Holy shit. My relatives have asked me in the past "could this [image|video|other supposedly innocuous file format] be a virus or hack my phone?". I've always told them not to worry. Can't do that anymore.
https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability Long story short: Windows library routines for handling an obscure, obsolete image format had a parser flaw. Simply rendering an appropriately crafted image via the standard Windows APIs -- whether in a web browser, file explorer, file preview, word processor, anywhere -- resulted in kernel-level arbitrary code execution.
Now, we've gotten a bit smarter about this sort of thing since. Both at a high level architecturally (don't process image files in the kernel) and at a lower level (use a language that takes measures to constrain its buffers). But the basic scenario hasn't been entirely eliminated. There could be a parser bug somewhere in your web browser for example that allows a properly crafted input to hijack the browser process.
> There could be a parser bug somewhere in your web browser for example that allows a properly crafted input to hijack the browser process.
Bit of a caveat: Chromium and Firefox are probably some of the most hardened software programs in the world (for other browsers, all bets are off).
Chromium distributes its logic over multiple processes per tab, so that even if you eg find a zero-day in V8, you still can't use it to get arbitrary file access without a sandbox escape. Last I checked, Firefox was getting there. Also, Firefox compiles some parsing and image processing libraries to WebAssembly for another layer of sandboxing (and to protect against ROP exploits), and increasingly uses Rust for sensitive tasks.
That's not to say they're safe, but I don't think they're the biggest source of exploits.
> I guess with Google, at least you know and give consent to the privacy "invasion" when you use their products.
Google tracks you and adds things to your profile when you explicitly choose incognito mode to avoid the privacy invasion. This doesn't seem like informed consent to me.
Which is why the only safe way to operate is assume anything that is susceptible to outside data is already compromised - and so run them in sandboxes.
Not only politics, the reason why some languages and OSes rule, is that real progress only happens one generation at a time, to put it in a more friendly wording.
I'm not so much saying it's a bad idea as that what my parent comment described was a logical contradiction. It isn't possible to run "anything that is susceptible to outside data" in sandboxes, because that makes the sandbox susceptible to outside data. If you're genuinely assuming that anything susceptible is already compromised, then the sandbox is accomplishing literally nothing.
Yes, microcode vulnerabilities is a problem indeed. Hopefully Qubes Air (next version 5.0) will compartmentalize even that by using separate devices as qubes: https://www.qubes-os.org/news/2018/01/22/qubes-air/.
These exploits are only really an issue for your grandparents and whoever if some large-scale mass hack is happening[^2]. As long as they stay up-to-date, anyone not targeted by nation state actors and not holding millions in cryptocurrency[0] likely has nothing to worry about, as these exploits are better used hacking journalists trying to expose corruption or political opponents running against the incumbent[1].
^2: For instance, the Coinbase Super bowl ad that was only a bouncing QR code would have been a very interesting way to start WW3 if it were Russia hacking millions upon millions of americans' phones, exfiltrating any potentially sensitive information (company emails, etc) in an instant, and/or destroying the device via some exploit chain that destroys the OS and requires a full firmware factory reset to recover.
I think it’s very possible to be in the grey zone. For example, I have worked as an activist, and a campaign I led was widely lauded by the mainstream media as being the key factor in a powerful government minister losing. Now, this is a western liberal democracy that probably doesn’t need to buy tools from NSO Group. But still, am I a fair target? Or what about a friend who is a journalist whose articles have recently attracted negative attention from the government of a fairly corrupt, despotic nation. Are they are target? I’m not talking about Snowden or Assange or executives at trillion dollar companies. In my circle I know a bunch of folk who are basically just normal people with jobs, but for whom their job means that someone working for some government somewhere might like to read their texts. How wide is the net? How can we protect ourselves?
Vulnerabilities on iOS are getting really scarce. People spend truckloads of money finding them and you need to pay twice that for the permission to burn said exploit.
That stuff isn't burned on mass hacks on random phone users, it's way too valuable.
BUT. There is a small sliver of time between the exploit being used on a high value target and Apple patching the hole. That's the spot where Joe Schmoe should be cautious.
You are probably right, but this attack only became visible because it had a bug. How many others are invisible currently? Well that's what I'm asking myself :)
If it can be used on one random person then it can be used on the hundreds of millions of random persons who use iPhone and Android.
And getting even 1% of those massive user bases to click on a link and steal their money or private information, would be incredibly lucrative even for the short period until the patch rolls out, especially for the wealthier iOS userbase as a target.
In my EU country, I'm still getting regular spam SMS with links to what I presume is some older Android malware that wrecked havock last year. So, if attackers are still at it, months after a patch was rolled out, it means they must be still getting returns on their "investment".
Except we don't live in the past decade anymore. Even though people are still sometimes reluctant to updates ("it only made my device slow!"), We made significant progress on patch distribution.
In the past a bug in the SMS stack could be mass exploited and still not getting fixed anytime soon. Not anymore. These bugs cost $10k~$100k now and once you mass-exploit it, they are gone.
> Except we don't live in the past decade anymore.
You do know that is a terible attitude for a real-world security posture meant to protect non-theoretical people's property and information against actual exploits?
> In the past a bug in the SMS stack could be mass exploited and still not getting fixed anytime soon. Not anymore.
While you may wish for patches to always take care of exploits before any phones are compromised, that's not much more than wishful thinking. You assume that all 0day exploits are both known and fixed immediately. That is 100% false.
That is only true of exploits that have obvious and visible impacts, right? If an attacker found an exploit and used it to put a rootkit on millions of phones, but did nothing with that rootkit and it had no outward markers, would anyone know?
