Researcher Dumps Three iOS Zero-days After Apple Failed To Fix Issues for Months (therecord.media)
A security researcher has published details about three iOS zero-day vulnerabilities, claiming that Apple has failed to patch the issues, which they first reported to the company earlier this year. From a report: Going by the pseudonym of Illusion of Chaos, the researcher has published their findings on Russian blogging platform Habr and has released proof-of-concept code for each vulnerability on GitHub. This includes:
1. A vulnerability in the Gamed daemon that can grant access to user data such as AppleID emails, names, auth token, and grant file system access.
2. A vulnerability in the nehelper daemon that can be used from within an app to learn what other apps are installed on a device.
3. An additional vulnerability in the nehelper daemon can also be used from within an app to gain access to a device's WiFi information.
Months? (Score:1)
Re: (Score:2)
Re: (Score:2)
Re:Months? (Score:5, Informative)
Then using the term zero-day for this is stupid. It is a bug. It was released with a bug. The bug has not been fixed.
"Day" refers to the number of days since the vendor released a fix for the problem. We still have no fix, so we are still waiting for "Day Zero" when we can start fixing our systems.
This came from the idea that normally most vulnerabilities had a vendor advisory telling people how to protect against the bug and it would take several days for people to reverse engineer the vulnerability. Thus, you would say "we need to be able to patch our systems within three days of a vulnerability", then when after a week an 8-day vulnerability came out you breathed a sigh of relief that you had patched so quickly and kept your company safe from any worm that came out to exploit the vulnerability.
The bugs are zero-day vulnerabilities. Until we get a fix or at least a workaround from Apple it remains that way. No matter how many people on Slashdot seem to want to try semantic tricks to make that go away.
Re:Months? (Score:5, Informative)
You don't seem to know what zero-day actually means. Zero-day is something that is cracked on the first day of release. It has zero to do with "the number of days since the vendor released a fix for the problem."
You are just wrong; here's an article to help [norton.com]
Re: (Score:2)
OP is correct, the term absolutely originated in the warez scene. A much better researched article: https://bjorn.kuiper.nu/2013/1... [kuiper.nu]
It has since been appropriated for the vulnerability usage.
>>The term 0-day comes originally from the Warez scene [3]:
>>“0-day (pronounced as zero day) – This refers to any copyrighted work that has been released the same day as the original product, or sometimes even before.[6] It is considered a mark of skill among warez distro groups to crack and dis
Re: (Score:2)
"zero-day" does not even make sense in the other interpretation.
Zero days until the vulnerability is exploited... as opposed to five-day? How could anyone know how long in the future the vulnerability will be exploited?
Re: Months? (Score:2)
0-day simply means the number of days it has been since a software release by a vendor. In the case of warez, where the term originates, it means either the same day or any time before the program was officially released.
For example, it was very common (before Microsoft started giving them away anyways) for release groups to release windows RTM copies up to several months before Microsoft officially released it. That would be a 0-day release until the day after Microsoft's official release date.
0-day in cyb
Re: (Score:2)
"zero-day" does not even make sense in the other interpretation.
Zero days until the vulnerability is exploited... as opposed to five-day? How could anyone know how long in the future the vulnerability will be exploited?
If you think about it, this is actually completely the same thing. What used to happen was that a patch for Windows (and it was always Windows) was released. It's a binary which encodes the fixed software. Now, as a cracker, you have released software. If you can compare the new patched Windows with the old Windows you can see what's changed. If you can understand what's changed you can work out what was wrong before. If you are clever and knowledgeable you can use your knowledge of what was wrong to wor
Re: Months? (Score:2)
That blog mostly gets it, though if one were to search Usenet or perhaps any published irc logs, you could probably find its usage as far back as the late 80s. They even cite a warez magazine from the BoW release group as the earliest example, but had they simply looked at the earlier releases of that same magazine they would have found even older references than the one they mention.
A good source of information, if one could find it, would be archives of the nfo files that were included with old warez rele
Re: (Score:2)
But yeah, that Norton article is basically wrong.
Although the Norton article is a little wordy and imprecise it's pretty accurate. In fact the two articles fully back each other up.
