
Security Bits – Google’s Ad Filter, iBoot Leak, iOS Telugu Text Bug

Security Medium 1 — Google’s Ad Filter

On February 15 Google’s Chrome browser gained a nice new feature for controlling ads. It’s been reported on as an ad blocker, but that coverage misses a very important subtlety. Google itself calls the feature ad filtering, and an ad filter describes this feature very well indeed.

Google is an advertising company; it is not in their interest to destroy the advertising industry. They’re trying to solve a subtly different problem — the rise of ad blockers!

Google started by questioning why ad blockers were becoming so popular. They concluded, correctly IMO, that one of the big factors is that many ads cross the line and are positively user hostile. Angry users are motivated enough to go out and seek ways to get rid of the noise-making, page-blocking junk that’s ruining their web browsing experience.

If you take that as a given, then it makes sense that what’s needed is a tool that blocks the obnoxious ads, but lets all the other ads through. In other words, you need an ad filter!

For a filter to work it needs a set of rules to apply. Google could have made up their own rules, but they realised (quite correctly IMO) that that would never fly — it would be seen by many as Google abusing their market dominance. Instead, Google decided to program their filter to apply a set of rules established by the Coalition for Better Ads, an industry group that Google are members of.

So what do the Coalition for Better Ads think is unacceptable?

  • Popup ads
  • Auto-playing video with sound
  • Prestitial ads with a count-down
  • Large sticky ads
  • and more…

So, Google’s Chrome browser blocks ads from advertisers that breach the Coalition for Better Ads’ standards, and displays all other ads.

Links

Security Medium 2 — iBoot Leak

This week the source code for the iOS 9 boot loader was leaked online. Perhaps unsurprisingly, Apple named their iOS boot loader iBoot.

A boot loader’s job is to start the process of booting an operating system. When you power on a device the very first thing that happens is that the device’s firmware loads and initialises the hardware; it then hands over to the boot loader, which boots the OS. When you have a secure boot system, like Apple does, the boot loader is the trust anchor for that secure process, so it’s very important code.

A secure boot system is designed to only boot code that has been digitally signed by a trusted key. In this case, it means that if everything is functioning normally, it’s impossible to boot an iOS device into an OS that has not been digitally signed by Apple. This provides protection from all sorts of malicious attacks, but it also prevents permanent jailbreaks (those that survive reboots). This is why bugs in iBoot are exactly the kind of thing jailbreakers would give their right arm for, and why Apple always has to patch their OS each time a successful jailbreak is found, because if a device can be jailbroken, it can’t be secured!

What happened this week is that the iOS 9 version of iBoot was published on GitHub. Apple used the DMCA to get it taken down, but short of a time machine, there is no way to un-publish something like this, so it’s now out there.

It looks like the source for this leak was the jailbreaking community. It seems that an intern working at Apple snuck the code out back when iOS 9 was current, and gave it to friends of his in the jailbreaking community who promised to never ever share it. It seems they kept their promise for a long time, but as is inevitable, it eventually leaked.

So, is this something regular users need to worry about? Nope!

The security provided by iBoot is based on sound cryptography, not obscurity. Assuming there are no bugs in the implementation, knowing how it works does not let you in because you need Apple’s private key to digitally sign OSes, and that key did not leak.

Notice the assumption in the above paragraph? That’s where things get a little grey, and why Apple were keen to get the leaked code taken down. iBoot was written by humans, so it almost certainly has bugs in it. Those bugs can be found without seeing the source code, but it’s much easier to find these things when you can see the source code!
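To make the “cryptography, not obscurity” point concrete, here is an added toy example (not Apple’s code, and not the signature scheme iBoot actually uses): a boot loader that embeds only a public key and refuses any image whose signature doesn’t verify. It uses a Lamport one-time signature built on SHA-256 so it runs on the Python standard library alone; everything in the verifier is public, yet producing a valid signature for a modified image needs the private key. The image contents are constructed sample bytes.

```python
import hashlib
import secrets

# Toy Lamport one-time signature scheme (stdlib only) standing in for Apple's
# real signing algorithm, which this page does not describe. The shape of the
# argument is the same: the boot loader ships only the public key, so reading
# its source tells you how it checks, not how to forge.
HASH_BITS = 256

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bit(digest: bytes, i: int) -> int:
    # Bit i of the digest, most-significant bit first.
    return (digest[i // 8] >> (7 - i % 8)) & 1

def keygen():
    # Private key: two random 32-byte secrets for every bit of the digest.
    priv = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(HASH_BITS)]
    # Public key: the hashes of those secrets. This is all the boot loader embeds.
    pub = [[sha256(a), sha256(b)] for a, b in priv]
    return priv, pub

def sign(priv, image: bytes):
    # Reveal one preimage per digest bit. A Lamport key must sign only once;
    # reusing it leaks preimages an attacker could recombine.
    digest = sha256(image)
    return [priv[i][digest_bit(digest, i)] for i in range(HASH_BITS)]

def verify(pub, image: bytes, sig) -> bool:
    # Defensive length check first: a verifier that trusts the signature's
    # shape is exactly the kind of implementation bug the text worries about.
    if len(sig) != HASH_BITS:
        return False
    digest = sha256(image)
    return all(sha256(chunk) == pub[i][digest_bit(digest, i)] for i, chunk in enumerate(sig))

def boot(pub, image: bytes, sig) -> str:
    # The boot loader's only decision: run the image or refuse it.
    if verify(pub, image, sig):
        return "booting " + image.split(b"\n", 1)[0].decode()
    return "refused: bad signature"

def demo():
    # Constructed sample: a signed image, the same image with an unsigned patch,
    # and a signature made with a different (attacker's) private key.
    priv, pub = keygen()
    signed_os = b"sample-os-image\n<kernel bytes>"
    sig = sign(priv, signed_os)
    tampered = signed_os + b"\n<unsigned patch>"
    attacker_priv, _ = keygen()
    forged = sign(attacker_priv, tampered)
    return boot(pub, signed_os, sig), boot(pub, tampered, sig), boot(pub, tampered, forged)
```

Running `demo()` boots the signed image and refuses both the patched image and the image signed with the wrong key.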

So, today, there are both bad guys and good guys poring over the code trying to find bugs that could be used to bypass iBoot’s security protections (not all bugs have security implications).

Since this code was written Apple have released iOS 10 and iOS 11, so the code that’s now public is not the code running on a fully patched and up-to-date iOS device today. But the code running today is descended from the iOS 9 code, so it is entirely possible that a security-affecting bug found in the leaked iOS 9 iBoot source could work against iOS 11.

Ultimately, right now, this leak only has the potential to have a security impact in the future. It has no impact on your device’s security today. Some day it might, but then again, nothing may ever come of this. This is nothing more than a possible future problem, and a bit of an embarrassment for Apple (how did the intern get the code, and get it out?).

Links

Security Medium 3 — the iOS Telugu Text Bug

Another bug has been found in how iOS interprets text in messages. This time the bug is in iOS itself rather than in the Messages app, so it has a broader reach and is crashing some third-party messaging apps as well as Apple’s own Messages app. Facebook Messenger, Gmail, Outlook, & WhatsApp are known to be affected, but others could be too.

The bug is in how iOS 11 deals with a single character from the Telugu script. If you send someone a message that contains that character using one of the affected apps, their iOS device will first have a SpringBoard crash, and after it recovers from that, the app in question will crash each time you try to launch it. Notice that unlike with the previous text bomb, this one doesn’t crash the whole OS, so while it can deprive you of access to some of your messaging apps, it won’t stop your phone from booting, which definitely makes this bug less disruptive.

Also lessening the damage is the fact that a work-around has been found to recover access to at least the Messages app if this happens to you (and the same approach may work with other apps too). You’ll need a friend to send you another message that doesn’t contain the Telugu character, then open the app and, without opening the thread that has the Telugu character in it, delete that thread.

Thankfully, a fix is on the way very soon. The problem does not exist in the latest iOS 11.3 beta, and Apple have promised a patch for iOS 11.2 “soon”, probably as part of iOS 11.2.6.

Links

Notable Security Updates

  • Grammarly have issued an update to patch a critical flaw — nakedsecurity.sophos.com/…
  • Adobe releases critical Flash update — helpx.adobe.com/…
  • WordPress automatically pushed an update that inadvertently broke future automatic updates. An update to the update has been released, but any site that auto-updated will need to be manually updated once to re-enable automatic updates — nakedsecurity.sophos.com/…
  • Microsoft released Patch Tuesday updates for Windows, IE, Edge & Office — krebsonsecurity.com/…

Notable News

  • Intel releases new Spectre microcode update for Skylake; other chips remain in beta — arstechnica.com/…
  • From July, Google’s Chrome browser will mark HTTP websites ‘Not secure’ (browsers currently give HTTP websites a neutral rating) — arstechnica.com/… & nakedsecurity.sophos.com/…
  • A hack of a third-party JavaScript library led to Cryptocurrency mining malware being injected into thousands of sites around the world, including US government sites — nakedsecurity.sophos.com/…
  • MacUpdate found distributing malware-infected versions of popular apps including Firefox, OnyX & Deeper (editorial by Bart: yet more reason to avoid sites like these – get your software from a trusted store like the Mac App Store, or from the developer’s site instead) — blog.malwarebytes.com/…
  • It’s been a bad week for Facebook in Europe:
    • 🇩🇪 A German court finds Facebook’s current privacy settings to be illegal because of a lack of informed consent — nakedsecurity.sophos.com/…
    • 🇧🇪 A Belgian court ruled today that it’s illegal under Belgian privacy laws to track Belgian internet users who do not have a Facebook account (and have hence not accepted Facebook’s TOS), or who are not logged into their account. Facebook have been ordered to stop the illegal tracking, delete any data they have collected illegally, and to pay a fine of €0.25M per day (up to a max of €100M) that they fail to comply. Facebook will appeal the ruling — www.tijd.be/… (Note: you’ll have to trust my translation of the story from Dutch, I couldn’t find an English-language source when writing the shownotes, presumably because the news just broke an hour ago)
  • Facebook is being accused of abusing cellphone numbers supplied for 2FA with SMS messages that seem to be designed to boost user retention. It’s not clear if this is a bug, or if the SMS messages are intentional — gizmodo.com/… & nakedsecurity.sophos.com/…
  • Security researchers have found a privilege escalation bug in Skype’s auto-update process on Windows which allows any user on a Windows PC with Skype installed to gain Administrator rights. What’s worse is that MS have no immediate plans to fix the problem. Because this problem requires local access, it’s not quite the end of the world, but it’s a big issue on shared computers or computers that should be locked down for one reason or another, say in a school or corporate setting — www.macobserver.com/…

Suggested Reading

Palate Cleansers (both from Allison)
