Karlston Posted April 23, 2020

A critical iPhone and iPad bug that lurked for 8 years may be under active attack

Malicious emails require little or no interaction; exploits active since at least 2018.

A critical bug that has lurked in iPhones and iPads for eight years appears to be under active attack by sophisticated hackers to hack the devices of high-profile targets, a security firm reported on Wednesday. The exploit is triggered by sending booby-trapped emails that, in some cases, require no interaction at all and, in other cases, require only that a user open the message, researchers from ZecOps said in a post. The malicious emails allow attackers to run code in the context of the default mail apps, which makes it possible to read, modify, or delete messages. The researchers suspect the attackers are combining the zero-day with a separate exploit that gives full control over the device. The vulnerability dates back to iOS 6, released in 2012. Attackers have been exploiting the bug since 2018 and possibly earlier.

Enormous scope

“With very limited data we were able to see that at least six organizations were impacted by this vulnerability—and the full scope of abuse of this vulnerability is enormous,” ZecOps researchers wrote. “We are confident that a patch must be provided for such issues with public triggers ASAP.”

Targets from the six organizations include:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- Managed security services providers in Saudi Arabia and Israel
- A journalist in Europe
- Suspected: An executive from a Swiss enterprise

Zerodays, or vulnerabilities that are known to attackers but not the manufacturer or the general public, are rarely exploited in the wild against users of iPhones and iPads.
Some of the only known incidents are a 2016 attack that installed spyware on the phone of a dissident in the United Arab Emirates, a WhatsApp exploit in May of last year that was transmitted with a simple phone call, and attacks that Google disclosed last August.

Apple has currently patched the flaw in the beta for iOS 13.4.5. At the time this post went live, a fix in the general release had not yet been released.

Malicious mails that trigger the flaw work by consuming device memory and then exploiting a heap overflow, which is a type of buffer overflow that exploits an allocation flaw in memory reserved for dynamic operations. By filling the heap with junk data, the exploit is able to inject malicious code that then gets executed. The code triggers strings that include 4141...41, which are commonly used by exploit developers. The researchers believe the exploit then deletes the mail.

A protection known as address space layout randomization prevents attackers from knowing the memory location of this code and thus executing in a way that takes control of the device. As a result, the device or application merely crashes. To overcome this security measure, attackers must exploit a separate bug that reveals the hidden memory location.

Little or no sign of attack

The malicious mails need not be prohibitively large. Normal-size emails can consume enough RAM using rich text format documents, multi-part content, or other methods. Other than a temporary device slowdown, targets running iOS 13 aren’t likely to notice any signs that they’re under attack. In the event that the exploit fails on a device running iOS 12, meanwhile, the device will show a message that says “This message has no content.”

ZecOps said the attacks are narrowly targeted but provided only limited clues about the hackers carrying them out or targets who were on the receiving end.
“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications (hence the 4141..41 strings),” ZecOps researchers wrote. “While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”

The most visible third-party organization selling advanced smartphone exploits is Israel-based NSO Group, whose iOS and Android exploits over the past year have been found being used against activists, Facebook users, and undisclosed targets. NSO Group has come under sharp criticism for selling its wares in countries with poor human-rights records. In recent months, the company has vowed to serve only organizations with better track records.

It's generally against security community norms to disclose vulnerabilities without giving manufacturers time to release security patches. ZecOps said it released its research ahead of a general release fix because the zeroday alone isn't enough to infect phones, the bugs had already been mentioned in the beta release, and the urgency created by the six organizations the firm believes are under active attack.

To prevent attacks until Apple releases a general-availability patch, users can either install the beta 13.4.5 or use an alternate email app such as Gmail or Outlook. Apple representatives didn’t respond to an email seeking comment for this post.

Source: A critical iPhone and iPad bug that lurked for 8 years may be under active attack (Ars Technica)
Karlston Posted April 26, 2020

That no-click iOS 0-day reported to be under exploit doesn’t exist, Apple says

Other critics also question evidence and say 0day may have been confused with simple bug.

