
SANS Internet StormCenter StormCast: May 14, 2025 Edition Highlights Critical Security Updates
In this May 14, 2025 edition of the SANS Internet StormCenter StormCast, Johannes Ullrich presents the latest security updates from Microsoft and other vendors, focusing on critical and already-exploited vulnerabilities. The highlight of this edition is Microsoft's "Patch Tuesday," which addressed 78 vulnerabilities, 11 of them rated critical. Five of the 78 were already being exploited at the time of release: four are privilege escalation issues and one is a code execution vulnerability.

One of the privilege escalation vulnerabilities affects the Windows Common Log File System, a recurring source of bugs because the log file system driver runs with elevated privileges and repeatedly fails to parse log file formats safely. The code execution vulnerability is a script engine memory corruption flaw that is exploitable only if Microsoft Edge is used in Internet Explorer mode. Ullrich emphasizes the importance of checking configurations to avoid unintentional use of this mode.

Among the other notable vulnerabilities, a remote code execution vulnerability in the Windows Remote Desktop service drew attention. Although classified as important rather than critical, it is exploitable without authentication, but only while the Remote Desktop service is restarting. Ullrich speculates that a denial-of-service vulnerability could be used to trigger such a restart, which would make the code execution vulnerability more practical to exploit. He stresses the importance of strictly controlling the RDP service, which is a frequent target of ransomware groups.

Outside of Microsoft, Ivanti patched two exploited vulnerabilities in its Mobile Endpoint Manager: an authentication bypass flaw and a remote code execution vulnerability. Ullrich notes that chaining these two vulnerabilities can have a significant impact. Fortinet also addressed an already exploited stack-based buffer overflow affecting several Fortinet products.
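The two configuration checks Ullrich recommends (whether Edge is quietly running in Internet Explorer mode, and how exposed the RDP service is) can be scripted. The following PowerShell audit is an added example, not code from the StormCast or from Microsoft. It assumes the documented Edge policy registry values `InternetExplorerIntegrationLevel` and `InternetExplorerIntegrationSiteList`, the Terminal Server registry values `fDenyTSConnections`, `UserAuthentication` and `PortNumber`, and the built-in "Remote Desktop" firewall rule group; run it from an elevated PowerShell session on the host being audited.

```powershell
# Added example (not from the StormCast or from Microsoft): audit two of the
# configurations discussed above on a Windows host. Assumes the standard Edge
# policy value names and Terminal Server registry values; run elevated.

function Get-EdgeIeModeStatus {
    # Edge reads its IE-mode policy from either the machine or the user hive.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
    foreach ($p in $paths) {
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $level = $props.InternetExplorerIntegrationLevel
        if ($null -ne $level) {
            # Documented values: 0 = None, 1 = IEMode, 2 = NeedIE
            $meaning = switch ($level) {
                0 { 'IE mode disabled by policy' }
                1 { 'IE mode ENABLED by policy' }
                2 { 'NeedIE mode set by policy' }
                default { "unknown value $level" }
            }
            return [pscustomobject]@{
                PolicyPath       = $p
                IntegrationLevel = $level
                Meaning          = $meaning
                SiteList         = $props.InternetExplorerIntegrationSiteList
            }
        }
    }
    # No policy at all: IE mode is not forced on, but a user-level toggle may still exist
    # (Edge settings page edge://settings/defaultBrowser), so report that as a follow-up.
    return [pscustomobject]@{
        PolicyPath       = $null
        IntegrationLevel = $null
        Meaning          = 'No IE mode policy set; verify the user-level reload-in-IE-mode toggle'
        SiteList         = $null
    }
}

function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts     = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    $rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
    # PortNumber is 3389 unless an administrator has changed it.
    $port = if ($rdpTcp.PortNumber) { $rdpTcp.PortNumber } else { 3389 }
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq $port }
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        RdpEnabled           = ($ts.fDenyTSConnections -eq 0)        # 1 means RDP connections denied
        NlaRequired          = ($rdpTcp.UserAuthentication -eq 1)    # Network Level Authentication
        RdpPort              = $port
        ListeningOn          = (($listening | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', ')
        FirewallRulesEnabled = $fwRules.Count
    }
}

# Run both checks and flag the conditions the podcast warns about.
$ie  = Get-EdgeIeModeStatus
$rdp = Get-RdpExposure
$ie  | Format-List
$rdp | Format-List

if ($ie.IntegrationLevel -in 1, 2) {
    Write-Warning "Edge IE mode is active by policy; confirm every entry in the site list is still required."
}
if ($rdp.RdpEnabled -and -not $rdp.NlaRequired) {
    Write-Warning "RDP is enabled without Network Level Authentication; unauthenticated clients reach the service."
}
if ($rdp.RdpEnabled -and $rdp.ListeningOn -match '0\.0\.0\.0|::') {
    Write-Warning "RDP is listening on all interfaces; restrict it with firewall rules or a VPN/jump host."
}
```

The IE-mode check reports the policy value and the site list so that an administrator can see exactly which sites would be rendered by the legacy engine; a host with no policy at all is not necessarily safe, since users can still opt into reloading pages in IE mode, which is why the script prompts for that follow-up rather than reporting a clean result. The RDP check is deliberately read-only: it surfaces whether the service is on, whether NLA is enforced, and whether the listener is bound to all addresses, leaving the remediation decision to the operator.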
Ullrich concludes by emphasizing the importance of vigilance and regular updates to protect against these vulnerabilities. He also encourages listeners to send feedback and suggestions to improve the podcast. For more details, watch the full video at the following address: https://www.youtube.com/watch?v=dkzm7ezMMLU