Hello and welcome to the Wednesday, November 5th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cloud security.

And we got patches from Apple. Now, the patches were actually released on Monday. I didn't get them into the Monday or Tuesday podcast, so I'm covering them now. We got a total of 110 vulnerabilities addressed in these patches. And as is typical for Apple, we got updates for pretty much every single product of theirs, with a lot of overlap between those products, just because the underlying operating system has a lot of overlap as well. There are a couple of vulnerabilities here that I'd sort of point out, and those are memory corruption vulnerabilities in ImageIO and also in the font parser. These types of vulnerabilities have in the past been exploited for remote code execution. Apple's notes to their patches are always very sparse, so it's really hard to tell how exploitable these memory corruptions are and whether they will actually lead to code execution. Also, we got at least one memory corruption in WebKit that of course affects Safari and anything sort of exposed via a website that a user may visit. There's also, as usual for Apple, a separate Safari update. The reason you have this is that some of the older operating systems may now need a newer version of Safari to address the WebKit issues that Apple patched, because they originally came with an older version of Safari. But for the current operating systems, you shouldn't really see a separate Safari update. Xcode was also updated, and that's also the case whenever they update the operating system: of course Xcode, which is Apple's development environment, has to be updated as well. So overall, nothing terribly exciting, nothing that's already being exploited, but certainly patches that you probably want to apply sometime this week if possible.

Well, I've got an interesting blog post by Proofpoint showing how cyber criminals are targeting trucking and logistics. So what's happening here is that these criminals' end goal is to steal trucks, or the load being transported by those trucks. But in order to do so, they need to know which trucks actually have a load worth stealing. A lot of times it sort of happens randomly, where basically just parked trailers and such are being stolen with whatever load they have. But for cyber criminals, of course, it's much better to be able to figure out which truck actually has a high-value load. The way this particular scheme works is that they initially compromise one company, one trucking or logistics company, just via standard fake emails and phishing. And once they take control of one company, they're using legitimate remote management and monitoring tools, like your standard LogMeIn and things like that, in order to then basically see what they're working on. But they're also using that initial access to then infect other trucking companies by, for example, posting fake loads and fake offers for work on various systems that these trucking companies use. And those fake offers are then often being used to trick a victim into clicking on malicious links and downloading and installing malware, just by, for example, posting PDFs and the like. So basically, standard phishing tricks. But by being inside these systems, it's of course a lot more convincing when trying to get a user to execute or open an attachment. The end goal, as I said, is just to figure out which truck has a particularly valuable load and then steal it. And apparently the losses for these particular schemes are ranging in the billions at this point.

From a defensive point of view, well, you always need to control these remote management tools. That's probably, I think, the biggest lesson here from this particular compromise. They're often used in ransomware attacks and other attacks where an attacker, in order to gain persistent access to a system, just installs a legitimate remote management tool instead of an obviously malicious one, which of course is much easier to detect by anti-malware endpoint protection systems.

And we don't just have patches from Apple. Google also released its usual scheduled monthly update. This is the November 2025 update that they published for Android. The vulnerabilities are actually kind of similar in scope to what I just talked about when it came to Apple. So we have a couple of vulnerabilities here that sort of could lead to these single-click or no-click exploits, where just viewing an image or something like this will lead to a system compromise. For example, we have here one vulnerability in what Google refers to as "System", so basically the basic operating system, that does allow remote code execution and is assigned a severity of critical, affecting Android back to version 13. A little bit more detail here from Google than we do get from Apple, with this severity and also the type actually indicating that remote code execution is possible here with this particular vulnerability. As usual, apply these Android patches as they become available for your particular device. Of course, there may be a delay depending on your carrier and what device you are using.

Well, and that's it for today. So thanks for listening, and special thanks to anybody who is recommending this podcast on Apple's podcast site and also leaving a comment there. And that's it for today, and talk to you again tomorrow. Bye.
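As an added illustration of the "control your remote management tools" point from the Proofpoint segment above (this is not code from the podcast, the ISC or Proofpoint): a small audit that reads constructed process-creation log lines and flags RMM executables that are not approved for the host they run on, plus approved ones launched from a user-writable path or by a mail or document handler. The log format, host names, inventory, parent process names and every executable name other than LogMeIn are assumptions.

```python
import re
from dataclasses import dataclass

# RMM executables to watch for. LogMeIn is the tool named in the podcast; the
# other names are placeholders for whatever your own inventory lists (assumed).
RMM_EXECUTABLES = {"logmein.exe", "rmm-tool-a.exe", "rmm-tool-b.exe"}

# Hosts on which a given RMM tool is sanctioned (constructed inventory).
APPROVED = {"srv-helpdesk": {"logmein.exe"}}

# Parent processes that suggest the launch came from an opened attachment or
# link, i.e. the phishing path described in the write-up (assumed names).
DOCUMENT_PARENTS = {"outlook.exe", "acrord32.exe", "chrome.exe", "winword.exe"}

# Constructed process-creation log lines in a simple key=value format.
SAMPLE_LOG = """\
2025-11-05T09:01:00Z host=SRV-HELPDESK user=svc_rmm image=C:\\Program Files\\LogMeIn\\logmein.exe parent=services.exe
2025-11-05T09:05:12Z host=WS-DISPATCH-07 user=jdoe image=C:\\Users\\jdoe\\Downloads\\logmein.exe parent=acrord32.exe
2025-11-05T09:07:44Z host=WS-DISPATCH-07 user=jdoe image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
2025-11-05T09:30:02Z host=SRV-HELPDESK user=svc_rmm image=C:\\Users\\Public\\logmein.exe parent=outlook.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) parent=(?P<parent>\S+)$"
)

@dataclass
class Finding:
    ts: str
    host: str
    image: str
    reason: str

def user_writable(path):
    """Crude check for paths a regular user can write to (assumed heuristic)."""
    low = path.lower()
    return "\\users\\" in low or "\\temp\\" in low or "\\appdata\\" in low

def audit(log_text):
    """Return one Finding per RMM launch that is unapproved or looks phished-in."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        exe = m["image"].rsplit("\\", 1)[-1].lower()
        if exe not in RMM_EXECUTABLES:
            continue  # not an RMM tool, nothing to check
        host = m["host"].lower()
        if exe not in APPROVED.get(host, set()):
            findings.append(Finding(m["ts"], m["host"], m["image"], "rmm_not_approved_for_host"))
        elif user_writable(m["image"]) or m["parent"].lower() in DOCUMENT_PARENTS:
            findings.append(Finding(m["ts"], m["host"], m["image"], "approved_rmm_suspicious_launch"))
    return findings
```

On the sample above this yields two findings: the dispatcher workstation running LogMeIn out of a Downloads folder, and the approved helpdesk host launching it from a public folder under Outlook.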