Newsletter

06.16.2021 | 5'' read

WebKit and the soft underbelly of iOS security

by Ryan Naraine

Hi friend, was this newsletter forwarded to you?  Sign up here!  Say hello on Twitter (DMs are open). The most clicked link from last week’s issue was the list of SBOM frequently asked questions [pdf]. A close second was this batch of slides and recordings on mobile security, including some great trainings on Android and iOS security.

Monday blues.

Late yesterday afternoon, Apple released an emergency patch to cover a pair of WebKit bugs being exploited in mysterious zero-day attacks on older iPhones. For those keeping count, we’re up to 46 in-the-wild zero-day discoveries so far in 2021.  A whopping three-quarters of all the documented 0days in 2021 have hit three prominent vendors:  Microsoft (30%), Apple (25%) and Google (20%).

Let’s linger on WebKit for a bit and understand how much of a security scourge it is on iOS, even if you think you’re avoiding that buggy rendering engine by installing and using Chrome or any other browser.

Here’s a fun truth that went largely unreported when Google shipped Chrome on iOS back in June 2012:  What you think is Chrome is just Google’s skin around an iOS system version of Safari/Webkit.

You see, Apple App Store rules forbid third-party runtimes, which means that Google or Brave or DuckDuckGo or any non-Apple browser cannot ship their own rendering or JavaScript engines on iOS. When you install Chrome on iOS, you’re really running Apple’s Safari (WebKit) with a Chrome UI and interface.

Every time I see a batch of dangerous WebKit/Safari security flaws, I think of these interconnected risks and the false sense of security they bring to modern computing.

As ex-Googler Chris Evans puts it, your Chrome on iOS browser is “typically less secure, slower, less standards compliant.”

Justin Schuh, who ran Chrome security for many years, was even more blunt, and his statement is worth repeating:

“You don’t really use Firefox. You’re using a Firefox skin on top of Apple’s Safari/Webkit, because Apple has never allowed alternative browser runtimes on iOS. Same for literally any other “browser” on iOS. They’re just thin skins over Safari/Webkit.”
“An attacker with enough resources will inevitably win, and any major software will eventually get hit by a 0day. That stated, Webkit/Safari represents a uniquely soft spot in iOS security, and Apple won’t allow their customers to choose a more secure browser instead.”

Let’s remember these little things when you hear Apple boasting about how seriously it takes security while forcing us all to rely on the never-ending duct-taping of WebKit/Safari.

On to the newsletter…

The big stories.

  • Kim Zetter’s piece on negotiating ransomware payments with cybercriminals is eye-opening on many levels. There are tons of lessons on disaster recovery, measuring risk, and understanding the murky world of ransomware payments. Read it.
  • It’s incredible to me to see the words “ransomware” and software supply chain security in a communique coming out of a G7 summit, but here we are.
  • Reuters reporter Joe Menn is spot on with his analysis of how this complicates geo-political relationships and exacerbates tensions everywhere.
  • Stop what you’re doing and read Kevin Beaumont’s opus on why the ransomware epidemic will be near impossible to solve.  Pay attention to his call-to-action for Microsoft.

A word from our sponsor (Eclypsium)

Whether a part of the defense industry, the government or a business, strong cybersecurity is foundational to both the economic health and overall national security of any government. While this is true for all government entities, it takes on extra importance for federal agencies that work with sensitive information and for the many contractors, suppliers and other organizations that form the defense industrial base.  In this document, we will introduce simple steps to build device security into your overall cybersecurity plan.
Security and privacy.

Another thing that bothers me.

How does a company like Zoom, with its software so widely deployed, get away with not transparently documenting security patches?  Does anyone really think that Zoom has fixed a solitary bug in 2021?  Even the Pwn2Own zero-click bug isn’t listed as fixed.  How does this pass as acceptable?

Security toolkit.

🎧 New podcast episode – Michael Laventure, threat detection and response, Netflix

On the show this week, Netflix threat detection and response engineer Michael Laventure talks about a career pivot from the .gov sector to the fast pace of Silicon Valley, the way he views a modern threat-intelligence program, and why there’s still room for optimism in cybersecurity. It’s an inspiring conversation, take a listen!

🎯  Also new: Here’s the full transcript of my conversation with Facebook product security chief Collin Green.

Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms: Apple, Google, Spotify and Amazon.

Tangentially.

This essay on the downsides of hero-culture in cybersecurity is worth every bit of your time.  If you’re in charge of recognizing and rewarding the work of people, focus on impact rather than urgency. Shift left towards prevention, and reward the work that gets you there.

Have a fantastic week.

_ryan
