Hello and welcome to the Thursday, July 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Graduate Certificate Program in Incident Response, is recorded in Jacksonville, Florida.

In diaries today, I just did a quick write-up about setting up your own certificate authority for development purposes. So this particular write-up doesn't focus on how to do it super securely, but on how to do it conveniently and integrate it well with various development tools and development websites that you may have, which in particular also means integrating it with the ACME protocol. The ACME protocol, you may be familiar with it from tools like Certbot that are commonly used to retrieve certificates from Let's Encrypt. But if you set up your own certificate authority, well, you want to stay simple and use tools like that. Well, and you actually can use Certbot. There is an open source certificate authority from Smallstep that implements the ACME protocol, relatively straightforward to set up. They also have commercial products, but this particular product is free and open source and also well-documented and not really all that difficult to set up. One thing to particularly note if you are using your own internal certificate authority is that you're not bound by any of the constraints of some of the public certificate authorities. Like, for example, the certificate lifetime: you can create longer, shorter certificates, whatever you would like. You just have to add that certificate authority manually to your operating system or to your browser's list of trusted certificate authorities. Also, keep in mind that when you're doing this, your certificates will not show up in certificate transparency lists. That's actually a big advantage for development websites. So you're not leaking the names of these websites to the world.

And researchers from the University in Wien and Bayreuth have identified an interesting vulnerability in Android that reminds me very much of clickjacking in web applications. In clickjacking, an attacker would include a transparent iframe on their site. That iframe would then include some user interface element the attacker would like the victim to click on. And then, well, the victim is tricked into clicking on that invisible user interface, usually some kind of permission button. This is very similar to what's happening here with what they call TapTrap on Android. In Android, an application may be able to interact with other applications, in particular, open up certain user interface elements. According to the researchers, 70% of the applications they looked at in the Google Play Store are vulnerable to this in that they don't restrict what the calling application can do to the dialog that is being opened. In particular, the calling application may set an animation. That animation includes setting the transparency of the dialog. And then you basically have the simple clickjacking again, where the user is being tricked into clicking on a particular element in that animated window. That window is invisible because of the transparency setting. The other issue here is that these applications also allow interaction with that dialog while it's being animated. So from a defensive point of view, application developers need to make sure that any user elements that other applications have access to cannot be rendered with a custom animation. And you probably also don't want to allow the user to interact with that element while it's being animated, but wait for the animation to complete.

And a little bit of Patch Tuesday cleanup. We also got updates from Adobe that I didn't cover yesterday. 13 different products here are being updated. The one that I'm sort of always paying a little bit of attention to is ColdFusion. Because of course, that's typically exposed in the form of your websites. ColdFusion here addresses a number of vulnerabilities that you probably should pay attention to. For example, there are a few arbitrary file system read vulnerabilities, as well as some remote code execution vulnerabilities that you probably should pay attention to.

Well, and that's it for today. Thanks for listening. Thanks for liking, subscribing. And also thanks for commenting and leaving comments in, like, Apple's podcast platform about the podcast. And talk to you again tomorrow. Bye.