Hello, welcome to the Thursday, November 1st, 2018 edition of the Sancton Storm Center's Stormcast. My name is Johannes Ulrich and I am recording from Jacksonville, Florida.

Brad took a look at what's new with encrypted word documents that are spreading malware. Encrypted documents, of course,

have been used for quite a while in order to usually bypass some simple antivirus filters.

Now, in this case, the password is one, two, three, four. It's mentioned within the body of the email. And the emails

themselves are typically either resumes or invoices, or at least that's what they claim to be.

Brad is in particular discussing the various payloads that he has seen with these type of malicious

documents over the last few years

looks like more recently these emails are mostly distributing the Nymai Malware.

Overall, some basic security awareness should probably take care of these type of emails.

They have been around for so long that I think

your users have probably seen them before. And then we have details regarding an interesting

vulnerability in iOS and MacOS that was patched with the release of iOS 12 and MagOS Mojave. So this is not something that

was patched yesterday when Apple released a number of updates, but this vulnerability was patched

a couple months ago and the researcher discovering it now is releasing some details about

the problem.

And it's a good thing that Kevin Backhouse, who is this researcher, did hold back the details

to give people time to patch because this is actually quite severe and easy to exploit, at least potentially

easy to exploit vulnerability.

The problem here is in how these operating systems deal with ICMP errors.

If an operating system sends an ICMP error back, it will copy the headers of the packet that caused

the errors as part of the ICMP payload. So once a packet is received, for example, a UDP

packet to a closed port, the operating system will create an error message and will copy the headers from this

...