Apple Patches iPhone Zero-Day

The most recent iPhone update—to version 16.2—patches a zero-day vulnerability that “may have been actively exploited against versions of iOS released before iOS 15.1.”

News:

Apple said security researchers at Google’s Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered and reported the WebKit bug.

WebKit bugs are often exploited when a person visits a malicious domain in their browser (or via the in-app browser). It’s not uncommon for bad actors to find vulnerabilities that target WebKit as a way to break into the device’s operating system and the user’s private data. WebKit bugs can be “chained” to other vulnerabilities to break through multiple layers of a device’s defenses.

Posted on December 16, 2022 at 7:04 AM • 15 Comments

Comments

Clive Robinson December 16, 2022 9:27 AM

@ ALL,

Re : CVE-2022-42856

For those that don’t use TechCrunch because of the way the Yahoo’s force themselves onto your browser,

There are other information sources, just one of which is,

https://thehackernews.com/2022/12/new-actively-exploited-zero-day.html

However before you go there or TechCrunch have a look at,

https://www.cvedetails.com/cve/CVE-2022-42856/

Which currently tells you next to nothing, and that tells you most ICTsec and other ICT news sites will not have much of anything to tell you as of yet.

TimH December 16, 2022 10:15 AM

I wish these attack reports would just advise one feature: is the vector foiled by having JavaScript disabled in the browser?

Denton Scratch December 16, 2022 11:33 AM

a zero-day vulnerability that “may have been actively exploited[…]”

I thought a “zero-day” was a vuln that has not been observed being exploited in the wild. Obviously I’m wrong about that – evidently I’ve been labouring under a misapprehension for some years!

So what does Bruce mean by a “zero day”?

Andrew P December 16, 2022 11:43 AM

It would be interesting if Apple would indicate what, if any, protection Lockdown Mode provided against this CVE (and against all iOS CVEs).

Jinx December 16, 2022 12:17 PM

@Denton Scratch:

Usually, “zero-day” means a newly-disclosed vulnerability for which the developer or vendor has had zero days to remediate or mitigate.

Some zero-days may have been discovered independently, kept secret, and are actively being exploited at the time of disclosure. Some zero-days are new to everyone, and there is a race between the patchers and the exploiters. If the discoverer works with the vendor, it’s possible that the (at one time) zero-day can be announced at the same time as the patch. I guess that is what the article implies?

Quantry December 16, 2022 12:49 PM

@ Denton Scratch

hence my term “pre-zero-day”: like [a government] exploiting Heartbleed for years before disclosing it.

Clive Robinson December 16, 2022 1:01 PM

@ TimH, ALL,

Re : The heresy of not kow-towing to JavaScript.

“…is the vector foiled by having javascript disabled…”

You can be burned at the stake for saying such things, I know, I’m still brushing out the scorch marks from my “Flame Proof” protection…

Unfortunately a lot of very lazy people have turned a mess that was renamed as JavaScript back last century[1] into the veritable disaster and ICTsec hamster wheel of pain / Red Queen’s Race of today.

Nearly all who have JavaScript on their computers via their web browsers, ~98% of Internet users, are getting right royally abused by it. In so many ways that it’s not possible to list them all, as the list grows alarmingly whilst you are writing.

I usually have both Cookies and JavaScript disabled and I’ve mentioned and advised this ever since this blog has existed, not just on this blog but other places.

Whilst the response here was initially cold, in other places it actually induced violent outbursts from those who viewed me as “breaking their rice bowl”.

I used to say the same about other Web-tech like Flash that no longer really exists and Java (not to be confused with JavaScript). They have faded from Web client use thankfully, but,

“That scorched smell still lingers”

Just to be blunt,

“Until developers understand the pitfalls of the client-side equivalent of ‘Off-Line’ security, any code they write will be ‘insecure by default’”.

Understanding the finer points between “Off-line” and “On-line” security is majorly lacking in the ICT sector, especially in ICTsec which really does surprise me…

To understand the differences start looking into,

1, Failed Credit-Card Security.
2, Failed Set-top-box Security.
3, Failed Sat-TV-box security.
4, Failed Smart-Card Security.
5, Failed DVD Security.
6, Failed DRM Security.
7, Failed CPU Enclave Security.
8, Failed Encrypted RAM Security.

And quite a few more examples. You fairly quickly get to see the “failed” instances forming classes, and from there making the development of new instances all so much the easier for those that want to Crack, or Steal peoples Privacy.

But the short version is,

“Off-Line security is Faux-Security as the ‘Root of Trust’ is always vulnerable in some way to a hostile user”.

(We used to say it was “Game-over if they get Front-Panel Access” back in the early 1980’s and probably back as far as the 1950’s but even I was not as such “a twinkle in the eye” back then 😉)

All JavaScript really does is make the deficiencies of “Off-Line” security more glaringly obvious… But “they” appear to care not a jot, HTML 5 is rather more than a “little shop of horrors” and “they” pay the salaries of those behind JavaScript and HTML 5…

BUT… JavaScript “Type Issues” are far from new, people were making jokes about them over a decade ago,

https://web.archive.org/web/20200823123837/https://www.wired.com/2012/01/jokes-for-nerds-wat-moments-in-programming/

[1] Originally called “LiveScript” Brendan Eich’s “quick hack” was first shipped by “Netscape” as part of a “Navigator beta” back in September 1995… Even though it had a country mile of “horses apples” attached, on December the 4th it was pushed out the door on an unsuspecting world… There are a number of reasons for its existence and none of them are good.

Firstly HTML was never ever designed to be interactive, thus had no method of handling state for a server to be synced by, or any real kind of user input. Nor was HTML in any way designed to allow user side interaction. Adding these gave the first avalanche of security breaches.

