Hello and welcome to the Thursday, April 17th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Orlando, Florida.

And well, let's start with a surprise
update from Apple. Apple released a minor update for
its operating systems, in particular iOS, iPadOS, macOS,
tvOS and visionOS. This update fixes a couple of bugs but
also fixes two already exploited vulnerabilities. One
of these vulnerabilities affects CoreAudio and can be
exploited by making the user play a maliciously crafted audio
stream. The next one allows the attacker with arbitrary
read and write capability to then be able to bypass pointer
authentication. This already is being exploited as well. So
you definitely do want to update these operating systems
from Apple. Patches, again, should be available as of
today.

And talking about Oracle, of course, we are
still kind of not sure what exactly happened with these
decommissioned Oracle servers that apparently were breached
and where user credentials were stolen. However, CISA now
published some guidance as to how to deal with this
particular issue and how to protect yourself from any sort
of follow-on exploits. They're focusing, rightfully so, on the
issue of possibly stolen credentials. So essentially
make sure that you're changing credentials that may have been
exposed. But they're also including here specifically
credentials for sort of machine authentication,
basically any kind of API keys or such that may be exposed as
part of that breach. And of course, watching your
authentication logs for any unusual activity. All good
advice and something that you should always follow if you
suspect that any credentials from your environment are
involved in a breach like this.

And Google Chrome did
release an update. This update fixes two security
vulnerabilities. One of them is critical. It's a code
execution vulnerability in codecs, as they call it. So
probably could be exploited via video and audio file. The
second vulnerability is only ranked as high and affects the
USB interface in Google Chrome. Luckily, Google Chrome
is reasonably good in updating itself. These vulnerabilities
are also not yet exploited, according to Google. So apply
the update at your convenience. And probably a
good idea just to restart Google Chrome, which in many
cases will apply the latest update.

And we got some good
updates regarding the CVE numbering scheme. As a last
minute measure, CISA has extended its funding for MITRE
to maintain the CVE numbering scheme for at least another 11
months. At least that's sort of what I heard as the time
frame for this extension of the funding. Now, on the other
hand, there's also some other announcements around CVEs.
First of all, the CVE board, or at least part of the CVE
board, also did make public a new initiative, the CVE
Foundation. There's not a lot of details. It's just a
quick one-page announcement on the website at this point. But
apparently the attempt here is to put the CVE numbering
system on a more sort of international base and likely
funded by companies that are represented on the CVE board
already, which are kind of your usual suspects, large
internet-related companies, also some other international
entities. At the same time, we also had the European Union
moving forward with their own CVE-like system. And this was
sponsored by ENISA, the European Network Information
Security Agency. This will likely run in parallel with CVE.
One of the concerns here is that with now two and possibly
three systems running, that one of the main values of CVE
numbers is being diminished, and that's to have one unique
identifier for vulnerabilities. Still a
little bit too early to see how this will all shake out in
the end. But for now, it looks like MITRE will continue to
operate the CVE numbering system as before. Now, we're
going to also remember that this is really just assigning
CVE numbers, things like enriching CVE data or
vulnerability data. That's typically done by the National
Vulnerability Database, or NVD, which is operated by
NIST. That particular effort appears to be continuing to
have funding and also may get some new steam as they're
trying to catch up with some of the backlog in
vulnerabilities that they're dealing with.

Well, that's it
for today. So thanks again for listening. As usual, if you
like the podcast, please subscribe. Let others know
about it. Like it. Leave good reviews for this podcast. And
if you run into someone from SANS, well, also let them
know that you like this podcast. Thanks. And that's it
for today. Talk to you again tomorrow. Bye.