Hello and welcome to the Monday, January 12, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in Applied Cybersecurity.

Got some diaries to talk about from this weekend. First, Xavier, again, about malware analysis tricks, in this particular case about malicious process environment blocks. The process environment block is a data structure that's maintained with Windows processes, holding things like, for example, the command line being used to execute the process and other metadata about the particular process. Now, of course, the process was started by the user. This structure is read-writable by the user, which means that any process can manipulate that structure as well and leave bad information in this structure. So Xavier is going a little bit over how to accomplish this, some proof-of-concept code here, how to rewrite the particular structure for a process that the user can get a handle on. And well, then also how to hide this particular structure, not just manipulate it. So an interesting post for anybody doing malware analysis. If you wonder how you actually get the real structure: well, the trick here, as Xavier points out, is to actually log the structure on process creation, before the process gets a chance to manipulate it.

And Dirac wrote a quick diary about the latest version of YARA, 1.11.0, and how it's adding hash function warnings. What this means is that if you're matching a hash function in a YARA rule, but the hash that you're using couldn't possibly match this particular hash function because it's too long, for example, then you'll get a warning that this particular match will never be fulfilled. And well, it's supposed to catch things like typos in hashes that you may have, like, you know, if you add an extra space or such, which of course often happens when you simply copy-paste these hashes.

And the VideoLAN project did release an update for VLC, the video player that is sort of the showcase product of VideoLAN. And yes, its code is used quite a bit and is quite popular if you're trying to do things like video conversions or simple video streaming and the like. So there are about 16 issues that are being fixed in this update. There's only one CVE assigned to the update. They're a little bit vague on the exact impact of the vulnerabilities, but they're essentially memory corruption vulnerabilities. So what they're saying here is that yes, we know they'll crash the system; whether or not they can be used to do something like remote code execution or data leakage, well, that depends a little bit on how this is actually compiled and, you know, what other kind of conditions exist on a particular system. I would definitely recommend updating VLC. It has been exploited in the past. So given its popularity, it's something that you want to maintain. On a Linux system that should be pretty straightforward with just a simple apt update or whatever your distribution uses. On other operating systems, it's often installed as a third-party product. So make sure that it's getting updated.

And the Apache project did release a security update for its NimBLE Bluetooth Low Energy stack. This Bluetooth Low Energy stack is typically found in IoT devices. So it's one of those things where you usually have to wait for vendor updates to fix these issues for you. There are two particularly interesting vulnerabilities. One allows the attacker to actually take over an existing pairing connection. So you have your phone or whatever connected to a particular Bluetooth Low Energy device, and then the attacker can inject a packet that will basically take over that connection. There's also sort of a pause encryption feature in Bluetooth Low Energy that's apparently badly implemented here and can lead to data being leaked, in addition to a couple of other lower-priority vulnerabilities.

And Red Hat in an advisory is warning of a newly patched vulnerability in the Undertow HTTP server core. Undertow is basically a web server, and it's often used with Java applications. Red Hat is pointing out here WildFly and JBoss EAP in their advisory, but other Java applications may be affected as well. And the problem here is that Undertow is not validating the Host header correctly in HTTP requests it receives. It just passes them on to the application. And if the application, of course, counts on the server doing the input validation here, well, then you end up with a problem. From an application developer point of view, it probably wouldn't hurt to validate data like that that you are receiving from the web server. But either way, probably something that you do want to update, in particular if you're running one of these explicitly named applications in the advisory.

Well, and that's it for today. So thanks for listening. Thanks for subscribing. Thanks for recommending this podcast. Remember, we still have that contest going on: if you find a mistake in the podcast, just send me an email or contact me via social media, and you qualify for an Internet Storm Center sticker. So that's it for today, and talk to you again tomorrow. Bye.
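As an added illustration of the Undertow point above (validating the Host header in the application rather than trusting the server to do it), here is a small application-side check. This is example code written for this page, not Undertow's, WildFly's or Red Hat's; the allowlist, the listening port and the sample header values are constructed assumptions.

```python
"""Host header validation at the application layer.

Illustrative code added for the Undertow point above, not Undertow's or
Red Hat's; the allowlist, port and sample headers are constructed for the demo.
"""
import re

# Hostnames this application is willing to answer for (constructed).
ALLOWED_HOSTS = {"app.example.com", "localhost"}
# Port the application is actually served on; any other explicit port is rejected.
LISTEN_PORT = 443

# Strict host[:port] syntax: letters, digits, '-' and '.' for the host,
# optional ':' followed by up to five digits for the port.
_HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]{1,253})(?::(?P<port>\d{1,5}))?$")


def validate_host(header_value):
    """Return the canonical hostname if the Host header is acceptable, else None.

    Rejects a missing or empty header, a syntactically invalid host, a port
    other than LISTEN_PORT, and any host that is not on the allowlist.
    """
    if header_value is None:
        return None
    m = _HOST_RE.match(header_value.strip())
    if not m:
        return None
    host = m.group("host").lower().rstrip(".")  # case and trailing-dot normalisation
    port = m.group("port")
    if port is not None and int(port) != LISTEN_PORT:
        return None
    return host if host in ALLOWED_HOSTS else None


def build_self_url(headers, path):
    """Build a URL pointing back at this site (redirects, e-mailed links)
    from the validated host only, never from the raw header value."""
    host = validate_host(headers.get("Host"))
    if host is None:
        raise ValueError("rejected Host header")
    return "https://%s%s" % (host, path)


if __name__ == "__main__":
    # Constructed sample headers: the first two are accepted, the rest refused.
    for value in ("app.example.com", "APP.EXAMPLE.COM:443", "other.example.net",
                  "app.example.com:8080", "app.example.com/evil", ""):
        print(repr(value), "->", validate_host(value))
    print(build_self_url({"Host": "app.example.com"}, "/reset"))
```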