Hello and welcome to the Tuesday, August 15, 2023 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida, but

teaching virtually in Chicago, Illinois. Today, DDA wrote about false positives, false positives created by a tool called PDF ID that Didi wrote to basically do a quick triage for malicious PDFs.

Now, one of the strings that PDF ID looks for is slash JS for JavaScript, of course, JavaScript in PDFs is usually a good

indicator that something fishy is happening here. That's why he flags the string. The problem

with PDF IDs, it's a very simple tool. It does not actually parse the PDF structure. So it may contain false positives

because the string slash JS may actually show up in the binary part of the PDF, not necessarily as part of the PDF structure, where it really

matters.

So as an additional step to figure out if this particular occurrence of slash JS is really part of a JavaScript content of the PDF or false positive, DDA recommends a second tool PDF

parser.

PDF parser actually does parse the structure off the PDF and then identifies different

sections like JavaScript sections.

So that would then be an option that you run after PDF ID.

Given how simple PDF ID is if the number of false positives is not excessive. It may still be a nice tool

to run first and then sort out the false positives using PDF parser. And then we have an

interesting update from Microsoft relating to CVE 2023-32019.

This vulnerability was originally patched in June, and it's one of those information

disclosure vulnerabilities where an attacker who has some control over a system due to

a vulnerability in the Windows kernel is able to view heap memory from privilege processes,

and with that, of course, possibly gain secrets that are stored in that memory.

Back in June, Microsoft did release a patch for this vulnerability. It was sort of an interesting

patch. They released a patch but didn't

...