SANS Stormcast Tuesday, May 12th, 2026: Apple Patches; Encrypted RCS; CAPTCHAs; Checkmarx vs TeamPCP;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9928.mp3


Podcast Transcript

Hello and welcome to the Tuesday, May 12, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from San Diego, California. And this episode is brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking.

Today we got, well, one of Apple's typical patch days. And now, Apple does not have a regular patch schedule. This particular update was kind of expected for this week. Not sure if anybody really predicted Monday as being the patch day for Apple. It again affects pretty much all of their operating systems and fixes about 80 different flaws. The flaws are not really all that remarkable. It's your usual mix, kind of, for Apple. Also, based on sort of what we sort of historically get from Apple, the number of patches is just about average. So there is no sign of like any inflation as we have seen in some cases with AI-generated vulnerability reports. For iOS and iPadOS, you'll get updates for the 26 as well as for the 18 version, so the current and the next-to-current version. For macOS, it goes back two versions, so all the way to macOS Sonoma 14. tvOS, watchOS and visionOS only get updates for the current version of the operating system.

In addition to the security updates, there's of course always a number of features that are being updated with these sort of in-between operating system releases from Apple. There is one particular feature that is kind of interesting from a security point of view, and that's end-to-end encrypted RCS messaging. RCS is the standard that's supposed to eventually replace SMS, and initial versions released by Apple and Google were more focusing on some of the usability issues, like for example markup and the like. But of course, one of the big problems with SMS from a security point of view is that there's no authentication and no encryption. While Apple is not fixing that with this update in iOS, now RCS messages can be end-to-end encrypted if you're either using two iPhones on the latest version of iOS, or if you're using iOS on one side and then an Android phone on the other side with the latest version of Google Messenger, which also supports this encrypted RCS standard. There should be a small lock icon and the word "encrypted" that you'll see sort of in your messaging window. From my point of view, this is a real nice feature to have, but usability of course is always kind of an issue here: how well it's communicated to the user whether or not a particular connection is encrypted or not encrypted. And there's certainly a chance that things will sort of flip back and forth, in particular since not all carriers are supporting this feature. Both ends of the connection also must use a carrier that actually supports end-to-end encrypted RCS messages.

And a few months ago, I did implement captchas on a couple of sort of data-intense pages on our website, in part because bots really sort of caused some performance issues on the site. So I figured it's a good time now to go back to see how well the captchas worked. And well, no surprise, they do appear to block most, if not all, bots. And yes, as a result, out of 300 requests to some of these data-intense pages like our IP info page, well, only one request actually passes the bot filter. There are a couple of IP addresses I list in the diary that sort of stick out for the number of requests we are receiving from them. Given that even after several months now these particular bots don't really get any results from the page, it kind of tells you that they're not really looking that closely at whether their bots are actually still working, which kind of also means that these bots are super cheap for them to run. And just as a side note here, we do of course offer our data for free for download. We just ask that you use the API. So another thing, well, it's easier for you if you use the API and don't screen-scrape off our IP info page and the like. But well, it's also easier for us to actually give you the data via the API. So please use it.

Checkmarx is continuing its battle with TeamPCP this weekend. TeamPCP apparently published a modified version of the Checkmarx Jenkins AST plugin to the Jenkins Marketplace. And well, this download was available from Saturday to Sunday. So if you downloaded it, definitely pay attention. And if you're using the Jenkins AST plugin, then please take a quick look at the Checkmarx advisory, because it has additional ways to identify any potential malicious download, like checksums and the like, in case you aren't sure when your particular version was downloaded.

Well, this is it for today. Thanks for listening. Thanks for liking. Thanks for subscribing. And as always, special thanks for any feedback and good reviews on your favorite podcast platform. Thanks and talk to you again tomorrow. Bye.
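The Checkmarx item above recommends checking a downloaded plugin against the checksums in the vendor advisory. The following is an added illustration of that check, not code from the podcast, the Internet Storm Center, Checkmarx or Jenkins: it hashes a downloaded artifact in chunks, compares the digest against a set of published known-good values in constant time, and uses the file's modification time only as a secondary hint about whether it arrived during the exposure window. The artifact name, the digests in `KNOWN_GOOD_SHA256` and the dates in `SUSPECT_WINDOW` are placeholders that an operator would replace with the advisory's values (the podcast gives no hashes and only says "Saturday to Sunday").

```python
"""Checksum verification for a downloaded Jenkins plugin artifact.

Added example; not code from the podcast, the Internet Storm Center,
Checkmarx or Jenkins. Digests, artifact name and window are placeholders
to be filled in from the vendor advisory, which the podcast says lists
checksums for the legitimate plugin.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from pathlib import Path

# PLACEHOLDER: known-good SHA-256 hex digests per artifact file name, in the
# shape an advisory would publish them. The value here is constructed.
KNOWN_GOOD_SHA256: dict[str, set[str]] = {
    "example-plugin.hpi": {"0" * 64},
}

# PLACEHOLDER window (UTC) during which a tampered upload was reachable.
# Constructed dates; substitute the times given in the advisory.
SUSPECT_WINDOW = (
    datetime(2026, 1, 1, tzinfo=timezone.utc),
    datetime(2026, 1, 2, tzinfo=timezone.utc),
)


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 of a file, read in chunks so a large .hpi
    archive does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_known_good(path: Path, expected: set[str]) -> bool:
    """True if the file's SHA-256 equals any published digest.

    Digests are normalised to lower case; hmac.compare_digest keeps the
    comparison constant-time regardless of where the strings differ."""
    actual = sha256_of_file(path).lower()
    return any(hmac.compare_digest(actual, e.lower()) for e in expected)


def modified_within(path: Path, window: tuple[datetime, datetime]) -> bool:
    """True if the file's mtime falls inside the window (inclusive).

    mtime only shows when the file landed on this disk, and it can be
    changed, so it is a hint for triage; the hash comparison decides."""
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    return window[0] <= mtime <= window[1]


def assess_artifact(path: Path,
                    known_good: dict[str, set[str]] = KNOWN_GOOD_SHA256,
                    window: tuple[datetime, datetime] = SUSPECT_WINDOW) -> str:
    """Classify a downloaded artifact:

    'verified'            hash matches a published known-good digest
    'unlisted'            no published digests for this file name
    'mismatch'            hash matches none of the published digests
    'mismatch-in-window'  as 'mismatch', and the file arrived in the window
    """
    expected = known_good.get(path.name)
    if not expected:
        return "unlisted"
    if matches_known_good(path, expected):
        return "verified"
    if modified_within(path, window):
        return "mismatch-in-window"
    return "mismatch"


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        p = Path(arg)
        print(f"{p}: {assess_artifact(p)} sha256={sha256_of_file(p)}")
```

Run it as `python verify_plugin.py path/to/plugin.hpi` after replacing the placeholder table with the advisory's digests; anything other than `verified` means the file should be treated as untrusted until its provenance is established, and `unlisted` means the advisory gave nothing to compare against rather than that the file is clean.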