Hello, welcome to the Wednesday, May 3rd, 2017 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich, and the I'm recording from Jacksonville, Florida.

Just a quick update on the Intel chipset vulnerability that we talked about yesterday.

We do see some initial scanning for this vulnerability at this point the majority of

the scans come from shadow server shadow server is part of the good guys they do notify users

that are affected by this vulnerability if they find vulnerable, they work closely with ISPs on this.

They do not publish lists of vulnerable hosts like others may be doing in the future.

Overall, you should have these ports blocked, whether you are vulnerable or not having these ports open if you're not vulnerable

does expose you to the risk of someone essentially just password brute forcing and such

these IPMI interfaces and such that tend to listen on some of these ports.

At least at this point I'm not aware of an exploit that is at hacking

this particular vulnerability, but always possible there's something out there that I haven't

seen yet. If you see something, please let us know. And SensePost came up with an interesting

way how to get access to a system that does synchronize

its email with a compromised email account via Outlook.

Turns out Outlook has a nice feature called Forms.

Now, Forms cannot be sent to a user as an email. They're used to create emails

that you're sending out, and as part of these forms, you can also add scripts. These scripts are treated

differently from any scripts that you may receive in an email. Outlook actually is going to phase out

parsing scripts in emails altogether, and for the most part, it's best practice for a long time

to disable this. But these scripts in forms, because forms are usually created by the user,

stored with the exchange server.

...