Apple iMessage Flaw Allows Remote Attackers to Read iPhone Messages

Remote exploitation can be achieved with no user interaction.

Five bugs in Apple’s iMessage service for the iPhone have been uncovered that require no user interaction to exploit, including one that would allow remote attackers to access content stored on iOS devices.

The flaws were first discovered by Google Project Zero security researcher Natalie Silvanovich; Apple has fully patched four of them as part of the 12.4 iOS update.

CVE-2019-8646 is the bug that allows an attacker to read files off a remote device with no user interaction. An exploit could leak the SMS database, binary files like images and more. Silvanovich has made a proof-of-concept public for the flaw.

In the bug description, the researcher explained where the issue lies: “The class _NSDataFileBackedFuture can be deserialized even if secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the [NSData bytes] selector is called.”

This presents two problems, she added: opening up access to local files if the code deserializing the buffer ever shares it; and, it allows an NSData object to be created with a length that is different than the length of its byte array.

In the latter case, “this violates a very basic property that should always be true of NSData objects,” Silvanovich explained. “This can allow out-of-bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed.”

Since the potential for information exfiltration is significant, iOS users should take care to upgrade to the latest version as soon as possible.

“Apple publishes less granular details about the distribution of iOS versions than Google does for Android,” OneSpan senior product marketing manager Sam Bakken told Threatpost in an email interview. “Apple data from May 2019 reports that 85 percent of all devices use iOS 12. But, depending on what minor version of iOS 12 they are on (12.0, 12.1, 12.2, 12.3, etc.) a lot of those users will be vulnerable to this seemingly very dangerous vulnerability.”

Other Bugs

As for the other issues, CVE-2019-8647 is a remote, interactionless use-after-free vulnerability that can crash SpringBoard, the standard application that manages the iOS home screen, with no user interaction.

Silvanovich explained in the bug description that when deserializing a class with initWithCoder, subclasses can also be deserialized “so long as they do not override initWithCoder and implement all methods that require a concrete implementation.”

When _PFArray, which is a subclass of NSArray, is deserialized that way, it eventually calls [_PFArray initWithObjects:count:].

“This method initializes the array with the objects provided by the NSKeyedUnarchiver, but does not retain references to these objects, so when the NSKeyedUnarchiver is released, the objects in the array will also be released, even though the user of the deserialized objects could still be using them,” she explained.
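The ownership mistake described above can be modelled with a toy reference count. This is an added C sketch, not Apple's code or the researcher's proof-of-concept; `Obj`, `Array` and every function name are hypothetical, and "freed" storage is only flagged (`live = 0`) so the program never touches released memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy reference-counted object; live == 0 models storage that was freed. */
typedef struct { int refcount; int live; int value; } Obj;

void obj_retain(Obj *o)  { o->refcount++; }
void obj_release(Obj *o) { if (--o->refcount == 0) o->live = 0; }

#define MAX_ITEMS 4
typedef struct { Obj *items[MAX_ITEMS]; size_t count; int owns; } Array;

/* Pattern from the description: pointers are stored, but not retained. */
void array_init_borrowed(Array *a, Obj **objs, size_t n) {
    a->count = n > MAX_ITEMS ? MAX_ITEMS : n;
    a->owns = 0;
    for (size_t i = 0; i < a->count; i++) a->items[i] = objs[i];
}

/* Hardened form: the array takes its own reference to every element. */
void array_init_retained(Array *a, Obj **objs, size_t n) {
    a->count = n > MAX_ITEMS ? MAX_ITEMS : n;
    a->owns = 1;
    for (size_t i = 0; i < a->count; i++) {
        obj_retain(objs[i]);
        a->items[i] = objs[i];
    }
}

void array_destroy(Array *a) {
    if (a->owns)
        for (size_t i = 0; i < a->count; i++) obj_release(a->items[i]);
    a->count = 0;
}

/* Models the decoder: it owns the decoded objects (refcount 1), hands them
 * to the array initializer, then goes away and drops its references.
 * Returns how many array elements point at storage that is no longer live. */
size_t dangling_after_unarchiver_release(int retain) {
    Obj pool[3] = { {1, 1, 10}, {1, 1, 20}, {1, 1, 30} };  /* constructed sample */
    Obj *decoded[3] = { &pool[0], &pool[1], &pool[2] };
    Array a;

    if (retain) array_init_retained(&a, decoded, 3);
    else        array_init_borrowed(&a, decoded, 3);

    for (size_t i = 0; i < 3; i++) obj_release(decoded[i]);  /* decoder released */

    size_t dangling = 0;
    for (size_t i = 0; i < a.count; i++)
        if (!a.items[i]->live) dangling++;

    array_destroy(&a);
    return dangling;
}

int main(void) {
    printf("borrowed: %zu dangling\n", dangling_after_unarchiver_release(0));
    printf("retained: %zu dangling\n", dangling_after_unarchiver_release(1));
    return 0;
}
```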

The third bug is CVE-2019-8660 – a remote, interactionless memory corruption flaw that crops up when decoding an object of class NSKnownKeysDictionary1.

“This class decodes an object of type NSKnownKeysMappingStrategy1, which decodes a length member which is supposed to represent the length of the keys of the dictionary,” said Silvanovich, in the bulletin. “However, this member is decoded before the keys are decoded, so if a key is an instance of NSKnownKeysDictionary1 which also uses this instance of NSKnownKeysMappingStrategy1, the mapping strategy will be used before the length is checked.”

This is a problem because the NSKnownKeysDictionary1 instance uses this length to allocate a buffer, and the length is multiplied by eight during that allocation, without an integer overflow check. The code will then attempt to copy the values array (another decoded parameter) into the buffer using the unmultiplied length.

However, she said the issue would be fairly difficult to exploit due to the uncontrolled nature of the copies.
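The allocation pattern described above (a decoded length multiplied by eight with no overflow check, then a copy driven by the unmultiplied length) is shown here beside a checked form. This is an added C example, not Apple's code; the function names and the choice of `size_t` for the length are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SLOT_SIZE 8u  /* the "multiplied by eight" in the bug description */

/* Unchecked size computation: the product wraps modulo SIZE_MAX + 1, so a
 * huge declared length can produce a tiny (even zero-byte) allocation. */
size_t unchecked_alloc_size(size_t length) {
    return length * SLOT_SIZE;
}

/* Checked size computation: reject any length whose product would wrap. */
int checked_alloc_size(size_t length, size_t *out_bytes) {
    if (length > SIZE_MAX / SLOT_SIZE)
        return -1;
    *out_bytes = length * SLOT_SIZE;
    return 0;
}

/* Hardened copy. The declared length is validated before it is used for
 * anything: first against overflow, then against the number of values that
 * were actually decoded. Only then is the buffer allocated and filled.
 * Returns 0 on success, -1 on bad or overflowing length, -2 on mismatch,
 * -3 on allocation failure. The caller frees *out. */
int copy_values_checked(const uint64_t *values, size_t values_count,
                        size_t declared_length, uint64_t **out) {
    size_t bytes;
    *out = NULL;
    if (declared_length == 0)
        return -1;
    if (checked_alloc_size(declared_length, &bytes) != 0)
        return -1;
    if (declared_length != values_count)
        return -2;
    uint64_t *buf = malloc(bytes);
    if (buf == NULL)
        return -3;
    memcpy(buf, values, bytes);  /* bytes == values_count * 8, in bounds */
    *out = buf;
    return 0;
}

int main(void) {
    size_t hostile = SIZE_MAX / SLOT_SIZE + 1;  /* constructed sample length */
    uint64_t vals[3] = { 1, 2, 3 };             /* constructed sample values */
    uint64_t *copy = NULL;

    printf("unchecked size for hostile length: %zu bytes\n",
           unchecked_alloc_size(hostile));
    printf("checked copy, hostile length: %d\n",
           copy_values_checked(vals, 3, hostile, &copy));
    printf("checked copy, honest length:  %d\n",
           copy_values_checked(vals, 3, 3, &copy));
    free(copy);
    return 0;
}
```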

As for the other two, the researcher said that CVE-2019-8662 is similar to CVE-2019-8647, but access to the bug description is restricted. And, the team is withholding CVE-2019-8641 for now because Apple’s initial fix did not resolve the vulnerability, according to Silvanovich.

Overall, OneSpan’s Bakken noted that the finds highlight the fact that the mobile environment should be treated as “hostile.”

“Consider the mobile device a hostile environment and apply multiple controls and measures to keep your app safe and your users’ data secure,” he noted.

He added that developers should also take note.

“Mobile app developers and publishers need to constantly remind themselves that even if they think their mobile app is completely buttoned-up in terms of security (keeping in mind that 100 percent secure is impossible anyway), vulnerabilities in the OS, or other apps or malware on a user’s device can put their app and users at risk,” he said.

Google is getting rid of Android Auto’s smartphone UI — here’s why

The new Android Auto started rolling out today (and it’s pretty good), but unfortunately, all of its various improvements are only coming to in-car displays. The version of Android Auto you can run on your phone’s screen standalone won’t be getting the same face lift — and as a matter of fact, it’s eventually going away entirely (though we’re not sure exactly when). Here’s what’s happening.

Why is Google phasing out Android Auto’s smartphone mode?

The short answer is that Google wants to get rid of the need for a discrete driving mode app on your phone. The long answer is, well, longer.

The Google Assistant — the one you already have installed — will be taking over for Android Auto as your phone-display driving companion, with an all new interface to boot. Android Auto is increasingly specialized for in-car dashboard displays, which are traditionally horizontally oriented, significantly larger than your phone, and fixed in the center of your car’s dash.

Your phone, on the other hand, can be mounted in any number of locations, and is usually fixed vertically to maximize navigation visibility. The new Assistant-based interface is tailored to work better on a phone-format display. Bonus: it doesn’t require any additional software. Once it’s available (more on that soon) if you’ve got the latest version of the Google app, you’re good to go.

What is the Assistant driving mode? What features does it add?

The official name of this new interface is “Google Assistant driving mode.” You’ll be able to turn it on by saying “let’s drive” to the Assistant (that phrase currently opens Google Maps to Driving Mode or just does a search, depending on what state your phone is in). It also stands to reason that, like Auto, you’ll be able to configure it to launch automatically when your phone connects to your car by Bluetooth, but we haven’t heard anything official to that end just yet.

You’ll see large icons representing common actions people take while driving — navigation, phone, and media control — followed by a selection of specific things Google thinks you might want to do, like resuming playing media you’d started elsewhere, returning a missed call, or navigating to an appointment. If you get a call, the Assistant will ask aloud whether you’d like to answer, and you can verbally answer yes or no to take action.

It’s all similar to what Android Auto’s phone interface does now, just in a prettier, easier-to-use package with a bit more predictive Google Assistant magic and without the need for a separate app.

When does Assistant Driving Mode launch?

We’re not exactly sure. In May, Google said driving mode would be available on Android phones this summer, but the latest word is just “in the future.” It’s part of the “next-generation” Assistant announced at I/O this year. Parts of that new experience, like easier verbal control of Google Home alarms and Duplex on the web have already trickled out, so it could be any time now.

Massive Note 10 Plus 5G revealed in several leaks

We’re just starting to see leaked images of the stylus-packing Samsung Galaxy Note 10 and its higher-specced Plus version, but there’s something new in the mix: leaked information on and images of the Samsung Galaxy Note 10 Plus 5G.

The first image came courtesy of reputable leaker Evan Blass (who supplied earlier leaks of the Note 10 Plus, among others), who tweeted out what appears to be ad copy pairing the new handset with Verizon’s next-generation network, which reads: “Galaxy Note10 Plus 5G meets Verizon 5G. Pre-order today and get a Note10 free.*” He followed it up with a tweet of another Verizon ad GIF.

What does the Note 10 Plus 5G look like? A bigger, wider version of the already-large Note 10, from the looks of the leaked image. True, we don’t see much from the ad – and like early images of the Note 10 Plus, our metric of comparison is really how tall it is compared to the stylus – but it simply looks like a sized-up version of the base model.

Something else has appeared supporting the existence of a 5G Note 10: a certification by China’s 3C authority, according to GizmoChina. The 3C database includes a listing for one SM-N9760, which other reports have tied to the Galaxy Note 10 Plus.

The entry in question prominently lists a “5G digital mobile phone,” which is very likely the 10 Plus 5G, suggesting Samsung views it as a variant rather than a standalone device.

A Note 10 … in 5G?

This isn’t a huge surprise, as Samsung released the Galaxy S10 5G some months after the base phone was released. That handset was bigger, slightly higher-specced, and had an extra ToF sensor. As expected, carriers with nascent 5G networks, like Verizon and later T-Mobile, have supported the S10 5G, which has been the best-performing 5G phone thus far.

A Note 10 Plus 5G will build on that path – though without more information on what’s packed in the phone, we can’t foretell which 5G networks it will be compatible with. For instance, will it follow the S10 5G and just work with hyperlocal millimeter wave setups, like Verizon 5G? Or will it work with the wider sub-6GHz networks coming from the merged T-Mobile 5G and Sprint 5G?

If it’s anything like the S10 5G, the Note 10 Plus 5G will be bigger and higher-specced than the base model – the ultimate version, you could say, for anyone who wants to buy a phone to flex with.

This might look like the next Apple Watch, but it’s actually Samsung’s Galaxy Watch 2

There’s no smartwatch as popular as the Apple Watch, and Apple keeps selling millions of units every quarter. Apple’s smartwatch is quite easy to tell apart from its main competitors, as its design is instantly recognizable. But come next week, Samsung will launch a Galaxy Watch 2 that looks very familiar.

“The best I can do is pass along details from trusted sources. Nothing I say should ever be taken as gospel until the press release is out,” prominent leaker Evan Blass commented on Twitter about a recent Galaxy Note 10 specs leak he posted. “Unless there are pictures,” he followed, sharing the image above.

This was a week ago, and, at the time, we didn’t know what to make of it. Blass didn’t explain what the smartwatch was, and it looked just like a round version of the Apple Watch rather than a Galaxy Watch. Just check out the colors, the metal and glass blend, the physical buttons, and, most importantly, the watchfaces. It all screams Apple Watch, and some people thought it was a press render of the Apple Watch Series 5.

The device Blass leaked could not be an Apple Watch, however, because, as other users observed, the image delivered two important clues. First of all, the watch shows the time as 10:08, which is one second earlier than Apple’s usual 10:09 time for the Watch. Moreover, the date was August 5th, and Apple doesn’t have any Watch events planned for August.

At the time, we thought the Galaxy Watch 2 would be introduced during the August 7th Galaxy Note 10 event, which made the press render even more puzzling. A few days later, leaked FCC documentation (via Droid-Life) revealed actual images of the Galaxy Watch 2. As it turns out, the circular watch design looked exactly like the device in Blass’s press render. However, the similarities with the Apple Watch were no longer obvious. After all, while it may be easy to replicate the Watch design and its watchfaces, it’s harder to copy the watchOS software. Not that Samsung would want to do that again, would they?

I’ll also point out that we saw several Note 10 preorder leaks that included Galaxy Watch 2 renders, but you can barely make out the device in these pics:

In other words, it sure looks like the Galaxy Watch 2 might have a design that could convince some people that they’re looking at an Apple Watch. I wouldn’t call it a blatant ripoff, because it’s not identical, but this Galaxy Watch 2 design looks like it drew its inspiration from Apple’s best-selling wearable.

Gears 5 Xbox One controller possibly leaks

Gears 5 is a third-person shooter that launches in September and The Coalition keeps on providing us with new details about the upcoming game. Recently, Gears 5 Multiplayer Design Director Ryan Cleven discussed servers and balance tuning. The franchise will feature 60 Hz servers for the first time with Gears 5 and there is one tuning setup across core and competitive multiplayer modes.

The servers that track action at 60 Hz should make shooting feel much more precise. This should give every shot more meaning. You can read Cleven’s comments on Twitter below.

The Coalition wanted to have the same balancing tuning for core and competitive modes. This means that weapons, recoil, and other attributes of the shooting mechanics should feel the same across all of the affected modes. Keep in mind that there is no aim assist for competitive modes so you’ll have to rely on your skills alone.

It’s unclear how these changes will be perceived by the community. Only time will tell once the game is in everyone’s hands. Hopefully, these changes will make the game fairer.

Gears 5 shines with Unreal Engine 4. The game looks stunning and should run at 4K resolution and 60 frames per second (FPS) on Xbox One X. Gears of War 4 ran at 4K 30 FPS during the campaign and 4K 60 FPS during multiplayer. This time around, both modes are the same frame rate.

How to Change the Size of Your App Icons in iPadOS 13

One of the more jarring experiences you’ll encounter when updating your iPad to Apple’s iPadOS 13 this fall—including having to call it that from now on—is the slightly smaller icons now gracing your iPad’s Home screen and pages.

Like a juice cleanse, this icon diet is only a temporary fad. It appears Apple is going to let you revert back to the beefier icons you’ve been using all this time if you prefer your apps to look like a delicious thicc steak than a lean patty. At least, that’s my impression based on the latest iPadOS 13 beta—version 5!—which now comes with a little setting for adjusting the size of your app icons.

Make your app icons big or small

If you’re currently running the iPadOS 13 beta, or you know smaller icons are going to drive you crazy and you’ll want to change this as soon as iPadOS 13 drops in (probably) September, here’s how to fatten up your icons.

First, pull up the Settings app. You’ll then want to tap on Display & Brightness. Toward the bottom of this section, look for the new option for “App Icon Size.” You can’t miss it, as you’ll see a little graphic that shows you how many icons will fit on a page in “More” and “Bigger” modes:

That’s it! I haven’t reinstalled iPadOS 13 lately, but it makes sense that Apple would also ask you this preference as part of your device’s initial setup process. If not, now you know where to find it.

AMD Releases New Chipset Drivers For Ryzen 3000: More Relaxed CPPC2 Upscaling

It’s been nearly three weeks since AMD’s launch of the new Ryzen 3000 series CPUs and our extensive coverage of the new parts. One of the things that didn’t go quite as smoothly is AMD’s BIOS and software situation, as things were still very much in flux following the launch.

One issue that was repeatedly brought up by the community over the past weeks was the new CPU’s idle behaviour both in terms of temperature as well as voltages. In particular, the new parts seemingly looked like they rarely idled at lower performance states and instead looked to remain at high frequencies even when not doing much.

While it initially appeared to be an issue, it really wasn’t one, but rather a side-effect of AMD’s new CPPC2 fast frequency ramp-up behaviour. Badly programmed monitoring applications tend to have too heavy a monitoring loop, which puts load on the CPU and triggers a frequency ramp-up as the CPU sees a larger load. Given the new CPU’s sub-1ms ramp-up, this meant that it was very hard to actually catch the machine at the lower frequencies, even though it most likely did idle correctly.

As AMD states in their community brief on the issue, part of the new behaviour change is that the new scheduler settings will now have a much more relaxed ramp-up time compared to the previous versions. In particular, when the chip will be at its base frequency and idling voltage, it will now take a significantly longer load for the chip to ramp up to its boost frequencies.

In our quick A/B testing between the two driver versions, we can see that prior to the update the CPU would ramp up to its boost clocks in around 840 microseconds, whilst on the new power plan, in this data-set, it took a longer 17.5 milliseconds.

The new behaviour thus should make the CPU ramp-up much less susceptible to smaller transient loads. The new boost duration is still very much adequate and extremely fast – sustained CPU workloads will see largely imperceptible difference, while intermittent workloads such as games also won’t be affected as once the CPU gets over the initial base frequency ramp threshold it maintains the sub-1ms frequency change behaviour.

AMD has also addressed concerns about the reported high temperatures of the chip. The company explains that generally the value that most applications are reading out is the maximum of several sensors on the chip. Essentially this acts as the junction temperature of the chip – whilst most of the die would actually be a different/lower temperature.

A new version of Ryzen Master now includes a different temperature readout algorithm that is meant to better represent the “overall” temperature of the die rather than the absolute maximum a sensor reports. AMD says this is a better representation of the temperature of the CPU. Besides averaging across different sensors, it also averages readouts over a small time-window. In my testing the most affected scenarios are idle and low-load scenarios and the new temperature behaviour isn’t nearly as erratic and spiky.

Cheap Homtom HT30 Li-ion Cell Phone battery, Brand New HT30 replacement battery for HOMTOM HT30 / HT30 Pro Phone

3000mAh/11.4WH 3.8V/4.35V Homtom HT30 Batteries for HOMTOM HT30 / HT30 Pro Phone, Homtom HT30 Cell Phone battery is a brand new,100% Compatible original and replacement Laptop battery,Purchase wholesale and retail HT30 with high quality and low price!

HT30 Battery homtom Li-ion 3.8V/4.35V 3000mAh/11.4WH

HT30

Specifications

  • Brand:Homtom
  • Capacity :3000mAh/11.4WH
  • Voltage :3.8V/4.35V
  • Color:blue
  • Type :Li-ion
  • Battery Cell Quality: Grade A
  • Descriptive: Replacement Battery – 1 Year Warranty
  • Description: Brand New, 1 Year Warranty! 30-Days Money Back! Fast Shipping!

How we test this Homtom HT30 Battery Li-ion 3.8V/4.35V 3000mAh/11.4WH

Step 1: Make sure customer bought the correct battery.
Step 2: Check battery’s appearance and interface.
Step 3: Test battery charger and recharger function.
Step 4: Charger the battery to 100% and recharger to 0% to get real battery capacity
Step 5: Use Ev2300 to check the voltage difference of each group of cells.
Step 6: Charger battery power more than 30%.
Step 7: Package battery carefully and send out

Compatible Part Numbers:

HT30

Compatible Model Numbers:

HOMTOM HT30 / HT30 Pro Phone

How much do you know about how to run laptop well as any place? The follow Tips cut way back on protecting battery life.


1). Please recharge or change your Cell Phone battery when battery power low.
2). Using Li-Ion Replacement Homtom HT30 Cell Phone Battery for your notebook which can work longer time than Non Li-ion one.
3). It is better to defragmentation regularly for your Cell Phone battery life.
4). In order to reduce the laptop power consumption, you can use some optical drive spin-down and hard drive in your Cell Phone.
5). Please keep your laptop in sleep or standby model without long time using, which both save the Replacement Homtom HT30 Cell Phone Battery power and extend battery using life.
6). Leave your battery in a dry and cool condition when without using.
7). When you rarely or generally plugged in fixed power using, Please take down your battery to avoid hurting battery life.


Cheap Motorola 82-127912-01 Li-ion Other battery, Brand New 82-127912-01 replacement battery for Motorola Symbol MC3100 MC3190 series

2470mAh/10.1WH 3.7V Motorola 82-127912-01 Batteries for Motorola Symbol MC3100 MC3190 series, Motorola 82-127912-01 Other battery is a brand new,100% Compatible original and replacement Laptop battery,Purchase wholesale and retail 82-127912-01 with high quality and low price!

82-127912-01 Battery motorola Li-ion 3.7V 2470mAh/10.1WH

82-127912-01

Specifications

  • Brand:Motorola
  • Capacity :2470mAh/10.1WH
  • Voltage :3.7V
  • Type :Li-ion
  • Battery Cell Quality: Grade A
  • Descriptive: Replacement Battery – 1 Year Warranty
  • Description: Brand New, 1 Year Warranty! 30-Days Money Back! Fast Shipping!

How we test this Motorola 82-127912-01 Battery Li-ion 3.7V 2470mAh/10.1WH

Step 1: Make sure customer bought the correct battery.
Step 2: Check battery’s appearance and interface.
Step 3: Test battery charger and recharger function.
Step 4: Charger the battery to 100% and recharger to 0% to get real battery capacity
Step 5: Use Ev2300 to check the voltage difference of each group of cells.
Step 6: Charger battery power more than 30%.
Step 7: Package battery carefully and send out

Compatible Part Numbers:

82-127912-01

Compatible Model Numbers:

Motorola Symbol MC3100 MC3190 series

How much do you know about how to run laptop well as any place? The follow Tips cut way back on protecting battery life.


1). Please recharge or change your Other battery when battery power low.
2). Using Li-Ion Replacement Motorola 82-127912-01 Other Battery for your notebook which can work longer time than Non Li-ion one.
3). It is better to defragmentation regularly for your Other battery life.
4). In order to reduce the laptop power consumption, you can use some optical drive spin-down and hard drive in your Other.
5). Please keep your laptop in sleep or standby model without long time using, which both save the Replacement Motorola 82-127912-01 Other Battery power and extend battery using life.
6). Leave your battery in a dry and cool condition when without using.
7). When you rarely or generally plugged in fixed power using, Please take down your battery to avoid hurting battery life.


Cheap Motorola 82-127909-02 Li-ion Other battery, Brand New 82-127909-02 replacement battery for Motorola Symbol MC3100 MC3190 series

4800mAh /17.8WH 3.6V/3.7V Motorola 82-127909-02 Batteries for Motorola Symbol MC3100 MC3190 series, Motorola 82-127909-02 Other battery is a brand new,100% Compatible original and replacement Laptop battery,Purchase wholesale and retail 82-127909-02 with high quality and low price!

82-127909-02 Battery motorola Li-ion 3.6V/3.7V 4800mAh /17.8WH

82-127909-02

Specifications

  • Brand:Motorola
  • Capacity :4800mAh /17.8WH
  • Voltage :3.6V/3.7V
  • Type :Li-ion
  • Battery Cell Quality: Grade A
  • Descriptive: Replacement Battery – 1 Year Warranty
  • Description: Brand New, 1 Year Warranty! 30-Days Money Back! Fast Shipping!

How we test this Motorola 82-127909-02 Battery Li-ion 3.6V/3.7V 4800mAh /17.8WH

Step 1: Make sure customer bought the correct battery.
Step 2: Check battery’s appearance and interface.
Step 3: Test battery charger and recharger function.
Step 4: Charger the battery to 100% and recharger to 0% to get real battery capacity
Step 5: Use Ev2300 to check the voltage difference of each group of cells.
Step 6: Charger battery power more than 30%.
Step 7: Package battery carefully and send out

Compatible Part Numbers:

82-127909-02

Compatible Model Numbers:

Compatible 4400Mah or 4600mAh,not Compatible 2470mAh,battery size and thickness does differ
Motorola Symbol MC3100 MC3190 MC3190G MC3190R MC3190Z MC31X0 series

How much do you know about how to run laptop well as any place? The follow Tips cut way back on protecting battery life.


1). Please recharge or change your Other battery when battery power low.
2). Using Li-Ion Replacement Motorola 82-127909-02 Other Battery for your notebook which can work longer time than Non Li-ion one.
3). It is better to defragmentation regularly for your Other battery life.
4). In order to reduce the laptop power consumption, you can use some optical drive spin-down and hard drive in your Other.
5). Please keep your laptop in sleep or standby model without long time using, which both save the Replacement Motorola 82-127909-02 Other Battery power and extend battery using life.
6). Leave your battery in a dry and cool condition when without using.
7). When you rarely or generally plugged in fixed power using, Please take down your battery to avoid hurting battery life.
