Apple patches iOS, macOS, iPadOS, watchOS, kitchen-sinkOS bugs said to be exploited in the wild

In Brief Apple on Monday patched security flaws in its software said to have been exploited in the wild by miscreants to hijack gear.

WebKit, fixed in macOS Big Sur 11.3.1, can be tricked into executing arbitrary code by processing malicious web content – a bad webpage can take over the browser, in other words. “Apple is aware of a report that this issue may have been actively exploited,” it said in its advisory.

Specifically, there are two bugs: memory corruption flaw CVE-2021-30665, which was found by a trio at 360 ATA, and an integer overflow issue CVE-2021-30663, credited to an anonymous researcher. The same holes are fixed in iOS 14.5.1 and iPadOS 14.5.1, and the memory corruption problem is addressed in watchOS 7.4.1.

iOS 12.5.3 was released to fix up both holes plus WebKit buffer overflow blunder CVE-2021-30666, also found by the 360 ATA trio and also said to have been exploited in the wild to execute malicious code on iThings. The three researchers also found CVE-2021-30661, a use-after-free() in WebKit Storage again believed to have been exploited in the wild to hijack devices.

From micro-ops to micro-oops: Intel, AMD chip cache may leak secret data

More data-leaking design weaknesses in modern x86 microprocessors have been documented by academics, who believe it may not be possible to fully mitigate these flaws without taking a performance hit.

Intel, meanwhile, says there’s nothing to worry about, provided you’ve written and built your software correctly.

The team at the University of Virginia and University of California San Diego in the US took a look at the micro-op caches in Intel and AMD chips, and on Saturday said they found the caches can be abused to spill secret information in Spectre-like attacks. It is claimed today’s mitigations for Spectre can’t stop these leaks.

x86 processors execute complex instructions that can be broken down by CPU cores into multiple smaller operations, commonly called micro-ops. Today’s Intel and AMD processors store these instruction fragments in a cache, and as we saw with Spectre, if something’s cached in a core, it can probably be exploited to inadvertently leak information.

According to the boffins’ paper [PDF], it may be possible to exploit micro-op caches to leak information across privilege boundaries; transmit info from one thread to another if they are running on separate logical SMT cores within the same physical CPU core; and leak data via transient execution. These are difficult to exploit in practice, and if it were to happen, we imagine it would take place in highly targeted attacks in which malicious JavaScript or some other untrusted code manages to sneak data out of its sandbox.

Intel and AMD are aware of the team’s findings. In a canned statement, a spokesperson for Intel said it told the academics that its “existing mitigations were not being bypassed and that this scenario is addressed in our secure coding guidance,” which you can find here.

“Software following our guidance already have protections against incidental channels, including the micro-op cache incidental channel,” Chipzilla added. “No new mitigations or guidance are needed.” In other words, if you write your code so that it is resistant to timing attacks, you’ll be fine, apparently.

Red Hat distinguished engineer Jon Masters has personally blogged a rundown of the vulnerabilities here.

FBI partners with Have I Been Pwned

Ever since Troy Hunt set up Have I Been Pwned in seven years ago, it’s become a go-to resource for checking whether your details have been stolen and leaked from any number of databases on the internet, and now the FBI has teamed up with the dotcom.

After a combined US and EU police operation took down the Emotet botnet this year, the Feds decided to ask Hunt for help in reaching people hit by the malware.

“The FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their accounts had been affected by Emotet,” Hunt said in a blog post.

“In all, 4,324,770 email addresses were provided which span a wide range of countries and domains. The addresses are actually sourced from 2 separate corpuses of data obtained by the agencies during the takedown.”

ISC warns of security BIND

Time to get patching your Berkeley Internet Name Domain (BIND) 9 systems after the Internet Systems Consortium (ISC) released a triple set of patches.

The primary flaw, CVE-2021-25216, affects BIND 9.5.0 to 9.11.29 configured to run Generic Security Service Algorithm for Secret Key Transactions (GSS-TSIG). This is not enabled by default, though plenty of people do. Successful exploitation can crash 64-bit installations, or crash or achieve remote-code execution against 32-bit builds. It was serious enough to cause America’s Cybersecurity and Infrastructure Security Agency to issue its own alert.

The other two issues are CVE-2021-25215, a DNAME-related crash bug, and CVE-2021-25214, another potentially remotely triggerable crash.

Experian scores exposed by blabbermouth partner service

It was discovered a partner of Experian had provided a pretty weak front-end for the credit-check giant’s back-end API, allowing the easy look-up of Americans’ scores and the reasons for their score.

Bill Demirkapi, a sophomore at the Rochester Institute of Technology in the US, found the online service when shopping around for student loans. He realized he could get the credit scores of anyone by supplying their name, address, and date of birth, all potentially publicly available information, and built a tool dubbed “Bill’s Cool Credit Score Lookup Utility,” to fetch the information.

“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian told infosec blogger Brian Krebs. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously.”

In other words, Experian had that partner’s front-end tool closed down, but there may be others out there also misusing the API to provide free, unchecked lookups. ®

READ MORE HERE