"Expert" hackers used 11 0-days to infect Windows, iOS, and Android users:
A team of advanced hackers exploited no fewer than 11 zero-day vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said.
Using novel exploitation and obfuscation techniques, a mastery of a wide range of vulnerability types, and a complex delivery infrastructure, the group exploited four zero-days in February 2020. The hackers' ability to chain together multiple exploits that compromised fully patched Windows and Android devices led members of Google's Project Zero and Threat Analysis Group to call the group "highly sophisticated."
On Thursday, Project Zero researcher Maddie Stone said that, in the eight months that followed the February attacks, the same group exploited seven more previously unknown vulnerabilities, which this time also resided in iOS. As was the case in February, the hackers delivered the exploits through watering-hole attacks, which compromise websites frequented by targets of interest and add code that installs malware on visitors' devices.
[...] The seven zero-days were:
- CVE-2020-15999 - Chrome Freetype heap buffer overflow
- CVE-2020-17087 - Windows heap buffer overflow in cng.sys
- CVE-2020-16009 - Chrome type confusion in TurboFan map deprecation
- CVE-2020-16010 - Chrome for Android heap buffer overflow
- CVE-2020-27930 - Safari arbitrary stack read/write via Type 1 fonts
- CVE-2020-27950 - iOS XNU kernel memory disclosure in mach message trailers
- CVE-2020-27932 - iOS kernel type confusion with turnstiles
Wikipedia has a good description of a zero-day (0-day) vulnerability.
(Score: 0) by Anonymous Coward on Saturday March 27 2021, @10:46AM (11 children)
No Linux vulns? I am shocked, really, really shocked!
(Score: 4, Insightful) by zoward on Saturday March 27 2021, @11:09AM (9 children)
Nope. All Chrome. Windows. iOS. If you're running a Linux kernel (or BSD, Plan 9, etc) reading this on Firefox (or Palemoon, Waterfox, etc), you're safe for now. That's mostly because we're not the hacking group's target market, of course, not even a rounding error of the general population. We'd also probably know if we were running malware, and keep backups, so ransomware means we'd laugh and treat it as an excuse to format the drive, restore from backups and try out a new distro.
(Score: 2, Insightful) by aristarchus on Saturday March 27 2021, @11:53AM (2 children)
Hurd this so many times. Is it that free software people have no money, or that the rare minority that actually have some idea of how their operating systems work are both too poor and too smart to be a plausible target?
(Score: 2) by Azuma Hazuki on Sunday March 28 2021, @03:56AM
Could be both. I do notice that people with money tend to buy their way out of having to think or take responsibility for themselves, or in the inverse, "necessity is the mother of invention." Count me into the "reading this on *nix in Firefox" group.
I am "that girl" your mother warned you about...
(Score: 0) by Anonymous Coward on Sunday March 28 2021, @12:54PM
Considering the sophistication of the attacks, I would guess they had a specific target in mind and it's more than a generic money grab. I'm guessing they were really trying to get the malware onto the corporate network at, say, JP Morgan Chase or Lockheed Martin and corporate policy at the target company forbids employees from using a traditional Linux distribution.
As anyone at Soylentnews knows, Android is built on a Linux kernel and it still has the occasional 0-day vulnerability. I think the biggest protection Arch/Debian/Fedora/FreeBSD/etc users have is just that there's more money to be made by targeting other platforms.
(Score: 3, Funny) by driverless on Saturday March 27 2021, @03:16PM (1 child)
It's more uneven than that, three of the seven were in Chrome. Windows only got one.
I guess this is why Google has a Project 0day, although you'd expect the emphasis would be on taking them out, not putting them in.
(Score: 2) by zoward on Saturday March 27 2021, @06:57PM
There's a link to the other four in the story - three are Windows, one is Chrome. If I read the summary correctly, they infected websites so the websites would infect visitors with malware. That's far more likely to be Windows or iOS users than Linux users.
(Score: 0) by Anonymous Coward on Saturday March 27 2021, @03:21PM (2 children)
Because it's not low-hanging fruit?
There's more to computing than your Windoze box. Companies and universities are full of Linux servers, and the information stored on them is probably far more valuable than what's on people's cellphones or desktop.
(Score: 0) by Anonymous Coward on Sunday March 28 2021, @02:04AM
But if you are trying to chain off a browser attack, then you are talking much lower. Sure, there are a ton of Linux servers, but most admins are smart enough to not SSH into them to do their web browsing.
(Score: 0) by Anonymous Coward on Sunday March 28 2021, @07:36AM
And many of those linux servers get pwned because they use php shit or similar.
There's usually no need to pwn the OS when the other software that's run on it is easily pwnable.
(Score: 0) by Anonymous Coward on Sunday March 28 2021, @09:13AM
> not even a rounding error of the general population.
But many critical infrastructures do rely on linux. E.g. why bother with expensive hacks of each user when you can just hack the server. So I don't buy this argument.
(Score: 0) by Anonymous Coward on Saturday March 27 2021, @06:47PM
The system serves up an exploit that will match the web browser.
The only way to find if they have an exploit for Opera running on Red Hat Enterprise Linux is to browse with that. They also didn't try Brave on FreeBSD. Maybe there were exploits for that. It's too late to find out.
(Score: -1, Spam) by Anonymous Coward on Saturday March 27 2021, @10:51AM
Terry A. Davis, "Meet The Parents!" [archive.org] is a beautiful way to introduce bright minds into the reality of nature at its finest.
(Score: 4, Insightful) by crafoo on Saturday March 27 2021, @02:12PM
chrome team not looking that hot. 2 heap buffer overflows, and 3 of the 7 0-days? Hey, I know a fun exercise, let's score the teams by diversity now.
(Score: 2) by EEMac on Saturday March 27 2021, @02:42PM (7 children)
3 buffer overflows, 2 type confusions. I could be wrong, but it sounds like C-style pointers again.
(Score: 4, Insightful) by driverless on Saturday March 27 2021, @03:19PM
It's the fact that browsers are the Augean Stables of code, except there are hordes of new oxen shitting into them faster than the old shit can be cleaned out. Wouldn't matter what language they're written in, you're going to get 0day in the browser, just different 0day depending on the language.
(Score: 3, Informative) by Mojibake Tengu on Saturday March 27 2021, @05:43PM (1 child)
iOS code is not C, but Swift, a safe language purposed for people who cannot understand pointers, quite similarly safe as Rust...
Rust programming language offends both my Intelligence and my Spirit.
(Score: 2) by maxwell demon on Monday March 29 2021, @07:16AM
Both iOS zero-days were kernel bugs. Is the kernel written in Swift?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Saturday March 27 2021, @05:58PM
Only C crashes. That's what the C stands for, duh.
(Score: 2) by darkfeline on Saturday March 27 2021, @10:40PM (1 child)
Ironically, all of the affected software here is not written in C, and the Linux kernel, which is written in C, was not implicated in this instance.
Join the SDF Public Access UNIX System today!
(Score: 2) by maxwell demon on Monday March 29 2021, @07:28AM
What language is the iOS kernel written in?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by leon_the_cat on Sunday March 28 2021, @07:49AM
Type confusion is caused by downcasting.
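The unchecked downcast that the comment above calls type confusion, and the C-style pointer pattern EEMac points at, as an added C example written for this page (not code from the article, from Chrome, or from any of the listed CVEs): the object kinds, the tag enum and the accessor names are made up for illustration, and the union stands in for a heap slot whose trailing bytes belong to whatever the allocator placed next.

```c
/*
 * Type confusion via an unchecked downcast: two object kinds share a tagged
 * header; the vulnerable accessor trusts the caller's cast, the hardened one
 * checks the tag first. Added example; names are hypothetical.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum kind { KIND_INT = 1, KIND_BUF = 2 };

struct base { enum kind kind; };                    /* common header       */
struct int_obj { struct base base; long value; };   /* small object        */
struct buf_obj {                                    /* larger object       */
    struct base base;
    char *data;
    size_t len;
};

/* Stand-in for one heap slot: an int_obj sits at the front; the bytes behind
 * it are "adjacent memory" that an attacker may control (constructed here). */
union heap_slot {
    struct int_obj as_int;
    struct buf_obj as_buf;
    unsigned char raw[sizeof(struct buf_obj)];
};

/* VULNERABLE: downcasts without looking at the tag. If obj is really an
 * int_obj, b->len is read from memory past the end of that object. */
size_t buf_len_unchecked(struct base *obj) {
    struct buf_obj *b = (struct buf_obj *)obj;      /* unchecked downcast  */
    return b->len;
}

/* HARDENED: refuse the downcast unless the tag says this is a buf_obj. */
int buf_len_checked(const struct base *obj, size_t *out) {
    if (obj == NULL || obj->kind != KIND_BUF)
        return -1;                                  /* wrong type: no read */
    const struct buf_obj *b = (const struct buf_obj *)obj;
    *out = b->len;
    return 0;
}

/* Build an int_obj whose trailing bytes (where a buf_obj keeps len) hold an
 * attacker-chosen value, and return what the unchecked accessor reports. */
size_t demo_confused_length(size_t attacker_value) {
    union heap_slot slot;
    memset(&slot, 0, sizeof slot);
    slot.as_int.base.kind = KIND_INT;
    slot.as_int.value = 42;
    /* offsetof(len) >= sizeof(int_obj), so this lands past the real object */
    memcpy(slot.raw + offsetof(struct buf_obj, len),
           &attacker_value, sizeof attacker_value);
    return buf_len_unchecked(&slot.as_int.base);    /* attacker_value, not 42 */
}

/* Same int_obj through the checked accessor: -1, nothing is read. */
int demo_checked_rejects_int(void) {
    union heap_slot slot;
    size_t len = 0;
    memset(&slot, 0, sizeof slot);
    slot.as_int.base.kind = KIND_INT;
    slot.as_int.value = 42;
    return buf_len_checked(&slot.as_int.base, &len);
}

/* A genuine buf_obj passes the check; returns its length, or -1 if rejected. */
long demo_checked_accepts_buf(void) {
    static char payload[] = "hello";
    struct buf_obj b = { { KIND_BUF }, payload, sizeof payload - 1 };
    size_t len = 0;
    if (buf_len_checked(&b.base, &len) != 0)
        return -1;
    return (long)len;
}

int main(void) {
    printf("unchecked on int_obj: len=0x%zx (attacker picked 0x1000)\n",
           demo_confused_length(0x1000));
    printf("checked on int_obj:   rc=%d\n", demo_checked_rejects_int());
    printf("checked on buf_obj:   len=%ld\n", demo_checked_accepts_buf());
    return 0;
}
```

The tag check is the whole fix: the cast itself is not the bug, reading fields of a type the object never was is. In a real engine the same mistake shows up whenever code caches "this is a buf_obj" and the object's shape changes underneath it, which is why the map-deprecation bug in the list above is filed as type confusion.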
(Score: 0) by Anonymous Coward on Saturday March 27 2021, @11:06PM
one mans flaw is another mans feature?
/me wipes sweat from forehead: at least it's confirmed that one cannot stand very firm and solid on those 'em systems when forcefully trying to push against an adversary ... unless of course they are cotton candy systems spun out from a system yet unknown (and no, it's not just money, since, as far as we know, computers are to manage numbers and thus money).
(Score: 0) by Anonymous Coward on Monday March 29 2021, @04:15PM
Is it even considered correct usage to utter something like: "3 is fewer than 5"?
3 is less than 5. It doesn't matter if there are countable or uncountable nouns being described by those numbers.
3 is less than 5.