[HN Gopher] Hackers used zerodays to infect Windows, iOS, and An...
___________________________________________________________________
Hackers used zerodays to infect Windows, iOS, and Android users
Author : nikbackm
Score : 133 points
Date : 2021-03-19 08:13 UTC (14 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| sneak wrote:
| How long until we realize that JIT was a mistake and that we
| should offer orders of magnitude slower JS in browsers that is
| actually safe (or start building webpages without JS at all
| again, which will probably never happen) lest we give every
| website the ability to take over our device?
|
| I'd pay real money for a browser with a slow, safe JS
| interpreter.
| high_byte wrote:
| why do you assume an interpreter is any safer than JIT? kinda
| like saying arrays are better than matrices.
| mhh__ wrote:
| Timing attacks are easier with a JIT, e.g. I have seen eBPF
| referred to as a Spectre accelerator.
| throwaway33432 wrote:
| A JIT will write to memory and then turn the executable bit
| on.
|
| https://en.wikipedia.org/wiki/W%5EX
| high_byte wrote:
| You are implying this is the underlying cause for code
| execution exploits; it is not.
| Randor wrote:
| Actually with the font exploits an interpreter would be
| quite a bit safer. Many of the font exploit chains work
| by creating line vectors that result in an infinity or
| NaN throwing a floating point error (with the SEH handler
| already being overwritten). When running this by JIT...
| all of this is occurring on the physical CPU. If the
| floating point calculations were occurring inside an
| interpreter then the SEH chain can be protected by
| SEHOP/SAFESEH and the interpreter could implement bounds
| checks while retaining the NX bit on everything
| executing.
| high_byte wrote:
| a. Closing one attack vector does not justify slowing
| down the entire world. b. You can have the JIT compile
| with any bounds checks as you suggested, so still not
| justifying an interpreter. The only reason for an
| interpreter is simplicity; once you have a JIT there's no
| logical reason to go back. Also, when you say NX bit, you
| do know the interpreter is running code still. It just
| doesn't have to be RW (actually JITs don't either), which
| still allows for ROP. There has to be some very specific
| exploit for these things to have a dramatic effect (i.e.
| can be vs. cannot be exploited); many times there will be
| several methods to exploit a vuln.
| Randor wrote:
| Well, I feel like you are arguing for JIT just for the
| sake of arguing. The topic we are discussing in this
| thread is "Interpreted is safer than JIT" which is
| absolutely true.
|
| Yeah, there are newer ROP mitigations coming down the
| pipeline, I agree verifiable execution flow remains a
| major problem.
| Jonnax wrote:
| Most of those bugs were in font rendering.
| sneak wrote:
| I saw; such a security-focused browser would naturally use
| only local, trusted fonts and strongly sandbox media
| playback/decode of any kind, probably in a different process.
|
| We need slow and safe before we can have fast and safe.
| Either is better than the fast and unsafe we have now.
|
| We should probably unfuck the dangerous morass that is
| turing-complete font file formats at some point, too.
| novok wrote:
| The direction of webdev is webasm delivering full almost-
| desktop level apps and SPAs vs the documents with some
| minor scripting of the past.
|
| Slow & safe javascript will simply not be adopted by the
| market because there is zero incentive to do so. Change the
| incentives and you will get the change you want.
| floatboth wrote:
| Firefox at least uses the wasm sandbox for Graphite, the
| _really_ fancy turing-complete font thing:
|
| https://hacks.mozilla.org/2020/02/securing-firefox-with-
| weba...
|
| Same with Ogg container parsing.
| robocat wrote:
| The v8 engine has a --jitless option, however it isn't clear
| to me whether Chrome allows that as a command line option.
|
| https://v8.dev/blog/jitless
| tyingq wrote:
| I believe you would do: chrome --js-flags="--jitless"
| swebs wrote:
| >The importance of keeping apps and OSes up to date and avoiding
| suspicious websites still stands. Unfortunately, neither of those
| things would have helped the victims hacked by this unknown
| group.
|
| Disabling Javascript would have helped. You can even use tools
| like uMatrix to set exceptions per site so you're not exposing
| yourself to every single site on the internet by default. Though
| you won't see online news sites suggest this since their revenue
| is so tied to Javascript being enabled.
| Jonnax wrote:
| The reason why general computing sites don't recommend it is
| because users won't be happy when they can't sign into their
| bank or use other websites they wish to use.
|
| The average user doesn't know anything about how sites are
| constructed. Telling them to use uMatrix is nonsensical.
|
| Though that's not to say there's good advice on these kinds of
| sites.
|
| I've seen a "Windows 10 tips" list from a very popular site
| telling users that "they don't like being patronised about
| their own computer" and recommends turning off UAC (Essentially
| running their account as root)
|
| Or even saying that updating your OS is frustrating so here's
| how to disable it.
|
| Absolutely dangerous advice but that's the level of general
| computer sites.
| cute_boi wrote:
| Yep
|
| Regarding Update/UAC Please blame microsoft.
|
| I don't want forced updates when I am working. And many times
| I have encountered issues like the computer not booting. After
| updates they prompt "Please install our cool new software
| called Edge".
|
| I want security updates, not marketing updates. So I make a
| compromise and disable updates altogether. Why not give
| Linux-style updates where I can review each and every package?
| httpsterio wrote:
| Because you most likely didn't buy the product called
| Windows 10. Rather, you're using the service and you are in
| fact the product.
|
| W10 Education and Enterprise licenses allow you to manage
| the updates yourself.
| Jonnax wrote:
| The reason is that the product is Windows 10 as a whole.
|
| Linux Distros are just bundles of software that make up the
| operating system.
|
| So if your compromise is that you don't want new Windows 10
| updates because they also bundle in new features rather
| than using an OS like linux, then it'd be your fault if you
| get hacked via an exploit that was patched in an update.
|
| Microsoft aren't going to care.
| Silhouette wrote:
| _Microsoft aren't going to care._
|
| Then the obvious solution is to make them care. We
| penalise corporations for financial negligence and
| failing to take proper precautions and report correctly.
| We increasingly penalise them for violations of privacy
| and data protection rules, where similarly they are
| expected and required to provide adequate infrastructure
| to comply with the regulatory obligations. If failing to
| implement reasonable security practices and provide
| appropriate security updates to users with no strings
| attached started costing the hardware manufacturers and
| software developers and resellers the same kinds of
| penalty per violation as some of the financial or privacy
| regulations, we'd soon see those security updates
| universally available without forcing all the unwanted
| user-hostile changes at the same time.
| Jonnax wrote:
| There isn't a law that mandates they split security updates
| from feature updates.
|
| What if they rewrote a component to have new features and
| it also fixed a security issue?
|
| What's the difference between a security patch and a bug
| fix?
|
| At the end of the day if someone gets so angry that
| Microsoft added Paint 3D in an update that they disabled
| updates.
|
| What's the obligation here? They chose not to update
| their computer.
| CraneWorm wrote:
| You know, Windows LTSC exists.
| gibspaulding wrote:
| Not in any real way for most people. It's only available
| to enterprise accounts, and from what I saw when I worked
| in IT, Microsoft strongly discourages its use for normal
| user desktops.
| kevingadd wrote:
| The unpleasant answer is that if you give people linux
| style updates, every Windows 10 install becomes part of a
| botnet like the bad old days. No operating system I know of
| other than Linux actually gives you the option to do
| updates piecemeal and security is one of the main reasons
| why.
|
| For the record I hate this, but history has shown that if
| you don't try your absolute hardest to get security updates
| installed onto users' machines, they're going to constantly
| get owned by malicious third parties. Chrome and Firefox
| aggressively auto-update for the same reason (if you try to
| manually install old Chrome for testing it'll obliterate
| itself on next launch!) The vast majority of users simply
| do not pay attention to security and will not make the
| right decisions if you offer them choices about updates and
| security, because they don't have enough knowledge or
| context to make the right choices.
| deepstack wrote:
| > Disabling Javascript would have helped
|
| Thank you for saying that. I'm one of the first in 2005/2006
| advocating JS rendering in the browser. JS in the browser has
| really gotten out of hand. I no longer advocate to do
| everything on the client/browser side. A web site should just
| work without JS.
| moooo99 wrote:
| Normal websites should absolutely, but actual webapps don't
| necessarily need to. Modern JS allows for very capable audio,
| video and 3d web applications inside the browser. The
| alternative if it wasn't for JS would be to build desktop
| apps, which would introduce a completely new set of problems
| and potential security risks.
| deepstack wrote:
| > audio, video and 3d web applications
|
| For sure, audio and video do not need JS to function.
|
| Yes you need JS for 3D WebGL, but it also opened another
| can of worms that allows companies to GPU-fingerprint pretty
| much anyone who is not using Safari, regardless of whether
| you are in incognito mode.
|
| What most web developers don't realize is that the browser
| was built to be a sandbox to protect you from the World Wide
| Web. Seems like the current trend is to tear down that sandbox
| for usability and functions. Which is fine, but then advertise
| that a browser with JS enabled pretty much opens you to all
| that risk. It should be part of public education as well as
| the first page of any browser that doesn't sandbox GPU
| fingerprinting.
| zzo38computer wrote:
| This is true, and web browsers will need better user
| configuration to control such things, including fine
| controls to control what exactly a script does. The web
| developer console is a good start, but it doesn't even
| start to go far enough at all.
| zzo38computer wrote:
| Most should work without JS (and also without CSS too,
| usually), yes.
|
| Even in the few cases where it is needed, it should be
| designed to work OK without. I did see once where if
| JavaScript was disabled, it displayed a link to documentation
| instead; that is a good idea. (Unfortunately, the
| documentation didn't work without JavaScript enabled; they
| should fix that.) If it is accessing data, you can link to
| the documentation and/or to the data directly, in order to
| deal with it by yourself, with your own software, if the user
| wishes to do so. Sometimes the script is used to perform
| calculations, or automatically convert or render something;
| you can still add a <noscript> block to just mention what it
| is, links to source codes, or in some cases (e.g. automatic
| time zone conversion) just omit that part entirely will do.
| Simply writing "This page requires JavaScript enabled to
| work" is worthless; don't do that.
| ekianjo wrote:
| uMatrix is not available for Firefox on Android anymore. Thanks,
| Mozilla!
| forgotmypw17 wrote:
| Still works great in Pale Moon.
| ekianjo wrote:
| Afaik there is no Pale Moon on Android.
| forgotmypw17 wrote:
| Sorry, I misread the comment I replied to.
|
| Android and iOS are indeed a wasteland in terms of
| browser security.
| [deleted]
| DelightOne wrote:
| What does it have to do with Mozilla?
| ekianjo wrote:
| Mozilla removed most extensions with their new Firefox on
| Android.
| ce4 wrote:
| I use F-Droid's Fennec, which has addon-collections
| re-enabled. Bit of a hassle if you want something that's not
| yet included in an existing collection, but possible:
|
| https://f-droid.org/de/packages/org.mozilla.fennec_fdroid/
| Bancakes wrote:
| I find the vast majority of websites need JS. Even if it's a
| simple download link, the incompetent devs tied it to JS.
| hosteur wrote:
| Yes uMatrix is crucial. But alas it has been discontinued as I
| understand.
| zeepzeep wrote:
| Yes :'( uMatrix is dead. But uBlock advanced mode seems
| ok-ish and is still supported.
| pabs3 wrote:
| uMatrix has been archived and is no longer maintained:
|
| https://news.ycombinator.com/item?id=24532973
| https://github.com/gorhill/uMatrix
|
| I'm not sure what is supposed to replace it though.
| waxyalan wrote:
| uBlock in medium mode or higher
|
| https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium...
| grey4228 wrote:
| 'uBlock Origin' not uBlock
| pabs3 wrote:
| Sounds like disabling web fonts would have helped too.
| ddtaylor wrote:
| What sites were targeted?
| upofadown wrote:
| The actual exploited bugs were mostly found in the OS but this is
| really about browsers. A contemporary browser pretty much exposes
| your entire OS to remote attacks. You want to exploit font
| interpretation? No problem, the browser will happily download
| your malicious font.
|
| There has to be a better way. This isn't working...
| fsflover wrote:
| The better way is to use Qubes OS for security through
| isolation. You then use hardware virtualization to isolate
| untrusted applications (including browsers) from the rest of
| the system. Doesn't work on mobile though.
| uncledave wrote:
| Processes were a form of robust virtualisation once. It's
| just pushing the problem down another layer. There are
| vulnerabilities in virtualisation layers too.
| cutemonster wrote:
| > Processes were ..
|
| Was it ever robust? Or just that there weren't yet so many
| exploits?
| uncledave wrote:
| It's a good question. Perhaps the same is true now with
| virtualisation.
| ancarda wrote:
| The only thing that comes to mind is having most websites be
| _sites_ and not _apps_. Most sites don't need custom fonts,
| JavaScript, and CSS.
|
| If Firefox & Chrome had support for something lightweight like
| Gemini (https://gemini.circumlunar.space/) then most sites
| could just use that.
|
| With that sort of setup, restrictions on the web like uMatrix
| would be a lot less painful because most sites wouldn't ever
| need to be whitelisted.
| zzo38computer wrote:
| I agree, and on my computer I disable custom fonts in the web
| browser anyways.
|
| A better web browser is really needed; one of the things it can
| have is support for the Gemini protocol and file format. (It
| can also omit many things, as well as adding things.)
| edoceo wrote:
| What else to omit? Not snark. I'm playing with a Firefox
| fork and ripping stuff out (pocket).
| dkdk8283 wrote:
| Rip out the clipboard API along with all the other
| functions that allow sites to manipulate text selection
| semantics, sticky overlays, and all of the other UX
| garbage that has accumulated over the years.
| ancarda wrote:
| Could I make a suggestion? It'd be great if it were
| possible to whitelist/blacklist all web features. We can do
| this for some features like location, but I can't
| selectively turn off images, JavaScript, or web fonts
| (only globally).
|
| It might be nice to have a prompt like "This page wants
| to use a web font" like how you get for location. I
| realize that may be a lot of work to add in though.
|
| Really, I'd just like to re-enable webfonts on Netflix so
| the subtitles don't look like garbage, but keep the fonts
| off on almost all websites. If anyone at Netflix is
| reading this, please fall back to something like
| sans-serif and not serif.
| edoceo wrote:
| We're on the same page. My current rough draft blocks
| everything by default and has an accept_list.
|
| I wish servo was in a better place to fork
| sodality2 wrote:
| >If Firefox & Chrome had support for something lightweight
| like Gemini (https://gemini.circumlunar.space/) then most
| sites could just use that.
|
| But they wouldn't, because they couldn't track people.
| sloshnmosh wrote:
| My guess is that the watering hole websites were probably browsed
| by minorities frowned upon by the Chinese state.
|
| The Volexity blog covers some of the earlier watering hole
| attacks in more detail.
| brundolf wrote:
| It hints but doesn't outright say that these attacks were highly
| targeted to specific people, and not the general public; is that
| known?
| dave_sullivan wrote:
| Been playing with tools like angr lately and learning more about
| binary analysis.
|
| It seems to me that "automatic exploit generation" is improving
| quite a bit where the infrastructure for analysis is a little
| tricky to set up, but then you can direct that infrastructure to
| analyze the code for you. The bad guys and good guys are in a
| race to find new exploits faster (they always have been) but I've
| been pretty amazed by the direction I see things going with
| automation.
|
| I might just go back to pen and paper at this point.
| ancarda wrote:
| >I might just go back to pen and paper at this point.
|
| Maybe you kid, but... I've been using a physical calendar on
| the wall this year. I also replaced my Apple Watch with a Casio
| F-91W some time ago.
|
| You know what's really great? My calendar or watch never gets
| hacked and it's never unavailable because some overnight
| software update broke it! Sure, the F-91W technically runs
| software, but it has no connectivity. That's the important
| part.
|
| Now if I could just figure out what to do with my phone... I
| don't think dumb phones are particularly secure, so maybe it
| makes sense to keep using Android? Or eventually switch to
| Linux on my phone?
| cyberpunk wrote:
| If only the F-91w had a countdown/timer function instead of a
| stopwatch... :)
| sausage_dog wrote:
| I suppose this year is different but what about when you're
| outside and you want to check your calendar? Do you copy
| everything to a pocket calendar and risk them going out of
| sync?
| ancarda wrote:
| So far that hasn't really come up. How often do you need to
| check your calendar outside? Maybe I don't need to very
| much because I work from home.
|
| Here are some possible scenarios though:
|
| * If I need to remember when something is going to happen,
| such as "I'm leaving my house to meet a friend at 4 PM", I
| can just commit to memory what time it was supposed to be.
|
| * If there's a lot of stuff happening, then I'd make a note
| on my phone. If the times of events change while I'm out,
| it doesn't really matter if my calendar at home is out of
| sync. I'm just going to cross the day off when I get back.
|
| * If I find out a later date will change ("the user group
| has been moved to Thursdays"), then I'll leave myself a
| reminder on my phone. Most of the things on my calendar are
| actually little post-it notes, so I can move things around.
| I only write things in ink when they will never change,
| like national holidays that are already scheduled/set in
| stone.
|
| So far, I haven't really run into any pain points. The
| drawbacks of paper calendars just aren't enough to overcome
| the drawbacks of electronic calendars.
| LinuxBender wrote:
| I have a $12 flip phone, pay as you go, not in my name. It
| can't browse the web and if someone sends me binary data in a
| text message it shows up the same as if I read binary data
| in my terminal. The phone has no idea what to do with it.
| Battery life would be great if they did not remove the cell
| sites near me. I think this model was replaced by one that is
| $29 but it's basically the same thing. Check Walmart or an
| equivalent store.
| generalizations wrote:
| I would do that also, if I could replace the live traffic
| of google maps. Did you find a solution to that, or do you
| just not need it?
| xet7 wrote:
| a) Some do like paper maps.
|
| b) Google Maps could advise directions to some smaller, not
| so well maintained roads, which could increase travel time
| a lot, or lead to some road where it's hard to turn back.
| So maybe planning ahead and writing driving instructions
| at home before driving would be better. Or just trying to
| follow main street signs for major roads.
|
| c) There are some DIY projects like Raspberry Pi
| navigator:
| https://www.raspberrypi.org/forums/viewtopic.php?t=70517
| 0xdeadbeefbabe wrote:
| It's a tedious game though: but, but, your Casio is still
| vulnerable to EMP and you have to be awake to read it.
| rany_ wrote:
| Why is "expert" in quotes? Aren't 11 zerodays impressive?
| sdflhasjd wrote:
| It's in quotes because it's a quote from Maddie Stone as
| opposed to a judgement made by the author.
| tiddles wrote:
| Totally off topic, but I'm often tripped up by these multiple
| uses of quotes like this. Why do we use the same symbols out
| of a huge space for both quoting and sarcasm?
| rzzzt wrote:
| BBC articles tend to use it a lot, it's probably part of
| their style guide. I snicker quietly at each title that "is
| worded" like "this", imagining a Dr. Evil air quoting each
| segment dutifully.
| smolder wrote:
| Not a linguist or anything, but I'd say there are really just
| two categories: direct quotes (usually with a source), and
| then scare quotes which are used to communicate that you
| don't endorse the usage of the contained word(s).
| Bancakes wrote:
| Sarcasm should be put in single quotes.
| corty wrote:
| There are separate symbols for sarcasm, but in "serious"
| writing emoji aren't considered appropriate. And
| sites/software like to restrict them, like e.g. HN, which
| is why the sarcasm above is marked by quotes instead of the
| appropriate emoji. Some earlier internet cultures used :>
| But I fear that is understood less widely nowadays.
| codetrotter wrote:
| On Reddit people sometimes put /s at the end of a
| sentence to indicate sarcasm.
|
| And then there is also the irony punctuation which looks
| like this: ⸮
|
| https://en.wikipedia.org/wiki/Irony_punctuation
|
| But I have never seen anyone actually ever use it. In
| fact I only ever heard about it so rarely that I almost
| miswrote and was about to say that interrobang is
| sometimes used for indicating sarcasm. But when I looked
| it up I read that interrobang is for showing surprise of
| course!
|
| As for your :> there was a guy that used to use it on an
| IRC channel that I was on. But I never understood quite
| what he meant by that kind of smiley. And later I looked
| it up and in his case I think the description I saw on
| Urban Dictionary fit pretty well, which said it was like
| a mischievous or devious smile. And I guess that also
| fits well for when you are sarcastic. Ever since I read
| that definition of :> it makes me think of this cartoon
| grinch smile
| https://meme.fandom.com/wiki/The_Grinch_Smile
| [deleted]
| [deleted]
| cyberpunk wrote:
| It looks like the chain here was 'visit some site via browser'
| -> 'kernel exploit' on iOS, Windows and Android.
|
| I'd call whoever is responsible for such a valuable amount of
| 0days expert/nation state level for sure.
| headmelted wrote:
| Probably a stupid question to ask, and I realise the bigger
| picture here is that there are sophisticated groups searching for
| complicated exploits all the time, but are _these_ specific
| exploits addressed already in the latest software updates for the
| affected platforms?
|
| Wasn't clear to me from the article, although I may just have
| missed it being the idiot that I am.
| iSnow wrote:
| Usually, security researchers communicate exploits to the
| companies that build platforms before publishing so they get a
| chance to plug the holes. Of course it happens that those
| companies just don't react but with such a high-profile zoo of
| exploits, their security guys would be scrambling.
| boringg wrote:
| Curious why there isn't more specificity in the article? Is it to
| protect the sites and allow them time to fix? I'm not asking in a
| derogatory fashion, more trying to figure out the level of
| potential exposure I have myself. Tough to determine from the
| article.
| [deleted]
| jokoon wrote:
| I really don't understand why people decide to work in computer
| security, today it's really an arms race. I see how it's like
| games of lockpicking, but honestly I don't understand the value
| of it.
|
| It's like being in the arms trade: what matters is who you decide
| to trade with.
|
| Honestly, I'd rather see myself as anti-cyber-war at this point,
| like anti-war protests, meaning telling people to use computers
| for less critical tasks, and disengaging from certain areas.
| qw3rty01 wrote:
| Unlike lockpicking or actual arms races, it _is_ possible to
| write software such that the only weak point is the people
| using it. Ideally all software would be formally verified, but
| that's a bit too cost/time expensive to be practical for
| everything, so instead computer security focuses a lot on
| minimizing attack surface and getting as close as possible to
| that "humans are the weak point" goal. Even if a 0day exists
| for particular software, if there's no way to reach it, then
| it's as good as being nonexistent.
| cutemonster wrote:
| > telling people to use computers for less critical tasks, and
| disengaging from certain areas.
|
| I think I can understand a bit how you think. Looking at some
| health care related apps, I was surprised to see how buggy they
| were (the user interface) and silly in how they were built, wrt
| security.
|
| On the other hand, without computers, the alternative seems to
| be that the health care staff picks up the phone and just
| assumes you are the one you say you are.
| anonymouse008 wrote:
| Which ones may I ask? I've been shocked to learn how many
| online EHR/EMRs work... it's a bit frightening to think it
| would be trivial to find large densities of ailments /
| preconditions to exploit at a state level.
| kube-system wrote:
| If you don't want it to happen, then why not become one of the
| people trying to prevent attacks from being successful?
|
| The best way to stop future attacks is to make current attacks
| unsuccessful.
| GartzenDeHaes wrote:
| Hackers ARE using zerodays to infect EVERYTHING. I really can't
| understand why people continue to just assume that their
| endpoints and networks are clean. Worse, they then use the lack
| of security events to justify not buying the tools and expertise
| that are necessary to identify compromises.
|
| EDIT: not just zerodays. Many organizations have patch schedules
| that are too slow.
| Taylor_OD wrote:
| I think the average person doesn't know how to prevent it and
| believes that learning how would be beyond their abilities.
| trepatudo wrote:
| Even if this worked on Linux, would a Chrome running in a
| Flatpak sandbox be able to escalate privileges?
| pacificmint wrote:
| If a PC is infected I can (and should) reinstall everything from
| scratch. That should remove the malware, barring some super
| resistant malware that hides in the BIOS or something like that.
|
| What do you do on an iOS device? Does a full device reset
| reinstall the OS, or does it simply remove all user settings?
|
| I feel like the locked down nature of iOS makes it harder to
| attack, but if an attack goes thru it would also make it harder
| to clean up the attack?
| jsty wrote:
| If you're going against an adversary capable and willing to
| drop multiple zero days to breach you, let alone 11, I wouldn't
| wager much on a simple system wipe getting you back to a good
| state (iOS or not).
|
| Given the price of iOS devices vs good security consultant
| hourlies, the easiest and most effective clean-up for a few
| devices is likely just starting over.
| saurik wrote:
| A full reinstall of iOS--done by putting the device into DRU
| mode and then entirely re-imaging it over USB with iTunes from
| a firmware image--really does reinstall everything on the
| system that can possibly be changed by anyone (like, excepting
| code that is so fixed it isn't upgradeable even by Apple)... if
| anything you sometimes get some settings left around in awkward
| places for some of the lower-level components (that maybe could
| be used to smuggle intent or even attacks across the
| reinstall). iOS is actually really _really_ good about this in
| comparison to a lot of other devices.
| saurik wrote:
| DRU -> DFU (typo :()
| corty wrote:
| Reinstalling everything from scratch is a good start, but
| persistence of an exploit can easily be achieved through most
| data backups. Nobody wants to part with their important Word
| and Excel files, so those will get restored onto the fresh
| machine, carrying all the usual embedded macro nasties that an
| attacker planted there.
|
| Of course you can try to be diligent and skip everything that
| is potentially a problem, but it is even harder than
| reinstalling and the data you are dropping is usually more
| valuable than the OS installation.
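As an added illustration of the point above about macros riding back in through restored documents (example code written for this edit, not anything posted in the thread or from the Ars Technica article): a standard-library-only Python scan that classifies Office containers by content, not extension, before a restore. The sample backup it builds is constructed in a temporary directory; the legacy-OLE check is only a header check (assumption: parsing VBA streams inside old .doc/.xls files is out of scope here), so those files are flagged for manual review rather than cleared.

```python
"""Scan a backup tree for Office documents that carry VBA macros before restoring."""
from __future__ import annotations

import os
import tempfile
import zipfile
from dataclasses import dataclass

# Magic bytes of the legacy OLE2 compound file (.doc/.xls/.ppt). Macros in these
# live in an OLE stream, which the standard library cannot enumerate.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML extensions whose specification says "no macros": a VBA part inside one
# of these is an extension/content mismatch worth a second look.
MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx", ".dotx", ".xltx", ".potx"}


@dataclass
class Finding:
    path: str
    verdict: str  # "macro", "legacy-ole" or "clean"
    detail: str


def classify_office_file(path: str) -> Finding | None:
    """Classify one file by content. Returns None for files that are neither
    OOXML zips nor OLE containers (plain text, images, ...)."""
    with open(path, "rb") as fh:
        head = fh.read(len(OLE_MAGIC))
    if head == OLE_MAGIC:
        return Finding(path, "legacy-ole",
                       "binary OLE container; macros cannot be ruled out here, quarantine for review")
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
    # OOXML stores VBA code in a vbaProject.bin part (under word/, xl/ or ppt/).
    macro_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if not macro_parts:
        return Finding(path, "clean", "OOXML without a VBA project part")
    detail = "contains " + ", ".join(macro_parts)
    if os.path.splitext(path)[1].lower() in MACRO_FREE_EXTS:
        detail += " (extension claims macro-free: content mismatch)"
    return Finding(path, "macro", detail)


def scan_backup(root: str) -> list[Finding]:
    """Walk a backup tree and classify every Office container found in it."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            finding = classify_office_file(os.path.join(dirpath, name))
            if finding is not None:
                findings.append(finding)
    return findings


def summarize(findings: list[Finding]) -> dict[str, str]:
    """Map file basename -> verdict, convenient for reporting."""
    return {os.path.basename(f.path): f.verdict for f in findings}


# --- constructed sample backup (not real user data) -------------------------

def _write_ooxml(path: str, parts: dict[str, bytes | str]) -> None:
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, data in parts.items():
            zf.writestr(name, data)


def build_constructed_backup() -> str:
    """Create a throwaway directory with four constructed Office files and one text file."""
    docs = os.path.join(tempfile.mkdtemp(prefix="backup-"), "Documents")
    os.makedirs(docs)
    _write_ooxml(os.path.join(docs, "report.docx"), {"word/document.xml": "<w:document/>"})
    _write_ooxml(os.path.join(docs, "invoice.xlsm"),
                 {"xl/workbook.xml": "<workbook/>", "xl/vbaProject.bin": b"\x00constructed"})
    _write_ooxml(os.path.join(docs, "memo.docx"),
                 {"word/document.xml": "<w:document/>", "word/vbaProject.bin": b"\x00constructed"})
    with open(os.path.join(docs, "old_budget.xls"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 64)  # header only: enough to trip the OLE check
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("plain text, never an Office container\n")
    return os.path.dirname(docs)


if __name__ == "__main__":
    for f in scan_backup(build_constructed_backup()):
        print(f"{f.verdict:10} {os.path.basename(f.path)}: {f.detail}")
```

Run it against the root of a backup before copying files onto a freshly installed machine; anything with verdict "macro" or "legacy-ole" goes into a quarantine folder for review instead of straight back into the user's Documents. Checking the zip contents rather than trusting the extension is what catches a macro part hidden in a file renamed to .docx.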
| pabs3 wrote:
| There is a bootrom exploit called checkm8 (and corresponding
| jailbreak called checkra1n) for some iOS devices, you could
| exploit that, which lets you run code before any possible
| malware, then use that code to wipe the device and reinstall
| iOS, although I expect it would be hard to obtain a pristine
| copy of all the firmware in all the parts of the SoC.
|
| https://checkra.in/
| cyberpunk wrote:
| Maybe a better link:
| https://googleprojectzero.blogspot.com/2021/03/in-wild-serie...
| strogonoff wrote:
| It seems that a watering hole attack by definition targets users
| of a particular organization, but articles on this event make no
| mention of which organizations that would be, sounding like it
| affects the general public. Wondering who should be worried.
|
| Related: can the community recommend some forums, periodic
| publications or other sources that aggregate information security
| news?
| gerdesj wrote:
| "can community recommend some forums"
|
| Keep an eye on r/sysadmin on Reddit.
| strogonoff wrote:
| Thanks!
| [deleted]
| molsongolden wrote:
| Risky.biz podcast
|
| r/netsec
| choeger wrote:
| I said this once and I'll say it again: To counter such threats
| we need a healthy heterogeneous ecosystem. According to the
| article, the attack would have been prevented by using Firefox,
| (because it relied on a Chrome CVE). It also did not work on
| Linux and presumably not on Apple's ARM CPUs.
|
| But unfortunately we don't get exponential security. Normally,
| one would expect that n variables (Browser, OS, CPU architecture)
| with three choices each should give you 3^n required exploits to
| cover all combinations.
|
| But unfortunately, n is rather small nowadays, the number of
| choices shrinks every year, and (even more worrying) the attack
| vectors compose extremely well so you actually just need 3n
| exploits.
|
| So I am a little bit at a loss here how we can make such attacks
| non-economical again.
| sdeep27 wrote:
| > how we can make such attacks non-economical again
|
| Does it say how they monetized these attacks? Or how would you
| expect?
| arnaudsm wrote:
| Exactly how biodiversity protects us from diseases.
| foolmeonce wrote:
| But this is reversed for a watering hole bug against an
| organization. They only needed to get into one stack one
| member of the org uses and stay. Their reason for releasing
| multiple chains of attack at once instead of whenever their
| current attack is patched is unclear unless they want to get
| into multiple organizations where some avoid a diversity of
| exploitable software.
| wdr1 wrote:
| > I said this once and I'll say it again: To counter such
| threats we need a healthy heterogeneous ecosystem.
|
| How does that balance against the threat of each
| platform/ecosystem having its own variants of security issues?
| enkid wrote:
| But these are attacks that worked across multiple systems.
| Heterogeneity is going to lead to more systems with less
| overall security work being done per system. Sure, using
| Firefox would have prevented the attacks we know about, but
| who's to say Google found all of the attacks. They exploit
| Chrome, Samsung browser, Windows, Android, iOS, and Safari. It
| seems silly to say "if we had one more, it would have stopped
| them."
| caslon wrote:
| > They exploit Chrome, Samsung browser, Windows, Android,
| iOS, and Safari. It seems silly to say "if we had one more,
| it would have stopped them."
|
| Samsung's browser and Chrome share 100% of attack surface;
| Safari and Chrome share likely near 70%. Windows and Android
| have Chrome built-in at the OS layer, iOS has Safari built in
| at the OS layer.
|
| In this case, something like Firefox which shares much less
| attack surface _would in fact solve the problem, because the
| problem is that other things have Chrome at the OS-level._
| [deleted]
| modeless wrote:
| > Safari and Chrome share likely near 70%
|
| This is wrong. I'd say it's more like 5%. Blink forked from
| WebKit 7 years ago and development has been very active on
| both sides since then. And probably the majority of the
| attack surface is outside Blink/WebKit proper to start with
| (e.g. JS engine, font libraries, media decoding,
| networking, etc).
| lozaning wrote:
| >Windows and Android have Chrome built-in at the OS layer
|
| How is Chrome built into Windows at the OS layer? Wouldn't
| that be IE or Edge?
| kitsunesoba wrote:
| Edge is now Chromium based and soon Edge-Chromium
| webviews will ship with the OS. The old IE/Edge webviews
| will remain for legacy but they'll eventually get
| stripped.
| Alterlife wrote:
| > Edge
|
| I think that's OP's point. Edge uses chromium.
| macspoofing wrote:
| >To counter such threats we need a healthy heterogeneous
| ecosystem.
|
| And how do you get that?
|
| >But unfortunately, n is rather small nowadays, the number of
| choices shrinks every year, and -even more worrying- the attack
| vectors compose extremely well so you actually just need 3n
| exploits.
|
| Let me tell you about the early-to-mid 2000s. Now that was a time
| of very low 'n'. Compared to then, we live in a heterogeneous
| nirvana.
| dmos62 wrote:
| Diversity is a sign of health in an ecosystem. But, increasing
| diversity directly isn't really viable. Question is, why is
| diversity low?
|
| In my opinion, Web, OSes and CPUs suffer from being overly
| complicated, closed-source ridden, non-modular systems-within-
| systems. Basically, the opposite of what the Unix philosophy
| advocates.
| qrbLPHiKpiux wrote:
| Diversity is low because of the massive amounts of capital
| Google has. Both in terms of money and power.
| dmos62 wrote:
| If a Web browser were easier to implement, we would have
| more than ~3 well maintained engines. In other words, why
| should Web require massive amounts of capital?
| EVa5I7bHFq9mnYK wrote:
| Feature creep. Everyone wants to leave a footprint in the
| world. Same thing with legislation.
| zzo38computer wrote:
| I agree. They are too complicated. Some more work toward
| making a better one will be helpful.
|
| Protocols and instruction sets etc will need to be not too
| complicated, in addition to being open source and fully
| documented.
| tedunangst wrote:
| Pretty sure the iOS exploits worked on Apple CPUs.
| donatj wrote:
| The scare quotes in the title read as sarcasm but they clearly
| didn't intend them as such. An odd choice as I almost overlooked
| the article assuming it was a tale of some failed hackers.
| ChrisSD wrote:
| The author uses quotes as actual quotes instead of as scare
| quotes. I'm not a fan of "scare" quotes so I'd be very pleased
| if other journalists did the same even if it takes some getting
| used to.
| egeozcan wrote:
| I use "(!)" when I mean sarcasm:
|
| > Expert (!) hackers used...
|
| I hope then it's clear they are not experts really and when I
| say "experts" it's clear that I'm just quoting.
| justusthane wrote:
| I would not understand that you were using that to indicate
| sarcasm--I would think you were emphasizing the fact that
| they're experts. I also don't think that usage is in any
| style guide, so you're not going to see journalists doing
| it.
|
| On the other hand, using quotation marks to indicate
| sarcasm or irony is normal use and is in style guides.
|
| You just have to rely on context to differentiate. The
| headline of the linked article is pretty ambiguous and like
| GP I read them as sarcasm. I think it was a poor choice to
| include them at all in this case--they don't add anything
| to the headline.
| egeozcan wrote:
| I don't know why I started using it but it's in wiktionary
| so everyone should (!) understand it:
| https://en.wiktionary.org/wiki/(!)
|
| I don't know why I started using it but it's in wiktionary
| so "everyone should" understand it:
| https://en.wiktionary.org/wiki/(!)
|
| I guess, as you also mentioned, without enough context
| around it, both are hard to understand.
| egeozcan wrote:
| corrected link https://en.wiktionary.org/wiki/%28%21%29
| kjakm wrote:
| It's surrounded by quotation marks...because it's a quotation.
| Pretty standard. I'd estimate about half the headlines I see on
| the BBC News website these days have one or two words in
| quotes. It seems to allow them to create a clickbaity headline
| while not being inaccurate.
| gtirloni wrote:
| Are scare quotes the only type of quotes these days? I remember
| in school we were taught they could be used for emphasis.
| Number157 wrote:
| Seems like it. The media tend to use quotes to emphasize that
| the thing they are writing is not something they believe.
|
| X is dangerous VS X is "dangerous"
|
| The implication is true vs not true.
___________________________________________________________________
(page generated 2021-03-19 23:02 UTC)