Hello, welcome to the Tuesday, May 4, 2021 edition of the Sansonet Stormsendors Stormcast.

My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

Just literally a few days after updating its operating systems, Apple today released another update for macOS, iOS, iPadOS, as well as

watchOS, fixing a number of different vulnerabilities that are currently actively been exploited.

All these vulnerabilities are affecting WebKit, which is Apple's browser engine. Didn't see an update for Safari itself.

Usually Apple does publish a standalone update for older versions of Safari, so that may still be

coming. Also unclear at this point if any other browsers that use WebKit are affected.

There appear to be two core vulnerabilities that are being addressed here, CVE 2021, 3665 and then 30663.

The first one is a memory corruption issue, the second one in integer overflow, both reported

by different researchers. Now, there's also an update for the older version of iOS, iOS 12.5,

which I believe is the oldest iOS version still supported for devices that don't support

iOS 14.5. This older version of iOS is affected by a total of four different vulnerabilities.

WatchOS only suffers from the memory corruption issue. So the quick summary,

get patching and no public exploit yet available for these vulnerabilities, but given that it

has already been exploited, that's probably not too far out. And talking about patching, I hope

you applied all the patches that Microsoft released a couple

weeks ago, in particular the ones for Exchange.

Turns out that we do have the first proof-of-concept exploit that was made public for one

of the four Exchange vulnerabilities that was patched with this last update.

CVE 2021-28482, the exploit was published to GitHub.

And it demonstrates code execution by launching MSPaint. Of course, it should be relatively straightforward

...