Hello and welcome to the Wednesday, July 23rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

SharePoint is still at the top of everybody's mind, and the ToolShell vulnerability is still being exploited. Microsoft has now also released an update for SharePoint 2016. Yesterday, we only had the update for 2019 and for the Subscription Edition. Another thing to point out here: there are actually two files that you need to download and apply for 2019 and 2016. The first one is the security update for SharePoint itself. And then there is a second one, the language pack. When you install the security update for Microsoft SharePoint, you will have to reboot your system, and then you'll apply the language pack. The language pack update does not require another reboot, but you can't apply them at the same time. If you try it to save some time, well, they're actually then failing. So, make sure you apply one after the other.

There's another thing that I think has been a little bit overlooked in all of this. And that's step four here in Microsoft's response timeline that they published. That's part of this update. The early exploits that were used against SharePoint that took advantage of this vulnerability all had in common that they stole the system's machine keys. And, well, that's actually a common thing to do if you're exploiting a .NET application. Because if you do have the machine keys, you can then fake a ViewState. And, essentially, you can come back and exploit the system again. So, if you're just updating the patch and removing any backdoors or web shells or other files that you may find that an attacker may have created, this is not sufficient if the attacker stole the machine keys. You must update the machine keys. Otherwise, you're opening yourself up to a repeat compromise.

And Didier found an interesting little privacy issue that comes up if you're using WinZIP 710 or later. The issue here is, well, the good old Mark of the Web. I'm mentioning this at least like once a week or so here on the podcast. But, typically, on Windows, the Mark of the Web includes a zone ID of 3, indicating that the file was downloaded from the Internet. And then it also typically includes the URL it was downloaded from. Well, that, of course, is something that you may not necessarily want to tell people that you're sending files to. So, WinZIP now has the option, and that's the default setting, to only include the zone value. So, the recipient of a zip file, including files that were downloaded from the Internet, will still know that, hey, these files were downloaded from the Internet. But they will no longer be able to see what website the particular file was downloaded from. You can uncheck this particular value, and then it will behave just like it used to in older versions.

And the FBI, with other government agencies, has published a nice write-up about the Interlock ransomware. CISA and the FBI have done this a number of times in the past for various ransomware groups. This is not usually because this particular malware is brand new, but because it is sort of one of the dominating ransomware samples that they're seeing these days. It has very nice, hands-on information about how to detect and how to prevent this particular ransomware. Apparently, this ransomware often arrives as, essentially, a fake browser update. And that is then being installed by the user. So, not so much hoping for technical exploits here. They're also using the famous ClickFix technique, where, essentially, the user is tricked into copy-pasting some PowerShell code into their system. Well, with sort of the pretense of having to bypass a CAPTCHA in order to move on to the next page.

And Sophos released an update for its firewalls, fixing a total of five different vulnerabilities, two of which are rated critical by Sophos. One of the critical vulnerabilities is an arbitrary file write vulnerability that may lead to arbitrary code execution without authentication. The next critical one is a SQL injection vulnerability in their transparent SMTP proxy, which they call a legacy feature. Both of these vulnerabilities only apply to very specific features. For example, the arbitrary file upload vulnerability only applies to devices in high-availability mode. And, well, Sophos thinks that's only 0.05% of devices. Same for the SQL injection vulnerability. This SMTP proxy is a legacy feature. And Sophos thinks only 0.73% of users have this feature enabled. So, get it updated. You never know if you're going to enable one of those features by mistake or maybe intentionally, and get it out of the way. Also, some of these high vulnerabilities and such are probably things that you should better update.

Well, and that's it for today. So, thanks again for listening, and talk to you again tomorrow. Bye.
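The machine-key point from the SharePoint segment, as an added illustration that is not part of the episode or of Microsoft's guidance: a simplified HMAC model of a MAC-protected ViewState. Real ASP.NET serializes control state with LosFormatter and keys the MAC with the machineKey validationKey; this model only keeps the property that matters for the response decision, namely that any state signed under a key the server still trusts is accepted, so patching and removing web shells without rotating the key leaves attacker-signed state valid. All key values are generated placeholders, not SharePoint values.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Simplified model: blob = base64(payload || HMAC-SHA256(key, payload)).
# The key stands in for the ASP.NET machineKey validationKey; it is
# generated here and is not a real SharePoint or web.config value.
MAC_LEN = hashlib.sha256().digest_size


def generate_machine_key() -> bytes:
    """Create a fresh random validation key (stand-in for a machineKey rotation)."""
    return secrets.token_bytes(32)


def sign_state(payload: bytes, key: bytes) -> str:
    """Produce a MAC-protected state blob that a server holding `key` accepts."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_state(blob: str, key: bytes) -> Optional[bytes]:
    """Return the payload if the MAC verifies under `key`, otherwise None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def repeat_compromise_check(rotate_keys: bool) -> dict:
    """Model the two response options from the episode.

    State was signed under the key exfiltrated during the initial compromise.
    After the patch and web-shell cleanup the server either keeps that key
    (rotate_keys=False) or holds a freshly generated one (rotate_keys=True).
    Returns whether the previously signed blob is still accepted.
    """
    server_key = generate_machine_key()
    exfiltrated_key = server_key  # copy of the key taken during the incident
    old_blob = sign_state(b"state signed before the cleanup", exfiltrated_key)

    # Patch applied and files cleaned up; the key either stays or is rotated.
    if rotate_keys:
        server_key = generate_machine_key()

    still_accepted = verify_state(old_blob, server_key) is not None
    return {"rotated": rotate_keys, "old_state_still_accepted": still_accepted}


if __name__ == "__main__":
    print(repeat_compromise_check(rotate_keys=False))  # old_state_still_accepted: True
    print(repeat_compromise_check(rotate_keys=True))   # old_state_still_accepted: False
```

The second call is the outcome the episode asks for: once the key is rotated, nothing signed under the exfiltrated key verifies, so the cleanup actually closes the door rather than leaving it on the latch.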
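For the Mark of the Web segment, an added example that is not from the episode or from any archiver's code: a small parser for the Zone.Identifier alternate data stream that Windows attaches to downloaded files, plus a function that keeps only the ZoneId, which is the zone-only behaviour described above. The section and key names ([ZoneTransfer], ZoneId, ReferrerUrl, HostUrl) are the real ones; the sample stream content and its URLs are constructed placeholders.

```python
from typing import Dict

# Constructed sample of a Zone.Identifier stream as Windows writes it for a
# browser download (CRLF line endings). URLs are placeholders.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://cdn.example.invalid/files/report.zip\r\n"
)

# URL security zone values used in the ZoneId field.
ZONE_NAMES = {
    "0": "Local machine",
    "1": "Local intranet",
    "2": "Trusted sites",
    "3": "Internet",
    "4": "Restricted sites",
}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the [ZoneTransfer] section into a key/value dict.

    Other sections are ignored and lines without '=' are skipped, so a
    stream with unexpected content degrades to fewer fields, not an error.
    """
    values: Dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def leaked_origin(text: str) -> Dict[str, str]:
    """Return only the fields that reveal where the file was downloaded from."""
    fields = parse_zone_identifier(text)
    return {k: v for k, v in fields.items() if k in ("HostUrl", "ReferrerUrl")}


def minimize_zone_identifier(text: str) -> str:
    """Keep the ZoneId and drop HostUrl/ReferrerUrl.

    The recipient still sees that the file came from the Internet zone,
    but not from which site. Returns '' if there is no ZoneId to preserve.
    """
    zone = parse_zone_identifier(text).get("ZoneId")
    if zone is None:
        return ""
    return f"[ZoneTransfer]\r\nZoneId={zone}\r\n"


def describe_zone(text: str) -> str:
    """Human-readable name for the stream's ZoneId."""
    zone = parse_zone_identifier(text).get("ZoneId", "")
    return ZONE_NAMES.get(zone, f"unknown zone {zone!r}")


if __name__ == "__main__":
    print("origin fields present:", leaked_origin(SAMPLE_ZONE_IDENTIFIER))
    trimmed = minimize_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print("after minimizing:", parse_zone_identifier(trimmed), describe_zone(trimmed))
```

Running it shows the trade-off the episode describes: the minimized stream still classifies the file as Internet zone, so SmartScreen-style warnings keep working, while the referrer and host URLs that identify the download site are gone.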