
Apple sends out 11 security alerts – get your fixes now!

Apple has just blasted out 11 email advisories detailing its most recent raft of security fixes.

Confusingly, some of these updates have been available for several days already – the most recent version of iOS is 13.5, and it was officially announced on Apple’s main Security update page on 20 May 2020.

In fact, the updates listed for iOS and watchOS are still flagged [2020-05-27T12:00Z] with the words “details available soon”, even though Apple’s Security Advisories have full details.

And Apple’s updates for its non-mobile software products are covered in detail in the Advisory emails, but are not yet mentioned at all on the HT201222 security page.

For completeness, the updates are numbered APPLE-SA-2020-05-25-1 to APPLE-SA-2020-05-25-11, and cover:

iOS 13.5 and iPadOS 13.5
iOS 12.4.7
macOS Catalina 10.15.5
Security Update 2020-003 for Mojave and High Sierra
tvOS 13.4.5
watchOS 6.2.5
watchOS 5.3.7
Safari 13.1.1 (this update is built into the Catalina fix)
iTunes 12.10.7 for Windows
iCloud for Windows 11.2
iCloud for Windows 7.19
Windows Migration Assistant 2.2.0.0

The bug fixed in Windows Migration Assistant seems to be a DLL loading flaw that affects the Windows version of the software – an app that might, ironically, be the last Windows program you ever need to run.

Note that DLL loading errors generally don’t allow attackers to perform what’s called remote code execution (RCE), but merely to trick you into using a legitimate program to load up an untrusted component that has already been downloaded locally onto your computer.

So crooks may be able to use this sort of bug to finish off an attack (or to make an existing intrusion worse), but not to break in to start with.

What was fixed?

We counted 63 distinct CVE-tagged vulnerabilities in the 11 advisory emails.

We shan’t go over every one of them here, but we’ll note that 11 of these vulnerabilities affected software right across Apple’s mobile, Mac and Windows products.

This is a reminder that vulnerabilities in cross-platform programming libraries may require vendors to put out updates for all the platforms on which that library is used.

Bugs such as buffer overflows and use-after-free errors can’t always be exploited on every platform, and even if they can, each variant of the exploit might need a lengthy phase of experimentation all of its own.

Nevertheless, where there’s a memory mismanagement flaw that can be triggered by remotely-supplied content, it’s wise to assume that if exploitation is possible on one platform, it can probably be figured out for other platforms, too.

For each patched bug, Apple lists its possible impact, so we filtered all the Impact: lines out of the 11 different advisories to give you an idea of the range of different issues fixed, which came to 41 in all.

We’ve shortened some of the lines slightly to make them easier to read, but the variety of bugs fixed in this round of patches is clear:

Apps may cause a system crash or write to kernel memory
Apps may execute arbitrary code with kernel privileges
Apps may gain elevated privileges
Apps may use arbitrary entitlements
Attackers in a privileged network position may intercept Bluetooth traffic
Files may be incorrectly rendered to execute JavaScript
Importing a malicious calendar invitation may exfiltrate user information
Inserting a USB device that sends invalid messages may cause a kernel panic
Local attacker may elevate their privileges
Local users may execute arbitrary shell commands
Local users may read kernel memory
Malicious PDFs may cause a crash or allow arbitrary code execution
Malicious apps may modify protected parts of the file system
Malicious apps may break out of their sandbox
Malicious apps may bypass Privacy preferences
Malicious apps may cause a denial of service or disclose memory contents
Malicious apps may determine another application's memory layout
Malicious apps may determine kernel memory layout
Malicious apps may execute arbitrary code with kernel privileges
Malicious apps may gain root privileges
Malicious audio files may lead to arbitrary code execution
Malicious emails may lead to heap corruption
Malicious emails may lead to unexpected memory modification or a crash
Malicious images may lead to arbitrary code execution
Malicious processes may cause Safari to launch an app
Malicious text messages may lead to application denial of service
Malicious web content may lead to a cross site scripting attack
Malicious web content may lead to arbitrary code execution
Malicious web content may lead to universal cross site scripting
Malicious web content may result in the disclosure of process memory
Malicious websites may exfiltrate autofilled data in Safari
Non-privileged user may modify restricted network settings
Notification contents may be visible from the lockscreen
Remote attackers may cause a denial of service
Remote attackers may cause a system crash or corrupt kernel memory
Remote attackers may cause arbitrary code execution
Remote attackers may leak memory
Remote attackers may modify the file system
Running the installer in an untrusted directory may cause arbitrary code execution
USB devices may cause a denial of service
Videos may not pause in FaceTime if you exit FaceTime while the call is ringing
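The “filter out the Impact: lines” step described above, as an added example that is not the article’s own tooling: a small Python parser that reads advisory text in the shape of Apple’s security e-mails (a component heading, then Available for / Impact / Description lines, then CVE ids), lists the distinct impacts with their counts, and flags CVEs that appear in more than one advisory, which is how a cross-platform library fix shows up. The advisory text is constructed here and the CVE numbers are placeholders, not real identifiers.

```python
"""Triage helpers for vendor security-advisory e-mails (added example)."""
import re
from collections import Counter

# Constructed sample text in the shape of Apple's advisory e-mails.
# CVE numbers are placeholders (CVE-2020-AAAA etc.), not real identifiers.
SAMPLE_ADVISORIES = {
    "EXAMPLE-SA-1 (iOS)": """\
Kernel
Available for: iPhone 6s and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
CVE-2020-AAAA

WebKit
Available for: iPhone 6s and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-BBBB, CVE-2020-CCCC
""",
    "EXAMPLE-SA-2 (macOS)": """\
Kernel
Available for: macOS Catalina 10.15.4
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
CVE-2020-AAAA

ImageIO
Available for: macOS Catalina 10.15.4
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write was addressed with improved bounds checking.
CVE-2020-DDDD
""",
    "EXAMPLE-SA-3 (iTunes for Windows)": """\
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2020-BBBB
""",
}

# Matches real ids (CVE-2020-1234) and the placeholder ids used above.
CVE_RE = re.compile(r"CVE-\d{4}-[0-9A-Za-z]{4,}")


def parse_advisory(text):
    """Split one advisory into per-component entries: component, impact, cves."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        component = lines[0]  # first line of each block is the component heading
        impact = next(
            (ln[len("Impact:"):].strip() for ln in lines if ln.startswith("Impact:")),
            None,
        )
        if impact:
            entries.append({"component": component, "impact": impact,
                            "cves": CVE_RE.findall(block)})
    return entries


def impact_summary(advisories):
    """Distinct Impact: lines across all advisories, with how often each appears."""
    counts = Counter()
    for text in advisories.values():
        for entry in parse_advisory(text):
            counts[entry["impact"]] += 1
    return counts


def cross_platform_cves(advisories):
    """CVEs fixed in more than one advisory, i.e. one shared library patched on several platforms."""
    seen = {}
    for name, text in advisories.items():
        for entry in parse_advisory(text):
            for cve in entry["cves"]:
                seen.setdefault(cve, set()).add(name)
    return {cve: sorted(names) for cve, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    counts = impact_summary(SAMPLE_ADVISORIES)
    print(f"{len(counts)} distinct impacts across {len(SAMPLE_ADVISORIES)} advisories")
    for impact, n in sorted(counts.items()):
        print(f"  [{n}] {impact}")
    for cve, names in cross_platform_cves(SAMPLE_ADVISORIES).items():
        print(f"{cve} fixed in: {', '.join(names)}")
```

Run it over the real advisory e-mails by loading each message body into the dictionary in place of the constructed samples; the cross-platform list is the set of bugs worth checking on every product you run, not just the one the advisory subject line names.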

What does this mean?

The silver lining here is that the length of the list and the variety of bugs shown above isn’t a sign of security weakness.

It’s tempting to look at a list like the one above, or the list of 114 vulnerabilities fixed by Microsoft in this month’s Patch Tuesday, as a sign that things are getting worse.

But by that argument, a company that never puts out updates at all and thus keeps its vulnerability count at zero, would come out as perfectly secure, even though it’s likely that such a company isn’t finding bugs because it carefully isn’t looking, rather than because it’s looking carefully.

Instead, you can see the breadth and depth of today’s “here’s what we just patched” lists as a sign of cybersecurity maturity and of ever-increasing attention to detail.

That’s because bugs don’t go as far as they used to for attackers, who often need to combine multiple flaws in order to pull off remote code execution exploits.

For example, bugs that can reliably crash apps with remotely supplied data often can’t easily be “weaponised”, or used to cause a crash that ends reliably in code execution.

Attackers may need to use a memory disclosure bug first, to figure out what programs are loaded where, without which their later attempt to exploit a code execution bug might crash completely instead of taking over control.

And attackers might need to mix a privilege elevation bug in there too, or a sandbox escape, otherwise they might end up with an attack that is so constrained in what it can see and do that they might as well not have bothered.

So the days of occasional patches only for the most serious bugs labelled “remote code execution” are over.

What to do?

Regular patching of all reported issues, even those that sound unimportant on their own, is a must…

…so we are going to say what we’ve always done, and that is, “Patch early, patch often.”

Even if you have set your Mac or your iDevice to update automatically, make a point of checking regularly that you really are up to date:

  • On a Mac, go to System Preferences > Software Update.
  • On an iPhone or iPad, go to System > General > Software Update.

Latest Naked Security podcast

Open source libraries a big source of application security flaws

How many vulnerabilities lurk inside the bazillions of open source libraries that today’s developers happily borrow to build their applications?

Predictably, the answer is a lot, at least according to application security company Veracode which decided to scan 85,000 applications to see how many flaws it could turn up in the 351,000 libraries used by them.

All told, around seven in ten applications had a security vulnerability traceable to one or more of those libraries, which might come as a shock to the developers who thought they were getting something for free.

But as the company’s State of Software Security (SOSS): Open Source Edition aptly puts it:

That free puppy that you adopt still needs to be fed, walked, and taken to the vet.

However, how much ‘walking’ application users will end up doing varies considerably depending on the language used to create it, with JavaScript software using the most open source libraries – over 1,000 in some cases.

At the other end of the scale was Python, using a hundredth the number of libraries as JavaScript applications, with .NET, Java, and Ruby somewhere in between.

When it came to flaws in the libraries themselves, the greatest density was found in PHP and Swift, the latter a specialised language used in Apple development. Again, despite the size of .NET, it had the lowest percentage of flaws of any library.

Nearly 30% of flaws were Cross-Site Scripting (XSS), with PHP (27.1%), Java (15.7%), and .NET (14.2%) manifesting the highest number of public proof-of-concept exploits. The equivalent figure for JavaScript was only 6.5%.

Importantly, many flaws are never assigned a Common Vulnerabilities and Exposures (CVE) ID, with six out of ten JavaScript vulnerabilities falling into this category.

That means developers can’t just add up CVEs to get some idea of which libraries and languages represent the biggest risk.

Nevertheless, this analysis suggests that if a generalisation can be made it’s that Java, JavaScript and Python are the library languages that cause flaw counts in applications to rise.

So how might developers counter flaws in libraries?

The good news is that three quarters can be fixed with a minor “non-breaking” update that can be implemented to the library without causing wider disruption to the application – this held true even for almost all the most concerning one percent of flaws that might be being actively exploited.
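To make the “non-breaking update” idea concrete, here is an added example that is not Veracode’s tooling or part of the report: a Python snippet that takes an installed-dependency list and a set of advisories with their fixed-in versions, and classifies each required upgrade as a patch, minor or major bump under semantic versioning, treating only a major bump as potentially breaking. Package names, versions and advisory ids are constructed placeholders, and the example assumes the libraries in question follow semver.

```python
"""Classify dependency fixes as breaking or non-breaking under semver (added example)."""
import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v'); pre-release suffixes are ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return Version(*(int(g) for g in m.groups()))


def classify_upgrade(current, fixed_in):
    """Return 'none' (already at or past the fix), 'patch', 'minor' or 'major'."""
    cur, fix = parse_version(current), parse_version(fixed_in)
    if cur >= fix:          # tuple comparison: major, then minor, then patch
        return "none"
    if cur.major != fix.major:
        return "major"      # semver: only a major bump may change the public API
    if cur.minor != fix.minor:
        return "minor"
    return "patch"


# Constructed sample manifest and advisories (placeholder names, versions, ids).
INSTALLED = {
    "left-widget": "1.4.2",
    "parse-thing": "2.0.9",
    "old-crypto": "0.9.3",
    "safe-lib": "3.1.0",
}
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "left-widget", "fixed_in": "1.4.5"},
    {"id": "ADV-EXAMPLE-2", "package": "parse-thing", "fixed_in": "2.1.0"},
    {"id": "ADV-EXAMPLE-3", "package": "old-crypto", "fixed_in": "1.0.0"},
    {"id": "ADV-EXAMPLE-4", "package": "safe-lib", "fixed_in": "3.0.4"},
]


def remediation_plan(installed, advisories):
    """For each advisory that matches an installed package, record the bump needed."""
    plan = {}
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in installed:
            continue
        bump = classify_upgrade(installed[pkg], adv["fixed_in"])
        plan[pkg] = {
            "advisory": adv["id"],
            "from": installed[pkg],
            "to": adv["fixed_in"],
            "bump": bump,
            "breaking": bump == "major",
        }
    return plan


def summarise(plan):
    """(number of fixes still needed, how many of them are non-breaking patch/minor bumps)."""
    needed = [p for p in plan.values() if p["bump"] != "none"]
    non_breaking = [p for p in needed if not p["breaking"]]
    return len(needed), len(non_breaking)


if __name__ == "__main__":
    plan = remediation_plan(INSTALLED, ADVISORIES)
    for pkg, p in plan.items():
        print(f"{pkg}: {p['from']} -> {p['to']} ({p['bump']}, breaking={p['breaking']})")
    print("needed, non-breaking:", summarise(plan))
```

The “already fixed” branch is deliberately conservative in one direction only: a version that is numerically past the fixed-in release is treated as fixed, so if a vendor back-ports a fix to an older branch without also releasing it on the newer one, feed the parser a separate advisory entry per affected branch rather than a single fixed-in version.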

Veracode chief research officer Chris Eng commented:

Open source software has a surprising variety of flaws. An application’s attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies.

But as long as developers realise this and apply fixes, they can reduce the risk.

There’s also the issue of how many people are out there looking for flaws on everyone else’s behalf. Right now, that’s become a popular pastime, with at least one recent report finding that the number of flaws in open source software reached a record 6,000 in 2019.

Open source libraries have become a ubiquitous part of software development. Flushed by the success of this, the next battle is to make sure that doesn’t create problems for the near future.


New iPhone jailbreak released

Apple’s latest iOS versions have only been out for a week.

The updates are new enough that Apple’s own Security updates page still lists [2020-05-26T14:00Z] the security holes that were fixed in iOS 13.5 and iOS 12.4.7 as “details available soon”.

But there’s a jailbreak available already for iOS 13.5, released by the well-known security research crew known as Unc0ver:

Unc0ver works on all devices on iOS versions between 11.0 and 13.5. Below you can find a list of all devices that have been specifically tested. [List follows.]

The jailbreakers themselves claim that iPhone 11 models of all types are supported, and have been tested even after updating to the latest 13.5 release.

However, the Unc0ver list doesn’t go back further than the iPhone 6S (or the iPad Mini 5 if you’re an iPad user), and no one yet seems to have tried jailbreaking a device running iOS 12 that had already been updated to the brand new version 12.4.7.

Nevertheless, the implication is that any device capable of running any version of iOS from 11.0 or later can be liberated from Apple’s walled garden, after which many or most of Apple’s lockdown and tamper-protection measures can be bypassed.

Proceed with care

Jailbreaking, as we have said before, is not for the faint-hearted.

Nevertheless, despite the criminal-sounding name, jailbreaking is legal – as far as we know, but remember that we are not lawyers! – in the US at least.

Circumventing “copyright protection” measures such as Apple’s phone strictures hasn’t always been lawful in the US, but in recent times the US Library of Congress, which gets to adjust the regulations every three years, has opened up over its past few regulatory reviews.

In 2018, for example, the Library of Congress:

…recommended a new exemption allowing for the circumvention of TPMs [technological protection measures] restricting access to firmware that controls smartphones and home appliances and home systems for the purposes of diagnosis, maintenance, or repair.

We can thank the “right to repair” movement for a lot of the lobbying for the ongoing legalisation of jailbreaking in the US, using common-sense slogans such as “Would you buy a bike if you couldn’t fix the chain?” and “Would you buy a car if it was illegal to replace the tyres?”

Indeed, today’s US right to repair probably owes more to American farmers – who resented that they had no access to a free market when it came to repairing or servicing expensive equipment such as tractors – than to phone hacking enthusiasts, but the two groups of “modders” today find themselves united with a common cause.

How easy is finding a jailbreak?

Unfortunately, the right to repair doesn’t come, for phones at least, with a corresponding right that requires the vendor to tell you how to exercise that right.

A phone maker like Apple can’t use the law to prevent you trying to jailbreak your phone…

…but it can do its very best to stop you succeeding, and it doesn’t have to tell you what it did to stop you.

That’s why this latest iOS 13.5 jailbreak, announced so soon after iOS 13.5 itself came out, is receiving a lot of publicity.

Jailbreaks themselves, in another irony, often involve finding a security hole of their own and figuring out how to exploit it.

Is it safe?

The answer is, “Yes. And no.”

The main risk in jailbreaking an iDevice is that you are, of necessity, using it in a way that is not only unsupported but also entirely untested by Apple.

You end up using third party apps – even if they come from the App Store and are supposedly vetted by Apple – in a way that has never before been formally tested.

You’ll also typically end up using apps that simply aren’t available in the App Store, and may either be malicious by design, or be dangerous by mistake because they haven’t had the same sort of scrutiny as software that’s App Store approved.

Lastly, jailbreaking allows you to turn off some of the security barriers that are always in place on non-jailbroken phones.

For example, loading your own apps, modifying the behaviour of built-in apps, snooping on data from other apps, and peeking at other apps’ network traffic suddenly become possible, even though all those behaviours are usually blocked by Apple.

Even though a lot of the restrictions that jailbreaking removes are there for commercial and money-making reasons, many of them keep you safer and more secure at the same time.

Should I try it?

Whether to jailbreak is a choice you have to make for yourself – assuming it’s your phone, you own it outright, and you haven’t made any promises to anyone else (such as the IT department at work) about “keeping it stock and patched”.

The good news is that the Unc0ver jailbreaks require installing a custom app, or building a custom version of an unlocking app and installing that in the same way that IT might deploy a corporate app at work.

You need to plug your iPhone into your laptop and to go through Apple’s “trust this computer” dialog (including entering your unlock code) first, so it can’t happen unexpectedly.

Also, as far as we know, the Unc0ver jailbreak needs re-applying every time you reboot.

In other words, generally speaking: you can’t end up jailbroken by mistake, so a crook can’t secretly do it for you while you’re innocently browsing the internet; and you can get rid of the jailbreak in a hurry by rebooting your phone and starting over.

So we have just one piece of advice, namely that if it’s not your phone, or it’s your own phone and you use it for work, ask for permission from your IT department first.

We suspect that they will say, “No, please don’t do that,” and if they do, take it on the chin and comply.

They’ve got enough to worry about already without trying to keep control of jailbroken iPhones – or their maverick cousins, “rooted” Android devices – as well.


Internet giants unite to stop warrantless snooping on web histories

Earlier this month, the US Senate narrowly voted to renew warrantless collection of Americans’ web-browsing histories.

This week, the US House of Representatives is expected to consider the act that reauthorizes that warrantless data collection: the USA Freedom Reauthorization Act. The House already passed the reauthorization act, sent it to the Senate, and will this week consider the Senate’s tweaks before sending it to President Trump for his signature.

On Friday, leading up to the House’s vote later this week, a group of seven internet companies and organizations suggested that legislators just might want to rethink the legislation’s disregard for Americans’ privacy.

The group includes Mozilla, Engine, Reddit, Reform Government Surveillance, Twitter, i2Coalition, and Patreon. They’re asking legislators to amend the bill in order to limit government access to internet browsing and search history without a warrant.

They wouldn’t have had to put together a plea to protect Americans’ online privacy if an amendment to the bill had passed in the Senate. Unfortunately, it didn’t: the amendment to curtail warrantless web history search missed passage by only one vote when four senators didn’t show up for the Senate’s vote.

This is where your web-browsing predilections come in

The reauthorization act restores government powers that expired in March with Section 215 of the Patriot Act.

Ah, the Patriot Act – that privacy-invading waste of time and taxpayer money. In February, The New York Times reported on a newly declassified study that found that a boondoggle of a surveillance program empowered by the Patriot Act cost $100 million from 2015 to 2019 but yielded only a single, solitary, significant investigation. In fact, over those four years, analyzing logs of Americans’ phone calls and text messages only twice generated information that the FBI didn’t already know.

And inside that boondoggle of the Patriot Act is Section 215: in 2001, it amended Title V, Section 501 of FISA, allowing intelligence agencies to collect metadata on calls (known as call detail records, or CDRs) that it stores in repositories and secure networks. Section 215 allows the government to demand “tangible things,” such as records deemed relevant to terrorism investigations.

The metadata has been used to secretly surveil Americans, sometimes for purposes that have absolutely nothing to do with protecting the country from terrorists, such as snooping on former girlfriends.

In a nutshell, Section 215 currently allows the government to collect the web browsing and internet searches of Americans without a warrant. Senator Ron Wyden, who voted against reauthorization of the Freedom Act and who co-authored the failed amendment to stop warrantless web surveillance, noted that the powers conferred by Section 215 have been “secretly interpreted and abused in the past.”

The use of these authorities to spy on innocent Americans’ web browsing and search histories is a screaming alarm warning us of future abuses.

Senators Wyden and Steve Daines had submitted an amendment to the reauthorization act that would have protected the web-browsing privacy rights of Americans. It failed by a hair, garnering 59 votes out of the 60 it needed to pass. Some of the senators who had pledged to outlaw warrantless web history browsing and internet search didn’t show up for the vote, making it even more frustrating for those who would rather keep people’s searches private unless the government gets a warrant.

In the wake of the amendment’s failure to pass in the Senate, the group of seven internet entities have put in another call for privacy, this time to the House.

Mozilla posted the letter signed by the seven internet entities and sent to House Speaker Nancy Pelosi, Minority Leader Kevin McCarthy, Chairman of the Judiciary Committee Jerry Nadler, and Ranking Member of the Judiciary Committee Jim Jordan.

The group argue that our search and browsing history paint a vivid picture of our most intimate private lives:

Search and browsing history can provide a detailed portrait of our private lives. It may reveal medical conditions, religious beliefs, and personal relationships, and it should be protected by effective legal safeguards.

The seven entities said that some of them didn’t collect the information to begin with. Mozilla, which develops the Firefox browser, put up a blog post pointing out that the browser has privacy features such as Enhanced Tracking Protection and DNS-over-HTTPS (DoH) – a privacy technology that is now the default setting for US users of Firefox.

It’s worth noting that the Brave browser has been found to be the least likely to leak unique identifying information about the computer using it when compared with Chrome, Firefox, Safari, Edge and Yandex.

Browser competition aside, the seven internet entities said that they all have multiple things in common when it comes to government snooping on web histories:

Some of us do not collect this information; some of us have pressed the courts to adopt a higher standard for this data; all of us believe this information should only be produced with a warrant. Congress should take this opportunity to resolve any potential ambiguity and provide strong legal protections for all search and browsing history.

The group said that privacy and security are essential to the economy, to businesses, and to the “continued growth of the free and open internet.” If the House succeeds in pulling back warrantless surveillance in its upcoming vote, that growth can continue, the seven entities said:

By clearly reaffirming these protections, Congress can help preserve user trust and facilitate the continued use of the internet as a powerful contributing force for our recovery.

The group pointed to the significant, bipartisan support for the Wyden/Daines amendment in the Senate: an amendment that would have protected Americans’ browsing history privacy.

This provision attracted the support of a Senate supermajority, and consumer groups and businesses across America. It enjoys broad bipartisan support among members of the House of Representatives, and should be included if the House reauthorizes the USA FREEDOM Act.

Congress should take this opportunity to resolve any potential ambiguity and provide strong legal protections for all search and browsing history.


What is the dark web? Your questions answered, in plain English

You can’t read much about cybercrime these days without hearing mention of “the dark web”.

Often, the term is used with the metaphorical meaning of dark, to describe those parts of the internet that are evil, being dedicated to odious and often very serious criminal offences.

We’re not just talking about stories of websites where illegal drugs can be bought and sold, but also about much more worrying crimes including child abuse, terrorism and murder.

Sometimes, however, the term is used in the literal sense of dark to describe a part of the web where the network traffic going to and from it is effectively invisible or untrackable, so that it is dark in the sense of being unilluminated.

And there you have it: dark as in evil, and dark as in unilluminated.

Of course, the truth about the dark web is somewhere between “all good” and “all evil”.

Sometimes, for example, it’s nice to browse without having to think too hard about whether your traffic is being analysed every which way for marketing purposes, or snooped on and saved in a giant logfile by your ISP on the say-so of your government, or peeked at by your VPN provider, or otherwise being used by someone, somewhere, to draw unfair and unreasonable inferences about you.

Simply put: the ability to be both private and anonymous online, even if it’s only occasionally, seems to be a perfectly reasonable aspiration for any internet user.

It doesn’t make you a criminal, or imply you’ve got an evil streak, just because you use dark web technology such as the Tor browser to go online when you want to avoid being tracked.

On the other hand, the dark web undeniably attracts those who want to be anonymous and untraceable because they are evil, and because they want their web servers to be shielded from identification and takedown.

Note that sites on the dark web aren’t always secret or even particularly secretive – the special “untrackable” website URLs where some of them can be found are often openly publicised and widely known, as is the case with numerous drug-related marketplaces.

What’s kept in the dark is a list of who’s accessed them and when – as well as where the sites are physically located so that their traffic can’t easily be blocked, or their servers taken offline and seized by law enforcement.

This makes the dark web a bit of a double-edged sword – it’s good when it’s used for evading oppressive censorship and the sort of surveillance that many of us consider unacceptable, but it’s bad when it’s used for evading detection for the sort of online crimes that almost all of us consider unacceptable.

So many questions

Here on Naked Security, this uncertainty about the dark web means we regularly receive questions such as:

  • Why doesn’t the dark web just get closed down?
  • Are there really any benefits to society in having a dark web at all?
  • How big is the dark web?
  • Is the dark web the same as the deep web?
  • Is it really as private and as anonymous as some people claim?
  • Will I get into trouble if I simply want to take a look?
  • If I go on the dark web, does that make me a bigger target for hackers?

Sadly, some of the content we’ve seen where these questions are addressed gives you the sort of answers that only really make sense if you already know enough about the dark web to answer them anyway.

So, we decided to make a video to answer these questions in plain English, without being judgmental and without using jargon:

[embedded content]

If you enjoyed this video, please visit the Naked Security YouTube channel and subscribe!
