Fun.
https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-...
If you have an Apple device, it must be updated. If it's no longer supported/updated, throw it away.
Anyone can send you a text or imessage (whatever that is) with a crafted webp image and p0wn your whole device: no clicks or user interaction required.
Same bug in Chrome: update your Chrome. If you cannot on that device (i.e. Win7) then throw it away or find a new OS/browser. But at least you'd have to visit a malicious web page.
Also affects linux webp libraries, so patch your stuff and restart any dynamically linked browsers/clients.
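One way to act on the "patch your stuff and restart any dynamically linked browsers/clients" advice: an added example, not code from the thread, that lists Linux processes still mapping a copy of libwebp that has been replaced on disk. It assumes /proc is available and that the library file is named libwebp*.so* (adjust the pattern for your distro).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux with /proc/PID/maps
# and a library file named libwebp*.so* (an assumption; adjust the pattern
# for your distro). Run as root to inspect every user's processes.

# Print the deleted (replaced on disk) copies of a library mapped in one
# maps-format file. After a package update a line such as
#   7f..-7f.. r-xp 00000000 08:01 123456 /usr/lib64/libwebp.so.7.1.7 (deleted)
# means the process still runs the old, unpatched decoder.
stale_mappings() {
    maps="$1"; lib="$2"
    grep -E "/${lib}[^ ]*\.so[^ ]* \(deleted\)$" "$maps" 2>/dev/null \
        | awk '{ print $6 }' | sort -u
}

# Exit status 0 when the maps file still holds an old copy of the library.
has_stale_mapping() {
    [ -n "$(stale_mappings "$1" "$2")" ]
}

# Walk every process; print "pid<TAB>command" for each one that needs a
# restart, followed by the stale library paths it still maps.
scan_running_processes() {
    lib="${1:-libwebp}"
    for maps in /proc/[0-9]*/maps; do
        pid="${maps#/proc/}"; pid="${pid%/maps}"
        if has_stale_mapping "$maps" "$lib"; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
            printf '%s\t%s\n' "$pid" "${cmd:-?}"
            stale_mappings "$maps" "$lib" | while read -r path; do
                printf '\t%s\n' "$path"
            done
        fi
    done
}

# Constructed sample maps file (not a real process) to demonstrate the check.
sample=$(mktemp)
printf '%s\n' \
  '7f1a00000000-7f1a00100000 r-xp 00000000 08:01 123456 /usr/lib64/libwebp.so.7.1.7 (deleted)' \
  '7f1a00200000-7f1a00300000 r-xp 00000000 08:01 123457 /usr/lib64/libc.so.6' > "$sample"
has_stale_mapping "$sample" libwebp && echo "sample: restart needed, maps $(stale_mappings "$sample" libwebp)"
rm -f "$sample"

# Live scan of this machine: no output means nothing still maps an old libwebp.
scan_running_processes libwebp
```

Statically linked or bundled copies of libwebp (Electron apps, snaps, flatpaks) do not show up this way and need their own vendor update.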
On 2023-10-04 20:16, Trevor Cordes wrote:
Fun.
https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-...
If you have an Apple device, it must be updated. If it's no longer supported/updated, throw it away.
I am pretty sure that one was taken care of during the last round of updates for iOS 16, if anyone's using that and won't (or can't) upgrade to the newest one.
Anyone can send you a text or imessage (whatever that is) with a crafted webp image and p0wn your whole device: no clicks or user interaction required.
Same bug in Chrome: update your Chrome. If you cannot on that device (i.e. Win7) then throw it away or find a new OS/browser. But at least you'd have to visit a malicious web page.
Win7? Aren't we all running *nix here? I am shocked.... :)
Err... all the UNIX versions of Chrome are vulnerable, too. And iOS and iPadOS both still use a heck of a lot of FreeBSD kernel and libc, under the hood. -Adam
-----Original Message-----
From: Alberto Abrao
Sent: Wednesday, October 4, 2023 8:37 PM
To: Continuation of Round Table discussion roundtable@muug.ca
Subject: Re: [RndTbl] CVE-2023-41064
On 2023-10-05 Adam Thompson wrote:
Err... all the UNIX versions of Chrome are vulnerable, too. And iOS and iPadOS both still use a heck of a lot of FreeBSD kernel and libc, under the hood. -Adam
Ya, but the main point is the no-click no-action "push" aspect of the vulnerability unique to *phones*. Hacker can text you something you have no control over and BOOM. So the browser and other client stuff is a bit less critical.
The chatter on this bug is that a lot of iOS devices in the wild IRL got hit with this hack to install Pegasus spyware. Of course, you'd never know at all that you were one of those...
Not sure if Android has the same vulnerability -- you'd think it does? But the stuff I'm seeing blasted all over the place is Apple specific. Maybe they just hate Apple.
Anyone can send you a text or imessage (whatever that is) with a crafted webp image and p0wn your whole device: no clicks or user interaction required.
Quick comment on this. iOS 16 added a "lockdown mode" feature https://support.apple.com/en-us/HT212650, which disables a bunch of device features likely to be used for 0 days like this one.
Notable quote relating to the iMessage attack vector:
Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack. https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/#:~:text=We%20believe%2C%20and%20Apple%E2%80%99s%20Security%20Engineering%20and%20Architecture%20team%20has%20confirmed%20to%20us%2C%20that%20Lockdown%20Mode%20blocks%20this%20particular%20attack.
If you're the type of person who reads CVE pages, you should consider enabling lockdown mode. I've had it enabled since the day it was released with no major issues.
On Wed, Oct 4, 2023 at 9:18 PM Trevor Cordes trevor@tecnopolis.ca wrote:
On 2023-10-04 8:16 p.m., Trevor Cordes wrote:
Fun.
https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-...
If you have an Apple device, it must be updated. If it's no longer supported/updated, throw it away.
See also...
https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-ra...
https://www.bleepingcomputer.com/news/security/apple-backports-blastpass-zer...
Anyone can send you a text or imessage (whatever that is) with a crafted webp image and p0wn your whole device: no clicks or user interaction required.
iMessage is Apple's augmented/proprietary message protocol, which allows for multi-media attachments to a text message. Based on what I read, I think the vulnerability in libwebp can only be exploited via iMessage and not via SMS text messages to iOS devices (since those wouldn't contain images). Fortunately, you can disable iMessage support in iOS, if you don't use it.
Same bug in Chrome: update your Chrome. If you cannot on that device (i.e. Win7) then throw it away or find a new OS/browser. But at least you'd have to visit a malicious web page.
Also affects linux webp libraries, so patch your stuff and restart any dynamically linked browsers/clients.
Yeah, the list of apps and other frameworks that use libwebp is huge, and includes pretty much every modern browser, and even embedded mini-browsers to implement OAuth2 and such, if I'm not mistaken.
Even if this isn't as potentially nasty as the iMessage exploit, its scope is much larger.
Too bad they don't just give you an option to not load WebP images. (Wonder who's using those currently, other than Google?...)
More background info...
https://securityboulevard.com/2023/09/patch-everything-widely-used-webp-code...
I didn't realize WebP had been around since 2010. Yikes, that's a long time for a vulnerability to be hanging around, patiently waiting to be adopted by us trusting souls!
And, coincidentally...
https://www.malwarebytes.com/blog/news/2023/09/pegasus-spyware-and-how-it-ex...
... the company behind Pegasus has also been around since 2010. Not going into conspiracy theory, but it does mean there has been a long window of vulnerability to be potentially exploited here, by very motivated (and well-funded) bad actors.
Gilbert
On 2023-10-05 10:48 a.m., Gilbert Detillieux wrote:
On 2023-10-04 8:16 p.m., Trevor Cordes wrote:
Fun.
https://www.tenable.com/blog/cve-2023-41064-cve-2023-4863-cve-2023-5129-faq-...
If you have an Apple device, it must be updated. If it's no longer supported/updated, throw it away.
See also...
https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-ra...
https://www.bleepingcomputer.com/news/security/apple-backports-blastpass-zer...
...
What everyone calls SMS almost always includes MMS, which is a layered superset of SMS capabilities (using OTT IP, FWIW).
MMS is capable of sending images. While they normally get transcoded at least once, and usually 3 times (wtf, I know), it is possible for a sufficiently-sophisticated attacker to send WebP images bypassing all the transcoding. To do so, the attacker would need an SS7 connection, but while expensive, that's not a massive technical hurdle.
So... sadly that's still a zero-click vuln on every cell phone with a carrier that isn't still in the dark ages.
-Adam
From: Gilbert Detillieux Gilbert.Detillieux@umanitoba.ca
Sent: Thursday, October 5, 2023 10:48:04 AM
To: Continuation of Round Table discussion roundtable@muug.ca
Subject: Re: [RndTbl] CVE-2023-41064
--
Gilbert Detillieux
Computer Science, University of Manitoba, Winnipeg MB CANADA R3T 2N2
E-mail: Gilbert.Detillieux@umanitoba.ca
Web: http://www.cs.umanitoba.ca/~gedetil/
Phone: 204-474-8161
On 2023-10-05 Adam Thompson wrote:
What everyone calls SMS almost always includes MMS, which is a layered superset of SMS capabilities (using OTT IP, FWIW).
Ya, even if iMessage tries to take over on Apple as the MMS replacement, iOS devices must still speak MMS to communicate with Android phones.
MMS is capable of sending images. While they normally get transcoded at least once, and usually 3 times (wtf, I know), it is possible for a sufficiently-sophisticated attacker to send webP images bypassing all the transcoding. To do so, the attacker would need an SS7 connection, but while expensive, that's not a massive technical hurdle.
If the carriers (of which there actually aren't many in terms of "big" players) are already transcoding then in theory they could also check or block/strip images that have the hack in them? The bug description makes it sound like it would be trivial to do.
So... sadly that's still a zero-click vuln on every cell phone with a carrier that isn't still in the dark ages.
Then the next question is with Apple pushing iOS updates out fairly quickly, what is Android doing? I've yet to see any new OS update from Samsung. I guess it's just their usual head-in-the-sand nothing-to-see-here response?
Since webp never really took off, makes you wonder why they pushed it out to every browser and device so eagerly... malware on purpose? People thought it was "safe" because it was a huge company pushing it? No one checked the source? If I was conspiracy minded...
Now excuse me while I go set up my Firefox to run in firejail...
On Fri 06 Oct 2023 at 00:10:46 -05:00, Trevor Cordes trevor@tecnopolis.ca wrote:
On 2023-10-05 Adam Thompson wrote:
What everyone calls SMS almost always includes MMS, which is a layered superset of SMS capabilities (using OTT IP, FWIW).
Ya, even if iMessage tries to take over on Apple as the MMS replacement, iOS devices must still speak MMS to communicate with Android phones.
Not just to communicate with Android phones, but also with (like I'm using) browser-based VoIP carrier MMS facilities, which is the only way I'm willing to do significant texting, with full-size desktop keyboard and mouse convenience.
Hartmut