This post comes from Liviu Arsene, security analyst at Bitdefender.
The common belief that Apple’s OS X and iOS are not as prone to vulnerabilities and attacks as other popular operating systems has been put to the test in 2015. As OS X and iOS adoption increases in the enterprise segment—partly due to a new generation of “millennial” managers—attackers will likely target the two platforms more. If Apple patched more than 400 CVE vulnerabilities through security updates in 2015, in 2016 this number will likely increase.
For the past couple of years attackers have been focusing on using zero-day vulnerabilities in operating systems or applications to bundle into various exploit kits to deliver malware to targeted hosts.
This year’s leak from Italian surveillance malware vendor Hacking Team shocked many in terms of the sheer number of zero-day vulnerabilities being used to disseminate malware, particularly since they covered platforms ranging from Windows to OS X and iOS to Android. With some exclusive iOS exploits found to be priced at $500,000, the leak proved that iOS is a larger target in the underground world of zero-days than previously believed.
A survey by an Apple-focused IT management vendor revealed that 35 percent of professional IT respondents have more than 25 percent of their employees using Apple products. Although the study was conducted in 2014, it’s safe to assume these percentages will increase in 2015 and 2016.
418 Fixed CVE Vulnerabilities through OS X Security Updates in 2015
In 2015, 418 CVE vulnerabilities—as of this writing—have been fixed through Apple-pushed security updates for OS X, compared to 111 in 2014. Just by checking out Apple Support, it’s increasingly obvious that OS X is—and will continue to be—targeted by hackers in search of critical (and sometimes remotely exploitable) vulnerabilities. It seems the mobile ecosystem is not the only one getting the short end of the stick.
While these are only the vulnerabilities that have been addressed, it’s safe to assume that there are still many unknown zero-days in the hands of “organizations” like the Hacking Team.
During 2015 we also witnessed the emergence of some interesting proof-of-concept bootkits for Apple Macbooks, such as Thunderstrike, Thunderstrike 2 and even the DYLD_PRINT_TO_FILE vulnerability. They proved not only that some vulnerabilities can be exploited remotely, but also that no operating system is uncheckable with enough perseverance.
$3 Million Dollars iOS Bounties - Borderline Legit Practice
Until recently, common practice dictated that all vulnerabilities discovered either by independent security researchers or security companies were to be reported to the affected vendor. Even if no bounty program was in place, the moral high ground superseded financial gain— at least some of the time.
However, with companies like Zerodium that offered a total of $3 million dollars in prizes for a handful of remotely exploitable iOS zero-day vulnerabilities, an entirely new market has been created. While it’s great that security researchers are better paid for their work, some of these companies might chose not to report these findings to the affected vendors, and instead sell them to the highest bidder.
While this new business model has its advantages for both researchers and bounty-offering companies, the entire user base is left knowingly and openly vulnerable.
This year has been a true eye-opener in terms of security for iOS and OS X, as we’ve not only seen an increase in the number of reported zero-day vulnerabilities, but also a slight shift in zero-day focus. Companies need to start implementing adequate policies if supporting iOS or OS X, and invest more in additional perimeter security technologies.