Categories
Mobile Syrup

Exploit with Pixel screenshot editor lets you un-crop images

The March security update that rolled out earlier this month included some fixes for major vulnerabilities on Google’s Pixel smartphone line.

There was a patch for an exploit with Samsung-made modems that could allow attackers to access data like phone calls or text messages using only the victim’s phone number. However, that wasn’t the only major vulnerability. The March update also includes a fix for a high-severity flaw with the Pixel Markup tool for editing screenshots. In short, the flaw leaves data in the image file that could allow malicious actors to partially restore images that were cropped or edited.

Dubbed ‘aCropalypse,’ details emerged over the weekend courtesy of Simon Aarons and David Buchanan, reverse engineers who uncovered the flaw. Aarons posted an image on Twitter showing how aCropalypse can be used to recover an image — the image shows a cropped, redacted photo of a credit card shared in a chat, and then the recovered image that includes the unredacted credit card number. Meanwhile, Buchanan posted a blog post with a technical breakdown of the exploit — if you’re curious how, exactly, aCropalypse works, it’s worth a read.

The flaw has existed for about five years. Markup was released in 2018 as part of Android 9 Pie, so it seems like aCropalypse has been around basically since the beginning. Although the March security patch fixes the problem for future images, edited screenshots taken prior to the patch are still vulnerable.

However, it’s hard to say just how worried Pixel owners should be. Aarons and Buchanan have a FAQ page coming — though at the time of writing, it wasn’t live — that should help explain some of the details. One important piece of information the duo shared with The Verge and 9to5Google is that some websites, like Twitter, process images in such a way that they aren’t vulnerable to aCropalypse. Not everything is like this, though — the pair pointed out Discord as an example, which didn’t patch out the vulnerability until January 17th.

With that in mind, it’s probably best to assume any screenshot you’ve taken and edited on a Pixel phone in the last five or so years could be reverse-engineered to recover the edited parts of the image.
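As an added check (not code from the article or from Aarons and Buchanan), the following Python flags a PNG whose edited-out content may still be recoverable. It assumes the mechanism Buchanan’s writeup describes: the edited image is written over the original file without truncating it, so the original’s bytes remain after the PNG’s IEND chunk; the sample PNG and the stale tail are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def trailing_bytes_after_iend(png: bytes) -> int:
    """Walk the chunk list and return how many bytes follow the IEND chunk.
    0 means well-formed; a positive count means the edited file was written
    over a larger original without truncation, so stale image bytes remain.
    Raises ValueError if the input is not a parseable PNG."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(png):
            raise ValueError("reached end of file before IEND")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(png):
            raise ValueError(f"chunk {ctype!r} runs past end of file")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        pos = end
        if ctype == b"IEND":
            return len(png) - pos


def is_at_risk(png: bytes) -> bool:
    """True when stale bytes follow IEND, the precondition for recovery."""
    return trailing_bytes_after_iend(png) > 0


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk; used only to construct the sample below."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


# Constructed sample: a valid 1x1 RGB PNG, and the same file with a fake stale
# tail appended, as an overwrite without truncation would leave behind.
_ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
_idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
CLEAN_PNG = PNG_SIGNATURE + _chunk(b"IHDR", _ihdr) + _chunk(b"IDAT", _idat) + _chunk(b"IEND", b"")
STALE_TAIL = b"\x00" * 40 + b"<constructed leftover image bytes>"
LEFTOVER_PNG = CLEAN_PNG + STALE_TAIL
```

To audit a real screenshot, read the file as bytes and pass it to `trailing_bytes_after_iend`; a positive count is the condition the recovery depends on, and re-saving the image with an editor that writes a fresh file removes it.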

Moreover, the March patch only rolled out to the Pixel 4a, 5a, 7 and 7 Pro, with the update delayed for the Pixel 6 series (though it’s supposed to roll out on March 20th).

You can learn more about the aCropalypse exploit here or try a demo of it here.

Source: Aarons, Buchanan, Via: The Verge

Zoom rolls out fix for Mac app security flaw

Zoom has pushed out version 5.11.5 of its Mac app, which includes an important security fix for a relatively recent security flaw.

Security researcher and founder of the non-profit Objective-See Foundation Patrick Wardle uncovered the Zoom security flaw and presented it at last week’s Def Con hacking conference. Per The Verge, the exploit leverages the Zoom installer, which requires special user permissions to run. Wardle discovered that it was possible to ‘trick’ Zoom into installing a malicious program by adding Zoom’s cryptographic signature to the package.

Once installed, attackers can use the malicious program to gain more access to a user’s system, potentially to modify, delete, or even add files to the device.

As spotted by MacRumors, Zoom addressed the issue in its August 13th security bulletin, noting that version 5.11.5 of Zoom for Mac fixes the flaw and is now available.

In a tweet, Wardle congratulated Zoom on the quick fix, noting that it looks like the installer now “invokes lchown to update the permissions of the update” package to prevent malicious apps from sneaking in.

As such, you’ll likely want to grab the latest Zoom update right away to make sure you are protected against the exploit. You can update Zoom by opening the app and clicking the name in the menu bar, then ‘Check for updates.’ If one’s available, you’ll need to click ‘Update’ to start the process.

Header image credit: Shutterstock

Source: Zoom Via: MacRumors, The Verge

Intel found a flaw in AMD’s Spectre mitigation, AMD issues fix

Intel’s security team found a flaw in AMD’s old ‘LFENCE/JMP’ patch to mitigate Spectre vulnerabilities across several generations of Ryzen and Threadripper CPUs.

In response, AMD issued a security bulletin recommending the use of alternate mitigation options. The update also had additional information for software developers.

Spectre is a type of security flaw that affects almost all modern Intel and AMD processors. It can potentially allow attackers to access sensitive data without detection. Worse, last week researchers found that Intel and Arm processors are susceptible to a new kind of ‘Spectre v2’ attack.

Intel uncovered the issue with LFENCE/JMP while investigating the new vulnerability. AMD implemented LFENCE/JMP in 2018 to mitigate against Spectre, but Intel’s researchers found it doesn’t adequately protect against the threat.

As per AMD’s security bulletin, the weakness in LFENCE/JMP spans the following chips:

  • Gen 1, 2, and 3 AMD Epyc processors
  • AMD Ryzen 2000, 3000, and 5000 series desktop processors
  • AMD Ryzen 4000 and 5000 series desktop processors with Radeon graphics
  • 2nd and 3rd Gen Ryzen Threadripper
  • AMD Ryzen Threadripper Pro
  • AMD Athlon 3000 series mobile processors with Radeon graphics
  • AMD Ryzen 2000 and 3000 series mobile processors
  • 2nd Gen AMD Ryzen mobile processor with Radeon graphics
  • AMD Ryzen 3000, 4000, and 5000 series with Radeon graphics
  • AMD Athlon, Athlon 3000, and Ryzen 3000 mobile processors with Radeon graphics for Chromebook

You can view the full list here.

The researchers who found the flaw performed the exploit on Linux, but so far there haven’t been examples of the exploit being used on platforms like Windows.

Finally, The Verge points out that patches for Spectre-related vulnerabilities have been known to cause performance issues, especially on older hardware. However, benchmarking platform Phoronix tested the impact of initial patches for Intel and AMD chips in 2019 and found AMD CPUs were less affected than Intel’s.

Image credit: AMD

Source: Tom’s Hardware, AMD Via: The Verge

You should download iOS 15.3 to fix a bug that could reveal your browsing data

Apple dropped a series of updates on January 26th that fix a previously reported WebKit bug that could allow websites to see other sites you accessed on your Apple device.

If you use an iPhone or iPad, you’ll want to update to iOS or iPadOS 15.3 as soon as possible to fix the bug. There’s less of a rush for Mac users to update since they can mitigate the bug by using other web browsers — however, if you regularly use Safari on your Mac, you should download the Safari 15.3 update right away.

The bug, first reported to Apple in late November by FingerprintJS, affects web browsers that use WebKit, the open-source foundation for Apple’s Safari browser. Apple also mandates the use of WebKit on iOS and iPadOS, meaning any browser made for Apple’s mobile OS (including Chrome, Firefox, et al.) is also impacted by the bug.

A short explanation is that WebKit’s implementation of a commonly used JavaScript API for storing web data on devices allowed websites to view the names of other sites that had stored data on a given device. Typically, browsers apply same-origin policy to prevent this. You can learn more about the bug and how it works here.

The iOS 15.3, iPadOS 15.3, and Safari 15.3 updates all include a fix for the issue. It’s good to see the fix applied, especially after FingerprintJS highlighted Apple’s lack of response earlier this month.

9to5Mac confirmed that a beta version of the update fixed the problem using a demo tool provided by FingerprintJS on its website.

If you use an Apple device, you’ll want to install the update right away. Here’s how:

  • iPhone/iPad – Open Settings > General > Software Update.
  • macOS – Click the ‘Apple’ menu in the top-left corner > System Preferences > Software Update > Update Now (You can also click ‘More info’ to view a list of available updates and specifically install the Safari update).

Source: Apple (iOS/iPadOS | Safari) Via: The Verge

Bug affecting Safari on macOS, all iOS browsers, could reveal browsing history

Apple prepared a fix for a WebKit bug that could reveal users’ recent browsing history and possibly their identity. However, it’s not clear when the tech giant will release updates with the fix.

According to MacRumors, a WebKit commit (a revision made to the code) on GitHub fixes the bug. However, Apple has not said when users could expect macOS, iOS or iPadOS updates to arrive with the fix. A January 14th blog post from FingerprintJS noted that the bug was reported to Apple on November 28th, 2021.

MacRumors previously reported on the bug on January 16th. The bug involves a JavaScript API called IndexedDB, a commonly used tool for storing data on people’s computers. Specifically, the bug exists in the way WebKit — the open-source engine powering Apple’s Safari browser — implemented IndexedDB.

In short, the bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites. Put another way, a website can access a list of other websites you’ve visited (even from different tabs or windows) if they’ve stored data using this API. Typically, browsers apply same-origin policy to IndexedDB to prevent sites from accessing anything outside of their own IndexedDB database.

Moreover, sometimes websites include unique user-specific identifiers in IndexedDB database names. MacRumors pointed to YouTube as an example, which creates databases that include users’ authenticated Google User ID in the name. Malicious actors could use this identifier to fetch personal information about users through Google APIs, such as their profile picture or name.

The WebKit bug affects Safari on macOS Monterey, iOS 15 and iPadOS 15. On iOS and iPadOS, Apple also forces third-party browsers to use the WebKit engine — that means browsers like Chrome and Edge running on iOS/iPadOS 15 are also affected. However, the bug doesn’t affect older versions of macOS, or iOS and iPadOS 14.

Ultimately, that means iOS and iPadOS users can’t really do anything to protect themselves from the bug beyond installing the software patch whenever Apple makes it available. For macOS users, however, switching to another browser would work.

Those interested in learning more about the bug should check out a deep-dive on it from FingerprintJS.

Source: MacRumors, (2), FingerprintJS

Apple’s iOS/iPadOS 15.2.1 update fixes HomeKit flaw that crashed devices

Apple rolled out iOS and iPadOS 15.2.1 on Wednesday. The minor update brings several bug fixes, including a patch for a denial-of-service vulnerability found in HomeKit.

Trevor Spiniolas discovered the vulnerability and published details about it on January 1st. At the time, Spiniolas accused Apple of being slow to respond to his initial disclosure, which he made in August 2021. The bug affects iOS and iPadOS versions as far back as 14.7 and possibly earlier versions too — iPhone and iPad owners should update their devices to avoid the bug.

The vulnerability, if exploited, would lead to HomeKit devices with really long names crashing iPhones and iPads. HomeKit is an API used for connecting smart home gadgets to iOS devices, and it backs up device names to iCloud. That means users hit with the problem would experience it again if they re-connected that same iCloud account.

Apple published a security notice for the iOS 15.2.1 update — it only lists the HomeKit issue and notes the following fix: “A resource exhaustion issue was addressed with improved input validation.”

However, there are other items in the 15.2.1 update. According to The Verge, the patch also fixes a bug that impacted the performance of third-party CarPlay apps and a bug that stopped the Messages app from loading certain photos sent through iCloud.

To download the update, open the Settings app on your iPhone or iPad > Tap ‘General’ > Tap ‘Software Update.’

Source: Apple Via: The Verge

Security flaw in widely-used logging system impacts Minecraft, iCloud, more

A massive security vulnerability dubbed ‘Log4Shell’ that potentially impacts millions of devices has security teams scrambling to apply patches.

The vulnerability affects an open-source logging library called ‘log4j’ used by apps and services across the internet, according to The Verge. Logging, for those not familiar, is a common process where apps keep a running list of activities they perform that can be reviewed later in case of an error. Nearly every network security system runs some kind of logging process — that gives libraries like log4j significant reach and, by extension, huge impact when there’s a vulnerability like this.

The log4j flaw could allow remote code execution on vulnerable servers if exploited. That could give attackers the ability to import malware that would compromise machines.

Worse, the vulnerability is fairly easy to exploit. Attackers only need to get an application to write a special string of characters to its log, and since apps log a wide range of events, from chat messages to system errors, getting the string in is not hard.

For example, the exploit was first spotted on sites hosting Minecraft servers. Those sites discovered that attackers could trigger Log4Shell by posting chat messages. A new version of Minecraft that rolled out Friday includes a patch for the vulnerability.

However, Minecraft is far from the only impacted service. A blog post from security company LunaSec claims that Valve’s popular PC gaming platform Steam and Apple’s iCloud are both vulnerable to Log4Shell. Other vulnerable platforms will likely be discovered in the coming weeks.

The Verge reports that an update released for the log4j library mitigates the vulnerability. However, considering the sheer number of impacted apps and services, and the time it’ll take to update everything, Log4Shell will remain a significant problem.

Source: Ars Technica, The Verge

MediaTek fixed chip flaws that could allow apps to eavesdrop on users

Vulnerabilities in the artificial intelligence (AI) and audio processing components of recent MediaTek chips could have allowed eavesdropping on device owners. However, the flaw was reportedly never exploited in the wild.

MediaTek has fixed the vulnerabilities as of October, according to Check Point Research (via Android Police). While resolved, the vulnerabilities were quite serious and impacted a wide range of devices. As of Q2 2021, MediaTek powered about 43 percent of the worldwide smartphone market, making it the number one phone chip manufacturer by volume.

Although a list of impacted devices and/or chipsets wasn’t made available, Android Police reports that it sounds like the vulnerabilities affected modern MediaTek Dimensity chips and other MediaTek chips that use the ‘Tensilica’ APU platform.

In total, Check Point found four vulnerabilities that, when exploited together, could allow an app to pass commands to the audio interface. In other words, a malicious app could interact with the audio interface in ways that it shouldn’t be able to do and, in some cases, could even hide malicious code in the audio chip itself.

Researchers claim that malicious apps could have eavesdropped on customers using the vulnerability. Worse, device manufacturers could have used it to create an eavesdropping campaign. However, the vulnerabilities weren’t caught being exploited in the wild.

In a statement to Android Police, MediaTek said:

“Regarding the Audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

If your phone has a MediaTek chip in it, you should make sure to install the latest security updates if you haven’t already.

Source: Check Point Research Via: Android Police