That's because the exploit of the vulnerability is the "warez" and the "original software" in this case is not the actual software, it is the binary patch or updated full binary which is released fixing the vulnerability. That patch still hasn't been released so this "exploit" of that patch will be available on day zero when it is released. It's a completely clear usage even
Re: (Score:2)
Although the Norton article is a little wordy and imprecise it's pretty accurate. In fact the two articles fully back each other up.
It makes many false statements right out of the gate. To wit:
A zero-day exploit is when hackers take advantage of a software security flaw to perform a cyberattack.
A zero day exploit isn't necessarily a cyberattack. Exploit, in this context, typically refers to either the act of exploiting a vulnerability, or an exploit kit. It can be, for example, an iphone jailbreak kit. It's also not necessarily done by "hackers" but by script kiddies as well.
And that security flaw is only known to hackers, meaning software developers have no clue to its existence and have no patch to fix it.
Security vulnerability is the correct term, and as long as it's known to anybody besides the developers before a patch is released to fix it, it's a zero day. Whethe
Re: (Score:2)
This is why, when a zero-day attack is detected, it needs to be mitigated immediately. In other words, there are “zero days” to fix vulnerability because it’s already been exploited.
This one's a whopper, mainly because the author doesn't know what the term zero day actually means. But let's entertain the idea that it was accurate: Is there ever a case where you're given more than "zero days" to fix a vulnerability? Of course there isn't. When there is a known vulnerability, you patch it as soon as you can. A developer also makes every effort to release a patch before they'll announce a vulnerability.
So there you go, first 3 statements it makes are wrong. I could go on but I don't really need to. This article is an executive summary at best, but is more aimed at PHBs. It doesn't accurately describe what zero day means, and it's painfully obvious that the author doesn't know what it means. He's got the general idea, but that's about it.
Most of what you say I largely agree with. However, you have to remember that the adoption of the term "zero day" in the security community came in a very specific context. In particular the argument between "full disclosure" and "responsible disclosure". You have to understand it accepting some of the, at least partially incorrect, assumptions behind responsible disclosure.
The responsible disclosure people assumed that some researcher finds a vulnerability, reports it to the vendor, the vendor creates a
Re: (Score:2)
We now know clearly that this is wrong. There are multiple teams finding vulnerabilities, of which security researchers who publish are only one and probably not the one with the best resources. The Chinese, Russian, Israeli, UK and many other governments also have their own teams, who mostly keep their vulnerabilities secret for their own exploitation. During the whole of the time from when they find a vulnerability until the time that the vendor publishes an advisory (which may never happen) they have an exploit that other people don't know they have. "Zero day" is an important term which explains that. It's quite likely that some of the people pushing confusion here are doing it deliberately because they don't like people to understand the risks the vendors are taking.
That's fine, but it still doesn't change the meaning of the term.
Re: (Score:2)
This is correct- it originated in the warez scene and meant that the cracked version was released the same day the product officially became available for sale.
"Zero Day Warez - 2400 Baud - No Lamerz"
I still have my "Sysop Version" of the Courier HST 28.8/56.6 modem. It has a riveted tag indicating it was bought at a steep discount through the "Sysop Program" because I could prove to their satisfaction that I ran a BBS.
(And I did, until they logged on and verified it was there, played a game of GTW, and log
Re: (Score:2)
Sure, and if this was warez instead of a security exploit, that definition would be relevant.
Re: (Score:2)
You don't seem to know what zero-day actually means. Zero-day is something that is cracked on the first day of release.
/me *ROFLCPTERS* around the room!
Re: (Score:2)
It used to mean "cracked on release day", it's since been diluted to the point where it is almost useless.
Re: (Score:2)
It never meant that. You thought it meant that, so you misunderstood a lot of stories. But they still seemed to mean something, so you didn't notice they meant something different than you thought.
It is never too late to learn a new word. Some people learn new words every day.
Re: (Score:2)
When I was on dial up BBSes in the early 90s a "0-day" was, 100% of the time, a copy protection crack released on the same day as the software or the software itself found in the warez section.
Later, sometime in the mid 2000s, but could have been earlier, the security community adopted it to mean a vulnerability released on the same day as a piece of software, a new version of the software, a feature, or patch meant to fix a vulnerability. I.e. it took the cracking community "0 days" to p0wn you.
