Especialistas em segurança descobriram um bug perigosa que afeta aplicativos construídos para infra-estrutura de software móvel da Apple. De acordo com a informação publicada a vulnerabilidade ZipperDown afeta cerca de 10% de todos os aplicativos iOS lançado publicamente. É possível que esse erro pode funcionar em dispositivos Android, bem.
Vulnerabilidade ZipperDown Strikes iOS Apps
A descoberta de ZipperDown foi anunciada pelo Pangu Lab que, desde então, criou um site especialista em dar mais detalhes sobre o assunto. A análise de código de seus clientes revelou um erro de programação muito comum que levou a conseqüências perigosas quando novamente revistas. To give out further details about it’s spread the team has devised a special signature that can detect the problem in iOS apps. A scan was conducted using it on a specialist application analysis platform and the results show that por aí 10% of all iOS apps might be affected .
The platform cannot give out a 100% certainty however these figures are taken as credible enough to issue a warning across the whole security community. Some of the affected programs include even those that have more than 100 million active users: Weibo, MOMO< NetEas Music, QQ Muiic and Kwai. Exact details about the way ZipperDown operates are not disclosed at this moment in order to protect end-users. The security experts will work with all vendors that may have concerns about vulnerabilities in their products and services.
Details About The ZipperDown Vulnerability
As the detected Zipperdown vulnerability is described as a common programming language error the developers have also prepared a detector tool that is compatible with Android apps. At this moment there is no information available on specific vulnerable apps. The team has confirmed that some software may be impacted however details on this are due to be released.
Vulnerable iOS and Android apps can lead to several dangerous outcomes including modificação de dados and even overwrite, assim como execução de código arbitrário. In such cases the ZipperDown vulnerability has been observed to be limited by the sandbox environments used in both operating systems — Android and iOS.
Some issues that hinder the proper security assessment is the fact that the produced signatures might showcase many false negatives. This is the reason why a thorough manual code investigation is advised. The ZipperDown vulnerability can be exploited via different methods however the most common are traffic hijacking e spoofing.
To this date there are no reported incidents as the bug has just been discovered. Given this it is very possible that actual attacks are to be caused using complex scenarios. ZipperDown exploits will probably be performed using other malicious components as well in a several-tier behavior pattern.
We expect that vendors will mitigate the ZipperDown vulnerability in due time to prevent any security incidents.