Newsletter
06.16.2021 | 5 min read
WebKit and the soft underbelly of iOS security
Hi friend, was this newsletter forwarded to you? Sign up here! Say hello on Twitter (DMs are open). The most clicked link from last week’s issue was the list of SBOM frequently asked questions [pdf]. A close second was this batch of slides and recordings on mobile security, including some great trainings on Android and iOS security.
Monday blues.
Late yesterday afternoon, Apple released an emergency patch to cover a pair of WebKit bugs being exploited in mysterious zero-day attacks on older iPhones. For those keeping count, we’re up to 46 in-the-wild zero-day discoveries so far in 2021. A whopping three-quarters of all the documented 0days in 2021 have hit three prominent vendors: Microsoft (30%), Apple (25%) and Google (20%).
Let’s linger on WebKit for a bit and understand how much of a security scourge it is on iOS, even if you think you’re avoiding that buggy rendering engine by installing and using Chrome or any other browser.
Here’s a fun truth that went largely unreported when Google shipped Chrome on iOS back in June 2012: what you think is Chrome is just Google’s skin around the iOS system version of Safari/WebKit.
You see, Apple App Store rules forbid third-party runtimes, which means that Google or Brave or DuckDuckGo or any non-Apple browser cannot ship their own rendering or JavaScript engines on iOS. When you install Chrome on iOS, you’re really running Apple’s Safari (WebKit) with a Chrome UI and interface.
Every time I see a batch of dangerous WebKit/Safari security flaws, I think of these interconnected risks and the false sense of security they bring to modern computing.
As ex-Googler Chris Evans puts it, your Chrome on iOS browser is “typically less secure, slower, less standards compliant.”
Justin Schuh, who ran Chrome security for many years, was even more blunt, and his statement is worth repeating:
Let’s remember these little things when you hear Apple boasting about how seriously it takes security while forcing us all to rely on the never-ending duct-taping of WebKit Safari.
On to the newsletter…
The big stories.
- Kim Zetter’s piece on negotiating ransomware payments with cybercriminals is eye-opening on many levels. There are tons of lessons on disaster recovery, measuring risk, and understanding the murky world of ransomware payments. Read it.
- It’s incredible to me to see the words “ransomware” and software supply chain security in a communique coming out of a G7 summit, but here we are.
- Reuters reporter Joe Menn is spot on with his analysis of how this complicates geo-political relationships and exacerbates tensions everywhere.
- Stop what you’re doing and read Kevin Beaumont’s opus on why the ransomware epidemic will be near impossible to solve. Pay attention to his call-to-action for Microsoft.
A word from our sponsor (Eclypsium)
Whether a part of the defense industry, the government or a business, strong cybersecurity is foundational to both the economic health and overall national security of any government. While this is true for all government entities, it takes on extra importance for federal agencies that work with sensitive information and for the many contractors, suppliers and other organizations that form the defense industrial base. In this document, we will introduce simple steps to build device security into your overall cybersecurity plan.
Security and privacy.
- Apple documents a handful of privacy goodies coming in iOS 15. MacRumors has a good piece summing up the new features.
- Google adds client-side encryption to the enterprise-facing Google Workspace product: With Client-side encryption, customer data is indecipherable to Google, while users can continue to take advantage of Google’s native web-based collaboration, access content on mobile devices, and share encrypted files externally.
- New from Google: A repository containing open-source libraries and tools to perform fully homomorphic encryption (FHE) operations on an encrypted data set.
Another thing that bothers me.
How does a company like Zoom, with its software so widely deployed, get away with not transparently documenting security patches? Does anyone really think that Zoom has fixed a solitary bug in 2021? Even the Pwn2Own zero-click bug isn’t listed as fixed. How does this pass as acceptable?
Security toolkit.
- CloudLinux ships a simple tool to detect outdated shared libraries.
- Spyse styles itself as the most complete Internet assets registry for every cybersecurity professional.
- After the supply chain hack, CodeCov has a new Uploader using NodeJS that is shipped as a static binary executable on the Windows, Linux, Alpine Linux, and macOS operating systems.
🎧 New podcast episode – Michael Laventure, threat detection and response, Netflix
On the show this week, Netflix threat detection and response engineer Michael Laventure talks about a career pivot from the .gov sector to the fast pace of Silicon Valley, the way he views a modern threat-intelligence program, and why there’s still room for optimism in cybersecurity. It’s an inspiring conversation; take a listen!
🎯 Also new: Here’s the full transcript of my conversation with Facebook product security chief Collin Green.
Tangentially.
This essay on the downsides of hero-culture in cybersecurity is worth every bit of your time. If you’re in charge of recognizing and rewarding the work of people, focus on impact rather than urgency. Shift left towards prevention, and reward the work that gets you there.
Have a fantastic week.
_ryan