SANS Stormcast Wednesday, January 14th, 2026: Microsoft, Adobe and Fortinet Patches; ConsentFix
SANS Internet StormCast

SANS Internet StormCast, Jan 14, 2026

AI Summary

The episode reviews Microsoft’s January Patch Tuesday (113 fixes, including one actively exploited and eight critical bugs), Adobe’s updates for ColdFusion and Acrobat Reader, and two Fortinet advisories covering an unauthenticated heap overflow and an SSRF issue. It also highlights a new OAuth‑based “ConsentFix” attack that tricks users into copying a consent URL to harvest tokens, bypassing redirect‑URI mitigations. Host Johannes Ullrich emphasizes the urgency of applying these patches, especially the ColdFusion file‑upload and FortiOS buffer overflow flaws, and warns organizations to educate users against social‑engineering token theft.

Episode Description

Microsoft Patch Tuesday January 2026

https://isc.sans.edu/diary/January%202026%20Microsoft%20Patch%20Tuesday%20Summary/32624

https://helpx.adobe.com/security.html

https://fortiguard.fortinet.com/psirt/FG-IR-25-783

https://fortiguard.fortinet.com/psirt/FG-IR-25-084

https://pushsecurity.com/blog/consentfix

Show Notes

SANS Stormcast – Wednesday, January 14 2026

Handler on Duty: Johannes Ullrich


Microsoft Patch Tuesday – January 2026

Microsoft released patches for 113 vulnerabilities. The update includes:

  • 1 already‑exploited vulnerability

  • 1 vulnerability disclosed today

  • 8 critical vulnerabilities

A summary of the Microsoft Patch Tuesday can be found in the SANS diary entry “January 2026 Microsoft Patch Tuesday Summary”.

Adobe Patches

Adobe released patches for five products. Of particular note are code‑execution vulnerabilities in:

  • ColdFusion – an arbitrary file‑upload issue that could be used to place a web‑shell.

  • Acrobat Reader – two critical vulnerabilities that allow code execution.

More details are available on Adobe’s security advisory page.

Fortinet Patches

Fortinet issued two advisories:

  1. FG‑IR‑25‑783 – A heap‑based buffer overflow affecting FortiOS and FortiSwitch Manager. It allows unauthenticated code execution. A workaround is to block access via the fabric interfaces.

  2. FG‑IR‑25‑084 – A server‑side request forgery (SSRF) in the FortiSandbox GUI that could be used to reach limited internal endpoints.

ConsentFix – A New OAuth‑Based ClickFix‑Style Attack

Push Security's blog post describes the “ConsentFix” attack, which builds on the classic ClickFix technique.

  • Attackers present a fake CAPTCHA‑style dialog, the same lure ClickFix uses.

  • The victim is instructed to log in to Microsoft and grant permissions to a legitimate application.

  • The attacker does not run that application. Instead, the victim is told to copy‑paste the OAuth consent/redirect URL, which carries the access token/credentials, back into the dialog, where the attacker captures it.

  • Because the token is taken from the victim's own URL bar after the request is authorized, recent mitigations that limit redirect‑URI manipulation do not help.

The technique demonstrates how attackers can still harvest OAuth tokens even when redirect‑URI protections are in place.
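A defender-side check for the mechanism described above, added here as an example (it is not code from Push Security or the SANS diary). Because the credential in a ConsentFix lure rides in the authorization-response URL that the victim is asked to copy, a paste-time scanner (a browser extension, a chat or help-desk DLP hook) can recognise such a URL and alert or block before the text leaves the machine. The scanner inspects both the query string (authorization-code flow) and the fragment (implicit flow, where the access token itself is in the URL); `id_token` and `refresh_token` are included as a generalisation beyond the page, which only mentions the access token/credentials. Every host, code and token in the sample is a constructed placeholder.

```python
"""Flag OAuth authorization-response URLs in text a user is about to paste.

Added example for the ConsentFix write-up; hosts, codes and tokens below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# OAuth 2.0 authorization-response parameters that are credentials, or are
# exchangeable for credentials. Any of them in pasted text is a red flag.
SENSITIVE_PARAMS = frozenset({"code", "access_token", "id_token", "refresh_token"})

# Good-enough URL matcher for clipboard text; stops at whitespace and quotes.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def oauth_response_params(url):
    """Return the set of sensitive parameter names carried by url.

    Both the query (code flow) and the fragment (implicit flow) are checked,
    because a token delivered in the fragment never reaches a server log but is
    still sitting in the victim's URL bar.
    """
    parts = urlsplit(url)
    names = set()
    for component in (parts.query, parts.fragment):
        for key, _ in parse_qsl(component, keep_blank_values=True):
            if key in SENSITIVE_PARAMS:
                names.add(key)
    return names


def _redact_component(component):
    """Replace the value of every sensitive parameter in a query or fragment string."""
    pairs = parse_qsl(component, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in SENSITIVE_PARAMS else v) for k, v in pairs])


def redact_url(url):
    """Return url with sensitive values replaced, so an alert can quote it safely."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       _redact_component(parts.query),
                       _redact_component(parts.fragment)))


def scan_paste(text):
    """Scan clipboard-style text; return (redacted_url, sorted param names) per hit.

    URLs without OAuth response parameters are ignored.
    """
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        names = oauth_response_params(url)
        if names:
            findings.append((redact_url(url), sorted(names)))
    return findings


# Constructed sample: what a victim's URL bar might hold after consenting.
# Line 1: code-flow redirect to a loopback listener; line 2: implicit-flow
# redirect with the access token in the fragment; line 3: a harmless URL.
SAMPLE_PASTE = (
    "http://localhost:8400/?code=0.AXkAexample-auth-code&state=xyz123&session_state=abc\n"
    "https://app.example.test/callback#access_token=eyJexample.token&token_type=Bearer&expires_in=3600\n"
    "https://docs.example.test/help?topic=oauth\n"
)

if __name__ == "__main__":
    for redacted, names in scan_paste(SAMPLE_PASTE):
        print(f"BLOCK paste: OAuth response parameters {names} in {redacted}")
```

The check is deliberately parameter-based rather than host-based: the URL in a ConsentFix lure points at a legitimate application's redirect endpoint, so allow-listing hosts would not catch it, whereas a `code=` or `access_token=` parameter in text headed for a web form is almost never legitimate.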


Podcast Transcript


Hello and welcome to the Wednesday, January 14th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Well of course the topic today is Microsoft's Patch Tuesday. We got our first Patch Tuesday for 2026 and it was sort of, well, I would sort of say a little bit of an average Patch Tuesday. Nothing really all that terribly exciting. We got a total of 113 vulnerabilities addressed, which includes one vulnerability in Microsoft Edge which really is a Chromium vulnerability ported over to Microsoft's Edge browser. Then there were eight critical vulnerabilities in this set, and one vulnerability is already being exploited and a second one has been disclosed. Let's actually start with the disclosed vulnerability because that's a relatively straightforward one. The problem here is that the certificates being used for Secure Boot need to be rotated, as so often with cryptographic keys. These certificates expire after a while. So that's really what this is about. If that doesn't happen then of course you end up with expired certificates, which then could be used by an attacker to essentially bypass Secure Boot. But yes, this new update now basically just loads the latest certificates into the operating system, which then should basically protect Secure Boot again and prevent this expiration from happening.

The second issue, and that's the one that's already being exploited, is a little bit tricky. It's a problem with the MLPC port. It's sort of an RPC mechanism in Windows, and this particular vulnerability is really more of an information disclosure vulnerability that would allow an attacker to essentially access some of the communication here on this port. And yes, that could then be leveraged to additional, more severe exploits probably. But by itself this vulnerability isn't really all that critical. Actually it's just rated as important by Microsoft.

Among the critical vulnerabilities we had a number of vulnerabilities that were Microsoft Office, Word, Excel vulnerabilities. There was one vulnerability that was a little bit interesting, at least from the title. And that's a remote code execution vulnerability in LSASS. We had some real high‑impact vulnerabilities in LSASS before, like the famous Blaster Worm. This is nothing like that. This particular vulnerability, in order to exploit it, does require an authentication. Also, as Microsoft states in its advisory, the attacker first needs to prepare the system properly. Whatever that means. Probably sort of now filling up some memory.

Adobe also released this update as usual. This time fixing five different products. Among those products there are two that I always pay attention to. Adobe ColdFusion: there is an arbitrary file upload vulnerability that's being addressed here. So this could be abused to upload something like a webshell. The second product here is Acrobat Reader. Two critical vulnerabilities that would allow code execution. So definitely update both of these in particular. I would say here ColdFusion is one that you really need to pay attention to. We had similar vulnerabilities before. So I wouldn't be surprised to see an exploit for this relatively shortly.

And then we got two different updates from Fortinet. The first one affects FortiOS and FortiSwitch Manager. It's a heap‑based buffer overflow vulnerability. So that allows for code execution and does not require any authentication. There is a workaround listed here where you essentially just don't allow access via the fabric interfaces in your FortiOS and FortiSwitch Manager. Probably something to consider anyway, regardless of whether or not you're going to apply the patch here for this vulnerability. But yes, certainly something that you do want to address even though it only affects some configurations of these devices.

The second vulnerability is in FortiSandbox. So here, if you're using the GUI to basically inspect your sandbox results, there's a possibility for malicious software to actually use a server‑side request forgery. Now what can be done with this vulnerability is a little bit limited, like what endpoints can be accessed. But still, you know, something to be aware of, in particular since you're using this sandbox to look at potentially malicious code.

In addition to all the new vulnerabilities, we also do have an interesting new technique being used by attackers. Push Security has a blog post about what they're calling the ConsentFix attack. Now you're all familiar with the ClickFix attack. That's the fake CAPTCHA where the attacker is then tricking the victim into copy‑pasting commands into some kind of run dialog on their system. This actually is going after OAuth secrets. So the way this attack works is that again, the attacker is displaying a fake CAPTCHA to the user, but then instructs the user to log in, in this example to Microsoft, and give Microsoft permissions for a particular application.

Now, the typical trick here is then that after the user gives that permission, or assigns that permission to the application in Microsoft's authentication interface, the victim is being redirected back to the application that then receives the credentials to authenticate to Microsoft's API. In this case, the attacker is not running that application. It's a legitimate application that the attacker would like to have access to. So the attacker is then basically asking the victim to copy‑paste the URL, which includes the credentials, into the CAPTCHA dialog in order to capture these credentials. Interesting play here on OAuth.

In the past, sometimes you have seen similar attacks by manipulating the redirect URI, which is the URI that the user is being redirected to after authenticating. But the applications and also OAuth providers have sort of clamped down on some of these issues. So this is now the next thing. Well, if I can't redirect the user to my URI, then let me just grab it from their URL bar and let me have the user help with that. So, amazing that some of this actually works, given that some of these copy‑paste things aren't quite that terribly straightforward. But apparently the attackers can make it work.

Well, that's it for today. Thanks for listening, thanks for liking, and thanks for subscribing to this podcast. Remember, I'll be teaching in Orlando and Amsterdam in April. So if you're interested, at the bottom of the show notes on the Internet Storm Center website you'll see links to currently offered classes. That's it!