The past week has been eventful. Let's start with three vulnerabilities in Apple's mobile OS that were reportedly exploited in real attacks. In a brief advisory, Apple attributes two of them to the WebKit engine; both allow arbitrary code execution. The third, in the iOS and iPadOS kernel, allows privilege escalation.
All three were fixed in the iOS and iPadOS 14.4 update released on January 26. Apple says it is aware of active exploitation of these three bugs. Details of that attack are unknown, but there is a recent example of zero-click exploitation of iOS 13, disclosed in a Citizen Lab report at the end of December last year.
On Thursday, January 28, Samuel Groß of the Google Project Zero team published a description of another security mechanism introduced in iOS 14. Through reverse engineering, he analyzes structural changes in how the built-in iMessage messenger operates. Apparently, the current version of Apple's mobile OS strictly isolates every component that processes incoming data. This should make it harder to build new attack methods, even ones that use currently unknown vulnerabilities. On the one hand, Apple is no longer limited to fixing individual bugs; on the other, even with the new protection mechanisms, attacks on devices followed by installation of a backdoor remain quite possible. Either way, you should update your iPhone or iPad to the latest OS version.
A vulnerability in the sudo utility, the standard tool for temporarily elevating user privileges, was discovered by Qualys researchers. Invoking it through the sudoedit command can trigger a buffer overflow and subsequent privilege escalation on the system. The bug entered the sudo code base in 2011; sudo versions 1.8.2–1.8.31p2 and 1.9.0–1.9.5p1 are affected. Patches for popular Linux distributions were released on January 26.
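As an added defender-side example (not from the digest or from Qualys), the following Python script checks the version string printed by `sudo --version` against the affected ranges quoted above, handling the `pN` patch-level suffix correctly so that, for instance, 1.9.5 sorts below 1.9.5p1. The sample banners in the script are constructed, not real command output.

```python
import re
import subprocess

# Affected ranges as reported by Qualys (quoted in the digest), inclusive.
AFFECTED_RANGES = [
    ("1.8.2", "1.8.31p2"),
    ("1.9.0", "1.9.5p1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(text):
    """Turn '1.8.31p2' into a comparable tuple (1, 8, 31, 2).
    A plain release such as '1.9.5' gets patch level 0, so 1.9.5 < 1.9.5p1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised sudo version: %r" % text)
    major, minor, rel, patch = m.groups()
    return (int(major), int(minor), int(rel), int(patch or 0))


def is_affected(version_text):
    """True if the sudo version lies inside one of the affected ranges."""
    v = parse_version(version_text)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_banner(banner):
    """Pull the version out of 'sudo --version' output,
    whose first line reads e.g. 'Sudo version 1.8.31'."""
    m = re.search(r"Sudo version (\S+)", banner)
    if not m:
        raise ValueError("no 'Sudo version' line found in output")
    return m.group(1)


def check_local_sudo():
    """Run 'sudo --version' (no password needed) and classify the result."""
    out = subprocess.run(["sudo", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_affected(version_from_banner(out))


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real system.
    for sample in ("Sudo version 1.8.31", "Sudo version 1.9.5p1", "Sudo version 1.9.5p2"):
        verdict = "in affected range" if is_affected(version_from_banner(sample)) else "not affected"
        print(sample, "->", verdict)
```

Distributions frequently backport the fix without changing the upstream version string, so a version-only check can flag an already patched package; confirm against the distribution's package changelog before acting on the result.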
Finally, last week an attack on information security researchers themselves came to light. An overview article appeared in Vice; technical details are in publications by Google's Threat Analysis Group and Microsoft. At the end of last year, several Twitter accounts (examples are shown in the screenshot above) actively engaged security researchers, offering them a chance to take part in analyzing an exploit for a vulnerability in Windows Defender. Those who entered into correspondence were sent a Visual Studio IDE project with a malicious component attached.
Most likely this was the backup method of attack; the main one was a fake blog that hosted an exploit for a vulnerability in the Chrome browser. For reasons that are not known, links to the blog were actively spread on Twitter and on other sites such as Reddit. The fake personas had full-fledged biographies, LinkedIn profiles and GitHub accounts. On Twitter there are several reports of successful attacks, although often the only thing that "suffered" was a VM set up specifically to open such links. Either way, this story shows that social engineering works on professionals too.