
SANS Stormcast Wednesday Apr 2nd: Apple Updates Everything;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9390.mp3


Apple Patches Everything
Apple released updates for all of its operating systems. Most were released on Monday with WatchOS patches released today on Tuesday. Two already exploited vulnerabilities, which were already patched in the latest iOS and macOS versions, are now patched for older operating systems as well. A total of 145 vulnerabilities were patched.
https://isc.sans.edu/diary/Apple%20Patches%20Everything%3A%20March%2031st%202025%20Edition/31816

VMWare Workstation and Fusion update check broken
VMware's automatic update check in its Workstation and Fusion products is currently broken due to a redirect added as part of the Broadcom transition.
https://community.broadcom.com/vmware-cloud-foundation/question/certificate-error-is-occured-during-connecting-update-server

NIM Postgres Vulnerability
Nim developers using prepared statements to send SQL queries to Postgres may expose themselves to a SQL injection vulnerability. Nim's Postgres library does not appear to use actual prepared statements; instead, it assembles the SQL text and the user data into a single string and passes that string to the database. This may lead to a SQL injection vulnerability.
https://blog.nns.ee/2025/03/28/nim-postgres-vulnerability/

Podcast Transcript

 Hello and welcome to the Wednesday, April 2nd, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich and today I'm recording from
 Jacksonville, Florida. Yesterday, Apple released
 updates, well, for almost everything. There were updates
 for iOS, iPadOS, WatchOS, TVOS, MacOS, VisionOS, Safari,
 and Xcode. The one thing that was missing from this lineup
 was WatchOS, but that actually just got released a couple of
 hours ago. Overall, we got updates for 145 different
 vulnerabilities, if I counted them correctly. Many of these
 vulnerabilities apply to multiple products because they
 all sort of share the same kernel and with that good
 amount of code. There are two interesting vulnerabilities
 here I want to point out. These vulnerabilities were
 already exploited in the wild, so-called zero-day
 vulnerabilities. They had been patched in the most recent
 versions of MacOS and iOS in the past, but now we got
 patches for older versions of the operating system. There is
 a WebKit vulnerability that was patched now for iOS,
 iPadOS, and then there was a USB restriction vulnerability
 that was patched for MacOS. Again, these were already
 patched for the newer versions, but now this patch
 was also offered for the older versions of MacOS. I mentioned
 that you may have issues downloading the WatchOS
 update. At least that's my experience so far and in the
 DShield Slack. Another user already mentioned some issues
 with that as well. There is something to keep in mind that
 this is also a feature update. The iOS and MacOS updates
 yesterday did enable some of Apple's AI features for
 Europe. Once users start using that, this will actually
 require a large multi-gigabyte download of the AI models. My
 suspicion is that this just led probably to a little bit
 more stress than normal on Apple servers. Also, the
 WatchOS update was literally released a couple hours ago.
 Initially, there are always some delays in getting them
 pushed out to all the front-end servers and such. So,
 yeah, if you have some issues downloading that Apple Watch
 update, try it again tomorrow. It should work better. Other
 than that, there isn't really anything super critical here
 in these updates. So, applying it tomorrow by the end of the
 week should be perfectly fine. Unless you're using one of
 these older versions of iOS, MacOS. Which usually means
 you're also using older hardware. Then, because of
 these, I still call them zero-day vulnerabilities. But,
 of course, they have now been known and patched for newer
 versions for quite a while. Because of that, you may want
 to accelerate that a little bit. But I haven't seen any
 sort of widespread exploit of these vulnerabilities at this
 point. And if you're using VMware Workstation, there is
 an issue that apparently is affecting VMware Workstation
 users trying to check for updates. With all the
 transition that VMware and Broadcom are going through with
 respect to URLs and such. They apparently messed up the URL
 that's being used to check if there is a new version of
 VMware available. You may see some certificate errors here,
 apparently. So, I guess they'll wait for them to fix
 it. Hopefully, sometime soon. But until then, if there are
 any updates for VMware Workstation, you can still
 install them. You can still download them. But there is no
 mechanism right now to sort of get automatically alerted of
 any updates. And then there is an interesting vulnerability
 in the programming language NIM. If it's being used with
 Postgres. And the reason I'm covering this is not because
 the name is super popular and such. But I think it
 illustrates a nice problem that sometimes happens if
 you're using sort of not too much abstraction around
 database libraries. Best practice if you're trying to
 avoid SQL injection is to use prepared statements. The
 problem is that your programming language or the
 library that you're using may represent something as a
 prepared statement that's actually not a prepared
 statement. In my definition of prepared statements, it means
 that the statement is being sent to the database separate
 from the data. Now, what happens in NIM here is that
 the language, the NIM Postgres interface here, is
 actually escaping the parameters, building dynamic
 SQL strings, and then sending them to the database as a
 string. So, it's sort of a little bit of fake prepared
 statements. Like, you know, Perl has done that way back in
 the day with old versions of MySQL and such that didn't
 support prepared statements natively. The problem here is
 that, well, they're not doing it correctly under certain
 circumstances. In particular, if in Postgres you set
 standard conforming strings to off, the default is on and it
 basically enforces some standards around how strings
 are formatted. For compatibility reasons, as the
 vulnerability note here points out, that's often turned off
 and as a result, you may be vulnerable in this case. So,
 interesting vulnerability and I think something to just be
 aware of just because it looks like a prepared statement may
 not mean that it actually is a prepared statement. And you
 may still rely on some library here to actually do the right
 thing as they are translating your data. Well, and that's it
 for today. I hope I didn't fall for any April 1st
 stories. I actually had one story about some Gmail end-to-end
 encryption feature that didn't quite sort of pass the
 smell test. If it turns out to be right, I may cover it
 tomorrow. Other than that, remember, I'm also teaching
 classes. And on the Stormcast page, you can also find links
 to that next upcoming moment. It's actually in Orlando, just
 here. So, if you're living somewhere up north, probably
 nice to enjoy the sun a little bit and then also San Diego in
 May. Anyway, that's it for today. Thanks for listening
 and talk to you again tomorrow. Bye.
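The Nim/Postgres item in the summary and in the transcript above turns on one point: a library that doubles quotes on the client and splices the value into the SQL text is not a prepared statement, and whether that splicing is safe depends on a server setting the client does not control. The following is an added example, written for this page and not taken from the podcast, the linked write-up, or the Nim project. It models two things: the client-side quoting (`quote_value`, doubling embedded single quotes, the scheme the write-up attributes to Nim's library) and a toy scanner (`literal_extent`) that mimics how PostgreSQL delimits a single-quoted literal when `standard_conforming_strings` is on (backslash is an ordinary character) versus off (backslash escapes the next character). `value_stays_in_literal` is the check a reviewer would want: after splicing, does the value still end exactly where the literal should? The template, the `$1` placeholder convention and the sample values are constructed for the example.

```python
"""Client-side quoting versus a real prepared statement (constructed example).

The scanner below is a simplification of PostgreSQL's lexer that covers only
ordinary single-quoted literals; E'...' strings and dollar quoting are out of
scope.  It is enough to show why the same client-side escaping is safe under
standard_conforming_strings=on and unsafe under =off.
"""


def quote_value(value: str) -> str:
    """Client-side quoting as many drivers do it: wrap in quotes, double embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def build_query(template: str, value: str) -> str:
    """The 'fake prepared statement': splice the quoted value into the SQL text.

    The template uses a constructed $1 placeholder; everything is sent to the
    server as one string, so the server's lexer decides where the literal ends.
    """
    return template.replace("$1", quote_value(value))


def literal_extent(sql: str, start: int, standard_conforming_strings: bool) -> int:
    """Return the index just past the single-quoted literal opening at sql[start].

    Raises ValueError if the literal never closes.
    """
    if sql[start] != "'":
        raise ValueError("no literal at start position")
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and not standard_conforming_strings:
            i += 2  # non-standard mode: backslash escapes the next character
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2  # doubled quote is an escaped quote in both modes
                continue
            return i + 1  # closing quote found
        i += 1
    raise ValueError("unterminated string literal")


def value_stays_in_literal(template: str, value: str, standard_conforming_strings: bool) -> bool:
    """True if the spliced value is read by the server as exactly one literal.

    False means the server's lexer ends (or fails to end) the literal somewhere
    other than where the client intended, i.e. part of the value is being read
    as SQL rather than as data.
    """
    sql = build_query(template, value)
    start = template.index("$1")  # text before $1 is unchanged by splicing
    expected_end = start + len(quote_value(value))
    try:
        return literal_extent(sql, start, standard_conforming_strings) == expected_end
    except ValueError:
        return False


def prepared_statement(template: str, value: str) -> tuple:
    """What a real prepared statement sends: SQL text and parameters separately.

    The server never lexes the parameter as part of the SQL text, so the
    setting checked above cannot change how the value is interpreted.
    """
    return (template, [value])


if __name__ == "__main__":
    T = "SELECT id FROM accounts WHERE name = $1 AND active = true"
    for v in ["O'Brien", "a\\b", "\\'x"]:
        print(repr(v),
              "scs=on:", value_stays_in_literal(T, v, True),
              "scs=off:", value_stays_in_literal(T, v, False))
    print(prepared_statement(T, "\\'x"))
```

The benign values pass in both modes, while a value containing a backslash followed by a quote passes with `standard_conforming_strings=on` and fails with it off, which is exactly the condition the write-up describes. The last function shows the contrast the speaker draws: with the text and the parameters sent separately there is nothing for the server's lexer to misread, so the check becomes unnecessary.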