Hello and welcome to the Wednesday, April 9th,

2025 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, of course, it's Patch Tuesday today, so we have to start with Microsoft Patches.

We do have sort of an average Patch Tuesday. Renato, who did our diary today,

counted in 125 vulnerabilities. I've seen others, quote, 134 vulnerabilities. It typically depends on

whether or not you count the chromium vulnerabilities that apply to Microsoft Edge or not.

But either way, let's look at some of the interesting vulnerabilities that are sort of worth noting.

And to start out, we got sort of a column a friend of the show, the log file system driver.

This is a Windows component that has led to at least five Saturday vulnerabilities over the

last couple years.

And yes, we do have another ProH escalation vulnerability here that is already being exploited

and apparently being exploited by ransomware actors as well.

So not just one of those state actor style vulnerabilities.

Now, why is this component continuing to be the source of so many warn abilities?

Pretty straightforward reasoning behind this is it is a kernel driver, so it runs with

colonel privileges. It must run kernel driver, so it runs with kernel privileges.

It must run with kernel privileges, well, in some ways, because it has to read all the different

logs that it is parsing. And then, of course, it has to parse those logs, and logs sometimes

do contain, well, hostile content. And that's sort of the

reason here yet again, where a problem in the log parser is being exploited to then elevate

privileges, essentially execute code as the driver, which then gets you full system access. So that story just keeps repeating.

...