Now it jus
Re: (Score:2)
The longer you misunderstand the exact meaning of a word, the more certain you'll be of what the meaning is.
But then when you try to tell other people, and they correct you, and you argue, it really is insufferable. Especially if you blurt out how long you've been wrong. You don't comprehend that the context you were seeing the word used in failed to inform you of the narrow meaning; what you thought it meant made sense, too. So you naturally didn't notice.
Re: (Score:2)
You are correct. It originated in the warez scene in the 1980s, and I speak from experience.
Re: (Score:2)
Thank you! Someone else with a memory!
Re: (Score:2)
Yup. I was a courier for a slew of warez boards, and "Zero day" meant you had the good stuff hot off the wire. :)
I remember laboriously downloading the full release of MS Word at 14.4Kbs, then passing it out to transfer boards...
Re: Months? (Score:2)
Re: (Score:2)
I see your point, but they still align with most of the definition of zero day: No patch available, immediate and unauthorized disclosure to the public. Additionally, with exploits developed for the vuln.
Re:Months? (Score:4, Informative)
"Zero day" once referred to the number of days since the vendor has known about the exploit.
Now it is a broad term that means any unpatched exploit.
Re: (Score:2)
"Zero day" once referred to the number of days since the vendor has known about the exploit.
Now it is a broad term that means any unpatched exploit.
Almost. It was actually the time from the moment that the vendor passed on the knowledge of the report (just like in the Warez scene - it's from the day of release, not from the day you start writing your software). At one point there was a discussion about when this happened with vendors trying to have lists of favoured customers who would get to patch before the others. That's probably the point where this confusion began and some people began thinking that day zero was the day of the report or the day
Re: (Score:1)
Seems everyone has a different definition of Zero day.
MY understanding is that Zero Day means that the exploit ALREADY happened when it was discovered/reported to the vendor for patching. As in already exploited.
Having Proof of concept, reported to vendor, who does nothing to patch for months, is a Zero Day, meaning there is likely to be exploits active in the wild.
Failed to address for months? (Score:1)
Failed to address for months?
By definition they are not "zero-day" vulnerabilities.
Re:Failed to address for months? (Score:5, Informative)
Re: (Score:2)
Re: Failed to address for months? (Score:2)
Re: (Score:2)
Unpatched vulnerability is fine. However it's not an "unpatched exploit"; it could be an "exploit for an unpatched vulnerability", but "zero-day" is a reasonable term. The Wikipedia article is pretty fine and correct. There are a bunch of people here who misunderstand the way that "zero-day" is used here and are confused because day zero happens after the software release. What they have to realise is that in the case of software vulnerabilities, day zero is the day that the patch to fix the vulnerability w
Re: (Score:2)
This is why the term "zero day" is so problematic, because it starts counting from the day that the bug is disclosed, every newly disclosed bug effectively becomes "zero day".
The term carried far more weight when it referred to counting the number of days *since* the bug's existence prior to discovery (which is at best the number of days since the company last updated the software).
Re:Failed to address for months? (Score:5, Interesting)
"Zero Day" is yet another good term ruined by misuse.
Another good one was "Shelter In Place" before the recent pandemic. Before it meant exactly what the words meant: No matter what place you are in, a grocery store, at school, at work, at the gas station, you stop there and take shelter. You do not go home, you do not travel, you do not go outside. Often it was done in response to chemical spills, active shooters, or other short-term emergencies where going out in the open is problematic. Far too many media called the stay home orders "shelter in place", now many plebes think it means "travel to your home at your convenience and stay there".
If we're limiting it to computer terms: "broadband" becoming an ever-sliding target for high speed Internet rather than the opposite of baseband, or dating myself, "hacker" being an evil person rather than a person who assembles together systems MacGyver style. So many good terms adopted, abused, and ruined by the masses.
Re: (Score:2)
The meaning of "shelter in place" never changed.
You simply didn't comply with it. But the meaning didn't change.
Re: (Score:2)
>"So many good terms adopted, abused, and ruined by the masses."
Yep. Like "male"/"female". "Racism" (which used to mean malevolent action, and now means just about anything/everything). "Shot" (instead of injection or vaccination). "Neuter or spay" (which is really just "neuter", otherwise what is meant is "castrate or spay"). "Mad" (which means crazy, when what was meant was "angry").
