
SANS Stormcast Wednesday, June 11th, 2025: Microsoft Patch Tuesday; Acrobat Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9488.mp3


Microsoft Patch Tuesday
Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today.
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202025/32032

Adobe Vulnerabilities
Adobe released patches for 7 different applications. Two significant ones are Adobe Commerce and Adobe Acrobat Reader. All vulnerabilities patched for Adobe Commerce can only be exploited by an authenticated user. The Adobe Acrobat Reader vulnerabilities are exploited by a user opening a crafted PDF, and the exploit may execute arbitrary code.
https://helpx.adobe.com/security/Home.html

Podcast Transcript

Hello and welcome to the Wednesday, June 11, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity, is recorded in Jacksonville, Florida.

Well, of course, today we have to start with Microsoft Patch Tuesday. Microsoft released a little bit lighter, I would say, than average Patch Tuesday with 67 vulnerabilities being patched, 10 vulnerabilities being rated critical, and then one being already exploited and one being disclosed before today. It was actually one of the 67 vulnerabilities that had already been patched, announced by Microsoft before today. But anyway, so let's take a look at some noteworthy vulnerabilities here.

The first one, of course, the one that's already being exploited. This is a WebDAV vulnerability. If you're not familiar with WebDAV, it's an extension to HTTP. It is essentially allowing you to use a web server kind of like a remote file system, SharePoint and systems like this. I have also seen this sometimes being used, for example, to manage files on a web server. Not the greatest idea, but certainly has been used like this. When I first saw WebDAV, I was a little bit afraid that this is something like an IIS or the server component here. However, this is in the client component. In order to exploit this, you have to trick the client to actually connect to a particular WebDAV resource. Well, this is not necessarily that crazy difficult. The really interesting part here, and sort of a little bit of a difficult part here, is that this vulnerability is in one of these leftover components from Internet Explorer. So even if you don't use Internet Explorer, you still have the scripting engine, you have MSHTML running on your system that's sort of left behind from Internet Explorer. These libraries are still being used, and that's where the vulnerability comes into play here. So in order to patch this vulnerability, you must apply the IE cumulative update, the Internet Explorer cumulative update. So in this particular case, if you're sort of more selective in what patches you apply, you have to be a little bit careful with this.

The already known but not exploited vulnerability is just a privilege escalation vulnerability in the Windows SMB client. Yes, it can get you to system privileges, but Microsoft actually considers exploitation less likely for this vulnerability. And yes, the victim here has to connect to a malicious SMB server.

Next, a couple of critical vulnerabilities that are, I think, noteworthy. First of all, there's an unauthenticated remote code execution vulnerability in the remote desktop service. I think that's the third month in a row or so where we have these timing vulnerabilities. And they're difficult to exploit. That's why Microsoft thinks that it's less likely that we'll see an exploit for this vulnerability. I don't think there was one for the prior similar vulnerabilities. But RDP, of course, is always a big target. However, usually the exploit attempts are really just brute forcing.

Now, the second interesting critical vulnerability that we have here is a problem in Microsoft's cryptographic services. Basically, the library that implements a lot of cryptographic protocols like TLS. And there's apparently sort of some use-after-free vulnerability or such that allows arbitrary code execution. Again, Microsoft suggests that exploitation is less likely. That's a highly complex exploit if it should ever materialize. However, given the ubiquity of this library, and basically where potentially everything TLS could be affected, I definitely would keep an eye out for this one to see if there is an exploit materializing for it. This could become a huge deal, but we really don't know enough at this point to adequately sort of give advice whether you should patch that now or such. I would definitely not put it in the patch now category for now. Just follow your standard patch procedures on this.

And then, so a little bit, the interesting one here but also boring one. Yes, many of the critical vulnerabilities in this update affect Microsoft Office. It's a little bit unusual to see critical vulnerabilities in Microsoft Office because usually Microsoft does not rate an Office vulnerability as critical if they require you to open a document. Well, in this case, you get code execution just by previewing the document. So this makes them critical. Anyway, as I said, I don't see any vulnerability here that I would call a patch now vulnerability. Patch them, you know, according to your standard procedure, hopefully before next Patch Tuesday in July.

Well, on a Patch Tuesday, of course, we also got patches from other companies, not just from Microsoft. For example, Adobe delivered patches for seven of its products. The ones I always look for are Adobe Commerce and Adobe Acrobat Reader. Both of them have vulnerabilities patched this month. For Adobe Commerce, one of them is actually a remote code execution vulnerability via reflective cross-site scripting. The issue here, however, is that all the vulnerabilities in Adobe Commerce that are being patched this month require authentication for exploitation, which, of course, makes them a little bit less likely to be an issue. For the Acrobat Reader vulnerabilities, on the other hand, while there are a number of code execution vulnerabilities, all of these different memory management vulnerabilities that we're used to in Adobe Acrobat. And, of course, there is a very good probability that exploitation will happen for them, sort of given past history.

Well, that's pretty much it for today. A couple of other updates from SAP, Ivanti, Fortinet, and the like. None of them really being so super critical to waste a lot of time on right now. But, as usual, be aware there are always some additional updates that sneak in on Patch Tuesday. That's it for today. Thanks for listening and talk to you again tomorrow. Bye.