Episode Transcript
0:00
Hello and welcome to the Thursday, April 11th, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from London, England.

0:15
Well, let's today start with a critical update for the Windows version of the programming language Rust. This vulnerability in the standard library has a perfect CVSS score of 10, even though the risk may or may not be a little bit more limited; it depends really on how you are using the affected API, and that's the Command API. Actually an API that exists in pretty much any language and has had issues in pretty much any language. The purpose of the Command API is to execute a command via command.exe and securely escape any command parameters being passed, in order to avoid OS command injection, a very common vulnerability where you for example can use things like semicolons and dollar symbols and the like in order to execute additional commands by passing them as a command parameter. And before you say, isn't Rust supposed to be a secure programming language? Yes it is, but with specific issues around memory safety in mind; other vulnerabilities will of course still occur in Rust just like in any other language. Now the tricky part about this particular vulnerability is that it really affects software created with Rust much more than Rust itself. So having Rust installed on your system, for example, will not really expose you to any particular risks in this case, but if you're running software that uses the Command API and was compiled using the old version of the standard library, well, then that particular binary would expose you to this vulnerability.

2:04
And then, as typical as part of Patch Tuesday, we also got updates from Adobe; 9 different products received updates. I'm not going over all the details here. There are for example quite a few products that are affected by a single out-of-bounds read vulnerability, with a CVSS score only of 5.5. The one product that I want to focus on a little bit is Adobe's Commerce product, which used to be known as Magento. For this product, two vulnerabilities are being addressed here. One is an arbitrary code execution; it just says here improper input validation, CVSS score of 9. And then we also have a stored cross-site scripting vulnerability with a CVSS score of 8.1 that could lead to arbitrary code execution. Given the history of exploitation against this platform, I highly recommend that you expedite this update.

3:07
And we got updates from Fortiguard affecting FortiOS and FortiProxy. There is one vulnerability being addressed here. It's rated high with a CVSS score of 7.5. As it says in the advisory, due to this attack an attacker may be able to gain access to administrator cookies in rare and specific conditions via tricking the administrator into visiting a malicious attacker-controlled website through the SSL VPN. The researcher who is affiliated with Fortinet is being credited with the discovery of this vulnerability, so I assume we won't really see a lot of detail about this vulnerability anytime soon. Hopefully you have some time to upgrade, and given some of the specifics here, exploitation doesn't sound terribly straightforward for this vulnerability. Additional vulnerabilities disclosed in FortiOS and patched relate to escalating privileges for authenticated attackers and also fingerprinting of the device, where an attacker may be able to figure out the exact version of the operating system. So not any vulnerabilities that I would rate as critical or worth expediting patches for.

4:29
And in this week's Patch Tuesday we had one vulnerability, a proxy driver spoofing vulnerability, that Microsoft itself marked as already exploited and already made public. I had not much luck finding a lot of details about this yesterday, or on Tuesday when I first looked at it. Well, we now have more details from Sophos, who reported this issue to Microsoft. It actually turns out that this took advantage of a signed driver. It was signed using the Microsoft Hardware Publisher certificate, a program that has been problematic in the past, and yes, the driver was once used to apparently do malicious things. I'm linking to the detailed write-up by Sophos, but the short summary here is that the patch that was released on Tuesday actually just added the certificate used to sign this driver to the revocation list, so it's no longer being trusted.

5:40
Well, and with that, a quick thanks to all the comments I saw in the Reddit cybersecurity forum here, where someone's asking about good sources to follow. And that's it for today. Thanks, and talk to you again tomorrow.