Flaw Allows Hacking Macs, iOS Devices with Single Network Packet

Apple has fixed a serious vulnerability in macOS and iOS that could allow hackers to compromise devices over the local network by sending them a single malformed Internet Protocol (IP) packet.

The remote code execution flaw, identified as CVE-2018-4407, stems from a heap buffer overflow in the networking stack of Apple’s XNU operating system kernel, more specifically in the Internet Control Message Protocol (ICMP) packet-handling code. The vulnerability was discovered by Kevin Backhouse, a researcher with code analysis firm Semmle.

Because the XNU kernel is used by both Apple’s macOS and iOS operating systems, iPhones, iPads and Macs are all affected. The flaw was reported to Apple in August and was silently patched in iOS 12, released Sept. 17, and macOS Mojave (10.14.1), released Sept. 24.

On Oct. 30, Apple released security updates 2018-001 for macOS High Sierra and 2018-005 for macOS Sierra that fix this and other vulnerabilities. Backhouse also published a blog post with detailed information about the flaw.

“To trigger the vulnerability, an attacker merely needs to send a malicious IP packet to the IP address of the target device,” the researcher said. “No user interaction is required. The attacker only needs to be connected to the same network as the target device. For example, if you are using the free WiFi in a coffee shop then an attacker can join the same WiFi network and send a malicious packet to your device.”

Because the flaw is located in a fundamental part of the kernel—the networking stack—the attack cannot be blocked by antivirus software. Backhouse’s proof-of-concept exploit, which he has not published yet, only crashes affected devices, but with additional effort, the flaw can be exploited for remote code execution.

The good news is that in the researcher’s tests, the flaw doesn’t appear to be exploitable directly over the internet, so attackers have to be on the same local network as their victims. In its default state, the application firewall built into macOS does not block the attack, but enabling stealth mode does.
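As an added example (not from the article or from Semmle's write-up), a small POSIX sh audit of the mitigation named above: it reads the macOS application firewall and stealth-mode state through the stock `socketfilterfw` binary, reports whether the host is covered, and turns both settings on when run with `--fix`. The binary path and the output strings it matches are the stock macOS ones; the function names and verdict labels are my own.

```shell
#!/bin/sh
# Added example, not code from the article: audit (and optionally enable) the
# macOS application firewall stealth mode that the article names as a mitigation.
# Assumes the stock macOS binary below; on other systems every query is "unknown".
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Classify one line of socketfilterfw output as on/off/unknown. Handles both
# "Firewall is enabled. (State = 1)" and "Stealth mode enabled" style lines.
parse_state() {
    case "$1" in
        *disabled*) echo off ;;
        *enabled*)  echo on ;;
        *)          echo unknown ;;
    esac
}

# Live queries; "unknown" when socketfilterfw is not present (non-macOS host).
firewall_state() {
    [ -x "$SFW" ] && parse_state "$("$SFW" --getglobalstate)" || echo unknown
}
stealth_state() {
    [ -x "$SFW" ] && parse_state "$("$SFW" --getstealthmode)" || echo unknown
}

# Verdict from the two raw output lines. Stealth mode is an option of the
# application firewall, so it only helps when the firewall itself is enabled.
mitigation_status() {
    fw=$(parse_state "$1")
    st=$(parse_state "$2")
    if [ "$fw" = on ] && [ "$st" = on ]; then
        echo mitigated
    elif [ "$fw" = unknown ] || [ "$st" = unknown ]; then
        echo unknown
    else
        echo exposed
    fi
}

# "--fix" enables the firewall and stealth mode (needs root on macOS).
if [ "${1:-}" = "--fix" ] && [ -x "$SFW" ]; then
    "$SFW" --setglobalstate on
    "$SFW" --setstealthmode on
fi

# Report the live state of this host.
if [ -x "$SFW" ]; then
    verdict=$(mitigation_status "$("$SFW" --getglobalstate)" "$("$SFW" --getstealthmode)")
else
    verdict=unknown
fi
printf 'firewall: %s\nstealth:  %s\nverdict:  %s\n' \
    "$(firewall_state)" "$(stealth_state)" "$verdict"
```

Run it as root with `--fix` to apply the change; without arguments it only reports.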

Emotet Trojan Starts Mysteriously Exfiltrating Email Messages

Emotet, a modular Trojan that is typically used to distribute other malware, recently received an update that allows it to steal victims’ email messages going back six months.

The new email harvesting module was spotted by researchers from security firm Kryptos Logic. It leverages the Outlook Messaging API (MAPI), which is included in Windows, to crawl email folders and grab the header, subject and part of the body of all emails from the past 180 days.

Emotet first appeared in 2014 and started out as a Trojan focused on stealing online banking credentials. It returned in 2017 with an improved codebase, modular architecture and a new goal: the distribution of malware for other paying cybercriminal groups.

This year, the Trojan’s creators have focused on targeting state governments, municipalities, utilities and other organizations in the United States, prompting US-CERT to issue an alert in July in which it warned that Emotet infections have cost local governments up to $1 million per incident to remediate.

It’s not clear what the attackers plan to do with the new functionality and the email content they steal. Given the kind of organizations the group targeted recently, the messages likely contain confidential and sensitive data that could be valuable in a cyberespionage scenario. The insider information gathered could also be used to launch very credible phishing attacks.

“While Emotet’s operators may have simply moved to server-side extraction, harvesting data in mass provides a weaponized data-driven analytical capability which should not be underestimated, given how effective surgical email leaks have been in the recent past,” the Kryptos Logic researchers said in a report.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42