Hello and welcome to the Friday, September 8, 2023 edition of the Sansonet Stormontas Stormcast.

My name is Johannes Ulrich and today I'm recording from London, England.

Apple today released updates for macOS, iOS, iOS, iPad, OS, as well as watchOS, fixing two vulnerabilities, both of

which are already exploited in the wild. The first one, CVE 202023-41061. Interestingly, a validation

issue in the wallet framework. It could be exploited via a crafted attachment and lead to arbitrary

code execution. The second vulnerability is affecting the image I.O framework. It's a buffer

overflow also leading to code execution.

The image I.O. Warnability, according to the Apple announcement, was discovered by the Citizen Lab at the University of Toronto. The Citizen Lab has in the past discovered similar

vulnerabilities that were usually then linked to commercial spyware being used by governments

to spy on activists.

At this point, I don't see any details about this vulnerability on the Citizen Lab website.

And sticking with Apple here for another story, I ran into some, well, not sure if I should call it scareware or fleeceware earlier today.

The way it was advertised was by tagging users on Facebook. And then, of course, these users' friends will also see the respective messages.

It was a fairly deceptive message, what is sort of just clickbait, saying that, well,

someone has passed away.

The LinkedIn led to your standard scarer page, basically claiming that you are infected with malware.

The software itself was essentially... basically claiming that you are infected with malware.

The software itself was essentially a VPN product for iOS,

and interestingly, it was in the app store,

so it did pass Apple's review.

I did install it briefly.

It does appear to contain some VPN functionality. Didn't really have time to dive into it deeper. If it's just a VPN with some adverb protection,

...