Zero click vulnerability in Apple’s macOS Mail (mikko-kenttala.medium.com)
Maybe a good business is a bug escrow company.
From wikipedia:
> Factoring is a financial transaction and a type of debtor finance in which a business sells its accounts receivable (i.e., invoices) to a third party (called a factor) at a discount.[1][2][3] A business will sometimes factor its receivable assets to meet its present and immediate cash needs.[4][5] Forfaiting is a factoring arrangement used in international trade finance by exporters who wish to sell their receivables to a forfaiter.[6] Factoring is commonly referred to as accounts receivable factoring, invoice factoring, and sometimes accounts receivable financing. Accounts receivable financing is a term more accurately used to describe a form of asset based lending against accounts receivable. The Commercial Finance Association is the leading trade association of the asset-based lending and factoring industries.[7]
For example, let's say I own a sheep farm. I hire people to trim the sheep, and they produce a bunch of cotton. Without the Bill of Exchange, if I want to pay the people I've hired then I will need to ship this cotton to the spinner, who then ships the spun cotton to the weaver, who then ships the woven cotton to the clothier, who then makes clothes and sells it to a consumer. Only after this has happened can I pay my employees with the money of the paying consumer.
With the Bill of Exchange, a bill is created when I deliver cotton to the spinner. This bill will require the spinner to pay me for the cotton delivered in e.g. three months. I can then take this bill to someone who trusts that the spinner will pay me in three months and ask them to buy the bill at a discount, such that they are paid in three months (when the bill expires). I can then use the proceeds from the sale of the bill to pay my employees immediately. And the buyer of the bill earns a bit of interest because he pays less for the bill than he is paid at maturity.
[1] https://professorfekete.com/articles/AEFMonEcon101Lecture5.p...
[2] https://professorfekete.com/articles/AEFMonEcon101Lecture6.p...
1. Company verifies the bug
2. Assigns it a price according to impact
3. Keeps details hidden until Apple pays them, then reveals the bug. Thus Apple is forced to pay, but bad actors don't get access.
Different bug markets can compete to correctly price bugs.
People tend to vastly overestimate the economic impact of an exploited security vulnerability. A vulnerability which can be patched in a centralized manner has a low value half-life: it rapidly decreases in value over time. I would guess over 90% of active daily users of macOS already have the patch for this bug due to automatic updates. New buyers are essentially guaranteed not to have the vulnerability at all. The vulnerability would have to be absolutely catastrophic to be worth something, and in that case it would probably be used for targeted exploitation and burned after a short period of time.
Contrast with something like heartbleed, which is still around. That is a vulnerability with serious half-life and significant economic impact. The pool of available victims who can be exploited by heartbleed is nontrivial and persistent years later. Criminals will actually pay for something like that.
What is a bug's correct price? The price that a bad actor would pay for it?
> 2020–05–24: PoC done and reported to Apple
> 2020–06–04: Catalina 10.15.6 Beta 4 with [hotfix released]
> 2020–07–15: Catalina 10.15.6 Update with hotfix released
Makes me wonder how many applications on Windows and MacOS actually support the system sandbox.
Are all past versions of OS X / Apple Mail affected? For what OS X version does Apple provide a security update regarding this issue? Has anyone found a fix that prevents auto-uncompression (such as a "defaults write com.apple.mail xyz False" command)?
Due to several reasons, I am also on an older version of OS X and this issue makes me a bit nervous.
> Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5
Or maybe the script has to exist in some folder this vulnerability doesn't have access to?
The core problem is that really dumb feature which auto-expands certain zip files. I need to turn that off.
MailWebAttachment.h contains a method:
`- (BOOL)isAutoArchiveAttachment;`
I bet that if I swizzle that to always return false, this "feature" will go away. I'll find out this weekend... Edit: Is the author's PoC available anywhere? Not that I really need it...
Do you follow all security-related announcements for Mac OS and do your own back ports and fixes?
How did you decide 10.9 is the right balance of risk for you?
What could possibly go wrong? ;-/
They seem to have the same issues as everyone else.
[1] https://www.apple.com/business/docs/site/AAW_Platform_Securi...
Mutt may look old but at least it actually works.
Though I certainly shouldn't trust mutt to be bug free, given that it processes data that someone can send me freely. Fortunately, TUI programs are fairly easy to isolate in their own UNIX user account.
This is a case of the application working as designed, but in unintended ways. A logic flaw.
I say this because I don't see a lot of effort being put into solving these types of security issues, compared to e.g. memory safety issues.
Or is it just security theater ?
The end result of selling 0-click RCE vectors like this to brokers is sliced up bodies in embassies. Do folks think about where the money is coming from, and who would pay? No, it's an 'easy' pay day.
Some of us fix security bugs to keep people safe. Some of us try to earn an honest living doing so. Others try to earn a dishonest living with pain and death in their wake. Are you using your skills to improve life on this rock, or are you trying to make it worse for a pay day?
Why would you think that?
* Most compression container formats support relative and absolute paths outside of the current directory, for semi-legitimate reasons (like decompressing an entire raw filesystem, or using an archive format as an ad-hoc installation system). Many high-level languages have bindings that are unsafe by default in this regard.
* Most compression formats can be manipulated to contrive pathological inputs that require massive amounts of memory or CPU time. This makes them good vectors for DoSes.
* Compression and compression container formats themselves are complicated, for historical reasons. Many also have reference implementations with colorful security histories with regards to memory safety.
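The three risks listed above (entry paths that escape the destination, inputs that decompress into far more than they carry, and format details such as symlink entries) are exactly what an auto-expansion step should check before it writes anything. The following is an added illustration, not code from the thread, from the article, or from Apple Mail: a Python auditor that inspects an in-memory zip with the standard library's `zipfile` module and rejects entries that violate a policy, without touching the filesystem. The size caps, the sample archives and the helper names (`classify_name`, `audit_zip`, `verdict`, `build_zip`) are all constructed for this example.

```python
import io
import posixpath
import re
import stat
import zipfile
from typing import List, Optional

# Policy limits. Assumed values for this illustration; tune per deployment.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # 50 MiB across the whole archive
MAX_COMPRESSION_RATIO = 100                # uncompressed / compressed, per entry


class UnsafeArchive(ValueError):
    """Raised when an archive entry violates the extraction policy."""


def classify_name(name: str) -> Optional[str]:
    """Return a rejection reason for an entry name, or None if it stays inside
    the destination directory. Works on the name alone, no filesystem access."""
    if not name or "\x00" in name:
        return "empty or NUL-containing name"
    unixish = name.replace("\\", "/")
    if unixish.startswith("/") or re.match(r"^[A-Za-z]:", unixish):
        return "absolute path"
    norm = posixpath.normpath(unixish)
    if norm == ".." or norm.startswith("../"):
        return "escapes destination directory"
    return None


def audit_zip(data: bytes) -> List[str]:
    """Check every entry of an in-memory zip against the policy before anything
    is written. Returns the accepted entry names; raises UnsafeArchive on the
    first violation."""
    total = 0
    accepted = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_name(info.filename)
            if reason:
                raise UnsafeArchive(f"{info.filename!r}: {reason}")
            # Info-ZIP style archives keep the Unix mode in the top 16 bits of
            # external_attr. A symlink entry, once recreated, lets later writes
            # land outside the destination, so it is refused outright.
            if stat.S_ISLNK(info.external_attr >> 16):
                raise UnsafeArchive(f"{info.filename!r}: symlink entry")
            # Per-entry ratio catches decompression bombs; the running total
            # catches many moderately compressed entries adding up.
            if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
                raise UnsafeArchive(f"{info.filename!r}: compression ratio too high")
            total += info.file_size
            if total > MAX_TOTAL_UNCOMPRESSED:
                raise UnsafeArchive("total uncompressed size exceeds cap")
            accepted.append(info.filename)
    return accepted


def verdict(data: bytes) -> str:
    """'accepted' or 'rejected: <reason>' for callers that log rather than raise."""
    try:
        audit_zip(data)
        return "accepted"
    except UnsafeArchive as exc:
        return f"rejected: {exc}"


def build_zip(entries, compression=zipfile.ZIP_STORED) -> bytes:
    """Build a constructed in-memory zip from (name, payload, unix_mode) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload, mode in entries:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = mode << 16
            zf.writestr(zi, payload, compress_type=compression)
    return buf.getvalue()


# Constructed sample archives: one benign, three that each trip a different check.
SAMPLE_BENIGN = build_zip([("report.txt", b"quarterly numbers", 0o100644)])
SAMPLE_TRAVERSAL = build_zip([("../../escaped.txt", b"x", 0o100644)])
SAMPLE_SYMLINK = build_zip([("notes", b"/tmp/elsewhere", 0o120777)])
SAMPLE_BOMB = build_zip([("zeros.bin", b"\0" * (2 * 1024 * 1024), 0o100644)],
                        compression=zipfile.ZIP_DEFLATED)

if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("traversal", SAMPLE_TRAVERSAL),
                          ("symlink", SAMPLE_SYMLINK), ("bomb", SAMPLE_BOMB)]:
        print(f"{label:10s} {verdict(sample)}")
```

The audit runs over the central directory only, so a mail client or gateway can decide before extraction rather than cleaning up afterwards. Note that `zipfile.extractall` in current Python strips absolute and `..` components itself but says nothing about symlink entries or size, which is why those two checks are explicit here.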
Android with syncing enabled does much better in real world tests. Notably in Hong Kong, they were able to crack the iPhones, but not the Pixels[0]
I'm pretty sure without iCloud and a long enough password (or fast enough self destruct mode) iPhones could be as secure, but I don't know anyone that uses an iPhone and does not use iCloud in any way.
[0]: https://qz.com/1844937/hong-kongs-mass-arrests-give-police-a...
Edit: your linked article says nothing about icloud
In general less complexity is better, but it also constrains things. For example it took until recently for third party iOS to be able to do NFC. Android had it since ~2012.
I seriously wonder: what difference did it make? Was there any groundbreaking thing iOS users missed for 8 years?
Apple is just great in omitting things and keeping focus to deliver a great product and then expand on that basis.
Most famous example: First iPhones didn’t have MMS
https://qz.com/1844937/hong-kongs-mass-arrests-give-police-a...
4-digit passcode hasn't been the default passcode option in iOS for a long time.
On the Android side, Google makes good software changes to Android, but ultimately the security is dependent on the handset maker (e.g. Samsung) and SoC maker (e.g. Qualcomm). Security will vary between Android phones. The bigger Android phone makers are more able to make security investments than the cheaper phone makers.
In any case, the biggest vulnerability in any system is the end user. No amount of idiot-proofing will stop people from being scammed on an iPhone, nor will it stop someone on Android. When these companies market their "Secure Enclave" or "Titan Security", they're really just dressing up otherwise expected or boring features. The T2 chip was basically a dedicated PRNG chip with basic encoding capabilities, yet Apple paraded it as a boon for device security and game-changer for the end user. In reality, it doesn't solve any practical issues with computer security.
I've tried about every OS on the planet, and I've used them on a decent handful of different devices. I won't tell you what to think or do, but Apple's devices are difficult to appraise and hurt my head when I try to consider their impact on my overall "security". I'd much rather just use a Linux system that's transparent about its vulnerabilities. Much of that same reasoning is why I still use Android these days.
This is an extremely misleading description of the scope of T2’s duties.
As you can see, the price is so low it hardly even matters if there is a difference. There are literally millions of people in the US alone who personally have the liquid net worth to purchase a remote wormable persistent compromise that you can use to mass infect any Android or iPhone. Essentially every business with more than maybe 10 employees has enough assets to purchase such a weapon on the market. Just today I read on HN that the US government inked a deal for $22B over 10 years for 120k AR headsets from Microsoft [5] which comes out to ~$183k/headset. So, a weapon you can use to fully compromise any phone you want is equal in cost to a mere 15(!) headsets. That contract alone would be enough to purchase 10,000(!) vulnerabilities at existing clearing prices and $22B is only ~1/200th of the yearly US government budget.
Frankly, the entire thing is like two people jumping and comparing who is closer to landing on the moon.
[1] https://www.google.com/about/appsecurity/android-rewards/
[2] https://developer.apple.com/security-bounty/
[3] https://zerodium.com/program.html See Mobiles payout.
[4] https://www.statista.com/statistics/276306/global-apple-ipho....
[5] https://techcrunch.com/2021/03/31/microsoft-wins-contract-wo...
Security is usually the last priority for nearly every for profit entity because it doesn't drive revenue.
They aren’t perfect but I don’t think it’s fair to say they don’t try.
The author specifically said that they were looking based on bug bounty guidelines. The next person in the same shoes will look at some other company's products instead.
“By signing the agreement, you will accept an exclusive sale of your research to ZERODIUM and transfer all related intellectual property rights to us, meaning that the research becomes the exclusive property of ZERODIUM and you are not allowed to re-sell, share, publish, or report the research to any other person or entity.”
Let's turn it around. In Russia, the average salary is around $600 per year. Would you turn down a $50k payout? That's 83 years of an average salary.
Consider that you may be in a privileged position if you can say no to that kind of money.
The solution to this is for vendors to match what the market is paying. If an RCE is worth $50k on Zerodium, perhaps it's worth something similar to Apple not to have headlines about so-and-so exploit being used for cutting up bodies in an embassy.
EDIT: Oops. Divide 83 by 12. But you'll find it hard to locate someone willing to say no to 7 years of salary for ~zero additional work.
From the wikipedia page for Meltdown: "On 8 May 1995, a paper called "The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems" published at the 1995 IEEE Symposium on Security and Privacy warned against a covert timing channel in the CPU cache and translation lookaside buffer (TLB). This analysis was performed under the auspices of the National Security Agency's Trusted Products Evaluation Program (TPEP)."
i.e. did they know even in 1995?
(NSA shortened the key as well so it wasn’t all bunnies and chocolate)
There should likely be a governing body that independently values an exploit and forces companies to pay
Like how the SEC’s whistleblower program works
It's completely broken to have corporations pinky promise not to sue you if you tell them and arbitrarily decide payouts if at all
Well I didn't know, until now. I saw the bug bounty page at Apple before, was dazzled by the numbers, and didn't think twice about approaching them if I found a bug. Now after this article I know better than to trust them to pay.
Is there a way to verify whether Zerodium might be advertising large payouts (for attention) and then offering much smaller payouts for the actual bugs?
It's pretty risky for Zerodium. There's nothing stopping a researcher from collecting a payout and then reporting the bug to the vendor.
Wouldn't the payout contract prohibit reporting to anyone else?
(Just guessing though.)
and tbh, it's probably the same answer for most providers these days.
An alternative is a public offer where Apple promises not to release a fix without payment. If it's not a bug, no need for a fix.
Work was done but not paid. Shitty business on Apple side...
V2: “This file unexpectedly tried to access [folder].”
The exact same mechanism Apple already used with GateKeeper and FS access for programs at runtime.
Why does it need to be more complicated than that?
Had to make `-(BOOL)isAutoArchivePart` in `MCMimePart` return false.
...and they made the same basic mistake of allowing one of the single most exploitable attack vectors ever. They kinda shoulda known better, honestly.
My ultimate point is that the biggest liability is the user, and those "security updates" don't really matter when the biggest attack vectors don't even consider these exploits in the first place.
- Apple is a $2T company, that we trust with our data. That valuation is in part based on that trust. It's entitled of Apple to produce a product that contains shitty exploitable symlink handling and continue to have no meaningful repercussions (which is true in the industry as a whole).
If this was a bug in a small, under-resourced FOSS email client, or the exploit required many highly skilled person-years to find, maybe I'd feel differently.
7 years of salary is a lifechanging amount of money too, but I admit the thrust of the argument isn't quite as strong with a basic error. :)
A better comment is probably "We've tried the alternative, and it doesn't seem to work. It's better to pay market rate."
>This is supported by a look at smartphone cracking company Cellebrite’s effectiveness at breaking into different phones. Cellebrite can easily open up any iPhone X or earlier iPhone, but the same software used on a Google Pixel 2 or Galaxy S9 extracts very little information, and nothing at all in the case of the Huawei P20 Pro.
>That’s not to say that these Android devices are unbreakable. It's just that it requires a different, more labor-intensive process to get the data requested.
>The sheer variety of Android hardware and customized software builds makes it hard for phone-crackers to build a universal tool to break into Android phones. Meanwhile, a "jailbreak" released late last year permanently bypasses the security functions of every iPhone model from the iPhone 4s to the iPhone X.
This perfectly squares with what I personally know from law enforcement friends but I'm just an internet stranger.
https://edition.cnn.com/2019/01/12/middleeast/khashoggi-phon...
... based on?
Or cut and paste. ;-)
For example, I have set up a tag to automatically connect friends' phones to my WiFi network. You can also stick tags on places to trigger specific actions/mode/app: office, meeting room, car, bedroom.
Also one thing that could have been great to share pictures/files/urls with your computer or other phones: Android beam [1]. Sadly Google is removing it.
MacOS 10.9 was pretty much when Apple jumped the shark. That was the last version I ran before switching back to Linux, and I ran it pretty damn long in the tooth as well -- until ~2018ish.
I still have a few VM images with MacOS 10.9 that I spin up from time to time in order to run commercial software like Adobe Acrobat.
This was the first time I've actually backported a security fix. Apple Mail is easily where I'm most vulnerable, because it's not merely an outdated app which opens untrusted content—it opens untrusted content which anyone can push to me!
They might pay out over a long period of time for some guarantee that you'll play by their rules, though.
If you have written a hardened, safe browser engine then you are free to share it to the world, otherwise I wouldn't downplay their efforts.
Not OP, but I'll stop complaining when Apple lets me use other browser engines.
Yes, IMO their business model is more accurately described as “gilded cages/jails” than just general “gilded/good-appearing stuff”. They deeply care about the strength of their DRM — including at the expense of end-user security, eg. you can’t access the internet through the Tor browser installed the normal macOS way without macOS broadcasting that you used Tor Project products to Apple’s DRM servers.¹
> They are pretty serious about trying to prevent data exfiltration from locked iOS devices as well.
They definitely care about the appearance of trying to prevent that exfiltration (they don’t publicly appear to help the FBI do it), but they don’t try hard enough to actually prevent it (including in situations where preventing exfiltration seems to have been proven possible, see nearby comment https://news.ycombinator.com/item?id=26667141).
¹Edit: ocsp.apple.com, enabling targeting of the people who need or want security the most.
To the people downvoting: I’m trying to make an evidence based refutation of the less supported speculation/assertions in the parent post. If you have counter-evidence or any reason to downvote other than fanboyism, please explain it so we or I can learn.
Your first point is intended to refute the effort put into stopping jailbreaking in iOS. The example you give is about privacy on Mac OS.
Last, accusing folks of being fanboys is a particularly weak argument. It says, if you don’t agree with me then your blind allegiance to a corporation renders you incapable of critical thought. Basically, if you don’t agree with me, you’re dumb. There is no practical engagement with that thesis.
The only things end to end encrypted are listed on this page: https://support.apple.com/en-us/HT202303
If you turn on iCloud syncing, basically you're falling back to simple "in transit" and "at rest" encryption.
A lot of iPhone cracks involve just attacking your iCloud account, and then reading all of your messages from backups. This is not possible on Pixels, which encrypt your device backups with on-device hardware encryption.
Unless Apple is really bad and somehow collects my keys from keychain, or collects keys passed to CryptoKit, etc., straight out of RAM, and sends them to 3-letter agencies ... if I think that's happening, then I will look for new devices.
Can you set up a new android phone from an old phone’s backup? If so, how could this work?
This is a standard way to set up a new iPhone: “restore” from a backup of your previous phone. Especially handy when your old phone is no longer available (lost/broken)
https://security.googleblog.com/2018/10/google-and-android-h...
Not that I fully understand how hard it is to circumvent.
This is a legal requirement to operate the service in China. Apple’s choice is between offering iCloud in China or not offering it at all in China, not between offering it with local servers or with out-of-country servers.
What Apple does in China is more than complying with local laws. They appear to be exceptionally proactive in staying in the regime's good graces.
This is not even remotely true, even if you define "major tech company" to mean "major US tech company".
Both AWS and Azure have actual cloud regions in China (delivered with a local JV partner just like Apple's cloud services are).
Even Google operates there in various ways - they have four offices there, they manufacture hardware there, and they sell tons of ads to Chinese companies via their local subsidiaries (for display outside of China obviously).
Guess how much Microsoft pays for breaking the Windows Secure Boot implementation? $9k.
The better comparison is active users, weighted according to how many apply automatic updates. The vulnerability half-life probably isn't as devastating as you might think it is since Apple has centralized control to push out updates, limited only by users deliberately not installing them.
I would consider a vulnerability in OpenSSH to be far more economically devastating, and there isn't even a company with a market cap behind that software.
If there is no intent to abuse the bug when not paid, then there is no additional threat from simply notifying the company that some threat is already present. How can it become blackmail?
So every report about a discovered bug can be considered blackmail? If one discovers a bug, reports it to the company and says that after 3 months it will be public, is it blackmail too?
Or does the payment request make it different? And if a person doesn't threaten to publish the bug then it's ok?
[0] https://www.justia.com/criminal/offenses/white-collar-crimes...
Whoever, with intent to extort from any person, firm, association, or corporation, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to injure the property or reputation of the addressee or of another or the reputation of a deceased person or any threat to accuse the addressee or any other person of a crime, shall be fined under this title or imprisoned not more than two years, or both.
https://uscode.house.gov/view.xhtml?path=/prelim@title18/par...
Most countries have a culture against whistleblowers, starting from childhood ("don't be a tattletale", "don't be a rat").
I agree with you on a moral basis: what difference does it make if I get paid not to publish it vs. if I just publish it without even asking to get paid? But I'm not sure the law would agree with us.
In this case you aren't just a vigilante targeting Apple; there is established practice stretching back decades.
There is also a duty on you as a security professional, and there is a significant public interest in knowing about the vulnerability. So, most likely, it will be you doing your job.
Who is wondering why Patreon and a blog post isn't sufficient to facilitate value transfer in metaphorical openssh scenarios?
Can you provide a reference for Apple's JV partners being government owned? Any company in China of course has to do as the Party tells them to, so I guess the difference is largely academic, but I haven't seen it mentioned before that Apple's China partners are government-owned.
https://techcrunch.com/2018/07/17/apples-icloud-user-data-in...
There are conflicting reports and vague language around how exactly the keys are handled.