Apple is disputing the accuracy of this week’s report that found attackers have been exploiting an unpatched iOS bug that allowed them to take full control of iPhones. San Francisco-based security firm ZecOps said on Wednesday that attackers had used the zero-day exploit against at least six targets over a span of at least two years. In the now-disputed report, ZecOps had said the critical flaw was located in the Mail app and could be triggered by sending specially manipulated emails that required no interaction on the part of users. Apple declined to comment on the report at the time.

Late on Thursday night, however, Apple pushed back on ZecOps’ findings that (a) the bug posed a threat to iPhone and iPad users and (b) there had been any active exploit at all. In a statement, officials wrote:

Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.

A fair number of independent researchers have also questioned the ZecOps conclusion. Generally, the critics said that the evidence ZecOps based its findings on wasn’t persuasive.
The disputed findings were based on evidence that the malicious emails were deleted, presumably to hide attacks, but that data that remained in logs indicated the deletions and crashes were the result of an exploit. The critics said if the exploit was able to delete the emails, it would have been able to delete the crash log data as well. The critics said that failure and some technical details contained in the ZecOps report strongly suggested the flaw was a more benign bug that was triggered by certain types of emails. Also skeptical, the critics said, is that an advanced exploit would cause a crash at all.

Those doubts have continued ever since. HD Moore, vice president of research and development at Atredis Partners and an expert in software exploitation, told me on Friday:

It looks like ZecOps identified a crash report, found a way to reproduce the crashes, and based on circumstantial evidence assumed this was being used for malicious purposes. It sounds like after he reported it to Apple, Apple investigated, found out these were just crash bugs, and that shuts the door on this being actually in-the-wild-exploitation of a new iOS zero-day. It could be Apple is wrong, but given their sensitivity to this stuff, they probably did a decent job of investigating it. Through the grapevine I heard that the internal security team that handled this investigation at Apple was pissed off about it, since ZecOps went straight to press before they had a chance to review.

Other critics have delivered their critiques on Twitter. “Looks like you have a real vuln but the evidence of exploitation looks weak… and no info in your post on post-exploitation chaining to lead to info disclosure or code execution,” researcher Rich Mogul wrote. “Any update you can share?
Pretty big claim of a no-click mail 0-day being used.” While Mogul left open the possibility of a real-world exploitation of a vulnerability, he said ZecOps didn’t provide adequate proof to rule out an intentional bug crash. Another criticism is here.

ZecOps, meanwhile, appeared to stand by its report, saying on Twitter:

According to ZecOps data, there were triggers in-the-wild for this vulnerability on a few organizations. We want to thank Apple for working on a patch, and we’re looking forward to updating our devices once it’s available. ZecOps will release more information and POCs once a patch is available.

ZecOps said that based on the data collected on iPhones it believes were exploited, company researchers were able to write a proof-of-concept exploit that took full control of fully updated devices. ZecOps has declined to publish the exploit or other data until Apple releases a fix for the bug. Apple has already released the patch for a beta version of the upcoming 13.4.5, and as Thursday night’s statement said, the company plans to make it generally available soon.

The controversy, Apple’s denial, and the rarity of zero-click vulnerabilities in iOS are certainly reasons for skepticism. It will be worth reviewing the additional information ZecOps has pledged to publish once Apple releases a fix.

Update 4/25/2020, 5:45 PM California time: ZecOps founder and CEO Zuk Avraham told me on Saturday that he still stands by his findings and would like Apple to provide more details. Specific questions he has are (1) how many triggers were there for this vulnerability (both malicious and non-malicious) since iOS 6 and (2) how did Apple confirm that all of these triggers are not malicious? I've sent these questions to Apple and will update if Apple provides answers.

Source: That no-click iOS 0-day reported to be under exploit doesn’t exist, Apple says (Ars Technica)