Apple on Monday released a new version of the iPhone and iPad’s operating systems to fix a zero day vulnerability that hackers were exploiting.
On the security update page, Apple wrote that it “is aware of a report that this issue may have been actively exploited.” This is the language Apple uses when someone alerts the company that they have observed hackers exploiting a bug against targets in the real world, as opposed to a vulnerability found by a researcher in a controlled environment, so to speak.
The issue relates to a type confusion bug in Apple’s WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution.
As usual, the chances that an average iPhone user will be targeted with a zero-day like this one are slim, but you should still update your phone.
Here is our primer on zero-day.
What does Zero Day mean?
A zero day is a security flaw for which the developer/vendor of the flawed system has yet to make a patch available to affected users. The name ultimately derives from the world of digital content piracy: if pirates were able to distribute a bootleg copy of a movie or album on the same day it went on sale legitimately (or maybe even before), it was dubbed a “zero day.”
Borrowed into the world of cybersecurity, the name evokes a scenario where an attacker has gotten the jump on a software vendor, implementing attacks that exploit the flaw before the IT department is able to respond. Once a zero day attack technique is circulating out there in the criminal web, often sold by its discoverers for big money, the clock is ticking for vendors to create and distribute a patch that plugs the hole.
What is the difference between a zero day vulnerability, exploit and attack?
There are three words — vulnerability, exploit, and attack — that you often see associated with zero days, and understanding the distinction will explain the zero day lifecycle.
A zero day vulnerability is a software or hardware flaw that has been discovered and for which no patch exists. The discovery part is key, as there are no doubt any number of flaws out there that literally nobody knows about. But the question of who knows about these flaws is crucial to how security incidents play out. White hat security researchers who discover a flaw may contact the vendor in confidence so that a patch can be developed before the flaw’s existence is widely known. Some malicious hackers or state-sponsored hacking groups, meanwhile, may want to keep knowledge of the vulnerability secret so that the vendor remains in the dark and the hole remains open.
Once armed with an exploit, a malicious hacker can now carry out a zero day attack. In other words, a vulnerability only represents a potential avenue of attack, and an exploit is a tool for performing that attack; it’s the attack itself that’s truly dangerous. This can be a point of contention within the security research community, where vulnerabilities are often uncovered, and occasionally publicized, with the intent of raising awareness and getting them patched more quickly. However, vendors whose vulnerabilities are exposed sometimes treat that exposure as tantamount to an attack itself.
Why are zero day exploits dangerous?
Because zero day exploits represent a means to take advantage of a vulnerability that has yet to be patched, they are a sort of “ultimate weapon” for a cyberattack. While almost innumerable systems around the world are breached every year, the sad truth is that most of those breaches make use of holes that are known to security pros and for which fixes exist; the attacks succeed in part due to poor security hygiene on the part of the victims, and organizations that are on top of their security situation—which, at least in theory, should include truly high value targets like financial institutions and government agencies—will have applied the needed patches to prevent those sorts of breaches.
But a zero day vulnerability, by definition, cannot be patched. If the vulnerability hasn’t been widely publicized, potential victims may not be paying attention to the vulnerable system or software and so could miss signals of suspicious activity. The advantage this gives to attackers means that they may try to keep knowledge of the vulnerability relatively secret and use zero day exploits only against high value targets, since the secret won’t last forever.
When affected organizations do learn about a zero day vulnerability, they may find themselves in a quandary, especially if the vulnerability is in an operating system or other widely used piece of software: they must either accept the risk of attack or shut down crucial aspects of their operations.
Helix22 offers a Perfect Defense against zero day attacks
The Helix22 data security SDK is a primary defense. The reason is that even if a vulnerability is undetected, any cyber exploit or attack will not be able to benefit from accessing systems or data. Whether a virus, malware, data theft, ransomware or any other type of cyber attack, your data remains protected and cannot be exfiltrated. Even if spyware is embedded in your system, no access to systems or data is possible.
You see, the Helix22 cryptography is embedded with the data itself through our inventive and patented process of DNA Binding™. Therefore, even if a perfectly executed zero-day attack occurs, the data cannot be exfiltrated. This means that all data is 100% protected regardless of any type of attack. This holds true for customer and user data as well. No theft of user information is possible. Furthermore, no operational interruption is possible.
“In Math We Trust”
We can make this claim as the tech engineers at BLAKFX invented and patented a genuine device2device (D2D) encryption. We manage data security transmission through the truly brilliant and also patented universal Helix22 key service. The Helix22 encryption originates on your network or device, not just when the app is opened. This means that when data arrives at our key server, it is already encrypted, so all the server needs to do is issue another key. Signal and Telegram cannot claim this level of security. This key will then only work with the intended device, which generates a matching key required to open the data. In this protocol, we are truly a “zero-knowledge” server so your communications and transmissions remain completely top secret. Even in the event that BLAKFX were subpoenaed, we can honor the request by just handing over the encrypted content…as that is literally all we have. Helix22 also uses each key only once and then destroys it. This way the data security is future forward perfect. Therefore, in our unique device-to-device (D2D) world, there is no opportunity at all for any data leak.
The same protocol just described can be used with all your 3rd party vendors and suppliers. It does not matter in the least what platform they are running or what device they are using or even the type of data, it is all 100% protected. We do, however, strongly advise that all firms involved be utilizing Helix22 due to the nature of the data content. Helix22 can ensure that whatever data they are generating is protected as well.
Let’s take it a step further. Even if your organization were a victim of an internal attack or a victim of malicious open source downloads, there is no reason for concern. Any data that has been forwarded, downloaded, copied or saved cannot be exfiltrated. Period. We have the technology industry’s foremost data packets, which are protected with multi-layered, military grade encryption algorithms that have already proven the ability to withstand penetration testing from MI5 and quantum computing attacks.
One final practical genius of DNA Binding™ is that it is immediately compatible with whichever system or software you are utilizing. Therefore, any organization can forward information to another and then discuss it and there is immediate privacy.
The Helix22 data security SDK accomplishes the following:
- Protects all your firm’s data at rest, in use and in transit
- Renders ransomware threats obsolete
- Eliminates human error
- Eliminates all malicious or interior attacks
- Verifies original content i.e. minimizes the threat of impersonation attacks and deep fakes
- Reduces latency and optimizes 5G networks
- Installs with 5 lines of code
- Runs on any platform, network, device and in any programming language
- Provides perfect future/forward secrecy
- Delivers “zero-knowledge” encryption
- Compatible with all cloud, 3rd party and vendor services
- Enables Internet of Things data security by providing protection at the Edge and has ultra low latency
- Ensures privacy and security for blockchain and all cryptocurrency transactions
- Is quantum ready – so there’s no need to upgrade when the time comes
- Requires no employee training
- Exceeds all gov’t and banking security standards
- Meets all international compliance regulations
BLAKFX is Based on Success
Our founders, Robert Statica PhD and Kara Coppa, also founded Wickr, which is used by the US military and has never been hacked since its inception in 2012. The Helix22 data security SDK is several generations enhanced since then. Dr. Statica also delivered the encryption for the world’s most secure phone, Katim.
Founder – Robert Statica PhD; Founder – Kara Coppa (Co-Founders of Wickr)
Katim™ Ultra Secure Smartphone