Podcast Detail

SANS Stormcast Wednesday, February 11th, 2026: Microsoft Patch Tuesday; Secure Boot Updates; Fake 7-Zip; FortiSlob

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9804.mp3

Microsoft Patch Tuesday; Secure Boot Updates; Fake 7-Zip; FortiSlob

Podcast Transcript

 Hello and welcome to the Wednesday, February 11th, 2026
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Graduate Certificate Program in
 Cybersecurity Engineering. Well, of course, top of the
 news today, Microsoft's Patch Tuesday and the number of
 patches was actually not that bad. We got patches for 59
 different Microsoft vulnerabilities. There were
 patches released earlier this month for Microsoft Edge.
 Those are the Chromium browser vulnerabilities that were sort
 of ported over to Microsoft Edge. But the big story is
 really that we have six vulnerabilities that are being
 addressed that were already exploited before today. And
 three of these vulnerabilities have been somewhat publicly
 known already. So those are, of course, those three are the
 ones that you need to pay most attention to. And a little bit
 lucky, I guess, these are actually three similar and
 related vulnerabilities. You may be familiar in Windows
 with technologies like smart screen and such, where if
 you're downloading some binary or some script and then you
 double click it, well, you'll get a warning that you're
 about to execute code that you downloaded from the internet.
 And these vulnerabilities allow bypassing exactly these
 sorts of warnings. Now, it affects three
 different subsystems here, which is why we have three
 different vulnerabilities. One is Windows Shell, one is
 Microsoft Word, and then we also have a patch for MSHTML.
 That's the good old Internet Explorer HTML rendering
 engine. Of course, it has long been replaced with Microsoft
 Edge, which has its own rendering engine. But a lot of
 sort of other software still uses MSHTML, and that's why we
 need this patch. In addition, we got three more
 vulnerabilities that were already exploited. Two of them
 are privilege escalation vulnerabilities, one in remote
 desktop. And then we also do have a type confusion
 vulnerability in Windows Manager that also then results
 in privilege escalation. Now, the sixth vulnerability here
 is a denial of service vulnerability in the remote
 access connection manager. So, this is really sort of the
 big, big thing here. We also have critical vulnerabilities
 in Microsoft Azure. I already mentioned them, actually,
 because they were patched in Azure directly. So, I think
 last week I may have mentioned those vulnerabilities. And
 another sort of interesting critical vulnerability that
 affects Microsoft Windows Defender, but only on Linux.
 So, not on Windows. And it can lead to a remote code
 execution. We often have this in security software like
 this, that, you know, unpackers, decompression often
 leads to bad memory allocations and such. So,
 that's probably what's going on here. So, if you're running
 Windows Defender on Linux, well, definitely make sure you
 update that and patch that. That's certainly something
 that you have to pay attention to because, well, it's
 supposed to protect you and it's supposed to deal with
 sort of, you know, unfiltered input that it's inspecting.
 And that's sort of, you know, why this is important. But
 other than that, well, I wouldn't say there's sort of
 anything super critical here. Like all these vulnerabilities
 I mentioned earlier, they still require that the user
 downloads and then launches essentially a script. So, it
 really just makes these type of exploits, which are, of
 course, still very common and easier if an attacker takes
 advantage of these sort of security feature bypass
 vulnerabilities. And a little side note to the Microsoft
 patch Tuesday. There is also, well, actually has already
 started an effort underway by Microsoft to update
 certificates being used for secure boot. I think I
 mentioned that before, but secure boot was originally
 introduced in 2011. The CAs, the certificate authorities
 being used for it, they had a lifetime of 15 years and,
 well, 2011 plus 15 gets you to 2026. So, later this year,
 these root certificate authorities are going to
 expire. Over the last couple of years already, many new PCs
 that you may have purchased did come with these updated
 certificate authority, certificates. So, they should
 be all set. But as part of these monthly updates,
 Microsoft is now pushing out the certificates to any older
 PCs that don't have yet current certificates. If you
 miss these updates, well, your PC will continue to function.
 The problem is that any updates to the boot system
 will require current working certificates. So, you'll
 basically be stuck with whatever boot system you have.
 And if there are vulnerabilities that pop up,
 which has happened in the past, you won't be able to
 apply any patches to it. So, definitely make sure this
 happens. But if you are reasonably current on your
 Windows patches, this should automatically be taken care
 of. And there was actually a little bit of a similar thing
 happening with Apple last week, a couple of weeks ago,
 where they pushed updates to some of their older operating
 systems. Now, this wasn't anything about secure boot,
 but a couple of authorities that Apple uses for things
 like iMessage and such, they're about to expire. So,
 these certificates basically kept that working. And same
 thing there. If you don't update those certificates,
 then even future updates that may be released may not work
 or cannot be applied because, well, they wouldn't be
 properly signed for these old operating systems. Well, if
 you downloaded 7-Zip lately, double-check that you got it
 from the right website. Apparently, there are some
 YouTube tutorials around that are redirecting users to a
 website that's very plausible, but is delivering a trojanized
 copy of the software. The malicious website here is
 7-Zip.com. Very logical choice, actually, for someone to
 download the software from there. But the actual website
 is 7-Zip.org. So, not .com, it's .org. And there's also a
 dash between 7 and Zip. But, yeah, definitely make sure
 that you download your software from the correct
 source. And with these things, of course, particularly with the
 similarity of the website names here, you would almost
 think that the fake website actually has kind of a better,
 more plausible domain name than the actual website. Well,
 that's it for today. We also had, of course, two Fortinet
 vulnerabilities, one in the sandbox and an authentication
 bypass in LDAP. But, well, too many of them. So, I'll just
 add the links to the show notes. And thanks for liking,
 subscribing, and talk to you again tomorrow. Bye.
 Thank you.
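The Secure Boot certificate rollover discussed in the episode raises an obvious question for an administrator: does this PC already carry the 2023 Microsoft UEFI CAs in its signature database, or is it still on the 2011 ones? The following PowerShell check is an added example, not code from the podcast or the Internet Storm Center. It assumes a UEFI system with Secure Boot enabled and an elevated PowerShell session, and it looks for the CA subject names Microsoft has published for its 2011 and 2023 Secure Boot certificates as plain ASCII strings inside the EFI signature list returned by the built-in Get-SecureBootUEFI cmdlet; the function name and the exact set of CA names searched for are this example's choices, so compare the list against Microsoft's current guidance.

```powershell
# Added example (not from the ISC podcast): report which Microsoft Secure Boot CAs
# are present in this machine's UEFI "db" (allowed signatures database).
# Requires: UEFI firmware, Secure Boot enabled, elevated PowerShell (SecureBoot module).

function Test-SecureBootCA {
    try {
        $enabled = Confirm-SecureBootUEFI   # throws on legacy BIOS / non-UEFI systems
    } catch {
        Write-Warning "Secure Boot state could not be read (legacy BIOS or insufficient rights): $_"
        return $null
    }
    if (-not $enabled) {
        Write-Warning "Secure Boot is disabled; the db contents will not be enforced."
    }

    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST blob in .Bytes.
    # Certificates inside it carry their subject names in plain ASCII, so a
    # substring match is enough for a presence check (no ASN.1 parsing needed).
    $db   = Get-SecureBootUEFI -Name db
    $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)

    # Subject names as published by Microsoft; treat this list as an assumption
    # to verify against current Microsoft documentation.
    $caNames = @(
        'Microsoft Windows Production PCA 2011',   # signs Windows boot manager (2011)
        'Microsoft Corporation UEFI CA 2011',      # signs third-party boot loaders (2011)
        'Windows UEFI CA 2023',                    # replacement for the Windows PCA
        'Microsoft UEFI CA 2023',                  # replacement for the third-party CA
        'Microsoft Option ROM UEFI CA 2023'        # new CA for option ROMs
    )

    $report = [ordered]@{ SecureBootEnabled = $enabled }
    foreach ($name in $caNames) {
        $report[$name] = $text.Contains($name)
    }
    return [pscustomobject]$report
}

$status = Test-SecureBootCA
if ($status) {
    $status | Format-List
    if (-not $status.'Windows UEFI CA 2023') {
        Write-Warning "The 2023 Windows UEFI CA is not in db yet: install pending cumulative updates, reboot, and re-run."
    }
}
```

Run it before and after the monthly cumulative update on a few representative hardware models; a machine whose db still lacks "Windows UEFI CA 2023" after patching and rebooting is one to investigate, since that is the machine that would later be unable to receive a newly signed boot manager.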