The list just goes on and on. Oh well.
Re: (Score:2)
That is a good take on it.
Honestly (Score:2)
Re: (Score:3)
Yeah, it's a game for dealing with bad response from the party that messed up. If apple doesn't improve their behavior or make things right with this researcher he will likely dump the vulns on discovery next time. Otoh, giving a vendor time to respond appropriately should give the researchers funding to continue their work.
Re: (Score:2)
People have been pining for a return to the "old" Apple. Well, here it is.
Re: (Score:2)
Apple's bad behavior doesn't justify bad behavior in return.
Security industry standard for nearly 40 years has been responsible timed disclosure. Notify the company and also start a clock. If the company sits on it (like Apple now does), the public disclosure also includes the back-and-forth with the company and they get egg on their face.
If the company takes action immediately they can craft their own public response. "Today we worked with security researchers and are announcing an urgent security patch"
Re: (Score:2)
Apple's bad behavior doesn't justify bad behavior in return.
Security industry standard for nearly 40 years has been responsible timed disclosure.
Responsible timed disclosure is a quite serious risk for some security researchers. It means creating a two way communication channel over a long period of time so that they can't claim they didn't get your notification which can be reversed by the vendor in order to find you. Multiple researchers have found themselves in legal trouble at that stage. If your vendor has any history of bad behaviour (as with Apple) you may be better advised to simply release so that at least the enemy secret services have mor
Translation: (Score:3)
"Researcher decides to publicly disclose iOS bugs after Apple fails to fix them for months"
"Zero-day" has taken on a tautological definition. and does not usefully contribute to the significance of the issue.
Re: (Score:2)
I think "zero-day" has become newspeak for "you should be scared." The problem with that sort of mentality is that they label EVERY bug as zero-day, and you get desensitized to it to the point that even if something really is a zero-day, all you feel like doing when you hear about another one is shrugging and moving on with your day.
Can't wait for the next scary trigger word to come along and make zero-day into a has-been.
Re: (Score:2)
This could be solved entirely if the term "zero day" was only ever used to describe bugs uncovered within the first 24 hours that the software susceptible to that exploit had been available to the public.
In other words, hardly ever.
They just work (Score:4, Funny)
Re: (Score:2)
And if not, you're holding it wrong.
What I'm more interested in is (Score:5, Insightful)
Did the Researcher get any money for Bug Bounties?
Re: (Score:2)
Obviously none of the Apple ones. Publishing would be basically tantamount to cancelling the bug bounty you would've gotten.
These issues seem related to apps though - is Apple scanning apps to see if they make use of these vulnerabilities? I mean you can't just run arbitrary code very easily on iOS anymore (or jailbreaking would still be a very common thing), so perhaps these issues aren't as urgent as other issues.
After all, there are going to be bugs. If
Re: (Score:2)
Probably lawsuits. :(
Zero-Day (Score:5, Insightful)
I like how all the comments so far are talking about whether this is or isn't really a zero-day, and discussing the fine details of the definition of zero-day, and not a word on Apple's apparent disinterest.
Nerds.
Re: (Score:2)
Well we had to give YOU something to do. Think of it as job security and taking care of our own.
Apple's internal policy on bugs is to ignore... (Score:5, Interesting)
I used to work at Apple
Apple's internal policy on bugs and security issues is to ignore them as much as possible and rank them by which ones are most likely to get them negative press.
The ones which are the most likely to, or do get them negative press are the ones that get addressed first.
You know how your iPhone always seems to have issues connecting to your car properly? Most people assume that's their car's fault... it's not... it's your iPhone, but because people blame their car, Apple has not fixed that bug in over a decade, and it gets worse with every release of iOS.
Re: (Score:3)
Sounds like a lot of Windows hardware driver manufacturers. Their shitty slapped-together driver pukes for no discernible reason but they don't care because they know customers will just blame Microsoft (looking at you Broadcom).
Re: (Score:2)
It's not just Apple's too.
If day zero is the day of public launch of the sof (Score:1)
New Conspiracy Theory (Score:3)
Apple didn't fix them for a reason, and actually knew about them before they were informed. In fact Apple built these "security bugs" into iOS for the NSA and FBI. That's how they exploit iPhones to secretly surveil Apple users.