Handler on Duty: Manuel Humberto Santander Pelaez
Threat Level: green
Podcast Detail
SANS Stormcast Friday, July 17th, 2026: Windows Hello for Business; NGINX Vuln; 7-zip vuln
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10012.mp3
My Next Class
Click HERE to learn more about classes Johannes is teaching for SANS
German Federal Information Security Office Analyzes Windows Hello for Business
https://www.heise.de/en/news/BSI-dissects-Windows-Hello-Where-Microsoft-s-login-reaches-its-limits-11366125.html
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Windows_dissected/AP1_Windows-Hello-for-Business.pdf?__blob=publicationFile&v=7
NGINX Vulnerability
https://my.f5.com/manage/s/article/K000162097
7-Zip XZ Decompression CVE-2026-14266
https://www.zerodayinitiative.com/advisories/ZDI-26-444/
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Friday July 17th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Washington DC. This episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations. Thanks to listener Gebhardt for pointing me to a study published by the German Federal Information Security Office that did in detail dissect Windows Hello for Business. It's part of a larger effort of the office to better understand and document some of the internals of Windows. In this particular study, they spent 169 pages looking at all the details and some of the potential security shortcomings of Windows Hello for Business. They're focusing on the business part of it because that's of course where people are more interested in all of these details. A couple of interesting findings here. So, first of all, the different security modes that you have available in Windows Hello. The enhanced sign-in security or ESS is quite important as it turns out as it ensures that some of the biometric data is actually protected by the TPM and not just stored as an encrypted file on the file system. Also surprising to me is that the biometric use of this feature actually does not give you additional entropy in how keys are being generated for Windows Hello compared to just a simple PIN. They do however point out that there are a number of advantages of doing biometrics over a PIN. One being that a PIN is easily lost without the user knowing that it was lost while in order to use the biometrics the attacker would have to steal the device which is much easier to discover than a stolen PIN. So, that's I think some important lessons here. They're also pointing out, I think that's not surprising to me, that if you have multiple users on the device that your risk increases. And then in doing some of the reverse analysis, they actually are uncovering some of the sort of not well documented features in Windows Hello and how they exactly work and how all of these different sort of bits and pieces of this larger ecosystem are exactly fitting together. So interesting document definitely if you are deploying Windows Hello for Business worthwhile read. It does fill a number of important gaps that are sort of left by the usual used Microsoft documentation of the feature. And of course, always good to sort of see a thorough reverse analysis and also documentation of security relevant features from a more independent agency. And F5 published its second major security announcement for its web server NGINX. It affects both NGINX Plus as well as the open source version of NGINX. And the vulnerable feature here are map expressions. Now, these map expressions or map directives are often used in order to, well, direct traffic like for A-B testing, I've seen it being used, or just to, for example, take things like a user agent and then split traffic based on the user agent. So for basically sort of a little bit more advanced routing features in NGINX. This is a heap based buffer overflow. So at least it's a denial of service vulnerability in order to be exploitable for remote code execution. Well, that really only works if address space layout randomization is not enabled. I would expect that most systems running NGINX will have it enabled. NGINX is not necessarily a server that I often see, for example, in IoT devices or such that don't use ASLR. So with that, get it patched, get it updated, but it does require fairly specific configurations. And again, with ASLR enabled, it's likely only exploitable as a denial of service. So let me have another heap based buffer overflow, this time in 7-zip. It affects the XZ decompression. The advisory was published by the Zeroday Initiative and reported to the 7-zip maintainers in early June. Well, they do have a patch available now, which led to the coordinated release of these details by the Zeroday Initiative. So if you're running 7-zip, well, be ready for some updates. Well and that's it for today. So thanks for listening. Thanks for liking. Thanks for subscribing and recommending this podcast and talk to you again on Monday. Bye.





