
SANS Stormcast Wednesday, September 10th, 2025: Microsoft Patch Tuesday

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9606.mp3


Microsoft Patch Tuesday
As part of its September Patch Tuesday, Microsoft addressed 177 different vulnerabilities, 86 of which affect Microsoft products. None of the vulnerabilities had been exploited before today. Two of the vulnerabilities were already made public. Microsoft rates 13 of the vulnerabilities as critical.
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20September%202025/32270

Adobe Patches
Adobe released patches for nine products, including Adobe Commerce, ColdFusion, and Acrobat.
https://helpx.adobe.com/security/security-bulletin.html

SAP Patches
SAP patched vulnerabilities across its product portfolio. Particularly interesting are a few critical vulnerabilities in NetWeaver, one of which has a CVSS score of 10.0.
https://onapsis.com/blog/sap-security-notes-september-2025-patch-day/


Podcast Transcript

Hello and welcome to the Wednesday, September 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in Purple Team Operations.

And today, well, we got a Microsoft Patch Tuesday and Microsoft fixed a total of 177 different vulnerabilities. However, out of these vulnerabilities, only 86 affected Microsoft products. Now, what's the difference here? There were a number of Linux vulnerabilities listed in Microsoft's patch feed. And these vulnerabilities really affect, well, the Windows Subsystem for Linux. They do affect some of their cloud products like Azure. And there is a special Linux distribution that they're using in their cloud products. So that's where the difference here really comes from. They don't assign a severity to these vulnerabilities. And these are pretty much open source vulnerabilities we have known about for a while for the most part. There are also in this release a number of Azure vulnerabilities. Now, in the past, there has always been some controversy: should Microsoft be more open and more public about any vulnerabilities they're fixing in their cloud products? These products, of course, they're nothing for you to patch or to do. You really just get a new version and it should be fixed automatically by Microsoft sort of on the back end. So that's why in the past, Microsoft hasn't always published them. But there are a number of them being published in this release.

Of course, the big question with any Microsoft Patch Tuesday: any zero-days being addressed here? And the quick answer is no. There were, however, two vulnerabilities that had already been made public, but they have not been exploited yet, as far as Microsoft is aware. And 13 of these vulnerabilities were rated critical. Now, vulnerabilities of interest were a little bit tricky here. There was no real sort of big outstanding sort of worrying vulnerability. A lot of vulnerabilities, as often, in Office products, like there was a long list in Excel and such. Nothing really new or exciting here. There were two vulnerabilities that related to how Microsoft assigns URLs to different zones. There's like an intranet, an internet zone and the like. And of course, they're treated differently with respect to security policies. And well, they patched two vulnerabilities that could cause URLs to be misassigned to the wrong zone. The next two that I sort of pointed out here that I thought were a little bit odd, but really more based on the description here, was a vulnerability in the kernel image system. Microsoft labeled them as remote code execution. But then when you sort of are reading the description, it says an authorized attacker needs to execute code locally, or is able to execute code locally, with these vulnerabilities. The reason this can be used remotely is that, well, this authorized attacker could also be an authorized normal user just opening an image that they downloaded from an online source. And I think that's sort of where the critical category comes from, even though the CVSS score here is quite a bit below critical. They're sort of in the six to seven range. So no real big sort of must-patch-now vulnerability here. Just apply them, you know, I would say at your leisure, but really you want to get done before next Patch Tuesday, of course.

And we do have a number of other vendors that have also released interesting patches today. So what about these other vendors that released patches today? First off, Adobe; that's one I always like to cover because of the prominence and popularity of their software. And three products that I always watch when it comes to Adobe were hit here. One, Adobe Acrobat Reader. So that's your favorite PDF software. We do have here one arbitrary code execution vulnerability with a severity of critical, but a CVSS score of only 7.8, which is a little bit below what you typically would call critical. Well, a use after free. So basically a standard memory management problem here that could probably be exploited. The second product here that I like to look at is Adobe Commerce, or Magento. Well, the only one we have here is a security feature bypass without additional details. Really hard to tell how bad this is, but the CVSS score of 9.1 means we probably should pay attention here and patch this quickly. Finally, good old ColdFusion got a patch, and this one fixes an arbitrary file system write. This type of vulnerability usually can be leveraged to some kind of code execution. You may see just write a file in the right location, then execute that file. So certainly something that's definitely stuff in the patch-now kind of category. They also tend to be, once the details are made public, relatively straightforward to exploit, these arbitrary file system write vulnerabilities. So the CVSS score of 9.0 gives you another argument here to definitely prioritize patching this particular vulnerability.

And the third vendor I want to include in today's podcast is SAP. SAP released its September patches as well today. And there are two vulnerabilities that are particularly interesting. Now, in the show notes, I'll link to the write-up by Onapsis, not to SAP's original announcement, because for SAP, you can't access any of the vulnerability details without logging in as a customer. And Onapsis does a real great job in explaining some of these vulnerabilities in a little bit more detail. Now, there are two vulnerabilities I want to point out in particular, and that's two vulnerabilities in NetWeaver. NetWeaver is a similar product to, like, you know, WebLogic, for example, from Oracle. These products are often subject to deserialization vulnerabilities. And that's exactly what's happening here with NetWeaver. CVSS score of 10.0. The second vulnerability here, 9.9 CVSS score, is an insecure file operation vulnerability. It doesn't give you any details here, but possibly yet another sort of file write issue that I just talked about with Adobe ColdFusion. Also, the directory traversal vulnerability doesn't necessarily tell you whether there's any code execution possibility, but the CVSS score of 9.6 probably implies that there is something at least close to a code execution vulnerability here, in particular since it affects the ABAP platform, which is SAP's own programming language.

Well, with that, lots of patching to do for you here. The SAP ones, I think, are the most critical patches today, followed by some of the Adobe ones. As far as the Microsoft patches go, again, just follow your standard patch practice. No need to sort of really accelerate and expedite any of the Microsoft patches. That's it for today. Thanks for listening. Thanks for liking and subscribing. And talk to you again tomorrow. Bye. Bye.