ISC StormCast for Thursday, April 11th, 2024
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 11 April 2024
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello and welcome to the Thursday, April 11th, 2024 edition of the SANS Internet Storm Center's |
| 0:08.5 | Stormcast. My name is Johannes Ulrich and today I'm recording from London, England. Well, let's |
| 0:15.6 | today start with a critical update for the Windows version of the programming language Rust. This vulnerability |
| 0:24.5 | in the standard library has a perfect CVSS score of 10, even though the risk, well, may or |
| 0:31.4 | may not be a little bit more limited. It depends really on how you are using the affected API, and that's the Command API. |
| 0:40.6 | Actually, an API that exists in pretty much any language and has had issues in pretty much any language. |
| 0:48.6 | The purpose of the Command API is to execute a command via command.exe and securely escape any command parameters being passed in order to avoid OS command injection, a very common vulnerability, where you, for example, can use things like semicolons and dollar symbols and the like in order to execute additional |
| 1:13.3 | commands by passing them as a command parameter. Before you say, isn't Rust supposed to be a |
| 1:19.7 | secure programming language? Yes, it is, but with specific issues around memory safety in mind, |
| 1:26.5 | other vulnerabilities will of course still occur in Rust, just like in any other language. |
| 1:32.3 | Now the tricky part about this particular vulnerability is that it really affects software created with Rust |
| 1:39.3 | much more than Rust itself. So having Rust installed on your system, for example, will not |
| 1:45.6 | really expose you to any particular risks in this case, but if you're running software |
| 1:51.0 | that uses the command API and was compiled using the old version of the standard library, |
| 1:58.2 | well, then that particular binary would expose you to this vulnerability. |
| 2:04.4 | And then, as is typical as part of Patch Tuesday, we also got updates from Adobe. Nine different |
| 2:10.4 | products received updates. |
| 2:11.9 | I'm not going over all the details here. |
| 2:14.8 | There are, for example, quite a few products that are affected by a single |
| 2:19.6 | out-of-bounds read vulnerability, CVSS score of only 5.5. The one product that I want to focus on a little |
| 2:27.7 | bit is Adobe's Commerce product, which used to be known as Magento. Well, for this product, two vulnerabilities are being addressed here. |
| 2:39.0 | One is an arbitrary code execution; it just says here improper input validation, CVSS score of 9, |
... |

