A Bad Weekend for Computer Security

You may have read that hackers finally found a way into Apple’s iOS App Store, infecting dozens of legitimate apps with malware capable of stealing personal information and passwords. Here’s how they did it:

The hack exploited Chinese developers’ impatience, according to Palo Alto Networks. To write apps for Apple devices, developers have to use a tool kit called Xcode, but downloading the official version from Apple’s website can take a long time in China.

The hackers posted their infected version on a Chinese server, advertising faster downloads, the researchers said. Any app created or altered using the bogus Xcode would then itself become infected with the malware, they said.

The infected Xcode was hosted on Baidu Pan, a cloud service offered by Chinese search company Baidu Inc., according to multiple security researchers. Baidu removed the file shortly after being notified of its existence, Baidu spokesman Kaiser Kuo said Sunday.

The malware has been dubbed XcodeGhost by researchers at Alibaba Mobile Security, who were the first to document it extensively in a series of social-media posts starting Thursday.

And here is a complete list of infected apps. Most of these are Chinese and of no concern to you or me, but the popular web browser Mercury is on the list. I have that one, and it doesn’t appear to have been updated recently — which is bad news. I haven’t run it in months, which would seem to make me immune — but I’ve changed my passwords anyway.

On top of that, Google’s own security researchers have challenged a “key Android security talking point.” Ars Technica has that story:

Members of Google’s Project Zero vulnerability research team have challenged a key talking point surrounding the security of Google’s Android mobile operating system. To wit, a key exploit mitigation known as address space layout randomization does much less than the company’s overworked public relations people say in blocking attacks targeting critical weaknesses in Android’s stagefright media library.

As Ars reported beginning in July, a series of vulnerabilities in the libstagefright library made it possible for attackers to remotely execute malicious code on close to one billion Android phones. In the following seven weeks, Google has released updates that either lessen the severity of attacks or directly fix the underlying cause, although many users have yet to receive the fixes, and some probably never will.

Throughout the resulting media storm, Google PR people have repeatedly held up the assurance that the raft of stagefright vulnerabilities is difficult to exploit in practice on phones running recent Android versions. The reason, they said: address space layout randomization, which came to maturity in Android 4.1, neutralizes such attacks. Generally speaking, ASLR does nothing to fix a buffer overflow or similar software bug that causes the vulnerability in the first place.

Apple and Google both have some ‘splainin to do.