
SANS Stormcast Thursday, May 14th, 2026: Flexible Windows Proxy; News from Nightmare Eclipse; Adobe Patches

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9932.mp3


Podcast Transcript

Hello and welcome to the Thursday, May 14th, 2026 edition of the SANS Internet StormCast. My name is Johannes Ullrich, recording today from San Diego, California. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

In Diaries today we do have an interesting tool recommendation from Rob. Rob experimented with a tool called Proxifier. Now, what Proxifier is good at is if you have a Windows system and you are trying to proxy the HTTP traffic from specific binaries. Now, with network rules and such you are often able to direct traffic to particular destinations to a proxy. But what this tool allows you to do is essentially isolate the traffic from a specific application that you are trying to test. And in the case of Rob, he directed the traffic to Burp Suite in order to better explore an API that a particular application was using. This approach is really kind of neat in order to cut down on the noise that you often get if you are just sending all traffic to a proxy. And it can be sometimes challenging to figure out what traffic is actually originating from a specific binary. This makes the entire process so much easier.

And then we have two new vulnerabilities being disclosed by Nightmare Eclipse, the researcher who made a name for himself by releasing, for example, Bluehammer after their bug report was rejected by Microsoft's Bug Bounty Program. The first vulnerability being released, and I think that's the more serious one, is called Yellow Key. This particular vulnerability attacks BitLocker in a rather effective way. So BitLocker, of course, is well-respected disk encryption by Microsoft, but it relies on BitLocker actually locking the disk as the system is being shut down. And that's the part where Yellow Key comes into place: by attaching a USB stick to a Windows system, and that USB stick must contain very specific files, the disk is not locked as the system is shut down. And then a user may be able to reboot the system into rescue mode and access the still encrypted disk without being, well, sort of hindered by any kind of access control. Interesting vulnerability and also interesting find here. Apparently this was identified by reverse engineering some of the Windows binaries.

The second vulnerability that was disclosed by Nightmare Eclipse is Green Plasma. And that's sort of a more universal remote privilege escalation vulnerability. It essentially just makes memory available to any user that can be used to inject DLLs and such. This particular vulnerability is not fully implemented in the proof of concept being released. So any attacker has to do a little bit more work here, but others have already kind of elaborated on how the exploit works and how it could be made to work given the partial proof of concept. So Yellow Key disables BitLocker and we have a full exploit available for it. And Green Plasma is, well, yet another privilege escalation flaw, and we only have a partial proof of concept, at least released by Nightmare Eclipse at this point.

And then we'll talk a little bit about Adobe vulnerabilities that were patched yesterday. I didn't mention them for the Patch Tuesday update because, well, we had all of these software supply chain vulnerabilities to talk about. First, Adobe Connect did receive an update that fixed a deserialization vulnerability that can execute arbitrary code. So that one is certainly one to pay attention to. And then, well, one of my favorite Adobe products when it comes to vulnerabilities, Adobe Commerce. We have two critical vulnerabilities here that deserve some attention. One is an arbitrary code execution vulnerability via cross-site scripting, which is sort of interesting. And then we also do have an arbitrary file system, right? It says here, improper limitation of a pathname to a restricted directory. Well, a path traversal vulnerability, which tends to be not that terribly difficult to exploit. So definitely get those patches out. We got a total of 10 Adobe products being patched in this Tuesday's Patch Tuesday update from Adobe.

Well, and that's all we have time for today. So thanks for listening. Thanks for liking. Thanks for subscribing to the podcast. Remember, there's also a video version on YouTube if you prefer that format. That's it for today and talk to you again tomorrow. Bye.