Good morning, thanks to DSA 5449-1 [1] received by email I discover that:
--8<---------------cut here---------------start------------->8---
The following vulnerabilities have been discovered in the WebKitGTK
web engine:
CVE-2023-32439
An anonymous researcher discovered that processing maliciously
crafted web content may lead to arbitrary code execution. Apple is
aware of a report that this issue may have been actively
exploited.
--8<---------------cut here---------------end--------------->8---
For those who don't know, WebKit is **free software** and is the "web engine"
(the software library that interprets and renders the content of web
pages) used by a great many browsers: Safari, those of iOS and iPadOS,
Gnome Web, but also on PlayStation and Nintendo consoles and on WebOS
televisions [2].
The news had already been given, in the form of _propaganda_ /sold by the
kilo/, by several national "generalist" newspapers [3] and others, without
giving the slightest reference (not even in later follow-up articles,
AFAIU) to the technical reports that describe the problem.
The bug reported above is part of a series of vulnerabilities described
as zero-day in this interesting article from The Hacker News:
https://thehackernews.com/2023/06/zero-day-alert-apple-releases-patches.html
«Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in
iOS, macOS, and Safari»
--8<---------------cut here---------------start------------->8---
[...]
This includes a pair of zero-days that have been weaponized in a mobile
surveillance campaign called Operation Triangulation
[https://thehackernews.com/2023/06/new-zero-click-hack-targets-ios-users.html]
that has been active since 2019. The exact threat actor behind the
activity is not known.
* CVE-2023-32434 - An integer overflow vulnerability in the Kernel that
could be exploited by a malicious app to execute arbitrary code with
kernel privileges.
* CVE-2023-32435 - A memory corruption vulnerability in WebKit that
could lead to arbitrary code execution when processing specially
crafted web content.
The iPhone maker said it's aware that the two issues "may have been
actively exploited against versions of iOS released before iOS 15.7,"
crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko,
and Boris Larin for reporting them.
The advisory comes as the Russian cybersecurity vendor dissected the
spyware implant used in the zero-click attack campaign targeting iOS
devices via iMessages [...]
The sophisticated implant, called TriangleDB
[https://thehackernews.com/2023/06/new-report-exposes-operation.html],
operates solely in the memory, leaving no traces of the activity
following a device reboot. It also comes with diverse data collection
and tracking capabilities.
This includes "interacting with the device's file system (including file
creation, modification, exfiltration, and removal), managing processes
(listing and termination), extracting keychain items to gather victim
credentials, and monitoring the victim's geolocation, among others."
[...] Also patched by Apple is a third zero-day CVE-2023-32439, which
has been reported anonymously and could result in arbitrary code
execution when processing malicious web content.
The actively exploited flaw, described as a type confusion issue, has
been addressed with improved checks.
--8<---------------cut here---------------end--------------->8---
The page NIST dedicates to CVE-2023-32439 [4] lists some reference links
to update "release notes" issued by Apple, some of which [5] indicate
that the bug on WebKit's bug tracking system is number 256567:
https://bugs.webkit.org/show_bug.cgi?id=256567
«EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have
different heap location kinds»
--8<---------------cut here---------------start------------->8---
Status: RESOLVED FIXED
Alias: CVE-2023-32439
Product: WebKit
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Yijia Huang
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2023-05-09 18:26 PDT by Yijia Huang
Modified: 2023-06-22 08:44 PDT (History)
CC List: 2 users (show)
--8<---------------cut here---------------end--------------->8---
The bug type is defined as "type confusion" in [4] :-D
So the bug concerns the subsystem that interprets JavaScript (no
kidding?!?), it is classified as of normal importance, while NIST in the
CVE gives it a "base score" of 8.8 (out of 10).
I think the bug description was written to remove any reference to the
**anonymous** person who reported the bug, which is strange because
usually these things "look good on a résumé" :-O
The bug was fixed with commit 52fe95e580 [6] on May 10 last
(zero-day what?).
All our devices are literally sieves, and I'm talking about those for
which at least the correspondence between source and binary can be
verified; the rest are obviously irremediably compromised.
Was it an oversight or a skilful hack?
Did Someone™ know about it and pretend nothing was wrong for years?
Regards, 380°
[1] Debian Security Advisory, not yet published on the web here:
https://www.debian.org/security/2023/
[2] https://en.wikipedia.org/wiki/WebKit
[3] picked at random:
Il Fatto Quotidiano: https://archive.is/HX7aL
Il Tempo: https://archive.is/2PloD
Punto Informatico:
https://web.archive.org/web/20230707111337/https://www.punto-informatico.it/apple-nsa-spiano-cittadini-russi-iphone/
I haven't had time to consult the FAT checkers
[4] https://nvd.nist.gov/vuln/detail/CVE-2023-32439
[5] these:
https://support.apple.com/en-us/HT213813
https://support.apple.com/en-us/HT213814
https://support.apple.com/en-us/HT213816
[6] https://github.com/WebKit/WebKit/commit/52fe95e5805c735cc1fa4d6200fcaa1912efbfea
--
380° (Giovanni Biscuolo public alter ego)
«We, incompetent as we are,
have no title to suggest anything»
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.
_______________________________________________
nexa mailing list
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
