by netsharc
2034 days ago
The article is light on the details (it's an article that digests the contents of another article - behind a paywall bypassable by having a Google referer), but it doesn't talk about how the hack works. Presumably the fake Zoom invite was a link to a non-Zoom website that promptly popped up a window to download an executable named ZoomUpgrade.exe. The victim clicked "download and run", and ta da, he installed a backdoor. So, despite me not liking them, Apple would be safer because no one probably bothered to write the backdoor for Macs (maybe that's a market, since rich "hedge fund" folks would prefer bling computers?), and their nanny software would probably have said "No, you can't install this!". Alternatively the hacker could've written a browser extension, I doubt those have adequate protection...
I think if Apple locks down MacOS enough to actually protect users (not just continue the platform's illusion of superiority) you'll know because ISVs will all say it's impossible to get anything done and abandon the platform.
It's very hard to have a platform that's locked down enough to keep people truly safe as this assumes, while keeping it viable for general purpose third party software from ISVs.
I actually ran into one of the corner cases for this recently. Say you own a Yubico Security Key. With any decent web browser you can use this with WebAuthn or U2F and it's unphishable. But, the Security Key itself is relying on your web browser being honest about the origin.
On an iPhone there is only one web browser, Apple made it, everybody else can only re-skin it a bit. So, no problem, Apple's web browser is honest and any third party software that says "Hi I'm your web browser, I need to sign into google.com" does not work, it isn't your web browser.
On a Windows PC, or a Mac, any program can say it's a web browser, if you're foolish enough to install ZoomUpgrade.exe it can tell your Security Key "I'm a web browser, give me credentials for google.com" and that works, the OS has no way to know if this is or is not a web browser.
Android gives you an interesting middle case. Not only Chrome but also Firefox works. Ah, but only the official Mozilla builds of Firefox. If you build Firefox, name it "Netsharc 1000" and try to install it on your Android, it mysteriously can't do WebAuthn. As well as all those Android permissions you can ask for in the manifest, and the ones you have to ask for explicitly at runtime, there are extra permissions only the platform owner (Google) can grant, and official builds of Firefox have the "I'm really a web browser" permission which allows them to use the Security Key for web sites.