10-Year-Old Open Source Flaw Could Affect 'Almost Every Apple Device' (thecyberexpress.com)
storagedude shares a report from the Cyber Express: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities -- including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc. E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device." The researchers found vulnerable code in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.
The vulnerabilities have been patched, yet the researchers still found 685 Pods "that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases." The newly discovered vulnerabilities -- one of which (CVE-2024-38366) received a 10 out of 10 criticality score -- actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed. While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started. "Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code," the E.V.A researchers said. "The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package." [...] "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use these tools." "While there is no direct evidence of any of these vulnerabilities being exploited in the wild, evidence of absence is not absence of evidence," the EVA researchers wrote. "Potential code changes could affect millions of Apple devices around the world across iPhone, Mac, AppleTV, and AppleWatch devices."
While no action is required by app developers or users, the EVA researchers recommend several ways to protect against these vulnerabilities. To ensure secure and consistent use of CocoaPods, synchronize the Podfile.lock file with all developers, perform CRC validation for internally developed Pods, and conduct thorough security reviews of third-party code and dependencies. Furthermore, regularly review and verify the maintenance status and ownership of CocoaPods dependencies, perform periodic security scans, and be cautious of widely used dependencies as potential attack targets.
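The mitigations above boil down to treating the committed Podfile.lock as an approved baseline and diffing every new lock against it. CocoaPods records a SHA-1 of each pod's podspec under SPEC CHECKSUMS, so a checksum that changes while the version number stays the same is the signal a reviewer wants to see when an orphaned pod has been republished. The script below is an added example, not code from the article or from E.V.A's own tooling; both lock files are constructed for the example (they mirror the real Podfile.lock layout, but the pod names and hash values are made up), and the baseline-vs-current workflow is an assumed process, not something the researchers prescribe.

```python
import re

# Constructed sample: the Podfile.lock that was reviewed and committed earlier.
# Layout follows CocoaPods' real lock format; pod names and hashes are invented.
BASELINE_LOCK = """\
PODS:
  - Alamofire (5.8.1)
  - InternalAuth (2.3.0)
  - OrphanedLib (1.0.4)

DEPENDENCIES:
  - Alamofire (~> 5.8)
  - InternalAuth (from `https://git.example.internal/ios/InternalAuth.git`, tag `2.3.0`)
  - OrphanedLib (~> 1.0)

SPEC CHECKSUMS:
  Alamofire: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  InternalAuth: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  OrphanedLib: cccccccccccccccccccccccccccccccccccccccc

PODFILE CHECKSUM: 1111111111111111111111111111111111111111

COCOAPODS: 1.15.2
"""

# Constructed sample: the lock file a developer machine produced today.
# OrphanedLib's podspec checksum changed with no version bump, and a pod was added.
CURRENT_LOCK = """\
PODS:
  - Alamofire (5.8.1)
  - InternalAuth (2.3.0)
  - NewUtility (0.9.0)
  - OrphanedLib (1.0.4)

DEPENDENCIES:
  - Alamofire (~> 5.8)
  - InternalAuth (from `https://git.example.internal/ios/InternalAuth.git`, tag `2.3.0`)
  - NewUtility
  - OrphanedLib (~> 1.0)

SPEC CHECKSUMS:
  Alamofire: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  InternalAuth: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  NewUtility: dddddddddddddddddddddddddddddddddddddddd
  OrphanedLib: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

PODFILE CHECKSUM: 1111111111111111111111111111111111111111

COCOAPODS: 1.15.2
"""

SECTION_RE = re.compile(r"^([A-Z][A-Z ]*):")          # top-level header such as "SPEC CHECKSUMS:"
POD_RE = re.compile(r"^  - ([^\s/(]+)(?:/\S+)? \(([^)]+)\)")  # "  - Name (1.2.3)" or "  - Name/Sub (1.2.3)"
CHECKSUM_RE = re.compile(r"^  (\S+): ([0-9a-f]{40})$")  # "  Name: <sha1 of the podspec>"


def parse_lock(text):
    """Return ({pod: version}, {pod: spec checksum}) from Podfile.lock text."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    versions = {}
    for line in sections.get("PODS", []):
        m = POD_RE.match(line)
        if m:
            versions[m.group(1)] = m.group(2)  # subspecs share the parent pod's version
    checksums = {}
    for line in sections.get("SPEC CHECKSUMS", []):
        m = CHECKSUM_RE.match(line)
        if m:
            checksums[m.group(1)] = m.group(2)
    return versions, checksums


def audit(baseline_text, current_text):
    """Compare a new lock against the approved one; returns (kind, pod, detail) findings."""
    base_v, base_c = parse_lock(baseline_text)
    cur_v, cur_c = parse_lock(current_text)
    findings = []
    for pod in sorted(cur_c):
        if pod not in base_c:
            findings.append(("NEW_POD", pod, f"not in approved lock (version {cur_v.get(pod, '?')})"))
        elif cur_c[pod] != base_c[pod]:
            if cur_v.get(pod) == base_v.get(pod):
                # Same version, different podspec: the spec was republished upstream. Review before trusting.
                findings.append(("CHECKSUM_DRIFT", pod, f"podspec changed but version still {cur_v.get(pod)}"))
            else:
                findings.append(("VERSION_CHANGE", pod, f"{base_v.get(pod)} -> {cur_v.get(pod)}"))
    for pod in sorted(base_c):
        if pod not in cur_c:
            findings.append(("REMOVED_POD", pod, "present in approved lock, missing now"))
    return findings


if __name__ == "__main__":
    for kind, pod, detail in audit(BASELINE_LOCK, CURRENT_LOCK):
        print(f"{kind:15} {pod:15} {detail}")
```

In a CI job the same audit would run against the checked-in Podfile.lock and the one `pod install` just regenerated, failing the build on CHECKSUM_DRIFT or NEW_POD until someone reviews the podspec and confirms who owns the pod; VERSION_CHANGE findings are the expected output of a deliberate upgrade and only need the usual review.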
Apple uses open source software!!! (Score:2)
Shocking ;)
The xkcd cartoon on the subject (Score:5, Insightful)
https://xkcd.com/2347/ [xkcd.com]
Re: (Score:1)
Apple is just dumb in the way they leech off open source and don't contribute back their own work and don't bother integrating all the updates from the ecosystem they're freeriding off of - including security fixes.
You mean their 284 repos that don't exist here: https://github.com/apple [github.com]
Or do you mean their 509 upstream contributions that don't exist here: https://github.com/apple-oss-d... [github.com]
Yes, sure is a shame
Re: (Score:2)
Mod up. The rotten Apple fanbois are busy flaming again...
Re: (Score:2)
EVERYBODY uses open source software.
Can't open cyberexpress link with Safari (Score:3)
Huh.
I'm using an iPad, and I cannot load the page https://thecyberexpress.com/co... [thecyberexpress.com] with Safari, although the base link to thecyberexpress works.
But the link opens readily with Edge on my iPad.
Is it just me, or is that a bad script that detects Safari on the page for that link?
Re: (Score:2)
The site can handle Seamonkey - a browser which often falls through the JS gaps - so it seems to be a problem specific to Safari.
Apple Developers ... (Score:5, Funny)
... must be coocoo for cocoa pods.
Re: (Score:2)
Can't be beat!
evidence of absence is not absence of evidence (Score:2)
whut?
Re: (Score:1)
I think the original poster was reacting to the fact that the quote should be "absence of evidence is not evidence of absence," not "evidence of absence is not absence of evidence" (which makes no sense).
Cliches (Score:2, Insightful)
When I read people say things like "evidence of absence is not absence of evidence", or "it's not a matter of if but when" my opinion of what they have to say is lowered. I don't discount them completely, mind you... but my salt shaker is at hand.
In this case, the fact that the vulnerability is 10 years old and nothing has yet surfaced leads me to suspect that it's not a big deal. Handing me a cliche isn't likely to turn me into a worry wart over the whole thing. You can use that tired trope to justify bein
Re: (Score:3)
Well, okay. I think "All Xs are Ys, but not all Ys are Xs" still has value. You caught me. :) Apparently my objection to cliches does not extend to myself.
I choose to ignore my hypocrisy and stand firm on my point.
“evidence of absence is not absence of evide (Score:1)
Who are the EVA Researchers that got the Saganism (aphorism) “evidence of absence is not absence of evidence” backwards? I don’t see this misquote in TFA though.
Could Affect Who on What? (Score:2)
Almost every Apple device that runs some software (CocoaPods?) that I and most of the world has never heard of.
It affects apps, not the OS (Score:3)
It's a bit misleading - the problem isn't an Apple iOS problem, it's an app problem.
Some app developers use some libraries and it turns out the site that maintains them is vulnerable to a supply chain attack.
So it's less about Apple and more about iOS developers using libraries.
But...open source exposes security flaws! (Score:2)
I mean, everybody can inspect the code for themselves, right? So open source software is much more trustworthy, right?
The reality is that most security flaws can hide in plain sight.
relax everyone (Score:1)