SANS Stormcast Thursday, June 11th, 2026: Framing Protections; npm improvements; Adobe Patches; New Defender 0-day

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9968.mp3

How has use of framing protection security headers changed in the past 3 years?
https://isc.sans.edu/diary/How%20has%20use%20of%20framing%20protection%20security%20headers%20changed%20in%20the%20past%203%20years%3F/33068

Preparing for npm v12: install scripts and non-registry sources become opt-in
https://github.com/orgs/community/discussions/198547

Adobe Patches
https://helpx.adobe.com/security.html

Rogue Planet new Microsoft Defender Vulnerability
https://github.com/MSNightmare/RoguePlanet

My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich

Podcast Transcript

Hello and welcome to the Thursday, June 11th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

Jan today published a diary on Content Security Policy and how the X-Frame-Options header is sort of starting to get replaced, or supplemented, with the frame-ancestors directive in CSP. This is something that Jan first looked at three years ago, so what he published today was essentially an update on what has been going on more recently. Now, the X-Frame-Options header still works, so far there's nothing really wrong with it. However, officially it has now been replaced with Content Security Policy. And what Jan found is that over the last three years there was a significant increase in the uptake of Content Security Policy and of the frame-ancestors directive within Content Security Policy. So overall it's a good thing that this has been improving. I would still kind of leave the X-Frame-Options header in place, personally. Yes, it sort of does the same thing as frame-ancestors. I find that with Content Security Policy it's easier to sort of get lost in the complexity and maybe have a syntax error or something like this, so the frame-ancestors directive may not work as expected. And as far as I know, all existing browsers still support X-Frame-Options. So it's kind of a nice backup, I guess, in this case.

And in a blog post, npm did announce some changes in the upcoming npm 12 release, which is expected in July. These changes are changes to default behaviors, not really new features, that are supposed to combat some of the attacks that we have seen recently. Now, probably the most significant change here is that install scripts will be turned off by default. Install scripts are often used for continuous integration, for CI/CD kind of pipelines and the like, but not really used that much. And of course, giving an attacker the ability to run arbitrary code is what has been abused heavily in recent attacks. So now, by default, these scripts will not run. You can still allow them to run if you want to, or you can allow them to run just for specific repositories. We'll have to see how it all works out. The second part is that allow git and allow remote will no longer be enabled by default. This was usable by installers to basically refer to specific URLs and such, and then load code from there versus via the normal sort of repository and the npmjs path. So that was also used in recent attacks. The blog post also points out that while these default settings will change in version 12, if you want, you can already enable them in the current version. They're just not default settings at this point. So 11.16 does have the features, they're just not enabled by default, or the features are not disabled by default is probably a better way of putting it. The blog post also goes over some techniques and such you can use to allow some of these scripts to run, for example, and basically how to get ready for this change.

And then we got a little bit of Patch Tuesday cleanup. First of all, Adobe did also publish updates yesterday for 11 different products. Two of the products that I'm usually watching here are Acrobat Reader and ColdFusion. Acrobat Reader fixes a couple of remote code execution vulnerabilities, with a CVSS score of only 7.8. ColdFusion also has a remote code execution vulnerability, and for it the CVSS score is 9.8. So definitely take a look at these, these are definitely vulnerabilities you want to address. For Acrobat Reader, I believe the CVSS score is lower because essentially the user has to open a file. So it's not sort of a real remote code execution, other than that the file of course typically arrives from a remote source.

And following Patch Tuesday, we now got, well, certainly on Wednesday, thanks to Nightmare Clips, another vulnerability in Microsoft Defender. It's yet another one of those privilege escalation vulnerabilities where Microsoft Defender essentially overwrites its own files. In this particular case, it does require that the victim is mounting a disk image from an SMB share. So the attacker would have to trick the victim somehow into doing this. They also point out that this does not work by default on Windows Server because on Windows Server normal users don't have the ability to mount disk images. So that way the exploit doesn't work.

Well, and this is it for today. So thanks for listening. Thanks for liking. Thanks for subscribing to this podcast. And as always, talk to you again tomorrow. Bye.
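As an added example, not from the podcast or the ISC diary, the following audit checks a response's headers for the two framing protections discussed above: the legacy X-Frame-Options header and the CSP frame-ancestors directive. It also catches the failure mode mentioned in the episode, a CSP whose frame-ancestors directive is misspelled or empty and therefore not enforced, which is exactly where keeping X-Frame-Options as a backup pays off. The header values used are constructed samples.

```python
"""Audit a response's framing protections: X-Frame-Options and CSP frame-ancestors."""
from __future__ import annotations

VALID_XFO = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete and not honored by browsers

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_framing(headers: dict[str, str]) -> dict[str, object]:
    """Report which framing protections are in effect and list findings."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    xfo = h.get("x-frame-options", "").strip().upper()
    xfo_ok = xfo in VALID_XFO
    if xfo and not xfo_ok:
        findings.append(f"unsupported X-Frame-Options value: {xfo}")

    csp = parse_csp(h.get("content-security-policy", ""))
    sources = csp.get("frame-ancestors")
    fa_ok = bool(sources)  # directive present with at least one source ('self', 'none', host)
    if sources == []:
        findings.append("frame-ancestors present but lists no sources")
    # The syntax-error case from the diary: a directive name the browser does not
    # recognize is not enforced, so the CSP provides no framing protection at all.
    typos = [d for d in csp if d.startswith("frame-ancestor") and d != "frame-ancestors"]
    if typos:
        findings.append(f"misspelled CSP directive(s) not enforced by browsers: {typos}")

    if not xfo_ok and not fa_ok:
        findings.append("no framing protection in effect")
    elif fa_ok and not xfo_ok:
        findings.append("CSP only; X-Frame-Options is a cheap backup if the CSP breaks")
    elif xfo_ok and not fa_ok:
        findings.append("X-Frame-Options only; add CSP frame-ancestors")
    return {"x_frame_options": xfo_ok, "frame_ancestors": fa_ok, "findings": findings}

if __name__ == "__main__":
    # Constructed sample response headers, not captured from any real site.
    print(audit_framing({"X-Frame-Options": "DENY"}))
    print(audit_framing({"Content-Security-Policy": "default-src 'self'; frame-ancestor 'none'"}))
    print(audit_framing({"X-Frame-Options": "SAMEORIGIN",
                         "Content-Security-Policy": "frame-ancestors 'self'"}))
```

Feed it the headers from your own responses (for example, `dict(requests.head(url).headers)`) to see which of the two mechanisms each site actually relies on.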