SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 138: Any Times a Good Time for an Update

Posted on May 16, 2019

A tricky class of vulnerability rises from the grave to trouble us again, one of the world’s most popular communications apps turns out to have a glaring flaw in its code that requires an immediate update to fix, and it’s time again to update your Apple devices — those stories, and all the details you need to know, are right here on today’s show. Here are the stories we’re checking off our list:

  • Zombies on the Prowl
  • News of a WhatsApp Vulnerability
  • A Slew of Updates from Apple

It’s the night of the living dead as processor-based vulnerabilities come back to haunt us again here on The Checklist — did you really think Spectre and Meltdown were the last we’d hear of them? Let’s waste no time in diving right into what’s going on this week.

Zombies on the Prowl

This week, we got word that there’s a new exploit for Intel processors making waves in the security community. This exploit can affect nearly every Intel processor model produced since 2011 — which more than likely means it can affect the Intel CPUs inside your Mac. TechCrunch says that bad guys using this exploit could fool a processor into giving up access to secretive data it’s holding inside. If you’ve been tracking security news for a while or if you’re a long time listener of The Checklist, this might sound a bit familiar, and for a good reason: all this is reminiscent of last year’s Spectre and Meltdown flaws that caused so much consternation. This new bug, dubbed ZombieLoad, is a potent one.

Before we dive into the specifics of ZombieLoad, though, let’s quickly recap what Spectre/Meltdown were all about, and why they were such a big deal.

Both flaws use a technologically sophisticated and advanced procedure to exploit a vulnerability in a very important but also very behind-the-scenes process in CPUs. To put it simply, your processor, in order to stay speedy for you, does its best to guess what part of a program the system will need to access next. To save time, it preloads that data and the code required to run it into a special cache on the processor. If its guess was correct, the processor runs the queued instructions immediately. If not, it discards that preloaded work and runs the requested code instead. Using Meltdown or Spectre could allow someone to steal that “guessed” information before it’s discarded, which might include your passwords, secret encryption keys, and more.

Researchers say ZombieLoad is very similar overall but uses a slightly different approach to steal information the processor is not supposed to reveal. When your CPU runs code and ends up in a situation with data it can’t understand, it turns to its own firmware, also called microcode, for assistance in handling the unknown data and avoiding a debilitating crash. Now, normally, an app is not allowed to see data from other apps — that’s a pretty basic security consideration, right? ZombieLoad breaks down those barriers and leaks any app data stored in the processor’s core, allowing the malware to steal that potentially valuable info away.

As with Spectre and Meltdown, processors created by AMD and ARM may still be vulnerable in some instances, but researchers largely think they are far less exposed to these concerns. Intel has already pushed out firmware updates for everything from Xeon and Sandy Bridge processors to their latest and greatest models.

So, what can you do to stay safe and avoid these concerns? The answer to that question is an easy one, at least: stay on top of your updates. Intel’s updates continue to get pushed out through Google and Microsoft, but macOS users may already be protected. If you updated to the most recent version of macOS recently, you’ve already received the fix from Apple, and you’re good to go. According to TechCrunch, the Apple updates ensure that malicious webpages can’t use the ZombieLoad exploit on your machine. Further, most users shouldn’t notice any changes — but TechCrunch did note that those who “opted in” for complete ZombieLoad correction could face slowdowns. Is that likely for you?

Probably not. For the average user, installing the macOS update is all you need to do — and for the non-average user, you’ve probably already taken the appropriate steps to protect yourself. So, take a deep breath, do your updates, and relax — the likelihood of running into ZombieLoad in the wild is slim, as are your chances of encountering any serious problems related to it. 

For more detailed information on these concerns, you can check out the site set up to help inform the public: ZombieLoadAttack.com

News of a WhatsApp Vulnerability

Ah, Facebook — do they ever fail to disappoint? Apple Insider says that WhatsApp, which Facebook owns these days, has shared with the public the news that it fixed a vulnerability in its Voice-over-IP (VoIP) protocol. This wasn’t just any vulnerability, though — this was a serious flaw that allowed hackers to infect devices and install spyware without user knowledge. The flaw affected both Android devices and iPhones.

