SANS Stormcast Thursday, July 16th, 2026: DShield SIEM Update; MSFT Patches vs. Intel IPF; Zoom Patch; Forgotten UEFI Shims
4 min
•Jul 16, 20262 days agoSummary
This episode covers three critical security updates: DShield's enhanced SIEM dashboard with Suricata and Cowrie TTY logs for better attack visibility, a major Microsoft patch incompatibility affecting Dell devices with Intel IPF drivers, and a high-severity Zoom vulnerability (CVSS 9.8) allowing unauthenticated account takeover. Additionally, ESET disclosed 11 previously-unknown UEFI shim bootloaders that could bypass Secure Boot, which Microsoft revoked in June before public disclosure.
Insights
- Enhanced honeypot telemetry through SIEM integration provides actionable intelligence on attacker behavior and command execution patterns
- Large-scale OS patches create compatibility risks with hardware drivers, requiring coordinated vendor response and temporary rollbacks
- Responsible disclosure practices (30-day embargo before public announcement) balance security researcher transparency with patch deployment timelines
- Legacy bootloader vulnerabilities persist in Secure Boot implementations despite revocation mechanisms, indicating ongoing supply chain risks
- Network-accessible authentication bypass vulnerabilities with high CVSS scores require immediate patching across enterprise deployments
Trends
Increased visibility into attacker tactics through honeypot command logging and SIEM dashboardsHardware-software compatibility issues emerging from large monthly patch cyclesResponsible disclosure timelines becoming standard practice in vulnerability managementPersistent UEFI/bootloader vulnerabilities as a critical attack surface despite Secure BootHigh-severity remote authentication bypass vulnerabilities in widely-deployed collaboration toolsCoordinated vendor response mechanisms for critical patch incompatibilitiesSIEM integration becoming essential for honeypot data analysis and threat intelligence
Topics
DShield SIEM Dashboard UpdatesSuricata Log IntegrationCowrie TTY Command LoggingMicrosoft Patch IncompatibilityIntel IPF Driver ConflictsDell Device Compatibility IssuesZoom Workplace VulnerabilityUnauthenticated Account TakeoverUEFI Shim Bootloader VulnerabilitiesSecure Boot BypassBootloader RevocationResponsible DisclosureHoneypot TelemetryKibana InterfacePatch Management
Companies
Microsoft
Released large patch update with compatibility issues; temporarily disabled update for affected devices; revoked UEFI...
Dell
Devices using Intel IPF drivers experienced incompatibility with Microsoft patches, causing performance and overheati...
Intel
Intel Innovative Platform Framework (IPF) drivers conflicted with Microsoft patches, requiring temporary update rollback
Zoom
Released security update for Zoom Workplace for Windows addressing improper input validation allowing unauthenticated...
ESET
Published blog post disclosing 11 valid UEFI shim bootloaders that could bypass Secure Boot; practiced responsible di...
People
Johannes Ulrich
Host of Stormcast episode, recording from Washington, D.C.
Guy
Presented honeypot enhancements and created new SIEM dashboard features for DShield
Quotes
"this new addition to the dashboard will summarize these commands and also allow you to look up which particular attacker did execute what attacks against the honeypot"
Johannes Ulrich•Early in episode
"An attacker could have used this to completely compromise systems and essentially bypass secure boot"
Johannes Ulrich•UEFI shim discussion
"a fix should be available in the next few days"
Johannes Ulrich•Microsoft patch discussion
Full Transcript