FOXTROT/ALFA: RCE in All Samsung Phones Since 2014, Facebook Crashes iOS Apps, The Red October Data Centre

Hey, I’m back! Sorry for missing the newsletter yesterday. I had something come up that prevented me from being able to sit down and write it. But I’ve recapped the most important news from yesterday and some of today’s news in this issue. So here we go. This is FOXTROT/ALFA, issue 115, for Thursday, 7 May 2020.

Remote Code Execution in All Samsung Phones Released Since 2014

Samsung has released an update to fix a security issue in which an MMS sent to a Samsung phone can execute malicious code. The vulnerability affects all of the smartphones the company has sold since 2014.

The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since late 2014. Mateusz Jurczyk, a security researcher with Google’s Project Zero bug-hunting team, discovered a way to exploit how Skia (the Android graphics library) handles Qmage images sent to a device. Jurczyk says the Qmage bug can be exploited in a zero-click scenario, without any user interaction.

Jurczyk said he exploited the bug by sending repeated MMS (multimedia SMS) messages to a Samsung device. Each message attempted to guess the position of the Skia library in the Android phone’s memory, a necessary operation to bypass Android’s ASLR (Address Space Layout Randomization) protection. Jurczyk says that once the Skia library was located in memory, a last MMS delivered the actual Qmage payload, which then executed the attacker’s code on a device.

The bug is tracked as SVE-2020-16747 in the Samsung security bulletin and CVE-2020-8899 in the Mitre CVE database. Other smartphones don’t appear to be impacted as only Samsung appears to have modified the Android OS to support the custom Qmage image format – developed by South Korean company Quramsoft.

Over 900,000 WordPress Sites Attacked

There seems to be a large campaign afoot to attack WordPress sites via cross-site scripting (XSS).

Our Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting (XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data. The majority of these attacks appear to be caused by a single threat actor, based on the payload they are attempting to inject – a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a backdoor into the theme’s header.

This might be related to the OneTone vulnerability which I reported on last week.

After further investigation, we found that this threat actor was also attacking other vulnerabilities, primarily older vulnerabilities allowing them to change a site’s home URL to the same domain used in the XSS payload in order to redirect visitors to malvertising sites. Due to the sheer volume and variety of attacks and sites that we’ve seen targeted, it is possible that your site may be exposed to these attacks, and the malicious actor will likely pivot to other vulnerabilities in the future.

While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only in the past few days that they’ve truly ramped up, to the point where more than 20 million attacks were attempted against more than half a million individual sites on May 3, 2020. Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites.

If you run WordPress, it might be worth checking if your sites are vulnerable or have already been attacked.

If you had some issues with iOS apps yesterday, this might be why:

Countless iOS apps experienced problems launching Wednesday evening, according to multiple reports on Twitter and crowdsourced user reports on Downdetector. The issues seem to have started around 6:30PM ET, and Spotify, TikTok, Pinterest, Tinder, and more were affected, according to Downdetector. The issue was caused by an apparent problem with a Facebook software development kit (SDK) tool that’s used to power sign-in features for many of the apps. You didn’t need to be logged into the apps via Facebook to be affected by the crashes.

“Earlier today, a new release of Facebook included a change that triggered crashes for some users in some apps using the Facebook iOS SDK,” a Facebook spokesperson said in a statement to The Verge. “We identified the issue quickly and resolved it. We apologize for any inconvenience.”

Finally! The Butterfly Keyboard is Dead!

Apple has finally killed its ill-conceived “butterfly” keyboard which haunted its laptop range for half a decade. Good to know these premium-priced computers can now actually be used as computers…

For a company defined by design and attention to detail, the Butterfly keyboard was a tremendous humiliation for Apple. Conceived in 2015, it replaced the previous scissor-switch mechanism for one with a smaller profile, allowing Cupertino to continue shrinking already-svelte laptops. The first MacBook to carry the Butterfly Keyboard was 2015’s 12-inch MacBook, which Apple subsequently discontinued last year. Introducing the device, Apple marketing veep Bill Schiller lauded the Butterfly’s precision over previous scissor-based mechanisms, saying it was “four times more stable” and promised a “beautiful typing experience”.

