Apple and Google. And their apps one needs to avoid like the plague.

Gah - WebKit is what it is....

That being said - peeling an edge up, and setting forth a chain of events to get to root - the path might be different with Android vs iOS, but the effect is the same.

Apple has released updates for many of their devices, that's perhaps upside of being vertically integrated...

With Google, Android, the OEMs and various Carrier Approvals - there are additional steps between the chipset vendor BSP, the OEM's code/release and Google's fixes in Android - that'll take a bit of time to get deployed...

And that depends on Carrier Approval for many devices - OpenMarket devices might get a fix earlier, or not at all - depends on the changes...
 
FWIW - the Apple fixes for the issues noted are around the Pegasus Spyware/Malware discovery/disclosure - most of the players for the first round of patches are the same for the second round....

Apple patched it first round last week with iOS 16.6.1, and additional patches went into iOS 17.0.1 and iOS 16.7.

iPhones, iPads, and Watches are the most urgent to get fixed up - macOS gets an update for 13 (13.6) and 12 (12.7) along with Safari updates...
 
Since Apple & Google patched the bug (which was in a library, not an App) their Apps should actually be safe to use now (as far as this particular exploit is concerned).

Does anyone know how this affected image library is used by third party Apps?

(Statically included in the binary, dynamically linked against the OS, something else?)
 

I mean in reality, they're both fairly evil and even if they don't get compromised, the data they're collecting is concern enough.

But unless you live off the grid in the woods somewhere, there is no getting around that. You can take some steps to minimize it, but they both make sure that anything you disable removes something useful as well (even if that thing wasn't critical for said feature to work). I hate to be complacent but I've accepted it to a certain extent and focus more on reducing what other things I run on those devices and isolating them from my more trusted devices. I have an old android phone that is not logged into any account, location services disabled, it runs on isolated guest wifi (which I've added extra ebtables and iptables rules to) and if there is an app I need to try out (or really any app that I don't need with me all the time) I put it on there.

Android does have sandbox features, "work mode" being the most common, but on many phones you can now create a different personal profile that is supposedly completely isolated. I don't trust it enough to rely on it though.

When you can't really control the attack surface, you have to think more along the lines of controlling what can be exposed should it get compromised, that's more my mindset with phones these days.
 
I'm at the point where I don't think I need a cell phone anymore (at least, not a 'smartphone').

Not that MS is more trustworthy (but that is the evidence today), but if I could buy a Windows phone again, I would, immediately.

Right now, as from the beginning, no apps, no features, nothing except phone/messages on my Android. Everything else is just an info grab and time waster.
 
I was forced to have a Windows phone for work for about 2 years and you know what? I liked the damn "tiles" and I miss them still.

I cringe when I see people's phones. Not just the obvious stuff like TikTok, which at best is questionable, but Temu/Wish, various games from unknown sources, just everything they've ever thought to install even if they don't use it anymore. I will at least give Google credit that newer Android versions remove permissions for unused apps automatically. But these people will come on my guest network and that's basically the only time I see the Trend Micro stats increase. So they essentially test that out for me, I guess. And it's not just 1 or 2, it's hundreds of hits.

I do have apps I could live without, but I give each a cost/benefit (convenience/risk) thought and decide whether it is worth it.

I have not yet put the Wyze app on my main phone (yes, there are a lot of rumors out there about Wyze, but in reality most are urban legends; I did a lot of research before buying them and pretty much the worst thing about them is they nag you a lot to pay for the monthly service). But if I were going to be away for a couple of weeks I'd probably put it on and take it off when I got home. So far, on my spare phone on my guest network, I ran a sniffer on it for a week and the only thing Wyze communicated with was https with AWS, but unfortunately you have no idea what is behind their AWS infra. I'm not concerned with them seeing what's on the cameras as they are outdoors, but more about access to other stuff on my main phone.

Still waiting for the sandbox feature to come out of beta on my Pixel 4a 5G (if it ever does). I can't root or run beta due to also running work mode on it.

Actually I believe they make VNC and/or TeamViewer for Android, so in reality I should just access my spare phone when I'm away and run the apps that way :)
 
The evidence is in the use of MS products. Beginning with Windows 11 Pro, MS 365, OneDrive (which offers even further protection), and other related products.

I've seen many more users of other platforms get their credentials, data, and/or personal information hacked than anyone within the MS ecosystem.

Apple, Google, Android, and other smaller players have been hacked repeatedly. I don't know of one instance of a normal MS user (i.e. not a corporate user) who has been hacked, though. At least, not when they haven't done it to themselves by sharing passwords, using '1234' as their password, etc.

MS' reputation is just the best of all the mega-tech corporations out there. For a reason.

Just search and see what you find on MS vs. others, for yourself.
 
MS' reputation is just the best of all the mega-tech corporations out there. For a reason.

Ever read the monthly security bulletin they have to put out with the monthly security updates? They regularly need to fix issues that involve RCEs and privilege escalation flaws.

Microsoft's security model used to be so bad that their CEO had to put a stop on all ongoing development projects and launch a company-wide security review project, which led to Windows XP SP2.

Google and Apple both have a better security track record than Microsoft. Exchange has been Swiss cheese for decades, the last major event happening as recently as last year. We've also had security issues in Microsoft Office that could be exploited just by opening a malicious document.


How many attempts did it take them to resolve that printer-related issue a few years ago?

Microsoft is also the company that brought us Internet Explorer and ActiveX...

I don't know of one instance of a normal MS user (i.e. not a corporate user) who has been hacked, though.

I do. First example that comes to me: just a few years ago, there was a flaw in RDP that allowed machines to be taken over remotely. I had a customer whose PC needed a complete reformat because he got compromised that way.
 
With Google, Android, the OEMs and various Carrier Approvals - there are additional steps between the chipset vendor BSP, the OEM's code/release and Google's fixes in Android - that'll take a bit of time to get deployed...

Project Mainline greatly helps there.
 
Ever read the monthly security bulletin they have to put out with the monthly security updates? They regularly need to fix issues that involve RCEs and privilege escalation flaws.

Microsoft's security model used to be so bad that their CEO had to put a stop on all ongoing development projects and launch a company-wide security review project, which led to Windows XP SP2.

Google and Apple both have a better security track record than Microsoft. Exchange has been Swiss cheese for decades, the last major event happening as recently as last year. We've also had security issues in Microsoft Office that could be exploited just by opening a malicious document.


How many attempts did it take them to resolve that printer-related issue a few years ago?

Microsoft is also the company that brought us Internet Explorer and ActiveX...


I do. First example that comes to me: just a few years ago, there was a flaw in RDP that allowed machines to be taken over remotely. I had a customer whose PC needed a complete reformat because he got compromised that way.

They're addressing those issues. That is far different from 'we're secure by default', or, 'let's ignore this and it'll go away'.

I'm talking about compromised systems. Mentioning how a single customer got compromised isn't degrading my perspective.

I've no doubt many have been compromised to one degree or another. The point is, that they are far fewer than Apple, Google, Android, etc. And not only far fewer but also with far fewer consequences to those users too.
 
Eh, it's a matter of perspective and opinion. How many people (and companies, and governments) have been hit by ransomware attacks on Windows? How does an OS even allow that to happen?

My view is trust no OS. Mitigate as much as possible, reduce your attack surface, isolate, and most importantly, think before you click, open, etc.
 
@drinkingbird, agree with all you wrote above. I don't believe the ransomware attacks on a Windows platform are due to Windows insecurities (quite the opposite I believe). They are due to user error, almost 100% of the time. Or, apps, other mobile devices, etc. that can't adequately protect users from those types of attacks and compromises like a full Windows install can (as I stated further above).
 
It would still be nice if an OS would say "hey, something is attempting to encrypt your files, is this OK?". Especially after, say, the first 5 major ransomware attacks happened years ago. However, I think they saw a sales opportunity with using MS365 and OneDrive as a "solution", which is basically what is offered in the Windows security options. Ransomware protection - buy MS365 is basically what it says.

I've also seen the variants of AgentTesla very easily bypass both Windows and 3rd party virus detection using simple things like echoing a string of individual characters instead of specifying a path. For example, instead of c:\windows it will use echo "c"+":"+"\"+"w" and so on. And it actually uses the ASP.NET compiler to do this, a Microsoft product! A pretty simple workaround; seems like it should be harder.

I was also disappointed by the vast majority of antivirus programs (including MS Defender) not being able to detect that something was issuing a command to encrypt your files and halting it until you said it was OK. I still haven't seen any with this functionality (but they may exist now). They are looking out for known ransomware, but not looking out for this generic function being performed, which seems like a much better defense against 0-day.

I guess I just don't understand why UAC can pop up a "hey this program is executing, are you sure" but not a "hey something is going to encrypt your files, are you sure".

It is at least nice to see that everyone who said Apple and even Linux are "immune" to viruses finally shut up. They were not immune, they just were not as common and thus not as valuable of a target, better ROI to invest your time in programming viruses for Windows. But now vulnerabilities in both have been exploited and brought to light some of these practices and people are starting to wake up.

Obviously Windows is still the main target for corporate attacks, but for home/average users, they're fully focused on phones now. By far the most common computing device and definitely easier to penetrate, especially with most users not really thinking about it as a computer and thus assuming there is no virus concern etc.
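One way to implement the generic check the post above asks for, as an added example that is not from the thread or from any product mentioned in it: a heuristic that flags a process which rewrites several readable files to high-entropy content within a short window, independent of any known ransomware signature. The file-write events, paths, process names and sample file contents are all constructed.

```python
"""Heuristic bulk-encryption detector over a stream of file-write events."""
import math
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and compressed data sit near 8.0
FILES_PER_WINDOW = 5      # distinct files turned high-entropy before alerting
WINDOW_SECONDS = 10.0     # sliding window, tracked per writing process


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class BulkEncryptionDetector:
    """Tracks, per process, files that went from readable to high-entropy."""

    def __init__(self):
        self._recent = defaultdict(deque)  # process -> deque of (timestamp, path)

    def observe(self, ts, process, path, before, after):
        """Feed one file-write event; return True when `process` trips the threshold."""
        # A file that was already high-entropy (zip, jpeg) being rewritten is not
        # evidence of encryption, and neither is a write that stays readable.
        if shannon_entropy(before) >= ENTROPY_THRESHOLD:
            return False
        if shannon_entropy(after) < ENTROPY_THRESHOLD:
            return False
        window = self._recent[process]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        return len({p for _, p in window}) >= FILES_PER_WINDOW


# Constructed sample contents: a plausible plaintext document and a stand-in for
# ciphertext (every byte value equally often, so entropy is exactly 8.0 bits/byte).
PLAINTEXT = b"Quarterly report: revenue up, costs flat, see appendix.\n" * 20
CIPHERTEXT = bytes(range(256)) * 4


def run_demo():
    """Replay constructed write events; return (timestamp, process) for each alert."""
    # A single password-protected Office save: one file, stays under the threshold.
    events = [(0.5, "winword.exe", "C:/docs/budget.docx", PLAINTEXT, CIPHERTEXT)]
    # Five readable files rewritten as ciphertext within a few seconds.
    events += [(1.0 + i, "ransom.exe", f"C:/docs/file{i}.txt", PLAINTEXT, CIPHERTEXT)
               for i in range(5)]
    # An archive that was already high-entropy before the write is ignored.
    events.append((5.5, "ransom.exe", "C:/docs/old.zip", CIPHERTEXT, CIPHERTEXT))
    det = BulkEncryptionDetector()
    return [(ts, proc) for ts, proc, path, b, a in events if det.observe(ts, proc, path, b, a)]
```

On real systems the before/after contents would come from a filesystem minifilter or audit hook; the window and thresholds are tuning assumptions, not measured values.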
 
It doesn't matter what is implemented. The malware agents will find a workaround. That's their job.

You can't blame the gun for the killing. The motive is what determines guilt. Not the hardware/software/Bioware used.

All I know is that using safe browsing/email practices, I haven't been infected in decades. Contrary to when I was relying on third-party programs that were in their best interest to let me get infected and then sell me 'up'.

Encrypting files isn't an extraordinary process for a user, most would find that more annoying 99.99% of the time than the few who do get a virus and run it on their systems.
 
Project Mainline greatly helps there.

It helps - should also note that Google does patch the GMS layer from time to time outside of the OEM's firmware, which for some urgent items can be effective enough...

While the thread is focused on handsets, we should also note that there are a lot of Android-based media players that might not ever get patched up, as many are based on AOSP and don't have official GMS or Play Store support.
 
Yeah, the same 99.99% that found UAC annoying at first; MS ended up de-tuning it a bit, and yeah, it probably still doesn't work. But a popup with a fairly urgent warning that something is attempting to encrypt your files, where the only false positive would mostly be if you password-protected an Office file or something, seems logical. But you can't save everyone from themselves, I guess.

Especially when you can make money by selling people MS365 as a "protection" against ransomware. Of course it's only a matter of time before the ransomware figures out how to purge your version history off OneDrive, or after encrypting the files changes their attributes a couple dozen times so every version is encrypted.

My PCs' firewalls pop up a warning every time a new or changed process tries to hit the network, one of the main reasons I still use Symantec Endpoint, as it has that feature. I like to know what is going on. While I am very careful, that doesn't mean I'm going to uninstall AV and firewall and be left without some sort of safety net.

For me it isn't really about my stuff, I haven't gotten a virus in many years either, but parents, friends, relatives, etc I end up having to clean and fix their stuff. I put as much in place as I can (one particular offender got demoted to a user account so they couldn't blindly click "OK" on every UAC prompt) but I still feel like it wouldn't be that hard for MS or the AV providers to detect malicious/bulk encryption attempts. Oh well.

A sad fact is that our company sends out fake phishing emails periodically and even though there is this mandatory annual training that makes it crystal clear the stuff to look out for, and the "test" emails are painfully obvious, so many people, even technical ones, still get caught. People are like fish in a barrel for the hackers.....
 
...there are a lot of Android-based media players that might not ever get patched up, as many are based on AOSP and don't have official GMS or Play Store support.

And a lot of these are actually shipping with malware/ratware built-in. There have been a few studies recently about these, including one from LTT.

I would never trust an Android box coming from some random Shenzhen company. I love my current NVIDIA Shield, and if I ever needed to replace it, I would possibly go back the HTPC route rather than trust a cheap Android box. At least there are good fanless options now, which would be better than the Zotac box I used back in the day.
 