Hello, welcome to the Wednesday, August 12th, 2020 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

I want to deviate a little bit from the usual patch Tuesday podcast by not starting with Microsoft's patches,

but instead highlighting vulnerability in the Bulletin.

The Bulletin is a commercial bulletin board system written in PHP, and it has a rather intricate

template system, which has been the source of some critical vulnerabilities in the past. Last September, the bulletin

fixed CVE 2019 16759, which was a code injection vulnerability, and apparently this patch was

not complete, which did allow for a bypass of the patch, and details were

published on Sunday by a researcher who calls himself SinoFex. So yes, the bulletin is again

vulnerable to code injection attack. Attackers are able to execute arbitrary PHP code on the server.

The exploit is trivial, and an example, really more than just proof of concept, has been

released as part of this blog post.

So I would expect exploitation to already be underway.

The blog post also mentions a possible workaround, that essentially means disable

PHP, static HTML, and ad module rendering. No idea what it'll break, but certainly worth a try. So well, let's talk about

Microsoft vulnerabilities next. Microsoft patched 120 vulnerabilities for patch Tuesday. Two of these

vulnerabilities have already been exploited. CVE 2020 1464. This is a Windows spoofing

vulnerability. What it means is that signatures of files may incorrectly be validated and an attacker

could use that to bypass some security features by, for example, loading inappropriately signed files.

The second vulnerability is probably more severe.

That's a remote code execution that's affecting Internet Explorer.

It's part of the scripting engine that's vulnerable here, and that's CVE 2020-1380.

...