
SANS Stormcast Wednesday July 30th, 2025: Apple Updates; Python Triage; Papercut Vuln Exploited

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9548.mp3


Apple Updates Everything: July 2025 Edition
Apple released updates for all of its operating systems patching 89 different vulnerabilities. Many vulnerabilities apply to multiple operating systems.
https://isc.sans.edu/diary/Apple%20Updates%20Everything%3A%20July%202025/32154

Python Triage
A quick Python script by Xavier to efficiently search through files, including compressed ones, for indicators of compromise.
https://isc.sans.edu/diary/Triage+is+Key+Python+to+the+Rescue/32152/

PaperCut Attacks
CISA added a 2024 PaperCut vulnerability to its Known Exploited Vulnerabilities catalog.
https://www.cisa.gov/news-events/alerts/2025/07/28/cisa-adds-three-known-exploited-vulnerabilities-catalog

Podcast Transcript

Hello and welcome to the Wednesday, July 30th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking.

Well, and today was again Apple's surprise Update Everything day. Apple doesn't have a schedule for this. Last time we had an event like this was, I believe, back in May. It was somewhat predictable based on sort of history and, of course, some of the beta releases and the RC releases that came out sort of a week or two ago. And that usually is a good indication that we soon have one of these updates coming from Apple. They update essentially all of the operating systems, iOS, iPadOS, macOS, watchOS, tvOS, visionOS. Don't think they missed one here. A lot of the updates are in common across different operating systems. That's because they all pretty much run the same kernel. Also, Safari, meaning WebKit vulnerabilities, usually transfer over. I think watchOS does not have WebKit. So some of these vulnerabilities do not apply to the Apple Watch. Overall, 89 different vulnerabilities that were patched. Initially, I had 29 here. That's, well, just before recording this, I should double check because that number looked a little bit small. It was just a typo I had here in the early version of that. That diary hasn't updated quite yet as I'm recording this, but should update shortly. So 89 is the magic number here as far as the number of updates go. Now, severity of the updates, obviously a little bit of a crapshoot here when it comes to Apple. Apple's vulnerability descriptions are fairly terse, usually just one sentence. But they do sometimes say that, hey, this particular vulnerability may elevate privileges or it crashes Safari, like in the case of one vulnerability here. So some of them are obvious sandbox escape, privilege escalation, denial of service vulnerabilities. Where it gets a little bit more tricky are vulnerabilities that basically sort of cause memory corruption. In particular, when they're affecting WebKit, this could be a super critical vulnerability in the sense that it could lead to a remote code execution as someone visits a malicious web page. So without any additional user interaction. However, it's not really clear what you can do with this memory corruption. That really depends on a lot of other factors that aren't really disclosed here by Apple. None of these vulnerabilities are explicitly labeled as exploited. So the assumption is they at least haven't been exploited at this point as far as Apple is aware. Patch, I wouldn't really rush this out necessarily. But something you probably want to get done over the next week for personal devices. Just apply the patch overnight and you should be all set and all good to go. So at this point, I patched some of my devices. Haven't had any issues at this point. But of course, that's a fairly small sample here.

And then we also had a diary by Xavier. Xavier wrote a topic I always like. And that's how to do things with scripts. Faster, simpler. In this case, it's a simple triage problem. You got a bunch of files. Some of these files are zip files. And then you need to check if a certain pattern is inside those files. In particular, the zip files. So what Xavier did here is write a little Python script that, first of all, checks if a file is a zip file. Based on the first four bytes in the file. That has, of course, that typical PK and then the version number signature. And then if it's one of those files, it will then decompress the file. And then check if the decompressed version does have the particular signature in it. And then, of course, it will copy all the matching files into a special directory for further analysis. Real quick triage script. And like I said, I love these. Would be actually nice to benchmark some of the different options here. Like if you do it sort of with zgrep as a bash script. If you do it with good old Perl, which was sort of written to do stuff like this. And then, well, maybe someone can come up with a C solution or something else to sort of see how it performs. This, of course, is also very quick to write, which, well, is the real beauty of some of these solutions.

And yesterday I mentioned that Cisco ISE vulnerability had already been exploited and was added to the known exploited vulnerability database by CISA. There was another product here, PaperCut, that was also mentioned as being already exploited. I didn't mention it yesterday because it was an older vulnerability, a 2023 vulnerability. But I still decided today to mention it because, first of all, there was a second vulnerability in that same release, a path traversal vulnerability that was exploited pretty soon after this vulnerability became known. So now we have the second one of these two vulnerabilities that's being exploited. The path traversal vulnerability caused quite a bit of pain with ransomware and such in some cases back in the day, meaning about two years ago. Horizon3.ai did a good write-up on that vulnerability. Haven't seen the same amount of detail yet for the cross-site request forgery vulnerability that was now also added to the known exploited vulnerability database. But if you're running PaperCut, which is software they're using to manage print servers in large enterprises usually, well, if you're using that software, please make sure it's up to date. Yes, the patch is two years old, but this is one of those things, you know, printers, you only worry about them if they don't work. So they're easily overlooked in your normal patching cycle.

Well, and that's it for today. So thanks for listening and talk to you again tomorrow. Bye.
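The triage approach described in the show notes and in the transcript above (detect a zip by its first four bytes, decompress, search for the pattern, copy hits to a directory), written here as an added example; this is not Xavier's diary script. The per-member read cap, the file names and the IoC string are assumptions constructed for the demo.

```python
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"     # zip local-file-header signature ("PK" plus version bytes)
MAX_BYTES = 64 * 1024 * 1024  # assumed per-member read cap: a cheap decompression-bomb guard

def is_zip(path: Path) -> bool:
    """Detect an archive by its first four bytes, not by its extension."""
    with open(path, "rb") as fh:
        return fh.read(4) == ZIP_MAGIC

def zip_contains(path: Path, rx: re.Pattern) -> bool:
    """Scan each member in memory; nothing is written to disk, so hostile member names cannot zip-slip."""
    try:
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.is_dir(): continue  # directory entries carry no data
                with zf.open(info) as member:
                    if rx.search(member.read(MAX_BYTES)):
                        return True
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return False  # corrupt, encrypted or unsupported archive: no match, but worth a manual look
    return False

def triage(src_dir, out_dir, ioc: bytes) -> list:
    """Copy every plain or zipped file containing `ioc` into out_dir and return the matched paths."""
    rx, out, hits = re.compile(re.escape(ioc)), Path(out_dir), []
    out.mkdir(parents=True, exist_ok=True)
    for path in sorted(p for p in Path(src_dir).rglob("*") if p.is_file()):
        hit = zip_contains(path, rx) if is_zip(path) else bool(rx.search(path.read_bytes()))
        if hit:
            shutil.copy2(path, out / path.name)  # flat copy: same-named files would collide
            hits.append(str(path))
    return hits

def demo() -> list:
    """Constructed sample set: a plain hit, a zipped hit behind a misleading extension, a clean zip."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "notes.txt").write_bytes(b"beacon to evil.example.invalid seen\n")
        with zipfile.ZipFile(src / "logs.bin", "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("access.log", "GET / from evil.example.invalid\n")
        with zipfile.ZipFile(src / "other.zip", "w") as zf:
            zf.writestr("readme.txt", "benign archive")
        hits = triage(src, Path(tmp) / "out", b"evil.example.invalid")
        return sorted(Path(h).name for h in hits)
```

Because `logs.bin` is recognised by its magic bytes rather than its extension, the renamed archive is still scanned and flagged, while the clean archive is left out of the output directory.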