Podcast Detail

SANS Stormcast Thursday, July 16th, 2026: DShield SIEM Update; MSFT Patches vs. Intel IPF; Zoom Patch; Forgotten UEFI Shims

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10010.mp3

Podcast Logo
DShield SIEM Update; MSFT Patches vs. Intel IPF; Zoom Patch; Forgotten UEFI Shims
00:00

My Next Class

Click HERE to learn more about classes Johannes is teaching for SANS

Podcast Transcript

 Hello and welcome to the Thursday July 16th, 2026
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Washington DC. And this episode is brought to you by
 the SANS.edu Graduate Certificate Program in Cyber
 Defense Operations. Well today Guy gave a talk in the evening
 here at SANSFIRE about the honeypot and some of the
 additions that Guy created for the honeypot like our SIEM.
 And with that Guy also made live and made available a new
 version of the SIEM for the DShield honeypot. The two most
 notable additions is the addition of Suricata logs to
 the honeypot dashboard. And then also the addition of the
 Cowrie TTY logs. Cowrie, the honeypot that we are using for
 SSH and Telnet traffic, has the ability to log all the
 commands that an attacker may send to the honeypot. And this
 new addition to the dashboard will summarize these commands
 and also allow you to look up which particular attacker did
 execute what attacks against the honeypot. So you're
 getting more insight into what they actually attempt to do in
 the nice format of a Kibana interface. Well, given the
 size of yesterday's Microsoft patch used the update, it's no
 surprise that, well, we have some problems with this
 update. Microsoft today announced that there is an
 incompatibility with Dell devices that use the Intel
 Innovative Platform Framework or IPF. The drivers installed
 with this framework are in conflict with some of these
 patches and are causing problems. So Microsoft
 temporarily has disabled the update for these devices. If
 you are affected, you may see some changes in performance,
 power consumption or system behavior. Some people have
 reported overheating of the devices. A fix should be
 available in the next few days. And of course, we do
 still have some patches that were released by vendors other
 than Microsoft to talk about. Zoom, for example, did release
 an update for Zoom Workplace for Windows. Apparently, an
 improper input validation issue does allow
 unauthenticated account takeover over the network.
 Zoom rated this with a CVSS score of 9.8 and an update is
 available for you to download and install. And these had
 published a blog post with details regarding 11 shim
 bootloaders. They found that were still valid, still
 recognized by secure boot as authentic and they could have
 been used to essentially launch any other insecure
 bootloader. An attacker could have used this to completely
 compromise systems and essentially bypass secure
 boot. ESET found these bootloader or the shim
 bootloaders really quite a while ago, notified Microsoft.
 Microsoft did disable or basically revoke these
 bootloaders in the June update. So not this month. And
 well, kind of a good move from ESET to give us a month to
 apply all these patches before they're coming forward and
 announcing these findings publicly. Well, and that's it
 for today. So thanks for listening. Thanks for liking.
 Thanks for subscribing. Thanks for recommending this podcast
 and talk to you again tomorrow. Bye.