Hello, welcome to the Friday, February 22nd, 2019 edition of the Santernet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

I think it was about last week that I mentioned that Adobe fixed the leakage flaw in Acrobat and Reader.

This was the issue where you could include Smb links in a PDF document and Adobe would happily try to download the respective files

sending your NtLM hashed credentials out. Well, turns out the patch that you applied a week ago wasn't quite sufficient

to vulnerability still existed, even though in a slightly different version and Adobe today

fixed this flaw again.

Exploitation is pretty trivial in this case. It does affect Adobe Acrobat and Reader on Windows as well as on Mac OS.

And the usual reminder, you probably really for sure want to block outbound port 445

that will block leaks like this at least from leaving your network.

At the end of the month, Microsoft is usually publishing its non-security updates at the

third Tuesday of the month.

Well, looks like this month Microsoft sort of snuck in security fix for IIS. This fixes a denial of service condition that can be

triggered via invalid HTTP2 requests. What the attacker has to do is send a lot of settings frames.

The HTTP2 standard doesn't really limit how many of these settings frames you can send,

so it's technically not actually an invalid request that's being sent, but eventually IS will hang

and will stop responding and needs to be restarted. This update does add a configuration parameter that allows you to limit the number

of settings requests per frame as well as per minute. If a connection exceeds that number,

then it will just be killed. Currently I haven't heard of this being exploited out in the wild,

but this doesn't

sound to be terribly difficult to exploit, so definitely do update your systems.

...