Security Week 51: vulnerabilities in iOS and Intel processors

On December 10, Apple released a large set of patches for macOS, iOS (including iPadOS) and watchOS. Perhaps the most dangerous of the closed bugs was the FaceTime vulnerability, affecting all Apple mobile devices starting with the iPhone 6s and iPad Air 2. As with the recently discovered vulnerability in WhatsApp, the problem was found in the code that processes incoming video files: a malicious video could lead to execution of arbitrary code. Vulnerability CVE-2019-8830 was discovered by Natalie Silvanovich, a researcher on the Google Project Zero team; last year she wrote in detail about the security of instant messengers, including FaceTime (a good starting point is her article from a year ago with examples of previously discovered vulnerabilities in the application).

Another vulnerability was discovered by researcher Kishan Bagaria: he found that continuously sending documents to nearby Apple devices leads to a denial of service. For this to work, the iPad or iPhone must be configured to accept files through the AirDrop mechanism from anyone (not just from users in your contact list). The bug was predictably named AirDoS. The essence is that an incoming file request must be either accepted or rejected, and until this is done the other controls on the mobile device are unavailable. If requests are sent constantly, the tablet or smartphone is effectively inoperable. The bug was closed in iOS 13.3 by introducing a limit on the number of attempts: if you reject a request three times in a row, all subsequent attempts to send a file from the same device are blocked automatically.
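The mitigation described above, modelled as an added example (this is not Apple's code; the sender identifiers, the `ShareRequestGate` class and the threshold constant are assumptions made for the illustration). It shows why the unbounded case is a denial of service and how a per-sender consecutive-rejection counter, reset by an accept, stops the flood after the third rejected prompt:

```python
"""Consecutive-rejection limiter for incoming share requests.

Added illustration, not Apple's implementation: models the iOS 13.3 AirDoS
mitigation. A sender whose requests are rejected three times in a row is
blocked automatically, so further prompts never reach the user. Sender IDs
and the threshold value are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

REJECT_THRESHOLD = 3  # consecutive rejections before auto-block (per the article)


@dataclass
class ShareRequestGate:
    # threshold=None reproduces the unpatched behaviour: every request prompts the user
    threshold: Optional[int] = REJECT_THRESHOLD
    _rejections: Dict[str, int] = field(default_factory=dict)  # consecutive rejections per sender
    _blocked: Set[str] = field(default_factory=set)

    def is_blocked(self, sender_id: str) -> bool:
        return sender_id in self._blocked

    def should_prompt(self, sender_id: str) -> bool:
        """True if the UI must show the accept/reject dialog, False if the request is dropped."""
        return sender_id not in self._blocked

    def record_decision(self, sender_id: str, accepted: bool) -> None:
        """Record the user's choice; an accept resets the consecutive-rejection count."""
        if accepted:
            self._rejections[sender_id] = 0
            return
        count = self._rejections.get(sender_id, 0) + 1
        self._rejections[sender_id] = count
        if self.threshold is not None and count >= self.threshold:
            self._blocked.add(sender_id)


def simulate_flood(gate: ShareRequestGate, sender_id: str, attempts: int) -> int:
    """Simulate a sender spamming `attempts` requests that the user rejects every time.
    Returns how many modal prompts the user actually had to deal with."""
    prompts = 0
    for _ in range(attempts):
        if gate.should_prompt(sender_id):
            prompts += 1
            gate.record_decision(sender_id, accepted=False)
    return prompts


if __name__ == "__main__":
    unpatched = ShareRequestGate(threshold=None)
    patched = ShareRequestGate()
    print("unpatched prompts:", simulate_flood(unpatched, "device-A", 1000))  # 1000
    print("patched prompts:", simulate_flood(patched, "device-A", 1000))      # 3
```

The counter is keyed per sender and reset only by an accept, so a legitimate contact who is occasionally refused is never locked out, while a flooding device is silenced after the third rejection.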

An interesting bug was discovered and closed in Intel processors (news, manufacturer's bulletin, vulnerability site). Researchers from universities in Austria, Belgium and the UK found a way to compromise the Software Guard Extensions mechanism, which provides additional protection for critical data, such as encryption keys, by isolating it from other processes in the system. The attack method is non-trivial: modification of the processor registers responsible for power management. Normally these registers are used to raise performance or to save additional energy beyond the standard processor settings.

The researchers showed that a significant decrease in voltage (for example, -232 mV for the Core i3-7100U processor or -195 mV for the Core i7-8650U) applied at the right moment causes SGX to malfunction and corrupt data. Where such corruption occurs, an opportunity opens up to gain access to data that is otherwise inaccessible. As an example, the experts demonstrated the extraction of encryption keys used by the RSA and AES algorithms.

As is usually the case with attacks of this type, selecting the correct voltage and the right moment to change the parameters is not easy. In addition, although a real attack of this kind can be performed remotely (which is uncharacteristic of hardware vulnerabilities), it requires full access to the operating system; otherwise the processor parameters cannot be reached. Closing the vulnerability in this case means updating the microcode, which still has to reach real devices (all Intel Core consumer processors from the sixth generation onward are affected, as well as some Xeon models) in the form of a BIOS update.

Kaspersky Lab has published a full report (available after registration; a brief overview is in this news item) on cyber threats for 2019. Of particular interest in the report is the list of vulnerabilities that are actually used in malware. Unlike theoretical vulnerabilities, these pose a concrete threat and require immediate software updates. For the most commonly exploited bugs, however, updates have been available for more than a year. At the top of the list are two vulnerabilities in the Microsoft Office Equation Editor, CVE-2017-11882 and CVE-2018-0802. The five most commonly used bugs all relate to Microsoft Office. An example of a fresh vulnerability is CVE-2019-0797, discovered in March, which at that time was already being exploited in malicious attacks.

What else happened:

Critical vulnerabilities were discovered in two WordPress add-ons: Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor. To exploit them, one only needs to know the e-mail address of the site administrator.

Another zero-day vulnerability in Windows (from 7 to 10, and in Windows Server from 2008 onward) was closed by the December patch. The bug was found in the win32k.sys system library, which also contained the previously mentioned vulnerability CVE-2019-0797.

In the new version of Google Chrome, 79, two critical vulnerabilities were closed, and at the same time a built-in warning about the use of compromised login/password pairs appeared. This option was previously available as an extension.
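To show what a compromised-credential warning like the one above has to achieve, here is an added example of the k-anonymity hash-prefix pattern such checks are commonly built on. This is an illustration, not Chrome's or any vendor's implementation (Chrome's actual protocol additionally blinds the hash); the `credential_hash`, `server_lookup` and `is_compromised` functions, the five-character prefix length and the breach corpus are all constructed for the example. The point it demonstrates is that the client never sends the full credential, only a short hash prefix, and finishes the match locally:

```python
"""Privacy-preserving check of a login/password pair against a breach corpus.

Added illustration of the k-anonymity hash-prefix pattern; not Chrome's code.
Client sends only a short hash prefix, the server returns every suffix filed
under that prefix, and the client completes the comparison itself, so the
full credential never leaves the device. The breach corpus is sample data
constructed for this example.
"""
import hashlib
from typing import List, Tuple

PREFIX_LEN = 5  # hex characters (20 bits) of the hash disclosed to the server


def credential_hash(username: str, password: str) -> str:
    """Hash the pair, not just the password, so a hit means this exact login is leaked.
    The username is lower-cased because most services treat it case-insensitively."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).hexdigest()


# Constructed breach corpus standing in for a leaked-credentials service.
_BREACHED = {
    credential_hash(u, p)
    for u, p in [("alice@example.com", "hunter2"), ("bob@example.com", "Password1")]
}


def server_lookup(prefix: str) -> List[str]:
    """Server side: learns only the prefix and returns all suffixes filed under it."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly PREFIX_LEN hex characters")
    return sorted(h[PREFIX_LEN:] for h in _BREACHED if h.startswith(prefix))


def split_for_query(username: str, password: str) -> Tuple[str, str]:
    """Client side: the part sent over the network (prefix) and the part kept local (suffix)."""
    h = credential_hash(username, password)
    return h[:PREFIX_LEN], h[PREFIX_LEN:]


def is_compromised(username: str, password: str) -> bool:
    """Client side: query by prefix, then match the retained suffix locally."""
    prefix, suffix = split_for_query(username, password)
    return suffix in server_lookup(prefix)


if __name__ == "__main__":
    for user, pw in [("alice@example.com", "hunter2"), ("alice@example.com", "correct horse")]:
        print(user, "->", "warn: known-leaked pair" if is_compromised(user, pw) else "ok")
```

Because the server sees only a 20-bit prefix, each query is indistinguishable from roughly one in a million possible credential hashes, which is what makes a warning feature like this acceptable to ship on by default.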

14 critical vulnerabilities were closed in Adobe Reader and Adobe Acrobat, plus two vulnerabilities in Adobe Photoshop that lead to the execution of arbitrary code.

Firefox add-on developers are now required to use two-factor authentication. In this way, Mozilla is trying to reduce the risk of supply-chain attacks: in this case, the scenario in mind is one where malicious code is inserted into a legitimate extension after the developer's computer has been compromised.
