
SANS Internet StormCast
Microsoft's January Patch Tuesday delivered 113 fixes, including eight classified as critical. The most visible change is a Secure Boot certificate rotation that replaces expired keys, closing a path attackers could use to bypass firmware integrity checks. An already-exploited LPC port vulnerability provides information disclosure; it is rated important rather than critical, but still warrants prompt remediation. Additional patches address long-standing Office Word/Excel flaws and a new LSASS (Local Security Authority Subsystem Service) remote-code-execution issue that requires prior authentication, underscoring the need for rapid deployment across Windows environments.
Adobe's update tackles five products, with ColdFusion's arbitrary file-upload flaw and two critical Acrobat Reader code-execution bugs standing out. These vulnerabilities can lead to web-shell deployment or full system compromise if left unpatched, making them high priority for web-application teams. Fortinet released two separate advisories: a heap-based buffer overflow in FortiOS/FortiSwitchManager that enables unauthenticated code execution, and a sandbox GUI SSRF that could leak internal endpoints. The vendor-provided workaround, blocking fabric-interface access, helps mitigate risk while administrators apply the patches, highlighting the importance of layered defense.
The episode also warns about a new "ConsentFix" attack that extends the classic clickjacking trick to OAuth flows. Attackers present a fake CAPTCHA, then coax victims into granting permissions to a legitimate application while secretly capturing the redirected URL that contains OAuth tokens. By copying the URL into a command prompt, the thief harvests credentials without needing a malicious redirect endpoint. This evolution demonstrates how social engineering can bypass modern anti-phishing controls, reinforcing the need for user education and strict OAuth redirect validation. Ullrich reminds listeners of upcoming SANS cybersecurity leadership classes in Orlando and Amsterdam for deeper training.
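The "strict OAuth redirect validation" the episode calls for is an authorization-server-side control: the redirect_uri in an authorization request must match a pre-registered value exactly, with no prefix, wildcard or host-only matching. The following is an added illustration, not code from the podcast or from Push Security; the client id and the registered callback URL are constructed values.

```python
from urllib.parse import urlsplit

# Constructed registry of redirect URIs per client id (assumption, not from the episode).
# Each entry is the full, exact URI the client registered at enrollment time.
REGISTERED_REDIRECTS = {
    "client-app-1": {"https://app.example.com/oauth/callback"},
}


def validate_redirect_uri(client_id: str, requested: str) -> bool:
    """Return True only if `requested` is byte-for-byte one of the client's registered URIs.

    Exact string comparison (as recommended by the OAuth 2.0 Security BCP) defeats the usual
    loose-match bypasses: appended paths or query strings, '../' traversal, userinfo tricks such
    as 'https://app.example.com@attacker.test/...', and scheme downgrades to http.
    """
    allowed = REGISTERED_REDIRECTS.get(client_id, set())
    if requested not in allowed:
        return False
    # Defense in depth on the registered value itself: refuse anything that is not plain https,
    # carries a fragment, or smuggles userinfo into the authority component.
    parts = urlsplit(requested)
    if parts.scheme != "https" or parts.fragment or "@" in parts.netloc:
        return False
    return True


def handle_authorization_request(client_id: str, redirect_uri: str, state: str) -> dict:
    """Decide whether to proceed with the consent screen or reject the request outright.

    On a redirect_uri mismatch the server must NOT redirect to the supplied URI (that would hand
    the attacker the error response and the state); it returns an error to the user agent directly.
    """
    if not validate_redirect_uri(client_id, redirect_uri):
        return {"action": "reject", "error": "invalid_request", "redirect": False}
    if not state:
        return {"action": "reject", "error": "missing_state", "redirect": False}
    return {"action": "show_consent", "client_id": client_id, "state": state}
```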
Microsoft Patch Tuesday January 2026
https://isc.sans.edu/diary/January%202026%20Microsoft%20Patch%20Tuesday%20Summary/32624
https://helpx.adobe.com/security.html
https://fortiguard.fortinet.com/psirt/FG-IR-25-783
https://fortiguard.fortinet.com/psirt/FG-IR-25-084
https://pushsecurity.com/blog/consentfix