Welcome to the February edition of the SSL.com Security Roundup!
February might be our shortest month, but you wouldn’t know it by looking at all of the emerging news about digital security. We’ve rounded them up in one convenient place to read, so have fun catching up on the past 28 days or so.
Apple to Hide Safe Browsing Requests from Google
Apple’s latest mobile operating system, iOS 14.5, comes with a new browser feature that alerts users to dangerous websites and prevents handing over IP addresses to Google. The Safari feature is called “Fraudulent Website Warning” and though it uses Google Safe Browsing to identify harmful websites, Apple will be rerouting Google Safe Browsing requests through a proxy server to avoid leaking IP addresses to Google. As Ravie Lakshmanan reports for The Hacker News, Apple will take other privacy precautions as well, as they lean into stepping up privacy for their users in other ways:
The new change in iOS and iPadOS is part of a number of privacy-oriented measures that Apple has been rolling out lately, including mandating app developers to disclose their data collection practices in App Store listings using “privacy nutrition labels.”
In addition, iOS 14.5 will also require apps to ask for users’ permission before tracking them across other apps and websites using the device’s advertising identifier as part of a new framework dubbed App Tracking Transparency.
The new iOS 14.5 is currently out in beta, with expectations that it will be released this spring.
Mystery Malware with Unknown Purpose Found on 30,000 Macs
Like something out of a modern spy movie, a new piece of malware known as “Silver Sparrow” has been found by security researchers from Red Canary. Though it has been found on nearly 30,000 Macs, no one really knows what it does, aside from checking for orders. As Ars Technica’s Dan Goodin reports:
Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.
Also curious, the malware comes with a mechanism to completely remove itself, a capability that’s typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists.
Aside from the obvious intrigue, Silver Sparrow is also noteworthy because it is only the second malware to run natively on the new M1 chip from Apple. And, though no researchers have seen it in action yet, Red Canary has identified it as “a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice.”
Mozilla and Apple Frown Upon Advanced Hardware Features in Chrome 89
Google’s Chrome 89 beta includes some new hardware interaction APIs that Mozilla and Apple are not thrilled about. The APIs allow developers to communicate with gamepads and keyboards using device-specific logic, let web applications read and write tags, and a WebSerial API allows direct communication between web applications and devices with serial ports. As Tim Anderson at The Register reports, Mozilla and Apple see this as dangerous:
Mozilla’s current standards position…has said that “because many USB devices are not designed to handle potentially malicious interactions over the USB protocols and because those devices can have significant effects on the computer they’re connected to, we believe that the security risks of exposing USB devices to the Web are too broad to risk exposing users to them or to explain properly to end users to obtain meaningful informed consent.”
Furthermore, because Google, Mozilla and Apple aren’t aligned on the safety of these APIs, if only one of them (Google) implements them, websites that depend on them might make browsers like Firefox and Safari appear broken simply because those browsers have not.
Researcher Exposes Widespread “Dependency Confusion”
Supply chain attacks have been in the news a lot recently. (You might remember this from our previous coverage of things like SolarWinds and Malwarebytes.) This month, researcher Alex Birsan showed us a new, scary version of the attack, one aimed at developers who mix public and private dependencies when using package managers like npm or RubyGems. Birsan details the vulnerability on Medium. It’s a little complicated, of course, but essentially he found that attackers look for the names of internal packages that companies accidentally expose through things like GitHub repositories or JavaScript files. The attacker then publishes a package with the same name and a higher version number to a public repository and waits to see if the package manager downloads it and the target uses it in place of the internal one.
In his article, Birsan said that he had detected this vulnerability, which he calls “dependency confusion,” in more than 35 organizations. We recommend reading his Medium piece if you’re interested in the specific commands and tools that can make one vulnerable to this type of attack, and how to mitigate the risk of dependency confusion.
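To make the defensive side concrete, here is an added Python example (not from Birsan’s article or SSL.com) that audits an npm project for the conditions that let dependency confusion happen: an internal package with a floating version range, or one whose lockfile entry resolved from the public registry instead of the organization’s private one. The package.json and v1-style package-lock.json are constructed inline, and the private scope @acme and registry URL npm.acme.example are hypothetical.

```python
import json

# Constructed sample manifests for a hypothetical project: one internal package
# (under the assumed private scope "@acme") alongside a public one.
PACKAGE_JSON = json.loads("""
{"dependencies": {"@acme/auth-utils": "^1.2.0", "lodash": "^4.17.21"}}
""")
PACKAGE_LOCK = json.loads("""
{"dependencies": {
  "@acme/auth-utils": {"version": "99.0.0",
    "resolved": "https://registry.npmjs.org/@acme/auth-utils/-/auth-utils-99.0.0.tgz"},
  "lodash": {"version": "4.17.21",
    "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"}}}
""")

INTERNAL_SCOPES = {"@acme"}                      # assumed: scopes the org owns
PRIVATE_REGISTRY = "https://npm.acme.example/"   # assumed private registry URL


def internal_deps(pkg, scopes=INTERNAL_SCOPES):
    """Names in package.json that belong to one of the organisation's scopes."""
    return [n for n in pkg["dependencies"] if n.split("/")[0] in scopes]


def audit_lockfile(pkg, lock, private_registry=PRIVATE_REGISTRY):
    """Flag internal packages that resolved anywhere other than the private
    registry, or whose version range would accept a newer public release."""
    findings = []
    for name in internal_deps(pkg):
        spec = pkg["dependencies"][name]
        if spec[:1] in ("^", "~", ">", "*", ""):
            findings.append((name, f"floating range {spec!r}"))
        entry = lock["dependencies"].get(name)
        if entry is None:
            findings.append((name, "not in lockfile"))
        elif not entry["resolved"].startswith(private_registry):
            findings.append((name, f"resolved from {entry['resolved']}"))
    return findings


def npmrc_scope_lines(scopes=INTERNAL_SCOPES, private_registry=PRIVATE_REGISTRY):
    """.npmrc lines pinning each internal scope to the private registry, so a
    same-named public package is never consulted for those names."""
    return [f"{s}:registry={private_registry}" for s in sorted(scopes)]


if __name__ == "__main__":
    for name, problem in audit_lockfile(PACKAGE_JSON, PACKAGE_LOCK):
        print(f"{name}: {problem}")
    print("\n".join(npmrc_scope_lines()))
```

Run against the constructed sample, the audit flags @acme/auth-utils twice (a floating range and a public-registry resolution), and the .npmrc lines show the scope-to-registry pinning that closes that gap.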