Hello and welcome to the Monday, April 10th, 2020,

3 edition of the Sandin at Storm Center's Stormcast.

My name is Johannes Ulrich, and the time recording from Jacksonville, Florida.

Quite a few interesting diaries over the weekend, so let's start with Friday.

Friday Xavier wrote about how detect suspicious API usage with Yara rules.

Yara rules, well, the open source language to detect malware.

That's how I always describe it.

But essentially it allows you to create patterns and efficiently search binaries for those patterns.

Now, what Xavier is looking at here is particular behavior that's often associated with malware,

in particular the virtual alloc function with the page execute read-write attribute set,

which basically means that, well, anything can be done with this just

assigned memory. And he presents a quick Yara rule to look for just this particular behavior.

Give it a try and let Xavi know if this is something that works for you.

Let me got a little surprise from Apple on Friday.

Apple released an update for iPad OS, iOS, and Mac OS on Friday.

An update was sort of expected.

That's very typical a couple weeks after there's sort of a larger update that we had recently for these operating systems.

There's often a smaller update fixing some outstanding bugs. But in this case, the update also fixed to already exploited vulnerabilities.

The vulnerabilities were reported by Amnesty International, so likely exploited in a more targeted sense in that particular context.

What's sort of interesting is the two vulnerabilities together. The first vulnerability is a web kit vulnerability. We had hundreds of web kit vulnerabilities. They,

like in this case, allow arbitrary remote code execution as you visit a malicious webpage,

but that code would typically run inside the Safari sandbox. However, the second vulnerability does allow then approach escalation to run code using

...