iOS Zero-Day Let SolarWinds Hackers Compromise Fully Updated iPhones

The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments, according to Google and Microsoft. Ars Technica reports: In a post Google published on Wednesday, researchers Maddie Stone and Clement Lecigne said a "likely Russian government-backed actor" exploited the then-unknown vulnerability by sending messages to government officials over LinkedIn. Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users, the researchers said.

The campaign closely tracks to one Microsoft disclosed in May. In that instance, Microsoft said that Nobelium -- the name the company uses to identify the hackers behind the SolarWinds supply chain attack -- first managed to compromise an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency's account for online marketing company Constant Contact, the hackers could send emails that appeared to use addresses known to belong to the US agency. In an email, Shane Huntley, the head of Google's Threat Analysis Group, confirmed the connection between the attacks involving USAID and the iOS zero-day, which resided in the WebKit browser engine.

Re:Russia! Russia! Russia!

[DamnOregonian]

Call me rational, but I have a sneaking suspicion that the intelligence services of the Russian Federation select their own targets based on their own priorities, and are not over there having a "Eureka!" moment over the US President giving them a list of red-lines.
Further, I suspect that they are not twirling their Snidely Whiplash mustaches saying, "Aha! He didn't say we couldn't attack THIS!"

I get that you don't like Biden. Really, I do.
But be fucking realistic.
The smoldering ashes of a state that arose from Our Great Adversary of the Cold War isn't populated by fucking morons who have no idea what the fuck they're doing when it comes to disruption of foreign regimes.

Ah, a politiball fan, I see

[raymorris]

Actually I expect Biden to be one of the better recent presidents.* I suspect history will record him as a sold, though unremarkable president.

Where you may have gotten the impression otherwise is that I'm not a political fanboi rooting for my favorite politiball team.
So him being okay doesn't mean that everything he does is automatically genius.

Giving Russia the okay to attack, communicating that he won't respond strongly as long as they don't attack those 16 targets, communicates extreme weakness. It's a

Solid, not "sold"

[raymorris]

That should read "I suspect history will record him as a solid, though unremarkable, president."

Re:

[DamnOregonian]

No, I got the impression because your rant against him was irrational.
1) President Biden gave them a list of 16 targets he doesn't want them to attack - where we're most vulnerable. Maybe that'll help.
He set out a list of red-lines. Told them if they attack critical infrastructure again, there's gonna be hell.
Maybe all talk, maybe not. What the fuck is the alternative? Launch a fucking nuke?
2) Some say that telling your adversary exactly where you're most vulnerable is - not smart. Nonsense. I'm sure Pu

Re:

[account_deleted]

Comment removed based on user account deletion

Christmas in July.

[Ostracus]

So in other words slashdot can do the smug dance over Apple as well as Microsoft.

Re:

[phantomfive]

It's good to know that iOS is secure.

Re:

[notathome]

The Linux PinePhone [pine64.org] doesn't have that vulnerability. j/k I love the XNU kernel.

This is the problem with a monoculture.

[dgatwood]

If Apple were forced to allow competing browser engines, only about half of all iOS users would be at risk. Because there's only one browser engine allowed, all iOS users are at risk.

Open up iOS.

Another problem is complacency

[Solandri]

When you promote your system as being ultra-secure, it breeds complacency in end-users. They figure they're safe because Apple "has their back". And they end up more likely to engage in risky behaviors, thus potentially increasing overall risk above that of a less-secure system where users know they have to watch out for themselves.

NASA encountered the same thing in the aftermath of the Challenger disaster. One of the problems they uncovered was too many inspectors. Each part was being inspected by three separate inspectors prior to a launch. NASA figured triple inspections would greatly reduce the chance of a problem being missed. It actually turned out to increase the chance of a problem being missed. Each inspector figured since two other people would also be inspecting the same part, it would be OK if they occasionally rushed an inspection or even skipped it altogether. After all, what are the chances all three of them would slack on inspecting the same part? Well, it turned out to be high enough that three inspectors were catching fewer problems than if they'd only had one or two inspectors.

Re:

[geekmux]

When you promote your system as being ultra-secure, it breeds complacency in end-users. They figure they're safe because Apple "has their back". And they end up more likely to engage in risky behaviors, thus potentially increasing overall risk above that of a less-secure system where users know they have to watch out for themselves.

Watch out for themselves? The most common way to attack someone digitally is still password compromise. Take a good hard look at any "Top XX Worst Passwords" list over the last 30 years. You'll notice they haven't changed. We have MFA to help protect against the "wordpass" crowd. They ignore it. Too much work.

Been doing this way too long to not have a fully vetted and justified-yet-jaded view that people don't even want to watch out for themselves. Ignorance continues to be very blissful. And peopl

Re:

[DamnOregonian]

Yes, risky behavior like... clicking a link.

One has a reasonable expectation that clicking a link wouldn't trigger the browser to gladly send every authentication cookie it had to an arbitrary IP address out on the internet.

I.e., this wasn't a user's lax security awareness. It was a major flaw in a browser that destroyed any rational concept of security.
I.e., a non-webkit browser, or rather, any correctly functioning browser would not have this issue.

Alternatively, you're right. We could stop clickin

Re:

[geekmux]

If Apple were forced to allow competing browser engines, only about half of all iOS users would be at risk.

Yes, and when Apple fixes this problem and the user base applies the patch, they would only have to still worry about half of all iOS users getting abused by 3rd party browsing engines they don't maintain or update.

The glass-half-empty problem, can be viewed many ways depending on what side of the table you're on.

Re: This is the problem with a monoculture.

[l0ungeb0y]

Last I checked, safari on MacOS and iOS was based on WebKit, which is open source. https://webkit.org/ [webkit.org] Maybe the problem is ignorant âoedevelopersâ who donâ(TM)t know what the fuck they are talking about and who do fuck all to help open source projects and instead get off on taking a shit on everything they can while crying and complaining and expecting someone else to put the work in to fix things for them

Hmm

[backslashdot]

Seems Apple got lucky they did not make it worm via the contact list or iMessages/WhatsApp.

Re:

[Gimric]

A worm would created too much attention. A targeted attack is much more dangerous.

The vital information is missing

[k2r]

The most vital information for any iOS user is: Has this bug been fixed, but it is neither available in the summary nor the article. I guess because it's more sensational to do so.

The bug has been fixed for a while, so there's no action to take:

"This issue is fixed in iOS 12.5.2, iOS 14.4.2 and iPadOS 14.4.2, watchOS 7.3.3."
https://cve.mitre.org/cgi-bin/... [mitre.org]

We're at iOS 14.6 currently.

Re:

[Canberra1]

Incorrect. Has anyone learned anything from this? Learned means someone scanned the rest of the source code for similar flaws, and had the guts to identify suspect code that is missing basic input checking? It also means those who reviewed and approved code to go into production also loose bonuses etc, more than likely if other near matches can be found. Dumb people repeat their mistakes. Apple has plenty of money. It can afford to announce ALL code has be rinsed and refactored to prevent another whoopsie.