Pixel Envy

Written by Nick Heer.

Giant Gaping Security Chasms

If you subscribe to a bunch of security mailing lists, as I do, you’ll know that there are all sorts of small-to-medium-sized security bugs made public every day. Rarely, though, are two massive holes made public on the same day. First up is Craig Hockenberry’s explanation of a way nefarious developers could watch and log keystrokes in in-app browsers in their apps:

Changing the content of a web page is a good thing when it’s done to make a page more readable or accessible. Handling keyboard events can also guide a user through a complex form or make viewing a slide show easier.

These are not inherently bad web technologies. The problem is that an iOS app has as much access to these technologies as the developer of the web page.

Then there’s the “Shellshock” bug in Bash, explained here by Huzaifa Sidhpurwala:

Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the enivronment variable).

Troy Hunt has a much more detailed explanation, should you want one.

These bugs have two things in common: they’re in technologies that have widespread use, and they’ve been around for ages. Both of these factors make the bugs extremely severe. My web host is among many that has, thankfully, patched their copy of Bash already. It would be so sweet if Apple were to roll a fix for their UIWebView bug into an iOS update, too. What a nightmare.