
SANS Stormcast Thursday, June 18th, 2026: QUIC Challenge; Android 17; Oracle CSPU; JetBrains Plugins;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9978.mp3


Podcast Transcript

Hello and welcome to the Thursday, June 18, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity. If you didn't know it, as part of the Bachelor's Program, you're actually going to do an internship, as one of the options, with the Internet Storm Center, looking at honeypot alerts and essentially figuring out sort of what's going on out there on the internet.

Today we do have a guest post by Varun Mardula, who writes about QUIC, and actually, better, HTTP/3 in this particular case. QUIC is one of those weird protocols. It probably should have been a transport layer protocol, like TCP and UDP, but, well, that wasn't really feasible. So Google decided to actually go with sort of a new protocol layer over UDP. Now this is a protocol that has become really popular recently. I believe the latest numbers I've seen are something like 30% of web traffic using QUIC these days. It's supported by all the major browsers and many web servers. The problem, of course, with a very new and different protocol like this, in particular since it's encrypted and there is no sort of clear-text version of QUIC, is that your good old inspection tools don't really work well. All HTTPS/TLS inspection tools typically rely on setting up a proxy, and that's sort of what that diary is about: that, well, once you're using QUIC, these proxies become pretty much blind to what's actually going on on your network. So really one of the few options that you have to deal with this is to block any UDP packets, at least outbound, to port 443.

Now I want to do a couple of additions here to this particular diary. First of all, it's not just 443. That's just the default port for HTTP/3, so that's when you're running HTTP over QUIC. There are other things they can do over QUIC, like SMB, for example, in recent versions of Windows. There's also DNS over QUIC, which basically is just like DNS over HTTPS but now using that QUIC layer. Any port is possible, just like you can use HTTPS over any port. So you really have to be much more careful about outbound UDP traffic, not just port 443. Another sort of interesting detection technique here is that your browser learns about a particular website's QUIC capabilities via an HTTPS DNS record. So filtering those records can also help with blocking QUIC, or just monitoring those records to see, you know, what websites are actually advertising that they are supporting QUIC.

And Google today released Android 17. Now this update also includes fixes for about 21, if I counted them correctly, vulnerabilities. Many of them high, nothing critical. Now what's interesting here is that this brings Android 17 up to the July 1st patch level. So Android 17 currently is about two weeks ahead of the other Android versions as far as security patches go. It's not clear how many of these vulnerabilities affect older versions of Android, but I guess we'll see early July which ones they'll then patch for some of the earlier versions of Android.

And Oracle published another one of its monthly critical security patch updates. This one fixes 245 vulnerabilities. That's sort of close to what we usually see in the quarterly critical patch updates. So the first critical security patch update we had last month, in May. Going forward, it'll also always be on the third Tuesday of the month, so kind of to be a little bit off from Microsoft's patches, so as not to have too much overlap here. But again, the nomenclature that Oracle adopted now is: critical patch update, that's the quarterly update that patches everything, and then critical security patch update, these are the monthly updates, and those, as they describe it, are more focused. Now here, for example, we had a lot of vulnerabilities in the Fusion Middleware. That's always one of those highly targeted pieces of software. Definitely, if you're running this, pay attention and apply these patches.

I've talked a lot about not just supply chain issues, but also about malicious plugins for Visual Studio Code. Well, Visual Studio Code is not the only IDE being targeted by attackers. JetBrains also has similar issues. Aikido just discovered a number of malicious plugins that were specializing in stealing AI keys. Now these plugins, which sort of follow the standard playbook here, are modified legitimate plugins. So the user thinks they're downloading a plugin that will actually help them interact with various AI tools. As part of the setup, the user has to enter their API key for the particular AI tool they're going to use. Well, and as soon as they hit apply, there's a function being called that's sort of linked to the apply button that will take the API key and send it off to the attacker. Interestingly, it's being sent off to just an IP address, so there's no hostname, as always, with it. It's also sent in the clear over HTTP, but apparently still works.

Well, and that's it for today. Thanks again for listening. Remember, no podcast on Friday because of the Juneteenth holiday, so talk to you again on Monday. Bye.
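The two QUIC detection points raised in the episode, monitoring HTTPS DNS records that advertise h3 and watching outbound UDP beyond port 443, as an added worked example. This is editor-written code, not part of the podcast, the referenced diary, or any SANS tool. It assumes HTTPS records arrive in zone-file presentation format (RFC 9460), uses the QUIC long-header layout and version numbers from RFC 9000 and RFC 9369 as its packet heuristic, and all DNS records, flows and payloads below are constructed sample data. The flow check goes slightly beyond the spoken advice: instead of only matching udp/443, it also flags a QUIC long header on any other UDP port, which is how DNS over QUIC or HTTP/3 on a non-default port would show up.

```python
"""Detect QUIC/HTTP3 use from HTTPS DNS records and outbound UDP flows.

Added example (editor-written); sample records, flows and payloads are constructed.
"""
from dataclasses import dataclass

# QUIC versions a long header may carry (RFC 9000 v1, RFC 9369 v2).
QUIC_VERSIONS = {0x00000001: "v1 (RFC 9000)", 0x6B3343CF: "v2 (RFC 9369)"}


def parse_https_record(rr_text):
    """Parse one HTTPS (type 65) record in presentation format, e.g.
    'example.com. 300 IN HTTPS 1 . alpn="h3,h2" ipv4hint=192.0.2.1'.
    Returns name, priority, target and a params dict; alpn becomes a list.
    Assumes no SvcParam value contains whitespace (true for alpn/ipv4hint)."""
    tokens = rr_text.split()
    idx = tokens.index("HTTPS")
    params = {}
    for tok in tokens[idx + 3:]:
        key, _, value = tok.partition("=")
        value = value.strip('"')
        if key == "alpn":
            value = value.split(",") if value else []
        params[key] = value
    return {
        "name": tokens[0].rstrip("."),
        "priority": int(tokens[idx + 1]),  # 0 = AliasMode, no params expected
        "target": tokens[idx + 2],
        "params": params,
    }


def hosts_advertising_h3(rr_texts):
    """Names whose HTTPS record lists an h3 ALPN, i.e. the hint a browser
    uses to attempt QUIC. Draft ids such as h3-29 are counted as well."""
    names = set()
    for rr in rr_texts:
        rec = parse_https_record(rr)
        alpns = rec["params"].get("alpn", [])
        if any(p == "h3" or p.startswith("h3-") for p in alpns):
            names.add(rec["name"])
    return sorted(names)


def looks_like_quic_long_header(payload):
    """Heuristic: first byte has header-form bit (0x80) and fixed bit (0x40)
    set, followed by a known 4-byte version. False positives are possible
    (a plain DNS transaction id can start with 0xC0), so treat as a lead."""
    if len(payload) < 5 or payload[0] & 0xC0 != 0xC0:
        return False
    return int.from_bytes(payload[1:5], "big") in QUIC_VERSIONS


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


def flag_outbound_quic(flows, internal_prefix="10."):
    """Return (flow, reason) for outbound UDP that is udp/443 (HTTP/3 default)
    or carries a QUIC long header on any other port (DoQ, SMB over QUIC, ...)."""
    findings = []
    for f in flows:
        if f.proto != "udp" or not f.src.startswith(internal_prefix):
            continue
        if f.dport == 443:
            findings.append((f, "outbound udp/443 (default HTTP/3 port)"))
        elif looks_like_quic_long_header(f.payload):
            findings.append((f, f"QUIC long header on udp/{f.dport}"))
    return findings


# Constructed sample data (documentation addresses, not real hosts).
SAMPLE_HTTPS_RRS = [
    'example.com. 300 IN HTTPS 1 . alpn="h3,h2" ipv4hint=192.0.2.1',
    'legacy.example. 300 IN HTTPS 1 . alpn="h2"',
    "alias.example. 300 IN HTTPS 0 www.alias.example.",
]
QUIC_V1_INITIAL = b"\xc0\x00\x00\x00\x01" + bytes(1195)  # padded like a client Initial
PLAIN_DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "udp", 443, QUIC_V1_INITIAL),
    Flow("10.0.0.5", "203.0.113.20", "udp", 853, QUIC_V1_INITIAL),  # DoQ port (RFC 9250)
    Flow("10.0.0.5", "203.0.113.30", "udp", 53, PLAIN_DNS_QUERY),
    Flow("10.0.0.5", "203.0.113.40", "tcp", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    print("advertising h3:", hosts_advertising_h3(SAMPLE_HTTPS_RRS))
    for flow, reason in flag_outbound_quic(SAMPLE_FLOWS):
        print(flow.src, "->", flow.dst, flow.dport, reason)
```

The record parser is what you would run over passive DNS or resolver logs to build the "who advertises QUIC" list the episode suggests monitoring; the flow check is the complement on the network side. Because the long-header test is a heuristic on the first five bytes, it belongs in a detection pipeline as an enrichment, not as a hard block rule on its own.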