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Thursday July 16th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Washington DC. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations. Well today Guy gave a talk in the evening here at SANSFIRE about the honeypot and some of the additions that Guy created for the honeypot like our SIEM. And with that Guy also made live and made available a new version of the SIEM for the DShield honeypot. The two most notable additions is the addition of Suricata logs to the honeypot dashboard. And then also the addition of the Cowrie TTY logs. Cowrie, the honeypot that we are using for SSH and Telnet traffic, has the ability to log all the commands that an attacker may send to the honeypot. And this new addition to the dashboard will summarize these commands and also allow you to look up which particular attacker did execute what attacks against the honeypot. So you're getting more insight into what they actually attempt to do in the nice format of a Kibana interface. Well, given the size of yesterday's Microsoft patch used the update, it's no surprise that, well, we have some problems with this update. Microsoft today announced that there is an incompatibility with Dell devices that use the Intel Innovative Platform Framework or IPF. The drivers installed with this framework are in conflict with some of these patches and are causing problems. So Microsoft temporarily has disabled the update for these devices. If you are affected, you may see some changes in performance, power consumption or system behavior. Some people have reported overheating of the devices. A fix should be available in the next few days. And of course, we do still have some patches that were released by vendors other than Microsoft to talk about. Zoom, for example, did release an update for Zoom Workplace for Windows. Apparently, an improper input validation issue does allow unauthenticated account takeover over the network. Zoom rated this with a CVSS score of 9.8 and an update is available for you to download and install. And these had published a blog post with details regarding 11 shim bootloaders. They found that were still valid, still recognized by secure boot as authentic and they could have been used to essentially launch any other insecure bootloader. An attacker could have used this to completely compromise systems and essentially bypass secure boot. ESET found these bootloader or the shim bootloaders really quite a while ago, notified Microsoft. Microsoft did disable or basically revoke these bootloaders in the June update. So not this month. And well, kind of a good move from ESET to give us a month to apply all these patches before they're coming forward and announcing these findings publicly. Well, and that's it for today. So thanks for listening. Thanks for liking. Thanks for subscribing. Thanks for recommending this podcast and talk to you again tomorrow. Bye.





