
SANS Stormcast Wednesday, December 10th, 2025: Microsoft, Adobe, Ivanti, Fortinet, and Ruby patches.
Hello and welcome to the Wednesday, December 10, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Bachelor's degree program in Applied Cybersecurity. Well, today of course, lots of patches to talk about, and first of all, Microsoft's Patch Tuesday for December. It was a lighter Patch Tuesday. Only 57 vulnerabilities being addressed here. Only three of these vulnerabilities were rated as critical. And then we had one vulnerability that's already being exploited and two that are publicly disclosed. Now, about the already being exploited vulnerability, that is a privilege escalation vulnerability in the Microsoft Cloud Files Mini Filter driver. Some of those driver issues, and yes, that's already being exploited, but again, only a privilege escalation vulnerability. The publicly known but not yet exploited vulnerabilities. Well, actually, the first one, Invoke-WebRequest, a PowerShell function that's often used maliciously, but of course also in benign scripts. The problem here is that by default you may actually execute code here. So there is this UseBasicParsing parameter, and what they changed here was that if you just use Invoke-WebRequest you'll actually get a warning telling you that you are here at the risk of actually executing code unless you add the UseBasicParsing parameter. So really just clarified how to use this particular PowerShell function. And then the second already known vulnerability, it's really sort of a class of vulnerabilities that we have seen, of course, quite frequently lately. And that's all these AI copilots: as you let them take over your IDE, your development environment, you of course run the risk that they'll overstep their bounds and will actually execute code. And of course in some cases an attacker may have some control over the code being executed here, and the GitHub Copilot plugin for JetBrains.
So JetBrains is not Microsoft, but a company that makes a lot of integrated development environments. Then of course Microsoft is responsible for the Copilot part that plugs into JetBrains, and that's sort of where they added some additional constraints. We'll see how well they work to prevent some of these malicious code executions. Now, none of these vulnerabilities is rated critical. The critical ones are in Office and Outlook. So your good old Outlook and Office vulnerabilities we have every month. And with that, I don't really think that this is a terribly exciting Patch Tuesday. Even like these three known and already exploited vulnerabilities aren't really that terribly big of a deal. Next company to always release updates on Patch Tuesday is Adobe, and we got updates for five products, which is on the lighter side for Adobe. But two of these products are sort of on my watch list of likely to be exploited products. One, ColdFusion, and we do have a big vulnerability here, an arbitrary code execution due to an unconstrained file upload, so very likely something where an attacker could upload some kind of web shell. The second product, Acrobat Reader, also some code execution vulnerabilities being addressed here, and then again that's typically being exploited by sending a malicious PDF to the victim. And Ivanti also jumped in here on Patch Tuesday, this time again with an update for Endpoint Manager. One interesting vulnerability here: stored cross-site scripting in admin sessions, and this one rates with a CVSS score of 9.6. Certainly something where an attacker could do quite a bit of damage if they can essentially remote control an administrator's browser as part of an admin session. And Fortinet is warning of an authentication bypass vulnerability that affects its FortiCloud single sign-on login. This affects all products that are configured with FortiCloud, and the mitigation here is, well, to turn it off until you update your device.
Looks like some kind of cryptographic issue, maybe algorithm confusion or something like that, and that's very common, like in these single sign-on systems, if they haven't been validated properly or if they're using some outdated library and the like; that often leads to these types of vulnerabilities. And I have no idea if Fortinet software is written in Ruby, but we also had a patch today for the Ruby SAML library. Apparently this is sort of one of those parser discrepancy issues where different XML parsers interpret data slightly differently, and that often leads then to vulnerabilities where, for example, username or claims or such aren't parsed properly or are parsed differently in different parsers. They had a similar vulnerability, I think, a couple of months ago and didn't completely fix it. So this is really just an additional fix for this older vulnerability to hopefully this time completely mitigate it. Well, and this is it for today. Thanks for listening, and I would really appreciate a comment in the Apple Podcasts app. And that's it for today, and talk to you again tomorrow. Bye.
Host: Johannes B. Ullrich
Podcast: SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Date: December 10, 2025
Today's episode provides a succinct yet thorough rundown of the most important security patches released on this December's Patch Tuesday. Johannes Ullrich highlights updates from major vendors—Microsoft, Adobe, Ivanti, Fortinet, and an open-source Ruby library—focusing on those issues most likely to impact IT professionals and security teams. While this month's cycle is considered somewhat lighter, a few vulnerabilities stand out for their exploitability and severity.
Summary:
Privilege Escalation in Cloud Files Mini Filter ([00:51]):
Publicly Known, Not Yet Exploited Vulnerabilities:
Critical Vulnerabilities:
Memorable moment:
"I don't really think that this is a terribly exciting Patch Tuesday. Even like these three known and already exploited vulnerabilities aren't really that terribly big of a deal." - Johannes B. Ullrich [02:29]
"Two of these products are sort of on my watch list of likely to be exploited products. One, ColdFusion, and we do have a big vulnerability here, an arbitrary code execution due to an unconstrained file upload..." [02:48]
"Certainly something where an attacker could do quite a bit of damage if they can essentially remote control an administrator's browser as part of an admin session." [03:36]
Vulnerability Details:
Likely Cause:
"Looks like some kind of cryptographic issue, maybe algorithm confusion or something like that... that often leads to these types of vulnerabilities." [04:01]
"Apparently this is sort of one of those parser discrepancy issues where different XML parsers interpret data slightly differently, and that often leads then to vulnerabilities..." [04:32]
December’s Patch Tuesday is considered lighter but not without important issues, particularly for Adobe ColdFusion, Ivanti Endpoint Manager, and Fortinet SSO implementations. While Microsoft’s critical vulnerabilities tend toward the routine, security teams should pay special attention to the evolving patch for the Ruby SAML library and the potential for exploitation in products with high-value administrative access.
For further details and the latest analysis, listeners are encouraged to visit the SANS Internet Stormcenter website.