SANS Stormcast Thursday, February 12th, 2026: WSL in Malware; Apple and Adobe Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9806.mp3

Podcast Transcript

Hello and welcome to the Thursday, February 12, 2026 edition of the SANS and the Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And today's episode is brought to you by the SANS.edu graduate certificate program in Purple Team Operations.

In diaries today, the first one we have is by Xavier about the use of the Windows Subsystem for Linux in malware. Malware certainly has discovered this neat tool in newer Windows variants, and well, it's often sort of enabled, not necessarily used, or a user may not even be aware that this interesting tool is sitting there. So with the Windows Subsystem for Linux, you essentially have a Linux container, virtual machine, whatever you want to call it, that can easily be accessed from the Windows command line. You can also easily copy files into the file system accessible by this subsystem. And of course, malware loves to use the ease of use of Linux and also the ability to, well, maybe more easily hide some of the artifacts within this subsystem. The example that Xavier has is actually a JavaScript that checks if a particular system it is running on does have WSL available and then it takes advantage of it.

And Apple today released its usual, well, update-everything patch. Apple does not have a regular sort of patch cadence like Microsoft, so it is somewhat random that this came out the Wednesday after Patch Tuesday. But this particular update was expected because, well, Apple sort of got ready to release the next increment in its operating systems. And with a couple of new features, we of course also get a number of security fixes. In this case, 71 different vulnerabilities are being addressed. There is one vulnerability that is already being exploited; as Apple puts it, this particular vulnerability was discovered by looking at a particular incident that was a fairly targeted and limited sort of impact incident. And there were two additional vulnerabilities from this particular incident that were already patched back in December. Not clear whether it just took longer to patch this last vulnerability or whether that wasn't initially discovered in the analysis of this incident. Definitely something that you do want to address. They're also covering some of the older versions of the operating systems. So you don't necessarily have to go all the way and update to the latest version of, for example, macOS 26. But for macOS, also the last two versions before that, 15 and 14, did receive updates.

Now, one company that does always provide updates in sync with Microsoft's Patch Tuesday is Adobe. I usually cover them on Patch Tuesday itself. Didn't do it yesterday because I, well, didn't think and still don't think that this month's updates are really that exciting. There are nine different products that are being patched, but sort of none of the big hitters that I'm usually considering, like Acrobat or Magento, so the Adobe Commerce part, or ColdFusion. Those are the ones that I'm usually more worried about. Nevertheless, if you're running any of the Adobe applications that were patched yesterday, some of the vulnerabilities are certainly critical and do allow arbitrary remote code execution if a file with malicious content is being opened by the user.

Well, and then, talking about Microsoft's Patch Tuesday, we do have details regarding what I think is a pretty interesting and surprising vulnerability that was patched with yesterday's Patch Tuesday. And that's a vulnerability in Microsoft Notepad. Now, Microsoft Notepad did start out as, well, a simple text editor, maybe for some a little bit too simple. So Microsoft added more features to it. So in the later versions of Notepad, you're actually able to include links. And well, the idea is if you click on the link, the browser opens and displays the web page that you're linking to. The problem with this is, as a blog post here points out, that Notepad actually doesn't care what the actual protocol or scheme is that's being used. So instead of HTTP or HTTPS, you could, for example, direct the Microsoft installer to pop up, or any other software, and then pass URLs to that software, which then may lead to arbitrary code execution. So this is a fairly easy-to-exploit scenario. And proof-of-concept exploits are available for this particular vulnerability that was patched this week. So definitely pay attention to this. In order to be vulnerable, you must open a markdown file, because the markdown may have things like URLs and, well, additional sort of markup in it. And that's sort of what's being exploited here. And Notepad is actually parsing markdown files. They don't have to have the .md extension. Other markdown files with other extensions may also be recognized as such, and the exploit will work.

Well, and that's it for today. So thanks for listening. Thanks for liking. Thanks for subscribing to this podcast. And as always, talk to you again tomorrow. Bye.
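The Notepad issue discussed above comes down to a link destination's scheme never being checked before the link is handed to the operating system. As an added example (not code from the podcast, the blog post it mentions, or Microsoft), here is a small Python audit that pulls link destinations out of markdown and flags any whose scheme is not http, https or mailto; the markdown sample and the `custom-handler` scheme are constructed, and the allow-list is an assumption you would tune per environment.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Schemes an editor should hand to the browser or mail client; any other
# scheme is dispatched to whatever handler is registered for it on the host.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Destinations of inline links [text](dest), reference definitions [id]: dest,
# and <autolinks>; a deliberately small subset of CommonMark.
INLINE_LINK = re.compile(r"\[[^\]]*\]\(\s*<?([^\s)>]+)>?")
REF_DEF = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?([^\s>]+)>?", re.MULTILINE)
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.-]{1,31}:[^\s<>]*)>")

def extract_destinations(markdown: str) -> list:
    """Collect every link destination, in document order, without duplicates."""
    dests = []
    for pattern in (INLINE_LINK, REF_DEF, AUTOLINK):
        dests.extend(pattern.findall(markdown))
    return list(dict.fromkeys(dests))

def link_scheme(dest: str) -> Optional[str]:
    """Scheme of a destination, lower-cased; None for a relative link."""
    # Drop surrounding whitespace and ASCII control characters, which some URL
    # handlers ignore; a naive check would otherwise miss "cust\x01om-handler:".
    cleaned = "".join(ch for ch in dest.strip() if ord(ch) > 0x1F)
    return urlsplit(cleaned).scheme.lower() or None

def audit_markdown(markdown: str) -> list:
    """Return (destination, scheme) for every link with a disallowed scheme."""
    findings = []
    for dest in extract_destinations(markdown):
        scheme = link_scheme(dest)
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            findings.append((dest, scheme))
    return findings

# Constructed sample; "custom-handler" stands in for any non-web scheme.
SAMPLE_MARKDOWN = (
    "Docs: [handbook](https://example.com/handbook) or <mailto:sec@example.com>.\n"
    "[Open it](custom-handler://payload)\n"
    "[Obfuscated](cust\x01om-handler:data)\n"
    "[Relative](docs/readme.md)\n"
    "[site]: HTTP://Example.org\n"
)

if __name__ == "__main__":
    for dest, scheme in audit_markdown(SAMPLE_MARKDOWN):
        print(f"disallowed scheme {scheme!r} in link destination {dest!r}")
```

Relative destinations carry no scheme and are reported as None rather than flagged, since they launch no external handler.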