Hello, welcome to the Thursday, October 31st, 2019 edition of the Sands and at Storm Center's Stormcast. My name is Johannes Ulrich.

I'm recording from Jacksonville, Florida.

Well, we finally got some details about the security content of this week's Apple updates so we had updates for iOS watch OS

TV OS but also for macOS Catalina and for Safari as well as for iCloud

for Windows and iTunes for Windows let Let's start with MacOS.

A number of privilege escalation vulnerabilities are being addressed here as usual.

There is very little detail from Apple, of course, here to go by.

A couple vulnerabilities that sort of stuck out as being somewhat interesting.

For example, the first one,

a vulnerability in accounts that allows a remote attacker to leak memory, which is kind of

odd as a vulnerability in this particular subsystem. A number of code execution vulnerabilities in, for example,

audio players, so parsing malicious audio file would trigger this.

Also interesting, malicious application may be able to gain root privileges via manpages. So not sure if the user would have to install it

and then by installing demand pages this would be triggered or by reviewing an arbitrary man

page, this particular exploit would be triggered. Again, very little detail here on what the

actual exploit mechanism is. Now, the

vulnerabilities being addressed in the iOS and iPad OS updates are pretty much a copy of what we

have for macOS, but there are also, I think it's 11 different vulnerabilities that are fixed in WebKit. Of course, these

vulnerabilities are addressed via the separate Safari update for Mac OS. As far as iTunes and

ICloud for Windows Go, the bulk of the vulnerabilities being addressed are again web kit issues.

There is one vulnerability that's common to all these Windows patches that Apple released,

and that's a graphics driver vulnerability that may lead to object code execution with

...