Hello and welcome to the Friday, May 19th, 2020, edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today we got a little bit as a surprise set of updates for Apple's operating systems and Safari. Now, this was

somewhat expected. I actually thought maybe they'll push it for next week because they released

another release candidate earlier this week, but well, we got it today. These updates patch about 60 different vulnerabilities. Three of the vulnerabilities

have already been exploited in the wild. That's, of course, the most interesting part of this

update, in particular the type of vulnerabilities that are being exploited here. The first one,

CVE 20203-323-3-3-3-7-3, is a web kit vulnerability. So typically this would be exploited as you

visit a malicious web page and it can lead to arbitrary code execution. Now, that code

execution would of course be constrained by your web browser sandbox. That's where the second

vulnerability comes in. And that's CVE 2020-209.

This vulnerability is an issue again with WebKit,

but it allows a remote ad hacker to break out of the Web sandbox.

So this is how an attacker would then actually start hitting the system.

And the third vulnerability is an out- bounds read that does allow the disclosure of sensitive

information.

Again, a WebKit vulnerability.

Not how to ensure what this refers to.

This can sometimes give the attacker hints as to, for example, how to exploit

one of these other vulnerabilities. And two of these vulnerabilities were actually the

mystery vulnerabilities that were addressed by the rapid update that was released a week or so ago.

So even if you installed the rapid security response update, you still have one of these

...