Hello, welcome to the Monday, November 5th, 2018 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Well, in Diaries over the weekend, we got the second part for Pascal's diary about how to analyze persistence on OS10 or Mac OS. In this case,

he goes beyond launch agent. That was his first diary to other things like Ron Jobs, ad and

the like in order for an attacker to run commands after the system got infected.

So the intent here is to help out people that have to respond to incidents that involve

Max and Ad and Grom Jobs alike.

Those are features that you may be familiar with if you have dealt with Unix before.

The prior day about launch agents, of course, is more macOS-specific feature.

And talking about Incent response, we have a second diary from DDA,

which talks about an RTF document that used CVE 2017-11882.

This particular vulnerability was made public about a year ago, and it's the famous equation

editor vulnerability.

So this has been used quite heavily since then, even though Microsoft did discontinue the

equation editor.

In his diary, the DEA explains how to analyze and exploit taking advantage of this vulnerability

and how to figure out what code it's trying to execute.

And looks like security researcher Rishi Liang has another remote code exploit in the works

for Microsoft Edge.

A second researcher, Alexander Kockoff, apparently contributed a sandbox escape to this particular exploit. So given this

exploit, it is possible to execute arbitrary code on a Windows system. Not much details yet,

just a tweet announcing that details will be announced shortly. Now, originally it appears that this vulnerability was found

...