Hello and welcome to the Wednesday, December 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

Well, today, of course, lots of patches to talk about. And first of all, Microsoft's Patch Tuesday for December. It was a lighter Patch Tuesday, only 57 vulnerabilities being addressed here. Only three of these vulnerabilities were rated as critical. And then we had one vulnerability that's already being exploited and two that are publicly disclosed. Now, about the already-being-exploited vulnerability, that is a privilege escalation vulnerability in the Microsoft Cloud Files Mini Filter driver, some of those driver issues. And yes, that's already being exploited. But again, only a privilege escalation vulnerability.

The publicly known but not yet exploited vulnerabilities: well, actually, the first one is Invoke-WebRequest, the PowerShell function that's often used maliciously, but of course, also in benign scripts. The problem here is that by default, you may actually execute code here. So there is this -UseBasicParsing parameter. And what they changed here was that if you just use Invoke-WebRequest, you'll actually get a warning telling you that you are here at the risk of actually executing code unless you add the -UseBasicParsing parameter. So really just clarified how to use this particular PowerShell function.

And then the second already known vulnerability. It's really sort of a class of vulnerabilities that we have seen, of course, quite frequently lately. And that's all these AI copilots. As you let them take over your IDE, your development environment, you, of course, run the risk that they'll overstep their bounds and will actually execute code. And of course, in some cases, an attacker may have some control over the code being executed here. And here it's the GitHub Copilot plugin for JetBrains. So JetBrains is not Microsoft, but a company that makes a lot of integrated development environments. And then, of course, Microsoft is responsible for the Copilot part that plugs into JetBrains. And that's sort of where they added some additional constraints. We'll see how well they work to prevent some of these malicious code executions.

Now, none of these vulnerabilities is rated critical. The critical ones are in Office and Outlook. So your good old Outlook and Office vulnerabilities we have every month. And with that, I don't really think that is a terribly exciting Patch Tuesday. Even like these three known and already exploited vulnerabilities aren't really that terribly big of a deal.

Next company to always release updates on Patch Tuesday is Adobe. And we got updates for five products, which is on the lighter side for Adobe. But two of these products are sort of on my watch list of likely-to-be-exploited products. One is ColdFusion. And we do have a big vulnerability here: an arbitrary code execution due to an unconstrained file upload. So very likely something where an attacker could upload some kind of web shell. The second product, Acrobat Reader. Also some code execution vulnerabilities being addressed here. And then again, that's typically being exploited by sending a malicious PDF to the victim.

And Ivanti also jumped in here on Patch Tuesday. This time again with an update for Endpoint Manager. One interesting vulnerability here: stored cross-site scripting in admin sessions. And this one rates with a CVSS score of 9.6. Certainly something where an attacker could do quite a bit of damage if they can essentially remote control an administrator's browser as part of an admin session.

And Fortinet is warning of an authentication bypass vulnerability that affects its FortiCloud single sign-on login. This affects all products that are configured with FortiCloud. And the mitigation here is, well, to turn it off until you update your device. Looks like some kind of cryptographic issue. Maybe algorithm confusion or something like that. And that's very common like in these single sign-on systems. If they haven't been validated properly or if they're using some outdated library and the like, that often leads to these types of vulnerabilities.

And I have no idea if Fortinet's software is written in Ruby. But we also had a patch today for the Ruby SAML library. Apparently, this is sort of one of those parser discrepancy issues, where different XML parsers interpret data slightly differently. And that often leads then to vulnerabilities where, for example, username or claims or such aren't parsed properly or differently in different parsers. They had a similar vulnerability, I think, a couple months ago and didn't completely fix it. So this is really just an additional fix for this older vulnerability to hopefully this time completely mitigate it.

Well, and this is it for today. Thanks for listening. And I would really appreciate a comment in the Apple Podcasts app. And that's it for today. Talk to you again tomorrow. Bye.
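The Invoke-WebRequest point from the Patch Tuesday segment above is one you can check for in your own script repositories. As an added example (not code from the Stormcast, from the ISC, or from Microsoft), the PowerShell function below parses a script with PowerShell's own AST parser and lists every Invoke-WebRequest (or its alias iwr) call that does not pass -UseBasicParsing. It assumes Windows PowerShell 5.1 semantics, where the non-basic default hands the response body to the Internet Explorer DOM engine; in PowerShell 7 the switch is accepted but has no effect because only basic parsing exists. The function name Find-UnsafeInvokeWebRequest and the sample script text are constructed for this example.

```powershell
# Added example: flag Invoke-WebRequest / iwr calls lacking -UseBasicParsing.
# Function name and sample input are constructed; the parser and AST types are
# the real System.Management.Automation.Language APIs.
function Find-UnsafeInvokeWebRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ScriptText,
        [string]$Path = '<inline>'
    )

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every command invocation, including those inside nested script blocks.
    $commands = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst]
    }, $true)

    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if ($null -eq $name) { continue }   # e.g. "& $someVariable": name unknown statically
        if ($name -notin @('Invoke-WebRequest', 'iwr')) { continue }

        # Accept the full switch name or an unambiguous prefix (-UseB and longer);
        # shorter prefixes would be ambiguous with -UseDefaultCredentials / -UserAgent.
        $hasBasic = $cmd.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            Where-Object {
                $_.ParameterName.Length -ge 4 -and
                'UseBasicParsing'.StartsWith($_.ParameterName, [StringComparison]::OrdinalIgnoreCase)
            }

        # Parameters supplied by splatting (@params) are not visible here and are
        # reported as findings; review those by hand.
        if (-not $hasBasic) {
            [pscustomobject]@{
                File    = $Path
                Line    = $cmd.Extent.StartLineNumber
                Command = $cmd.Extent.Text
            }
        }
    }
}

# Constructed sample script (not a real file) mixing safe and unsafe calls.
$sample = @'
$r = Invoke-WebRequest -Uri https://example.com/status
iwr https://example.com/health -UseBasicParsing
Invoke-WebRequest -UseBasicParsing -Uri https://example.com/feed | Select-Object -ExpandProperty Content
'@

Find-UnsafeInvokeWebRequest -ScriptText $sample -Path 'sample.ps1' | Format-Table -AutoSize

# To audit a directory of scripts instead of the inline sample:
# Get-ChildItem -Path . -Recurse -Filter *.ps1 |
#     ForEach-Object { Find-UnsafeInvokeWebRequest -ScriptText (Get-Content $_.FullName -Raw) -Path $_.FullName }
```

Because the check works on the parsed AST rather than a regular expression, it also catches calls buried in functions, pipelines and nested script blocks, and it is not fooled by the string "Invoke-WebRequest" appearing inside a comment or a quoted literal.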