Hello and welcome to the Wednesday, June 11, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and this episode, brought to you by
the SANS.edu Bachelor's Degree Program in Applied
Cybersecurity, is recorded in Jacksonville, Florida. Well,
of course, today we have to start with Microsoft Patch
Tuesday. Microsoft released a little bit lighter, I would
say, than average Patch Tuesday with 67
vulnerabilities being patched, 10 vulnerabilities being rated
critical and then one being already exploited and one
being disclosed before today. It was actually one of the 67
vulnerabilities that had already been patched,
announced by Microsoft before today. But anyway, so let's
take a look at some noteworthy vulnerabilities here. The
first one, of course, the one that's already being
exploited. This is a WebDAV vulnerability. If you're not
familiar with WebDAV, it's an extension to HTTP. It is
essentially allowing you to use a web server, kind of like
a remote file system, SharePoint and systems like
this. I have also seen this sometimes being
used, for example, to manage files on a web server. Not
the greatest idea, but certainly has been used like
this. When I first saw WebDAV, I was a little bit afraid that
this is something like an IIS or the server component here.
However, this is in the client component. In order to exploit
this, you have to trick the client to actually connect to
a particular WebDAV resource. Well, this is not necessarily
that crazy difficult. The really interesting part here,
and sort of a little bit of difficult part here, is that
this vulnerability is in one of these leftover components
from Internet Explorer. So even if you don't use Internet
Explorer, you still have scripting engine, you have
MSHTML running on your system that's sort of left behind
from Internet Explorer. These libraries are still being
used, and that's where the vulnerability comes to play
here. So in order to patch this vulnerability, you must
apply the IE cumulative update, the Internet Explorer
cumulative update. So in this particular, if you're sort of
more selective in what patches you apply, you have to be a
little bit careful with this. The already known but not
exploited vulnerability is just the privilege escalation
vulnerability in the Windows SMB client. Yes, it can get
you to system privileges, but Microsoft actually considers
exploitation less likely for this vulnerability. And yes,
the victim here has to connect to a malicious SMB server.
Next, a couple critical vulnerabilities that are, I
think, noteworthy. First of all, there's an
unauthenticated remote code execution vulnerability in the
remote desktop service. I think that's the third month
in a row or so where we have these timing vulnerabilities.
And they're difficult to exploit. That's why Microsoft
thinks that it's less likely that we'll see an exploit for
this vulnerability. I don't think there was one for the
prior similar vulnerabilities. But RDP, of course, always a
big target. However, usually the exploit attempts are
really just brute forcing. Now, the second interesting
critical vulnerability that we have here is a problem in
Microsoft's cryptographic services. Basically, the
library that implements a lot of cryptographic protocols
like TLS. And there's apparently sort of some
use-after-free vulnerability or such that allows arbitrary
code execution. Again, Microsoft suggests that
exploitation is less likely. That's a highly complex
exploit if it should ever materialize. However, given
the ubiquity of this library and basically where
potentially everything TLS could be affected, I
definitely would keep an eye out for this one to see if
there is an exploit materializing for it. This
could become a huge deal, but we really don't know enough at
this point to adequately sort of give advice whether you
should patch that now or such. I would definitely not put it
in the patch now category for now. Just follow your standard
patch procedures on this. And then, so a little bit, the
interesting one here but also boring one. Yes, many of the
critical vulnerabilities in this update affect Microsoft
Office. It's a little bit unusual to see critical
vulnerabilities in Microsoft Office because usually
Microsoft does not rate an Office vulnerability as
critical if they require you to open a document. Well, in
this case, you get code execution just by previewing
the document. So this makes them critical. Anyway, as I
said, I don't see any vulnerability here that I
would call a patch now vulnerability. Patch them, you
know, according to your standard procedure, hopefully
before next Patch Tuesday in July. Well, on Patch Tuesday,
of course, we also got patches from other companies, not just
from Microsoft. For example, Adobe delivered patches for
seven of its products. The ones I always look for are
Adobe Commerce and Adobe Acrobat Reader. Both of them
have vulnerabilities patched this month for Adobe Commerce.
One of them is actually a remote code execution
vulnerability via reflective cross-site scripting. The
issue here, however, is that all the vulnerabilities in
Adobe Commerce that are being patched this month require
authentication for exploitation, which, of
course, makes them a little bit less likely to be an
issue. For the Acrobat Reader vulnerabilities, on the other
hand, while there are a number of code execution
vulnerabilities, all of these different memory management
vulnerabilities that we're used to in Adobe Acrobat. And,
of course, there is a very good probability that
exploitation will happen for them, sort of given past
history. Well, that's pretty much it for today. A couple
other updates from SAP, Ivanti, Fortinet, and the
like. None of them really being so super critical to
waste a lot of time on right now. But, as usual, be aware
there are always some additional updates that sneak
in on Patch Tuesday. That's it for today. Thanks for
listening and talk to you again tomorrow. Bye.