SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Wednesday, May 6th, 2026: Cleartext Passwords in Edge; SSL.com Root Rotation; DAEMONTOOLS Backdoor;

8 min
May 6, 2026
Summary

This episode covers three critical security issues: Microsoft Edge storing decrypted passwords in memory creating bulk access risks, SSL.com's root certificate rotation affecting mutual TLS implementations, and a month-long supply chain compromise of DAEMONTOOLS that distributed signed malware.

Insights
  • Password manager security theater in browsers: decryption on startup defeats per-password authentication, enabling bulk password theft with limited system access
  • Root certificate rotations require proactive verification across Unix systems, mobile apps with certificate pinning, and mutual TLS implementations to avoid service disruptions
  • Supply chain compromises targeting legitimate software distribution channels remain undetected for extended periods, requiring continuous re-verification of downloaded tools
  • Certificate authority policy changes (server-only certificates) impact organizations using mutual TLS with public CAs, though internal PKI deployments are largely unaffected
  • Memory leaks in browsers represent a significant attack vector for password theft, making third-party password managers with dedicated security focus preferable to built-in solutions
Trends
  • Increased focus on password manager security as browsers implement security theater rather than genuine protection
  • Supply chain attacks targeting legitimate software distribution channels with signed malware remaining undetected for weeks
  • Certificate pinning adoption in mobile applications as defense against rogue certificate authorities and social engineering
  • Mutual TLS adoption in microservices architectures creating new certificate management complexity for organizations
  • Root certificate rotation procedures becoming more complex across heterogeneous Unix and mobile environments
  • Public certificate authorities restricting certificate issuance to server-only use cases, forcing policy changes for mutual TLS
  • Memory safety issues in browsers creating persistent password exposure risks despite per-use authentication prompts
Companies
Microsoft
Microsoft Edge browser stores decrypted passwords in memory, creating bulk access vulnerability despite per-password ...
SSL.com
Major commercial certificate authority rotating root certificates, affecting mutual TLS and certificate pinning imple...
DAEMONTOOLS
Legitimate disk image mounting software compromised for one month with signed malware, affecting Windows and potentia...
Kaspersky
Security firm that discovered and documented the DAEMONTOOLS supply chain compromise and associated malware commands.
People
Johannes Ullrich
Host recording the episode from Jacksonville, Florida, discussing security vulnerabilities and industry trends.
Rob
Provided news items on Microsoft Edge password management and SSL.com certificate rotation issues.
Quotes
"the passwords are already decrypted in memory so as Rob points out this is sort of more a little bit security theater"
Johannes Ullrich, early in episode
"the big risk here is that an attacker can get bulk access to all of your passwords even with timely very limited access to your system"
Johannes Ullrich, Microsoft Edge discussion
"keeping your password secure, that's the primary mission of a password manager. So they tend to be a little bit more detail oriented when it comes to protecting your passwords"
Johannes Ullrich, password manager recommendation
"It looks like a complete compromise of the website and their build architecture"
Johannes Ullrich, DAEMONTOOLS discussion
"the website and the tools were compromised for about a month now"
Johannes Ullrich, DAEMONTOOLS timeline
Full Transcript
Hello and welcome to the Wednesday, May 6, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security. Well, in diaries today, we got two kind of news items from Rob. First one affects Microsoft Edge. Microsoft Edge manages passwords like all browsers pretty much do these days. And well, it stores passwords in an encrypted file on your system. However, once you start Edge, it will load all of these passwords into the browser's memory and decrypt them, even though you as a user have to sort of authenticate yourself for each password individually as you use it to pre-fill these passwords into a website. Well, the passwords are already decrypted in memory, so as Rob points out, this is sort of more a little bit security theater. So what's the threat here? Well, at first you may say, well, it's not really a big deal, because in order to gain access to the memory you have to be logged in as the user. If you are having all the privileges of the user, you can probably do things like capture keystrokes, load browser extensions and things like this, so you would have access to the passwords as they're being used. But the big risk here is that an attacker can get bulk access to all of your passwords even with timely, very limited access to your system. The other problem, of course, is that any kind of memory leak, and browsers sadly are kind of known for them, could be exploited in order to then gain access to these passwords, given the exact nature of the memory leak, of course. So that's the real risk here. That's why Microsoft probably should do something about it and fix it, even though they classified it as intended behavior as it was reported to Microsoft. Other browsers do this a little bit differently, and your best bet still is to go with a third-party password manager.
Some of them had similar issues in the past, but fixed them because, well, after all, keeping your password secure, that's the primary mission of a password manager. So they tend to be a little bit more detail oriented when it comes to protecting your passwords. The second news item here is that SSL.com, one of the larger commercial certificate authorities, is rotating their root certificates today. Ideally, nobody really should worry about this and should notice it. Typically, whenever you update your operating system and such, there are often updated root certificate authority files being loaded into your operating system. However, well, reality is it depends a little bit on how you're managing your root certificates. In particular in the Unix world, there are sometimes several sort of certificate authority files that are on your system. Also, if you're doing things like mutual TLS or such, you may have very specific root certificates. And then, in particular in mobile applications, many developers are these days using certificate pinning, or at least certificate authority pinning, where they only allow certificates from a specific sort of authority to be used, in order to protect themselves from rogue certificate authorities or, well, attackers who are good at social engineering being able to obtain a certificate to impersonate a particular company. So that's why you probably should double check and make sure how you're using SSL.com's certificates, if you're using them at all. Again, if you're just using them in a browser and you're not managing any servers using them, then nothing really to worry about. Another little side issue here that's not just SSL.com: remember that certificate authorities will now, and I'm talking about public server authorities, will no longer issue certificates that are server and client certificate. Typically, you only get server certificates now.
This has recently been changed, and there's a particular issue if you are doing mutual TLS, because then, well, if you're using the same certificate for the server as well as client function, well, you must have both of these properties set in your certificate. For mutual TLS, most people are using internal certificates, particularly if you're using it sort of in a, between containers and such, in like a microservices architecture. So again, shouldn't really worry you too much. But if you're using any public server authorities for some externally exposed mutual TLS purposes, then this may be a problem for you. And today's supply chain compromise was found by Kaspersky and does affect Daemon Tools. If you're not familiar with Daemon Tools, well, the name already sounds a little bit malicious, but it's not. It's a set of usually legitimate tools that can be used to mount various disk images. They exist for Mac and Windows. Kaspersky talks about the Windows version. Not sure if the Mac version got compromised too. But if you're downloading a version of Daemon Tools from the legitimate website, you will receive a malicious version of Daemon Tools, basically a backdoored one, that is also signed with a legitimate Daemon Tools certificate. So it looks like a complete compromise of the website and their build architecture.
Wouldn't be surprised if the Mac version has similar malicious code embedded; haven't had a chance to give it a try yet. Once you're running the malicious version, it will access a site called daemontools. Now, the legitimate website for daemontools is daemon. So very simple here, easy to mix up. And I think what's worse is that, according to Kaspersky, the website and the tools were compromised for about a month now. I, just before recording this, went to the Daemon Tools website for any kind of notice, update. Didn't see anything, but there was also like no news or blog or any sort of page like this where you typically would find a notice like this. So not sure if they're aware, not sure if the tools have been replaced with safe versions. At this point I would treat them still as malicious, and if you downloaded Daemon Tools in the last month, sorry, you have to double check again. They're just downloading the command, and the attacker could have then pretty much executed any command. Kaspersky is documenting in their blog some of the commands that they have seen, and they basically install all of the usual information stealers, backdoors and the like. So nothing too crazy here necessarily. Basically just your standard malware at this point. Well, that's it for today. Thanks for listening, for liking, for commenting on the podcast. And a couple of you also sent a little bit of feedback as to what content you would like to see more or less of, what actually helped you. Always really useful. So, you know, also in the future, if there is a particular topic that really helped you, let me know. Or if there's a topic where you felt that really just wasted your time, let me know that too. And I can basically pick different topics. The goal here is really to make this short and impactful and really help you basically have a better day. So thanks and talk to you again tomorrow. Bye.
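The mutual TLS point in the transcript, that a certificate reused for both sides of the connection must carry both the server and the client Extended Key Usage, as an added Go example that is not from the podcast or SANS: it builds a constructed self-signed certificate with a chosen EKU set and reports whether it can serve both roles. The function names CheckEKU, MTLSReady and selfSigned and the subject mtls.example.test are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckEKU reports which TLS roles the certificate's Extended Key Usage permits.
func CheckEKU(cert *x509.Certificate) (serverAuth, clientAuth bool) {
	for _, u := range cert.ExtKeyUsage {
		switch u {
		case x509.ExtKeyUsageServerAuth:
			serverAuth = true
		case x509.ExtKeyUsageClientAuth:
			clientAuth = true
		case x509.ExtKeyUsageAny: // anyExtendedKeyUsage covers both roles
			serverAuth, clientAuth = true, true
		}
	}
	return serverAuth, clientAuth
}

// MTLSReady is true only if one certificate can present as both server and client.
func MTLSReady(cert *x509.Certificate) bool {
	s, c := CheckEKU(cert)
	return s && c
}

// selfSigned builds a throwaway self-signed certificate (constructed test data) with the given EKUs.
func selfSigned(eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mtls.example.test"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Run the same check against a real CA-issued certificate by loading it with x509.ParseCertificate instead of selfSigned; a server-only certificate from a public CA fails MTLSReady and needs a separate client certificate.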