{"id":2435,"date":"2022-08-26T21:39:15","date_gmt":"2022-08-26T16:39:15","guid":{"rendered":"https:\/\/testing.dicecamp.com\/insights\/?p=2435"},"modified":"2022-09-08T17:50:21","modified_gmt":"2022-09-08T12:50:21","slug":"a-cybersecurity-view-of-apples-zero-day-security-flaw","status":"publish","type":"post","link":"https:\/\/testing.dicecamp.com\/insights\/a-cybersecurity-view-of-apples-zero-day-security-flaw\/","title":{"rendered":"A Cybersecurity View of Apple\u2019s Zero-Day flaws"},"content":{"rendered":"\n

Just last week, Apple released a series of emergency security updates<\/strong> as a response to two zero-day vulnerabilities found in iPhone, Mac, and iPad devices.<\/p>\n\n\n\n

Though the news surfaced at Apple\u2019s official website<\/a>, it however lacked important details on the possible exploitation of the vulnerabilities.<\/p>\n\n\n\n

The hackers would have \u201cactively exploited\u201d the security loopholes, mentioned Apple. <\/p>\n\n\n\n

To address the sensitivity of the matter, various cybersecurity agencies and specialists around the globe helped iOS users discern the potential impacts and security measures. <\/p>\n\n\n\n

Although Apple hasn\u2019t disclosed how, and when it got to the vulnerability, the iPhone maker cited an \u201canonymous researcher\u201d working as an ethical hacker <\/strong>in favor of the company. <\/p>\n\n\n\n

The two bugs identified by the penetration test<\/strong> (aka pen test) are dubbed as \u201cout of bounds<\/strong>\u201d write flaws. <\/p>\n\n\n\n

Each resides in the Kernel and in the Webkit engine respectively, offering hackers two easy ways to jump in, and control an iDevice. <\/p>\n\n\n\n

Vulnerable devices<\/strong> include:  iPhones dating back to the 6S model, iPad 5th generation and later, iPad Air 2 and later, iPad mini 4 and later, all iPad Pro models and the 7th generation iPod touch.<\/p>\n\n\n\n

The tech giant says new updates<\/strong> offer better \u201ccontrol of bounds<\/strong>\u201d in the system, and that hackers would no longer exploit devices after the updates are installed.<\/p>\n\n\n\n

Before we jump to the vulnerability details make sure you\u2019ve updated your iPhone, Mac, iPad, and iPod systems to the latest security updates, as the updates are recommended to be installed urgently, for all users. <\/p>\n\n\n\n

About the Vulnerabilities<\/h1>\n\n\n\n

Apple identified the two security vulnerabilities as out of bounds <\/strong>write flaws. <\/p>\n\n\n\n

Simply put, an out of bounds write flaw lets an application write a program outside its allocated memory resources potentially getting unauthorized access to other programs. <\/p>\n\n\n\n

Such a bug impacts the application controls in two ways. Either the app crashes, or more dangerously, gets to write arbitrary code remotely.<\/p>\n\n\n\n

This is done following a phenomenon known as Arbitrary Code Execution (ACE)<\/strong>.<\/p>\n\n\n\n

1: The Webkit Zero-day<\/h2>\n\n\n\n

Denoted as CVE-2022-32893<\/strong>, this vulnerability was found in the Safari web engine: \u201cWebkit\u201d.<\/p>\n\n\n\n

A hacker could exploit this security flaw to execute a malicious arbitrary code essentially through a website. <\/p>\n\n\n\n

Quite troublesome, the impacts are not just limited to Safari Web Browsing functionalities as we explain shortly in the article.<\/p>\n\n\n\n

2: The Kernel Zero-day<\/h2>\n\n\n\n

The other vulnerability, denoted as CVE-2022-32894<\/strong>, affects the Kernel of the iOS. <\/p>\n\n\n\n

For a one-liner overview, the kernel of an operating system is that part of the code that is tasked for resource allocation. <\/p>\n\n\n\n

This includes for example assigning memory, and processing resources to other components in the system.<\/p>\n\n\n\n

Thus the kernel has direct access <\/strong>to all the applications and hardware of the system. <\/p>\n\n\n\n

With this kernel-hit security flaw, a hacker can use a malicious application to run an arbitrary code (ACE) with kernel privileges, getting unrestricted access<\/strong> to all the applications in the device as well as the hardware components.<\/p>\n\n\n\n

In the following section we explain in how many ways hackers could use the above vulnerabilities to control a device remotely.<\/p>\n\n\n\n

Expert\u2019s Views on the impact of Vulnerabilities<\/h1>\n\n\n\n

At the Sophos\u2019 official blog<\/a> page, Paul Duckline, a cybersecurity expert, comes forward with his view on the potential impacts of the zero day bugs. These are presented as follows.<\/p>\n\n\n\n

First, it\u2019s surprising to know that the Webkit vulnerability can provide access to all HTML based applications and functionalities in the device. <\/p>\n\n\n\n

Therefore, the Webkit vulnerability caused a risk to \u2018all\u2019 the web-rendering applications of the device and not just the Safari exclusive content. <\/p>\n\n\n\n

You must know that the Webkit engine sits behind all the HTML functionalities in an iOS device, even behind those apps that display \u201cAbout Us\u201d and \u201cHelp\u201d pages using HTML\u2019s convenience.<\/p>\n\n\n\n

Since Apple has made it compulsory for all apps on the App Store to base their web functionalities on Webkit engine, a malicious web page containing an ACE, implanted by a hacker, could get a foothold on all the apps.<\/p>\n\n\n\n

The second vulnerability<\/strong> is more shocking and dangerous in impact since it resided at the kernel level. <\/p>\n\n\n\n

The Kernel privilege loophole can give a cybercriminal full control of your iDevice, something that\u2019s only reserved for Apple.<\/p>\n\n\n\n

Simply put, if a hacker got successful in implementing an ACE exploiting this bug, they can do the following to your iDevice:<\/p>\n\n\n\n