SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, July 16th, 2026: DShield SIEM Update; MSFT Patches vs. Intel IPF; Zoom Patch; Forgotten UEFI Shims

4 min
Jul 16, 20262 days ago
Listen to Episode
Summary

This episode covers three critical security updates: DShield's enhanced SIEM dashboard with Suricata and Cowrie TTY logs for better attack visibility, a major Microsoft patch incompatibility affecting Dell devices with Intel IPF drivers, and a high-severity Zoom vulnerability (CVSS 9.8) allowing unauthenticated account takeover. Additionally, ESET disclosed 11 previously-unknown UEFI shim bootloaders that could bypass Secure Boot, which Microsoft revoked in June before public disclosure.

Insights
  • Enhanced honeypot telemetry through SIEM integration provides actionable intelligence on attacker behavior and command execution patterns
  • Large-scale OS patches create compatibility risks with hardware drivers, requiring coordinated vendor response and temporary rollbacks
  • Responsible disclosure practices (30-day embargo before public announcement) balance security researcher transparency with patch deployment timelines
  • Legacy bootloader vulnerabilities persist in Secure Boot implementations despite revocation mechanisms, indicating ongoing supply chain risks
  • Network-accessible authentication bypass vulnerabilities with high CVSS scores require immediate patching across enterprise deployments
Trends
Increased visibility into attacker tactics through honeypot command logging and SIEM dashboardsHardware-software compatibility issues emerging from large monthly patch cyclesResponsible disclosure timelines becoming standard practice in vulnerability managementPersistent UEFI/bootloader vulnerabilities as a critical attack surface despite Secure BootHigh-severity remote authentication bypass vulnerabilities in widely-deployed collaboration toolsCoordinated vendor response mechanisms for critical patch incompatibilitiesSIEM integration becoming essential for honeypot data analysis and threat intelligence
Companies
Microsoft
Released large patch update with compatibility issues; temporarily disabled update for affected devices; revoked UEFI...
Dell
Devices using Intel IPF drivers experienced incompatibility with Microsoft patches, causing performance and overheati...
Intel
Intel Innovative Platform Framework (IPF) drivers conflicted with Microsoft patches, requiring temporary update rollback
Zoom
Released security update for Zoom Workplace for Windows addressing improper input validation allowing unauthenticated...
ESET
Published blog post disclosing 11 valid UEFI shim bootloaders that could bypass Secure Boot; practiced responsible di...
People
Johannes Ulrich
Host of Stormcast episode, recording from Washington, D.C.
Guy
Presented honeypot enhancements and created new SIEM dashboard features for DShield
Quotes
"this new addition to the dashboard will summarize these commands and also allow you to look up which particular attacker did execute what attacks against the honeypot"
Johannes UlrichEarly in episode
"An attacker could have used this to completely compromise systems and essentially bypass secure boot"
Johannes UlrichUEFI shim discussion
"a fix should be available in the next few days"
Johannes UlrichMicrosoft patch discussion
Full Transcript
Hello and welcome to the Thursday, July 16, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ulrich, recording today from Washington, D.C. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations. well today Guy gave a talk in the evening here at Science Fire about the honeypot and some of the additions that Guy created for the honeypot like our seam and with that Guy also made live and made available a new version of the seam for the the shield honeypot the two most notable addition is the addition of Suricata logs to the Honeypot dashboard and then also the addition of Kaori TTY logs Kaori the Honeypot that we are using for SSH and Talnet traffic has the ability to log all the commands that an attacker may send to the honeypot And this new addition to the dashboard will summarize these commands and also allow you to look up which particular attacker did execute what attacks against the honeypot. So you're getting more insight into what they actually attempted to do in the nice format of a Kibana interface. Well, and given the size of yesterday's Microsoft patch used the update, it's no surprise that, well, we have some problems with this update. Microsoft today announced that there is an incompatibility with Dell devices that use the intel innovative platform framework or ipf the drivers installed with this framework are in conflict with some of these patches and are causing problems so microsoft temporarily has disabled the update for these devices if you are affected you may see some changes in performance power consumption or system behavior some people have reported overheating of the devices a fix should be available in the next few days and of course we do still have some patches that were released by vendors other than microsoft to talk about zoom for example did release an update for zoom workplace for windows apparently an improper input validation issue does allow unauthenticated account takeover over the network zoom rated this with a cvss score of 9.8 and an update is available for you to download and install. And he said published a blog post with details regarding 11 shim bootloaders They found that were still valid still recognized by secure boot as authentic and they could have been used to essentially launch any other insecure bootloader An attacker could have used this to completely compromise systems and essentially bypass secure boot. EZET found these bootloader or the shim bootloaders really quite a while ago notified Microsoft Microsoft did disable or basically revoke these bootloaders in the June update so not this month and well kind of a good move from EZET to give us a month to apply all these patches before they're coming forward and announcing these findings publicly. well and that's it for today so thanks for listening thanks for liking thanks for subscribing thanks for recommending this podcast and talk to you again tomorrow bye