Kaspersky Labs announced today that its security researchers have discovered a new vulnerability that affects Apple OS X and iOS. The vulnerability is to be found in the kernel of Darwin, an open source component of the two operating systems, and has been named Darwin Nuke by Kaspersky. It not only targets the user's device but can also be used across corporate networks, enabling attackers to trigger remote Denial of Service (DoS) attacks.
The vulnerability affects all 64-bit processors and any device running iOS 8. This includes all generations of the iPhone from the iPhone 5s onwards and all iPad/iPad minis from the iPad 2/iPad mini 2 onward. Apple has already released a patch for both operating systems to deal with this vulnerability, and Kaspersky is telling users that they should immediately update their software to OS X 10.10.3 and iOS 8.3.
Darwin Nuke not easy to exploit
The list of conditions that any attack utilising the Darwin Nuke vulnerability would need to meet in order to be effective is not trivial:
- The size of the IP header should be 60 bytes.
- The size of the IP payload should be less than or equal to 65 bytes.
- The IP options should be invalid (incorrect option size, class, etc.).
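The three conditions above can be turned into a detection check. The following is an added example written for this article, not code from Kaspersky or Apple: it parses an IPv4 header, walks the option area according to the standard type/length encoding, and flags a packet only when all three conditions hold (60-byte header, payload of at most 65 bytes, and malformed options). The `build_sample` helper, the classification of reserved option classes as malformed, and the sample packets are assumptions made for the example; the samples are constructed byte strings and are never transmitted.

```python
import struct

IPV4_MAX_HEADER = 60  # IHL field maxes out at 15 words = 60 bytes


def parse_ipv4_header(pkt: bytes):
    """Return header fields needed for the check, or None if not a parseable IPv4 header."""
    if len(pkt) < 20:
        return None
    version = pkt[0] >> 4
    ihl = (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    total_length = struct.unpack("!H", pkt[2:4])[0]
    return {
        "ihl": ihl,
        "payload_len": max(0, total_length - ihl),
        "options": pkt[20:ihl],
    }


def options_malformed(options: bytes) -> bool:
    """Walk the option area; True if any option has a bad length or a reserved class.

    Single-byte options: 0 = End of Option List (rest is padding), 1 = No Operation.
    Every other option carries a length byte that must be >= 2 and fit in the area.
    The option class lives in bits 5-6 of the type byte; classes 1 and 3 are reserved
    (treating them as malformed is an assumption of this example).
    """
    i = 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == 0:
            return False
        if opt_type == 1:
            i += 1
            continue
        if ((opt_type >> 5) & 0x3) in (1, 3):
            return True
        if i + 1 >= len(options):
            return True  # type byte with no room for a length byte
        opt_len = options[i + 1]
        if opt_len < 2 or i + opt_len > len(options):
            return True
        i += opt_len
    return False


def is_darwin_nuke_candidate(pkt: bytes) -> bool:
    """Apply the three conditions listed in the article to one raw IPv4 packet."""
    hdr = parse_ipv4_header(pkt)
    if hdr is None:
        return False
    return (
        hdr["ihl"] == IPV4_MAX_HEADER
        and hdr["payload_len"] <= 65
        and options_malformed(hdr["options"])
    )


def build_sample(options: bytes, payload_len: int) -> bytes:
    """Constructed test input: a 60-byte IPv4 header (checksum left zero) plus a zero payload."""
    if len(options) > 40:
        raise ValueError("option area is at most 40 bytes")
    options = options.ljust(40, b"\x00")  # pad with End of Option List
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x4F,                       # version 4, IHL 15 (60 bytes)
        0,                          # TOS
        IPV4_MAX_HEADER + payload_len,
        0, 0,                       # identification, flags/fragment offset
        64, 17, 0,                  # TTL, protocol (UDP), checksum (not computed)
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    ) + options
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    benign = build_sample(b"\x01" * 40, 20)                 # 40 NOPs, valid
    bad_len = build_sample(b"\x07\x00" + b"\x01" * 38, 20)  # option with length 0
    print("benign flagged:", is_darwin_nuke_candidate(benign))
    print("bad option length flagged:", is_darwin_nuke_candidate(bad_len))
```

Run the same check over a packet capture and a hit on all three conditions is a strong signal; a hit on the header size alone is not, since 60-byte headers with valid options are legitimate, which is why the example requires the option walk to fail before it flags anything.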
This means that exploiting this vulnerability will be hard. A statement in the Kaspersky press release attributed to Anton Ivanov, Senior Malware Analyst at Kaspersky Labs says:
“At first sight, it is very hard to exploit this bug, as the conditions attackers need to meet are not trivial ones. But persistent cybercriminals can do so, breaking down devices or even affecting the activity of corporate networks. Routers and firewalls would usually drop incorrect packets with invalid option sizes, but we discovered several combinations of incorrect IP options that are able to pass through the Internet routers.”
Apple malware on the rise
Apple users tend to see themselves as less likely to be attacked than other computer users, but this belief is increasingly false. In 2012, Kaspersky reported 551 malware samples targeted at Apple users. By 2013 that had soared to over 1,700, and in the first 8 months of 2014 the number was already over 2,000.
Many attacks are not directed at OS X or iOS themselves but at common software components such as Java or Flash. Apple is also susceptible to attacks against many of the open source components that underpin its operating systems, such as Shellshock, which affected the Bash shell in Unix. Attacks against SSL such as Heartbleed, and traditional phishing attacks, are just as likely to hit Apple users as those of other operating systems.
While this latest vulnerability has already been addressed by Apple, the use of its devices is increasing inside enterprises. The difficulty of using Darwin Nuke means we may never see proof of large-scale exploitation. Despite this, IT security teams need to ensure that Apple devices are treated no differently in terms of endpoint protection than any other device in the enterprise.