Apple patches iOS, macOS, iPadOS, watchOS, kitchen-sinkOS bugs said to be exploited in the wild

Plus: Micro-op CPU caches abused to leak data, and more


In Brief Apple on Monday patched security flaws in its software said to have been exploited in the wild by miscreants to hijack gear.

WebKit, fixed in macOS Big Sur 11.3.1, can be tricked into executing arbitrary code by processing malicious web content – a bad webpage can take over the browser, in other words. "Apple is aware of a report that this issue may have been actively exploited," it said in its advisory.

Specifically, there are two bugs: memory corruption flaw CVE-2021-30665, which was found by a trio at 360 ATA, and an integer overflow issue CVE-2021-30663, credited to an anonymous researcher. The same holes are fixed in iOS 14.5.1 and iPadOS 14.5.1, and the memory corruption problem is addressed in watchOS 7.4.1.

iOS 12.5.3 was released to fix up both holes plus WebKit buffer overflow blunder CVE-2021-30666, also found by the 360 ATA trio and also said to have been exploited in the wild to execute malicious code on iThings. The three researchers also found CVE-2021-30661, a use-after-free() in WebKit Storage again believed to have been exploited in the wild to hijack devices.

From micro-ops to micro-oops: Intel, AMD chip cache may leak secret data

More data-leaking design weaknesses in modern x86 microprocessors have been documented by academics, who believe it may not be possible to fully mitigate these flaws without taking a performance hit.

The team at the University of Virginia and University of California San Diego in the US took a look at the micro-op caches in Intel and AMD chips, and on Saturday said they found the caches can be abused to spill secret information in Spectre-like attacks. It is claimed today's mitigations for Spectre can't stop these leaks.

x86 processors execute complex instructions that can be broken down by CPU cores into multiple smaller operations, commonly called micro-ops. Today's Intel and AMD processors store these instruction fragments in a cache, and as we saw with Spectre, if something's cached in a core, it can probably be exploited to inadvertently leak information.

According to the boffins' paper [PDF], it may be possible to exploit micro-op caches to leak information across privilege boundaries; transmit info from one thread to another if they are running on separate logical SMT cores within the same physical CPU core; and leak data via transient execution. These are difficult to exploit in practice, and if it were to happen, we imagine it would take place in highly targeted attacks in which malicious JavaScript or some other untrusted code manages to sneak data out of its sandbox.

Intel and AMD are aware of the team's findings. In a canned statement, a spokesperson for Intel said it told the academics that its "existing mitigations were not being bypassed and that this scenario is addressed in our secure coding guidance," which you can find here.

"Software following our guidance already have protections against incidental channels, including the micro-op cache incidental channel," Chipzilla added. "No new mitigations or guidance are needed." In other words, if you write your code so that it is resistant to timing attacks, you'll be fine, apparently.

Ashish Venkat, who led the research, said this should be fixed at the silicon level rather than relying on constant-time code, which is difficult to write and not widely used. "The vulnerability we uncover is in hardware, and it is important to also design processors that are secure and resilient against these attacks," he said.

Red Hat distinguished engineer Jon Masters has personally blogged a rundown of the vulnerabilities here.

FBI partners with Have I Been Pwned

Ever since Troy Hunt set up Have I Been Pwned in seven years ago, it's become a go-to resource for checking whether your details have been stolen and leaked from any number of databases on the internet, and now the FBI has teamed up with the dotcom.

After a combined US and EU police operation took down the Emotet botnet this year, the Feds decided to ask Hunt for help in reaching people hit by the malware.

"The FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their accounts had been affected by Emotet," Hunt said in a blog post.

"In all, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies during the takedown."

ISC warns of security BIND

Time to get patching your Berkeley Internet Name Domain (BIND) 9 systems after the Internet Systems Consortium (ISC) released a triple set of patches.

The primary flaw, CVE-2021-25216, affects BIND 9.5.0 to 9.11.29 configured to run Generic Security Service Algorithm for Secret Key Transactions (GSS-TSIG). This is not enabled by default, though plenty of people do. Successful exploitation can crash 64-bit installations, or crash or achieve remote-code execution against 32-bit builds. It was serious enough to cause America's Cybersecurity and Infrastructure Security Agency to issue its own alert.

The other two issues are CVE-2021-25215, a DNAME-related crash bug, and CVE-2021-25214, another potentially remotely triggerable crash.

Experian scores exposed by blabbermouth partner service

It was discovered a partner of Experian had provided a pretty weak front-end for the credit-check giant's back-end API, allowing the easy look-up of Americans' scores and the reasons for their score.

Bill Demirkapi, a sophomore at the Rochester Institute of Technology in the US, found the online service when shopping around for student loans. He realized he could get the credit scores of anyone by supplying their name, address, and date of birth, all potentially publicly available information, and built a tool dubbed “Bill’s Cool Credit Score Lookup Utility,” to fetch the information.

“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian told infosec blogger Brian Krebs. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously."

In other words, Experian had that partner's front-end tool closed down, but there may be others out there also misusing the API to provide free, unchecked lookups. ®

Similar topics


Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022