{"id":29284,"date":"2023-09-03T11:47:31","date_gmt":"2023-09-03T18:47:31","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=29284"},"modified":"2023-09-03T14:57:03","modified_gmt":"2023-09-03T21:57:03","slug":"sb-2023-09-03","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2023\/09\/sb-2023-09-03\/","title":{"rendered":"Security Bits \u2014 3 September 2023"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>An excellent overview of the NightOwl saga we mentioned last time: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/did-the-nightowl-app-really-join-macs-to-a-botnet-army\/\">Did the NightOwl app really join Macs to a botnet army? \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li>A fresh campaign has been launched to try to pressure Apple into implementing the highly controversial on-device scanning of photos destined for iCloud, which it abandoned last year \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/23\/09\/01\/child-safety-advocacy-group-launches-campaign-against-apple\">appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 Security Conference Season Brings Some Interesting Apple Vulnerabilities<\/h2>\n<p>Each August security researchers gather at Black Hat, DEF CON and the other major security conferences to share their juiciest work. Because security is in the zeitgeist at this time of year, we also get more research released by press release. 
Some of that work inevitably focuses on Apple\u2019s platforms, and so gets a lot of clicks.<\/p>\n<p>This August four Apple stories caught the headlines. All are interesting, but none needs your urgent attention, so <strong>no need to panic!<\/strong><\/p>\n<h3>An App Management Bug in macOS<\/h3>\n<p>First up is an issue affecting macOS Ventura that allows a sandboxed app to modify other apps, bypassing the App Management protection that is supposed to prevent exactly that. This has the extra sting in the tail of being revealed without a fix, because the researcher waited 10 months and Apple have still not addressed the issue.<\/p>\n<p>One reason Apple may be slow is that this is one of those <em>\u201cif you install a malicious app then \u2026\u201d<\/em> bugs, and it\u2019s also not remotely exploitable.<\/p>\n<p>What this bug does do is undermine a feature designed to protect Macs even when a user installs malware, and having that protection weakened is not good, but this is still a very low-risk bug. So, Apple may have triaged it as a low priority and just not gotten to it yet. 
They should of course communicate with the researcher, and they should fix it as part of the next major OS update at the very least.<\/p>\n<p>There\u2019s no evidence of this bug being abused in the wild, and should an app be discovered trying to do this, Apple could easily block it with macOS\u2019s XProtect feature.<\/p>\n<p>For now \u2014 keeping the Mac\u2019s built-in protections enabled and the perennial advice not to install untrusted apps should keep regular folks safe.<\/p>\n<p><strong>More details<\/strong>: <a href=\"https:\/\/appleinsider.com\/articles\/23\/08\/20\/macos-ventura-app-management-exploit-revealed-10-months-after-discovery\">macOS Ventura App Management exploit revealed 10 months after discovery \u2014 appleinsider.com\/\u2026<\/a><\/p>\n<h3>Fake Airplane Mode on iOS<\/h3>\n<p>Next up \u2014 the folks at Jamf have released limited details of how a malicious iOS app could fake airplane mode, allowing it to sneak out data while you think you\u2019re offline.<\/p>\n<p>This is even lower risk because it assumes malware got onto the iPhone somehow, and all an attacker could do with this knowledge is hide its network activity from the phone\u2019s user. It\u2019s cool to see how they found the relevant private APIs and abused them, but really, nothing to panic about at all!<\/p>\n<p><strong>More details:<\/strong> <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/08\/21\/snakes-in-airplane-mode-what-if-your-phone-says-its-offline-but-isnt\/?utm_source=pocket_saves\">\u201cSnakes in airplane mode\u201d \u2013 what if your phone says it\u2019s offline but isn\u2019t? \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/p>\n<h3>A Notification Bypass on macOS<\/h3>\n<p>Next we have a vulnerability from Apple security researcher extraordinaire Patrick Wardle describing a mechanism for bypassing the new notification in macOS Ventura that tells you an app has registered a background item, such as a login item or launch agent. 
