
Apple security and privacy

Channels
Apple, Security

Ric Ford

MacInTouch
Ars Technica just posted an article about Apple disputing that the iPhone Mail bug found by ZecOps provides an exploit:
ZecOps responded to Apple's claim (as noted at the end of the article):
Ars Technica said:
That no-click iOS 0-day reported to be under exploit doesn’t exist, Apple says
ZecOps said:
According to ZecOps data, there were triggers in-the-wild for this vulnerability on a few organizations. We want to thank Apple for working on a patch, and we’re looking forward to updating our devices once it’s available. ZecOps will release more information and POCs [proofs of concepts] once a patch is available.
ZecOps said that based on the data collected on iPhones it believes were exploited, company researchers were able to write a proof-of-concept exploit that took full control of fully updated devices. ZecOps has declined to publish the exploit or other data until Apple releases a fix for the bug. Apple has already released the patch for a beta version of the upcoming 13.4.5, and as Thursday night’s statement said, the company plans to make it generally available soon.
 


Ric Ford

MacInTouch
Here's more detailed discussion and a workaround for the CaptureTheFlag poison text message:
Graham Cluley said:
Text ‘bomb’ crashes iPhones, iPads, Macs and Apple Watches – what...
The problem occurs most irritatingly when your device attempts to display a message notification. If you have configured your iPhone, for instance, to display a new message notification which includes a preview of the message, then iOS fails to properly render the characters and crashes with unpredictable results.
Softpedia said:
How to Block the Latest Text Bomb on an iPhone
... So in just a few words, the bug is triggered by the message preview feature on your iPhone. When the message is received, the preview that you see on the screen contains the said text. And because iOS fails to correctly render the characters, it encounters a fatal error.

In other words, what you can do to make sure the bug doesn’t hit your device is prevent your iPhone from failing to read the weird character combination. And to do this, you need to disable the message previews. There are two ways to do this, and we’ll call them the easy way and the hard way.
 


I guess we'll have to wait and see. Apple has been releasing updates quietly for iOS 12 along with iOS 13 recently, and Apple even released an update for iOS 9 back in July.
True, but they only allowed those updates to devices for which the maximum supported OS was that version - if you had a fairly recent device that supported iOS 13, but wanted to stick to iOS 12 because of 13's bugginess, you had no choice but to upgrade to 13 to get those security fixes.
 


Ric Ford

MacInTouch
People might sometimes wonder why this forum doesn't offer/encourage image uploads. Here's Exhibit A:
ZDNet said:
Google discloses zero-click bugs impacting several Apple operating systems
In a report published today, Project Zero, Google's elite bug-hunting team, said they looked at one of Apple's multimedia processing components, which is most likely to be an attractive attack surface for any threat actor needing a way to silently hack an Apple user.

More specifically, Project Zero researchers looked at Image I/O, a framework that's built into all Apple operating systems and is tasked with parsing and working with image files.

The framework ships with iOS, macOS, tvOS, and watchOS, and most apps running on these operating systems rely on it to process image metadata.

Because of its central role all over the Apple app ecosystem, Image I/O is a dangerous attack surface that inherently enables a zero-click intrusion vector for any attacker, and needs to be as secure as possible against exploits.
We're looking at zero-click compromise of Apple operating systems (and other OSes) via vulnerabilities in image processing...

And just think how easy it would be for malvertising to use that trick...
 



I've often wondered about that, since there are times when screenshots would be helpful. But I was unaware of this type of attack "surface." Strange word to use for this, but I understand it.
 


Ric Ford

MacInTouch
I've often wondered about that, since there are times when screenshots would be helpful.
People are certainly welcome to host images anywhere else on the Web (e.g. Dropbox, Imgur, iCloud, whatever). If we're lucky, some of those hosts might check images for malware, but it's not something I have the resources to do on MacInTouch. (I also think that running antivirus software is probably a good idea, considering the issues.)
 



Ric Ford

MacInTouch
On top of the zero-click Apple security holes, here's a stunning zero-day, and Apple's patch hasn't quite arrived yet....
Siguza said:
psychicpaper
Yesterday Apple released iOS 13.5 beta 3 (seemingly renaming iOS 13.4.5 to 13.5 there), and that killed one of my bugs. It wasn’t just any bug though, it was the first 0day I had ever found. And it was probably also the best one. Not necessarily for how much it gives you, but certainly for how much I’ve used it for, and also for how ridiculously simple it is. So simple, in fact, that the PoC I tweeted out looks like an absolute joke. But it’s 100% real.

I dubbed it “psychic paper” because, just like the item by that name that Doctor Who likes to carry, it allows you get past security checks and make others believe you have a wide range of credentials that you shouldn’t have.
Bruce Schneier said:
iOS XML Bug - Schneier on Security
... Basically, it comes down to this:
  • XML is terrible.
  • iOS uses XML for Plists, and Plists are used everywhere in iOS (and MacOS).
  • iOS's sandboxing system depends upon three different XML parsers, which interpret slightly invalid XML input in slightly different ways.
So Siguza's exploit -- which granted an app full access to the entire file system, and more...
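The three-parser problem Schneier summarizes is a parser differential: the same document means different things to different parsers, and the check that gates a privilege is only as strict as the most lenient of them. The defensive pattern is to fail closed, accepting an entitlements-style plist only when a deliberately strict structural parse succeeds and an independent parser agrees with it. The following Python is an added illustration of that pattern, not code from Siguza's write-up, Schneier's post, or Apple; it uses Python's own plistlib as the "lenient" parser and a hand-written ElementTree walk as the strict one (nothing here models Apple's parsers), and the entitlement keys and both sample documents are constructed for the example.

```python
import plistlib
import xml.etree.ElementTree as ET
from xml.parsers.expat import ExpatError

# Constructed sample inputs (not from the thread); the entitlement keys are hypothetical.
WELL_FORMED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.example.sample-entitlement</key>
    <true/>
    <key>com.example.team-id</key>
    <string>EXAMPLE123</string>
</dict>
</plist>
"""

# Structurally ambiguous: two top-level <dict> elements. A lenient parser quietly keeps one of
# them (in the CPython versions I have checked, plistlib keeps the last; treat that as an assumption).
AMBIGUOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.example.sample-entitlement</key>
    <false/>
</dict>
<dict>
    <key>com.example.sample-entitlement</key>
    <true/>
</dict>
</plist>
"""


def _strict_value(el):
    """Convert one value element, rejecting anything outside a small whitelist of shapes."""
    if (el.tail or "").strip():
        raise ValueError(f"stray text after <{el.tag}>")
    if el.tag == "dict":
        return _strict_dict(el)
    if el.tag == "array":
        if (el.text or "").strip():
            raise ValueError("stray text inside <array>")
        return [_strict_value(c) for c in el]
    if len(el):
        raise ValueError(f"unexpected child elements inside <{el.tag}>")
    if el.tag in ("true", "false"):
        if (el.text or "").strip():
            raise ValueError(f"<{el.tag}> must be empty")
        return el.tag == "true"
    if el.tag == "string":
        return el.text or ""
    if el.tag == "integer":
        return int((el.text or "").strip())
    raise ValueError(f"unsupported element <{el.tag}>")


def _strict_dict(el):
    """A <dict> must be an exact alternation of <key>/value pairs with unique keys."""
    if (el.text or "").strip():
        raise ValueError("stray text inside <dict>")
    children = list(el)
    if len(children) % 2:
        raise ValueError("<dict> has a <key> without a value")
    out = {}
    for key_el, val_el in zip(children[0::2], children[1::2]):
        if key_el.tag != "key" or len(key_el) or (key_el.tail or "").strip():
            raise ValueError("expected a plain <key> element")
        key = key_el.text or ""
        if key in out:
            raise ValueError(f"duplicate key {key!r}")
        out[key] = _strict_value(val_el)
    return out


def strict_parse(data: bytes) -> dict:
    """Strict parse: exactly one <plist> root holding exactly one <dict>; anything else is an error."""
    root = ET.fromstring(data)
    if root.tag != "plist":
        raise ValueError("root element is not <plist>")
    if (root.text or "").strip():
        raise ValueError("stray text inside <plist>")
    children = list(root)
    if len(children) != 1 or children[0].tag != "dict":
        raise ValueError(f"expected exactly one top-level <dict>, found {len(children)} children")
    return _strict_dict(children[0])


def lenient_parse(data: bytes) -> dict:
    """The stdlib parser, standing in for any lenient parser in the chain."""
    return plistlib.loads(data)


def validate_entitlements(data: bytes) -> dict:
    """Fail closed: accept only when the strict parse succeeds and the lenient parser agrees with it."""
    strict = strict_parse(data)          # raises on anything structurally ambiguous
    lenient = lenient_parse(data)
    if lenient != strict:
        raise ValueError("parser disagreement: refusing entitlements")
    return strict


def parsers_agree(data: bytes) -> bool:
    """True only if the document is unambiguous under both parsers."""
    try:
        validate_entitlements(data)
        return True
    except (ValueError, ET.ParseError, ExpatError):
        return False


if __name__ == "__main__":
    print("well-formed accepted:", parsers_agree(WELL_FORMED))
    print("ambiguous accepted:  ", parsers_agree(AMBIGUOUS))
    print("lenient parser's view of the ambiguous file:", lenient_parse(AMBIGUOUS))
```

The design point is that the strict walker never tries to be clever about malformed input: every shape it does not explicitly recognize is a rejection, and the comparison against the second parser catches cases where the strict walker's own idea of the document drifts from what the runtime would actually use.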
 


ZecOps's discovery of the 0-click iOS Mail app vulnerability has a not-so-small update. The team allegedly found more evidence that this issue goes back farther than previously thought, all the way to the iPhone 2G and iOS 3.1.3:
ZecOps blog said:
Seeing (Mail)Demons? Ancient Trigger, Exploitation Technique, and a Bounty
6. MailDemon appears to be even more ancient than we initially thought. There is a trigger for this vulnerability, in the wild, 10 years ago, on iPhone 2g, iOS 3.1.3
ZecOps has now introduced a bounty and contacted Forbes's Gordon Kelly who wrote a short summary while awaiting response from Apple.
Forbes said:
...
 


Forbes' Gordon Kelly posted two updates about the ZecOps 0-click iOS Mail app vulnerability. The May 12 update had Apple standing by their previous statement:
Forbes said:
900 Million iPhones Affected By Updated Apple iOS Warning
05/12 Update: ... Apple will deliver a fix in iOS 13.5, but there is currently no commitment to patch previous versions of iOS to protect older iPhones....
On May 13 things got more interesting as Kelly references other parties beginning to take action on this possible threat to iOS, including Germany's Federal Office for Information Security:
Forbes said:
900 Million iPhones Affected By Updated Apple iOS Warning
05/13 Update: while Apple continues to play down this vulnerability, significant action is being taken elsewhere. For example, Germany's Federal Office for Information Security (BSI) has issued a statement recommending the removal of the iOS Mail app. BSI President Arne Schönbohm states: “The BSI assesses these vulnerabilities as particularly critical. It enables the attackers to manipulate large parts of the mail communication on the affected devices. Furthermore, there is currently no patch available. This means that thousands of iPhones and iPads are at acute risk from private individuals, companies and government agencies. We are in contact with Apple and have asked the company to find a solution for the security of their products as soon as possible.” iOS 13.5 cannot arrive soon enough,
 


Ric Ford

MacInTouch
Here's more disturbing news about problems with iOS security:
Mike Peterson said:
Software 'bug broker' Zerodium to stop buying iOS exploits due to oversupply
A private company that buys software security bugs and exploits from hackers has said that it will stop rewarding developers of several types of iOS exploits because it simply has too many of them.

... Zerodium founder Chaouki Bekrar said that iOS security is "f— cked," adding that the lack of persistence and a security mechanism called pointer authentication codes are the only two things keeping iOS's security from "going to zero."
 


Today, I just received my first two robot messages from Apple.

I texted my daughter a picture of my haircut, and she replied she liked it. Within a second, I got a message from Apple telling me that my daughter liked "an image". The sound accompanying Apple's message was different than my usual alert sound. I've been on iOS 13.4.1 for more than a couple weeks, so I don't think that is it.

I mentioned this to my wife, and she said she just started receiving these. Someone replied to her message with "haha", and Apple sent "someone likes your joke."

Does Apple have AI monitoring iMessaging now? What is the point of a stupid robot sending followup messages? Has anyone else been receiving these? And, more to the point, does anyone know how to turn them off?
 


When you say you “got a message from Apple”, do you mean in your Notification Center or do you mean via some other channel, like email?

What you’re describing sounds like iMessage Tapbacks, in which case the notification you’re receiving is not because Apple sent you a “message” but rather a notification from iMessage because of the Tapback communication you received from the sender. More information about Tapbacks:
 


If you turn off Notifications for Messages using the System Preferences > Notifications pane, you should stop getting notifications of responses to your messages.
 




Here are the latest Apple updates to invisible anti-malware files (XProtect and MRT):
I appreciate you and Howard keeping us abreast of this. The System Preferences function for this has not been working under Mojave for me for some time. It just wants me to update to Catalina.
 


Ric Ford

MacInTouch
I appreciate you and Howard keeping us abreast of this. The System Preferences function for this has not been working under Mojave for me for some time. It just wants me to update to Catalina.
I like Howard's SilentKnight for checking, but the updates seem to happen pretty automatically for me (on macOS 10.12).

Apple's attempts to push Mojave users into Catalina are... let's just say I don't "appreciate" them in the slightest.
 


The System Preferences function for this has not been working under Mojave for me for some time. It just wants me to update to Catalina.
System Preferences will never display updates for XProtect, MRT and all other background security and database updates. As long as you have the appropriate options selected to update those, they should happen automagically within 24 hours of posting. SilentKnight is a good option if you have things properly set up and they aren't happening.
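Since System Preferences never shows these background data updates, the practical check is to read the version stamps out of the installed bundles yourself, which is essentially what SilentKnight does. The script below is an added example and not SilentKnight's or Apple's code; the bundle paths are the ones I understand Catalina (under /Library/Apple) and Mojave and earlier (under /System/Library) to use, and the version keys (Version in XProtect.meta.plist, CFBundleShortVersionString in MRT's Info.plist) are assumptions stated here rather than facts from the thread. The two sample plists are constructed so the parsing can be exercised on any machine.

```python
import plistlib
from pathlib import Path

# Assumed locations (not from the thread): Catalina moved the security bundles under /Library/Apple,
# while Mojave and earlier keep them under /System/Library. First existing path wins.
CANDIDATES = {
    "XProtect": [
        "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist",
        "/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist",
    ],
    "MRT": [
        "/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist",
        "/System/Library/CoreServices/MRT.app/Contents/Info.plist",
    ],
}

# Assumed version keys: XProtect.meta.plist carries an integer "Version", an app's Info.plist
# carries "CFBundleShortVersionString".
VERSION_KEYS = ("Version", "CFBundleShortVersionString")

# Constructed sample files so the parser can be exercised off a Mac.
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Version</key><integer>2099</integer></dict></plist>
"""
SAMPLE_MRT_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>CFBundleShortVersionString</key><string>1.50</string></dict></plist>
"""


def version_from_plist(data: bytes) -> str:
    """Return the first recognised version key from a plist, as a string."""
    info = plistlib.loads(data)
    for key in VERSION_KEYS:
        if key in info:
            return str(info[key])
    raise KeyError(f"no version key among {VERSION_KEYS}")


def installed_versions() -> dict:
    """Map each bundle name to its installed version, or None if no candidate path exists."""
    found = {}
    for name, paths in CANDIDATES.items():
        found[name] = None
        for candidate in paths:
            path = Path(candidate)
            if path.is_file():
                found[name] = version_from_plist(path.read_bytes())
                break
    return found


if __name__ == "__main__":
    for name, version in installed_versions().items():
        print(f"{name}: {version if version else 'not found on this system'}")
```

Run it a day after Apple posts an update and compare the numbers against what SilentKnight (or Howard's update notes) reports; a stale value with automatic updates enabled is the signal that the background mechanism itself needs attention.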
 


Ric Ford

MacInTouch
While the federal government publicly assaults Apple for not giving it a master key to every Apple device in the world (and even lies about it), other companies keep selling Apple-cracking systems to police and governments, etc.
NBC News said:
iPhone spyware lets police log suspects’ passcodes when cracking doesn’t work
Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect's passcode when it's entered into a phone, according to two people in law enforcement, who asked not to be named out of fear of violating non-disclosure agreements.

The spyware, a term for software that surreptitiously tracks users, has been available for about a year but this is the first time details of its existence have been reported, in part because of the non-disclosure agreements police departments sign when they buy a device from Grayshift known as GrayKey.
Wired said:
The FBI Backs Down Against Apple—Again
After claiming for months that Apple alone could unlock the two iPhones of Pensacola, Florida shooter Mohammed Saeed Alshamrani, the agency announced today that it had managed to do so without Cupertino’s help—and without undermining the encryption that protects over 1 billion iOS devices worldwide.

... The FBI recovered Alshamrani's iPhone 5 and an iPhone 7 Plus in the wake of shooting; the devices were badly damaged, which the Justice Department implied in January made it more difficult to break in through traditional methods. The stance was always curious. The FBI confirmed it had managed to get the iPhones up and running, and has access to forensics tools from companies like Cellebrite that claim the ability to break into any iOS device. Older models like Alshamrani’s should have been relatively trivial to crack. But as with the 2015 San Bernardino, California shooting, the high-stakes case proved all too tempting for the agency to try to set a bad precedent.
 


VentureBeat said:
Apple accuses U.S. of ‘false claims’ on Pensacola terror investigation
A long-running dispute between Apple and the U.S. government regarding the company’s cooperation with law enforcement officials deepened today, as the two sides exchanged accusations regarding their respective roles in the 2019 Pensacola, Florida naval air station terror attack investigation. Following an announcement by Attorney General William Barr suggesting that Apple had not cooperated with efforts to access iPhones possessed by deceased gunman Mohammed Saeed Alshamrani, Apple today accused the government of making “false claims” in a manner that would ultimately hurt national security.
 


Ric Ford

MacInTouch
Here's an update on the privacy problems posed by Apple's Siri systems:
The Guardian said:
Apple whistleblower goes public over 'lack of action'
... “I listened to hundreds of recordings every day, from various Apple devices (eg. iPhones, Apple Watches, or iPads). These recordings were often taken outside of any activation of Siri, eg in the context of an actual intention from the user to activate it for a request. These processings were made without users being aware of it, and were gathered into datasets to correct the transcription of the recording made by the device,” he said.

“The recordings were not limited to the users of Apple devices, but also involved relatives, children, friends, colleagues, and whoever could be recorded by the device. The system recorded everything: names, addresses, messages, searches, arguments, background noises, films, and conversations. I heard people talking about their cancer, referring to dead relatives, religion, sexuality, pornography, politics, school, relationships, or drugs with no intention to activate Siri whatsoever.

“These practices are clearly at odds with the company’s ‘privacy-driven’ policies and should be urgently investigated by data protection authorities and Privacy watchdogs.”
 


Here's an update on the privacy problems posed by Apple's Siri systems:
The article says that recordings were made without an intent to activate Siri, but was Siri actually activated? There have been plenty of times where my phone thought I said "Hey Siri" and Siri activated, including the familiar audio chime and graphic on the display. I assume all audio from that point until I tapped the display to cancel Siri was sent to Apple. But the article implies (without actually saying) that devices have been sending audio to Apple even when Siri is not active (no chime, no display change, etc.). If true, that would be a far worse scenario.

Unfortunately, the Guardian doesn't ask this question, let alone attempt to find an answer.
 


Ric Ford

MacInTouch
There's apparently an "unc0ver" jailbreak that exploits a zero-day vulnerability and works on even the latest iOS 13.5 release...
Frank McShan said:
Jailbreak Tool 'unc0ver' 5.0 Released With iOS 13.5 Compatibility
The team behind the "unc0ver" jailbreaking tool for iOS has released version 5.0.0 of its software that claims to have the ability to jailbreak "every signed iOS version on every device" using a zero-day kernel vulnerability by Pwn20wnd, a renowned iOS hacker. The announcement comes just days after it was announced that the tool would soon launch.
 


Ric Ford

MacInTouch
Here's more about Apple security problems with iOS:
Motherboard said:
How iPhone Hackers Got Their Hands on the New iOS Months Before Its Release
Several people, including security researchers, hackers, and bloggers, have had access to an early version of the new iOS 14 for months.

... They said this is “the first time ever” an upcoming version of iOS leaked so many months in advance of its release and was widely traded in jailbreaking circles. Even the public beta for the operating system isn't yet available; the first public version of it is reportedly scheduled to be released on June 22. The leaked version is dated December 10, 2019 and has been traded widely since February.

Last year, a Motherboard investigation revealed the existence of a gray market where smugglers steal early prototypes, or “dev-fused” iPhones from factories in China and then sell them to security researchers and collectors around the world.
 


Ric Ford

MacInTouch
There's apparently an "unc0ver" jailbreak that exploits a zero-day vulnerability and works on even the latest iOS 13.5 release...
Here's more about the iPhone jailbreak from Sophos:
NakedSecurity said:
New iPhone jailbreak released
... Whether to jailbreak is a choice you have to make for yourself – assuming it’s your phone, you own it outright, and you haven’t made any promises to anyone else (such as the IT department at work) about “keeping it stock and patched”.

The good news is that the Unc0ver jailbreaks require installing a custom app, or building a custom version of an unlocking app and installing that in the same way that IT might deploy a corporate app at work.

You need to plug your iPhone into your laptop and to go through Apple’s “trust this computer” dialog (including entering your unlock code) first, so it can’t happen unexpectedly.

Also, as far as we know, the Unc0ver jailbreak needs re-applying every time you reboot.

In other words, generally speaking: you can’t end up jailbroken by mistake, so a crook can’t secretly do it for you while you’re innocently browsing the internet; and you can get rid of the jailbreak at will simply by rebooting your phone.
 


A while back, when all this issue of installing Adobe Acrobat security updates came up, and I posted here, I looked through the recent history of macOS security updates and could not find any direct relations to Apple Preview PDF, but that doesn't mean there [aren't] potential security holes.

There are, however, security issues for image processing, and Apple Preview does that, too. So, you should only be running/using Apple Preview if you are running a supported macOS and the latest security update, which currently is:
  • macOS 10.15 Catalina: macOS 10.15.4 Update
  • macOS 10.14 Mojave: macOS 10.14.6 Update + Security Update 2020-002
  • macOS 10.13 High Sierra: macOS 10.13.6 Update + Security Update 2020-002
And there it is, to confirm my statement on 15th May… a PDF security issue fixed with yesterday's security updates for macOS 10.13 and above. If you are running macOS 10.12 or earlier you should not use Preview for opening PDF documents!
Apple said:
About the security content of macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra
FontParser. Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.4
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2020-9816: Peter Nguyen Vu Hoang of STAR Labs working with Trend Micro Zero Day Initiative
 

