Earlier this month, Apple said that threat actors were exploiting a critical vulnerability (CVE-2023-41064) in iOS to install Pegasus spyware. That vulnerability, according to Apple, was a buffer overflow issue in ImageIO and was reported by The Citizen Lab at The University of Toronto’s Munk School. Several days later, Google reported a critical heap buffer overflow vulnerability (CVE-2023-4863) in the WebP image library in Chrome that it says was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto’s Munk School. ImageIO supports WebP files. Researchers began to suspect there was a connection between the vulnerabilities. Researchers from Rezilion analyzed the vulnerabilities and concluded that “the underlying issue in the libwebp library” is likely the source of both vulnerabilities.
I don't think this is an Apple specific issue, but more an illustration of how complex software supply chains make it difficult to identify related vulnerabilities. Code is often not included by just simply dynamically loading a particular library. Instead, code is statically linked or worse, copy/pasted.
Whether you compile from source or download the binary, issues at the source level must be considered. The tricky part is monitoring for issues with externally sourced code in your environment. The Rezilion researchers have identified many packages using the flawed libwebp package. Make sure your vulnerability scanner has the checks specific to CVE-2023-4863 or you'll get false negatives on flawed versions of libwebp in your environment. Many vendors have released packages for affected packages like chromium and Firefox, as well as for affected software and updated libwebp libraries for you to deploy post haste.
The Isosceles write-up goes into a lot of detail on this. The technical content gets very deep into how the exploit is triggered.
Libwebp is an open-source software library. While we’re unsure how the vulnerability was introduced into the library, pretty much every modern browser is affected. This is yet another example of a software supply chain that affects a wide swath of vendor products. As this vulnerability is being actively exploited, immediately update your browser and check for updates from other application vendors that also might be affected.
Apple has published emergency updates to fix three vulnerabilities that are being actively exploited. The flaws exist in the WebKit browser engine, the Security Framework, and the Kernel Framework, and affect macOS, iOS, iPadOS, and watchOS.
The three vulnerabilities provide everything an attack chain needs to persistently compromise a device. An initial access vector via WebKit, a privilege escalation vulnerability in the kernel, and a method to then install malware without being noticed. Patch soon.
Apple released updates for both iOS/iPadOS 16 and 17, so you need to update your running OS, irrespective of having updated to iOS/iPadOS 17. Same goes for macOS Monterey (12) and Ventura (13). You should be able to push these updates to managed devices today. Don't overlook that Apple released an updated version of Safari for Monterey separate from the OS update you need to deploy. If you're looking at your iOS/iPadOS migration, note it supports the iPhone XS and newer, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later, which means you may need to lifecycle some older devices.
The three vulnerabilities can be combined to enable a privilege escalation attack. Immediately download and install the available patches.
Apple users should enable automatic updates.
In August, the Clorox Company disclosed to the US Securities and Exchange Commission that it experienced a cyberattack that prompted the company to take some systems offline. In the company’s most recent SEC filing, The Clorox Company says that it “implemented its business continuity plans and began manual ordering and processing procedures [and is now] operating at a lower rate of order processing and has recently begun to experience an elevated level of consumer product availability issues.”
One impact of reverting to manual methods is they have a lower bandwidth, whether the multi-hour check-in lines at Caesars after their incident, or Clorox limited both on order processing and inventory replenishment. Fortunately, Clorox expects to be fully restored by the end of the month, having already restored many impacted systems and processes. Think about your business resumption plans: not only what you can do manually but also how you'd restart when IT systems are restored to include what it would take from that restoration point to being at full capacity and service levels. Don't forget your communication plan.
Information on the specifics of the cyber-attack is sketchy. That said, the announcement does reinforce the need for organizations to build and perhaps more importantly, test business continuity plans.
In May 2022, GitHub announced that it planned to require all GitHub users to employ two-factor authentication by the end of the 2023 calendar year. GitHub launched a passkey beta for developers in July 2023, and has now announced that passkeys are available to all GitHub users.
If you haven't done so: Experiment with Passkeys, and consider adding support for them to your web applications. I think they are our best bet to emerge from the current password mess we all have to deal with.
Kudos to GitHub for making these available to everyone. No longer do you have to worry about being eligible to use a passkey, so you can start experimenting and incorporating them into your application development and deployment processes. Make sure you are set up with two-factor - the end of 2023 will be here before you know it, heck October is like a week away!
Passkeys are great if you are on an ecosystem that fully supports this like iPhone + Mac or Android + Chrome. Highly recommended for people who don’t like to carry physical keys. Use them where you can and keep a good backup method. I am waiting for the password managers to start to store them also. This would give you many more options.
Kudos to GitHub for completing the journey to passwordless login. This announcement coupled with their mandatory use of MFA for developers, should have an immediate effect in protecting users on their platform against phishing attacks. Separately, every organization should look to adopt passkeys as part of the account authentication process.
Passkeys are both convenient and secure. Making them available in a system or application lowers user resistance to strong authentication. Offering them as an option is particularly important in systems or applications in which users must opt-in to strong authentication.
The Signal Foundation has announced that it added quantum-resistant encryption keys to its Signal Protocol, which is used in the Signal, Google RCS, and WhatsApp messaging applications. The post-quantum cryptography added to the Signal Protocol, called PQXDH, “uses the same X3DH specification the Signal Protocol has always employed. On top, it adds an additional layer of encryption using Crystals-Kyber, one of four PQC algorithms the National Institute of Standards and Technology selected last year.”
Expect more products with encryption to start rolling out PQC. In this case, Signal is effectively wrapping their existing crypto with PQC as a hedge against any further issues, such as the turn of events which took SPKIE out of the PQC running. Use this, and others, such as Google's proposed PQC algorithm for FIDO2, to watch rollouts and lessons learned to fuel your PQC transition project.
Post Quantum Cryptography is still theoretical, as the practical application would assume that pre quantum ciphers are broken with a quantum machine which doesn't exist yet. I don't doubt that they decided on the "best" encryption possible given it's all theoretical, although I am not sure how they came to that conclusion. To augment things, they are using a belts and suspenders approach by overlaying their existing crypto with the Post Quantum Cipher they chose, which is one of the four that NIST recommended.
As quantum resistant encryption algorithms are adopted by NIST and other national standards organizations, we can expect to see them added to vendor products. The Signal Foundation is one such early adopter. This announcement is timely as encrypted communications can be ‘hoovered up’ today and later broken as quantum computing advances.
Signal is to be commended for this forward looking step. However, it is easier to do in a proprietary protocol than it will be to do in public protocols, like TLS, that involve hundreds of products.
“Authors of a broad array of works of fiction” have filed a class action lawsuit against OpenAI, seeking a permanent injunction barring alleged copyright infringement. The plaintiffs allege that training large language models (LLMs) on pirated copies of authors’ work is not only a violation of copyright law, but also constitutes “systematic theft on a mass scale.” The complaint says that “Unfairly, and perversely, without Plaintiffs’ copyrighted works on which to ‘train’ their LLMs, Defendants would have no commercial product with which to damage—if not usurp—the market for these professional authors’ works. Defendants’ willful copying thus makes Plaintiffs’ works into engines of their own destruction.”
Authors have a right to fair compensation for their work. That said, how do we make advances with artificial intelligence if we don’t make data sets available from which to train large language models? Availability and use of such data is further complicated by data privacy laws. Unfortunately, OpenAI is on the cutting edge of some of these advancements and as such, will bear the weight of litigation until access to and use of data rights are adjudicated.
If copyrighted works are published online and the search engine (AI or otherwise) ingests the content, that is not a failing of the search engine. With advances such as GenAI, it may be possible to increase the efficacy of searches to identify and take down pirated content, followed by the dilemma of how to delete the ingested content. As privacy laws continue to evolve, it will be interesting to watch how requests to be forgotten or corrected are handled, particularly in the context of GenAI.
Safety and other goals require that training data for AI tools must be curated. Criteria for inclusion should be available to users of the tool.
GitLab is urging users to update to versions 16.3.4 or 16.2.7 for GitLab Community Edition and Enterprise Edition. The newest versions include fixes for a critical flaw (CVE-2023-5009) that is a bypass of an earlier CVE (CVE-2023-3932). GitLab notes that an “attacker can abuse scan execution policies to run pipelines as another user.”
GitLab versions 13.12 before 16.2.7 and 16.3 before 16.3.4 are vulnerable if you have both direct transfers and security policies enabled. While this can be mitigated by turning one of those features off, the better fix is to update to a more current version.
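The version ranges and the two-feature condition described above can be turned into an inventory triage check. This is an added example, not GitLab's own code or part of the original newsletter; the inventory records and their field names (`name`, `version`, `direct_transfers`, `security_policies`) are hypothetical and the sample data is constructed.

```python
import re

# Affected ranges as stated in the text above:
# 13.12 up to (not including) 16.2.7, and 16.3 up to (not including) 16.3.4.
AFFECTED_RANGES = [((13, 12, 0), (16, 2, 7)), ((16, 3, 0), (16, 3, 4))]


def parse_version(text):
    """Turn '16.3.2-ee' or 'v16.2' into (major, minor, patch); raise on junk."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def in_affected_range(version):
    """True when the version falls inside either affected range."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def triage(instance):
    """Classify one inventory record (hypothetical field names)."""
    if not in_affected_range(instance["version"]):
        return "not-affected"
    if instance["direct_transfers"] and instance["security_policies"]:
        return "exposed"  # both features enabled on an unfixed build
    # One feature is off, which mitigates the issue, but the build is unfixed.
    return "mitigated-still-upgrade"


def report(inventory):
    """Map each instance name to its triage result."""
    return {item["name"]: triage(item) for item in inventory}


# Constructed sample inventory, for illustration only.
INVENTORY = [
    {"name": "git-prod", "version": "16.3.3-ee",
     "direct_transfers": True, "security_policies": True},
    {"name": "git-dev", "version": "16.2.6",
     "direct_transfers": False, "security_policies": True},
    {"name": "git-lab2", "version": "16.3.4-ee",
     "direct_transfers": True, "security_policies": True},
    {"name": "git-old", "version": "13.11.9",
     "direct_transfers": True, "security_policies": True},
]

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```
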
The International Criminal Court (ICC) has disclosed that it was the target of a cyberattack last week. The ICC, which is headquartered in The Hague, is investigating the incident along with authorities in the Netherlands.
This is the same court that said they'd take on prosecuting Cyberwar crimes. In addition, the other high-profile cases they investigate and try make them a prime target. They are planning to strengthen their cybersecurity framework as well as better leverage cloud services. While moving to the cloud by itself is not a security answer, moving to cloud services can make it easier to implement security measures that may require services, integration, orchestration and architecture not present in legacy infrastructure, reducing and augmenting one’s attack surface.
It may not be a coincidence that this compromise took place around the time that the Court announced that it would consider cases of cybercrime, instances that might rise to the level of crime against humanity.
Earlier this week, the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) Catalog passed the 1,000 entry mark. In a blog post, CISA officials reflect on what they’ve learned over the two years since the program’s inception, describe how the KEV catalog can best be used, and outline what’s planned for the program’s future.
CISA also provides background information to include that entries in the KEV require a CVE ID, evidence of active exploitation as well as an effective mitigation. Future plans include incorporating the information in CDM dashboards as well as other commercial partner systems, more relevant information to aid understanding as well as a hope that efforts to achieve "secure by design" lessen the frequency of entries being added. While I don't know how long that last part will take, incorporating the KEV data into your dashboards will help with context and urgency for discovered flaws, helping our SOC and IR teams.
Good read. Lessons include that KEV is working on reducing risk as measured by time to remediate, that most vulnerabilities are never exploited, that even the vulnerabilities in the list are not of equal risk, and that many, not to say most, of the vulnerabilities could have been avoided by better programming practices.
At the mWise security conference earlier this week, Mandiant researchers presented their findings about a hacking group with ties to China that they say has been using USB drives to spread malware. The hacking group, UNC53, has managed to infiltrate at least 29 organizations since January 2022 and infect their systems with variants of malware known as Sogu.
Forgive the cliché, but what's old is new again. The old tricks still work. Beyond your security awareness program, make sure that your fancy new EDR system has protections enabled. There really are cases where the step to put the system into active defense mode was skipped, or more likely, the protection levels were not cranked up appropriately. Regardless, verify where you are and that you've enabled all the recommended protections.
Apple Patches Three 0-Days
What's Normal? DNS TTL Values
https://isc.sans.edu/diary/Whats+Normal+DNS+TTL+Values/30234
Obfuscated Scans For Older Adobe Experience Manager Vulnerabilities
https://isc.sans.edu/diary/Obfuscated+Scans+for+Older+Adobe+Experience+Manager+Vulnerabilities/30230
WebP Vulnerability
https://blog.isosceles.com/the-webp-0day/
MOVEit Transfer Service Pack
https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023
Improved Passkey Support in Windows 11
CISA Highlights Snatch Ransomware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a
npm packages caught exfiltrating Kubernetes config, SSH keys
https://blog.sonatype.com/npm-packages-caught-exfiltrating-kubernetes-config-ssh-keys
Nagios XI Vulnerabilities
https://outpost24.com/blog/nagios-xi-vulnerabilities/
Trend Micro Apex One 0-day
https://success.trendmicro.com/dcx/s/solution/000294994?language=en_US
SprySOCKS Backdoor
https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html
GitLab Patches
https://about.gitlab.com/releases/2023/09/18/security-release-gitlab-16-3-4-released/