Researchers Say They Caught an iPhone Zero-Day Hack in the Wild (vice.com) 31
In the summer of 2016, researchers at a digital rights organization and a cybersecurity firm announced they had caught one of the rarest fish in the cybersecurity ocean -- an in-the-wild attack against an iPhone, using unknown vulnerabilities inside Apple's vaunted operating system. Since then, only a handful of similar attacks have been caught and publicly disclosed. Now, a small startup said it has caught another one. From a report: ZecOps, a company based in San Francisco, announced on Wednesday that a few of its customers were targeted with two zero-day exploits for iOS last year. Apple will patch the vulnerability underlying these attacks in an upcoming release of iOS 13. "We concluded with high confidence that it was exploited in the wild," Zuk Avraham, the founder of ZecOps, told Motherboard. "One of [the vulnerabilities] we clearly showed that it can be triggered remotely, the other one requires an additional vulnerability to trigger it remotely."
"These vulnerabilities," ZecOps researchers wrote in a report they published Wednesday, "are widely exploited in the wild in targeted attacks by an advanced threat operator(s) to target VIPs, executive management across multiple industries, individuals from Fortune 2000 companies, as well as smaller organizations such as MSSPs." One of the two vulnerabilities, according to Avraham, is what's known as a remote zero-click. This kind of attack is dangerous because it can be used by an attacker against anyone on the internet, and the target gets infected without any interaction -- hence the zero-click definition. Vulnerabilities or exploits called zero-days are bugs in software or hardware that are unknown to their manufacturers and can be used to hack targets. They can be particularly effective attacks because they use flaws that are not patched yet, meaning there's no code deployed to specifically defend against them.
FFS can we please stop pretending that ... (Score:1)
... "Zero Day" means anything.
Just because someone thinks they're the first doesn't mean they are.
It's impossible to know if an exploit has been used.
"Zero Day" is self congratulatory
It's a damned bug. Call it what it is !
Re:FFS can we please stop pretending that ... (Score:4, Informative)
... "Zero Day" means anything.
Just because someone thinks they're the first doesn't mean they are.
It's impossible to know if an exploit has been used.
"Zero Day" is self congratulatory
It's a damned bug. Call it what it is !
For the overly annoyed here, "Zero Day" merely implies that a vulnerability exists and has a 99% chance of being unpatched, which can be rather relevant for those who give a shit and need to mitigate risk through other means.
TL; DR - Shut the hell up already.
Re: (Score:2)
I, too, am one of the overly annoyed. Came here to find this argument. Overly used jargon does have negative consequences. It doesn't communicate what you specifically want it to, shuts the greater audience out of the conversation. And, quite frankly, takes more effort to educate everyone on the terminology, which ends up being endless disagreement anyway. 'Unpatched security flaw' is just as easy to say as "Zero-day hack" and carries a lot less presumptions that may or may not be true. Whether the ve
Re: FFS can we please stop pretending that ... (Score:2)
Those are describing the same thing with different presumptions.
Just because l33t h4k0r ASSUMES they're the first to exploit doesn't make it true.
Neither does a claim for identifying the flaw.
I ship software all the time knowing there are certain use cases which may or may not trigger an exploit possibility.
If you identify one in public, you only think you're the first. Often I have already been contacted in private over the same issue.
Your public announcement only forces me to admit what I have known all a
Re:FFS can we please stop pretending that ... (Score:5, Insightful)
It's a little funny, but it's almost a microcosm of the whole pandemic going on now. No one will really do shit about it until it's staring them right in the face. It's funny how the months and months a company had to fix something before public disclosure don't often amount to much, but after the announcement it scarcely takes more than a week to address.
Well, who's gonna pay for it? (Score:1)
Comment removed (Score:5, Informative)
Re: (Score:2)
There seems to be a widely held misconception that most companies and developers don't care about security, which is patently false. Not everyone is Zoom; these people are the exception, not the norm. Most developers and most companies understand very well that the security of their products not only affects their reputation and therefore their bottom line but also has a social impact.
Especially a Company like Apple, who has built a well-deserved reputation of making privacy and security-from-practical-exploits twin pillars of their design-goals for both their hardware and software.
Thank you, Parent, for a most erudite and knowledgeable comment injected into what will no doubt devolve into yet-another finger-pointing Platform War...
Re: (Score:2)
Especially a Company like Apple, who has built a well-deserved reputation of making privacy and security-from-practical-exploits twin pillars of their design-goals for both their hardware and software.
