Security Weekly 36


Security Week 36: iOS application bug, Monero for non-robots, mining through MS Word

Most of us use at most two keyboard layouts at home and hardly think about the fact that the applications we run every day have to understand and correctly display thousands of characters from hundreds of languages in order to work properly. Forget even one character, and the whole program can collapse like the Tower of Babel.

  • Unfortunately, this is not a parable but a story about a very real bug that froze or crashed iOS applications when they tried to render one of two Unicode characters of the Telugu language. The problem arose on some versions of iOS in applications that use the default San Francisco font, and it caused a lot of inconvenience to users who did not expect the trick.

Imagine: you open a social network on your favorite iPhone, and there someone with strange characters in their name has liked your post or sent you a friend request. Well, you think, probably a foreigner … and you have no time to think anything else, because you immediately have other worries: the application you opened hangs solidly and refuses to work. You kill it and try to launch it again, but nothing happens; you have to delete and reinstall it. After reinstalling, everything finally works. You go back to your feed, and there is that user again. Crash, reboot, reinstall, repeat until you have torn out every hair on your head …

  • In general it looks like a typical “text bomb”, but in fact not quite. “Text bombs” are usually created by intruders or plain hooligans and contain a piece of executable code. Telugu, however, is not a program but a normal human language, spoken by almost 80 million people in India and other countries. One of the authors at Motherboard gives an example: his own Twitter app froze after a like from an ordinary user with no hooligan intentions whatsoever. Simply to display certain characters, the CoreText library accesses an invalid memory location. The system treats this as a serious error, panics and takes down the affected component.

The new “text bomb” knocks out popular applications such as Mail, Twitter, instant messengers, Slack, Instagram and Facebook (and this is not a complete list). Not only iPhones but other Apple devices, watches and TVs, were under threat … And if one of the Telugu characters appears in a pop-up notification, then it is not just one of the installed applications that is blocked but SpringBoard, a key part of iOS. The device then runs into an endless reboot cycle, and the entire system has to be reinstalled. So if, while reading this article, you are tempted to prank some Apple fan you know in this way, better refrain. Moreover, the bug is already fixed in the new beta versions of iOS, tvOS, macOS and watchOS, and Apple promises to roll the patch out to other systems in the near future.

Non-robots carry the Monero


Ever sworn while spending ten minutes trying to solve a captcha on a phone with its tiny on-screen keyboard? Well, scammers have figured out how to make money on that inconvenience.

  • Researchers found a new mining method aimed at Android mobile devices while studying a malicious advertising campaign. Tracing the various chains of bad ads, they noticed an interesting regularity: if you click certain banners from a desktop computer, you land on a fake technical support site; if you click from a phone, the browser shows a big, scary message in red on black: your device is demonstrating suspicious behavior, prove you are not a robot by entering a captcha. Until you do, we will mine Monero on your device to compensate our expenses.

And the funniest thing is that the offenders almost do not lie, they merely shift the emphasis: the mining is not conducted “because of suspicious behavior”, it is that suspicious behavior itself. And when the user enters the captcha, the mining is honestly stopped and the user is sent to the Google homepage.

  • But such “openness” is weak consolation, because cryptominers in their most brazen form can not only slow the phone down but also cause serious damage to the battery, as Kaspersky Lab experts confirmed from their own hard experience in December while investigating the multifunctional malware Loapi.

However, this particular campaign, which has been running since at least November 2017, seems more harmless, and it is hardly raking in millions: since phone processors are low-powered, users would have to be kept on the CAPTCHA page for a very long time for it to bring in serious money. The researchers examined five domains used by the scammers. They are visited by only 800 thousand users per month, and each of them spends an average of 4 minutes on the page. Of course, in reality the criminals probably have more domains, but by preliminary estimates their earnings hardly exceed a few thousand dollars a month.

Mining through Word, or the experts know their perversions

Any bug can be turned into a feature when properly filed, and any feature with enough imagination becomes a bug: the law of unity and struggle of opposites in action. And given the current popularity of Monero and of the Coinhive service (speak of the devil), any bug that comes anywhere near a browser is immediately put to use for mining. Now it is Word's turn: Microsoft has added the ability to embed an iframe tag to show videos from third-party sites. (We wanted to joke here that soon we will be mined through weather widgets, but it turned out someone had already thought of that.)

  • So, back to Word: no cases of mining through documents with an iframe have been detected in the wild so far, but it is easy to implement. The thing is that, firstly, Word does not restrict in any way which sites or domains the videos are loaded from; secondly, the pop-up window in which the video plays is in fact an Internet Explorer browser with the interface stripped off. This means scripts can run in it, including cryptomining scripts.

True, obtaining cryptocurrency through documents is not very profitable: for that you would have to make the user watch the video in the document for a very, very long time. You could, of course, insert a genuinely engaging video or artificially stretch out the loading time, but in general it is far more profitable for scammers to drop the intermediate stage and simply launch their own streaming service, for example with pornography, so that visitors reliably stay for a long time.

Microsoft, by the way, does not consider this vulnerability a security threat. That is logical enough: the vendor's business is to provide a useful capability, and the users' business is to exercise prudence. Moreover, a cryptomining script built into the video display code is easily detected by antivirus software.
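As an added illustration (not the page's own code, nor Microsoft's), here is a defender-side check in the spirit of the detection just mentioned: it unzips a .docx, finds online-video iframes in word/document.xml and flags those whose host is outside an allowlist. It assumes that Word stores the iframe HTML in the embeddedHtml attribute of a wp15:webVideoPr element, and it constructs its own minimal sample documents.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Video hosts a defender expects to see in documents (assumption: tune per environment).
ALLOWED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "player.vimeo.com"}
# Namespace Word uses for its online-video drawing extension (assumption from OOXML usage).
WP15_NS = "http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"

def find_embedded_iframes(docx_bytes):
    """Return (host, src) for every iframe found in embeddedHtml attributes of word/document.xml.
    Assumption: Word stores the online-video iframe HTML in wp15:webVideoPr/@embeddedHtml."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/document.xml" not in z.namelist():
            return found
        root = ET.fromstring(z.read("word/document.xml"))
    for el in root.iter():  # the attribute is unprefixed, so no namespace lookup is needed
        html = el.attrib.get("embeddedHtml")
        if html is None:
            continue
        for m in re.finditer(r'src=["\']([^"\']+)["\']', html, re.IGNORECASE):
            src = m.group(1)
            found.append(((urlparse(src).hostname or "").lower(), src))
    return found

def flag_untrusted_video(docx_bytes, allowed=ALLOWED_VIDEO_HOSTS):
    """Return the iframe sources whose host is not on the allowlist (candidates for review)."""
    return [(host, src) for host, src in find_embedded_iframes(docx_bytes) if host not in allowed]

def build_sample_docx(iframe_src=None):
    """Constructed minimal .docx containing one online video (or none when iframe_src is None)."""
    drawing = ""
    if iframe_src is not None:
        drawing = ('<w:r><w:drawing><wp15:webVideoPr embeddedHtml="&lt;iframe src=&quot;'
                   + iframe_src + '&quot; width=&quot;640&quot;&gt;&lt;/iframe&gt;" '
                   'h="360" w="640"/></w:drawing></w:r>')
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           'xmlns:wp15="' + WP15_NS + '"><w:body><w:p>' + drawing + '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    for src in (None, "https://www.youtube.com/embed/VIDEO_ID", "https://untrusted.example/video.html"):
        print(src, "->", flag_untrusted_video(build_sample_docx(src)))
```

Point the functions at a real document by reading its bytes instead of calling build_sample_docx; anything flagged is a document that loads video, and therefore IE-rendered script, from a host you have not vetted.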