I wonder whether even as many as half of android phones are less than, say, six months behind on security updates. They're often quite slow in releasing for any given model, and that's while the phone even gets updates.
One of the earlier iPhone jailbreaks was a tiff image... complicated decompression/rendering algorithms leave room for implementation errors, which can be taken advantage of.
At some point it was also used as a way to get a custom firmware onto a PSP.
Then modders somehow managed to update the batteries' firmware (cf "Pandora battery") and use that. Sony couldn’t patch it, and it was basically game over for them until they released a new generation of hardware, with motherboards immune to the trick.
There's been buffer overflows/RCE exploits in all sorts of software that can parse images since, well, forever. I remember more than 20 years ago seeing a notice about the embedded Internet Explorer rendering engine in Microsoft Outlook Express having an RCE zero day which could be exploited by simply loading an image in the body of an email.
Rich multimedia parsing display systems in messaging apps are a very tempting attack surface for entities such as NSO.
> Other is when you are targeted by regimes with essentially unlimited budget. In that case yes, the picture can be a spyware.
If this was the case, exploits would never be published or abused, and jailbreaks wouldn't exist because this logic says that those who find exploits will either disclose them "responsibly" or sell them to a nation-state.
If the idea of non-state hackers doesn't bother you, recognize that organized crime is a billion dollar industry and fraud rings would love root access on tons of normal people's devices, including your own.
That's terrible advice that is among some of the worst advice that could be given. There are many other types of attacks that are not viral, are not ransomware and do not originate from state actors.
Think about who would want to spy on you, what they'd want to know, and how much they'd be willing to spend to know it.
If the most they could get out of you was a few thousand bucks from your bank account and maybe your email password, you're probably in the first category.
On the other hand, if you have access to highly confidential information (think classified government info or you're literally working on the next iPhone) or are the type of person who makes enemies of spoiled rich oligarchs in despotic nations then you're probably in the second.
The problem is, everyone is in the second category over a long enough time frame. Hong Kongers probably thought the same, but suddenly there were crackdowns, and state actors probably would have loved to have unrestricted access to peoples phones to see if citizens were exercising their “free speech” correctly.
Think about Ukraine today, the Russian government would probably love to have a way to compromise millions of Ukrainian citizens’ phones.
A quick research tells me that pretty much all stats show Android use to be around 80% in Ukraine. Or did you mean Hong Kong? For the latter I see a 50/50 divide.
Just curious about that sentence. I don't think the stats take anything away from your general argument.
Who might be my enemy in the future? Well, maybe anyone who thinks I have something worth to them. Let's say a social media account with a double letter username. Or anything I don't think has any worth now but can be turned into a handsome buck tomorrow. People have been doxed and SWATed over less.
I don’t know. If I was going to bust a move on, say, Taiwan, it might be handy to have root access to as many computing devices as possible so that I could wreak havoc on my enemy’s communication and banking systems.
Are you or someone you associate with interesting?
Negotiate big contracts? Work in aerospace or defense? Have access to inside information about a public company? Have access or are a high level political official?
Exploits via image libraries have been a perennial threat. A lot of jailbreaks on various devices and consoles over the last 20 years owe their existence to such exploits.
I remember telling lots of people at the time that this was impossible, because images weren't executable code, and viruses spread through running programs, not through viewing images.
Unfortunately, this elegant, straightforward distinction didn't hold up over time. :-(
I believe that is what the creators of this virus must be relying on.
All I hope is that creating this image virus doesn't become common knowledge (cause that we will fundamentally reshape how we interact on social media).
The problem with cpu's is they dont know what instructions are supposed to run in order. Pipeline cache goes a little way towards getting the instructions in order, but ultimately a cpu does not know what instructions it has to run in order for a group of instructions to not be malicious. Think of a cpu like an old human telephone exchange where the operator is plugging in different cables to different sockets and hopefully you get the idea.
I'm amazed at the tech giants with all their funding and they still cant build secure operating systems or have the resources to reduce attack vectors within their own OS'es.
I wouldnt consider Rice's theorem to be relevant for what I was thinking. Sure all programs have common repeatable elements, like open a file, read/write, close file, so you wouldnt have an instruction or few out of the blue suddenly being run, in effect out of context, but thats whats happening here, the normal instructions that would be required to do a task, suddenly start using instructions that are not required in most cases before resorting back to the rest of the instructions for the original task.
Its abit like saying, would you expect some instructions for virtualisation to run if you load a jpg to display on screen? I wouldnt expect instructions for virtualisation functionality to be running in this example.
Or would I expect some instructions for encryption to run if I were to load a sound file to play over speakers? No I wouldnt expect that to happen, but thats the sort of thing thats happening here, some instructions not normally associated with a task are occurring, so how do you detect and alert and maybe halt those instructions?
There isnt anything in the CPU AFAIK that would pick this up, it would need the OS to act as a co-party to perhaps halt this, and I dont know if the OS or even AV software goes to this extent? At best, you'd have something like a dmesg feed or the Intel Processor Trace (https://news.ycombinator.com/item?id=30110088) to get the output of instructions being called (possibly independent of the OS), but like I say I dont know of any OS or AV product that goes to this level of monitoring.
Now, we've gotten a bit smarter about this sort of thing since. Both at a high level architecturally (don't process image files in the kernel) and at a lower level (use a language that takes measures to constrain its buffers). But the basic scenario hasn't been entirely eliminated. There could be a parser bug somewhere in your web browser for example that allows a properly crafted input to hijack the browser process.