Log this: iOS and macOS zero-day patches roll; Apple devs under fire

Richi Jennings Your humble blogwatcher, dba RJA

Apple is patching every current OS it has. WebKit has critical zero-day vulnerabilities, exploitable to execute arbitrary code on Macintosh, iPhone, iPad, and Apple Watch.

But Tim’s crew is coming under increasing criticism—not only for introducing these naive bugs in the first place, but also for unreliable patches, battery drain, lag, and bloat. Plus Apple’s inability to share useful information with other infosec researchers.

“Doesn’t play well with others,” is the damning report card. In this week’s Security Blogwatch, Apple gets a failing grade.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Hello again, PMJ-lite.

iFAIL

What’s the craic? Lawrence Abrams reports—Apple fixes 2 iOS zero-day vulnerabilities actively used in attacks:

[The] vulnerabilities are tracked as CVE-2021-30665 and CVE-2021-30663, and both allow arbitrary remote code execution (RCE) on vulnerable devices simply by visiting a malicious website. … Webkit is Apple's browser rendering engine that is required to be used by all mobile web browsers in iOS and other applications that render HTML, such as Apple Mail and the App Store.

The list of affected devices includes: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, … iPod touch (7th generation), macOS Big Sur, Apple Watch Series 3 and later. The zero-days were addressed by Apple … in the iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and the watchOS 7.4.1 updates.

And Dan Goodin adds—Webkit flaws in just-released iOS 14.5 lets attackers execute malicious code:

A week after Apple issued its biggest iOS and iPadOS update since last September’s … 14.0, the company has released a new update to patch two zero-days that allowed attackers to execute malicious code on fully up-to-date devices. … Last week, Apple fixed CVE-2021-30661, another code-execution flaw in iOS Webkit, that also might have been actively exploited.

CVE-2021-30665 was discovered by researchers from China. [’30663] was discovered by an anonymous source.

Google’s Project Zero [says it] brings the number of zero-days actively exploited against iOS … to seven. With a total of 22 zero-days found so far in 2021, those exploiting the Apple mobile OS make up almost 33 percent.

Use the source, Puke. Apple’s faceless drones scribble thuswise—About the security content of iOS 14.5.1:

Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

A memory corruption issue was addressed with improved state management. … An integer overflow was addressed with improved input validation.
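Apple’s note says only that an integer overflow was “addressed with improved input validation.” As an added illustration of what that class of fix typically looks like in C (this is the blogwatcher’s own example, not Apple’s or WebKit’s code), the block below puts an unchecked size computation, where an attacker-controlled element count silently wraps, beside two validated versions. The `rect_t` record, the `MAX_RECTS` bound and all function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 16-byte record, constructed for this example (not a WebKit type). */
typedef struct { uint32_t x, y, w, h; } rect_t;

/* Assumed policy bound: no caller legitimately needs more records than this. */
#define MAX_RECTS (1u << 20)

/* "Before" pattern: the byte count for an untrusted element count is computed
   in 32-bit arithmetic with no check. For count = 0x10000001 the product
   0x100000010 wraps to 16, so an allocation of that size would be far too
   small for a loop that later writes 'count' records into it.
   This function only returns the (possibly wrapped) size; it never allocates. */
uint32_t unchecked_bytes(uint32_t count) {
    return count * (uint32_t)sizeof(rect_t);   /* silent wrap on overflow */
}

/* "After" pattern, first form: bound the input up front, then let the
   compiler's overflow-checking multiply (GCC/Clang builtin) catch anything
   that would still not fit in the target type. */
bool checked_bytes(uint32_t count, uint32_t *out_bytes) {
    if (count > MAX_RECTS)
        return false;                           /* input validation: policy bound */
    uint32_t bytes;
    if (__builtin_mul_overflow(count, (uint32_t)sizeof(rect_t), &bytes))
        return false;                           /* arithmetic would wrap */
    *out_bytes = bytes;
    return true;
}

/* "After" pattern, second form: the portable divide-before-multiply idiom for
   compilers without overflow builtins. Same policy bound, same result. */
bool checked_bytes_portable(uint32_t count, uint32_t *out_bytes) {
    if (count > MAX_RECTS)
        return false;
    if (count > UINT32_MAX / (uint32_t)sizeof(rect_t))
        return false;                           /* count * 16 would exceed UINT32_MAX */
    *out_bytes = count * (uint32_t)sizeof(rect_t);
    return true;
}

/* Allocates a zeroed array of 'count' records, or returns NULL when the
   validated size computation rejects the input. Callers must free() the result. */
rect_t *alloc_rects(uint32_t count) {
    uint32_t bytes;
    if (!checked_bytes(count, &bytes))
        return NULL;
    rect_t *p = malloc(bytes);
    if (p)
        memset(p, 0, bytes);
    return p;
}

int main(void) {
    /* Constructed input: a count chosen so that count * 16 wraps in 32 bits. */
    uint32_t hostile = 0x10000001u;
    printf("unchecked: %u records -> %u bytes (wrapped)\n", hostile, unchecked_bytes(hostile));
    uint32_t bytes;
    printf("checked:   %u records -> %s\n", hostile,
           checked_bytes(hostile, &bytes) ? "accepted" : "rejected");
    rect_t *ok = alloc_rects(4);
    printf("alloc_rects(4) -> %s\n", ok ? "allocated 64 bytes" : "NULL");
    free(ok);
    return 0;
}
```

The policy bound does most of the work: once a sane upper limit on the count is enforced before any arithmetic, the overflow check becomes a second line of defence rather than the only one. For finding the “before” pattern in an existing code base, Clang’s `-fsanitize=unsigned-integer-overflow` flags the wrapping multiply at runtime, and static analyzers that track tainted lengths report it before the code ships.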

Clear as mud. Matt Tait—@PwnAllTheThings—sounds deeply frustrated:

One thing that would be really neat and helpful for Apple to do with these updates for [in-the-wild] exploits (which … would probably benefit them more than anyone else), is to be more proactive on explaining which models they saw active exploitation on. … ITW exploits are a rare place where you get real data on platform security ROI and it's a horrible shame to drop that granularity. And [it’s] a lost opportunity for Apple to capitalize on and plug their hardware security investment if it's doing its job of protecting from ITW exploits.

Keeping ITW exploit techniques [secret] is probably a net negative for consumer security. … Platformsec folks and researchers can't model attacks and share systemic defensive techniques across platforms.

[They] should be less squeamish about publishing this data and doing comprehensive writeups. Because it kills me how valuable this data is to platformsec & policy squinting for metrics while their colleagues sit on a goldmine of real data. … ITW exploit techniques can and do shift the needle a lot on both if published and analyzed properly.

However, CRandyHill hopes Apple could at least learn from its mistakes:

I'm curious as to whether most zero days in WebKit follow similar patterns. … And whether there is something Apple could be doing to reduce the number of future security flaws—i.e., using a memory safe language like Swift in the most risky areas, or … using static analysis tools.

But all is not well in iThing land. Heed Ranger1850’s tale of woe:

Installed 14.5.1 update on my iPhone 11 and my iPad. In both cases, the Safari bookmark bar is now missing and the favorites don’t show when clicking the url line.

Tried restarting (both iPhone 11 and iPad) and still nothing shows up. … I also installed the 11.3.1 update in my MBPro and the favorites bar shows up but has a completely different ribbon of favorites than it did before.

Look around, Buzz. What do you see? u/DingDongsEverywhere:

The UI has become frustrating and lacking features. Tons of bugs on the regular now. Battery drain is a crap shoot every release. iOS Safari is … ugh. WTF happened?

Just tons of QOL issues that I don't remember Apple having in the past. Sure they were never perfect, but their releases tended to be solid with a lack of bugs.

And macOS customers ain’t happy, neither. Here’s schafdog, for one:

A macOS 0.0.1 update that is 2.5 GB and only contains a WebKit fix? … Please start doing security patches again.

“I’m a Mac.” … “And I’m a PC.” (Ask your parents.) Kim Zetter brings the snark: [You’re fired—Ed.]

Maybe iOS needs a patch Tuesday going forward?

Meanwhile, it’s back to basics, with BrianZ:

0-days suck, no matter the platform. Get to patchin' kids!

The moral of the story?

Stop believing your own PR. Like Apple, you might once have been different, but dev entropy is inevitable (cf. death and taxes).

And finally

A welcome return to form for a pandemic-stripped-down PMJ

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Dariusz Sankowski (via Pixabay)