Secondly Web based organisations wanted to do things on the cheap. The correct place to do interaction with the user was not on the client –big security issue– but on the server. However Netscape, and the Mosaic they came from, had made things badly and as a result the server side could not even do minor CGI without dropping to its knees or hemorrhaging memory. So for Netscape it was imperative that as much as possible be off-loaded onto the client…

Thirdly most of those playing with JavaScript were not actually Systems Programmers, some were not even Programmers. Next to none of them knew anything about security… So the results were kind of predictable.

In 1995/6 I gave a series of academic presentations about the dangers of incorrect handling of “state”, “Data types”, and “Security” to post-grad and PhD CompSci types. The sheeplike blank looks I was getting told me it was time to get the heck away from “web-tech” and instead develop ways to “fence it off” and “mitigate it” because it was going to be a monumental “cl45t3r-f4ck” which it has been ever since and will no doubt continue to be for years to come…

It was no comfort when Brendan Eich got not just flamed but toasted for his political/religious views. Unfortunately his hand is still on the JavaScript tiller one way or another.

Clive Robinson December 16, 2022 1:17 PM

@ Denton Scratch,

You just need to add “previously” to your definition 😉

That is it was “previously” covertly used or not used at all… Now it is discovered / known officially / publicly its usage is overt.

But in all honesty “zero day” has kind of lost its meaning over the years, in part because attacks that have been tested technically start out as “zero day” even though tested legally.

Like the word “Hack” others such as journalists and prosecutors have taken a reasonable term, and quite deliberately misused it to imply criminal intent or activity to further their own less than honest ends…

SpaceLifeForm December 16, 2022 6:47 PM

@ ALL

Re: Mosaic, Livescript, Netscape, etc

What Clive wrote above is accurate historical information. I am an OG too.

Security Sam December 18, 2022 8:47 AM

If you really do want security
But, you do abhor obscurity
You need write only memory
Or write once and read many.

Phillip December 20, 2022 8:02 AM

@Clive Robinson, @Denton Scratch, @Jinx:

I have thought “zero day” sounded rather ominous, owing to the many occurrences. Next, as per @Jinx, finding one in the wild might not be a real zero day, anyway, when an attacker might rinse and repeat.

About hacker, I remember when: if one could “hack”, one was merely proficient with a computer (ala scripting, programming, and such).

JonKnowsNothing December 20, 2022 3:00 PM

@Clive, All

re: Coring the Apple

rl tl;dr (try not to laugh too hard)

Backgrounder:

Recently a friend wanted to assist me getting an up to date cellphone. It is a holiday present, and knowing my circumstances, a most generous one. These days I do not turn away presents due to pride or shame. So, we did some “kicking the sales can” and I ended up with a new iPhone 14 Pro (not Max which is hung up at Foxconn in China), iOS 16.2.

So I have a new phone and new service provider: no limits on talk, text, data. I have only minimal apps, maybe 3 or 4, as required to navigate modern accounts and settings. No social apps or fluff.

Interesting stuff:

So, I sent (1 text + 3 pictures) to several friends. A few friends got (1t+3p), the rest got (1t+1p) so (2p) hit the bit bucket between my phone and their phone or email.

Destination types:

3 iPhones (8-13 Pro), Android, email (Windows, Mac) (all receivers have unlimited talk, text, data)

I was able to replicate this anomaly, where if sending multiple images, only one image is received and all others are lost.

I contacted the carrier and talked to a friendly Tech but they hadn’t a clue about what was wrong. They said that everything was WAI. No Errors Logged, no Errors Returned and no ideas on why n-1 pictures are lost to some destinations but not all.

Words like Log4J, Heartbleed, buffer overrun, misconfigured gateway and a general discussion of packet transmission and packet design were unknown topics.

I suggested to the Tech that they put all of the above in their notation section… just in case.

Takeaway:

If you think about this a bit, as you move up and down the stack, you may consider there are a number of places where such a fault could happen, and a lot of places where it cannot or should not.

I don’t expect any resolution anytime soon. It’s the way of the world now.

Clive Robinson December 20, 2022 8:28 PM

@ JonKnowsNothing,

“Recently a friend wanted to assist me getting an up to date cellphone. It is a holiday present, and knowing my circumstances, a most generous one.”

It is very kind of them, it would be an expensive gift in the UK where both phones and service contracts tend to be less expensive than the US.

I guess you will, where able, be doing more than one or two odd jobs etc on the “what comes around goes around” principle[1].

But the issue with photos is not unique to Apple and it’s been around one way or another for years.

Back in the early part of the 2000’s “Picture SMS” started as a service, of course it was not SMS at all… Odd things used to happen. Such as with multi-party SMS’s the recipients do not know it’s multi-party or who the other parties are. However adding a picture attachment also tacked a CC-list in. Which in the UK at the time was very much against the rules (SMS were considered to be “telephone communications” thus had to follow “exchange / CO” rules with phone numbers… T-Mobile in the UK were not happy to have me phone them up and point out that and the applicable data protection rules…).

So as a “wild guess” I would say that some one has “cod’sd up” the linking of the disparate parts. Which of course won’t be helped by Apple’s changes to iMessaging to go via data connection wherever possible.

[1] I’m about the worst person you can find for trying to give gifts or help to, at the very least I get very very embarrassed, go pink in the ears and try to scuttle away. However, I’m also one of the easiest to ask for practical help as I enjoy helping. Blame my parents for making me stand on my own feet as an ethos and helping others as a moral duty. As my mother used to say “You helps them that can not help themselves, and you also help those who can help themselves as it gets the job done easier”. As my dad used to say “Hammer in one hand, nail in the other, and a helping hand holds the wood”.
