Hello, welcome to the Monday, August 8, 2020 edition of the Sands and its Storm Center's Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Let's start today with patches or vulnerabilities. And first of all, with the mail server, Exim.

Xim, a very popular mail server, comes preinstalled on many Linux systems.

I think I've seen numbers of like 57% of all on-premise mail servers using XM.

Well, the problem here is that XM silently patched a vulnerability that may lead to a buffer overflow.

The vulnerability has been assigned CVE 2020-37-452, and as I'm recording this, I'm not seeing an official

advisory on XM's website, but you are okay if you're running XM version 495 or later.

A GitHub repository has been published with details about the vulnerability.

And of course, by not making this update as security relevant update, many Linux distributions

have not yet rolled out updated packages to fix this problem.

And your vulnerability scanners probably won't flag it either because it wasn't really

known as a vulnerability.

To be exploitable, XM has to be configured to resolve sender host names. The attacker would then send an email and as the mail

server resolves the host name name server would deliver the exploit.

With the GitHub repository released with details, developing an actual exploit,

should not be terribly hard.

So watch out for updates and apply them as they become available.

As a workaround, you may try disabling sender host name resolution if that's not already

disabled.

Duck, Duck Go is responding to criticism that its privacy-focused browser did not block

tracking scripts from Microsoft.

This is not an issue with the Duck, dot go search engine,

...