At a glance.
- Apple patches vulnerability used in Unc0ver jailbreak.
- Fraud-detection scripts on popular websites raise privacy concerns.
- Sign in with Apple flaw could have allowed account takeover.
- StrandHogg 2.0 is more serious than its predecessor.
- Sandworm exploiting Exim vulnerability.
Apple patches vulnerability used in Unc0ver jailbreak.
The Verge reports that iOS 13.5.1, which was rolled out on Monday, fixes a kernel vulnerability exploited by the Unc0ver jailbreak. Apple didn't go into much detail, simply describing the vulnerability (which it tracks as CVE-2020-9859) as a "memory consumption issue" that could allow an application to "execute arbitrary code with kernel privileges."
Decipher reports that the flaw is a newer version of a bug that was patched in 2018 with iOS 12. That vulnerability was first discovered by researchers at Synacktiv, who said in a blog post last week that the exact same bug was reintroduced in iOS 13. Luca Moro of Synacktiv explained in the 2018 post that the vulnerability "is located in the lio_listio syscall and is triggerable by a race condition. It can effectively be used to free a kernel object twice, leading to a potential Use After Free."
Fraud-detection scripts on popular websites raise privacy concerns.
The Register reported last week that eBay's website was found to be running port scans against visitors' computers. Security researcher Charles Belmer explained that the site runs a script that uses WebSockets to scan for a number of ports known to be used by remote administration tools, including VNC, RDP, and Ammy Admin. These are legitimate tools, but they're commonly abused by malware to control compromised systems. Another researcher, Dan Nemec, found that the script apparently belongs to ThreatMetrix, an online fraud detection platform owned by LexisNexis, and its purpose is presumably to flag potentially illegitimate users.
While eBay's desire to prevent fraud is understandable, most observers seem to agree that scanning a user's local machine without their knowledge is a violation of privacy. eBay responded to the Register's request for a comment, saying it is "committed to creating an experience on our sites and services that is safe, secure and trustworthy," but the company didn't comment on privacy or security concerns.
BleepingComputer says researchers at DomainTools were able to identify several hundred additional sites that appear to be using the ThreatMetrix script. These include websites belonging to Citibank, TD Bank, Ameriprise, Chick-fil-A, Lendup, BeachBody, and Equifax. Some of the sites perform a port scan immediately, while others only port scan users when they attempt to log in or check out. BleepingComputer suspects Netflix, Target, Walmart, ESPN, and others may be using the script on their sites as well, although the researchers weren't able to trigger the port scanning feature on these sites during their testing. Like eBay, these companies are presumably conducting this scanning in an attempt to prevent fraud, but they also don't appear to ask for permission.
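The mechanism described above is the browser opening WebSocket connections to 127.0.0.1 on a list of ports and timing the result. A user who wants to see which sites are doing this can listen on those ports themselves, because the browser attaches the page's Origin header to every WebSocket handshake. The Go canary below is an added example, not code from the article, eBay or ThreatMetrix: it binds the loopback address on ports assumed here for VNC (5900), RDP (3389) and Ammyy Admin (5931), parses each inbound HTTP request, and records the origin of any WebSocket upgrade attempt. The port list, the origin name and the sample handshake are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Ports assumed for this example, matching the tools the article names:
// VNC (5900), RDP (3389) and Ammyy Admin (5931). Change them to whatever
// you expect a page script to probe.
var canaryPorts = []int{5900, 3389, 5931}

// Probe summarises one inbound HTTP request observed on a canary port.
type Probe struct {
	Port        int
	Host        string // Host header the browser sent, e.g. 127.0.0.1:5900
	Origin      string // Origin header: the web page that opened the connection, if any
	IsWebSocket bool   // true when the request is a WebSocket upgrade handshake
}

// classify parses one HTTP request from r and decides whether it is a
// browser-driven WebSocket probe, recording which origin sent it.
func classify(port int, r *bufio.Reader) (Probe, error) {
	req, err := http.ReadRequest(r)
	if err != nil {
		return Probe{}, err
	}
	p := Probe{Port: port, Host: req.Host, Origin: req.Header.Get("Origin")}
	p.IsWebSocket = strings.EqualFold(req.Header.Get("Upgrade"), "websocket") &&
		strings.Contains(strings.ToLower(req.Header.Get("Connection")), "upgrade")
	return p, nil
}

// classifyRaw is classify for a request already held in a string.
func classifyRaw(port int, raw string) (Probe, error) {
	return classify(port, bufio.NewReader(strings.NewReader(raw)))
}

// sampleHandshake is a constructed handshake of the kind a page script makes the
// browser send when it opens ws://127.0.0.1:5900 from https://shop.example.
const sampleHandshake = "GET / HTTP/1.1\r\n" +
	"Host: 127.0.0.1:5900\r\n" +
	"Origin: https://shop.example\r\n" +
	"Upgrade: websocket\r\n" +
	"Connection: Upgrade\r\n" +
	"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n" +
	"Sec-WebSocket-Version: 13\r\n\r\n"

// serve listens on 127.0.0.1:port, passes every parsed probe to report, and closes
// the connection without completing the upgrade, so the page script learns only
// that something accepted the connection.
func serve(port int, report func(Probe)) error {
	ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
	if err != nil {
		return err
	}
	for {
		conn, err := ln.Accept()
		if err != nil {
			return err
		}
		go func(c net.Conn) {
			defer c.Close()
			if p, err := classify(port, bufio.NewReader(c)); err == nil {
				report(p)
			}
		}(conn)
	}
}

func main() {
	report := func(p Probe) {
		fmt.Printf("port %d: websocket=%v origin=%q host=%q\n", p.Port, p.IsWebSocket, p.Origin, p.Host)
	}
	for _, port := range canaryPorts {
		go func(port int) {
			if err := serve(port, report); err != nil {
				fmt.Printf("port %d: %v\n", port, err)
			}
		}(port)
	}
	select {} // run until interrupted
}
```

A port that a real VNC or RDP service already occupies cannot be bound by the canary, so run it on a machine where those ports are free; the Origin value it logs is set by the browser, not by the page script, which is what makes it a reliable record of who probed.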
Sign in with Apple flaw could have allowed account takeover.
Security researcher Bhavuk Jain discovered a vulnerability in Apple's "Sign in with Apple" single-sign-on feature that could allow an attacker to take over any compatible account with just a user's Apple ID email address. Sign in with Apple generates unique JSON Web Tokens (JWTs) via Apple's infrastructure to authenticate user accounts on third-party sites. Jain found that he "could request JWTs for any Email ID from Apple and when the signature of these tokens was verified using Apple’s public key, they showed as valid. This means an attacker could forge a JWT by linking any Email ID to it and gaining access to the victim’s account."
Apple has since fixed the flaw and awarded $100,000 to Jain through its bug bounty program. Jain also said Apple conducted "an investigation of their logs and determined there was no misuse or account compromise due to this vulnerability."
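The tokens in this story were genuinely signed by Apple, so every relying party that verified them correctly still accepted them. The Go program below is an added example, not Apple's code or Jain's, showing what a relying party can and cannot learn from a Sign in with Apple ID token: it pins the algorithm to RS256, verifies the signature against the issuer's public key, and checks the iss, aud, exp and sub claims, so a token minted for a different client or a token whose email was edited after signing is rejected. What it cannot do is tell whether the issuer should have placed that email in the token at all, which is why the fix had to come from Apple. The issuer key, client IDs, subject, email addresses and the signing helper standing in for Apple's token service are constructed for the example; the issuer URL is the one Apple uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	appleIssuer = "https://appleid.apple.com" // iss value Apple places in its ID tokens
	ourClientID = "com.example.rp"            // constructed: this relying party's client ID
)

var b64 = base64.RawURLEncoding

// signRS256 mints a JWT over claims. It stands in for Apple's token service in
// this example; a relying party never signs ID tokens itself.
func signRS256(claims map[string]any, key *rsa.PrivateKey) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken runs the relying-party checks: algorithm pinned to RS256,
// signature against the issuer's public key, then iss, aud, exp and sub.
func verifyIDToken(token string, pub *rsa.PublicKey, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string } // encoding/json matches the "alg" key case-insensitively
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or algorithm not RS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	pb, err := b64.DecodeString(parts[1])
	var claims map[string]any
	if err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("payload unreadable")
	}
	if claims["iss"] != appleIssuer {
		return nil, errors.New("wrong issuer")
	}
	if claims["aud"] != audience {
		return nil, errors.New("token issued for a different client")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	if _, ok := claims["sub"].(string); !ok {
		return nil, errors.New("missing subject")
	}
	return claims, nil
}

// demo mints tokens with a constructed issuer key and reports which ones the
// relying-party checks accept: one for our client, one for another client, and
// one whose email was edited after signing.
func demo() (map[string]bool, error) {
	issuerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Unix(1590000000, 0) // fixed clock so the outcome is deterministic
	mint := func(aud string) (string, error) {
		return signRS256(map[string]any{
			"iss": appleIssuer, "aud": aud, "sub": "001234.constructed.5678",
			"email": "user@example.com", "exp": now.Add(10 * time.Minute).Unix(),
		}, issuerKey)
	}
	own, err := mint(ourClientID)
	if err != nil {
		return nil, err
	}
	foreign, err := mint("com.other.app")
	if err != nil {
		return nil, err
	}
	p := strings.Split(own, ".") // swap the payload of the genuine token; the signature no longer covers it
	tampered := p[0] + "." + b64.EncodeToString([]byte(`{"email":"victim@example.com"}`)) + "." + p[2]
	out := map[string]bool{}
	for name, tok := range map[string]string{"own_client": own, "other_client": foreign, "tampered_email": tampered} {
		_, err := verifyIDToken(tok, &issuerKey.PublicKey, ourClientID, now)
		out[name] = err == nil
	}
	return out, nil
}

func main() {
	r, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for name, accepted := range r {
		fmt.Printf("%-15s accepted=%v\n", name, accepted)
	}
}
```

In production the public key is fetched from the issuer's published key set and selected by the token's key ID, and the nonce sent with the authorization request is compared against the token's nonce claim; both are left out here because they do not change the point that a correctly signed token with the right audience passes every check a relying party can make.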
StrandHogg 2.0 is more serious than its predecessor.
Researchers at Promon disclosed a critical privilege-escalation flaw in Android that could allow a malicious app to hijack legitimate apps and use malicious overlays to trick users into giving up sensitive information and granting privileges. The researchers call the vulnerability "StrandHogg 2.0" based on its similarities to the StrandHogg flaw discovered last year. They explain that the new vulnerability can enable an attacker to "gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone." Attacks using the new vulnerability will be stealthier than those that exploited the first StrandHogg flaw.
Threatpost notes that Google has patched the flaw in Android versions 9, 8.1, and 8, but older versions are still vulnerable.
Sandworm exploiting Exim vulnerability.
The US National Security Agency issued an alert on Thursday warning that Unit 74455 of Russia's GRU, also known as "Sandworm," has been targeting a vulnerability (CVE-2019-10149) in the Exim Mail Transfer Agent (MTA) since at least last August, CyberScoop reports. NSA says the threat actor has "used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA." A patch for the vulnerability was released last year, and NSA "adds its encouragement to immediately patch to mitigate against this still current threat."
RiskIQ says it's detected more than 900,000 vulnerable Exim instances since May 1st, although this number is slowly decreasing as patches are implemented. Decipher quotes researchers from GreyNoise Intelligence who say exploitation of the Exim vulnerability has been small-scale and targeted. GreyNoise's founder Andrew Morris said, "This is an exploit that we know isn’t being aggressively wormed in the way that some others are. It’s not being thrown into botnets. It’s quiet. It’s being used more manually and selectively by the bad guys. There’s more target checking and verification."