
SANS StormCast Highlights Web Security Updates, NPM Changes, and Critical Adobe Patches
The June 11, 2026, SANS Internet Storm Center StormCast discussed updates to web security headers, noting that the X-Frame-Options header is being supplemented by the frame-ancestors directive in Content-Security-Policy (CSP). While X-Frame-Options remains functional, adoption of frame-ancestors has increased significantly over the past three years. NPM announced changes for its upcoming version 12 (July 2026): install scripts and git/remote URL access will be disabled by default to mitigate recent supply-chain attacks, though both can still be enabled manually. Adobe released patches for 11 products, addressing critical vulnerabilities in Acrobat Reader (CVSS 7.8) and ColdFusion (CVSS 9.8). Microsoft Defender was found vulnerable to a privilege-escalation flaw that requires a user to mount a malicious disk image from an SMB share, though it does not affect Windows Server by default. The episode also referenced a diary entry by Jan on CSP evolution and provided guidance on preparing for NPM's security changes.
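
One way to prepare for the NPM defaults described above is to inventory which locked dependencies rely on install scripts or on git/remote URL sources. The following is an added example, not code from the StormCast or from npm; it reads the `hasInstallScript` and `resolved` fields of a `package-lock.json` (lockfileVersion 2 or 3), and the registry allow-list, function names and sample lockfile are assumptions constructed for illustration.

```javascript
// Hosts treated as a normal registry source (assumption: add private registries here).
const REGISTRY_HOSTS = new Set(['registry.npmjs.org']);

// Classify where a locked package was fetched from, based on its "resolved" field.
function classifySource(resolved) {
  if (!resolved) return 'unknown';                 // e.g. workspace links carry no URL
  if (/^git(\+|:)/.test(resolved)) return 'git';   // git+ssh://, git+https://, git://
  try {
    const url = new URL(resolved);
    if (url.protocol === 'file:') return 'local';
    return REGISTRY_HOSTS.has(url.hostname) ? 'registry' : 'remote-url';
  } catch {
    return 'unknown';                              // relative paths and other non-URLs
  }
}

// Return every locked package that depends on behaviour the page says will be off by default.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;                     // root project entry
    const reasons = [];
    if (entry.hasInstallScript) reasons.push('install-script');
    const source = classifySource(entry.resolved);
    if (source === 'git' || source === 'remote-url') reasons.push(source);
    if (reasons.length > 0) {
      const name = path.replace(/^.*node_modules\//, ''); // handles nested and scoped names
      findings.push({ name, version: entry.version, reasons });
    }
  }
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3 layout); hosts and packages are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-helper': { version: '2.1.0', resolved: 'https://registry.npmjs.org/left-helper/-/left-helper-2.1.0.tgz' },
    'node_modules/native-thing': { version: '4.0.2', resolved: 'https://registry.npmjs.org/native-thing/-/native-thing-4.0.2.tgz', hasInstallScript: true },
    'node_modules/internal-tool': { version: '0.3.0', resolved: 'git+ssh://git@git.example.com/acme/internal-tool.git#0123456789abcdef0123456789abcdef01234567' },
    'node_modules/vendor-sdk': { version: '1.4.0', resolved: 'https://downloads.example.com/vendor-sdk-1.4.0.tgz', hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` to `auditLockfile` and review each finding before deciding whether to re-enable the behaviour for that package.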