Hello, welcome to the Wednesday, March 25th, 2020 edition of the Sansonet Storms and Stormcast. My name is

Johannes Ulrich. And I'm recording from Jacksonville, Florida. Microsoft released yet another update

to their advisory regarding the type 1 font parsing remote code execution vulnerability.

The one thing they sort of clarified is a little bit the targeted attacks they have seen.

They only targeted Windows 7 and Microsoft states that the attack against Windows 10 is unlikely due to mitigations that were put in place in the first version released in 2015, according to Microsoft.

They're further stating that the possibility of remote code execution is negligible for Windows 10 and elevation of privilege is not possible.

And talking about vulnerabilities for which there is no patch two days ago, a user reported

denial of service vulnerability publicly to the MAMCashD team.

Now, MMMCashD is a very popular, fast, noSQL database, and MMMCash 160 and MMMCash 1601 are vulnerable.

Now, the MMCashD team did respond rather quickly and released a fix version 162.

So if you're running M-Kash-D, do apply the fix.

It's only a denial-of-service vulnerability and you definitely should not expose M-KashECD to the open internet, which sadly

keeps happening. And Adobe released an update for its Creative Cloud desktop application. This

vulnerability being addressed with the update does allow for arbitrary file deletion.

Now, a couple news websites did label this as a sort of emergency patch because it was not

released on Adobe's patch Tuesday.

I believe that Adobe in recent months has more and more moved away from publishing all

of its patches on patch Tuesday.

So they have adopted a more spread out model here.

And really only the flash updates, if there are any,

they have to be sort of released on patch Tuesday if possible,

because they also affect Microsoft software that's then typically patched

...