Hello and welcome to the Tuesday, October 3, 2020,

edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Good reminder from DDA today that encrypted zip files do not encrypt the metadata that comes with the SIP file.

This includes the file name itself, but also the CRC 32 checksum.

Now these checksums, they're not cryptographic hashes, so sure, there are plenty of collisions,

or it would be easy to create a collision,

but still it can help someone narrow down what file is likely included in the encrypted SIP

file. A reader also points out that, well, it's even better because you also have the original

length of the file as part of the metadata available,

so that can then further be used to narrow down a particular file that may be included.

Probably the simplest way to avoid this issue is that you just sip the file twice.

That way the second time you sip the file the metadata will just

be the overall metadata for the first encrypted zip file and not the content of the first

encrypted zip file well and then I have an update to an update yesterday I talked about

XM soon going to release an updated version of its mail server

to fix the War on abilities being made public by the Saturday initiative.

Out of the six War on abilities, we have three fixed now, and the new version released today

was 4.96.1, and there's also an upcoming

version 4.97 that will fix these issues. The issues being fixed here are the more

important one, including the auth out-of-bounds right vulnerability, which had a CVSS score of 9.8.

The remaining vulnerabilities, there are some workarounds that you can apply, and the XM advisory.

...