IOS Security

iOS Zero-Day Let SolarWinds Hackers Compromise Fully Updated iPhones (arstechnica.com)

The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments, according to Google and Microsoft. Ars Technica reports: In a post Google published on Wednesday, researchers Maddie Stone and Clement Lecigne said a "likely Russian government-backed actor" exploited the then-unknown vulnerability by sending messages to government officials over LinkedIn. Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users, the researchers said.

The campaign closely tracks to one Microsoft disclosed in May. In that instance, Microsoft said that Nobelium -- the name the company uses to identify the hackers behind the SolarWinds supply chain attack -- first managed to compromise an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency's account for online marketing company Constant Contact, the hackers could send emails that appeared to use addresses known to belong to the US agency. In an email, Shane Huntley, the head of Google's Threat Analysis Group, confirmed the connection between the attacks involving USAID and the iOS zero-day, which resided in the WebKit browser engine.

  • by Ostracus ( 1354233 ) on Wednesday July 14, 2021 @07:59PM (#61583523) Journal

    So in other words Slashdot can do the smug dance over Apple as well as Microsoft.

  • by dgatwood ( 11270 ) on Wednesday July 14, 2021 @10:17PM (#61583671) Homepage Journal

    If Apple were forced to allow competing browser engines, only about half of all iOS users would be at risk. Because there's only one browser engine allowed, all iOS users are at risk.

    Open up iOS.

    • by Solandri ( 704621 ) on Thursday July 15, 2021 @03:40AM (#61584037)
      When you promote your system as being ultra-secure, it breeds complacency in end-users. They figure they're safe because Apple "has their back". And they end up more likely to engage in risky behaviors, thus potentially increasing overall risk above that of a less-secure system where users know they have to watch out for themselves.

      NASA encountered the same thing in the aftermath of the Challenger disaster. One of the problems they uncovered was too many inspectors. Each part was being inspected by three separate inspectors prior to a launch. NASA figured triple inspections would greatly reduce the chance of a problem being missed. It actually turned out to increase the chance of a problem being missed. Each inspector figured since two other people would also be inspecting the same part, it would be OK if they occasionally rushed an inspection or even skipped it altogether. After all, what are the chances all three of them would slack on inspecting the same part? Well, it turned out to be high enough that three inspectors were catching fewer problems than if they'd only had one or two inspectors.
      • When you promote your system as being ultra-secure, it breeds complacency in end-users. They figure they're safe because Apple "has their back". And they end up more likely to engage in risky behaviors, thus potentially increasing overall risk above that of a less-secure system where users know they have to watch out for themselves.

        Watch out for themselves? The most common way to attack someone digitally is still password compromise. Take a good hard look at any "Top XX Worst Passwords" list over the last 30 years. You'll notice they haven't changed. We have MFA to help protect against the "wordpass" crowd. They ignore it. Too much work.

        Been doing this way too long to not have a fully vetted and justified-yet-jaded view that people don't even want to watch out for themselves. Ignorance continues to be very blissful. And peopl

      • Yes, risky behavior like... clicking a link.

        One has a reasonable expectation that clicking a link wouldn't trigger the browser to gladly send every authentication cookie it had to an arbitrary IP address out on the internet.

        I.e., this wasn't a user's lax security awareness. It was a major flaw in a browser that destroyed any rational concept of security.
        I.e., a non-webkit browser, or rather, any correctly functioning browser would not have this issue.

        Alternatively, you're right. We could stop clickin
    • by geekmux ( 1040042 )

      If Apple were forced to allow competing browser engines, only about half of all iOS users would be at risk.

      Yes, and when Apple fixes this problem and the user base applies the patch, they would only have to still worry about half of all iOS users getting abused by 3rd party browsing engines they don't maintain or update.

      The glass-half-empty problem can be viewed many ways, depending on what side of the table you're on.

    • Last I checked, Safari on macOS and iOS was based on WebKit, which is open source. https://webkit.org/ [webkit.org] Maybe the problem is ignorant "developers" who don't know what the fuck they are talking about and who do fuck all to help open source projects and instead get off on taking a shit on everything they can while crying and complaining and expecting someone else to put the work in to fix things for them
  • by backslashdot ( 95548 ) on Wednesday July 14, 2021 @10:39PM (#61583697)

    Seems Apple got lucky they did not make it a worm via the contact list or iMessage/WhatsApp.

  • by k2r ( 255754 ) on Thursday July 15, 2021 @02:18AM (#61583933)

    The most vital information for any iOS user is: has this bug been fixed? But that is available in neither the summary nor the article. I guess because it's more sensational to leave it out.

    The bug has been fixed for a while, so there's no action to take:

    "This issue is fixed in iOS 12.5.2, iOS 14.4.2 and iPadOS 14.4.2, watchOS 7.3.3."
    https://cve.mitre.org/cgi-bin/... [mitre.org]

    We're at iOS 14.6 currently.

    • Incorrect. Has anyone learned anything from this? Learned means someone scanned the rest of the source code for similar flaws, and had the guts to identify suspect code that is missing basic input checking. It also means those who reviewed and approved code to go into production also lose bonuses etc., more than likely, if other near matches can be found. Dumb people repeat their mistakes. Apple has plenty of money. It can afford to announce ALL code has been rinsed and refactored to prevent another whoopsie.
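For the thread above about whether there is any action left to take, an added example (not from this thread, Apple or Google): a small fleet-side check that compares a device's reported OS version against the fixed versions quoted from the CVE entry, per release line, and flags anything below the fix or on a line the advisory does not list. The inventory rows are constructed sample data.

```python
# Fixed-in versions per (platform, major release line), as quoted from the
# CVE entry in the comment above.
FIXED_IN = {
    ("iOS", 12): (12, 5, 2),
    ("iOS", 14): (14, 4, 2),
    ("iPadOS", 14): (14, 4, 2),
    ("watchOS", 7): (7, 3, 3),
}

def parse_version(text: str) -> tuple:
    """Turn '14.4.2' or '14.6' into a 3-tuple so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def is_patched(platform: str, version: str) -> "bool | None":
    """True at or above the fix for the device's release line, False below it.
    None means the advisory lists no fix for this platform/major line, so the
    caller must not assume safety. A major line newer than the newest listed
    branch counts as patched, since the fix predates that line.
    """
    v = parse_version(version)
    lines = [major for (p, major) in FIXED_IN if p == platform]
    if not lines:
        return None
    if v[0] > max(lines):
        return True
    fixed = FIXED_IN.get((platform, v[0]))
    return None if fixed is None else v >= fixed

# Constructed sample inventory: device id, platform, reported OS version.
SAMPLE_INVENTORY = """\
phone-01,iOS,14.6
phone-02,iOS,14.4.1
phone-03,iOS,12.5.2
tablet-01,iPadOS,14.3
watch-01,watchOS,7.3.3
phone-04,iOS,13.7
"""

def needs_attention(inventory_csv: str) -> list:
    """Device ids that are below the fix or whose status is unknown."""
    flagged = []
    for line in inventory_csv.splitlines():
        device_id, platform, version = [f.strip() for f in line.split(",")]
        if is_patched(platform, version) is not True:
            flagged.append(device_id)
    return flagged
```

A device on a release line the advisory does not mention (here the iOS 13 row) is flagged rather than silently passed, since the table cannot vouch for it.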
