Forgot your password?
typodupeerror
Security Facebook IOS Twitter Apple

iOS Developer Site At Core of Facebook, Apple Watering Hole Attack 88

Posted by Soulskill
from the web-of-trust dept.
msm1267 writes "The missing link connecting the attacks against Apple, Facebook and possibly Twitter is a popular iOS mobile developers' forum called iphonedevsdk which was discovered hosting malware in an apparent watering hole attack that has likely snared victims at hundreds of organizations beyond the big three. It's not clear whether the site remains infected, but researcher Eric Romang dug into the situation and determined that the site was hosting malicious JavaScript that was redirecting visitors to another site, min.liveanalytics. That site had been hosting malware as of Jan. 15."
This discussion has been archived. No new comments can be posted.

iOS Developer Site At Core of Facebook, Apple Watering Hole Attack

Comments Filter:
  • Obligatory (Score:4, Funny)

    by bigredradio (631970) on Wednesday February 20, 2013 @04:03PM (#42958271) Homepage Journal
    Where's your God now?
  • by BasilBrush (643681) on Wednesday February 20, 2013 @04:05PM (#42958287)

    The fix to patch the vulnerability and remove the malware if it's there is available today. Mac users should do a software update.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Any user with Java on their system, regardless of OS, should do an update (or disable Java...).

      • by Anonymous Coward
        Non-mac users don't go to iphonedevsdk, because you cant use an sdk to dev for an iphone on anything but a mac. Ergo, we are immune to this attack.
    • by _xeno_ (155264) on Wednesday February 20, 2013 @04:48PM (#42958729) Homepage Journal

      The fix to patch the vulnerability and remove the malware if it's there is available today.

      The keyword there is "today." The actual Java patch was available earlier, it's just Apple only bothered patching their version of Java until - well, after they got bitten by the vulnerability, apparently. Apple had been content to just say "applets are no longer supported" and leave it at that.

      • by the_B0fh (208483)

        http://support.apple.com/kb/HT5573

        This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a webpage, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle.

        You do realize that Apple has handed over Java support on OSX back to Oracle, right?

        • by _xeno_ (155264)

          You do realize that Apple has handed over Java support on OSX back to Oracle, right?

          For Java 7, yes, Apple doesn't support that. For Java 6, they still do. The Apple version of Java still exists, was vulnerable to the Java 0-day, and missed the patches that fixed it that were first released a couple of weeks ago. Their fix was instead to just disable applets entirely, which is great unless your IT department requires an applet to use their wi-fi network. (Seriously.)

          And, yes, there are still some Mac OS X apps that require Apple's version of Java, because it's not completely compatible wit

          • You do realize that Apple has handed over Java support on OSX back to Oracle, right?

            For Java 7, yes, Apple doesn't support that. For Java 6, they still do. The Apple version of Java still exists, was vulnerable to the Java 0-day, and missed the patches that fixed it that were first released a couple of weeks ago.

            Now that's odd, are you claiming that the 0-day works in Apple's Java 6 despite only working under Java 7? http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0431 [nist.gov]

      • The fix to patch the vulnerability and remove the malware if it's there is available today.

        The keyword there is "today." The actual Java patch was available earlier, it's just Apple only bothered patching their version of Java until - well, after they got bitten by the vulnerability, apparently. Apple had been content to just say "applets are no longer supported" and leave it at that.

        RTFA. Seriously. There was a patch - but it didn't fully fix the hole. Not to mention that "Apple's version of Java" wasn't affected, only Java 7.

  • by coinreturn (617535) on Wednesday February 20, 2013 @04:07PM (#42958313)
    will be nothing but hate.
    • by eksith (2776419)

      A lot of comments above are already full of hate :/ And I don't get why they blame Apple for this when clearly Oracle is at fault for letting Java stagnate this much.

      When Cisco took over Linksys we ended up with lackluster hardware. No big deal. But when Oracle let their bought product stagnate, the damage is a lot more severe if only due to its sheer ubiquity and dependence.

      • by exomondo (1725132)

        I don't get why they blame Apple for this when clearly Oracle is at fault for letting Java stagnate this much.

        The reason is because this flaw exists in Apple's implementation of Java 6 - which is still required by many people as not all apps work on Oracle's Java 7 (which was patched for this vulnerability some time ago).

        • I don't get why they blame Apple for this when clearly Oracle is at fault for letting Java stagnate this much.

          The reason is because this flaw exists in Apple's implementation of Java 6 - which is still required by many people as not all apps work on Oracle's Java 7 (which was patched for this vulnerability some time ago).

          Funny - there's no mention of Java 6 here [nist.gov], only Java 7.

          • by exomondo (1725132)

            Funny - there's no mention of Java 6 here [nist.gov], only Java 7.

            Why are you only looking at one vulnerability?
            As reported by Ars Technica, the 15th February, Facebook was victim of a watering hole attack, involving a “popular mobile developer Web forum“. The attack was using a Java 0day that has been urgently patched, in Oracle Java CPU of first February, by version 7 update 11 and version 6 update 39. http://eromang.zataz.com/2013/02/20/facebook-apple-twitter-watering-hole-attack-additional-informations/ [zataz.com]

            • It's the only vuln linked to as far as I can see.
              • by exomondo (1725132)

                It's the only vuln linked to as far as I can see.

                The article just mentions that there was an exploit added to the Cool Exploit Kit that exploits that specific vulnerability, it doesn't make any suggestion that was the one used or that the Cool Exploit Kit was used, it could have been any of the many 0-day exploits patched very recently.

