SANS Stormcast Wednesday Apr 2nd: Apple Updates Everything;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9390.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 5th - May 10th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Apple Patches Everything
Apple released updates for all of its operating systems. Most were released on Monday; the WatchOS patches followed on Tuesday. Two already-exploited vulnerabilities, previously patched only in the latest iOS and macOS versions, are now patched for older operating system versions as well. In total, 145 vulnerabilities were patched.
https://isc.sans.edu/diary/Apple%20Patches%20Everything%3A%20March%2031st%202025%20Edition/31816
VMWare Workstation and Fusion update check broken
VMWare’s automatic update check in its Workstation and Fusion products is currently broken due to a redirect added as part of the Broadcom transition.
https://community.broadcom.com/vmware-cloud-foundation/question/certificate-error-is-occured-during-connecting-update-server
NIM Postgres Vulnerability
NIM developers using prepared statements to send SQL queries to Postgres may expose themselves to a SQL injection vulnerability. NIM’s Postgres library does not appear to use real (server-side) prepared statements; instead, it escapes the user data, assembles it together with the SQL code into a single string, and passes that string to the database. If the escaping does not match the server's string-handling configuration, this can lead to SQL injection.
https://blog.nns.ee/2025/03/28/nim-postgres-vulnerability/
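The point made above and in the transcript (a library that escapes values client-side is only as safe as its assumptions about the server, and Postgres' standard_conforming_strings setting changes how a backslash inside a string literal is read) can be checked without a database. The following is an added example, written for this page rather than taken from the Nim library or from the linked blog post. It models, in simplified form, how the Postgres scanner finds the end of a plain '...' literal under both settings (E'' strings, dollar quoting and comments are deliberately ignored), then runs a quote-doubling escaper and a connection-aware escaper over constructed sample values to show where the literal boundary survives and where it does not. The function and value names are assumptions made for the example.

```python
"""Why client-side escaping must match the server's string settings.

Illustrative model only: plain '...' literals, no E'' strings, dollar quoting
or comments.  Not the Nim library's code.
"""

from typing import Callable, Dict, Optional


def scan_literal(sql: str, start: int, standard_conforming_strings: bool) -> Optional[int]:
    """Return the index just past the closing quote of the string literal that
    opens at sql[start], or None if the literal never terminates.

    standard_conforming_strings=on: backslash is an ordinary character and only a
    doubled quote ('') stands for a literal quote.
    standard_conforming_strings=off: a backslash escapes the next character, so
    \\' does NOT close the literal.
    """
    if sql[start] != "'":
        raise ValueError("no string literal at offset %d" % start)
    i, n = start + 1, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2          # '' inside a literal is one quote character
                continue
            return i + 1        # closing quote found
        if c == "\\" and not standard_conforming_strings:
            i += 2              # backslash escape swallows the next character
            continue
        i += 1
    return None                 # ran off the end: unterminated literal


def naive_quote(value: str, standard_conforming_strings: bool = True) -> str:
    """Escaper that only doubles single quotes.  It ignores the server setting,
    which is exactly the assumption being modelled here."""
    return "'" + value.replace("'", "''") + "'"


def connection_aware_quote(value: str, standard_conforming_strings: bool) -> str:
    """Escaper that also doubles backslashes when the server treats them as
    escape characters.  Correct escaping depends on server state, which is why
    libpq's escaping routines take the connection as an argument."""
    if not standard_conforming_strings:
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "''") + "'"


def literal_is_self_contained(quoted: str, standard_conforming_strings: bool) -> bool:
    """True if the server would read `quoted` as exactly one complete literal,
    i.e. the value cannot spill into (or swallow) the surrounding SQL."""
    return scan_literal(quoted, 0, standard_conforming_strings) == len(quoted)


def check_escaper(escaper: Callable[[str, bool], str], value: str) -> Dict[bool, bool]:
    """Run an escaper over a value under both server settings and report, per
    setting, whether the literal boundary survives."""
    return {
        scs: literal_is_self_contained(escaper(value, scs), scs)
        for scs in (True, False)
    }


if __name__ == "__main__":
    # Constructed sample values: a harmless apostrophe and a trailing backslash.
    for value in ("O'Brien", "x\\"):
        print(repr(value),
              "naive:", check_escaper(naive_quote, value),
              "aware:", check_escaper(connection_aware_quote, value))
```

With the server default (standard_conforming_strings=on) both escapers produce a self-contained literal; with the setting off, the quote-doubling escaper leaves a value ending in a backslash unterminated, and a value containing a backslash followed by a quote closes the literal early. The connection-aware escaper repairs that particular case, but the robust fix the summary points to is to stop assembling SQL strings at all and send the statement and its parameters to the server separately, which is what a real prepared statement does.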
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
Podcast Transcript
Hello and welcome to the Wednesday, April 2nd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Yesterday, Apple released updates, well, for almost everything. There were updates for iOS, iPadOS, WatchOS, TVOS, MacOS, VisionOS, Safari, and Xcode. The one thing that was missing from this lineup was WatchOS, but that actually just got released a couple of hours ago. Overall, we got updates for 145 different vulnerabilities, if I counted them correctly. Many of these vulnerabilities apply to multiple products because they all sort of share the same kernel and with that good amount of code. There are two interesting vulnerabilities here I want to point out. These vulnerabilities were already exploited in the wild, so-called zero-day vulnerabilities. They had been patched in the most recent versions of MacOS and iOS in the past, but now we got patches for older versions of the operating system. There is a WebKit vulnerability that was patched now for iOS, iPadOS, and then there was a USB restriction vulnerability that was patched for MacOS. Again, these were already patched for the newer versions, but now this patch was also offered for the older versions of MacOS. I mentioned that you may have issues downloading the WatchOS update. At least that's my experience so far and in the DShield Slack. Another user already mentioned some issues with that as well. There is something to keep in mind that this is also a feature update. The iOS and MacOS updates yesterday did enable some of Apple's AI features for Europe. Once users start using that, this will actually require a large multi-gigabyte download of the AI models. My suspicion is that this just led probably to a little bit more stress than normal on Apple servers. Also, the WatchOS update was literally released a couple hours ago. 
Initially, there are always some delays in getting them pushed out to all the front-end servers and such. So, yeah, if you have some issues downloading that Apple Watch update, try it again tomorrow. It should work better. Other than that, there isn't really anything super critical here in these updates. So, applying it tomorrow by the end of the week should be perfectly fine. Unless you're using one of these older versions of iOS, MacOS. Which usually means you're also using older hardware. Then, because of these, I still call them zero-day vulnerabilities. But, of course, they have now been known and patched for newer versions for quite a while. Because of that, you may want to accelerate that a little bit. But I haven't seen any sort of widespread exploit of these vulnerabilities at this point. And if you're using VMware Workstation, there is an issue that apparently is affecting VMware Workstation users trying to check for updates. With all the transition that VMware and Broadcom are going through with respect to URLs and such. They apparently messed up the URL that's being used to check if there is a new version of VMware available. You may see some certificate errors here, apparently. So, I guess they'll wait for them to fix it. Hopefully, sometime soon. But until then, if there are any updates for VMware Workstation, you can still install them. You can still download them. But there is no mechanism right now to sort of get automatically alerted of any updates. And then there is an interesting vulnerability in the programming language NIM. If it's being used with Postgres. And the reason I'm covering this is not because the name is super popular and such. But I think it illustrates a nice problem that sometimes happens if you're using sort of not too much abstraction around database libraries. Best practice if you're trying to avoid SQL injection is to use prepared statements.
The problem is that your programming language or the library that you're using may represent something as a prepared statement that's actually not a prepared statement. In my definition of prepared statements, it means that the statement is being sent to the database separate from the data. Now, what happens in NIM here is that the language, the NIM Postgres interface here, is actually escaping the parameters, building dynamic SQL strings, and then sending them to the database as a string. So, it's sort of a little bit of fake prepared statements. Like, you know, Perl has done that way back in the day with old versions of MySQL and such that didn't support prepared statements natively. The problem here is that, well, they're not doing it correctly under certain circumstances. In particular, if in Postgres you set standard conforming strings to off, the default is on and it basically enforces some standards around how strings are formatted. For compatibility reasons, as the vulnerability note here points out, that's often turned off and as a result, you may be vulnerable in this case. So, interesting vulnerability and I think something to just be aware of just because it looks like a prepared statement may not mean that it actually is a prepared statement. And you may still rely on some library here to actually do the right thing as they are translating your data. Well, and that's it for today. I hope I didn't fall for any April 1st stories. I actually had one story about some Gmail end-to-end encryption feature that didn't quite sort of pass the smell test. If it turns out to be right, I may cover it tomorrow. Other than that, remember, I'm also teaching classes. And on the Stormcast page, you can also find links to that next upcoming moment. It's actually in Orlando, just here. So, if you're living somewhere up north, probably nice to enjoy the sun a little bit and then also San Diego in May. Anyway, that's it for today.
Thanks for listening and talk to you again tomorrow. Bye.