Hello and welcome to the Wednesday, July 30th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking.

Well, and today was again Apple's surprise update day. Apple doesn't have a schedule for this. Last time we had an event like this was, I believe, back in May. It was somewhat predictable based on sort of history and, of course, some of the beta releases and the RC releases that came out sort of a week or two ago. And that usually is a good indication that we soon have one of these updates coming from Apple. They update essentially all of the operating systems: iOS, iPadOS, macOS, watchOS, tvOS, visionOS. Don't think they missed one here. A lot of the updates are in common across different operating systems. That's because they all pretty much run the same kernel. Also, Safari, meaning WebKit vulnerabilities, usually transfer over. I think watchOS does not have WebKit, so some of these vulnerabilities do not apply to the Apple Watch.
Overall, 89 different vulnerabilities were patched. Initially, I had 29 here. That's, well, just before recording this, I should double-check, because that number looked a little bit small. It was just a typo I had here in the early version of that. The diary hasn't updated quite yet as I'm recording this, but should update shortly. So 89 is the magic number here as far as the number of updates go.

Now, severity of the updates, obviously a little bit of a crapshoot here when it comes to Apple. Apple's vulnerability descriptions are fairly terse, usually just one sentence. But they do sometimes say that, hey, this particular vulnerability may elevate privileges, or it crashes Safari, like in the case of one vulnerability here. So some of them are obvious sandbox escape, privilege escalation, denial of service vulnerabilities. Where it gets a little bit more tricky are vulnerabilities that basically sort of cause memory corruption. In particular, when they're affecting WebKit, this could be a super critical vulnerability in the sense that it could lead to remote code execution as someone visits a malicious web page, so without any additional user interaction. However, it's not really clear what you can do with this memory corruption. That really depends on a lot of other factors that aren't really disclosed here by Apple. None of these vulnerabilities are explicitly labeled as exploited. So the assumption is they at least haven't been exploited at this point as far as Apple is aware. Patch-wise, I wouldn't really rush this out necessarily. But it's something you probably want to get done over the next week for personal devices. Just apply the patch overnight and you should be all set and good to go. At this point, I patched some of my devices. Haven't had any issues at this point. But of course, that's a fairly small sample here.

And then we also had a diary by Xavier. Xavier wrote about a topic I always like, and that's how to do things with scripts: faster, simpler. In this case, it's a simple triage problem. You've got a bunch of files. Some of these files are zip files. And then you need to check if a certain pattern is inside those files, in particular the zip files.
So what Xavier did here is write a little Python script that, first of all, checks if a file is a zip file, based on the first four bytes in the file. That has, of course, that typical PK and then the version number signature. And then if it's one of those files, it will then decompress the file and check if the decompressed version does have the particular signature in it. And then, of course, it will copy all the matching files into a special directory for further analysis. Real quick triage script. And like I said, I love these. Would be actually nice to benchmark some of the different options here, like if you do it sort of with zgrep as a bash script, if you do it with good old Perl, which was sort of written to do stuff like this, and then, well, maybe someone can come up with a C solution or something else, to sort of see how it performs. This, of course, is also very quick to write, which, well, is the real beauty of some of these solutions.

And yesterday I mentioned that the Cisco ISE vulnerability had already been exploited and was added to the known exploited vulnerability database by CISA. There was another product here, PaperCut, that was also mentioned as being already exploited. I didn't mention it yesterday because it was an older vulnerability, a 2023 vulnerability. But I still decided today to mention it because, first of all, there was a second vulnerability in that same release, a path traversal vulnerability, that was exploited pretty soon after this vulnerability became known. So now we have the second one of these two vulnerabilities that's being exploited. The path traversal vulnerability caused quite a bit of pain with ransomware and such in some cases back in the day, meaning about two years ago. Horizon3.ai did a good write-up on that vulnerability. Haven't seen the same amount of detail yet for the cross-site request forgery vulnerability that was now also added to the known exploited vulnerability database. But if you're running PaperCut, which is software they're using to manage print servers in large enterprises usually, well, if you're using that software, please make sure it's up to date. Yes, the patch is two years old, but this is one of those things, you know, printers, you only worry about them if they don't work. So they're easily overlooked in your normal patching cycle.

Well, and that's it for today. So thanks for listening and talk to you again tomorrow. Bye.
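The zip-aware triage script described in the Xavier diary segment, as an added example written for this page rather than Xavier's own code: it follows the same steps (magic-byte check on the first four bytes, decompress, search the inflated content, copy hits to a separate directory) and adds a per-member size cap so an oversized archive member is skipped rather than inflated. The regex pattern, the `MAX_MEMBER` limit and the sample files built in a temporary directory are all constructed for the demonstration.

```python
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"      # local-file-header signature at offset 0
MAX_MEMBER = 50 * 1024 * 1024  # skip members that would inflate past 50 MiB (zip-bomb guard)

def is_zip(path: Path) -> bool:  # cheap magic-byte check; only these files get decompressed
    with path.open("rb") as fh:
        return fh.read(4) == ZIP_MAGIC

def zip_matches(path: Path, rx: re.Pattern) -> bool:  # inflate each member in memory and search it
    try:
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                if rx.search(zf.read(info)):
                    return True
    except (zipfile.BadZipFile, RuntimeError):  # corrupt archive, bad CRC, or encrypted member
        pass
    return False

def triage(src: Path, dest: Path, pattern: bytes) -> list:
    """Copy every file in src whose (decompressed) content matches pattern into dest."""
    rx = re.compile(pattern)
    dest.mkdir(parents=True, exist_ok=True)
    hits = []
    for path in sorted(p for p in src.iterdir() if p.is_file()):
        if is_zip(path):
            matched = zip_matches(path, rx)
        else:
            matched = rx.search(path.read_bytes()) is not None
        if matched:
            shutil.copy2(path, dest / path.name)
            hits.append(path.name)
    return hits

def demo() -> list:
    # Constructed sample set: one matching zip, one clean zip, one plain-text hit, one truncated zip.
    src = Path(tempfile.mkdtemp()) / "incoming"
    src.mkdir()
    with zipfile.ZipFile(src / "report.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("page.html", "<script>eval(atob('...'))</script>")
    with zipfile.ZipFile(src / "clean.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here")
    (src / "notes.txt").write_bytes(b"plain file that also contains eval(atob('x'))")
    (src / "broken.zip").write_bytes(ZIP_MAGIC + b"\x00" * 16)  # right magic, unusable archive
    return triage(src, src.parent / "hits", rb"eval\(atob\(")
```

Running `demo()` returns `['notes.txt', 'report.zip']`: the clean archive is not copied, and the truncated file with a valid magic is rejected by `zipfile` instead of crashing the run.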