Podcast Detail

SANS Stormcast Wednesday, June 3rd, 2026: SVG Phishing; Android Patches; Poly Voice Vuln; Ivanti Neurons Priv Escalation

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9956.mp3

Podcast Transcript

Hello and welcome to the Wednesday, June 3rd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

Xavier today wrote about a new wave of phishing emails that contain SVG files. SVG files typically open in the browser and that's the intent here. The SVG file format, well, it's really meant to sort of embed images inside HTML, XML. It's an XML format that basically contains vector graphics. However, in this particular case, well, it doesn't actually contain any graphics. Instead, inside of the SVG tag, we do have good old JavaScript. So, an intent here is really to use the SVG file as sort of a vessel in order to smuggle JavaScript into an environment, hopefully not have it inspected by any kind of content inspection. And with that, essentially to redirect the user to a phishing page. Interesting technique and definitely very commonly used lately. So, if you want to look at the details of Xavier's analysis, take a look at the diary in the show notes.

And Google today published its June update for Android. And with that patched one vulnerability that's apparently already being exploited or as Google puts it, maybe under limited targeted exploitation. This is an elevation of privilege vulnerability in framework. One interesting observation here is last month in May, we only had sort of one listed vulnerability. And this was the result of Google stating that they will no longer really explain every single vulnerability they address, but only, well, those that they consider important enough. Now, all the vulnerabilities being listed today are critical or high. And we do have, well, 40 something or so vulnerabilities that are being listed here. So, certainly more active than what we had in May. I'm not sure if this is sort of a subtle change here in policy or if it's just a matter of, well, having more vulnerabilities to patch this month.

And HP released an update for its Poly Voice product. This is HP's voice over IP line of products. And, well, this patch does fix a remote code execution vulnerability, a stack based buffer overflow. What makes it particularly sort of urgent is that Rapid7 accompanied this release with a blog post. And there they explain details how to exploit this vulnerability, including the release of a Metasploit module that will assist in exploitation. So, certainly don't delay rolling out this patch.

And then we got an update from Ivanti for Ivanti Neurons for ITSM. This update fixes a single vulnerability. This is a privilege escalation vulnerability. So, nothing overly important here. Well, it's rated high, not critical. It does allow a normal authenticated user to escalate privileges to become an administrator.

Well, and this is it for today. So, thanks for listening. Thanks for liking. Thanks for subscribing. And as always, talk to you again tomorrow. Bye.
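
The SVG attachments described at the start of the episode carry script instead of graphics, which a mail gateway or an analyst can check for directly. The triage scanner below is an added example, not part of the episode or of Xavier's diary; the two sample files, the `example.invalid` host and the finding names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the diary): no graphics, only a redirect script.
SAMPLE_PHISH = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script><![CDATA[ window.location.href = "https://example.invalid/login"; ]]></script>
</svg>"""
# Constructed benign sample: a plain drawing.
SAMPLE_BENIGN = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

DRAWING_TAGS = {"path", "rect", "circle", "ellipse", "line", "polyline",
                "polygon", "text", "image", "use"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data):
    """Return a sorted list of reasons an SVG attachment deserves a closer look."""
    # Entity declarations can hide markup or inflate the parse: flag, don't parse.
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    findings, has_drawing = set(), False
    for el in root.iter():
        tag = local(el.tag)
        has_drawing |= tag in DRAWING_TAGS
        if tag == "script":
            findings.add("script-element")
        elif tag == "foreignobject":
            findings.add("foreignobject")  # can embed arbitrary HTML
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):  # onload, onclick, ...
                findings.add("event-handler")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.add("javascript-url")
    if findings and not has_drawing:
        findings.add("no-graphics")  # active content with nothing to draw
    return sorted(findings)

if __name__ == "__main__":
    print(scan_svg(SAMPLE_PHISH))
```

This is triage, not a sanitizer: gzip-compressed `.svgz` files and encodings that are not ASCII-compatible need decoding before the scan.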