The Butterfly mechanism was also 40 per cent thinner than the previous scissor-based keys. It accomplished this by reducing the amount of travel needed to register a key. The problem is, you need some travel on a keyboard. Firstly, it feels good. There’s a reason why typing on a touchscreen feels so unfulfilling, and it’s because there’s no physical response (save for the occasional haptic vibration) to let you know when you’ve pressed a key. The Butterfly keyboard had as little as 0.7mm of travel. The so-called Magic Keyboard (the magic being it works) – which shipped on pre-2015 Mac laptops, and has since returned across the firm’s computing line – has around 1mm of travel. A decent mechanical keyboard will offer anywhere between 2mm and 5mm of travel.

Typists complained about the “flatness” of the Butterfly keyboard. Earlier models were also notoriously loud, registering almost 12 decibels higher than the current-generation 16-inch MacBook Pro, which uses the scissor-based Magic Keyboard. With just 0.7mm of travel between keys, it was far too easy for debris to lodge itself under a keycap, causing them to become stuck. Key presses would fail to register, or would register multiple times. This problem reached a head in 2017, when former Outline journalist Casey Johnston penned a blog post describing her woes with Apple’s latest in keyboard tech. The post, titled “The New Macbook Keyboard is Ruining My Life”, catalogued Johnston’s repeated visits to the Genius Bar, and described an epidemic of bust laptops that, at that point, Apple had failed to properly acknowledge. Later that year, musician Jonathan Mann published a song describing his ongoing woes with the Butterfly keyboard on his MacBook Pro called: “I am pressing the spacebar and nothing is happening.”

Consequently, Apple’s approach to repairing bust units involves replacing the entire top case of the machine, which includes a glued-in battery, speakers, and other crucial components. It also didn’t help that Apple had designed the Butterfly keyboard in a way that was almost impossible for users to self-repair. The keycaps and underlying mechanisms were fragile, with some keys – particularly the spacebar – more so.

What a disaster. Of course Apple’s reaction made it even worse.

Apple’s response to the backlash was typical Cupertino, insofar as it failed to acknowledge the existence of a critical design flaw across its entire portable computer line, minimising it as something affecting a small handful of users. It wasn’t as openly contemptuous as Steve Jobs' infamous “You’re holding it wrong” line, but it wasn’t far off. Over five years, it quietly reworked the concept, adding polymer membranes designed to catch debris before it could interfere with the keyswitch mechanism. For the most part, these failed to resolve the overarching problem, which was caused by an almost non-existent amount of key travel.

Since 2019, and starting with the 16-inch MacBook Pro, Apple has gradually phased out the Butterfly mechanism from its laptop lineup. That process was completed this week, with the launch of the new 13-inch MacBook Pro. The reputational damage is done. Influential Apple commentator John Gruber described the mechanism as one of “the worst products in Apple history” – a lineup that includes the Newton, the Cube G4, and the repetitive strain-inducing “puck” mouse. Five years ago, you could have argued that Apple had the best industrial design of any consumer technology company. Not any more. “MacBooks should have the best keyboards in the industry; instead they’re the worst,” said Gruber. “They’re doing lasting harm to the reputation of the MacBook brand.”

The Hunt for Red October Data Centre

I love sub movies and The Hunt for Red October is, of course, one of the all-time greats. Apparently, I’m not the only fan:

Australian serial entrepreneur Bevan Slattery has revealed that he told the architects of a data centre he funded to make it resemble the sets used in classic submarine flick The Hunt for Red October.

“I said in the movie The Hunt for Red October when Connery said ‘Ryan, be careful – things don’t react too well to bullets?’ and then Ryan peeks around the corner and sees the reactor? Well, I want it to look like the reactor room from the Red October. I think they nailed it,” Slattery wrote, calling out the red walls, marine lights and large lettering as bringing the set design into the data centre.

It looks pretty cool. Just one nitpick: That room he’s talking about? That’s not the reactor room. They are in between the ICBM launch tubes in that scene. The movie itself is also not factually correct, because in reality the ICBM launch tubes of the Typhoon-class SSBN (which Red October is supposed to be in the movie) were outside its two pressure hulls.

Since the movie came out in 1990 and was made before the Cold War ended, I usually cut them some slack on this. We didn’t know much about the inner workings of those subs until a few years ago. They are pretty amazing. If you want to know more, H.I. Sutton of Covert Shores has an excellent article on the Typhoon class – including a great cutaway drawing and pictures of its swimming pool (!). These things are huge and absolutely awe-inspiring.

Also Noteworthy

Some other stories I read today:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.