One month after a group of Chinese researchers exploited a critical WebKit bug to break into — and hijack private data — from a fully patched iPhone, Apple has shipped a Safari update to fix the vulnerability.
The patch, available for Safari 6.1.1 and Safari 7.0.1, fixes a total of nine security vulnerabilities, the most serious of which allows malicious hackers to launch drive-by downloads using rigged Web sites.
The new Safari update comes just over a month after Keen Team, a group of Chinese researchers, demonstrated two iPhone exploits via Safari to capture Facebook credentials (iOS version 7.0.3) and hijack photographs (iOS aversion 6.1.4).
Keen Team’s exploits were delivered as part of the Mobile Pwn2Own hacking challenge at the PacSecWest security conference in Japan.
Here’s the explanation from HP, one of the Pwn2Own sponsors:
The first was an application exploit. Via Safari, the team were able to steal a Facebook cookie that was then exfiltrated and used to compromise the targeted Facebook account from another machine. In order for the exploit to work, a user would need to click on a link in an email, an SMS, or a web page, so some social engineering would be required to prompt a user to take an action before their credentials could be compromised.
According to documentation from Apple, the security holes resided in WebKit. The company confirmed that visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
The Safari update also includes a patch for a bug that disclosed user credentials to an unexpected site via autofill.
“Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. Thisissue was addressed through improved origin tracking,” Apple explained.
Related: Hackers Demo Two iPhone Exploits via Safari at Mobile Pwn2Own
Ryan is the host of the podcast series “Security Conversations – a podcast with Ryan Naraine”. He is the head of Kaspersky Lab’s Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.Previous Columns by Ryan Naraine:Apple Plugs Gaping Holes in Safari BrowserMassive Android Mobile Botnet Hijacking SMS DataArbor Networks: Beware of Bitcoin Alarm Utility Database Cloud Services a Malware Risk to Enterprises: ImpervaBug Bounty Flaws Remain Unpatched for 151 Days: Study
Tags: Mobile Security