Hello and welcome to the Tuesday, February 14th, 2020,

edition of the Sandin and Stormsterners Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, Apple today updated pretty much everything in Apple's portfolio. We got updates for

Safari, iOS, iPad OS, Mac OS, TVOS, and watchOS. The trigger for this particular set of

updates appears to be a critical vulnerability in a web kit that is already being exploited,

and that may lead to remote code execution if a user visits a malicious web page.

This particular vulnerability, CVE 202023-29, effects at least Safari, iPad, iPad iOS as well as Mac OS.

Interestingly, there has been no security content published yet for TVOS and watchOS.

Not sure why that was delayed.

Usually it's only delayed if there are still some other operating systems

that haven't been patched yet, but with everything being patched, not really clear what

was special here about TVOS and watchOS. In addition to this already exploited vulnerability,

we also have a vulnerability that affects iPad OS, iOS, and Mac OS, CVE 20203-23-514. Now, this is more sort of a

privilege escalation sandbox escape vulnerability and could potentially be chained here with the first vulnerability in order

to get then full kernel level access to the device.

And then the third vulnerability, less severe.

It's a Mac OS issue and it only affects shortcuts and may lead to an app being able to observe some protected user data.

That's CVE 2020, 23, 522.

So recommendation here is update, update relatively quickly because this is already being exploited. However,

no details have been made available as far as I'm aware regarding this one already being

exploited vulnerability. But who needs fancy surrethes in Safari if you can just use simple fishing tricks using some old weaknesses

...