Hello and welcome to the Wednesday, November 12, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Graduate Certificate Program in Cyber
Defense Operations. And of course, today we have to start
with Microsoft's Patch Tuesday. Microsoft patched,
according to our count, 80 different vulnerabilities.
I've seen others come up with 60-something vulnerabilities.
Again, that all depends on what exactly you're counting
here, and whether some of the Edge vulnerabilities, which are
really Chromium vulnerabilities, are being included or not. But
either way, we got one vulnerability that is actually
actively being exploited and five that Microsoft rated
critical. So first, let's start with the actively
exploited vulnerability. That's actually just an
important vulnerability. It's a privilege escalation
vulnerability in the Windows kernel. We had plenty of them
before, so I wouldn't really get too overly excited about them.
They're usually parts of more complex attack chains. But by
themselves, these vulnerabilities, because we
had so many of them in the past, are relatively
straightforward to exploit for an attacker. Looking at some
of the critical vulnerabilities, we do have a
remote code execution vulnerability in GDI+. The
reason I emphasize this one in particular is because pretty
much any image being rendered at some point goes through
GDI+. So there's a huge attack surface here. And this is
definitely a vulnerability that you need to watch. There
was also a second, a little bit similar vulnerability, a
DirectX vulnerability that Microsoft calls a privilege
escalation issue, but still rates it as critical, which is
a little bit unusual. Usually privilege escalation is
important, but of course, it all depends on the details. We
also got critical vulnerabilities in Microsoft
Office. Again, big attack surface here. So definitely a
vulnerability to watch. Overall, this Patch Tuesday
was, I think, a little bit lighter than sort of an
average Patch Tuesday, even though we did have, yes, a
zero-day. But like I said, it's not really, to me at
least, an exciting zero-day. And I would suggest you just
apply these patches according to your vulnerability
management procedure. Don't do anything special here. There's
no reason to rush it out, which of course always has its
own risks associated with it. But then let's talk a little
bit about vulnerabilities that excite me a little bit more.
And one of them is in Gladinet's TrioFox file
sharing and remote admin tool. This tool was found to be
vulnerable during an incident response that Mandiant
conducted. So this is an already exploited
vulnerability. The big issue here is that this TrioFox
server includes code that will consider all
requests as trusted if the host name is localhost. So
this is a pretty stupid decision, of course. And yet
again, one of those cases where headers are being
trusted that never should be trusted because they come from
users. And we all know all users are evil. Using this
spoofed host header, an attacker is able to access the
admin database page. This page then allows them to add
themselves as an administrator to the system. Once they're an
administrator, they're able to reconfigure the antivirus
setup for TrioFox. Nice. They actually have an antivirus
feature built in and it allows an administrator to basically
pick different antivirus engines and also upload their
own binary to act sort of as an antivirus scanner. So the
attacker now uploads a binary, then configures it as an
antivirus scanner, which will mean they now have arbitrary
code execution on the system. So interesting exploit chain,
but really the fundamental vulnerability is not that the
administrator can run code. That's a feature and that's a
legitimate feature here. But the problem is that they are
just simply trusting the host header, which never should be
trusted. And talking about miscellaneous vulnerabilities,
well, we got updates for Ivanti Endpoint Manager. Friend
of the show, it doesn't disappoint here with a path
traversal vulnerability that allows an unauthenticated
attacker to achieve remote code execution by enabling
arbitrary file writes. There is user interaction required
here, which is why this does not get us the complete 10.0
CVSS score, but only 8.8. Essentially, the attacker
needs to trick the user into doing a malicious file import here
in order for the attack to work. I'm not sure how you would
pull this off; I'm not familiar enough with this product to
really know how to exploit this vulnerability, but
typically some kind of phishing email or something
like this, some social engineering, may be all that's
needed here in order to get full access to your Ivanti
Endpoint Manager. Well, and this is it for today. So
thanks again for listening. Thanks for liking. Thanks for
subscribing to this podcast. I think on YouTube we just
hit 5,000 subscribers. So people are looking at the
video version as well. Thanks for that. And talk to you
again tomorrow. Bye.
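The Host header trust problem from the TrioFox segment above, as an added example that is not part of the podcast or of Gladinet's code: the vulnerable "trust whoever says localhost" check beside a hardened check that decides on the TCP peer address, plus a small detector over a constructed access-log format (the "/admin/db" path and log layout are placeholders, not the product's real URLs or logs).

```python
import ipaddress
import re

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def host_name(value: str) -> str:
    """Strip port (and IPv6 brackets) from a Host header value."""
    value = value.strip().lower()
    if value.startswith("[") and "]" in value:      # e.g. "[::1]:8080"
        return value[1:value.index("]")]
    return value.split(":")[0]

def is_loopback_addr(addr: str) -> bool:
    """True only for a genuine loopback peer address (127.0.0.0/8, ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def trusted_vulnerable(headers: dict) -> bool:
    """Anti-pattern from the TrioFox bug: any client can send Host: localhost."""
    return host_name(headers.get("Host", "")) in LOOPBACK_HOSTS

def trusted_hardened(headers: dict, remote_addr: str) -> bool:
    """Fix: trust is decided by the TCP peer address; the Host header plays no part."""
    return is_loopback_addr(remote_addr)

# Constructed access-log format: <client_ip> <Host header> "<request line>" <status>
LOG_RE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+) [^"]*" (\d{3})$')

def spoofed_localhost_requests(log_lines):
    """Detection: Host claims loopback, but the peer address is not loopback."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, host, _method, path, status = m.groups()
        if host_name(host) in LOOPBACK_HOSTS and not is_loopback_addr(client):
            hits.append((client, path, int(status)))
    return hits

# Constructed sample; "/admin/db" is a placeholder path, not the product's real URL.
SAMPLE_LOG = [
    '127.0.0.1 localhost "GET /admin/db HTTP/1.1" 200',          # genuine local use
    '203.0.113.7 localhost "GET /admin/db HTTP/1.1" 200',        # spoofed Host
    '203.0.113.7 files.example.com "GET /login HTTP/1.1" 200',   # normal traffic
    '198.51.100.9 [::1]:8080 "POST /admin/db HTTP/1.1" 302',     # spoofed, with port
]
```

Running `spoofed_localhost_requests(SAMPLE_LOG)` flags the second and fourth lines only; the same comparison of claimed Host against real peer address is what a reverse proxy or WAF rule in front of such an admin page should enforce.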