Hello, welcome to the Wednesday, January 16th, 2019 edition of the Sandsonant Storms,

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

Microsoft today released updates for Skype for Business and Team Foundation server. A little bit odd that these were published today sort of out of the ordinary.

They're only rated as important and moderate.

For Skype for Business, it's a spoofing vulnerability.

Apparently it can then also lead to cross-site scripting.

Team Foundation server, there's one cross-side scripting vulnerability

and an information disclosure vulnerability. At this point, no real reason to rush these out.

But probably kind of more interesting almost is vulnerability in SCP, the Secure Copy Command

that comes with SSH.

This vulnerability was found by Harry Centonov F Secure.

The problem here is that the SCPs actually derived well from good old RCP, an 80s command used back then to transfer files without

encryption and RCP allowed the server to actually specify the file name.

SEP still does that, the protocol still does that but the client is supposed to verify that

the file being delivered, the name is actually

the file name expected.

Well, apparently SCP doesn't do a great job with this.

The result is that an attacker running a malicious SCP server could override arbitrary files

on the user's system.

Interestingly, all major versions of SCP are affected.

OpenSH, PUDD, as well as WinnSCP.

There is no patch for PUDD available at this point.

...