
SANS Stormcast Wednesday, August 13th, 2025: Microsoft Patch Tuesday; libarchive vulnerability upgrade; Adobe Patches

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9568.mp3


Microsoft Patch Tuesday
https://isc.sans.edu/diary/Microsoft%20August%202025%20Patch%20Tuesday/32192
https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/

libarchive Vulnerability
A libarchive vulnerability patched in June was upgraded from a low CVSS score to a critical one. libarchive is used by compression software across various operating systems, making this a difficult vulnerability to patch.
https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc

Adobe Patches
Adobe released patches for 13 different products.
https://helpx.adobe.com/security/Home.html

Podcast Transcript

Hello and welcome to the Wednesday, August 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

Well, it's Patch Tuesday, so we got to start with that. We got patches for a total of 111 different vulnerabilities. 17 of them were classified as critical, and one of the vulnerabilities was already disclosed prior to this patch, but, well, not yet exploited, and also it's just a moderate vulnerability. Looking at the vulnerabilities this month, there is sort of one thing that I think is for the first time, at least that I noticed it really here, and that's that we are seeing some cloud vulnerabilities that are being disclosed here, like these Azure OpenAI, Azure Portal Elevation of Privilege vulnerabilities. This is something that Microsoft does now in order to be more transparent about vulnerabilities in its cloud infrastructure. A few months, or was it a year or so ago, they sort of started that push to basically do what they did with trusted computing back in the day for their cloud properties. And the good part here is that there's nothing you need to do about these vulnerabilities. These are vulnerabilities that Microsoft already has taken care of for you because, well, they're in software that Microsoft operates in its cloud. Interestingly here, the Azure OpenAI Elevation of Privilege vulnerability got a complete 10 out of 10 for its CVSS score. Couldn't sort of find a lot of details about this vulnerability, but definitely interesting that an elevation of privilege vulnerability is getting a full 10 here. There are a couple of other sort of critical vulnerabilities that fall in this category. Pretty much the top few vulnerabilities in our table that are critical are all Azure vulnerabilities. The remaining critical vulnerabilities, many of them are in Office products, and then also sort of the usual set of graphics drivers and such that are vulnerable and, well, that lead to remote code execution vulnerabilities and are as a result rated critical. Aside from that, I don't think there's anything sort of super exciting here in this particular release. Like I said, many of the critical vulnerabilities, about half of them, are these cloud vulnerabilities, so nothing really for you to take care of. Apply the remaining patches as they apply to you with sort of, you know, the usual caution, and use your vulnerability management program. Nothing really to sort of specifically escalate here.

There is one vulnerability where we also now have a blog post with additional details about this vulnerability, and this is an interesting one. This vulnerability is rated important. It's yet one of those NTLM disclosure vulnerabilities in, well, of all things, link files, which, I don't know, are a fairly straightforward file format, but still never-ending issues with them. The old vulnerability here was essentially where the icon location could point to an SMB share, and then the user would basically be tricked by clicking on this to load the icon from the SMB share, and that would release NTLM hashes. The new variety of this vulnerability, well, it's basically just the next field here, the target path, where basically the executable is located. That's, you know, what they're now using to trigger the request to an SMB share. I hope they tested the shortcut path as well, that that's not vulnerable, and that would be the third vulnerability here in this particular file, or maybe that was a prior vulnerability, not really tracking all of these link file vulnerabilities. But yeah, NTLM, I talked about this many times before, they have a never-ending supply of these sort of SMB share leak vulnerabilities. Block port 445 outbound to sort of at least prevent these hashes from leaking outbound, and if possible disable NTLM. That's where Microsoft is moving in the medium to long term, to basically disable NTLM and switch all the way to Kerberos. Now, the one already disclosed vulnerability is actually a Kerberos vulnerability, but again, that one is rated only moderate. So that's sort of the quick summary here of the Microsoft vulnerabilities. Like I said, average, I would call it, about Patch Tuesday.

And then we have an interesting decompression library vulnerability. This time it's libarchive, and it's not a directory traversal vulnerability but, well, a good old unsigned integer overflow vulnerability that can lead to arbitrary code execution. The reason I mention this vulnerability now is a little bit where the odd part comes in. It was originally disclosed on May 10th. There was also a proof of concept being submitted with the vulnerability announcement, but it originally only got a CVSS score of 3.9. So basically not really noteworthy. In part, I believe, because in order to actually exploit the vulnerability, you need to create an archive with at least 4 billion nodes. So you have that good old 32-bit overflow issue happening here. And that requires at least 103 gigabytes of memory. So it's basically not a ton of systems around there where it is exploitable. But in particular, if you think about servers and such, certainly they often do these days have more than 103 gigabytes of memory. And that's why lately, and that was really sort of last week, this vulnerability was upgraded to a critical CVSS score, and FreeBSD also did, kind of in response to that, publish its own advisory with the related patches. The other interesting part of libarchive is it's, well, part of pretty much anything that compresses, and it's not limited to BSD and Linux, but it's also used on Windows. So definitely watch out for updates for this. I could see there, for example, particular anti-malware tools probably use libarchive in order to look into compressed files. And they may certainly be an attack target here for this vulnerability.

And then of course we have to talk about Adobe on Patch Tuesday. We got patches for 13 of Adobe's products. The one that I always focus on is Adobe Commerce. Adobe Commerce did receive updates for a number of different vulnerabilities. They do have a priority rating of two, which means that, well, Adobe Commerce is likely going to be attacked. That's really all this means. And I certainly agree with that. We have seen a lot of attacks like this. However, on the good side, even though there are a number of critical vulnerabilities, all but the denial of service vulnerabilities require authentication to exploit them. Not just authentication, but also admin privileges, other than this security feature bypass vulnerability that does not require admin privileges but only has a CVSS score of 5.9. So patch, update, certainly, just because people will in particular go after the security feature bypass issues as sort of enabling vulnerabilities. Other than that, nothing really too critical, luckily, here for the Adobe Commerce users.

Well, and this is it for today. So thanks again for listening, and talk to you again tomorrow. Bye.
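The icon location the transcript describes is one of the StringData entries of a Windows shortcut (.lnk) file. As an added example that is not from the podcast, Microsoft or Cymulate, the Python below walks the Shell Link (MS-SHLLINK) StringData entries and reports any field that starts with a UNC prefix, which is the property a mail gateway or endpoint rule would key on to quarantine shortcuts that would force an outbound SMB request. It decodes only StringData (name, relative path, working directory, arguments, icon location); a target stored in the LinkTargetIDList or LinkInfo structures is skipped over, not inspected, and the sample shortcut bytes are constructed inline as a test fixture.

```python
import struct

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
# StringData entries appear in the file in exactly this order, gated by these bits
STRING_FIELDS = [(1 << 2, "name"), (1 << 3, "relative_path"), (1 << 4, "working_dir"),
                 (1 << 5, "arguments"), (1 << 6, "icon_location")]

def parse_string_data(lnk: bytes) -> dict:
    """Return the StringData fields of a .lnk blob as {field: text}. The optional
    LinkTargetIDList and LinkInfo blocks are skipped via their size prefixes."""
    if len(lnk) < 76 or struct.unpack_from("<I", lnk, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    pos = 76                                              # end of ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]  # IDListSize + item list
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", lnk, pos)[0]      # LinkInfoSize
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", lnk, pos)[0]     # CountCharacters
        width = 2 if flags & IS_UNICODE else 1            # UTF-16LE or ANSI code page
        raw = lnk[pos + 2:pos + 2 + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += 2 + count * width
    return fields

def unc_references(lnk: bytes) -> dict:
    """StringData fields that start with a UNC prefix (\\\\host\\share): rendering
    or resolving such a shortcut makes Explorer open an outbound SMB session."""
    return {k: v for k, v in parse_string_data(lnk).items() if v.startswith("\\\\")}

def constructed_sample(icon_location: str) -> bytes:
    """Test fixture (constructed here, not a real-world file): a minimal Unicode
    shortcut with only a header, a relative path and the given icon location."""
    flags = (1 << 3) | (1 << 6) | IS_UNICODE              # HasRelativePath|HasIconLocation
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
    header = struct.pack("<I16sIIQQQIIIH2sII", 0x4C, clsid, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, b"\0\0", 0, 0)
    body = b""
    for text in (".\\notes.txt", icon_location):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body
```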