"Processing maliciously crafted web content may lead to arbitrary code execution. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited."
Sounds pretty serious, has active exploitation like this happened before in the Apple ecosystem or is this like most zerodays; edge cases and state level exploits that don't target broadly?
I have no hard data, but having looked at the security content of a lot of these over the years I'd wager WebKit has serious issues like this crop up more than any other component in iOS.
I'm curious if Lockdown mode would prevent this exploit?
From Apple's Lockdown site, it's hard to tell the extent of what is locked down.
> Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode
This is allegedly the fix for this exploit for webkit: https://github.com/WebKit/WebKit/pull/3023, it appears to at least somewhat related to the JIT, but I don't know enough about the exploit, or webkit to make that determination.
Yes, but ideally in a sandboxed environment that prevents drive-by attacks. The web looks very different when you need to treat websites with the same caution as an exe.
It sure would be nice if Apple stopped forcing web browsers to be reskins of Safari, and allowed full implementations of 3rd party web browsers like Firefox and Chrome. Then we wouldn't have such a monoculture on iOS
I think the idea is that another browser is a "good thing" as along as there is more than .. three? include non-English world-power languages for the full puzzle
And/or allow Safari to be updated independently from the OS. Chrome/Firefox/etc. and Android WebView are updatable as normal apps outside of the Android lifecycle, there's no excuse for Apple's self-imposed limitations here.
1) Apple doesn't need an "excuse", it only needs a reason, and it has one
2) The reason is, they know that the moment they allow all the stuff you're talking about, we'll all be in the wild West again, with God knows what fucking version of Chrome being run, and it will be a nightmare to support, and a nightmare environment in which to protect privacy and security
3) Users have conclusively voted for it to be this way. We know it's this way and we're still buying iPhones instead of Android. What's annoying to me is that people like you, a lot of people, are still unable to summon any respect for the legitimacy of THAT choice. You can only think of the choice that YOU want.
> Users have conclusively voted for it to be this way. We know it's this way and we're still buying iPhones instead of Android.
That's like saying that every voter in a democracy approves of every policy implemented by the politician they voted for (especially if they re-elect that politician). The world is not as simple as that, and I think the general term for this erroneous line of thinking is "the fallacy of division".
No, it's not even close to that. I'm referring to one issue, obviously, and it's a fairly clear and major issue. The issue in question is also representative of larger and even more obvious issues regarding the inherent conflict between total user choice on one hand, and a degree of top-down OS control that keeps users in a walled garden but provides some protections, on the other.
Users don’t know what they want. They don’t deserve to make every decision, because they’re often missing context or misinformed. For example, you think you want this, but as soon as you get it, you’ll want the opposite. Version fragmentation leads to bugs, security vulnerabilities and poor overall user experience which is all you’ll really get with this change. Perhaps you’d make that tradeoff for the illusion of freedom, but the vast majority would not and Apple has to consider all their customers.
> Users have conclusively voted for it to be this way
I'm pretty confident that you'll need to interview a lot of iphone users from the general population before finding one that even knows about browser implementation internals in iOS, let alone who cares enough to have voted with their wallet for this particular reason.
So no, users have not voted conclusively for it to be that way.
Could we at least argue honestly? This isn't about "browser implementation internals". A lot of users are aware of the basic issue about browser choice in iOS. Granted, some are oblivious, but a lot know the basics of what is going on.
Yeah the people who think they want this really don’t want this. One of the biggest advantages of the iPhone over Android is the lack of version fragmentation. Not just in the OS but in the browser. It’s a better developer experience which leads to a better user experience.
It's in beta, and they may not have built everything out; however, ios16 allows for small delta updates (rapid response) and has further packaged everything neatly.
As ios16 isn't out yet, I don't expect the features to be functional. They may not even ship full functionality for the .0 release, although they have added small allusions and options here and there.
They haven't talked about it much, although I expect we'll see a bigger announcement in the next few weeks.
More web engines means less revenue for hack (more engines to spend time/money to research on, less victimes for engine). Keeping only one makes it much more attractive as a target
You mean to tell me, a developer, that the app I am building, my app, might be injected with user code which I do not have visibility into or control over (as a matter of definition)? And that one of those is an ad blocker which might (A) circumvent my source of revenue for a free app, and (B) arbitrarily decide to break my app too?
Well as a user, it helps to protect me against the tracking scripts which IG/TikTok/etc inject into their webviews.
I bought my phone, I own it. I know that disabling JS breaks some things, but I don't want random fly-by-night app developers injecting code into my web browser.
