This article is more than 1 year old
Apple patches iOS, macOS, iPadOS, watchOS, kitchen-sinkOS bugs said to be exploited in the wild
Plus: Micro-op CPU caches abused to leak data, and more
In Brief Apple on Monday patched security flaws in its software said to have been exploited in the wild by miscreants to hijack gear.
WebKit, fixed in macOS Big Sur 11.3.1, can be tricked into executing arbitrary code by processing malicious web content – a bad webpage can take over the browser, in other words. "Apple is aware of a report that this issue may have been actively exploited," it said in its advisory.
Specifically, there are two bugs: memory corruption flaw CVE-2021-30665, which was found by a trio at 360 ATA, and an integer overflow issue CVE-2021-30663, credited to an anonymous researcher. The same holes are fixed in iOS 14.5.1 and iPadOS 14.5.1, and the memory corruption problem is addressed in watchOS 7.4.1.
iOS 12.5.3 was released to fix up both holes plus WebKit buffer overflow blunder CVE-2021-30666, also found by the 360 ATA trio and also said to have been exploited in the wild to execute malicious code on iThings. The three researchers also found CVE-2021-30661, a use-after-free() in WebKit Storage again believed to have been exploited in the wild to hijack devices.
From micro-ops to micro-oops: Intel, AMD chip cache may leak secret data
More data-leaking design weaknesses in modern x86 microprocessors have been documented by academics, who believe it may not be possible to fully mitigate these flaws without taking a performance hit.
The team at the University of Virginia and University of California San Diego in the US took a look at the micro-op caches in Intel and AMD chips, and on Saturday said they found the caches can be abused to spill secret information in Spectre-like attacks. It is claimed today's mitigations for Spectre can't stop these leaks.
x86 processors execute complex instructions that can be broken down by CPU cores into multiple smaller operations, commonly called micro-ops. Today's Intel and AMD processors store these instruction fragments in a cache, and as we saw with Spectre, if something's cached in a core, it can probably be exploited to inadvertently leak information.
Intel and AMD are aware of the team's findings. In a canned statement, a spokesperson for Intel said it told the academics that its "existing mitigations were not being bypassed and that this scenario is addressed in our secure coding guidance," which you can find here.
"Software following our guidance already have protections against incidental channels, including the micro-op cache incidental channel," Chipzilla added. "No new mitigations or guidance are needed." In other words, if you write your code so that it is resistant to timing attacks, you'll be fine, apparently.
Ashish Venkat, who led the research, said this should be fixed at the silicon level rather than relying on constant-time code, which is difficult to write and not widely used. "The vulnerability we uncover is in hardware, and it is important to also design processors that are secure and resilient against these attacks," he said.
Red Hat distinguished engineer Jon Masters has personally blogged a rundown of the vulnerabilities here.
FBI partners with Have I Been Pwned
Ever since Troy Hunt set up Have I Been Pwned in seven years ago, it's become a go-to resource for checking whether your details have been stolen and leaked from any number of databases on the internet, and now the FBI has teamed up with the dotcom.
After a combined US and EU police operation took down the Emotet botnet this year, the Feds decided to ask Hunt for help in reaching people hit by the malware.
"The FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their accounts had been affected by Emotet," Hunt said in a blog post.
"In all, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies during the takedown."
ISC warns of security BIND
Time to get patching your Berkeley Internet Name Domain (BIND) 9 systems after the Internet Systems Consortium (ISC) released a triple set of patches.
The primary flaw, CVE-2021-25216, affects BIND 9.5.0 to 9.11.29 configured to run Generic Security Service Algorithm for Secret Key Transactions (GSS-TSIG). This is not enabled by default, though plenty of people do. Successful exploitation can crash 64-bit installations, or crash or achieve remote-code execution against 32-bit builds. It was serious enough to cause America's Cybersecurity and Infrastructure Security Agency to issue its own alert.
The other two issues are CVE-2021-25215, a DNAME-related crash bug, and CVE-2021-25214, another potentially remotely triggerable crash.
Experian scores exposed by blabbermouth partner service
It was discovered a partner of Experian had provided a pretty weak front-end for the credit-check giant's back-end API, allowing the easy look-up of Americans' scores and the reasons for their score.
Bill Demirkapi, a sophomore at the Rochester Institute of Technology in the US, found the online service when shopping around for student loans. He realized he could get the credit scores of anyone by supplying their name, address, and date of birth, all potentially publicly available information, and built a tool dubbed “Bill’s Cool Credit Score Lookup Utility,” to fetch the information.
“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian told infosec blogger Brian Krebs. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously."
In other words, Experian had that partner's front-end tool closed down, but there may be others out there also misusing the API to provide free, unchecked lookups. ®