Security Week 18: text bomb for iOS
Last week, a way to disable Apple mobile devices with a single message was discovered in iOS (news). iOS mishandles at least one character of Sindhi, one of the official languages of Pakistan, that is included in the Unicode standard. When such a character is rendered on a phone or tablet, failures of varying severity occur; in the worst case the device has to be rebooted. The message containing the problem character has to be displayed on screen, in a social network client or a messenger, but the crash is also triggered when a notification is shown, if message previews are enabled. In other words, after a reboot you can run straight into the same application or system crash again if someone is determined to keep targeting you.
The discoverer of the text bomb is unknown. In the iPhone jailbreak community on Reddit, a homemade patch for the problem was posted, with a reference to messages on Twitter (as in the screenshot at the beginning of the digest) that circulated last week, for some reason with an Italian flag added to the Sindhi character. The flag plays no part in triggering the bug. To avoid mass trolling, posting the character itself was strictly forbidden in that community. The character code can be seen in the source of the patch for jailbroken iPhones. We will not publish it here and advise against doing so: it is not funny. This is a bug, not a vulnerability: the crashes do not lead to code execution, or at least there have been no reports of that. The problem is fixed in the current iOS beta, but until the update is officially released, a wave of mischief on social networks and in messengers is likely.
The iOS 13.4.5 beta also closes two bugs in the Apple Mail client (news). According to the ZecOps team, both vulnerabilities lead to data leakage from the mail client when a specially crafted message is opened. ZecOps claims that even the old iOS 6 is affected, and that the vulnerabilities have been exploited by unnamed attackers in the wild since 2018. Apple, however, believes there have been no active attacks: “There is no immediate threat to users.”
If the iOS text bomb is merely annoying, what about a malicious GIF that lets an attacker hijack your account in the Microsoft Teams service? This vulnerability was discovered by CyberArk (news, study). The researchers found the weak point not in image processing but in the mechanism that tracks who shared what on this collaboration platform. Because Microsoft Teams can integrate a cloud service, private corporate servers, and software on users’ computers, a rather complicated image-attribution system was needed, one that passes around tokens identifying the user. Add to this two Microsoft subdomains whose traffic could, in theory, be diverted to an attacker through a subdomain takeover, and we get the following scenario. You send the prepared GIF to a user. The image is registered with the service, and the user’s tokens are sent to the *.microsoft.com subdomain. The attacker redirects traffic for that subdomain to themselves and receives the token. With those authorization tokens, the attacker can access the cloud service API on behalf of the affected user and obtain various private information about the company’s internal structure.
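Two conditions had to line up in the Teams scenario above: a hostname under a trusted parent domain whose CNAME target had been abandoned, and a token scoped broadly enough that the client would send it to that hostname. The audit below, an added example and not CyberArk’s or Microsoft’s code, flags dangling CNAMEs in a zone and shows how token scope decides whether a token would leak to them; the zone, targets and addresses are constructed placeholders, and the resolver is injected so the sample runs offline.

```python
"""Subdomain-takeover exposure audit (constructed example)."""
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed sample zone {hostname: CNAME target}; not real infrastructure.
SAMPLE_ZONE: Dict[str, str] = {
    "shop.example.com": "shop-prod.cloudhost.example",
    "beta.example.com": "old-beta.cloudhost.example",   # target decommissioned
    "docs.example.com": "docs-site.cloudhost.example",
}
# Constructed answers for the offline resolver; anything else is NXDOMAIN.
LIVE_TARGETS = {"shop-prod.cloudhost.example": "203.0.113.10",
                "docs-site.cloudhost.example": "203.0.113.11"}


def offline_resolver(target: str) -> Optional[str]:
    """Stand-in for an A-record lookup over the constructed data."""
    return LIVE_TARGETS.get(target)


def live_resolver(target: str) -> Optional[str]:
    """Real lookup for auditing an actual zone; None when resolution fails."""
    try:
        return socket.gethostbyname(target)
    except socket.gaierror:
        return None


def find_dangling_cnames(zone: Dict[str, str], resolve: Resolver) -> List[str]:
    """Hostnames whose CNAME target no longer resolves: takeover candidates."""
    return [name for name, target in sorted(zone.items()) if resolve(target) is None]


def token_reaches(host: str, token_scope: str) -> bool:
    """Would a token scoped to `token_scope` be sent to `host`?
    An exact-host scope matches only that host; a leading dot means the whole
    parent domain, so every subdomain receives it, takeover victims included."""
    if token_scope.startswith("."):
        return host == token_scope[1:] or host.endswith(token_scope)
    return host == token_scope


def exposed_hosts(zone: Dict[str, str], token_scope: str, resolve: Resolver) -> List[str]:
    """Dangling hostnames to which a token with the given scope would still leak."""
    return [h for h in find_dangling_cnames(zone, resolve) if token_reaches(h, token_scope)]


if __name__ == "__main__":
    print(exposed_hosts(SAMPLE_ZONE, ".example.com", offline_resolver))     # ['beta.example.com']
    print(exposed_hosts(SAMPLE_ZONE, "shop.example.com", offline_resolver))  # []
```

Narrowing the token scope to the exact host that needs it removes the exposure even while the dangling record still exists; removing the stale CNAME closes the takeover path itself.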