Hello and welcome to the Friday, April 24th, 2006 edition of the Sands Internet Stormsanders Stormcast.

My name is Johannes Ulrich, recorded today from Amsterdam, Netherlands.

And this episode is brought you by the sands.edu graduate certificate program in incident response.

Today I wrote a quick diary about a patch that Apple released yesterday. This patch fixes a single

vulnerability in iOS and iPad OS. And while it's not unusual for Apple to release these sort of single vulnerability updates,

these updates are usually reserved for currently exploited vulnerabilities.

And Apple's description of the vulnerability does not actually note that it's already exploited. On the other

hand, well, the nature of the vulnerability, it does describe it as a vulnerability in the notification

center where notifications that are marked for deletion are not actually deleted. And exactly

this particular vulnerability was noted in a press description of a recent criminal

case in which the FBI was able to recover at least partial signal messages by looking at

these notifications that were not deleted.

So and so far it is certainly already an exploited vulnerability and also not a terribly

difficult to exploit vulnerability.

It's a common problem with secure messengers that if they are using sort of these built-in

operating system messaging components,

that these components may, well, at a very least, not encrypt the messages to the same standard

as the originating application, but also that artifacts of sending messages or receiving messages

may often be retained in these additional operating system components,

as they're usually not designed for these threat models that these end-to-end encrypted messengers are often designed for.

So this isn't fundamentally new, and in Signal, you had the option to disable

notifications, but now Apple also fixed the bug slash vulnerability that the notification artifacts

...