Hello and welcome to the Wednesday, August 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

Well, it's Patch Tuesday, so we got to start with that. We got patches for a total of 111 different vulnerabilities. 17 of them were classified as critical, and one of the vulnerabilities was already disclosed prior to this patch, but, well, not yet exploited, and also it's just a moderate vulnerability. Looking at the vulnerabilities this month, there is sort of one thing that I think is here for the first time, at least that I noticed it. And that is that we are seeing some cloud vulnerabilities being disclosed here, like these Azure OpenAI and Azure Portal Elevation of Privilege vulnerabilities. This is something that Microsoft does now in order to be more transparent about vulnerabilities in its cloud infrastructure. A few months ago, or was it a year or so ago, they sort of started that push to basically do what they did with trusted computing back in the day for their cloud properties. And the good part here is that there's nothing you need to do about these vulnerabilities. These are vulnerabilities that Microsoft has already taken care of for you because, well, they're in software that Microsoft operates in its cloud. Interestingly here, the Azure OpenAI Elevation of Privilege vulnerability got a complete 10 out of 10 for its CVSS score. I couldn't really find a lot of details about this vulnerability, but it is definitely interesting that an elevation of privilege vulnerability is getting a full 10 here. There are a couple of other sort of critical vulnerabilities that fall in this category. Pretty much the top few vulnerabilities in our table that are critical are all Azure vulnerabilities. Of the remaining critical vulnerabilities, many are in Office products, and then there is also sort of the usual set of graphics drivers and such that are vulnerable and, well, that lead to remote code execution vulnerabilities and are as a result rated critical. Aside from that, I don't think there's anything sort of super exciting here in this particular release. Like I said, many of the critical vulnerabilities, about half of them, are these cloud vulnerabilities, so nothing really for you to take care of. Apply the remaining patches as they apply to you with sort of, you know, the usual caution, and use your vulnerability management program. Nothing really to sort of specifically escalate here.

There is one vulnerability where we also now have a blog post with additional details, and this is an interesting one. This vulnerability is rated important. It's yet another one of those NTLM disclosure vulnerabilities in, well, of all things, link files, which, I don't know, are a fairly straightforward file format, but there are still never-ending issues with them. The old vulnerability here was essentially where the icon location could point to an SMB share, and then the user would basically be tricked by clicking on this into loading the icon from the SMB share, and that would release NTLM hashes. The new variety of this vulnerability, well, it's basically just the next field here, the target path where basically the executable is located. That's, you know, what they're now using to trigger the request to an SMB share. I hope they tested the shortcut path as well, that that's not vulnerable; that would be the third vulnerability here in this particular file, or maybe that was a prior vulnerability. I'm not really tracking all of these link file vulnerabilities. But yeah, NTLM, I talked about this many times before: they have a never-ending supply of these sort of SMB share leak vulnerabilities. Block port 445 outbound to at least prevent these hashes from leaking outbound, and if possible disable NTLM. That's where Microsoft is moving in the medium to long term, to basically disable NTLM and switch all the way to Kerberos. Now, the one already disclosed vulnerability is actually a Kerberos vulnerability, but again, that one is rated only moderate. So that's sort of the quick summary here of the Microsoft vulnerabilities. Like I said, an average Patch Tuesday, I would call it.

And then we have an interesting decompression library vulnerability. This time it's libarchive, and it's not a directory traversal vulnerability, but, well, a good old unsigned integer overflow vulnerability that can lead to arbitrary code execution. The reason I mention this vulnerability now is a little bit where the odd part comes in. It was originally disclosed on May 10th. There was also a proof of concept submitted with the vulnerability announcement, but it originally only got a CVSS score of 3.9. So basically not really noteworthy. In part, I believe, because in order to actually exploit the vulnerability, you need to create an archive with at least 4 billion nodes. So you have that good old 32-bit overflow issue happening here. And that requires at least 103 gigabytes of memory. So there are basically not a ton of systems out there where it is exploitable. But in particular, if you think about servers and such, they certainly often do these days have more than 103 gigabytes of memory. And that's why lately, and that was really just last week, this vulnerability was upgraded to a critical CVSS score, and FreeBSD also, kind of in response to that, published its own advisory with the related patches. The other interesting part of libarchive is that it's, well, part of pretty much anything that compresses, and it's not limited to BSD and Linux, but it's also used on Windows. So definitely watch out for updates for this. I could see that, for example, particular anti-malware tools probably use libarchive in order to look into compressed files, and they may certainly be an attack target here for this vulnerability.

And then of course we have to talk about Adobe on Patch Tuesday. We got patches for 13 of Adobe's products. The one that I always focus on is Adobe Commerce. Adobe Commerce did receive updates for a number of different vulnerabilities. They do have a priority rating of two, which means that, well, Adobe Commerce is likely going to be attacked. That's really all this means. And I certainly agree with that. We have seen a lot of attacks like this. However, on the good side, even though there are a number of critical vulnerabilities, all but the denial of service vulnerabilities require authentication to exploit them. Not just authentication, but also admin privileges, other than this security feature bypass vulnerability that does not require admin privileges but only has a CVSS score of 5.9. So patch, certainly, just because people will in particular go after the security feature bypass issues as sort of enabling vulnerabilities. Other than that, nothing really too critical, luckily, here for the Adobe Commerce users.

Well, and this is it for today. So thanks again for listening, and talk to you again tomorrow. Bye.
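The link file (.lnk) passage above describes two fields an attacker can point at an SMB share, the icon location and the target path, so that Explorer reaches out over port 445 and leaks an NTLM response. The following is an added example, not code from the Stormcast or from Microsoft: a minimal MS-SHLLINK parser that pulls the LinkInfo target path and the StringData fields (relative path, working directory, arguments, icon location) out of a shortcut and flags any that are UNC paths, which is the check a mail gateway or endpoint pipeline would run on downloaded shortcuts. Only the fields needed for that check are decoded; other structures are skipped by their size prefixes. The `build_sample_lnk` fixture builder, the `EXAMPLE-SHARE` host name and all file names are constructed for the demonstration; Unicode LinkInfo offsets and VolumeID are not handled, which is fine for the fixtures but a production scanner would cover them.

```python
"""Flag .lnk shortcuts whose target or icon points at a remote SMB share."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# ShellLinkHeader LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# LinkInfoFlags bits (MS-SHLLINK 2.3)
LOCAL_BASE_PATH, NETWORK_RELATIVE_LINK = 0x01, 0x02
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def _link_info_target(info):
    """Rebuild the target path from a LinkInfo structure (ANSI offsets only)."""
    flags, suffix_off = struct.unpack_from("<I", info, 8)[0], struct.unpack_from("<I", info, 24)[0]
    suffix = _cstr(info, suffix_off) if suffix_off else ""
    if flags & NETWORK_RELATIVE_LINK:            # \\server\share + CommonPathSuffix
        cnrl_off = struct.unpack_from("<I", info, 20)[0]
        net_name_off = struct.unpack_from("<I", info, cnrl_off + 8)[0]
        net_name = _cstr(info, cnrl_off + net_name_off)
        return net_name + "\\" + suffix if suffix else net_name
    if flags & LOCAL_BASE_PATH:                  # LocalBasePath + CommonPathSuffix
        return _cstr(info, struct.unpack_from("<I", info, 16)[0]) + suffix
    return ""


def extract_paths(blob):
    """Return the path-like fields of a .lnk blob as {field: value}."""
    if len(blob) < 0x4C or blob[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    pos, fields = 0x4C, {}
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList by its 16-bit size
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:
        size = struct.unpack_from("<I", blob, pos)[0]
        fields["target"] = _link_info_target(blob[pos:pos + size])
        pos += size
    for bit, name in STRING_FIELDS:              # StringData: u16 char count + chars
        if flags & bit:
            count = struct.unpack_from("<H", blob, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = blob[pos:pos + width * count]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return fields


def remote_references(blob):
    """(field, value) pairs whose value is a UNC path, i.e. would trigger SMB."""
    return sorted((k, v) for k, v in extract_paths(blob).items() if v.startswith("\\\\"))


def build_sample_lnk(target, icon_location):
    """Constructed test fixture: LinkInfo carries `target`, StringData carries the icon.

    A UNC target becomes CommonNetworkRelativeLink + CommonPathSuffix; a local one
    becomes LocalBasePath (VolumeID omitted, as the parser above never reads it).
    """
    if target.startswith("\\\\"):
        net_name, _, suffix = target.rpartition("\\")
        # size, flags(ValidNetType), NetNameOffset, DeviceNameOffset, WNNC_NET_LANMAN
        cnrl = struct.pack("<IIIII", 0x14 + len(net_name) + 1, 0x2, 0x14, 0, 0x20000)
        cnrl += net_name.encode("latin-1") + b"\x00"
        body = cnrl + suffix.encode("latin-1") + b"\x00"
        info_flags, offsets = NETWORK_RELATIVE_LINK, (0, 0, 0x1C, 0x1C + len(cnrl))
    else:
        body = target.encode("latin-1") + b"\x00" + b"\x00"   # base path + empty suffix
        info_flags, offsets = LOCAL_BASE_PATH, (0, 0x1C, 0, 0x1C + len(target) + 1)
    link_info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, info_flags, *offsets) + body
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_LINK_INFO | HAS_ICON_LOCATION | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))     # attributes, timestamps, etc. zeroed
    icon = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + link_info + icon


if __name__ == "__main__":
    # Old variant from the text: local target, icon fetched from a share.
    old = build_sample_lnk("C:\\Windows\\System32\\notepad.exe", "\\\\EXAMPLE-SHARE\\icons\\app.ico")
    # New variant from the text: the target itself lives on a share.
    new = build_sample_lnk("\\\\EXAMPLE-SHARE\\public\\tool.exe", "%SystemRoot%\\system32\\shell32.dll")
    for label, blob in (("old", old), ("new", new)):
        print(label, remote_references(blob))
```

Run over real shortcuts, `remote_references(open(path, "rb").read())` returning a non-empty list is the alert condition; pairing it with the outbound port 445 block mentioned in the episode means a hit is contained even before the user clicks.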