It's a distinct skillset.
To whatever extent they might build software that's more secure than the average dev's, that really comes down to applying their security skills and toolset to their own software (thinking like an attacker), not any particular skill at software engineering.
The birthday lottery still plays a role: being born with the particular set of predispositions, and the right family and environment to encourage strengthening those predispositions.
They are exploiting the 'quality' codebase written by your so-called average devs or software engineers.
And since when does software engineering not take security into account?
Guaranteed to be 10x bugs to lines written.
Nonexistent ideal: No way, Jose. Your infotech is owned because it is fundamentally unsound.
There's a huge gap between cutting-edge security research at the hardware level and the implementation of consumer hardware/OSes.
Fuchsia is a good start.
Microsoft IoT for Azure has some interesting hardware developments pertinent to separation of public-facing hardware and out-of-band control mesh.
> After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with Site Isolation enabled, such as Chrome or Firefox.
For this to be effective you would need to be logged in to your accounts on Safari, rather than just logged in through the respective app (FB for example). So this would have limited effectiveness. Also if you browse with Safari in Private mode it probably wouldn't have worked at all.
As I understand it, the web views share cookie storage with regular Safari.
> These are two different campaigns, but based on our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign to be the same group of actors
Same group, but different campaign.
If mail clients were to open a modal for each link and say "Are you sure you want to go to https://LinkMeIn.firstname.lastname@example.org" would this cut down on these attacks?
Taking the idea too far: A system like this would probably link to some sort of cloud database eventually to catch "emerging threats" (novel URLs that look malicious) but then would that in turn threaten end-to-end encryption of email by sending links in emails to a cloud tracker?
Meanwhile it seems very unlikely to stop such a determined attacker. They just need to compromise a site that you might plausibly want to visit, or create a convincing enough lookalike. The URL need not look suspicious.
IMHO expecting users to be able to discern "safe" from "unsafe" links by just looking at them represents a failure of our infosec systems.
Turned out it wasn’t a false positive; their dist site got pwned. Other than that, I’m very careful with PC security.
And yet the gunfighter did not know where the link actually led.
Obviously, there are ways to sacrifice usability to gain security, but it is by no means required or sufficient to do so. There are plenty of ways to completely demolish usability without gaining any safety. And even in cases where it is necessary to trade off, most problems are so far from the actual edge of what is possible that you only need to sacrifice a negligible amount of usability to gain order-of-magnitude improvements in safety if you are working with someone who knows what they are doing.
"The exploit targeted iOS versions 12.4 through 13.7."
The title is incorrect. It targeted older phones exclusively.
I'm using an older LTS version of Ubuntu, I get security updates daily, and I would call myself "fully updated".
Misleading but not incorrect. The old iOS versions mentioned still get security updates, so technically correct.
More on the same theme:
The only safe email is text-only email
The best bet is to rewrite links and pass them through a proxy that scans them on click. It’s a shame free mail services don’t do this. The only one I think offers this is Outlook.
Sure if you want the proxy provider to know all the links you're clicking on.
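Added example, not from the thread or from any mail provider: a sketch of what the two proposals above (the "Are you sure you want to go to ..." dialog, and rewriting links through a click-time scanning proxy) look like in code, so the difference between the URL a user sees and the host the browser actually contacts is explicit. The email body, the proxy address `safelinks.mail.example` and the signing key are constructed for the demo; the HMAC on the rewritten link is there so the proxy cannot be abused as an open redirector.

```python
import hashlib
import hmac
import ipaddress
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample HTML email body (not taken from the thread or the TAG report).
# Link 1 is benign; link 2 uses the userinfo trick from the comment above; link 3
# shows one URL as its text but points at a bare IP over plain http.
SAMPLE_EMAIL_HTML = """
<p>Your document is ready:</p>
<a href="https://docs.example.com/share/123">https://docs.example.com/share/123</a>
<p>Please log in:</p>
<a href="https://LinkMeIn.firstname.lastname@example.org/login">https://LinkMeIn.firstname.lastname@example.org/login</a>
<p>Portal update:</p>
<a href="http://203.0.113.7/update">https://portal.example.com/update</a>
"""

# Hypothetical click-time scanning proxy and its signing key (assumptions for the demo).
PROXY_BASE = "https://safelinks.mail.example/click"
SIGNING_KEY = b"constructed-demo-key"


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def real_host(href):
    """Host the browser will actually contact. urlsplit().hostname drops the
    'user@' part, so 'https://LinkMeIn.firstname.lastname@example.org' -> 'example.org'."""
    return urlsplit(href).hostname


def link_warnings(href, display_text):
    """What a confirmation dialog should say instead of just echoing the raw URL."""
    warnings = []
    dest = urlsplit(href)
    if dest.username is not None:
        warnings.append("userinfo before '@': real host is %s" % dest.hostname)
    if dest.scheme != "https":
        warnings.append("not https (scheme %s)" % dest.scheme)
    try:
        ipaddress.ip_address(dest.hostname or "")
        warnings.append("destination is a bare IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if display_text.startswith(("http://", "https://")):
        shown = urlsplit(display_text).hostname
        if shown != dest.hostname:
            warnings.append("shown host %s differs from real host %s" % (shown, dest.hostname))
    return warnings


def rewrite_to_proxy(href):
    """Rewrite the link so the click goes through the scanning proxy first. The HMAC
    binds the proxy to URLs that were actually in a delivered mail, so knowing the
    proxy's URL format does not turn it into an open redirector."""
    tag = hmac.new(SIGNING_KEY, href.encode(), hashlib.sha256).hexdigest()
    return PROXY_BASE + "?" + urlencode({"u": href, "mac": tag})


def verify_proxy_click(proxied_url):
    """Proxy side: return the original URL only if the MAC checks out, else None.
    This is also where the privacy cost from the reply lands: every click is seen here."""
    query = parse_qs(urlsplit(proxied_url).query)
    href, tag = query["u"][0], query["mac"][0]
    expected = hmac.new(SIGNING_KEY, href.encode(), hashlib.sha256).hexdigest()
    return href if hmac.compare_digest(tag, expected) else None


def process_email(html):
    """Per link: real host, dialog warnings, and the proxied replacement href."""
    return [
        {"href": href, "real_host": real_host(href),
         "warnings": link_warnings(href, text), "proxied": rewrite_to_proxy(href)}
        for href, text in extract_links(html)
    ]


if __name__ == "__main__":
    for entry in process_email(SAMPLE_EMAIL_HTML):
        print(entry["href"], "->", entry["real_host"], entry["warnings"])
```

The dialog side only helps with the cases a parser can see (userinfo, scheme, bare IPs, text/href mismatch); a compromised legitimate site or a clean-looking lookalike domain produces no warning at all, which is the objection raised a few comments up.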
But some attacks are only worth it if the pool of vulnerable devices is large enough. So the fragmentation helps, but mostly for lower-stakes attacks.
Fragmentation makes keeping all variants up to date much harder.
I suppose to give them credit, putting a white word on a black background is enough plausible deniability.