From where I see it, their security mostly relies on a simultaneously anti-competitive app whitelist model.
Re:FFS can we please stop pretending that ... (Score:4, Insightful)
A "zero day" means the people who are supposed to fix the bug don't yet know about it. If every script kiddie and his mom knows about the exploit, it's still a zero-day if Apple hasn't released a patch yet.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:3)
These vulnerabilities are widely exploited in the wild in targeted attacks by an advanced threat operator(s) to target VIPs, executive management across multiple industries, individuals from Fortune 2000 companies, as well as smaller organizations such as MSSPs.
Not to mention the President of the United States.
Re: (Score:3)
It's impossible to know if an exploit has been used.
Well that's not true. If you spot it in the wild, you know it was used. What you can't know is if an exploit has NOT been used before.
Re: (Score:2)
It's impossible to know if an exploit has been used.
Well that's not true. If you spot it in the wild, you know it was used. What you can't know is if an exploit has NOT been used before.
Actually, if you spot it in the wild, e.g., that someone spots the code on a webserver, in an App, or in intercepted internet traffic, you only really know that there is a potential that it will be successful. Only if you can demonstrate the actual exploit causing whatever modified behavior in a particular unit or units can you say that it was (successfully) "used". Which is the only thing that really "counts".
There likely are several thousand (or more) potential exploits for any and all platforms floating
Re: (Score:1)
You've misread the phrase entirely.
A "Zero Day" outbreak is a pandemic whose imminent pandemic status is mainly known to some blue-lipped Manchu in Wuhan, after prompt suppression of Li Wenliang.
Meanwhile, none of the flush and privileged Milanese have fled to their opulent second homes in The Hamptons, because not even the jet set are yet looped into reliable word.
Zero day doesn't mean "first use" (Score:3)
> ... "Zero Day" means anything.
> Just because someone thinks they're the first doesn't mean they are.
Zero day doesn't have anything to do with first use.
X-day is the days after the vendor released the patch, which causes the vulnerability to be widely known.
Each month on patch Tuesday when Microsoft releases fixes for the Windows vulns of the month, everyone can see what was patched, and therefore what the vulnerabilities are in unpatched systems. If you wait 7 days to install the patches, that's se
Re: FFS can we please stop pretending that ... (Score:2)
"The term "zero-day" originally referred to the number of days since a new piece of software was released to the public, so "zero-day" software was software that had been obtained by hacking into a developer's computer before release. Eventually the term was applied to the vulnerabilities..." - Wikipedia
The fact that the usage has changed doesn't negate the fact that the current usage is simply incorrect.
"Eventually the term was applied to the vulnerabilities that allowed this hacking, and to the number of d
Re: (Score:2)
Get them all (Score:1)
And where are the cries to ban iphones ? (Score:1)
Re: And where are the cries to ban iphones ? (Score:3)
Re: (Score:2)
apple talks a lot about security but they suck at writing software.
Right.
Name one actual self-replicating, non-Trojan, malware infection that has successfully infected more than a few hundred OS X/MacOS, iOS, iPadOS, WatchOS or TVOS users in all the years since OS X Server 1.0 debuted in 1999. That's 21 years, by the way.
I'll wait...
IMHO, that speaks to them walking the walk; rather than simply talking the talk.
Already Patched (Score:4, Informative)
This has already been patched. The patch will be released as part of iOS/iPadOS 13.4.5, which is currently undergoing testing.
And it is not a vulnerability in iOS/iPadOS itself; but rather in Mail.app. So, if you use another Mail app, you're safe.
https://www.macrumors.com/2020... [macrumors.com]
Re: (Score:2)
Interesting. When I read the article, I immediately told my iPhone to update, and it did...to 13.4.1. That seems to be several minor versions behind the one you're referring to. Unless it's going to do the 13.4.2 (or whatever the next version is) after it finishes installing 13.4.1?
Re: (Score:2)
After the update to 13.4.1, my phone tells me it's up to date. So where are versions 13.4.2 through 13.4.4? According to this:
https://en.wikipedia.org/wiki/... [wikipedia.org]
there are no intermediate versions, it jumps directly from 13.4.1 to 13.4.5 (Beta 2). Guess I don't understand Apple's numbering system.
No older iOS versions like v12.4.7? (Score:2)
Or will Apple only be fixing v13.4.5? :(