You are somewhat conflating Android's additional "custom tab" API and traditional webviews. To some extent both of them can be used for similar purposes (I need to display some web content in my app), but only the former allows the user to choose any arbitrary browser that supports that API [1], whereas the latter always uses an app-specfic browser profile and is always powered by Chrome/Blink.
It's up to the app developer to choose which of the two implementations to use.
[1] Though some apps still used to (or still do?) hard-code Chrome there.
What? Why don't you just copy and paste links into a browser you control? I don't understand why you would want to interfere with the developer's code. If you choose to open a link in Facebook's app, why is it their fault if they track you?
Also, webviews aren't just used for browsing. More often they are used for embedded UI. I don't see how an ad blocker could feasibly tell the difference between a legitimate UI script and an ad within the context of a webview; to the extent it can, it's simply creating threat space which defeats the entire purpose of the tool in the first place.
A webview can't, and in my personal view, shouldn't, be under the control of the user. It's a tool for the developer. If you want to be safe in navigating to your links, you should paste it into a program you trust.
Of course not, but I do expect to control the code I am asked to execute on the user's machine? How can you guarantee stability of something you don't have control over?
No, it doesn't. There's an additional API ("custom tab") that allows an app to launch any browser that supports that API in a reduced UI/webview-like mode, but that's not the same thing as a classic webview, which on Android is always powered by Chrome/Blink.
Was there any additional context or comments provided in the email? Both the initial post and this comment are pretty vague on what was communicated beyond the phrase, "Update your iPhone".
No additional context. They don't even specify which you used (I have both a Mac and an iPhone and both are up to date). The full text is below:
"Update your iOS software and Safari® browser to keep your device(s) secure
We noticed the iOS software version you’re using on your mobile device and/or the Safari browser on your computer may need to be updated.
<Instructions on how to update>"
There are a ton of beta tests ahead of release, I think it's always prudent to keep up to date very quickly. This seems to be the top security expert recommendation.
but I wonder if I’m becoming like you or others, where there was some other arbitrary technological progress and lack of interest in trends and suddenly 10 years went by and people are like “what is that device why are you using that”
They’re talking about updating the operating system on the phone, not buying a new phone. The title got me like that as well. There was a security update that went out recently: https://support.apple.com/en-us/HT213412
Updates that Apple, or anyone (Microsoft etc) pushes to customers has been internally tested for a while on different rings of risk. People who write the code run it relentlessly to start to catch all the issues and then start pushing out updates to varying pools of people who can take those small bits of risk of a bug here or there, and poke holes in it. Once it reaches the company's QC metrics it is pushed outside. Pushing out bad updates ruins your credibility, companies are incentivized not to do so. Updating your computing devices as soon as public updates are made is vital to your own security/safety.
An update might break the feature I need, or change something my workflow depends on (more common). I'd rather wait for blog posts with workarounds/fixes. As it tends to be extremely time consuming to fix it myself (as it's often outside my domain).
most people who are hesitant to update are hesitant because they've been burned in the past. apple has a history of making phones unusably slow with updates and breaking 3rd party software.
I cannot help but read this as BofA saying their their systems are vulnerable to exploit more so than other banks who aren't sending out frantic "OMG! Upgrade your phone ASAP!!!" messages.
Could be that other banks are equally vulnerable and just not disclosing it. Hard to know without some insider knowledge. We'll know in a few months if class action lawsuits start popping up.
It's an RCE (out of sandbox) exploited when you load a web page in Safari. Everyone is equally vulnerable to this, and you should be frantically upgrading. People panicked about Heartbleed, and rightly so, but this is arguably much worse,
Apple has today shared some information in relation to a security issue. This has the potential to allow others to gain access to information on your device if security updates are not up to date.
We are contacting you as you have previously accessed your Starling account from an iOS device. We would strongly recommend that you ensure the security updates on your device are up to date to ensure that your device and information remains secure.
To update: Go to your device Settings > General, then tap Software Update.
If you are in need of further help updating your device, head to Apple Support.
People were going around to Apple stores and jailbreaking the demo units. It’s a neat exploit, but it’s scary how much power a simple website could have.
I think it's the Webkit vulnerability CVE-2022-32893 that is of concern. As I understand there's this one and the other vulnerability is in the kernel which requires physical access to exploit. The former lets nefarious actors compromise devices without physical access and is in fact being actively exploited in the wild (by Apple's own admission), so it's encouraging to see that BoA is taking the initiative to go so far as emailing users to update to keep them safe.
