Podcast Detail

SANS Stormcast Friday, July 17th, 2026: Windows Hello for Business; NGINX Vuln; 7-zip vuln

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10012.mp3

Podcast Logo
Windows Hello for Business; NGINX Vuln; 7-zip vuln
00:00

My Next Class

Click HERE to learn more about classes Johannes is teaching for SANS

Podcast Transcript

 Hello and welcome to the Friday July 17th, 2026 edition
 of the SANS Internet Storm Center's Stormcast. My name is
 Johannes Ullrich, recording today from Washington DC. This
 episode is brought to you by the SANS.edu Graduate
 Certificate Program in Purple Team Operations. Thanks to
 listener Gebhardt for pointing me to a study published by the
 German Federal Information Security Office that did in
 detail dissect Windows Hello for Business. It's part of a
 larger effort of the office to better understand and document
 some of the internals of Windows. In this particular
 study, they spent 169 pages looking at all the details and
 some of the potential security shortcomings of Windows Hello
 for Business. They're focusing on the business part of it
 because that's of course where people are more interested in
 all of these details. A couple of interesting findings here.
 So, first of all, the different security modes that
 you have available in Windows Hello. The enhanced sign-in
 security or ESS is quite important as it turns out as
 it ensures that some of the biometric data is actually
 protected by the TPM and not just stored as an encrypted
 file on the file system. Also surprising to me is that the
 biometric use of this feature actually does not give you
 additional entropy in how keys are being generated for
 Windows Hello compared to just a simple PIN. They do however
 point out that there are a number of advantages of doing
 biometrics over a PIN. One being that a PIN is easily
 lost without the user knowing that it was lost while in
 order to use the biometrics the attacker would have to
 steal the device which is much easier to discover than a
 stolen PIN. So, that's I think some important lessons here.
 They're also pointing out, I think that's not surprising to
 me, that if you have multiple users on the device that your
 risk increases. And then in doing some of the reverse
 analysis, they actually are uncovering some of the sort of
 not well documented features in Windows Hello and how they
 exactly work and how all of these different sort of bits
 and pieces of this larger ecosystem are exactly fitting
 together. So interesting document definitely if you are
 deploying Windows Hello for Business worthwhile read. It
 does fill a number of important gaps that are sort
 of left by the usual used Microsoft documentation of the
 feature. And of course, always good to sort of see a thorough
 reverse analysis and also documentation of security
 relevant features from a more independent agency.
 And F5 published its second major security announcement
 for its web server NGINX. It affects both NGINX Plus as
 well as the open source version of NGINX. And the
 vulnerable feature here are map expressions. Now, these
 map expressions or map directives are often used in
 order to, well, direct traffic like for A-B testing, I've
 seen it being used, or just to, for example, take things
 like a user agent and then split traffic based on the
 user agent. So for basically sort of a little bit more
 advanced routing features in NGINX. This is a heap based
 buffer overflow. So at least it's a denial of service
 vulnerability in order to be exploitable for remote code
 execution. Well, that really only works if address space
 layout randomization is not enabled. I would expect that
 most systems running NGINX will have it enabled. NGINX is
 not necessarily a server that I often see, for example, in
 IoT devices or such that don't use ASLR. So with that, get it
 patched, get it updated, but it does require fairly
 specific configurations. And again, with ASLR enabled, it's
 likely only exploitable as a denial of service. So let me
 have another heap based buffer overflow, this time in 7-zip.
 It affects the XZ decompression. The advisory
 was published by the Zeroday Initiative and reported to the
 7-zip maintainers in early June. Well, they do have a
 patch available now, which led to the coordinated release of
 these details by the Zeroday Initiative. So if you're
 running 7-zip, well, be ready for some updates. Well and
 that's it for today. So thanks for listening. Thanks for
 liking. Thanks for subscribing and recommending this podcast
 and talk to you again on Monday. Bye.