Hello, welcome to the Monday, July 23rd, 2018 edition of the Sancturnd Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Last week we had the Oracle Critical Patch update and I noted that there was a new easy-exploitable web logic vulnerability that was addressed with

that update. We do have an exploit public now for this vulnerability. That's CVE 2018-2893.

And yes, this vulnerability is already exploited in the wild.

So time is up, you better already have your systems patched,

assure that the system hasn't already been compromised

if you find a system that has not yet been patched.

Now, the one exploit we have seen being used so far does appear to install a back door.

Haven't had really a chance to look at it into too much depth, so it's not just the crypto

miners, but they're probably going around already, just haven't really seen a specific one yet.

And James Walker of Portswicker noted in a blog post that the most recent version of Microsoft

Edge apparently no longer blocks cross-site scripting by default. Starting with InExplorer 8,

which I believe was released 2008, Microsoft introduced

this feature, which is a very simple, reflective cross-site scripting filter. Essentially,

it looks at scripts that you're sending to the server and then obfuscates them if they come

back at the browser. The feature itself had some critics.

For example, there were some bypass methods, of course, and it sometimes ran into false positives.

But overall, it did provide a somewhat meaningful protection against many sort of common cross-site

scripting attacks. So it's a little bit

odd that it would all for a sudden no longer be working. Haven't had a chance to test it myself yet.

And at this point, I haven't seen an official response from Microsoft, whether this was

intentional or whether this was a bug. In general, of course, you should never rely on these browser protections.

...