This notification is new, and I think few users know what it means, but it is nice for power users to get this extra visibility.<\/p>\n<p>The risk here is that if you get tricked into installing malware, you won&#8217;t see a notification that might have been enough to make you think twice and realise your mistake. Again, not good, but nothing to lose sleep over.<\/p>\n<p><strong>More details:<\/strong> <a href=\"https:\/\/www.macobserver.com\/news\/malware-can-bypass-macos-background-task-manager-easily\/\">Malware Can Bypass macOS Background Task Manager Easily \u2014 www.macobserver.com\/\u2026<\/a><\/p>\n<h3>Fake Notifications on iOS<\/h3>\n<p>Finally, a flashy demo at DEF CON showed how some cheap equipment could be used to imitate an Apple TV over Bluetooth and trigger unwanted on-screen notifications on nearby iPhones. Hypothetically it might be possible to use these dialogues to trick users into revealing their password, but I&#8217;m not sure many people would do that if they got a random Apple TV notification they were not expecting.<\/p>\n<p><strong>More details:<\/strong> <a href=\"https:\/\/appleinsider.com\/articles\/23\/08\/16\/a-cheap-bluetooth-transmitter-can-spoof-some-iphone-notifications\">A cheap Bluetooth transmitter can spoof some iPhone notifications \u2014 appleinsider.com\/\u2026<\/a><\/p>\n<h2>Deep Dive 2 \u2014 A Nice Example of How Clickbait Distorts Reality<\/h2>\n<p>The internet was briefly awash with stories warning of the massive danger from bacteria on Apple Watch and Fitbit straps. 
There was a real scientific study at the root of this story. It is valuable and it does contain useful advice, but it was not Apple- or Fitbit-focused, and its findings didn&#8217;t justify the tone of the headlines at all.<\/p>\n<p>Here are some examples:<\/p>\n<ul>\n<li><em>&#8220;Apple Watch, Fitbit wristbands carry shocking levels of bacteria: experts&#8221;<\/em> \u2014 that implies the paper used the word &#8216;shocking&#8217;; that&#8217;s how journalists write, not scientists! A quick <code>\u2318+f<\/code> on the paper itself finds zero results for that word!<\/li>\n<li><em>&#8220;Apple Watch and Fitbit wristbands are &#8216;hotbeds&#8217; for harmful bacteria, study reveals&#8221;<\/em> \u2014 again, the headline implies the paper used the word &#8216;hotbed&#8217;. Nope!<\/li>\n<li><em>&#8220;Apple Watches and Fitbits are \u2018hotbeds\u2019 for harmful bacteria that can \u2019cause nasty sores, boils and toilet trouble\u2019&#8221;<\/em> \u2014 again, quotation marks implying the paper said things it did not. What is it with fake quotes these days?<\/li>\n<li><em>&#8220;Alarming bacteria levels found on Apple Watch and Fitbit wristbands, reveals study&#8221;<\/em> \u2014 no, the paper does not raise <em>&#8216;alarm&#8217;<\/em>; that word is also not in the paper.<\/li>\n<li><em>&#8220;Is your Fitbit or Apple watch wristband making you sick? 
Study says they are a hotbed of bacteria like E.coli&#8221;<\/em> \u2014 No, your watchband is almost certainly not making you sick, and what is it with the word <em>&#8216;hotbed&#8217;<\/em>?<\/li>\n<li><em>&#8220;Apple Watch Is A Health Marvel, But Maybe A Health Hazard, Too, Report Claims&#8221;<\/em> \u2014 &#8216;hazard&#8217; is a bit strong, but at least the headline doesn&#8217;t make it look like the scientists used the word.<\/li>\n<\/ul>\n<p>You can read the entire study online for free: <a href=\"https:\/\/www.scirp.org\/journal\/paperinformation.aspx?paperid=125218\">Prevalence and Disinfection of Bacteria Associated with Various Types of Wristbands \u2014 www.scirp.org\/\u2026<\/a><\/p>\n<p>Here are some key points from the actual study:<\/p>\n<blockquote><p>\n  Wristbands, often worn daily without routine cleaning, may accumulate potentially pathogenic bacteria.<\/p>\n<p>  Bacteria found were common skin residents, of the genera Staphylococcus and Pseudomonas, and intestinal symbionts, like of the genera Escherichia.<\/p>\n<p>  The ability of many of these bacteria to significantly affect the health of <strong>immunocompromised hosts<\/strong> indicates a special need for <strong>healthcare workers and others in hospital environments<\/strong> to regularly sanitize these surfaces.\n<\/p><\/blockquote>\n<p>It would of course do none of us any harm to remember that, just like our clothes, our watch bands pick up the normal bacteria that are around us all the time, so we should clean them from time to time. 
