When you are debugging a malware sample, you probably run it in a debugger and define some breakpoints. The idea is to take control of the program before it performs “interesting” actions. Usually, we set breakpoints on memory management API calls (like VirtualAlloc()) or process activities (like CreateProcess(), CreateRemoteThread(), …).
Tag Archives: SANS
Why You Need Phishing Resistant Authentication NOW., (Tue, Sep 16th)
Apple Updates Everything – iOS/macOS 26 Edition, (Mon, Sep 15th)
Today, as expected, Apple released iOS/iPadOS/macOS/watchOS/tvOS 26. Going forward, Apple will adopt the same OS number across its different offerings, setting us up for a potential year 2100 issue. Notably, VisionOS was not updated.
There are two options to apply the security updates: you may stick with the old major operating system version (iOS 18 or macOS 15), or you may upgrade directly to the "26" version. For more careful users, sticking with the older version gets you all the security fixes (and other bug fixes), but none of the new features, and none of the potential instabilities and compatibility issues that come with them.
This update also includes a patch for an already-exploited vulnerability, CVE-2025-43300. Apple patched this vulnerability in August, but only for current operating systems. This update backports this patch for older versions of iOS.
I did some quick Google searches to see whether various popular security software packages support OS 26. Here is a quick summary:
Crowdstrike: Falcon >= 7.29
Little Snitch >= 6.3
Microsoft Defender: supported (July 1st)
Palo Alto Networks GlobalProtect: "appears to work, firewall detection does not work on macOS 26" (reddit user report, 3 months ago)
Let me know if you have any firsthand experience with any security-related applications that either work or do not work.
The advisory table covers these releases: iOS 26 and iPadOS 26, iOS 18.7 and iPadOS 18.7, iOS 16.7.12 and iPadOS 16.7.12, iOS 15.8.5 and iPadOS 15.8.5, macOS Tahoe 26, macOS Sequoia 15.7, macOS Sonoma 14.8, tvOS 26, watchOS 26 and visionOS 26. The per-release columns did not survive extraction; the last column gives how many of these ten releases each entry is marked as affecting.

| CVE | Component | Impact | Affected releases (of 10) |
|---|---|---|---|
| CVE-2025-24088 | CoreServices | An app may be able to override MDM-enforced settings from profiles. | 1 |
| CVE-2025-24133 | Text Input | Keyboard suggestions may display sensitive information on the lock screen. | 1 |
| CVE-2025-24197 | Spotlight | An app may be able to access sensitive user data. | 3 |
| CVE-2025-30468 | Siri | Private Browsing tabs may be accessed without authentication. | 1 |
| CVE-2025-31254 | Safari | Processing maliciously crafted web content may lead to unexpected URL redirection. | 1 |
| CVE-2025-31255 | IOKit | An app may be able to access sensitive user data. | 6 |
| CVE-2025-31259 | Screenshots | An app may be able to capture a screenshot of an app entering or exiting full screen mode. | 3 |
| CVE-2025-31268 | Apple Online Store Kit | An app may be able to access protected user data. | 3 |
| CVE-2025-31269 | Printing | An app may be able to access protected user data. | 2 |
| CVE-2025-31270 | Foundation | An app may be able to access protected user data. | 1 |
| CVE-2025-31271 | FaceTime | Incoming FaceTime calls can appear or be accepted on a locked macOS device, even with notifications disabled on the lock screen. | 1 |
| CVE-2025-43190 | Spell Check | An app may be able to access sensitive user data. | 6 |
| CVE-2025-43203 | Notes | An attacker with physical access to an unlocked device may be able to view an image in the most recently viewed locked note. | 2 |
| CVE-2025-43204 | RemoteViewServices | An app may be able to break out of its sandbox. | 1 |
| CVE-2025-43207 | Music | An app may be able to access user-sensitive data. | 1 |
| CVE-2025-43208 | Airport | An app may be able to read sensitive location information. | 1 |
| CVE-2025-43231 | LaunchServices | An app may be able to access user-sensitive data. | 1 |
| CVE-2025-43262 | Trusted Device | USB Restricted Mode may not be applied to accessories connected during boot. | 1 |
| CVE-2025-43272 | WebKit | Processing maliciously crafted web content may lead to an unexpected Safari crash. | 4 |
| CVE-2025-43273 | CoreMedia | A sandboxed process may be able to circumvent sandbox restrictions. | 1 |
| CVE-2025-43277 | CoreAudio | Processing a maliciously crafted audio file may lead to memory corruption. | 1 |
| CVE-2025-43279 | Notification Center | An app may be able to access user-sensitive data. | 1 |
| CVE-2025-43283 | GPU Drivers | An app may be able to cause unexpected system termination. | 1 |
| CVE-2025-43285 | AppSandbox | An app may be able to access protected user data. | 3 |
| CVE-2025-43286 | SharedFileList | An app may be able to break out of its sandbox. | 3 |
| CVE-2025-43287 | ImageIO | Processing a maliciously crafted image may corrupt process memory. | 1 |
| CVE-2025-43291 | SharedFileList | An app may be able to modify protected parts of the file system. | 3 |
| CVE-2025-43292 | CoreMedia | An app may be able to access sensitive user data. | 2 |
| CVE-2025-43293 | SharedFileList | An app may be able to access sensitive user data. | 3 |
| CVE-2025-43294 | MallocStackLogging | An app may be able to access sensitive user data. | 1 |
| CVE-2025-43295 | libc | An app may be able to cause a denial-of-service. | 4 |
| CVE-2025-43297 | Power Management | An app may be able to cause a denial-of-service. | 1 |
| CVE-2025-43298 | PackageKit | An app may be able to gain root privileges. | 3 |
| CVE-2025-43300 | ImageIO | Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals. | 2 |
| CVE-2025-43301 | Notification Center | An app may be able to access contact info related to notifications in Notification Center. | 3 |
| CVE-2025-43302 | IOHIDFamily | An app may be able to cause unexpected system termination. | 8 |
| CVE-2025-43303 | Bluetooth | An app may be able to access sensitive user data. | 5 |
| CVE-2025-43304 | StorageKit | An app may be able to gain root privileges. | 3 |
| CVE-2025-43305 | CoreServices | A malicious app may be able to access private information. | 3 |
| CVE-2025-43307 | Bluetooth | An app may be able to access sensitive user data. | 1 |
| CVE-2025-43308 | Touch Bar Controls | An app may be able to access sensitive user data. | 3 |
| CVE-2025-43310 | WindowServer | An app may be able to trick a user into copying sensitive data to the pasteboard. | 3 |
| CVE-2025-43311 | Touch Bar | An app may be able to access protected user data. | 3 |
| CVE-2025-43312 | AMD | An app may be able to cause unexpected system termination. | 3 |
| CVE-2025-43314 | StorageKit | An app may be able to access sensitive user data. | 3 |
| CVE-2025-43315 | MigrationKit | An app may be able to access user-sensitive data. | 3 |
| CVE-2025-43316 | DiskArbitration | A malicious app may be able to gain root privileges. | 2 |
| CVE-2025-43317 | AppleMobileFileIntegrity | An app may be able to access sensitive user data. | 5 |
| CVE-2025-43318 | Sandbox | An app with root privileges may be able to access private information. | 1 |
| CVE-2025-43319 | MediaLibrary | An app may be able to access protected user data. | 3 |
| CVE-2025-43321 | AppKit | An app may be able to access protected user data. | 3 |
| CVE-2025-43325 | Icons | An app may be able to access sensitive user data. | 1 |
| CVE-2025-43326 | GPU Drivers | An app may be able to access sensitive user data. | 3 |
| CVE-2025-43327 | Safari | Visiting a malicious website may lead to address bar spoofing. | 1 |
| CVE-2025-43328 | Sandbox | An app may be able to access sensitive user data. | 1 |
| CVE-2025-43329 | Sandbox | An app may be able to break out of its sandbox. | 4 |
| CVE-2025-43330 | ATS | An app may be able to break out of its sandbox. | 2 |
| CVE-2025-43331 | AppleMobileFileIntegrity | An app may be able to access protected user data. | 1 |
| CVE-2025-43332 | Security Initialization | An app may be able to break out of its sandbox. | 3 |
| CVE-2025-43333 | Spotlight | An app may be able to gain root privileges. | 1 |
| CVE-2025-43337 | AppleMobileFileIntegrity | An app may be able to access sensitive user data. | 1 |
| CVE-2025-43340 | AppleMobileFileIntegrity | An app may be able to break out of its sandbox. | 1 |
| CVE-2025-43341 | Storage | An app may be able to gain root privileges. | 2 |
| CVE-2025-43342 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash. | 6 |
| CVE-2025-43343 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash. | 5 |
| CVE-2025-43344 | Apple Neural Engine | An app may be able to cause unexpected system termination. | 5 |
| CVE-2025-43346 | Audio | Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. | 6 |
| CVE-2025-43347 | System | An input validation issue was addressed. | 5 |
| CVE-2025-43349 | CoreAudio | Processing a maliciously crafted video file may lead to unexpected app termination. | 8 |
| CVE-2025-43353 | Libinfo | Processing a maliciously crafted string may lead to heap corruption. | 3 |
| CVE-2025-43355 | MobileStorageMounter | An app may be able to cause a denial-of-service. | 8 |
| CVE-2025-43356 | WebKit | A website may be able to access sensor information without user consent. | 6 |
| CVE-2025-43357 | Call History | An app may be able to fingerprint the user. | 2 |
| CVE-2025-43358 | Shortcuts | A shortcut may be able to bypass sandbox restrictions. | 5 |
| CVE-2025-43359 | Kernel | A UDP server socket bound to a local interface may become bound to all interfaces. | 8 |
| CVE-2025-43362 | LaunchServices | An app may be able to monitor keystrokes without user permission. | 2 |
| CVE-2025-43366 | IOMobileFrameBuffer | An app may be able to disclose coprocessor memory. | 1 |
| CVE-2025-43367 | Siri | An app may be able to access protected user data. | 2 |
| CVE-2025-43368 | WebKit Process Model | Processing maliciously crafted web content may lead to an unexpected Safari crash. | 2 |
| CVE-2025-43369 | SharedFileList | An app may be able to access protected user data. | 1 |
| CVE-2025-43372 | CoreMedia | Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. | 5 |
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Web Searches For Archives, (Sun, Sep 14th)
Johannes wrote a diary entry, "Increasing Searches for ZIP Files", where he analyzed the increase in requests for ZIP files (like backup.zip, web.zip, …) to our web honeypots.
I took a look at my logs and noticed that too. But it's not only ZIP files; other archive types are requested as well:
| Type |
|---|
| zip |
| rar |
| 7z |
| gz |
| tar |
I even had requests for .tar.zip files.
And when it comes to backup files, the following non-archive types are also popular requests:
| Filename |
|---|
| backup.sql |
| backup.json |
| backup.bak |
| backup.sh |
Looking at the User Agent Strings for these requests, none indicated that these scans were performed by researchers.
And comparing the source IPs of these requests with our researchers list: not a single match.
So it's safe to say that these scans are done with malicious intent. Take Johannes' advice and do not keep these types of files on your web servers; even better, have a policy in place that prevents them from ending up there.
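Scans like these are easy to spot in your own web server logs. The following Python is an added example, not code from the diary: it parses combined-format access log lines, flags requests for the archive extensions and backup filenames listed above, counts them per type and source IP, and separately reports any such request the server answered with a 200, since that means the file really was exposed. The log lines are constructed for the example, and the function names are this example's own.

```python
import os
import posixpath
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format (Apache/nginx default). Only the named groups are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Archive extensions and backup filenames from the diary above.
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".gz", ".tar"}
BACKUP_NAMES = {"backup.sql", "backup.json", "backup.bak", "backup.sh"}

# Constructed sample log (documentation IP ranges, not real honeypot data).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Sep/2025:10:02:11 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Sep/2025:10:02:12 +0000] "GET /web.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2025:10:05:40 +0000] "GET /site.tar.zip HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [14/Sep/2025:10:05:41 +0000] "GET /backup.sql HTTP/1.1" 200 52311 "-" "python-requests/2.31"
192.0.2.55 - - [14/Sep/2025:10:07:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.77 - - [14/Sep/2025:10:09:15 +0000] "GET /db.7z?x=1 HTTP/1.1" 404 196 "-" "Go-http-client/1.1"
192.0.2.77 - - [14/Sep/2025:10:09:16 +0000] "GET /backup.bak HTTP/1.1" 403 199 "-" "Go-http-client/1.1"
"""

def classify(target: str):
    """Return 'archive:<ext>' or 'backup:<ext>' for a request target, else None."""
    path = urlsplit(target).path              # drop ?query and #fragment
    name = posixpath.basename(path).lower()
    ext = os.path.splitext(name)[1]           # 'site.tar.zip' -> '.zip'
    if name in BACKUP_NAMES:
        return "backup:" + ext
    if ext in ARCHIVE_EXT:
        return "archive:" + ext
    return None

def scan(log_text: str):
    """Summarize archive/backup probes: counts per type, probing IPs, and files actually served."""
    by_type = Counter()
    sources = set()
    served = []   # answered with 200: the file exists and was handed out
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip malformed lines instead of aborting the whole scan
        tag = classify(m["target"])
        if tag is None:
            continue
        by_type[tag] += 1
        sources.add(m["ip"])
        status = int(m["status"])
        if status == 200:
            served.append((m["ip"], urlsplit(m["target"]).path, status))
    return {"by_type": by_type, "sources": sources, "served": served}

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for tag, n in result["by_type"].most_common():
        print("%-14s %d" % (tag, n))
    print("probing sources:", ", ".join(sorted(result["sources"])))
    for ip, path, status in result["served"]:
        print("EXPOSED: %s fetched %s (HTTP %d)" % (ip, path, status))
```

The 404s tell you who is scanning; the `served` list is the one to act on, because a 200 for `backup.sql` means the file was on the server and has now left it. Feed the function your real access log (for example `scan(open("access.log").read())`) and alert on any non-empty `served` result.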
Didier Stevens
Senior handler
blog.DidierStevens.com
DShield SIEM Docker Updates, (Wed, Sep 10th)
Since the last update [5], over the past few months I added several enhancements to DShield SIEM and webhoneypot sensor collection that included an update to the interface to help with DShield sensor analysis. I updated the main dashboard to have all the main analytic tools listed on the left for quick access to all the sub-dashboards.
BASE64 Over DNS, (Wed, Sep 10th)
From YARA Offsets to Virtual Addresses, (Fri, Sep 5th)
YARA is an excellent tool that most of you probably already know and use daily. If you don't, search on isc.sans.edu, we have a bunch of diaries about it[1]. YARA is very powerful because you can search for arrays of bytes that represent executable code. In this case, you provide the hexadecimal representation of the binary machine code.
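The diary title refers to mapping a YARA match offset (a position in the file on disk) to the virtual address the same bytes have once the PE is loaded. The following Python is an added example, not code from the diary or from the YARA project: it reads the section table and ImageBase from a PE header with the standard library only, maps a file offset to an RVA and VA through the section that contains it, and returns None for offsets inside the headers or in a section's file-alignment padding, which is never mapped. The PE header produced by build_demo_pe() is constructed for the demonstration, and the function and field names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # RVA where the section is mapped
    virtual_size: int      # bytes actually mapped in memory
    raw_pointer: int       # PointerToRawData: file offset of the section's data
    raw_size: int          # SizeOfRawData: bytes stored in the file (padded to FileAlignment)

def read_pe_layout(data: bytes) -> Tuple[int, List[Section]]:
    """Return (ImageBase, sections) from raw PE bytes using only the standard library."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                           # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                        # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    entry = opt + opt_size                                    # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, entry)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rptr, rsize))
        entry += 40                                           # IMAGE_SECTION_HEADER is 40 bytes
    return image_base, sections

def offset_to_rva(sections: List[Section], offset: int) -> Optional[int]:
    """File offset -> RVA, or None if the offset is not backed by mapped section data."""
    for s in sections:
        if s.raw_pointer <= offset < s.raw_pointer + s.raw_size:
            delta = offset - s.raw_pointer
            # Bytes beyond VirtualSize are alignment padding in the file and never appear in memory.
            return s.virtual_address + delta if delta < s.virtual_size else None
    return None   # DOS/PE headers, overlay data, or a gap between sections

def offset_to_va(sections: List[Section], image_base: int, offset: int) -> Optional[int]:
    rva = offset_to_rva(sections, offset)
    return None if rva is None else image_base + rva

def yara_offsets_to_vas(sections, image_base, matches):
    """matches: (file_offset, string_identifier) pairs taken from a YARA match."""
    return [(off, ident, offset_to_va(sections, image_base, off)) for off, ident in matches]

def build_demo_pe() -> bytes:
    """Constructed minimal PE32 header (not a real program) so the example runs offline."""
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [(b".text", 0x2F40, 0x1000, 0x3000, 0x400),
            (b".rdata", 0x0C20, 0x4000, 0x0E00, 0x3400)]
    pe_off, opt_size = 0x80, 224
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)              # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    base, secs = read_pe_layout(build_demo_pe())
    # Constructed YARA offsets: one in .text, one in .rdata, one inside the file headers.
    for off, ident, va in yara_offsets_to_vas(secs, base, [(0x400, "$code"), (0x3410, "$str"), (0x200, "$hdr")]):
        print("%-6s file offset 0x%05x -> %s" % (ident, off, "VA 0x%08x" % va if va is not None else "not mapped"))
```

The VA computed here uses the preferred ImageBase from the header; when the sample is loaded at a different base (ASLR or a relocated DLL), add the RVA to the base observed in the debugger instead. For a real file, pass its bytes to `read_pe_layout()` and the match offsets reported by YARA to `yara_offsets_to_vas()`.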
Exploit Attempts for Dassault DELMIA Apriso. CVE-2025-5086, (Wed, Sep 3rd)
When I am thinking about the security of manufacturing environments, I am usually focusing on IoT devices integrated into production lines. All the little sensors and actuators are often very difficult to secure. On the other hand, there is also "big software" that is used to manage manufacturing. One example is DELMIA Apriso by Dassault Systèmes. This type of Manufacturing Operation Management (MOM) or Manufacturing Execution System (MES) ties everything together and promises to connect factory floors to ERP systems.
A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years, (Tue, Sep 2nd)
pdf-parser: All Streams, (Sun, Aug 31st)
A user reported a bug in pdf-parser: when dumping all filtered streams, an error would occur:
The reason for the error is that not all streams have filters applied to them, and dumping a "filtered" stream that has no filter triggered the bug.
I have fixed this:
But I would like to point out that, in my opinion, a better way to look at the content of all the filtered streams is to have pdf-parser produce JSON output and then display it with myjson-filter.py, like this:
Now you see the content of the streams, and to which object they belong. And if there are no filters, you also see this: 'No filters'.
Finally, the PDF comments that you saw in screenshot 2 are also gone: you only get streams.
Didier Stevens
Senior handler
blog.DidierStevens.com