ISC StormCast for Thursday, April 11th, 2024

Released Thursday, 11th April 2024

Episode Transcript


0:00

Hello and welcome to the Thursday, April 11th, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from London, England.

0:15

Well, let's today start with a critical update for the Windows version of the programming language Rust. This vulnerability in the standard library has a perfect CVSS score of 10, even though the risk may or may not be a little bit more limited; it depends really on how you are using the affected API, and that's the Command API. Actually an API that exists in pretty much any language and has had issues in pretty much any language. The purpose of the Command API is to execute a command via cmd.exe and securely escape any command parameters being passed, in order to avoid OS command injection, a very common vulnerability where you, for example, can use things like semicolons and dollar symbols and the like in order to execute additional commands by passing them as a command parameter. And before you say, isn't Rust supposed to be a secure programming language? Yes, it is, but with specific issues around memory safety in mind; other vulnerabilities will of course still occur in Rust just like in any other language. Now the tricky part about this particular vulnerability is that it really affects software created with Rust much more than Rust itself, so having Rust installed on your system, for example, will not really expose you to any particular risks in this case. But if you're running software that uses the Command API and was compiled using the old version of the standard library, well, then that particular binary would expose you to this vulnerability.

2:04

And then, as typical as part of Patch Tuesday, we also got updates from Adobe. Nine different products received updates. I'm not going over all the details here. There are, for example, quite a few products that are affected by a single out-of-bounds read vulnerability with a CVSS score of only 5.5. The one product that I want to focus on a little bit is Adobe's Commerce product, which used to be known as Magento. This product has two vulnerabilities being addressed here. One is an arbitrary code execution; it just says here improper input validation, CVSS score of 9. And then we also have a stored cross-site scripting vulnerability with a CVSS score of 8.1 that could lead to arbitrary code execution. Given the history of exploitation against this platform, I highly recommend that you expedite this update.

3:07

And we got updates from FortiGuard affecting FortiOS and FortiProxy. There is one vulnerability being addressed here. It's rated high with a CVSS score of 7.5. As it says in the advisory, due to this attack an attacker may be able to gain access to administrator cookies in rare and specific conditions via tricking the administrator into visiting a malicious attacker-controlled website through the SSL VPN. The researcher who is affiliated with Fortinet is being credited with the discovery of this vulnerability, so I assume we won't really see a lot of detail about this vulnerability anytime soon. Hopefully you have some time to upgrade, and given some of the specifics here, exploitation doesn't sound terribly straightforward for this vulnerability. Additional vulnerabilities disclosed in FortiOS and patched relate to escalating privileges for authenticated attackers and also fingerprinting of the device, where an attacker may be able to figure out the exact version of the operating system. So not any vulnerabilities that I would rate as critical or worth expediting patches for.

4:29

And in this week's Patch Tuesday, we had one vulnerability, a Proxy Driver Spoofing vulnerability, that Microsoft marked as already exploited and already made public. I had not much luck finding a lot of details about this yesterday, or on Tuesday when I first looked at it. Well, we now have more details from Sophos, who reported this issue to Microsoft. It actually turns out that this took advantage of a signed driver. It was signed using the Microsoft Hardware Publisher certificate, which has been problematic in the past, and yes, this driver was then used to apparently do malicious things. I linked to the detailed write-up by Sophos, but the short summary here is that the patch that was released on Tuesday actually just adds this driver and the certificate used to sign this driver to the revocation list, so it's no longer being trusted.

5:40

Well, that's it for today. A quick thanks for all the comments I saw in the reddit cybersecurity forum, where someone was asking about good sources to follow. And that's it for today. Thanks, and talk to you again tomorrow.
