Hello, welcome to the Friday, December 7th, 2018 edition of the Sanct Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Early this week, Adobe released an update for Flash fixing a vulnerability that was already exploited in the wild. Now I told you may have a week

or so to patch this before the exploit is more widely available. Well I was off by a couple

days. Sorry for that. Proof-of-concept exploit has been released to GitHub so better get on with patching.

And then we also had Apple updates yesterday, and one of the notable omissions was an update

for watchOS. Well, this was released today, so a day late, probably because it also

included some major new features,

and Apple probably wanted to sort of have them stand out a little bit.

The vulnerabilities being addressed here are all vulnerabilities that were also addressed in

the other operating system updates.

So a number of elevation of privilege vulnerabilities here in the kernel.

Also again, web kit vulnerabilities. No issue so far with this update. So get it done, get it patched.

Nothing really sort of overly urgent with this particular update, however.

And then in Diaries today we got the one by Rob about how to exfiltrate data in penetration

tests.

Of course, a penetration tester will take a little bit of different route off than a normal

attacker would, because typically the goal of a penetration test is not necessarily to

exfiltrate as much data as possible,

but more to illustrate the severity of a particular vulnerability,

and also to illustrate how various controls would have helped or may have helped if they are in place.

So, for example, there are a number of ways that Rob goes over how to obfuscate or encrypt

...