Hello, welcome to the Tuesday, October 29th, 2019 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich Entertainment recording from Jacksonville, Florida.

Last week, the Ph.P. Project did release a critical update for PHP 7. This was released for PHP 7.1.2 as well as for PHP 7.3, and the vulnerability

being fixed here is already being exploited in the wild. The vulnerability appears to be only

exploitable if PHP is run using PHP, FPM, the fast

CGI process manager in Engine X. In other versions of PHP, the vulnerability is present, but

doesn't appear to be exploitable.

Now overall exploitation is pretty straightforward.

It only requires a new liner carriage return in the URL which is URL encoded.

So percent 08, percent zero Ds, what you would typically see in a URL that's trying to exploit this vulnerability with

proof of concepts and working exploits being out there.

No surprise that this is already used in the wild and definitely something that you have

to pay attention to if you are running PHP 7 in this vulnerable configuration.

And in Diaries today, we have another one by Dedi. Today he's introducing SED bug.

That shell code debugger is actually quite useful, runs on Windows and can help you explain

shell code. And one thing that DDA is going over, this time is an option to actually

have SCD bug find the shell code for you in case it doesn't start at the beginning

of whatever file you're analyzing.

And Apple today released iOS 13.2 as well as TVOS 13.2. While these are first of all feature

updates, they also have some security content, sadly, not yet available.

There are no details yet about what security fixes are included in this update.

Also, iOS 12.4.3 was released.

...