Security Week 18: text bomb for iOS

If one were to compile an imaginary greatest-hits collection of vulnerability classes, input-handling bugs would take the top spots. One of the oldest ways to knock out a program or a whole system is the zip bomb: a tiny archive that, depending on the era, expands into hundreds of megabytes, gigabytes or petabytes of data. But an archive still has to be downloaded, and someone has to try to unpack it. Text bombs are far more interesting: messages whose mere format crashes the program or the entire system. In a world of instant messengers and mobile devices this is especially relevant.


Last week a way to freeze an Apple mobile device with a single message was discovered in iOS (news). iOS mishandles at least one character of the Sindhi language, one of the official languages of Pakistan, which is part of the Unicode standard. When such a character is rendered on a phone or tablet, failures of varying severity occur; in the worst case the device has to be rebooted. The message containing the offending character has to be displayed on screen, in a social network client or a messenger, but the crash is also triggered when a notification is shown, if message previews are enabled. In other words, after a reboot you can run straight into the app or system crash again if someone decides to keep trolling you.


Who discovered the text bomb is unknown. On Reddit, in a community of jailbroken-iPhone enthusiasts, a home-made patch against this scourge was posted, with a mention of the Twitter messages (as in the screenshot at the top of the digest) that circulated last week, for some reason with an Italian flag emoji appended to the Sindhi character. The flag plays no part in triggering the bug. To avoid mass trolling, posting the character in the raw was strictly forbidden in that community. The character's code can be gleaned from the patch code for "hacked" iPhones; we will not publish it here and do not advise you to either. It is not funny. This is a bug, not a vulnerability: the crashes do not lead to code execution, or at least there have been no reports of that. In the current iOS beta the problem is fixed, but until the update is officially released, a wave of trolling on social networks and in messengers is likely.

The beta of iOS 13.4.5 also closed two bugs in the Apple Mail client (news). According to the ZecOps team, both vulnerabilities allow data to be leaked from the mail client when a crafted message is opened. ZecOps claims that versions as old as iOS 6 are affected and that the vulnerabilities have been exploited in the wild by unnamed attackers since 2018. Apple, however, maintains that there was no active exploitation: "There is no immediate threat to users."

If the text bomb in iOS is merely annoying, what about a malicious GIF that lets an attacker hijack your Microsoft Teams account? CyberArk discovered this vulnerability (news, research). The researchers found the weak spot not in the image processor but in the mechanism that tracks who shared what on this collaboration platform. Because Microsoft Teams can integrate a cloud service, private corporate servers and software on users' computers, a rather complicated image-attribution system was needed, one that passes around tokens identifying the user. Add two subdomains on the microsoft.com domain whose traffic could, in theory, be redirected to an attacker via a subdomain takeover, and we get the following scenario. You send a prepared GIF to a user. When the picture is fetched, the user's tokens are sent along to the *.microsoft.com subdomain. The attacker, who has redirected that subdomain's traffic to himself, receives the token. With these authorization keys one can call the cloud service API on behalf of the victim and extract various private information about the company's internal structure.
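The scenario above hinges on a general browser rule rather than on anything Teams-specific: a cookie scoped to a parent domain is sent to every subdomain, so if one of those subdomains is dangling and an attacker takes it over, an <img> tag pointing at it is enough to harvest the token. The script below is an added illustration of that rule using Python's standard cookie jar; it is not CyberArk's proof of concept, the domain and cookie names (example.test, authtoken) are hypothetical stand-ins, and it assumes the token travels as a cookie, which the digest does not state explicitly.

```python
"""Parent-domain cookie scope vs. subdomain takeover (added illustration).

Hypothetical names throughout: app.example.test is the legitimate app,
dangling.example.test is a subdomain the attacker has taken over.
"""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return something with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None if no stored cookie matches that host/scheme/path."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def leaked_tokens(set_cookie_header, attacker_url,
                  login_url="https://app.example.test/"):
    """Simulate the attack: the app sets a cookie at login_url, then the
    victim loads an image from attacker_url (the taken-over subdomain).
    Returns what the browser would send to the attacker (None = nothing)."""
    jar = http.cookiejar.CookieJar()  # default policy mirrors browser scoping
    login = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse([set_cookie_header]), login)
    return cookie_sent_to(jar, attacker_url)


if __name__ == "__main__":
    img = "https://dangling.example.test/pic.gif"

    # Weak setting: Domain=.example.test makes the token reach every subdomain,
    # including the one the attacker controls.
    weak = "authtoken=abc123; Domain=.example.test; Path=/; Secure"
    print("parent-domain cookie ->", leaked_tokens(weak, img))

    # Hardened setting: no Domain attribute, so the cookie is host-only and is
    # never sent to sibling subdomains, but still works on the app itself.
    strict = "authtoken=abc123; Path=/; Secure"
    print("host-only cookie ->", leaked_tokens(strict, img))
    print("host-only cookie to app ->",
          leaked_tokens(strict, "https://app.example.test/me"))
```

Running it prints the token for the parent-domain cookie and None for the host-only one. The fix on the application side is therefore twofold: do not widen token cookies with a Domain attribute (browsers additionally enforce this when the name carries the __Host- prefix; Python's jar does not check prefixes), and keep DNS free of dangling CNAME records so there is no subdomain to take over in the first place.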

What else happened



Nintendo confirmed that 160,000 accounts were compromised via Nintendo Network ID. This is a legacy system used, in particular, for accounts on the Nintendo 3DS and Wii U consoles, but through this old account one could also get into the company's modern network service that serves, for example, the Nintendo Switch. The NNID compromise has already led to theft of virtual currency from user accounts.


The source code of the multiplayer games Team Fortress 2 and CS:GO has leaked. The sources, normally distributed privately and only among Valve Software's partners, became publicly available. According to Valve, this is a re-upload of sources that already surfaced online in 2018, so new exploits against gamers should not be expected.

A leak widely discussed last week was a database of 25,000 email addresses and passwords allegedly belonging to employees of the World Health Organization, the Bill and Melinda Gates Foundation and the Wuhan Institute of Virology. Most likely it is a sample from a huge collection of earlier breaches of online services that someone compiled for the occasion. Meanwhile, according to Google's Threat Analysis Group (and other companies), the COVID-19 theme is being actively used in phishing attacks on government agencies in various countries.

An interesting example of convincing password phishing aimed at Skype users was discovered.

Palo Alto Networks investigated a botnet targeting vulnerable Zyxel NAS devices. And ESET analyzed vulnerabilities in smart-home hubs from three different manufacturers. The bad news: it is possible to remotely seize control of the entire home IoT infrastructure. The good news: the vulnerabilities studied have already been fixed by the manufacturers, some of them long ago. The other bad news: not all hub owners install updates on time.
