[HN Gopher] iOS zero-day let SolarWinds hackers compromise fully...
___________________________________________________________________
iOS zero-day let SolarWinds hackers compromise fully updated iPhones
Author : wil421
Score  : 109 points
Date   : 2021-07-14 20:22 UTC (2 hours ago)

(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)

| lancemurdock wrote:
| I am both terrified and in awe at the technical prowess it takes to discover these vulnerabilities, let alone exploit them. Meanwhile I sit here fumbling with writing custom hooks

  | booi wrote:
  | If I can write 4 lines of code without an error it's a good day.

    | stevewodil wrote:
    | Thank you for making me feel okay with myself

    | andrew_ wrote:
    | I'm a 10x engineer.
    |
    | Guaranteed to be 10x bugs to lines written.

  | BitwiseFool wrote:
  | Heck, if I can get existing code to build properly on my local machine before I even modify it, it's a good day.

    | LouisSayers wrote:
    | This made me laugh - I'm setting up some projects on a new machine and going through this process atm. Tried to get one going on Windows Subsystem for Linux and had some issues so putting it on my old Mac just to get it to run. I will be happy when it does!

| arthurcolle wrote:
| There are so many layers of abstractions that interoperate to some degree that these vulnerabilities will only continue to be found/exploited, forever, until the end of time.

  | ukeepbelieving wrote:
  | Status Quo: yes
  |
  | Nonexistent ideal: No way, Jose. Your infotech is owned because it is fundamentally unsound.
  |
  | There's a huge gap between cutting edge security research at the hardware level and the implementation of consumer hardware/os's
  |
  | Fuchsia is a good start.

    | ukeepbelieving wrote:
    | Lots of interesting stuff going on here:
    |
    | https://spectrum.ieee.org/tech-talk/computing/embedded-syste...
    |
    | Microsoft IoT for Azure has some interesting hardware developments pertinent to separation of public facing hardware and out of band control mesh

  | TechBro8615 wrote:
  | It's a dichotomy - they rely on people like us to create the bugs they can exploit :)

| er4hn wrote:
| The big takeaway I have here is that security is a balance between usability and safety. In this case by having malicious links that were obfuscated (behind HTML?) to appear as legitimate LinkedIn links, the target clicking them was compromised.
|
| If mail clients were to open a modal for each link and say "Are you sure you want to go to https://LinkMeIn.com/totally-legit?email=victim123@gmail.com" would this cut down on these attacks?
|
| Taking the idea too far: A system like this would probably link to some sort of cloud database eventually to catch "emerging threats" (novel URLs that look malicious) but then would that in turn threaten end-to-end encryption of email by sending links in emails to a cloud tracker?

  | millerm wrote:
  | I just wish all email clients would stop allowing HTML to hide an actual link. It needs to stop. Anchor tags and any type of onClick/onTouch event in an email should not do anything. Just stop letting them obfuscate the freaking address, it's that simple. Tell the marketing people to go to hell, and no they cannot have their silly nicely printed link. :-)

    | Goety wrote:
    | That would be nice :)

    | tshaddox wrote:
    | Why do you want this specifically for HTML emails and not on actual web sites? Surely it's just as much of a threat in either place.

      | syrrim wrote:
      | Email is push, websites are pull. If you never choose to visit a website, then you'll never see a link on it. Most of the websites you do visit already prevent obfuscating links. Emails just show up in your inbox when an attacker wants them to. We could of course change that, and have people only see emails from known contacts or that they have requested. However, this destroys a major value proposition of email. Instead, it makes sense to limit the ability for senders to obfuscate the contents of email.

        | tshaddox wrote:
        | An attacker could email you an unobfuscated link to a website which contains obfuscated links and the threat model is exactly the same. Both require only that the victim 1) trust an email enough to click a link and then 2) trust the destination of that link enough to do the unsafe thing. Unless your computer propagates the "untrustworthiness" of the link from the email client to the browser and continues to prevent unobfuscated links, it seems like you've gained very little.

    | tinus_hn wrote:
    | You can't run Javascript in an email.

    | NikolaNovak wrote:
    | This. On phones especially it's getting increasingly hard, as a nerd desiring to do so, to figure out what the sender's email address and link's HTML target are :<

      | _trampeltier wrote:
      | Have you seen a link in outlook? This safelink feature? You have almost no idea where you will go.

  | nijave wrote:
  | You shouldn't get compromised just clicking a link. There's generally multiple levels of isolation to allow running untrusted code (websites) on your machine/device and being able to break through this is a serious failing

  | Veserv wrote:
  | Security is largely not a balance between usability and safety at the levels most companies operate at. Both usability and safety could have been achieved in this case by just not being vulnerable to the attack as was the case for many other browsers. Then you could click the link and still be safe without any usability tradeoff in this specific case.
  |
  | Obviously, there are ways to sacrifice usability to gain security, but it is by no means required or sufficient to do so. There are plenty of ways to completely demolish usability without gaining any safety. And even in cases where it is necessary to tradeoff, most problems are so far from the actual edge of what is possible that you only need to sacrifice a negligible amount of usability to gain order of magnitude improvements in safety if you are working with someone who knows what they are doing.

  | dboreham wrote:
  | For regular users, the answer to any question "Are you sure..." is always yes.

    | ASalazarMX wrote:
    | Sigh. We had to disable Windows Scripting Engine company-wide because someone complained that his invoice won't download no matter how many times he tried. His invoice in this case was a ransomware payload that the browser was fortunately stopping. Some people care, some care some of the time, and some just don't care.

      | wruza wrote:
      | A few years ago I almost self-signed Transmission-bt app bundle via Xcode CLI tools because OSX falsely detected some KeRanger malware in it and tried to remove the app. And I was committed to run it by any means, cause I was tired of uTorrent.
      |
      | Turned out it wasn't a false positive, their dist site got pwned. Other than that, I'm very careful with pc security.

      | tester756 wrote:
      | so, why was it disabled then?

        | ASalazarMX wrote:
        | Chrome identified the ZIP download as malicious. It was sheer luck, otherwise the user would have opened the ZIP and executed the obfuscated VBS inside.

    | ineedasername wrote:
    | Everyone is always sure. If they aren't the first few times then they quickly get in the habit of just clicking "okay".

  | eli wrote:
  | This would generate a ton of "false positives" (go look at a link in a random email newsletter and see what the actual URL is). People who do a lot of email stuff on their phone would be trained to click Yes a hundred times a day.
  |
  | Meanwhile it seems very unlikely to stop such a determined attacker. They just need to compromise a site that you might plausibly want to visit, or create a convincing enough lookalike. The URL need not look suspicious.
  |
  | IMHO expecting users to be able to discern "safe" from "unsafe" links by just looking at them represents a failure of our infosec systems.

| milkytron wrote:
| Could this be used as an argument for allowing iOS to support other browser engines?

  | jmull wrote:
  | Not a lot. It's almost a wash. Let's say another engine takes half the market. Now you've got twice the attack surface, but the vulnerable population is half as large for each.
  |
  | But some attacks are only worth it if the pool of vulnerable devices is large enough. So the fragmentation helps, but mostly for lower stakes attacks.

| 1e-9 wrote:
| The Project Zero stats imply three times the rate of detected zero-days versus last year. Apparently, this is largely due to the increasing output of private companies finding and selling exploits. Three of the four exploits discussed in this article were developed by the same private company and sold to two different government-backed actors.

| TechBro8615 wrote:
| The current title might be slightly misleading - the SolarWinds hack did not include an iOS compromise, as I initially thought when reading the headline. To quote the article:
|
| > These are two different campaigns, but based on our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign to be the same group of actors
|
| Same group, but different campaign.

  | [deleted]

| miles wrote:
| Use plaintext email
|
| https://useplaintext.email
|
| https://news.ycombinator.com/item?id=20513987

  | sbuk wrote:
  | Doesn't help if the mail client detects URLs and presents them as links, like a majority of mail apps do. Seeing the link won't stop end users from clicking it if it's blue and underlined, and the slightly cleverer copy and paste.
  |
  | The best bet is to rewrite links and pass them through a proxy that scans them on click. It's a shame free mail services don't do this. The only one I think offers this is Outlook.

  | eli wrote:
  | Would that have helped here? Wasn't the problem in clicking the link?

    | miles wrote:
    | Assuming the messages were delivered via email, plain text offers the distinct advantage of non-obfuscated links.
    |
    | More on the same theme:
    |
    | The only safe email is text-only email
    |
    | https://theconversation.com/the-only-safe-email-is-text-only...
    |
    | https://news.ycombinator.com/item?id=15224199

      | hsbauauvhabzb wrote:
      | What if the link contains a spelling mistake your brain is trained to overlook naturally?

        | eli wrote:
        | Or it's a legitimate link apparently from someone you trust to a site you haven't visited before? Or to a site you trust but was compromised? These were very sophisticated attackers.
___________________________________________________________________
(page generated 2021-07-14 23:00 UTC)
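The obfuscated-link problem er4hn and millerm raise (visible text that reads as a LinkedIn address while the href points somewhere else) and the click-time scanning proxy sbuk mentions, as one added example that is not part of the thread or the article: a small Python checker that parses an HTML body, flags anchors whose visible text claims a different host than their href, and rewrites every href through a scanner endpoint that would inspect the real target on click. The proxy address linkscan.example, the lookalike host and the sample message are all constructed for this example.

```python
"""Flag HTML-email links whose visible text claims one host while the href points
at another, and rewrite every href through a click-time scanning proxy.

Added example for this thread, not code from the article or from any mail client.
The proxy address and the sample message below are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical click-time scanner; a real deployment would use its own endpoint.
SCANNER_PREFIX = "https://linkscan.example/click"

# Constructed sample body: anchor 1 shows a linkedin.com URL but targets a lookalike
# host, anchor 2 is a plain-text label, anchor 3 shows a URL matching its target.
SAMPLE_HTML = """<p>You have a new connection request.</p>
<a href="https://linkmein.example/totally-legit?email=victim@example.com">https://www.linkedin.com/in/someone</a>
<a href="https://www.linkedin.com/feed/">View your feed</a>
<a href="https://example.org/report">example.org/report</a>
"""

# Visible text a reader would take for an address: optional scheme, a dotted host
# with a TLD of two or more letters, optional path. Spaces disqualify it.
URL_LIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # anchors without href are ignored
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def norm_host(url):
    """Lower-cased host with a leading 'www.' dropped; scheme-less text gets https://."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_deceptive(text, href):
    """True when the visible text reads as an address for a different host than href."""
    if not URL_LIKE.match(text):
        return False  # a plain label ("View your feed") makes no claim about the host
    return norm_host(text) != norm_host(href)


def rewrite(href):
    """Send the click through the scanner, carrying the original target as a parameter."""
    return SCANNER_PREFIX + "?" + urlencode({"u": href})


def original_target(rewritten):
    """Inverse of rewrite(): the URL the scanner would fetch and inspect on click."""
    return parse_qs(urlsplit(rewritten).query)["u"][0]


def analyze(html):
    """Return one record per anchor: href, text, deceptive flag, rewritten href."""
    collector = AnchorCollector()
    collector.feed(html)
    return [
        {"href": href, "text": text, "deceptive": is_deceptive(text, href), "rewritten": rewrite(href)}
        for href, text in collector.anchors
    ]


if __name__ == "__main__":
    for rec in analyze(SAMPLE_HTML):
        flag = "DECEPTIVE" if rec["deceptive"] else "ok"
        print(f"{flag:9} text={rec['text']!r} -> {rec['href']}")
```

Two caveats the thread itself touches on: the host comparison only strips a leading `www.`, so a lookalike that plays with subdomains or a spelling the eye skips over (hsbauauvhabzb's point) needs a registered-domain comparison and a lookalike check on top of this; and routing clicks through a scanner hands every link target to that scanner, which is exactly the confidentiality trade-off er4hn describes.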