SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, May 14th, 2026: Flexible Windows Proxy; News from Nightmare Eclipse; Adobe Patches

5 min
May 14, 2026
Summary

This episode covers a Windows proxy tool for API testing, two critical vulnerabilities disclosed by the researcher Nightmare Eclipse (one targeting BitLocker, one enabling Windows privilege escalation), and Adobe's latest security patches affecting 10 products, including critical flaws in Adobe Connect and Adobe Commerce.

Insights
  • Proxifier enables targeted traffic isolation from specific binaries to testing proxies, reducing noise and improving API exploration efficiency compared to capturing all system traffic
  • BitLocker's reliance on proper shutdown procedures creates an exploitable window where USB-based attacks can prevent disk locking entirely
  • Nightmare Eclipse's vulnerability disclosures represent a pattern of releasing exploits after vendor rejection, indicating growing researcher frustration with bug bounty processes
  • Path traversal vulnerabilities in Adobe Commerce remain a persistent and relatively easy-to-exploit attack vector requiring immediate patching
  • Partial proof-of-concept releases can accelerate exploit development by other researchers, amplifying the impact of disclosed vulnerabilities
Trends
  • Increased disclosure of encryption bypass vulnerabilities targeting operating system-level security features
  • Researchers weaponizing vulnerability disclosures as leverage against vendor bug bounty rejections
  • Growing adoption of application-level traffic isolation tools for security testing and API analysis
  • Persistent prevalence of path traversal and deserialization vulnerabilities in enterprise software
  • Partial PoC releases accelerating full exploit development timelines across the security community
Companies
Microsoft
BitLocker encryption vulnerability and Windows privilege escalation flaws disclosed; rejected Nightmare Eclipse bug r...
Adobe
10 products patched including critical vulnerabilities in Adobe Connect and Adobe Commerce requiring immediate updates
PortSwigger
Burp Suite mentioned as target proxy for isolating and testing application API traffic using Proxifier tool
People
Johannes Ulrich
Host of Stormcast podcast, recording from San Diego, California
Rob
Contributed tool recommendation for Proxifier and demonstrated API testing methodology using proxy isolation
Nightmare Eclipse
Disclosed Yellow Key BitLocker vulnerability and Green Plasma privilege escalation flaw; previously released Blue Hammer
Quotes
"what this tool allows you is to essentially isolate the traffic from a specific application that you're trying to test"
Johannes Ulrich, early in episode
"BitLocker, of course, well-respected disk encryption by Microsoft, but it relies on BitLocker actually locking the disk as the system is being shut down"
Johannes Ulrich, mid-episode
"yellow key disabled BitLocker and we have a full exploit available for it"
Johannes Ulrich, vulnerability summary
"a path traversal vulnerability, which tends to be not that terribly difficult to exploit"
Johannes Ulrich, Adobe Commerce discussion
Full Transcript
Hello and welcome to the Thursday, May 14, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ulrich, recording today from San Diego, California. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

In Diaries today we do have an interesting tool recommendation from Rob. Rob experimented with a tool called Proxifier. Now, what Proxifier is good at is if you have a Windows system and you're trying to proxy the HTTP traffic from specific binaries. Now, with network rules and such you're often able to direct traffic to particular destinations, to a proxy, but what this tool allows you is to essentially isolate the traffic from a specific application that you're trying to test, and in the case of Rob, well, he directed the traffic to Burp Suite in order to better explore an API that a particular application was using. This approach is really kind of neat in order to cut down on the noise that you often get if you are just sending all traffic to a proxy, and it can be sometimes challenging to figure out, you know, what traffic is actually originating from a specific binary. This makes the entire process so much easier.

And then you have two new vulnerabilities being disclosed by Nightmare Eclipse, the researcher who made a name for himself by releasing, for example, Blue Hammer after their bug report was rejected by Microsoft's bug bounty program. The first vulnerability being released, and I think that's the more serious one, is called Yellow Key. This particular vulnerability attacks BitLocker in a rather effective way. So BitLocker, of course, well-respected disk encryption by Microsoft, but it relies on BitLocker actually locking the disk as the system is being shut down. And that's the part where Yellow Key comes into place: by attaching a USB stick to a Windows system, and that USB stick must contain very specific files, the disk is not locked as the system is shut down. And then a user may be able to reboot the system into rescue mode and access the still encrypted disk without being, well, sort of hindered by any kind of access control. Interesting vulnerability, and also interesting find here; apparently this was identified by reverse engineering some of the Windows binaries.

The second vulnerability that was disclosed by Nightmare Eclipse is Green Plasma, and that's sort of a more universal remote privilege escalation vulnerability. It essentially just makes memory available to any user that can be used to inject DLLs and such. This particular vulnerability is not fully implemented in the proof of concept being released, so any attacker has to do a little bit more work here, but others have already kind of elaborated on how the exploit works and how it could be made to work given the partial proof of concept. So Yellow Key disabled BitLocker and we have a full exploit available for it, and Green Plasma is, well, yet another privilege escalation flaw, and we only have a partial proof of concept, at least released by Nightmare Eclipse at this point.

I'm going to talk a little bit about Adobe vulnerabilities that were patched yesterday. I didn't mention them for the Patch Tuesday update because we had all of these software supply chain vulnerabilities to talk about. First, Adobe Connect did receive an update that fixed a deserialization vulnerability that can execute arbitrary code, so that one is certainly one to pay attention to. And then, well, one of my favorite Adobe products when it comes to vulnerabilities, Adobe Commerce: we have two critical vulnerabilities here that deserve some attention. One is an arbitrary code execution vulnerability via cross-site scripting, which is sort of interesting. And then we also do have an arbitrary file system write. It says here improper limitation of a pathname to a restricted directory. Well, a path traversal vulnerability, which tends to be not that terribly difficult to exploit. So definitely get those patches out. We got a total of 10 Adobe products being patched in this Patch Tuesday update from Adobe.

Well, and that's all we have time for today. So thanks for listening. Thanks for liking. Thanks for subscribing to the podcast. Remember, there's also a video version on YouTube if you prefer that format. That's it for today and talk to you again tomorrow. Bye. Thank you.
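The Adobe Commerce flaw discussed above is classed as "improper limitation of a pathname to a restricted directory" (path traversal). The following is an added illustration of why that class is easy to hit and how a containment check closes it; it is not code from the podcast, the diary, or Adobe. The file-serving helpers, the `media` directory tree and the sample requests are all constructed for the example.

```python
"""Path traversal (CWE-22) containment check: weak pattern beside the hardened one.

Added illustration with hypothetical helper names; not Adobe Commerce code.
The base directory and request strings below are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path


def open_file_naive(base_dir: str, requested: str) -> str:
    """The weak pattern: join untrusted input onto a base directory.
    '..' segments walk out of base_dir, and an absolute request replaces it."""
    return os.path.join(base_dir, requested)


def resolve_in_base(base_dir: str, requested: str) -> Path:
    """Hardened version: reject absolute requests, normalise the candidate,
    and require that it still lies under the resolved base directory.
    Raises ValueError for anything that escapes."""
    if Path(requested).is_absolute() or requested.startswith(("/", "\\")):
        raise ValueError(f"absolute path rejected: {requested!r}")
    base = Path(base_dir).resolve()
    # resolve() collapses '..' and follows symlinks before the comparison,
    # so a link planted inside base that points outside is caught as well.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when not under base
    except ValueError:
        raise ValueError(f"path traversal rejected: {requested!r}") from None
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Boolean convenience wrapper around resolve_in_base()."""
    try:
        resolve_in_base(base_dir, requested)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Build a throwaway tree (constructed) and run sample requests through
    both helpers. Returns a verdict per request so it can be inspected."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "media"
        base.mkdir()
        (base / "logo.png").write_bytes(b"constructed sample content")
        (Path(tmp) / "env.php").write_text("constructed secret outside media root")

        base_norm = os.path.normpath(str(base))
        requests = ["logo.png", "../env.php", "/etc/passwd", "sub/../logo.png"]
        results = {}
        for req in requests:
            naive = os.path.normpath(open_file_naive(str(base), req))
            results[req] = {
                # True when the naive join ends up outside the media root
                "naive_escapes": not naive.startswith(base_norm + os.sep),
                # True when the hardened check would serve the request
                "hardened_allows": is_contained(str(base), req),
            }
        return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r:20} {verdict}")
```

The check that matters is `relative_to` on the *resolved* path: string prefix tests on the unresolved join are what the naive branch does, and they pass `sub/../logo.png` while still letting `../env.php` through once `..` is normalised later by the filesystem.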