iOS 14.8, iPadOS 14.8 tighten security, close off 'Blastdoor' attacks
Apple's update to iOS 14.8 and iPadOS 14.8 introduce fixes to two vulnerabilities, including one that enabled attacks that worked around Apple's Blastdoor protective system.
Monday's release of iOS 14.8 and iPadOS 14.8 to the public was unexpected and lacked any betas ahead of being issued. Apple described the patches as providing "important security updates and is recommended for all users."
Shortly after the release, Apple published the security content changes included in iOS 14.8 and iPadOS 14.8. The two fixes related to the CoreGraphics and WebKit sections of both operating systems.
Both updates state the impact of the vulnerabilities was that the processing of a "maliciously crafted" PDF file or web content "may lead to arbitrary code execution." Apple "is aware of a report that this issue may have been actively exploited."
The CoreGraphics patch is listed as issue CVE-2021-30860, reported by The Citizen Lab, while "an anonymous researcher" reported CVE-2021-30858, affecting WebKit.
The updates fix issues that allowed an attacker to bypass Apple's BlastDoor security sandbox, a system used to stop malicious code execution in Messages.
Following initial reporting on the Pegasus hacking tool in July, a second report by Citizen Lab in August revealed the vulnerability in iMessage, which allowed Pegasus to be installed on a target iPhone. The hack and the use of Pegasus is believed to have been performed on devices owned by journalists and human rights activists.
Update: After the iOS 14.8 update went live, Citizen Lab published a report about a zero-click exploit leveraging the CVE-2021-30860 vulnerability. According to Citizen Lab, the exploit appears to have been developed by NSO Group and was discovered when it actively targeted the smartphone of at least one Saudi activist. The exploit, which targeted Apple's image rendering library, was used to distribute the Pegasus spyware on affected devices.
Read on AppleInsider
Monday's release of iOS 14.8 and iPadOS 14.8 to the public was unexpected and lacked any betas ahead of being issued. Apple described the patches as providing "important security updates and is recommended for all users."
Shortly after the release, Apple published the security content changes included in iOS 14.8 and iPadOS 14.8. The two fixes related to the CoreGraphics and WebKit sections of both operating systems.
Both updates state the impact of the vulnerabilities was that the processing of a "maliciously crafted" PDF file or web content "may lead to arbitrary code execution." Apple "is aware of a report that this issue may have been actively exploited."
The CoreGraphics patch is listed as issue CVE-2021-30860, reported by The Citizen Lab, while "an anonymous researcher" reported CVE-2021-30858, affecting WebKit.
The updates fix issues that allowed an attacker to bypass Apple's BlastDoor security sandbox, a system used to stop malicious code execution in Messages.
Following initial reporting on the Pegasus hacking tool in July, a second report by Citizen Lab in August revealed the vulnerability in iMessage, which allowed Pegasus to be installed on a target iPhone. The hack and the use of Pegasus is believed to have been performed on devices owned by journalists and human rights activists.
Update: After the iOS 14.8 update went live, Citizen Lab published a report about a zero-click exploit leveraging the CVE-2021-30860 vulnerability. According to Citizen Lab, the exploit appears to have been developed by NSO Group and was discovered when it actively targeted the smartphone of at least one Saudi activist. The exploit, which targeted Apple's image rendering library, was used to distribute the Pegasus spyware on affected devices.
Read on AppleInsider
Comments
Cyber arms dealer exploits new iPhone software vulnerability, affecting most versions, say researchers
https://reut.rs/3tDEWTj
Apple researched it and found a fix to a problem that does not appear to be easily found and issued the fix. What more could you ask for?
http://www.stilldrinking.org/programming-sucks
¯\_(ツ)_/¯
it’s easier to test how something is defined to work. You have to know to write the test to begin with. Date ranges are an example. If a date is supposed to fall within a small range (lets say a week), testing the positive space is not too bad (7 days), but testing the complete negative space is impossible. An assumption can be made here, and that is to check just a few at the bounds, but how do you KNOW it will work for all cases if they aren’t all tested?
Integration tests are harder, because you can’t always tell how 1 or likely many many more components may fail in every way they work together. Again, its easier to check the defined paths, but each time you add a new component into the mix, there’s an exponential risk of some behavior not working as expected.