  • malware (Score:5, Interesting)

    by Mr.123 (661787) on Wednesday February 20, 2013 @04:08PM (#42958317)
    The site in question has been hosting malware on and off for over a year now. They were flagged at least half a dozen times by google over the past year for hosting malware. The site then went down for weeks while overhauling the entire forum software and then bam, this happens. Unfortunately some very good discussions happen on the site and I just can't quit using it.
    • by edxwelch (600979)

      It used to be a great site for App Store marketing tips, but since has gone downhill some what

  • by mark-t (151149) <markt@PARISlynx.bc.ca minus city> on Wednesday February 20, 2013 @04:11PM (#42958345) Journal

    What the heck is a "watering hole attack"?

    • Re: (Score:2, Troll)

      by smooth wombat (796938)

      People come to you.

      Animals need to go to a watering hole to get their water, iOS folks need to go to this site to get their software.

      • by Anonymous Coward

        Quote : "iOS folks need to go to this site to get their software."

        Ehhhhh....no.

      • by Anonymous Coward

        People come to you.

        Animals need to go to a watering hole to get their water, iOS folks need to go to this site to get their software.

        Not really. It's more of a 'candy store' attack. It's a popular, but not necessary. site.

      • by mark-t (151149)

        The only place iOS folks really need to go for their software is to Apple's online developer portal.

        I've been developing for iOS for 2 years now, and had not ever heard of this particular web forum prior to this article.

        • by the_B0fh (208483)

          Come now, stop feeding the trolls.

        • by BitZtream (692029)

          Really? Were developing with a rule against using a search engine? They turn up in plenty of my search results for various iOS dev related things.

          They were one of 'the first' iOS dev sites, earlier enough that I'd venture to say they were probably there before apple's iOS SDK existed but my memory may be a bit off, that was 5 years ago.
          Not knowing about this site indicates you live in a virtual box.

      • It may not be entirely accurate, but what retarded mods are flagging this Troll?

    • by ThisIsSaei (2397758) on Wednesday February 20, 2013 @04:18PM (#42958433)
      It's where you target a page used by multiple targets. Here a mobile developers forum was hit, that forum was not the real target but the people who use it frquently were. "Poisoning the watering hole" if you will.
    • by Anonymous Coward on Wednesday February 20, 2013 @04:23PM (#42958501)

      What the heck is a "watering hole attack"?

      It's where troopers metaphorically attack a swagman by a billabong (the 'watering hole') causing him to leap to his death and subsequently haunt the area. I won't go into detail on how this applies in relation to computer security, but I'm sure you get the gist of it.

    • by rb12345 (1170423) on Wednesday February 20, 2013 @04:27PM (#42958535)
      Traditionally, you had "spear phishing" attacks which had attackers sending malware or phishing emails directly to their targets. This is relatively easy to spot and filter. The "watering hole" attacks work by compromising a trusted third-party site used by the targets. For example, if your attacker know you read Slashdot or use some specialised forum site, they could attempt to compromise those sites and use them to host exploits as part of the normal pages (infected banner ads or modified page content).
    • by MadKeithV (102058)

      What the heck is a "watering hole attack"?

      I'm not quite sure, I was half expecting a Hurd of GNUs in a drinking frenzy.

  • This is a good reminder that with web-security you're only as secure as the weakest link. A new exploit pushed from a popular dev site on a trusted platform like Java is going to hit you hard and you can't avoid it directly. The real story here is how quickly / properly people responded, and how well defensive infastructure and policy stopped the intrusion. There's months and months of good security analytical reading right here. We can also compare company to company as it hit more than one.
    • a trusted platform like Java

      Sorry, what? Several things come to mind when I think about Java, "trusted" is not one of those things. Java is a textbook example of a single piece of the platform (the browser plugins) giving the entire thing a bad name, even if it's not justified. Anyone who still browses around the general internet with a browser that has the Java plugins enabled is either unaware of what the Java plugin is, or stupid. If you're a Java developer, have one browser with your plugins enabled that you use only to develo

      • I have a completely secure computer for you, it's called a rock.

        Yes, running a no-script browser is techincally safer, but it's also technically useless as you're missing out on the content provided by those scripted services. Do you manually type in captcha hashes? Do you ignore all video posted anywhere? You'll never run a single script, ever? A browser is inherently insecure as it's entire purpose is to download and render remote scripts.

        It's very ignorant to insist that you're bullet-proof, or to in

        • Yes, running a no-script browser is techincally safer, but it's also technically useless as you're missing out on the content provided by those scripted services. Do you manually type in captcha hashes? Do you ignore all video posted anywhere? You'll never run a single script, ever?

          Where did you get that from? The interface of the major application I work on is over 1.5MB of Javascript. I don't disable Javascript. I disable plugins from automatically starting plugin content. This has nothing to do with scripting. I'm talking about Java, not Javascript. Hopefully you know the difference, if you don't then don't bother to reply to things like this. As for video specifically, if I come across a Flash video on a news site or whatever that they embedded in a way where click-to-start

  • Apple devs wouldn't know security if it bit them in the iPhone so this is less than surprising. Then you use a browser exploit that targets macs, which is (debatably) easier to make and tada. I'm going to take a wild guess that Facebook's devs aren't too bright either, based solely on their coding and design work aka the Facebook website.
  • Ah, the weakly supported claims that China is at an all-out "cyberwar" now become clearer. The Chinese army must have created the site min.liveanalytics.org. Then they deviously drew in visitors from a popular site, including some from major US corporations. For any machine that was vulnerable, China has thusly "hacked" the corporations owning those machines. Hackers get cred, the news media gets to scream that the sky is falling, and the US government gets to increase funding for the "war on cyberterror".

  • There's an update to the first article - looks like almost the same attack (via the same JavaScript inclusion, using a different exploit of course) was active on Fedoraforum.org last July.

What this country needs is a dime that will buy a good five-cent bagel.

Working...