SANS Stormcast Wednesday, October 15th, 2025: Microsoft Patchday; Ivanti Advisory; Fortinet Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9656.mp3

Microsoft Patch Tuesday
Microsoft not only released new patches, but also the last patches for Windows 10, Office 2016, Office 2019, Exchange 2016 and Exchange 2019.
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20October%202025/32368

Ivanti Advisory
Ivanti released an advisory with some mitigation steps users can take until the recently made public vulnerabilities are patched.
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025?language=en_US

Fortinet Patches
https://fortiguard.fortinet.com/psirt/FG-IR-25-010
https://fortiguard.fortinet.com/psirt/FG-IR-24-361

Podcast Transcript

 Hello and welcome to the Wednesday, October 15th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Graduate Certificate Program in
 Cybersecurity Leadership. And of course, it's Microsoft
 Patch Tuesday, and we'll have to talk a little bit about
 some of the patches released today. But I want to start out
 with talking about some of the software that will no longer
 be supported after today. First of all, Windows 10.
 Windows 10, no official free updates after today. You can
 sign up for the extended security updates, which in the
 US costs you some money. I think it's like $20, $30 or
 such a year. It's not terribly expensive in the European
 Union. I believe it's free. Not sure exactly what it'll
 cost you in other countries. On the other hand, well, they
 really want you to upgrade to Windows 11. And that's sort of
 the obvious path here. There were some issues creating the
 disks to update to Windows 11. That should be also fixed now.
 Office 2016, 2019. Also no more updates after today.
 Microsoft's goal here is to get you to sign up for Office
 365. But if you insist on having your own copy of
 Office, there is still Office 2024 available. And that's
 also an extended update release. So you should get
 updates for quite a few years to come. Exchange server,
 Exchange server 2016, 2019. No more updates after today. Here
 you have the Exchange server subscription edition to use
 for those who still need the Exchange server on premise.
 And last time I pointed out that Microsoft really wants
 you to move away from that. Well, there are actually still
 some reasons why you need Exchange server on premise.
 And for those people, Exchange server subscription edition.
 And as the name implies, you are now signed up for an
 annual subscription with that version. And of course, for
 your sort of external email needs, you probably just want
 to go with the cloud solution again here and no longer
 maintain anything on premise, if you can help it at least
 nothing that's sort of exposed to the outside. So these are
 the big software packs that are no longer supported. Other
 than that, there were 157 different vulnerabilities that
 I counted. Now, you may see different counts around here.
 What I noticed in this particular update, there were
 a lot of Azure vulnerabilities. I don't count
 them since there's nothing really you need or have to do
 for these particular vulnerabilities. Also, some
 sort of in third party open source software were included
 sort of in the vulnerability feed here by Microsoft. So I
 focused on really the ones that you know, are Microsoft's
 own software. And here sort of interesting, we got some
 Copilot spoofing vulnerabilities that are rated
 as critical. And that's of course, now with Copilot
 becoming a bigger and bigger part, definitely something
 that you should consider here. Also, the Microsoft 365
 Copilot, also a critical spoofing vulnerability here
 for this software. Excel, we got again a bunch of different
 remote code execution vulnerabilities. One of them
 is rated critical. And also some generic Microsoft Office
 remote code execution vulnerabilities that are rated
 critical. And remember, if they're rated critical, it
 usually means no user interaction required. There
 are three vulnerabilities that were either publicly known
 or already exploited. One of them in the Windows Gear modem
 driver. I wasn't really familiar with a gear modem. So I
 did some googling and it looks like that's basically a
 chipset that's often used in USB modems that are used like,
 you know, for receiving faxes and such if that's still a
 thing for you. But remember, even if you aren't receiving
 faxes with your PC, you probably have that driver
 installed. And it's a privilege escalation
 vulnerability. So it would be a typical vulnerability to be
 exploited by these, you know, vulnerable driver kind of
 exploits. And that's probably also how it got exploited. The
 other vulnerability in this category is a Windows remote
 access connection manager vulnerability. Again, a
 software that you're probably not using but have installed
 and that's also a privilege escalation vulnerability. So
 overall, it's quite a few different vulnerabilities here
 in this update. Nothing that I would sort of rate as overly
 critical in the sense that you must patch now. Roll it out in
 accordance with your normal vulnerability management
 system. And then we have two updates or two vulnerabilities
 being patched by Fortinet. First vulnerability is what
 they call a restricted CLI command bypass. And what it
 refers to is that a normal authenticated user is able to
 execute system commands. The second vulnerability that
 they're addressing here is a weak authentication in the WAD
 GUI. This is really just that brute force protection is
 missing. So attackers are able to brute force usernames and
 passwords. If you have a good username and password, then it
 should be less of an issue. But again, apply the patches.
 None of them I would rate as super critical. The first one,
 you require authentication first to exploit it. The
 second one, well, if you have some reasonable passwords, it
 should hopefully take an attacker a while to guess
 those passwords. Well, and that's what we have time for
 today. There are a couple more Adobe updates and such I'll
 cover tomorrow. And thanks for listening. Thanks for
 subscribing. Thanks for liking this podcast and talk to you
 again tomorrow. Bye.