Security Now Episode 1036: "Inside the SharePoint 0-day – Is Our Data Safe Anywhere?"
Released: July 30, 2025
Hosts: Steve Gibson & Leo Laporte
Episode Overview
On this episode of Security Now, Steve and Leo dissect the latest cybersecurity headlines with a deep-dive into a major SharePoint zero-day remote code execution (RCE) vulnerability. They explore the widespread impact, Microsoft’s bungled patch, and the broader question haunting security professionals: is our data truly safe anywhere? The duo also covers: browser privacy changes, major data breaches, an IT lawsuit shaking up the outsourcing industry, a North Korean laptop farm in the US, updates on passkeys security, and global policy battles over encrypted messaging. The show’s informative, jargon-rich, yet conversational style makes for an essential listen for anyone in the trenches of security.
Key Discussion Points and Insights
1. Major SharePoint Zero-Day: Context & Impact
- Background:
- The vulnerability was first demonstrated at Pwn2Own Berlin in May 2025, with a working exploit against on-premises SharePoint Server.
- Microsoft shipped a fix in July's Patch Tuesday, but it did not address the root cause and was quickly bypassed, resulting in widespread exploitation.
- Multiple hacking groups, including China-linked APTs, leveraged the flaw; high-profile victims include US federal agencies and health providers.
- Scale:
- At least 400 organizations confirmed compromised; upwards of 9,000 vulnerable servers exposed on the internet.
- “At least 400 enterprises have been compromised.” (Steve, 07:02)
- Notable breaches: DHS, National Nuclear Security Administration, National Institutes of Health (NIH).
- Technical Failure:
- Microsoft’s patch addressed symptoms, not cause—attackers rapidly bypassed it by reverse engineering.
- “They bungled the update once again, patching the symptom, not the cause.” (Steve, 06:10)
- Analysis:
- Attackers used the flaw to pull SharePoint's ASP.NET machine keys (the ValidationKey and DecryptionKey) off compromised servers. With those keys they can forge validly signed ViewState payloads, so remote code execution survives a patch that only closes the original entry point, and any credentials already harvested remain usable.
- Remediation therefore requires not just patching but rotating the machine keys and restarting IIS on every server in the farm.
- "You should just assume that if you are running on-prem SharePoint, you are compromised." (Leo paraphrasing advice, 174:49)
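The remediation sequence above (patch, rotate keys, restart IIS), as an added example that is not from the episode and not Microsoft's own guidance text: a SharePoint Management Shell script a farm administrator would run on one server of an already-patched farm. `Get-SPFarm`, `Get-SPWebApplication`, `Update-SPMachineKey`, `Get-SPServer` and `iisreset.exe` are real SharePoint and IIS commands; the remote restart via `Invoke-Command` assumes PowerShell remoting is enabled between the farm's servers, and parameters should be checked against the documentation for your SharePoint version before use.

```powershell
# Added example, not from the episode or Microsoft's guidance. Run in the
# SharePoint Management Shell as a farm administrator AFTER the latest
# cumulative security update is installed on every server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so the change ticket shows keys were rotated on a
#    patched build. Rotating keys on an unpatched server is pointless: the
#    attacker just reads the new keys the same way they read the old ones.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys (ValidationKey/DecryptionKey) for every
#    web application, including Central Administration. Until this runs, anyone
#    holding the stolen keys can still forge signed ViewState payloads.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 3. Restart IIS on EVERY SharePoint server in the farm so worker processes
#    load the new keys. SPServer objects with role 'Invalid' are non-SharePoint
#    servers (e.g. the SQL box) and are skipped. Assumes WinRM remoting.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $spServers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe /noforce }
}
```

Order matters: patch first, then rotate, then restart. Rotation does not remove web shells or other persistence already written to disk, which is why the episode's advice is to treat an exposed on-prem server as compromised and do a forensic review rather than stop at patch-and-rotate.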
2. Microsoft Patch Dynamics and The Security Status Quo
- Vendor Management & Legacy Risks:
- Many organizations run old, out-of-support SharePoint servers for cost reasons.
- Migrating to cloud-based SharePoint subscription is “a difficult sell to upper management” despite growing risk.
- Vendor Response:
- Microsoft: “We are supporting organizations across the full spectrum of cloud adoption… including on-prem.”
- Wired magazine, The Register, and security firms criticized Microsoft’s patch reliability and lag.
- Industry Model Broken:
- Steve argues the model of selling software, expecting timely admin action for critical updates, is no longer practical.
3. Browser Privacy and Steve Switches to Brave
- Why Switch from Firefox:
- Brave's built-in fingerprint randomization (passing EFF’s Cover Your Tracks) and vertical tabs clinched it.
- “The Brave browser looks like the right answer for that... I imported my Firefox settings into Brave. That worked flawlessly.” (Steve, 17:38)
- Brave v1.81 News:
- Will block Microsoft Recall feature by default, preventing the OS from snapshotting browsing activity—a privacy enhancement beyond what other browsers provide.
- “Brave is the only major web browser that disables Microsoft Recall by default in all tabs.” (Steve, 28:37)
4. Retraction: Passkeys and FIDO Not Broken
- Original Worry:
- Last week’s reporting suggested FIDO passkey authentication could be bypassed via MITM attack.
- Correction:
- Expel Security retracted, admitting logs only showed password phishing succeeded, not passkey bypass.
- Bluetooth proximity is still required for FIDO cross-device authentication—no bug.
- “Given that… this attack should not have been possible, it turns out that the attack was not possible and did not happen.” (Steve, 88:16)
5. Clorox vs. Cognizant: Outsourcing Debacle
- Lawsuit:
- Clorox filed a $380M suit after its outsourced helpdesk (Cognizant) handed out password and MFA resets to callers who were Scattered Spider attackers posing as Clorox employees; the resulting breach is put at $830M.
- Security Lesson:
- Poor training and lack of verification at helpdesks (no manager name or ID asked) enabled the compromise.
- Steve’s Take:
- “Outsourcing gone awry.”
- Businesses must be accountable for their own IT security, not just chase savings.
- "You get what you asked for." (Steve, 39:02)
6. The Neverending Wave of Data Breaches
- Allianz Life Breach:
- Attackers accessed personal data belonging to the majority of Allianz Life's customers and partners through a third-party, cloud-based CRM, gaining entry by social engineering rather than by exploiting a software flaw.
- Similar tactics (impersonation, tricking helpdesks) as in the Clorox breach.
- CIA Acquisition Research Center Website Hacked:
- Hackers compromised a major portal for US intelligence contract submissions; likely via SharePoint exploit.
- Drug/Alcohol Testing Service Breach:
- 750,000 individuals’ highly sensitive files breached; disclosure delayed a full year.
7. The State of Secure Authentication: Security Theater
- “Optional” Authentication:
- Authentication ‘accelerators’ (password managers, authenticators) offer convenience, but fallback options (“I forgot my password,” or “I don’t have my authenticator”) undermine security:
- “We’re allowed… feel-good security theater… which would most fairly be described as optional.” (Steve, 66:52)
- True security means no fallbacks—if you can’t authenticate, access is denied.
- SQRL (Secure Quick Reliable Login) Mention:
- Steve's own authentication scheme is designed for genuine opt-in: once enabled there is no "forgot password" or other backup path to fall back on.
- Practical Implication:
- Current “MFA” implementations mostly represent “security theater,” as attackers can exploit fallback pathways.
8. Geopolitics, Cyberwar & Regulation
- Ukraine’s Cyber Blitz:
- Massive operation wiped Russian servers, exfiltrated 100TB of data from Crimea occupation authorities; cyber-warfare is integral to modern conflict.
- UK Backs Down from Apple Encryption Mandate:
- After US pressure, UK retreating from demands for cloud backdoors.
- EU’s “Chat Control” Reemerges:
- Denmark revives controversial bill for client-side scanning of private messages for CSAM, potentially undermining encryption. Debate ongoing.
- North Korean “Laptop Farm” in Arizona:
- US woman convicted for facilitating remote work access for North Korean IT operatives, enabling sanctions evasion.
Notable Quotes & Memorable Moments
Picture of the Week
[16:10]
“Every time I have a programming question and I really need help, I post it on Reddit and then log into another account and reply to it with an obscenely incorrect answer. People don't care about helping others, but they love correcting others...Works 100% of the time.”
— Read by Steve Gibson
On the SharePoint Catastrophe
[140:05]
“They bungled the update once again, patching the symptom, not the cause.”
— Steve Gibson
[174:49]
"You should just assume that if you are running on-prem SharePoint, you are compromised."
— Security researcher (quoted by Leo)
On Security Theater
[66:52]
“We’re allowed… feel-good security theater… which would most fairly be described as optional. With optional authentication, not being able to produce the required magical six digits on demand simply means it's necessary to jump through some additional hoops… The problem is the bad guys are more than happy to jump through those same hoops.”
— Steve Gibson
On Outsourcing IT
[39:02]
“But again, having, you know, outsourcing this means, you know, you get what you asked for.”
—Steve Gibson
On Browser Privacy & Brave
[28:37]
“Brave is the only major web browser that disables Microsoft Recall by default in all tabs..."
— Steve Gibson
On Cyberwar
[51:33]
“So it’s clear from all of this that the battlefield is becoming more and more cyber. Not only is more cyber technology being employed for kinetic military operations, but all nations have become quite dependent upon the convenience created by today’s networking for operational management.”
— Steve Gibson
Important Timestamps
| Time | Topic |
|--------|-----------------------------------------|
| 04:09 | SharePoint Zero-Day: Origins, Scope |
| 07:40 | News: Clorox sues Cognizant ($380M) |
| 15:48 | Picture of the Week |
| 17:38 | Steve switches to Brave browser |
| 28:37 | Brave blocks Microsoft Recall |
| 31:32 | Deep dive: Clorox credential breach |
| 47:09 | Windows 10 ESU/W10 EOL rollout update |
| 51:33 | Ukraine's cyber operation in Crimea |
| 58:39 | Allianz Life insurance data breach |
| 66:52 | Steve's rant: Security theater |
| 76:21 | CIA Acquisition Research Center hacked |
| 86:08 | North Korean laptop farm uncovered |
| 88:16 | FIDO passkey man-in-the-middle retracted |
| 91:52 | "Is our data safe anywhere?" discussion |
| 99:59 | UK pulls back on Apple encryption fight |
| 107:54 | EU "Chat Control" resurfaces |
| 138:50 | SharePoint RCE: deep technical analysis |
| 174:30 | Closing thoughts on SharePoint fiasco |
Final Thoughts
- Assume compromise if running on-prem SharePoint: apply the latest cumulative update (the original July Patch Tuesday fix alone is bypassable), rotate the ASP.NET machine keys, restart IIS on every server, and carry out a full forensic review, since patching and rotation do not remove persistence already on disk.
- Legacy software and poor vendor patch hygiene remain leading causes of systemic compromise—"the model must change."
- Authentication is only as strong as its weakest (fallback) link; MFA with fallback is really “optional” authentication.
- Privacy matters: Brave is raising the bar for browser privacy with active default protections.
- Social engineering is as dangerous as technical hacking, as multi-million dollar breaches show.
- Data breach ‘fatigue’ is real, but the fight for better practices continues.
- Policy fights over encryption and privacy are ongoing; vigilance is required against legislative overreach.
Listen/Read More
Next Week: More security news, likely updates on fallout from the SharePoint exploit, and ongoing analysis of the ever-evolving cybersecurity landscape.