But there is nothing to be alarmed about and no need to panic; the paper did not reveal some kind of heretofore unknown health emergency!<\/p>\n<p>The paper&#8217;s actual call to arms is pretty tame compared to the headlines:<\/p>\n<blockquote><p>\n  There is a need for regular and popular sanitation of these surfaces.\n<\/p><\/blockquote>\n<p>When you ignore the hype, the paper has some interesting findings:<\/p>\n<blockquote><p>\n  Generally, it was found that rubber and plastic wristbands had higher bacterial counts, while metal ones, especially gold and silver, had little to no bacteria.<\/p>\n<p>  Common household disinfectants, such as Lysol Disinfectant Spray, 70% Ethanol, and Heinz Apple Cider Vinegar all proved at least somewhat effective on all materials (rubber, plastic, cloth, and metal), although antibacterial efficacy was significantly increased at two minutes compared to thirty seconds.\n<\/p><\/blockquote>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/08\/23\/using-winrar-be-sure-to-patch-against-these-code-execution-bugs\/\">Using WinRAR? 
Be sure to patch against these code execution bugs\u2026 \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>A timely reminder that ATM fraud is on the rise again post-pandemic: <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/08\/15\/grab-hold-and-give-it-a-wiggle-atm-card-skimming-is-still-a-thing\/\">\u201cGrab hold and give it a wiggle\u201d \u2013 ATM card skimming is still a thing \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/08\/16\/fbi-warns-about-scams-that-lure-you-in-as-a-mobile-beta-tester\/\">FBI warns about scams that lure you in as a mobile beta-tester \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Allister Jenks alerted <a href=\"https:\/\/podfeet.com\/slcak\">our Slack community<\/a> to a thread on Mastodon about a very interesting attempt to hack someone&#8217;s bank account: <a href=\"https:\/\/social.coop\/@BjornToftMadsen\/110971514208956658\" target=\"_blank\" rel=\"noopener\">social.coop\/&#8230;<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Yet another speculative execution bug has been found in Intel CPUs. As with all of these, the biggest concern is shared hardware, such as the servers hosting cloud services, so it is mostly a headache for corporate server admins. 
The flaw, dubbed Downfall, is difficult to exploit, and Intel have released microcode fixes, so keep an eye out for firmware and OS updates \u2014 <a href=\"https:\/\/www.infoq.com\/news\/2023\/08\/downafall-attack-intel-cpus\/\">www.infoq.com\/\u2026<\/a>\n<ul>\n<li>It\u2019s not clear if Intel Macs are affected \u2014 <a href=\"https:\/\/www.intego.com\/mac-security-blog\/does-the-downfall-vulnerability-affect-intel-macs\/\">www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania &amp; the UK, the US DOJ took down the QakBot botnet and, perhaps more controversially, with court approval, cleaned up infected devices \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2023\/08\/u-s-hacks-qakbot-quietly-removes-botnet-infections\/\">krebsonsecurity.com\/\u2026<\/a>\n<ul>\n<li>Because of the FBI\u2019s partnership with Have I Been Pwned, you can search to see if you were one of the botnet\u2019s victims \u2014 <a href=\"https:\/\/www.troyhunt.com\/data-from-the-qakbot-malware-is-now-searchable-in-have-i-been-pwned-courtesy-of-the-fbi\/\">www.troyhunt.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/what-is-sms-how-it-works-why-its-insecure-and-why-we-still-need-it\/\">What is SMS? 
How It works, why it&#8217;s insecure\u2026 and why we still need it \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/everything-you-need-to-know-about-software-updates\/\">What every Apple user should know about software updates \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong> to really understand just how amazing the JWST is, there&#8217;s nothing better than its view of a famous nebula every backyard astronomer knows as nothing more than a tiny smudge in the shape of a smoke ring: <a href=\"https:\/\/apod.nasa.gov\/apod\/ap230814.html\">The Ring Nebula from Webb \u2014 apod.nasa.gov\/\u2026<\/a>\n<ul>\n<li>Bonus TV Recommendation: the Netflix documentary which tells the JWST story \u2014 <a href=\"https:\/\/www.netflix.com\/title\/81473680\">Unknown: Cosmic Time Machine<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>From Allison:<\/strong> A 4-year-old gets a patch accepted into the Linux Kernel \u2014 <a href=\"https:\/\/mastodon.social\/@nixCraft\/110900072073406421\">mastodon.social\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to 
people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em><\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. An excellent overview of the NightOwl saga we mentioned last time: Did the NightOwl app really join Macs to a botnet army? 
\u2014 www.intego.com\/\u2026 A fresh campaign has been launched to try pressure Apple [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[5598,6054,50,569,4586],"class_list":["post-29284","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-bad-actors","tag-hacker","tag-security","tag-security-bits","tag-vulnerability"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=29284"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29284\/revisions"}],"predecessor-version":[{"id":29285,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29284\/revisions\/29285"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=29284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"ht
tps:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=29284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=29284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}