FOXTROT/ALFA: iOS Mail App Vulnerability, Team Fortress 2 Source Code Leak, Ubuntu 20.04

This is the 107th issue of my daily newsletter FOXTROT/ALFA. Today is Thursday, 23 April 2020 and here’s what’s been happening in tech today.

Critical Exploit in iOS Mail App

There’s a critical zero-day in iOS' default mail app.

Apple has reportedly patched a pair of critical vulnerabilities in iOS that are being exploited by what appears to be government-backed hackers to spy on high-value targets. Think senior executives, journalists, managed security service providers, and similar.

Journalists are high value targets now? Seriously? LOL.

ZecOps bods this week claimed the bugs are buried within the iOS Mail application, and can be abused to achieve remote code execution without the victim ever needing to open a booby-trapped message. The device just has to receive and process the incoming email, specially crafted to exploit Apple’s programming blunders, and malicious code embedded in the message will be executed, we’re told. This code can then potentially snoop on and meddle with the victim’s online activities.

“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications,” the ZecOps team said.

We’re told the bugs have been present in iOS since version 6, released in 2012. ZecOps said it noticed hackers exploiting the weaknesses in January 2018 in version 11.2.2. Now they have determined iOS 13.4.1 and below are all vulnerable. iOS 13 is the latest major version officially available.

According to the infosec biz, the vulnerabilities are a pair of out-of-bounds write and heap-overflow errors triggered when a malformed email is fetched by Mail. While the flaws themselves only grant intruders limited access to the compromised device, they can be chained with exploits for kernel-level security holes that escalate access to the whole iThing, we’re told. It is suspected the hackers used a kernel-level privilege-escalation exploit.

It bears repeating that these reported attacks are limited in scope, and have been only aimed at a small set of high-value targets. That said, it would be wise to keep an eye out for iOS updates over the next week or so, and promptly install them, as these sort of bugs will often draw copycat attacks from other cyber-crooks. And, as said above, if you’re concerned, disable Mail on your iThing and use another client if possible.

Valve Suffers a Source Code Leak

Source code for Valve’s games Team Fortress 2 and Counter Strike: Global Offensive has leaked. Hackers have reportedly used this leak to attack these and other Source Engine games. Valve commented:

We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security). We will continue to investigate the situation and will update news outlets and players if we find anything to prove otherwise.

New GCC Analyser Tool Snags OpenSSL Bug

GCC 10 is getting a new gizmo. I don’t really understand all of this C-type programming shit, so I’ll just let The Register explain it. It’s already caught that OpenSSL vuln I wrote about yesterday.

Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw deemed to be a high severity risk by the OpenSSL team. It is possible to crash a server or application that uses a vulnerable build of OpenSSL by sending specially crafted messages while setting up a TLS 1.3 connection. While the flaw is an irritation – it’s not remote-code execution but it can potentially hose servers and apps – programmers may be more interested in how it was uncovered. Edlinger credits the discovery of the bug to GCC 10’s brand new static analysis feature. Edlinger ran that tool over the OpenSSL source, and the flaw was revealed in diagnostic output.

The static analysis feature was introduced as a way to check C code for common exploitable programming gaffes during build time, before any binaries are shipped to users. It can catch things like double free() calls, use-after-free() calls, memory leaks, and so on. C++ support is said to be in the works. Last month, Red Hat toolchain developer David Malcolm, who worked on the feature, said the aim was to help developers iron out potentially exploitable vulnerabilities in their code prior to release.

That the analyzer tool, accessed through the -fanalyzer command-line option, has already been shown to be capable of catching serious errors in deployed code will be a nice vote of confidence in the feature. The analyzer is available from the master branch of the GCC 10 source code. It’s hoped the feature will be finalized in time for version 10’s official release, due this month or next. The current latest version is 9.3.
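An added example, not taken from The Register, GCC or OpenSSL: a constructed length-prefixed record parser containing the kind of double free() the analyzer is described as catching, next to a corrected version. The file name, record layout and function names are assumptions made for the illustration; the buggy variant is only compiled when SHOW_BUG is defined.

```c
/* Added example; record.c and this record layout are constructed.
 * Analyze: gcc -fanalyzer -DSHOW_BUG -c record.c   (GCC 10 or later)
 * Layout:  byte 0 = payload length n, bytes 1..n = payload (no NUL bytes). */
#include <stdlib.h>
#include <string.h>

#ifdef SHOW_BUG
/* The truncated-record branch frees `copy` and then jumps to the shared
 * cleanup, which frees it again; -fanalyzer reports -Wanalyzer-double-free. */
char *record_payload_buggy(const unsigned char *msg, size_t len)
{
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    if (len < 1 || (size_t)msg[0] + 1 > len) {
        free(copy);                 /* first free */
        goto fail;
    }
    memcpy(copy, msg + 1, msg[0]);
    copy[msg[0]] = '\0';
    if (memchr(copy, '\0', msg[0]) != NULL)
        goto fail;                  /* embedded NUL: reject */
    return copy;
fail:
    free(copy);                     /* second free on the truncated path */
    return NULL;
}
#endif

/* Corrected: validate before allocating, release the buffer in one place. */
char *record_payload(const unsigned char *msg, size_t len)
{
    if (msg == NULL || len < 1 || (size_t)msg[0] + 1 > len)
        return NULL;                /* empty or truncated record */
    size_t n = msg[0];
    char *copy = malloc(n + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, msg + 1, n);
    copy[n] = '\0';
    if (memchr(copy, '\0', n) != NULL) {
        free(copy);                 /* the only free on an error path */
        return NULL;
    }
    return copy;                    /* caller owns and frees the result */
}
```

The double free only happens at run time when a truncated record arrives, which is why a build-time path analysis is useful here: an ordinary test suite fed well-formed records would never reach it.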

Vietnam Tried to Hack the Wuhan Government Right in the Middle of the Outbreak

Word’s out that hackers who apparently work for the Vietnamese government have tried to hack the Chinese organisations that run the CCP’s SARS-CoV-2 response. At least that’s what FireEye (i.e. probably the CIA) is saying.

APT32, a hacking group previously linked to the Vietnamese government, tried to access the personal and professional email addresses of staff at China’s Ministry of Emergency Management and the government of Wuhan, where it is believed the pandemic started, according to a report released by FireEye yesterday.

Between January and April, APT32 sent Chinese officials phishing emails that contained a tracking link claiming to direct the reader to a report on office equipment bids. When clicked, the link would report back to the hackers, indicating that the trigger-happy user was vulnerable to malware. FireEye said the attacks mirror other attempts by state-backed hackers to collect information about the virus.

The WHO’s Password Security is Appalling

In another, more recent hack connected to the ongoing pandemic, almost 25,000 email accounts connected to the World Health Organization (WHO), National Institutes of Health (NIH), Wuhan Institute of Virology, Bill Gates Foundation and other groups connected to the virus outbreak were breached. The credentials of these accounts have now been leaked.

A cache of nearly 25,000 email addresses and passwords allegedly belonging to the World Health Organization (WHO), National Institutes of Health (NIH), Wuhan Institute of Virology, Bill Gates Foundation and several other groups involved with the coronavirus pandemic response were dumped on 4chan before appearing on several other websites, according to the SITE Intelligence Group. WHO chief information officer Bernardo Mariano told Bloomberg that the organization wasn’t hacked, and that the data was possibly obtained through prior data breaches.

Mariano added that the organization has been seeing an increasing number of attempted cyber-intrusions since mid-March, and that there had recently been a “sustained attempt” to hack into the computers of four WHO employees in South Korea, along with the organization’s Geneva headquarters.

Australian cybersecurity expert Robert Potter said he was able to verify the WHO information, and that “their password security is appalling. Forty-eight people have ‘password’ as their password,” he said. Others used their own first names or “changeme.”

GitHub Gets the Wobbles

GitHub’s been fucked all week, you might have noticed. They’re not having a good time.

Having fallen over in dramatic style on 21 April, seen its notifications totter on 22 April, and had trouble with Actions Workflows in the small hours of 23 April, the platform decided to take an extended lunch break today.

Twitter was its usual supportive self as developers found themselves faced with the dread error code 500 and a humorous depiction of the GitHub mascot tumbling into a ravine (like the unfortunate Wile E Coyote of Looney Tunes fame).

The issue looked to be global, although the timing meant that much of the US remained in blissful ignorance while Europe and the rest of the world wailed.

Ubuntu 20.04 Has Been Released

Ubuntu 20.04 is out. It’s an LTS. And Shuttleworth is saying they ain’t losing money anymore.

Ubuntu 20.04 will be supported until April 2025, for the Desktop, Server and Ubuntu Core editions, and other flavours for three years. Businesses can also get Extended Security Maintenance for 10 years of support. It is built on Linux 5.4, which is also a long-term support release.

Is anybody still using Ubuntu?

In a press briefing attended by The Reg, Canonical founder and CEO Mark Shuttleworth stated that: “This has been a very big year for Ubuntu and for Canonical, it is the year where Ubuntu became commercially self-sustaining.”

He also added in response to a question: “We’re well past the point where Ubuntu itself and all the supporting systems and infrastructure are dependent on me. If I were to meet my maker tomorrow, Ubuntu continues in the very capable hands of the team in Canonical, and the community.”

Does Canonical still plan to become a public company? “That continues to be our plan of record,” said Shuttleworth. “We are taking a cautious posture this year, because it’s difficult to predict the impact [of COVID-19] on all our customers. I will say that our strength is in public cloud, and the public clouds have seen tremendous demand over the last few months.” He also stated that during the crisis, Canonical is “able to continue and to have no disruption in the delivery of Ubuntu.”

Ah yes, the old COVID excuse. Well, good to hear they think they’re doing fine. Ubuntu has done a lot for desktop Linux and will forever have a place in my heart as the first usable Linux I encountered.

Also Noteworthy

A number of other stories I’ve read today:

