Apple issues emergency security updates for all of its platforms

Fasterthannothing

Summary

  iOS 16.3.1, iPadOS 16.3.1 and macOS 13.2.1 patch a new WebKit zero-day that’s being used to attack Apple users

 

Quotes

Quote

 Apple has released emergency security updates in order to patch a new zero-day vulnerability that’s being used to hack vulnerable iPhones, iPads and Macs.

As reported by BleepingComputer, this zero-day vulnerability (tracked as CVE-2023-23529) was discovered by an anonymous researcher and has now been patched with the release of iOS 16.3.1, iPadOS 16.3.1 and macOS 13.2.1.

The flaw itself is a WebKit confusion issue and, if exploited by an attacker, it could be used to execute arbitrary code on vulnerable iPhones, iPads and Macs after a user navigates to a malicious website.

To make matters worse, Apple is aware of a recent report which indicates that this zero-day vulnerability “may have been actively exploited” in the wild. This is why the iPhone maker has quickly released emergency security updates for iOS, iPadOS and macOS.

 

My thoughts

This is a massive security breach, by far the biggest one Apple has ever had, and it has massive security implications.

 

Sources

  https://www.tomsguide.com/news/apple-patches-webkit-zero-day-vulnerability-with-ios-1631-update-your-iphone-now

Link to comment

56 minutes ago, Fasterthannothing said:

This is a massive security breach, by far the biggest one Apple has ever had, and it has massive security implications.

Lol no it's not. This kind of bug happened twice last year with 15.3.1 and 15.7.2/16.1.2.

Are they serious? Yes, and you should update. Is this one the biggest ever? No.


Link to comment

4 minutes ago, FakeKGB said:

Lol no it's not. This kind of bug happened twice last year with 15.3.1 and 15.7.2/16.1.2.

Are they serious? Yes, and you should update. Is this one the biggest ever? No.

I don't believe those were actively exploited, at least it was never said that they were.

Link to comment

This is serious yes. Anyone using affected devices should update.

 

Also, it's fantastic that Apple rushed out a fix so quickly. It sucks that this vuln was discovered - but I don't see any other way Apple should have acted. They did the right thing.


Link to comment

1 hour ago, Fasterthannothing said:

I don't believe those were actively exploited, at least it was never said that they were.

Apple said both were actively exploited.


Link to comment

3 hours ago, Fasterthannothing said:

Apple has released emergency security updates

It was an important update for security as protection of data since it fixed the iCloud backup bug. Apple should have put a lot more urgency into getting the update out sooner. It took them three weeks between iOS 16.3 and the release of 16.3.1. That's way too long for an extremely important update.

Link to comment

6 minutes ago, Rolling2405 said:

It was an important update for security as protection of data since it fixed the iCloud backup bug. Apple should have put a lot more urgency into getting the update out sooner. It took them three weeks between iOS 16.3 and the release of 16.3.1. That's way too long for an extremely important update.

What is the acceptable time frame for security updates?
 

Link to comment

2 hours ago, ToboRobot said:

What is the acceptable time frame for security updates?
 

I'm not sure exactly but I would probably say a week at most. By taking three weeks it shows that Apple did not give it the urgency it required. I'm sure that if they were trying their best and really working on it they could have gotten the update out in a week or less.

Link to comment

29 minutes ago, Rolling2405 said:

I'm not sure exactly but I would probably say a week at most. By taking three weeks it shows that Apple did not give it the urgency it required. I'm sure that if they were trying their best and really working on it they could have gotten the update out in a week or less.

And you base this on what exactly? 

How do you say, "all bugs can be fixed in 1 week?" regardless of what they are, the complexity involved, or the potential to cause further issues by rushing out an update as fast as possible...

You have to find the bug.  Fix it.  Test it.  Ensure that it doesn't introduce other vulnerabilities.  Ensure that it doesn't break functionality. 

So how did we come to this arbitrary 1 week number?  What about Microsoft's monthly cadence?  Do they also release critical patches in 1 week, or sometimes does it take longer because software is hard?

Link to comment

6 hours ago, dalekphalm said:

Also, it's fantastic that Apple rushed out a fix so quickly.

Quickly? It took them a month. The original report is from 12th of January.

Apple felt the need to push the fix with an extraordinary update because it was already actively used. Most security patches fly under the radar and get implemented with their regular cycle.

Link to comment

12 minutes ago, ToboRobot said:

And you base this on what exactly? 

How do you say, "all bugs can be fixed in 1 week?" regardless of what they are, the complexity involved, or the potential to cause further issues by rushing out an update as fast as possible...

You have to find the bug.  Fix it.  Test it.  Ensure that it doesn't introduce other vulnerabilities.  Ensure that it doesn't break functionality. 

So how did we come to this arbitrary 1 week number?  What about Microsoft's monthly cadence?  Do they also release critical patches in 1 week, or sometimes does it take longer because software is hard?

I'm just saying that update should have come out faster since it was to fix a massive security vulnerability as well as fix the iCloud backup which is also extremely important.

Link to comment

4 minutes ago, Rolling2405 said:

I'm just saying that update should have come out faster since it was to fix a massive security vulnerability as well as fix the iCloud backup which is also extremely important.

By all means it should be released as soon as possible.  Why do you think it was possible to release a quality update faster?  

Link to comment

2 minutes ago, ToboRobot said:

By all means it should be released as soon as possible.  Why do you think it was possible to release a quality update faster?  

I guess I am just thinking that with the amount of resources they have they should have been able to release without causing any additional bugs. To me it just seems like they didn't work as hard and as fast as they could have and should have.

Link to comment

1 hour ago, Rolling2405 said:

I guess I am just thinking that with the amount of resources they have they should have been able to release without causing any additional bugs. To me it just seems like they didn't work as hard and as fast as they could have and should have.

Just because they have a large amount of resources doesn't mean that when something like this pops up it takes priority over everything else. It probably became pretty high priority, but with the M2 Pro and M2 Max chips launching 5 days later along with the new HomePod, I think they may have put it on a slightly lower priority than it should have been.

Also, it's weird that they didn't use Rapid Security Response for this, because I thought that situations like these were exactly what it was designed for.

Link to comment

9 hours ago, FakeKGB said:

Lol no it's not. This kind of bug happened twice last year with 15.3.1 and 15.7.2/16.1.2.

Are they serious? Yes, and you should update. Is this one the biggest ever? No.

Certain kinds of exploits get blown out of proportion because media has no understanding of the difference between "this is an exploit in webkit that requires a specifically crafted URL for the user to be phished with to exploit" and "the phone on my desk is being hacked by internet gremlins, despite not being turned on."

 

Most stories make it sound like a device can be hacked even though it's turned off. "an exploit in webkit" means that the web browser and ANY webview (e.g. apps' IAPs) can exploit it. So while it can be critical, it requires the user to actively do something in an exploitable page or app, and most users will not be exposed to such things because they don't visit hostile websites on their phones. On Macs you can use Firefox and avoid it entirely.

 

When people encounter web browser exploits, it's usually a consequence of visiting toxic dumpsterfire sites because "the hackers" know certain sites are browsed by less tech-savvy people.

 

Link to comment

The vulnerability is "bad", but you still need to go to a website that would allow the exploit to take place. if all you use are the same websites and the same apps every day, then you'd've most likely been pretty safe.

i'm normally very critical of Apple, but i see no issues with how they handled it. technology is so complicated these days that it is impossible for exploits to not exist.

 

1 hour ago, Kisai said:

Certain kinds of exploits get blown out of proportion because media has no understanding of the difference between "this is an exploit in webkit that requires a specifically crafted URL for the user to be phished with to exploit" and "the phone on my desk is being hacked by internet gremlins, despite not being turned on."

to be fair (and i hate being fair to the media), most users have no idea either.


Link to comment

1 hour ago, Kisai said:

When people encounter web browser exploits, it's usually a consequence of visiting toxic dumpsterfire sites because "the hackers" know certain sites are browsed by less tech-savvy people.

  • Drive-by downloads occur when an infected ad server rotates into view that's hosting the exploit.
  • Malicious URLs could come in the form of unsolicited text messages.

Yes, the user would have to click on them, but it doesn't take much to social engineer a user. "Thank you for your payment, click here for the receipt", or "Your Amazon package was delayed", and "Your password was reset, if this wasn't you, click here to report"

Link to comment

4 minutes ago, StDragon said:
  • Drive-by downloads occur when an infected ad server rotates into view that's hosting the exploit.
  • Malicious URLs could come in the form of unsolicited text messages.

Yes, the user would have to click on them, but it doesn't take much to social engineer a user. "Thank you for your invoice, click here for the receipt", or "Your Amazon package was delayed", and "Your password was reset, if this wasn't you, click here to report"

That requires a level of sophistication that zero-day exploits don't get to enjoy. Infected ad servers are rare, because in order to get those ad servers, or crafted ads into rotation, you have to be trusted, and nobody does that anymore. https://support.google.com/adsense/answer/7532444?hl=en

 

Quote

Authorized Digital Sellers, or ads.txt is an IAB Tech Lab initiative that helps ensure that your digital ad inventory is only sold through sellers (such as AdSense) who you've identified as authorized. Creating your own ads.txt file gives you more control over who's allowed to sell ads on your site and helps prevent counterfeit inventory from being presented to advertisers.

Now that said, go look at ads.txt on sites you visit and see how many of those ad vendors you recognize. Some sites, just accept everything.

 

 

 

Link to comment
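The ads.txt check suggested in the post above, as an added example that is not code from any poster in this thread: it parses an ads.txt file in the IAB Tech Lab format and lists the authorized ad systems that are not on a list you recognize. The sample file, its domains and account IDs, and the function names are constructed for illustration.

```python
from collections import Counter

# Variable names defined by the IAB ads.txt specification (1.0 and 1.1).
VARIABLES = {"contact", "subdomain", "ownerdomain", "managerdomain"}
RELATIONSHIPS = {"DIRECT", "RESELLER"}

# Constructed sample file; every domain and account ID is a placeholder.
SAMPLE = """\
# ads.txt for publisher.example
adsystem-a.example, pub-1111, DIRECT, abc123
adsystem-a.example, pub-2222, RESELLER
exchange-b.example, 98765, RESELLER, def456   # inline comment
Exchange-C.example, 555, reseller
contact=adops@publisher.example
subdomain=news.publisher.example
broken-line.example, 42
exchange-d.example, 7, PARTNER
"""

def parse_ads_txt(text):
    """Return (records, variables, malformed) for one ads.txt body."""
    records, variables, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        head = line.split("=", 1)[0]
        if "=" in line and "," not in head:         # NAME=VALUE variable line
            name, value = head.strip().lower(), line.split("=", 1)[1].strip()
            (variables if name in VARIABLES else malformed).append(
                (name, value) if name in VARIABLES else (lineno, raw.strip()))
            continue
        fields = [f.strip() for f in line.split(",")]
        # Record: ad system domain, seller account ID, relationship, optional cert ID.
        if (len(fields) not in (3, 4) or not all(fields[:3])
                or fields[2].upper() not in RELATIONSHIPS):
            malformed.append((lineno, raw.strip()))
            continue
        records.append({"domain": fields[0].lower(), "account": fields[1],
                        "relationship": fields[2].upper(),
                        "cert_id": fields[3] if len(fields) == 4 else None})
    return records, variables, malformed

def audit(text, recognized):
    """Summarize who may sell the site's inventory and who you don't know."""
    records, _, malformed = parse_ads_txt(text)
    by_rel = Counter(r["relationship"] for r in records)
    domains = sorted({r["domain"] for r in records})
    return {"sellers": len(domains),
            "direct": by_rel["DIRECT"],
            "reseller": by_rel["RESELLER"],
            "unrecognized": [d for d in domains if d not in recognized],
            "malformed_lines": [n for n, _ in malformed]}

if __name__ == "__main__":
    # "recognized" is whatever vendor list you personally trust (assumption).
    print(audit(SAMPLE, recognized={"adsystem-a.example"}))
```

A long `unrecognized` list dominated by RESELLER entries is the "accept everything" pattern the post describes.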

5 minutes ago, Kisai said:

That requires a level of sophistication that zero-day exploits don't get to enjoy. Infected ad servers are rare, because in order to get those ad servers, or crafted ads into rotation, you have to be trusted, and nobody does that anymore. https://support.google.com/adsense/answer/7532444?hl=en

 

Now that said, go look at ads.txt on sites you visit and see how many of those ad vendors you recognize. Some sites, just accept everything.

 

 

 

Not that rare. Many of those servers are poorly maintained and are juicy targets to infect and host malware.

At the moment, the Healthcare industry is a prime target of ransomware attacks. Doesn't take much to crawl on LinkedIn to find out who's who in the industry and whom to target.

Don't play around with cyber security. Don't play footsie with your infrastructure, keep that shit patched!!!

Link to comment

4 hours ago, leadeater said:

I'd rather wait a month than get a software update that required an OS rebuild 😉

We all have no idea if it actually took Apple one full month to create a fix and validate it or if they just escalated the exploit to top priority once they knew it was actively used and created a fix within a week. Probably a little bit of both.

 

Link to comment

Did they do it fast enough?  let me check my crystal ball.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

Link to comment

19 hours ago, Fasterthannothing said:

This is a massive security breach, by far the biggest one Apple has ever had, and it has massive security implications.

Yeah, I made sure my devices were updated. Made sure my parents' iPhones were updated. Texted my sister and said the fact this was newsworthy means you need to update their devices immediately.

I just want to sit back and watch the world burn. 

Link to comment

14 hours ago, Rolling2405 said:

I'm not sure exactly but I would probably say a week at most. By taking three weeks it shows that Apple did not give it the urgency it required. I'm sure that if they were trying their best and really working on it they could have gotten the update out in a week or less.

That's completely arbitrary. I'm not a programmer, but I did do some coding in high school and college - and bugs can sometimes be incredibly complicated to deal with.

 

On top of that, creating a patch if you rush it, can cause way way more problems.

13 hours ago, HenrySalayne said:

Quickly? It took them a month. The original report is from 12th of January.

Apple felt the need to push the fix with an extraordinary update because it was already actively used. Most security patches fly under the radar and get implemented with their regular cycle.

A month is fairly quickly in the software world. Sometimes it takes them multiple months to release a fix. They acted quickly, IMO. The fact that it was actively exploited probably did escalate the rollout.


Link to comment