Apple Security is Garbage—Change My Mind

Apple just issued an urgent patch for every single platform. With a maximum VSS score of 10.0, this zero-click, zero-day “ForcedEntry” vulnerability is a huge deal.

Apple’s SVP of software engineering, Craig Federighi (pictured) is under fire for Apple’s piss-poor patching performance. It takes too long to ship updates—and when they are released, they’re huge. Plus, the much-heralded “BlastDoor” feature didn’t work to stop this exploit, which came from NSO’s Pegasus spyware factory.

Patch now, obvs. In today’s SB Blogwatch, we remember embarrassing quotes.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Metal Navy.

Federighi Eats His Words

What’s the craic? Nicole Perlroth reports—“Apple Issues Emergency Security Updates to Close a Spyware Flaw”:

NSO’s Pegasus spyware
Security researchers uncovered a flaw that allows highly invasive spyware from Israel’s NSO Group to infect anyone’s iPhone, iPad, Apple Watch or Mac computer without so much as a click. … Known as a “zero click remote exploit,” it is considered the Holy Grail of surveillance because it allows governments, mercenaries and criminals to secretly break into someone’s device without tipping the victim off.

The discovery means that more than 1.65 billion Apple products in use worldwide have been vulnerable to NSO’s spyware since at least March. … Over the past six years, NSO’s Pegasus spyware has turned up on the phones of activists, dissidents, lawyers, doctors, nutritionists and even children in countries like Saudi Arabia, the United Arab Emirates and Mexico. … NSO did not immediately respond to inquiries.

And Zack Whittaker adds—“Apple patches an NSO zero-day flaw affecting all devices”:

Reported its findings to Apple on September 7
Apple … said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability. … The breach was significant because … the exploit broke through new iPhone defenses that Apple had baked into iOS 14, dubbed BlastDoor, which were supposed to prevent silent attacks by filtering potentially malicious code.

NSO Group declined to answer our specific questions. … Citizen Lab said it reported its findings to Apple on September 7. Apple pushed out the updates for the vulnerability, known officially as CVE-2021-30860.

Who found it? Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan and Ron Deibert—“NSO Group iMessage Zero-Click Exploit Captured in the Wild”:

Despotism as a service
While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices. [It] works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics).

[It] is the latest in a string of zero-click exploits linked to NSO Group. … NSO Group’s business model contains the seeds of their ongoing unmasking: Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates discovery of the spyware.

Companies like NSO Group are facilitating “despotism as a service” for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.

Wait. Pause. Why did it take Apple six days to fix a VSS 10.0 bug? Alex Russell—@SlightlyLate—thinks Apple’s patch engineering needs root-and-branch reform:

Deeply disruptive
It’s absolutely medieval that Apple requires a ~300MiB download + a system reboot — ~15 minutes end-to-end — to apply a WebKit patch.

Android and Windows and basically every other modern OS have figured one or both parts of this out. Cupertino [is] unique in its insistence that users must be taxed in a deeply disruptive way to get security fixes.

Aye, there’s the rub. redpawn points to another Apple restriction that makes the problem even worse:

Bask in Apple’s love
What could go wrong with browser lock-in? … Old dead WebKit has killed mountains of iPhones and iPads. Apple leaves behind older kit and the browser just crashes on modern web pages.

Forbid other browsers web engines and the ithings become useless. But also browser lock-in is vulnerability lock-in for up to date devices too.

Bask in Apple’s love.

Throwing money at the problem might not be a bad idea at this point. So says MohForce1:

Needs to do better
I know security is hard, having worked in software engineering for various industries over the years. But I really feel Apple should throw a big pile of money at this on-going problem and bring many of these brilliant sec researchers in-house. Give them full access to the source code and let them go to town. Yes, they have many already working in-house, but they need more: This was a zero-click exploit.

The platform has become so big, the more brilliant eyes you have focused on it, the better. … It needs to do better.

And Dan Gillmor has more ideas to spend Apple’s cash: [You’re fired—Ed.]

Apple could spend a rounding error of a rounding error of its cash and put the evil NSO out of business. But it just reacts.

Meanwhile everyone remains at risk from these slimeballs.

Hilariously, Chuck Hamlin recalls this embarrassing quote from Apple’s SVP of software engineering:

You were saying?
“It’s well understood in the security community that Android has a malware problem that iOS has succeeded in staying ahead of.”

You were saying, Craig Federighi?

Meanwhile, fellow_traveler appears to have found their own solution:

My iPad has been powered off since the last update. [I] turned it on to catch this one. Will have to turn it on again tomorrow, looks like.

And Finally:

Sail the seven seas

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 618 posts and counting.See all posts by richi