Security Bits — 3 September 2023

Feedback & Followups

Deep Dive 1 — Security Conference Season Brings Some Interesting Apple Vulnerabilities

Each August security researchers gather at Blackhat and Defcon and other major security conferences and share their juiciest work. Because security is in the zeitgeist at this time of the year, we also get more research just released by press release. Some of that work inevitably focuses on Apple’s platforms, and so, gets a lot of clicks.

This August four Apple stories caught the headlines, all are interesting, but none need your urgent attention, so no need to panic!

An App Management Bug in macOS

First up is an issue affecting macOS Ventura that allows sandboxed apps to break out of their sandbox to modify other apps. This has the extra sting in the tail of being revealed without a fix, because the researcher has waited 10 months and Apple have not addressed the issue.

One reason Apple may be slow is that this is one of those “if you install a malicious app then …” bugs, and it’s also not remotely exploitable.

What this bug does do is undermine a feature designed to protect Macs even when a user installs malware, and having that protection lessened is not good, but this is a very low-risk bug. So, Apple may have triaged it as a low priority and just not gotten to it yet. They should of course communicate with the dev, and they should fix it as part of the next major OS update at the very least.

There’s no evidence of this bug being abused in the wild, and should an app be discovered trying to do this, Apple could easily block it with macOS’s XProtect feature.

For now — keeping the Mac’s built-in protections enabled and the perennial advice not to install untrusted apps should keep regular folks safe.

More details: macOS Ventura App Management exploit revealed 10 months after discovery — appleinsider.com/…

Fake Airplane Mode on iOS

Next up — the folks at Jamf have released limited details of how a malicious iOS app could fake airplane mode, allowing it to sneak out data while you think you’re offline.

This is even lower risk because it assumes malware got onto the iPhone somehow, and all an attacker could do with this knowledge is hide its network activity from the phone’s user. It’s cool to see how they found the relevant private APIs and abused them, but really, nothing to panic about at all!

More details: “Snakes in airplane mode” – what if your phone says it’s offline but isn’t? — nakedsecurity.sophos.com/…

A Notification Bypass on macOS

Next we have a vulnerability from Apple-researcher extraordinaire Patrick Wardle describing a mechanism for bypassing the new notification in macOS Ventura that tells you an app has added a background process. This notification is new, and I think few users know what it means, but it is nice for power users to get this extra visibility.

The risk here is that if you get tricked into installing malware, you won’t see a notification that might have been enough to make you think twice and realise your mistake. Again, not good, but nothing to lose sleep over.

More details: Malware Can Bypass macOS Background Task Manager Easily — www.macobserver.com/…

Fake Notifications on iOS

Finally, a flashy demo at Def Con demonstrated how some cheap equipment could be used to imitate an Apple TV and trigger on-screen notifications inappropriately over Bluetooth. Hypothetically it might be possible to use these dialogues to trick users into revealing their password, but I’m not sure many people would do that if they got a random Apple TV notification they were not expecting.

More details: A cheap Bluetooth transmitter can spoof some iPhone notifications — appleinsider.com/…

Deep Dive 2 — A Nice Example of How Clickbait Distorts Reality

The internet was briefly awash with stories warning of the massive danger from bacteria on Apple Watch and Fitbit straps. There was a real scientific study at the root of this story, it is valuable, it does contain useful advice, but it was not Apple or Fitbit focused, and its findings didn’t justify the tone of the headlines at all.

Here are some examples:

  • “Apple Watch, Fitbit wristbands carry shocking levels of bacteria: experts” — that implies the paper used the word ‘shocking’, that’s how journalists write, not scientists! A quick ⌘+f on the paper itself finds zero results for that word!
  • “Apple Watch and Fitbit wristbands are ‘hotbeds’ for harmful bacteria, study reveals” — again, the headline implies the paper used the word ‘hotbed’, nope!
  • “Apple Watches and Fitbits are ‘hotbeds’ for harmful bacteria that can ‘cause nasty sores, boils and toilet trouble’” — again, quotation marks implying the paper said things it did not, what is it with fake quotes these days?
  • “Alarming bacteria levels found on Apple Watch and Fitbit wristbands, reveals study” — no, the paper does not raise ‘alarm’, that word is also not in the paper.
  • “Is your Fitbit or Apple watch wristband making you sick? Study says they are a hotbed of bacteria like E.coli” — No, your watchband is almost certainly not making you sick, and what is it with the word ‘hotbed’?
  • “Apple Watch Is A Health Marvel, But Maybe A Health Hazard, Too, Report Claims” — ‘hazard’ is a bit strong, but at least the headline doesn’t make it look like the scientists used the word.

You can read the entire study online for free: Prevalence and Disinfection of Bacteria Associated with Various Types of Wristbands — www.scirp.org/…

Here are some key points from the actual study:

Wristbands, often worn daily without routine cleaning, may accumulate potentially pathogenic bacteria.

Bacteria found were common skin residents, of the genera Staphylococcus and Pseudomonas, and intestinal symbionts, like of the genera Escherichia.

The ability of many of these bacteria to significantly affect the health of immunocompromised hosts indicates a special need for healthcare workers and others in hospital environments to regularly sanitize these surfaces.

It would of course do none of us any harm to remember that, just like our clothes, our watch bands are picking up the normal bacteria that are around us all the time, so we should of course clean them from time to time. But there is nothing to be alarmed about, no need to panic, the paper did not reveal some kind of heretofore unknown health emergency!

The paper’s actual call to arms is pretty tame compared to the headlines:

There is a need for regular and popular sanitation of these surfaces.

When you ignore the hype, the paper has some interesting findings:

Generally, it was found that rubber and plastic wristbands had higher bacterial counts, while metal ones, especially gold and silver, had little to no bacteria.

Common household disinfectants, such as Lysol Disinfectant Spray, 70% Ethanol, and Heinz Apple Cider Vinegar all proved at least somewhat effective on all materials (rubber, plastic, cloth, and metal), although antibacterial efficacy was significantly increased at two minutes compared to thirty seconds.

❗ Action Alerts

Worthy Warnings

Notable News

  • Yet another speculative execution bug has been found in Intel CPUs. As with all of these, the biggest concern is on shared computers like those hosting cloud services, so mostly a headache for corporate server admins. The flaw is difficult to exploit and Intel have released microcode fixes, so keep an eye out for firmware and OS updates — www.infoq.com/…
  • Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania & the UK, the US DOJ took down the QakBot botnet, and perhaps more controversially, with court approval, cleaned up infected devices — krebsonsecurity.com/…
    • Because of the FBI’s partnership with Have I Been Pwnd, you can search to see if you were one of the botnet’s victims — www.troyhunt.com/…

Excellent Explainers

Palate Cleansers

  • From Bart: to really understand just how amazing the JWST is, there’s nothing better than its view of a famous nebula every backyard astronomer knows as nothing more than a tiny smudge in the shape of a smoke ring: The Ring Nebula from Webb — apod.nasa.gov/…
  • From Allison: A 4-year-old gets a patch accepted into the Linux Kernel — mastodon.social/…

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning

  • A link to audio content, probably a podcast.
  • A call to action.
  • flag: The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
  • A link to graphical content, probably a chart, graph, or diagram.
  • A story that has been over-hyped in the media, or, “no need to light your hair on fire”.
  • A link to an article behind a paywall.
  • A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
  • A tip of the hat to thank a member of the community for bringing the story to our attention.
