SANS Stormcast Thursday April 17th: Apple Updates; Oracle Updates; Google Chrome Updates; CVE News;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9412.mp3

Apple Updates
Apple released updates for iOS, iPadOS, macOS, and VisionOS. The updates fix two vulnerabilities which had already been exploited against iOS.
https://isc.sans.edu/diary/Apple%20Patches%20Exploited%20Vulnerability/31866

Oracle Updates
Oracle released its quarterly critical patch update. The update addresses 378 security vulnerabilities. Many of the critical updates are already known vulnerabilities in open-source software like Apache and Nginx ingress.
https://www.oracle.com/security-alerts/cpuapr2025.html

Oracle Breach Guidance
CISA released guidance for users affected by the recent Oracle cloud breach. The guidance focuses on the likely loss of passwords.
https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-releases-guidance-credential-risks-associated-potential-legacy-oracle-cloud-compromise

Google Chrome Update
A Google Chrome update released today fixes two security vulnerabilities. One of the vulnerabilities is rated as critical.
https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_15.html

CVE Updates
CISA extended MITRE’s funding to operate the CVE numbering scheme. However, a number of other organizations announced that they may start alternative vulnerability registers.
https://euvd.enisa.europa.eu/
https://gcve.eu/
https://www.thecvefoundation.org/

Podcast Transcript

 Hello and welcome to the Thursday, April 17th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich and today I'm recording from
 Orlando, Florida. And well, let's start with a surprise
 update from Apple. Apple released a minor update for
 its operating systems, in particular iOS, iPadOS, MacOS,
 TVOS and VisionOS. This update fixes a couple of bugs but
 also fixes two already exploited vulnerabilities. One
 of these vulnerabilities affects core audio and can be
 exploited by making the user play a maliciously crafted audio
 stream. The next one allows the attacker with arbitrary
 read and write capability to then be able to bypass pointer
 authentication. This already is being exploited as well. So
 you definitely do want to update these operating systems
 from Apple. Patches, again, should be available as of
 today. And talking about Oracle, of course, we are
 still kind of not sure what exactly happened with these
 decommissioned Oracle servers that apparently were breached
 and where user credentials were stolen. However, CISA now
 published some guidance as to how to deal with this
 particular issue and how to protect yourself from any sort
 of follow-on exploits. They're focusing rightfully so on the
 issue of possibly stolen credentials. So essentially
 make sure that you're changing credentials that may have been
 exposed. But they're also including here specifically
 credentials for sort of machine authentication,
 basically any kind of API keys or such that may be exposed as
 part of that breach. And of course, watching your
 authentication logs for any unusual activity. All good
 advice and something that you should always follow if you
 suspect that any credentials from your environment are
 involved in a breach like this. And Google Chrome did
 release an update. This update fixes two security
 vulnerabilities. One of them is critical. It's a code
 execution vulnerability in codecs, as they call it. So
 probably could be exploited via video and audio file. The
 second vulnerability is only ranked as high and affects the
 USB interface in Google Chrome. Luckily, Google Chrome
 is reasonably good in updating itself. These vulnerabilities
 are also not yet exploited, according to Google. So apply
 the update at your convenience. And probably a
 good idea just to restart Google Chrome, which in many
 cases will apply the latest update. And we got some good
 updates regarding the CVE numbering scheme. As a last
 minute measure, CISA has extended its funding for MITRE
 to maintain the CVE numbering scheme for at least another 11
 months. At least that's sort of what I heard as the time
 frame for this extension of the funding. Now, on the other
 hand, there's also some other announcements around CVEs.
 First of all, the CVE board, or at least part of the CVE
 board, also did make public a new initiative, the CVE
 Foundation. There's not a lot of details. It's just of a
 quick one-page announcement on the website at this point. But
 apparently the attempt here is to put the CVE numbering
 system on a more sort of international base and likely
 funded by companies that are represented on the CVE board
 already, which are kind of your usual suspects, large
 internet-related companies, also some other international
 entities. At the same time, we also had the European Union
 moving forward with their own CVE-like system. And this was
 sponsored by ENISA, the European Network Information
 Security Agency. This will likely run in parallel of CVE.
 One of the concerns here is that with now two and possibly
 three systems running, that one of the main values of CVE
 numbers is being diminished, and that's to have one unique
 identifier for vulnerabilities. Still a
 little bit too early to see how this will all shake out in
 the end. But for now, it looks like MITRE will continue to
 operate the CVE numbering system as before. Now, we're
 going to also remember that this is really just assigning
 CVE numbers, things like enriching CVE data or
 vulnerability data. That's typically done by the National
 Vulnerability Database, or NVD, which is operated by
 NIST. That particular effort appears to be continuing to
 have funding and also may get some new steam as they're
 trying to catch up with some of the backlog in
 vulnerabilities that they're dealing with. Well, that's it
 for today. So thanks again for listening. As usual, if you
 like the podcast, please subscribe. Let others know
 about it. Like it. Leave good reviews for this podcast. And
 if you run into someone from SANS, well, also let them
 know that you like this podcast. Thanks. And that's it
 for today. Talk to you again tomorrow. Bye.