Published May 16, 2019
A severe class of vulnerability rises from the grave to trouble us again. One of the world's most popular communication apps turns out to have a glaring error in its code that requires an immediate fix, and it's time to update your Apple devices.
- Zombies on the prowl
- News about a vulnerability in WhatsApp
- A number of updates from Apple
It's alive! Processor-based vulnerabilities have come back to haunt us again here on The Checklist – did you really think Spectre and Meltdown were the last we would hear of them? Let's not waste time and dive right into what's happening this week.
Zombies on the Prowl
This week we got word of a new exploit for Intel processors that is making waves in the security community. This exploit can affect almost all Intel processor models produced since 2011 – which probably means it can affect the Intel CPUs in Macs. TechCrunch says that bad guys using this exploit can trick a processor into giving up access to secret data it holds. If you have followed security news for a while, or if you have been listening to The Checklist for a long time, this may sound a little familiar, and for good reason: all of this is reminiscent of last year's Spectre and Meltdown bugs that caused so much turmoil. This new bug, called ZombieLoad, is a potent one.
Before we dive into the specifics of ZombieLoad, let's first review what Spectre and Meltdown were about and why they were such a big deal.
Both bugs use a technically sophisticated procedure to exploit a weakness in a very important but very behind-the-scenes process in CPUs. To put it simply, to keep things fast for you, your processor makes its best guess at which part of a program your system will need to access next. To save time, it loads the data and code required to run it into a particular buffer on the processor. If the guess was correct, the processor immediately runs the queued instructions. If not, it discards them and runs the requested code instead. Meltdown or Spectre can allow someone to steal the "guessed" information before it is discarded, which may include your passwords, secret encryption keys, and more.
Researchers say ZombieLoad is very similar overall, but uses a slightly different approach to stealing information the processor is not meant to reveal. When the CPU runs code and ends up in a situation it does not understand, it turns to its own firmware, also called microcode, for help in handling the unknown data and avoiding a disruptive crash. Normally, an app is not allowed to view data from other apps – that's a pretty basic security measure, right? ZombieLoad breaks down these barriers and leaks app data held inside the processor core so that malware can steal the potentially valuable information.
As with Spectre and Meltdown, processors made by AMD and ARM can still be vulnerable in some cases, but researchers generally believe they are more immune to these concerns. Intel has already pushed out firmware updates for everything from Xeon and Sandy Bridge processors to its latest and greatest models.
So what can you do to stay safe and avoid these concerns? The answer to that question is an easy one, at least: stay updated. Intel's updates continue to be pushed out through Google and Microsoft, but macOS users may already be protected. If you've recently updated to the latest version of macOS, you've already received the fix from Apple and you're good to go. According to TechCrunch, Apple's updates ensure that malicious websites cannot use ZombieLoad on your computer. Moreover, most users should not notice any changes – but TechCrunch noted that those who "opted for complete ZombieLoad correction" could face slowdowns. Is that likely for you?
Probably not. For the average user, all you need to do is install the macOS update – and if you're a non-average user, you've probably already taken the right steps to protect yourself. So, take a deep breath, install your updates, and relax. The likelihood of running into ZombieLoad in the wild is slim, and so are your chances of facing serious problems associated with it.
For more detailed information on these issues, check out the site created to inform the public: ZombieLoadAttack.com.
News about a vulnerability in WhatsApp
Ah, Facebook. Can they ever not disappoint? AppleInsider says WhatsApp, which Facebook owns these days, has told the public that it has fixed a vulnerability in its VoIP (Voice over IP) protocol. This was not just any vulnerability; it was a serious bug that allowed hackers to infect devices and install spyware without the user's knowledge. The bug affected both Android devices and iPhones.
Using a flaw in the way WhatsApp handled digital phone calls, hackers could call one of their targets and automatically force that user's phone to download and run a spyware payload. Victims did not even have to pick up the phone or even notice the call; hackers just had to place the call and trigger the bug on their own.
The good news: it took the WhatsApp team only ten days to fix the problem once it was identified, an impressively fast turnaround, all in all. The bad news, however, is that there is no telling how long the bug was in the software before WhatsApp discovered the problem in early May. Oh, and the really bad news? Facebook says it knows hackers actually exploited the bug this time, infecting an "unknown" number of users with spyware.
So how concerned should you be about this incident? Fortunately, "not very" – and not at all if you don't use WhatsApp. If you do, as long as you have installed the updates, you should be A-OK to continue without worrying about being affected by this bug. Unfortunately, there is no telling whether damage has already been done; developers are not sure how long the bug was in the code.
Investigations by security researchers into this mess indicate that it was not rogue hackers exploiting the loophole, but rather an Israeli vendor called NSO Group – a company that often works with governments wishing to target mobile operating systems for intelligence-gathering purposes. So, unless your secret alter ego is James Bond, you will probably not end up in the crosshairs of a targeted malware campaign using a WhatsApp vulnerability.
What if that does apply to you, though? Let's assume you're a vocal political activist worried about being targeted for your actions – or maybe you're just paranoid. Can you tell whether you were targeted by this attack? Unfortunately not. One concern that bothers phone owners right now, especially on iOS, is the lack of tools (official or otherwise) to determine whether your device has been compromised in one way or another.
You have to resort to more basic methods of spotting that something is wrong, such as watching battery and bandwidth consumption. If you are continuously using more of these resources than you would normally expect, there may be something wrong with your device. Of course, you can also delete apps that you do not use as a precaution – the fewer apps you have on your phone, the fewer opportunities for one to become a channel for spying on your activities.
A series of updates from Apple
Updates have been the key to most of the issues on today's Checklist, so why not end things with even more updates? Earlier this week, Apple dropped updates for many of its biggest products. iOS 12.3 brings an updated user experience for those who enjoy using Apple TV, and the Wallet app gets some upgrades of its own as Apple prepares to launch its own credit card later this year. In among all the good stuff, however, was the real meat of these patches: a series of cross-platform updates correcting some nasty bugs here and there.
In iOS 12.3, 23 bugs and vulnerabilities are patched. Users who have not yet updated may remain exposed to the dangers they pose. One of the most crucial issues patched in 12.3 involves a bug in CoreAudio. This is the system in the iPhone that handles every sound that plays, including online videos, and this bug allowed the bad guys to manipulate CoreAudio into executing their own malicious code. The specifics are not quite clear – Apple keeps many of these things under wraps. Without these updates, users remain potentially vulnerable if they encounter a malicious video online.
macOS also has updates, with the latest version being 10.14.5. AirPlay 2 makes its way to the Mac, with better support for sharing everything you can imagine from your desktop to your TV, along with enhancements to Apple News and fixes for some pesky software bugs. Oh, and there are also security updates – 26 of them, in fact. CoreAudio makes another appearance here, but some fixes for the macOS kernel are the most critical. The kernel has nothing to do with popcorn – it's actually the heart and soul of the operating system, the most critical and basic component that drives everything else. Some of the bugs patched this week allowed code to run with kernel privileges – in other words, full access without limitations.
Apple Watch also received an important update to version 5.2.1. Eighteen security patches in all make it onto this tiny device, including the kernel and CoreAudio bugs, plus one in the system diagnostic routine. This system, designed to help watchOS diagnose problems, should be foolproof, but it too had a bug that allowed arbitrary code execution.
You know the moral of this story – it's time to update!
With dozens of new fixes available in all and many of these nasty bugs squashed, there is no good reason not to plug in and update your device as soon as possible. Don't forget – Apple will even let you configure your phone to update automatically overnight while you sleep. What could be easier than that? Take advantage of this opportunity and enjoy a safer and more secure experience.