ISC StormCast for Tuesday, May 31st, 2022
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 30 May 2022
⏱️ 8 minutes
Transcript
| 0:00.0 | Hello, welcome to the Tuesday, May 31st, 2021, 2022 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich. |
| 0:10.3 | And I'm recording from Jacksonville, Florida. Due to Memorial Day here in the United States, we didn't have a podcast on Monday, but I'm recording this a little bit earlier as we do have |
| 0:23.0 | some breaking news that I think is worth putting out there a bit earlier than I would |
| 0:29.0 | usually record a podcast. So this breaking news is the MS-MSDT vulnerability, often described as zero day, but essentially what |
| 0:41.9 | it comes down to is a novel way to execute code on a user system as a Microsoft Office |
| 0:50.2 | document is opened without triggering any prompts or additional user confirmation. |
| 0:56.6 | This was actually first spotted back in April and privately reported to Microsoft. |
| 1:04.3 | Microsoft didn't consider this a vulnerability. |
| 1:08.0 | In part, it looks like whoever processed the report at Microsoft didn't completely |
| 1:13.7 | understand the implication of this vulnerability. Now, on Friday, it was sort of discovered |
| 1:20.9 | again after a sample that exploited the vulnerability was uploaded to VirusTotal, and a Japanese researcher spotted |
| 1:30.8 | this technique being used. This Japanese researcher, nao_sec is the Twitter handle |
| 1:38.1 | they're going by, did recognize that this is actually a pretty ingenious way to bypass many of the protections |
| 1:46.7 | that Microsoft has put in place in order to prevent things like macros and such from executing |
| 1:53.1 | without user permissions. So how does this work? Well, it starts out with an Office document. |
| 1:59.0 | Now, it could be any Office document. |
| 2:02.1 | So Excel, Word. |
| 2:06.7 | Word seems to be the most commonly discussed at this point, but it's not limited to Word. |
| 2:13.2 | May even work in Outlook, for example, without the user actually opening any attachments or clicking on any links, but just by looking at an Outlook message. |
| 2:18.3 | Now, Microsoft Office has a feature where we can specify externally hosted HTML templates. |
| 2:25.1 | So that's the first feature that's being abused here. |
| 2:28.4 | The document is being opened or viewed, and the HTML template document is downloaded. |
... |

