Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-7085: xisigr of Tencent's Xuanwu Lab
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13

The security reputation of iOS, once considered the world's most hardened mainstream operating system, has taken a beating over the past month: Half a dozen interactionless attacks that could take over iPhones without a click were revealed at the Black Hat security conference. Another five iOS exploit chains were exposed in malicious websites that took over scores of victim devices. Zero-day exploit brokers are complaining that hackers are glutting the market with iOS attacks, reducing the prices they command.

As Apple prepares for its iPhone 11 launch on Tuesday, the recent stumbles suggest it's time for the company to go beyond fixing the individual security flaws that have made those iPhone attacks possible, and to instead examine the deeper issues in iOS that have produced those abundant bugs. According to iOS-focused security researchers, that means taking a hard look at two key inroads into an iPhone's internals: Safari and iMessage. While vulnerabilities in those apps offer only an initial foothold into an iOS device (a hacker still has to find other bugs that allow them to penetrate deeper into the phone's operating system), those surface-level flaws have nonetheless helped to make the recent spate of iOS attacks possible.

The problem with making WebKit mandatory, according to security researchers, is that Apple's browser engine is in some respects less secure than Chrome's. Amy Burnett, a founder of security firm Ret2 who leads trainings in both Chrome and WebKit exploitation, says that it's not clear which of the two browsers has the most exploitable bugs. But she argues that Chrome's bugs are fixed faster, which she credits in part to Google's internal efforts to find and eliminate security flaws in its own code, often through automated techniques like fuzzing. Google also offers a bug bounty for Chrome flaws, which incentivizes hackers to find and report them, whereas Apple offers no such bounty for WebKit unless a WebKit bug is integrated into an attack technique that penetrates deeper into iOS. "You're going to find similar bug classes in both browsers," says Burnett. "The question is whether they can get rid of enough of the low-hanging fruit, and it seems like Google is doing a better job there." Burnett adds that Chrome's sandbox, which isolates the browser from the rest of the operating system, is also "notoriously" difficult to bypass, more so than WebKit's, making any Chrome bugs that do persist less useful for gaining further access to a device.

Another specific element of WebKit's architecture that can result in hackable flaws, says Luca Todesco, an independent security researcher who has released WebKit and full iOS hacking techniques, is its so-called document object model, known as WebCore, which WebKit browsers use to render websites. WebCore requires that a browser developer keep careful track of which data "object" (anything from a string of text to an array of data) references another object, a finicky process known as "reference counting." Make a mistake, and one of those references might be left pointing at a missing object. A hacker can fill that void with an object of their choosing, like a spy who picks up someone else's name tag at a conference registration table.

By contrast, Chrome's own version of WebCore includes a safeguard known as a "garbage collector" that cleans up pointers to missing objects, so they can't be mistakenly left unassigned and vulnerable to an attacker. WebKit by contrast uses an automated reference counting system called "smart pointers" that Todesco argues still leaves room for error. "There's just so many things that can potentially happen, and in WebCore the browser developer has to keep track of all these possibilities," Todesco says. "It's impossible not to screw up."
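The reference-counting failure Todesco describes above, reduced to a toy in C as an added example (this is not WebKit's, Todesco's or Wired's code): a one-slot "heap" whose object is marked dead rather than freed, so the stale reference left by a forgotten retain can be inspected instead of triggering undefined behaviour, next to a retain-on-assign helper in the style of a smart pointer that closes the gap. The `Node`, `heap_slot` and `ref_assign` names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
/* One-slot toy "heap": dropping the last reference marks the object dead
 * instead of freeing memory, so a stale pointer can be inspected safely.
 * Constructed for this example; not WebKit code. */
typedef struct {
    int  refcount;
    bool live;   /* false once the last reference has been dropped */
} Node;
static Node heap_slot;

/* Allocate the node, owned by exactly one reference. */
static Node *node_create(void) {
    heap_slot.live = true;
    heap_slot.refcount = 1;
    return &heap_slot;
}
static void node_retain(Node *n) { n->refcount++; }

/* Drop a reference; at zero the object is "freed" (marked dead). */
static void node_release(Node *n) {
    if (--n->refcount == 0) n->live = false;
}

/* Manual counting bug: a second holder copies the pointer without retaining.
 * Returns whether that second reference is still valid (it is not). */
static bool manual_refcount_bug(void) {
    Node *owner = node_create();
    Node *second = owner;    /* missing node_retain(second) */
    node_release(owner);     /* count 1 -> 0: the object is gone */
    return second->live;     /* false: dangling reference, a use-after-free */
}

/* Smart-pointer discipline: every assignment retains the new value and
 * releases the old one, so the caller cannot forget a count. */
static void ref_assign(Node **slot, Node *value) {
    if (value) node_retain(value);
    if (*slot) node_release(*slot);
    *slot = value;
}

static bool smart_pointer_ok(void) {
    Node *owner = node_create();
    Node *second = NULL;
    ref_assign(&second, owner);  /* count 1 -> 2 */
    node_release(owner);         /* count 2 -> 1: still live */
    bool alive = second->live;
    ref_assign(&second, NULL);   /* count 1 -> 0: freed exactly once */
    return alive;
}
```

In a real engine the dead slot is reused memory, which is exactly the hole Todesco's "name tag" analogy refers to; sanitizers (ASan) and debug-build refcount assertions are the usual way to catch the first pattern before it ships.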