Apple patches actively exploited iPhone, iPad kernel vulns
Plus: Misconfigured server leaks Thomson Reuters data; VMware patches critical flaw in retired software; Malwarebytes apologises for a hoodie
In brief Apple has patched an iOS and iPadOS vulnerability that's already been exploited.
Crediting an anonymous security researcher with reporting the issue, Apple said the problem is an out-of-bounds write, in which data is written past the end or before the beginning of a buffer. The impact can be data corruption, a crash, or the chance to execute arbitrary code with kernel privileges.
Apple issued iOS 16.1 and iPadOS 16 to address this and 19 other vulnerabilities. Six of the flaws involved the kernel. Others hit Core Bluetooth, graphics and GPU drivers, or the iOS sandbox.
Apple's security notice for the patches offered few details on the already-exploited flaw: we're in the dark as to the nature of the bug, the extent of exploitation, or who has been attacking it.
Looking over the patch notes, one may notice a list of people credited with notifying Apple of such vulnerabilities. Many of them may have been motivated by Apple's upgraded bug bounty program, which the company said has awarded nearly $20 million to researchers since being launched two and a half years ago.
"To our knowledge, this makes Apple Security Bounty the fastest-growing bounty program in industry history," Apple bragged in a statement, in which it also announced the debut of an Apple Security Research website.
The new site will serve as a way for security researchers working on Apple vulnerabilities to communicate with Cupertino. Apple said the new site is a two-way street where users can "hear about the latest advances in Apple security from our engineering teams, send us your own research, and work directly with us to be recognized and rewarded for helping keep our users safe."
Apple Security Research also includes trackers where researchers can follow the status of their reports. It provides more transparency, Apple said, by spelling out bounty info and evaluation criteria more plainly "so you can determine where you'd like to focus your research, and so you can anticipate whether your report qualifies for a particular reward."
It was reported over the weekend that now-former UK Prime Minister Liz Truss's phone was compromised by suspected Russian agents to obtain top secret information. This apparently happened over the summer while she was still foreign secretary.
Thomson Reuters database exposes 3TB of customer data to the web
Security researchers investigating the website of media company Thomson Reuters have found three exposed databases containing data they said could be worth millions of dollars on dark web forums for use in supply chain attacks.
According to the research team at Cybernews, the three databases were easy to find and crawl, but one server was juicier than others: it contained 3TB of "sensitive, up-to-date information from across the company's platforms."
The researchers said the Elasticsearch database included plain-text data such as password reset logs (though no actual passwords were exposed), SQL logs showing what Thomson Reuters clients were searching for, and documents returned through those searches.
"There is a high chance the open instance included much more sensitive data since the database holds more than 6.9 million unique logs that take up over 3TB of server disk," the researchers hypothesized.
Thomson Reuters said it appreciated the work of ethical security researchers and added that it addressed the issue immediately when notified. Two of the servers, Thomson Reuters said, were designed to be publicly accessible and so weren't a risk, while the third, the Elasticsearch instance, wasn't supposed to be exposed but, the company said, isn't a serious problem.
The Elasticsearch server, Thomson Reuters said, was a non-production device that "only houses application logs from the non-production environment associated with a small subset of Thomson Reuters's Global Trade customers," who it said it had already notified.
VMware encounters bug so serious it patches a retired product
VMware has patched a critical vulnerability in its Cloud Foundation platform serious enough that it reached back into the archives to fix software past its end-of-life.
The bug lies in XStream, an open source Java library for serializing objects to XML and deserializing them back. If leveraged by an attacker, it could grant remote code execution with root permissions "due to an unauthenticated endpoint that leverages XStream for input serialization." The exploit can reportedly be executed remotely, is of low complexity, and doesn't require any user interaction: the perfect storm for a would-be hacker.
VMware said that proof-of-concept exploit code targeting the vulnerability, logged as CVE-2021-39144 and rated at a 9.8/10 on the CVSSv3 scale, is already available online – making patching all the more essential.
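The pattern VMware describes, an endpoint that hands untrusted XML straight to XStream, is what makes this class of bug exploitable, and the corresponding defence on the application side is to restrict which classes XStream is allowed to instantiate. The following is an added example written for this article, not VMware's or the XStream project's code; the TradeQuery class, the alias and the sample XML documents are hypothetical, and the snippet assumes XStream 1.4.7 or later, where the type-permission framework exists:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical DTO: the only object this endpoint should ever receive.
    public static final class TradeQuery {
        public String product;
        public int quantity;
    }

    // Vulnerable pattern: a bare XStream with no type restrictions will
    // instantiate whatever class the XML names, on any library version that
    // does not enforce an allowlist by default. Never feed it untrusted input.
    static Object deserializeUnsafe(String xml) {
        XStream xstream = new XStream();
        return xstream.fromXML(xml);
    }

    // Hardened pattern: clear every default permission, then allow only
    // null, primitives, String and the one DTO the endpoint expects.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, TradeQuery.class });
        xstream.alias("tradeQuery", TradeQuery.class); // hypothetical alias
        return xstream;
    }

    static TradeQuery deserializeSafe(String xml) {
        return (TradeQuery) hardenedXStream().fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample: the document the endpoint is designed to accept.
        String expected =
            "<tradeQuery><product>widget</product><quantity>3</quantity></tradeQuery>";
        TradeQuery q = deserializeSafe(expected);
        System.out.println(q.product + " x" + q.quantity);

        // Constructed sample: a document naming a class the endpoint never
        // asked for. The allowlist refuses to instantiate it.
        String unexpected = "<java.util.HashMap/>";
        try {
            deserializeSafe(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Upgrading past the affected XStream releases is the actual fix; the allowlist is defence in depth that also holds when the next gadget class turns up, and the endpoint should additionally require authentication so that untrusted XML never reaches the parser at all. With the hardened instance, the constructed `<java.util.HashMap/>` document is rejected with a ForbiddenClassException instead of being instantiated.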
The end-of-life product getting a patch is VMware NSX Data Center for vSphere, version 6.4 (this update brings it to version 6.4.14), which reached end of life in January of this year.
VMware also patched a second issue in the same security bulletin, but thankfully this one is far less serious. According to the bulletin, VMware Cloud Foundation has an XML external entity (XXE) vulnerability that could allow an unauthenticated attacker to launch a denial-of-service attack or disclose information.
Unlike the severe score of the XStream vulnerability, VMware said the latter issue only rated a 5.3 on the CVSSv3 scale.
Sorry for the hoodie
Humor and infosec don't often mix, but Malwarebytes offered a welcome exception with a tweet published last week that apologised for using a clichéd illustration of a hacker going about their nefarious business while wearing a hoodie.
An apology pic.twitter.com/8A3UtccX5K — Malwarebytes (@Malwarebytes) October 27, 2022
The tweet prompted The Register's production team to cull some of our image library. However, the tweet below from Reg Asia-Pac editor Simon Sharwood remains proudly online.
Security conf selfie pic.twitter.com/YI3iAFzSO2 — Simon Sharwood (@ssharwood) June 22, 2022