Hello and welcome to the Wednesday, March 15th, 2020, 3 edition of the Sands and its Storms anders

Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Well, it's patch Tuesday, so sorry, lots of patches in today's podcast, starting of course with Microsoft,

according to Renato's count, who as usual created the diary today for us. We got 76 vulnerabilities

patched, nine of them are critical and two are already being exploited.

One of the exploited vulnerabilities, it's a vulnerability in Microsoft Outlook, has actually been

exploited for about a year since April last year, in highly targeted attacks, in particular

against some Eastern European governments. Russia

supposedly was behind these attacks. And it does actually use a relatively old style vulnerability.

It's against Microsoft Outlook. And the trick here is that you can get Microsoft Outlook to connect

to an SMB share. We have had this in many other contexts

where a link pointing to an SMB share would result in the system automatically reaching out to that SMB share,

and with that of course passing credentials, which could be downgraded to NTLM hashes, which then, of course,

can easily be used in an NTLM relay attack.

So if you have outbound port 445 blocked, you're actually safe here, at least against the attack

leaking credentials to the outside.

This attack and the credentials were then often used to exfiltrate emails. But exploitation, now that the vulnerability is known,

is really relatively straightforward, just requires the right URL in the right Mappy property,

and you're pretty much all set there. CVSS for this

is 9.8. The second vulnerability is also sort of in a feature that has had issues before. Windows

Smart Screen, that's the entire mark of the web business, where if you download a file

from the internet, it has this mark of the web attached, so when you're opening it, it will

...