apple_badger

  • Why free VPNs aren't always safe to use

    I don't think any public VPNs should be considered "safe". Not if you mean "safe" as protecting your data and privacy better than not using a VPN. VPNs weren't developed for that purpose, and they don't really serve it.

    Edit: And to clarify, by "public" I mean meant to "serve" the general public — i.e., not internal organizational VPNs.
    Very enthusiastically seconding this. The solution for moving data across untrusted (that is all) networks is TLS. VPNs serve different purposes. The fear mongering that public VPN providers use in their ads is so very misleading. If it's not safe to do over public WiFi or the open Internet without a VPN then it's not safe to do it with one either.
  • Apple's latest security update is important, but the mass-media response is unhinged

    hmlongco said:
    That's not how vulnerability chaining doesn't work. Safari is already downloaded and running on your device and CVE-2022-32893 potentially gives an attacker the ability to use Safari to leverage CVE-2022-32894. 
    Yet AFAIK Safari doesn't ship with a malicious code exploit embedded within it. Not to mention that WebKit is also sandboxed pretty heavily. I'll grant that the possibility of chaining one exploit into another... but only in the sense that ANYTHING is possible. It's possible that the Earth could explode in the next 0.2 seconds. It is, however, not probable.
    Safari doesn't have to ship with malicious code; CVE-2022-32893 allows an attacker to inject their own code into the Safari process and execute it. At this point sandboxing should kick in and limit the damage, but CVE-2022-32894 allows the possibility of that attacker's code being run with kernel privileges, at which point it's game over. This is not an unlikely event; it's an absolutely textbook example of an exploit chain.
  • Apple's latest security update is important, but the mass-media response is unhinged

    hmlongco said:
    CVE-2022-32893 is an arbitrary code execution bug in Webkit. 
    CVE-2022-32894 is an arbitrary code execution with kernel privileges bug.

    Both have been addressed in this update. 

    Okay, the kernel issue is related to an application running on macOS, i.e. the user would have to download, enable, and run an app with an exploit. The arbitrary code execution bug in Webkit is worrisome, but isn't related to the kernel privileges issue.

    It's not, "A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad." They're not "paired", they're two distinct issues.
    That's not how vulnerability chaining doesn't work. Safari is already downloaded and running on your device and CVE-2022-32893 potentially gives an attacker the ability to use Safari to leverage CVE-2022-32894. 
  • Apple's latest security update is important, but the mass-media response is unhinged

    hmlongco said:
    I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. 
    I feel like we're already in one of those "phone" games. The original mention was "elevated privileges" which you immediately escalated to "kernel privileges".

    CVE-2022-32893 is an arbitrary code execution bug in Webkit.
    CVE-2022-32894 is an arbitrary code execution with kernel privileges bug.

    Both have been addressed in this update. 

  • Apple's latest security update is important, but the mass-media response is unhinged

    cpsro said:
    I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in webkit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad. 
    Even if an Apple user doesn't manually update, the system will automatically update within a week of release.
    Only if automatic updates are enabled, unless something has changed since the last time I checked (which is a possibility). Though, automatic updates are on by default. 

    (I'm not being critical of Apple here; I'm disagreeing with this story's downplaying of the importance of this update. It's *very* important, and it's very important to update sooner rather than later)

    Edit to add: The time from publication of a vulnerability to attempted exploitation is now measured in hours, not days or weeks. When something like this is made public then its value as something to be used in targeted attacks against only high value targets is effectively zero. There's no reason for bad actors to exercise restraint at this point. 