Yeah got same from employer - within hours of release on the 18th. Guessing there is a service of some sort IT team uses to monitor cause they're always very fast on highlighting the serious ones
81 comments
[ 3.2 ms ] story [ 153 ms ] threadhttps://support.apple.com/en-us/HT213412
https://support.apple.com/en-us/HT213413
Sounds pretty serious, has active exploitation like this happened before in the Apple ecosystem or is this like most zerodays; edge cases and state level exploits that don't target broadly?
From Apple's Lockdown site, it's hard to tell the extent of what is locked down.
> Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode
This is allegedly the fix for this exploit for webkit: https://github.com/WebKit/WebKit/pull/3023, it appears to at least somewhat related to the JIT, but I don't know enough about the exploit, or webkit to make that determination.
I do not update to the latest-and-greatest when it first comes out. I typically wait a bit for everyone else to 'beta test' it for me.
If my bank is saying 'no, seriously, go fix this' maybe I should change my stance.
Anybody can put code out there that you'll run on your device?
2) The reason is, they know that the moment they allow all the stuff you're talking about, we'll all be in the wild West again, with God knows what fucking version of Chrome being run, and it will be a nightmare to support, and a nightmare environment in which to protect privacy and security
3) Users have conclusively voted for it to be this way. We know it's this way and we're still buying iPhones instead of Android. What's annoying to me is that people like you, a lot of people, are still unable to summon any respect for the legitimacy of THAT choice. You can only think of the choice that YOU want.
That's like saying that every voter in a democracy approves of every policy implemented by the politician they voted for (especially if they re-elect that politician). The world is not as simple as that, and I think the general term for this erroneous line of thinking is "the fallacy of division".
https://en.wikipedia.org/wiki/Fallacy_of_division
I'm pretty confident that you'll need to interview a lot of iphone users from the general population before finding one that even knows about browser implementation internals in iOS, let alone who cares enough to have voted with their wallet for this particular reason.
So no, users have not voted conclusively for it to be that way.
I think Apple fell down the design flaw that Microsoft went down of bundling the browser so tightly into the OS.
As ios16 isn't out yet, I don't expect the features to be functional. They may not even ship full functionality for the .0 release, although they have added small allusions and options here and there.
They haven't talked about it much, although I expect we'll see a bigger announcement in the next few weeks.
I personally would prefer if I could make the choice to do this, but I can also see the issues with that from Apple's perspective.
With Firefox, your extensions like adblockers and NoScript also run in webviews.
Well why didn't you say so this sounds great
I bought my phone, I own it. I know that disabling JS breaks some things, but I don't want random fly-by-night app developers injecting code into my web browser.
It is great.
It's up to the app developer to choose which of the two implementations to use.
[1] Though some apps still used to (or still do?) hard-code Chrome there.
A webview can't, and in my personal view, shouldn't, be under the control of the user. It's a tool for the developer. If you want to be safe in navigating to your links, you should paste it into a program you trust.
No, it doesn't. There's an additional API ("custom tab") that allows an app to launch any browser that supports that API in a reduced UI/webview-like mode, but that's not the same thing as a classic webview, which on Android is always powered by Chrome/Blink.
but "antivirus" for iOS is typically focused on network-side interception and blocking
Was there any additional context or comments provided in the email? Both the initial post and this comment are pretty vague on what was communicated beyond the phrase, "Update your iPhone".
"Update your iOS software and Safari® browser to keep your device(s) secure
We noticed the iOS software version you’re using on your mobile device and/or the Safari browser on your computer may need to be updated. <Instructions on how to update>"
but I wonder if I’m becoming like you or others, where there was some other arbitrary technological progress and lack of interest in trends and suddenly 10 years went by and people are like “what is that device why are you using that”
An update might break the feature I need, or change something my workflow depends on (more common). I'd rather wait for blog posts with workarounds/fixes. As it tends to be extremely time consuming to fix it myself (as it's often outside my domain).
But...
If someone is using BoA and they have an issue related to this, are they going to blame BoA or are they going to blame Apple?
Apple has today shared some information in relation to a security issue. This has the potential to allow others to gain access to information on your device if security updates are not up to date.
We are contacting you as you have previously accessed your Starling account from an iOS device. We would strongly recommend that you ensure the security updates on your device are up to date to ensure that your device and information remains secure.
To update: Go to your device Settings > General, then tap Software Update.
If you are in need of further help updating your device, head to Apple Support.
Either way its always a good idea to keep things updated!
...and my phone is up to date (15.6.1).
#fail