Apple fixes all current operating systems. WebKit presents critical zero-day vulnerabilities that can be exploited to execute arbitrary code on Macintosh, iPhone, iPad, and Apple Watch.
But Tim’s crew is falling apart Growing criticism – not only for introducing these naive bugs in the first place, but also for unreliable fixes, battery drain, lag, and bloating. Additionally, Apple’s inability to share useful information with other infosec researchers.
“Don’t play well with others,” is the damning report. In this week Security Blogwatch, Apple gets a failing grade.
Your humble blogger has curated these blog posts for your entertainment. Not to mention: Hello again, PMJ-lite.
What is the craic? Lawrence Abrams reports –Apple fixes 2 iOS zero-day vulnerabilities actively used in attacks:
[The] vulnerabilities are tracked as CVE-2021-30665 and CVE-2021-30663, and both allow arbitrary remote code execution (RCE) on vulnerable devices simply by visiting a malicious website. … Webkit is Apple’s browser rendering engine that should be used by all mobile web browsers in iOS and other applications that render HTML, such as Apple Mail and the App Store.
The list of affected devices includes: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later,… iPod touch (7th generation), macOS Big Sur, Apple Watch Series 3 and later. Zero days were addressed by Apple… in the iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and watchOS 7.4.1 updates.
And Dan Goodin adds:Webkit flaws in newly released iOS 14.5 allow attackers to execute malicious code:
A week after Apple released its biggest iOS and iPadOS update since last September … 14.0, the company released a new update to fix two zero days that allowed attackers to run malicious code on devices fully up to date. … Last week Apple fixed CVE-2021-30661, another code execution flaw in iOS Webkit, which could also have been actively exploited.
CVE-2021-30665 was discovered by Chinese researchers. [’30663] was discovered by an anonymous source.
Google Project Zero [says it] brings the number of actively exploited zero days against iOS… to seven. With a total of 22 zero days found so far in 2021, those who operate the Apple mobile operating system represent nearly 33%.
Use the source, Puke. Apple’s faceless drones scribble in the direction –About the security content of iOS 14.5.1:
Processing maliciously crafted web content can lead to the execution of arbitrary code. Apple is aware of a report that this issue may have been actively exploited.
A memory corruption issue was addressed through improved state management. … An integer overflow has been resolved by better validation of inputs.
Clear as mud. Matt Tait—@PwnAllTheThings– seems deeply frustrated:
One thing that would be really interesting and useful for Apple with these updates for [in-the-wild] exploits (which … would probably benefit them more than anyone else) is to be more proactive in explaining which models they saw active exploitation. … ITW exploits are a rare place where you get real data on the ROI of platform security and it’s a horrible shame to let that granularity go. And [it’s] a missed opportunity for Apple to capitalize and plug its investment in hardware security if it does its job of protecting against ITW exploits.
Keep ITW’s operating techniques [secret] is probably a net negative for consumer safety. … The people and researchers at Platformsec cannot model attacks and share systemic defense techniques between platforms.
[They] should be less reckless about publishing this data and making full entries. Because it kills me how valuable this data is to platform security and policies by squinting metrics while their colleagues sit on a gold mine of real data. … ITW’s exploitation techniques can and do change the needle a lot if published and analyzed properly.
however, CRandyHill hope Apple could at least learn from its mistakes:
I’m curious if most zero days in WebKit follow similar patterns. … What if there is something Apple could do to reduce the number of future security vulnerabilities, that is, by using an in-memory safe language like Swift in the riskiest areas, or… by using static analysis tools.
But all is not well in iThing land. Aware Ranger1850story of misfortune:
Update 14.5.1 installed on my iPhone 11 and iPad. In both cases, the Safari bookmarks bar is now missing and bookmarks are not displayed when you click on the URL line.
I tried restarting (iPhone 11 and iPad) and nothing is showing. … I also installed update 11.3.1 in my MBPro and the favorites bar appears but has a completely different favorites ribbon than it did before.
Take a look around you, Buzz. What do you see? u / DingDongsEverywhere:
The user interface has become frustrating and lacking in functionality. Tons of regular bugs now. Battery drain is a crap on every ride. iOS Safari is… uh. WTF arrived?
Just tons of quality of life issues that I can’t remember from Apple in the past. Of course, they were never perfect, but their versions tended to be solid with a lack of bugs.
And macOS customers aren’t happy either. Here is schafdog, for a:
A 2.5GB macOS 0.0.1 update that only contains a WebKit patch? … Please start making security patches again.
“I am a Mac.” … “And I am a PC.” (Ask your parents.) Kim zetter bring the snark: [You’re fired—Ed.]
Maybe iOS needs a patch on Tuesday in the future?
Meanwhile, it’s back to basics, with BrianZ:
0 days, regardless of the platform. Learn to patch kids!
The moral of the story?
Stop believing your own PR. Like Apple, you might have been different before, but development entropy is inevitable (cf. death and taxes).
A welcome return to form for a stripped-down PMJ in the event of a pandemic
Previously on “And finally”
Have you read Security Blogwatch by Richi Jennings. Richi curates the best blog posts, the best forums, and the weirdest websites… so you don’t have to. Hateful messages can be directed to @RiCHi or [email protected] Ask your doctor before reading. Your mileage may vary. E&OE. 30.
This week’s Zomgsauce: Dariusz Sankowski (via Pixabay)