SANS Stormcast Wednesday, January 14th, 2026: Microsoft, Adobe and Fortinet Patches; ConsentFix

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9766.mp3


Microsoft Patch Tuesday January 2026
Microsoft released patches for 113 vulnerabilities. This includes one already exploited vulnerability, one that was made public before today and eight critical vulnerabilities.
https://isc.sans.edu/diary/January%202026%20Microsoft%20Patch%20Tuesday%20Summary/32624

Adobe Patches
Adobe released patches for five products. The code execution vulnerabilities in ColdFusion and Acrobat Reader deserve special attention.
https://helpx.adobe.com/security.html

Fortinet Patches
Fortinet patched two products today: a heap-based buffer overflow in FortiOS and FortiSwitch Manager that allows unauthenticated code execution (a workaround is to restrict access to the fabric interfaces), and an SSRF vulnerability in FortiSandbox reachable through its GUI.
https://fortiguard.fortinet.com/psirt/FG-IR-25-783
https://fortiguard.fortinet.com/psirt/FG-IR-25-084

ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants
Attackers show victims a fake CAPTCHA that walks them through a Microsoft OAuth consent flow for a legitimate application, then instructs them to copy the post-consent redirect URL, which carries the authorization credential, from the address bar and paste it into the fake CAPTCHA. Because the redirect goes to the real application, the attack sidesteps the redirect-URI checks that providers and applications have tightened.
https://pushsecurity.com/blog/consentfix
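The point of the attack is that the URL the victim is asked to paste is an OAuth authorization response: it contains a code (or, for older implicit flows, tokens directly in the fragment) that the attacker can exchange for API access. The following is an added example, not code from the ISC diary or from Push Security's write-up, that classifies a URL as an OAuth authorization request, an authorization response carrying credentials, or neither, and that can sit behind a paste handler or a clipboard-monitoring control to flag the paste before it happens. Parameter names follow RFC 6749 and OpenID Connect; the sample URLs, client_id, code, state and token values are constructed for illustration, and the "client_id plus response_type" rule for recognising a request is a heuristic of this example, not a standard.

```javascript
// Added example: recognise OAuth authorization requests and responses in a URL
// that a user is about to paste somewhere (for instance into a "CAPTCHA" form).
// Parameter names are from RFC 6749 / OIDC; the sample data below is constructed.

// Parameters that identify an authorization request (client -> provider).
const OAUTH_REQUEST_PARAMS = ["client_id", "redirect_uri", "response_type", "scope"];
// Parameters that carry a credential in an authorization response (provider -> client).
// "code" is the authorization-code flow; the token parameters are the implicit flow.
const OAUTH_SECRET_PARAMS = ["code", "access_token", "id_token", "refresh_token"];

// URLSearchParams handles both "?k=v" query strings and "#k=v" fragments once the
// leading delimiter is stripped; implicit-flow responses put the tokens in the fragment.
function parseParams(str) {
  return new URLSearchParams(str.replace(/^[?#]/, ""));
}

function classifyOAuthUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { kind: "invalid", secrets: [], redirectHost: null, state: null };
  }
  const query = parseParams(url.search);
  const fragment = parseParams(url.hash);

  // Credentials can appear in either the query (code flow) or the fragment (implicit flow).
  const secrets = OAUTH_SECRET_PARAMS.filter((p) => query.has(p) || fragment.has(p));

  // Heuristic (this example's own rule): a request needs at least client_id and response_type.
  const isRequest = query.has("client_id") && query.has("response_type");

  // Where the provider will send the code/token after consent, if stated in the request.
  let redirectHost = null;
  if (query.has("redirect_uri")) {
    try {
      redirectHost = new URL(query.get("redirect_uri")).host;
    } catch {
      redirectHost = null;
    }
  }

  let kind = "none";
  if (secrets.length > 0) kind = "authorization_response";
  else if (isRequest) kind = "authorization_request";

  return {
    kind,
    secrets,
    redirectHost,
    state: query.get("state") ?? fragment.get("state"),
  };
}

// Guard for a paste handler: true when the pasted text is an OAuth response carrying
// a credential. Whitespace is trimmed because copied URLs often pick up a newline.
function shouldBlockPaste(text) {
  return classifyOAuthUrl(text.trim()).kind === "authorization_response";
}

// Constructed sample URLs (client_id, code, state and tokens are made up).
const SAMPLE_REQUEST =
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=11111111-2222-3333-4444-555555555555&response_type=code" +
  "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&scope=openid%20Mail.Read&state=xyz123";
const SAMPLE_CODE_RESPONSE = "https://app.example/callback?code=0.AXkAabc123&state=xyz123";
const SAMPLE_IMPLICIT_RESPONSE =
  "https://app.example/callback#access_token=eyJabc&token_type=Bearer&id_token=eyJdef";

for (const u of [SAMPLE_REQUEST, SAMPLE_CODE_RESPONSE, SAMPLE_IMPLICIT_RESPONSE]) {
  const r = classifyOAuthUrl(u);
  console.log(r.kind, r.secrets, r.redirectHost, "block paste:", shouldBlockPaste(u));
}
```

Note that the classifier only sees what the victim is about to paste; in the ConsentFix case the redirect_uri in the request is the legitimate application's, so a redirect-URI allowlist at the provider would not have caught it, which is why the check here keys on the response parameters rather than on the destination host.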

Podcast Transcript

Hello and welcome to the Wednesday, January 14th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Well, of course, the topic today is Microsoft's Patch Tuesday. We got our first Patch Tuesday for 2026 and it was, I would say, a little bit of an average Patch Tuesday. Nothing really all that terribly exciting. We got a total of 113 vulnerabilities addressed, which includes one vulnerability in Microsoft Edge, which really is a Chromium vulnerability ported over to Microsoft's Edge browser. Then there were eight critical vulnerabilities in this set, and one vulnerability is already being exploited and a second one that has been disclosed.

Let's actually start with the disclosed vulnerability, because that's a relatively straightforward one. The problem here is that the certificates being used for Secure Boot need to be rotated; as so often with cryptographic keys, these certificates expire after a while. So that's really what this is about. If that doesn't happen, then of course you end up with expired certificates, which then could be used by an attacker to essentially bypass Secure Boot. But yes, this new update now basically just loads the latest certificates into the operating system, which then should basically protect Secure Boot again and prevent this expiration from happening.

The second issue, and that's the one that's already being exploited, is a little bit tricky. It's a problem with the ALPC port. It's sort of an RPC mechanism in Windows, and this particular vulnerability is really more of an information disclosure vulnerability that would allow an attacker to essentially access some of the communication here on this port. And yes, that could then be leveraged to additional, more severe exploits, probably. But by itself this vulnerability isn't really all that critical. Actually, it's just rated as important by Microsoft.

Among the critical vulnerabilities we had a number of vulnerabilities that were Microsoft Office, Word, Excel vulnerabilities. There was one vulnerability that was a little bit interesting, at least from the title, and that's a remote code execution vulnerability in LSASS. We had some real high-impact vulnerabilities in LSASS before, like the famous Blaster worm. This is nothing like this. This particular vulnerability, in order to exploit it, does require authentication. Also, as Microsoft states in its advisory, the attacker first needs to prepare the system properly, whatever that means. Probably sort of filling up some memory.

And Adobe also released its update as usual, this time fixing five different products. Among those products there are two that I always pay attention to. Adobe ColdFusion: there is an arbitrary file upload vulnerability that's being addressed here, so this could be abused to upload something like a webshell. The second product here is Acrobat Reader: two critical vulnerabilities that would allow code execution. So definitely update both of these. In particular, I would say ColdFusion is one that you really need to pay attention to. We had similar vulnerabilities before, so I wouldn't be surprised to see an exploit for this relatively shortly.

And then we got two different updates from Fortinet. The first one affects FortiOS and FortiSwitch Manager. It's a heap-based buffer overflow vulnerability, so that allows for code execution and does not require any authentication. There is a workaround listed here where you essentially just don't allow access via the fabric interfaces in your FortiOS and FortiSwitch Manager. Probably something to consider anyway, regardless of whether or not you're going to apply the patch here for this vulnerability. But yes, certainly something that you do want to address, even though it only affects some configurations of these devices. The second vulnerability is in FortiSandbox. So here, if you're using the GUI to basically inspect your sandbox results, there's a possibility for malicious software to actually use a server-side request forgery. Now, what can be done with this vulnerability is a little bit limited, like what endpoints can be accessed. But still, you know, something to be aware of, in particular since you're using this sandbox to look at potentially malicious code.

In addition to all the new vulnerabilities, we also do have an interesting new technique being used by attackers. Push Security has a blog post about what they're calling the ConsentFix attack. Now, you're all familiar with the ClickFix attack. That's the fake CAPTCHA where the attacker is then tricking the victim into copy-pasting commands into some kind of Run dialog on their system. This actually is going after OAuth secrets. So the way this attack works is that, again, the attacker is displaying a fake CAPTCHA to the user, but then instructs the user to log in, in this example to Microsoft, and give Microsoft permissions for a particular application. Now, the typical trick here is then that after the user gives that permission or assigns that permission to the application in Microsoft's authentication interface, the victim is being redirected back to the application, which then receives the credentials to authenticate to Microsoft's API. Now, in this case, the attacker is not running that application. It's a legitimate application that the attacker would like to have access to. So the attacker is then basically asking the victim to copy-paste the URL, which includes the credentials, into the CAPTCHA dialog in order to capture these credentials. So, interesting play here on OAuth. In the past, sometimes you have seen similar attacks by manipulating the redirect URI, which is the URI that the user is being redirected to after authenticating. But the applications and also OAuth providers have sort of clamped down on some of these issues. So this is now the next thing: well, if I can't redirect the user to my URI, then let me just grab it from their URL bar and let me have the user help with that. So, amazing that some of this actually works, given that some of these copy-paste things aren't quite that terribly straightforward. But apparently the attackers can make it work.

Well, and this is it for today. So thanks for listening, thanks for liking, and thanks for subscribing to this podcast. Remember, I'll be teaching in Orlando and Amsterdam in April. So if you're interested, at the bottom of the show notes on the Internet Storm Center website, you'll see links to currently offered classes. That's it! Thank you.