Using the bug in the way WhatsApp handled digital phone calls, hackers could call up one of their targets and automatically force that user’s phone to download and run their spyware payload. Victims didn’t have to pick up the phone or even notice the call; hackers just had to reach out and trigger it on their own.

The good news: it only took the WhatsApp team about ten days to fix the problem once it was identified, an impressively quick turnaround, all things considered. The bad news, though, is that there’s no telling how long the bug was in the software before WhatsApp discovered the problem early in May. Oh, and the really bad news? Facebook says that they do know that hackers did, in fact, exploit the flaw this time, affecting an “unknown” number of users with spyware.

So how worried should you be about this event? Thankfully, “not very” — and not at all if you don’t use WhatsApp. If you do, though, as long as you’ve done your updates, you should be A-OK to continue without worrying about being affected by this bug. Unfortunately, though, there’s no telling what damage has already been done to others since developers aren’t sure yet how long the flaw was in the code. 

However, investigations by security researchers into this mess indicate that it may not have been rogue hackers exploiting the loophole, but rather an Israeli vendor called the NSO Group — a team that often works with governments looking to target mobile phone operating systems for intelligence gathering purposes. So, unless your alter ego is secretly James Bond, you’re probably not going to end up in the crosshairs for a targeted malware campaign using a sneaky WhatsApp vulnerability. 

What if that’s true for you, though? Let’s suppose that you’re a vocal political activist concerned about being targeted for your actions — or maybe you’re just paranoid. Could you know whether you were targeted in this attack? Unfortunately, no. One concern plaguing phone owners right now, especially on iOS, is the lack of tools (official or otherwise) to determine whether your device has been compromised somehow. 

You’ll have to resort to more basic methods of discerning something is wrong, such as watching battery and bandwidth consumption. If you’re continually using more of these resources than you would normally expect, there may be something wrong with your device. Of course, you can also try deleting apps that you don’t use as a precaution — the fewer apps you have on your phone, the fewer opportunities for one of them to become a conduit for spying on your activities. 

A Slew of Updates from Apple

Updates have been the key fix to most of the problems presented on today’s Checklist, so why not end things with even more updates? Earlier this week, Apple dropped updates for many of its biggest products. While iOS 12.3 has a refreshed user experience for those who like to use Apple TV, the Wallet App got some upgrades of its own as Apple prepares to launch its very own credit card later this year. In between all that good stuff, though, was the real meat of these patches: a slew of updates across platforms, correcting some nasty bugs here and there. 

In iOS 12.3, there are 23 bugs and vulnerabilities patched. Users who haven’t updated yet could remain exposed to the dangers they pose. One of the most crucial problems patched in 12.3 is a bug in CoreAudio. This is the system in your iPhone through which every single sound flows, including videos on the web, and this bug allowed the bad guys to manipulate CoreAudio into executing their own malicious code. The specifics aren’t entirely clear — Apple keeps many of these things under wraps — but without these updates, users remain potentially vulnerable if they encounter a malicious video on the web.

macOS got updates too, with the latest version being 10.14.5. AirPlay 2 makes its way to the Mac now, with better support for sharing everything you can imagine from your desktop to your TV, while also improving Apple News and fixing some pesky software bugs. Oh, and there are security fixes, too — 26 of them, in fact. CoreAudio makes another appearance here, but some fixes for the macOS kernel are the most critical. The kernel has nothing to do with popcorn — it’s actually the heart and soul of the operating system, the most critical and basic component that powers everything else. Some of the bugs patched this week fixed problems that allowed code to run with kernel privileges — in other words, complete access with no restrictions.

The Apple Watch got an important update, too, to version 5.2.1. Eighteen security fixes in all make their way to this tiny device, including those kernel and CoreAudio bugs, plus one in the sysdiagnose tool. This component, designed to aid watchOS in diagnosing problems, should be foolproof, but it too had a bug that allowed for arbitrary code execution.

You know the moral of this story — it’s time to update!

With dozens of new fixes available in all and with many of those nasty bugs squashed, there’s no good reason not to plug your device in and update as soon as possible. Don’t forget — Apple will even allow you to set up your phone so that it will update automatically overnight while you sleep. What could be easier than that? Take advantage of this opportunity and enjoy a safer, more secure experience.