Hackers used zerodays to infect Windows, iOS, and Android users

145 points by nikbackm about 4 years ago

18 comments

choeger about 4 years ago
I said this once and I'll say it again: To counter such threats we need a healthy heterogeneous ecosystem. According to the article, the attack would have been prevented by using Firefox, (because it relied on a Chrome CVE). It also did not work on Linux and presumably not on Apple's ARM CPUs.

But unfortunately we don't get exponential security. Normally, one would expect that n variables (Browser, OS, CPU architecture) with three choices each should give you 3^n required exploits to cover all combinations.

But unfortunately, n is rather small nowadays, the number of choices shrinks every year, and -even more worrying- the attack vectors compose extremely well so you actually just need 3n exploits.

So I am a little bit at a loss here how we can make such attacks non-economical again.
swebs about 4 years ago
> The importance of keeping apps and OSes up to date and avoiding suspicious websites still stands. Unfortunately, neither of those things would have helped the victims hacked by this unknown group.

Disabling Javascript would have helped. You can even use tools like uMatrix to set exceptions per site so you're not exposing yourself to every single site on the internet by default. Though you won't see online news sites suggest this since their revenue is so tied to Javascript being enabled.
upofadown about 4 years ago
The actual exploited bugs were mostly found in the OS but this is really about browsers. A contemporary browser pretty much exposes your entire OS to remote attacks. You want to exploit font interpretation? No problem, the browser will happily download your malicious font.

There has to be a better way. This isn't working...
cyberpunk about 4 years ago
Maybe a better link: https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html
GartzenDeHaes about 4 years ago
Hackers ARE using zerodays to infect EVERYTHING. I really can't understand why people continue to just assume that their endpoints and networks are clean. Worse, they then use the lack of security events to justify not buying the tools and expertise that are necessary to identify compromises.

EDIT: not just zerodays. Many organizations have patch schedules that are too slow.
jokoon about 4 years ago
I really don't understand why people decide to work in computer security, today it's really an arms race. I see how it's like games of lockpicking, but honestly I don't understand the value of it.

It's like being in the arms trade: what matters is who you decide to trade with.

Honestly, I'd rather see myself as anti-cyber-war at this point, like anti-war protests, meaning telling people to use computers for less critical tasks, and disengaging from certain areas.
strogonoff about 4 years ago
It seems that a watering hole attack by definition targets users of a particular organization, but articles on this event make no mention of which organizations would that be, sounding like it affects general public. Wondering who should be worried.

Related: can community recommend some forums, periodic publications or other sources that aggregate information security news?
pacificmint about 4 years ago
If a PC is infected I can (and should) reinstall everything from scratch. That should remove the malware, barring some super resistant malware that hides in the BIOS or something like that.

What do you do on an iOS device? Does a full device reset reinstall the OS, or does it simply remove all user settings?

I feel like the locked down nature of iOS makes it harder to attack, but if an attack goes thru it would also make it harder to clean up the attack?
sneak about 4 years ago
How long until we realize that JIT was a mistake and that we should offer orders of magnitude slower JS in browsers that is actually safe (or start building webpages without JS at all again, which will probably never happen) lest we give every website the ability to take over our device?

I'd pay real money for a browser with a slow, safe JS interpreter.
boringg about 4 years ago
Curious why there isn't more specificity in the article? Is it to protect the sites and allow them time to fix? I'm not asking in a derogatory fashion, more trying to figure out the level of potential exposure I have myself. Tough to determine from the article.
dave_sullivan about 4 years ago
Been playing with tools like angr lately and learning more about binary analysis.

It seems to me that "automatic exploit generation" is improving quite a bit where the infrastructure for analysis is a little tricky to set up, but then you can direct that infrastructure to analyze the code for you. The bad guys and good guys are in a race to find new exploits faster (they always have been) but I've been pretty amazed by the direction I see things going with automation.

I might just go back to pen and paper at this point.
rany_ about 4 years ago
Why is "expert" in quotes? Aren't 11 zerodays impressive?
donatj about 4 years ago
The scare quotes in the title read as sarcasm but they clearly didn’t intend them as such. An odd choice as I almost overlooked the article assuming it was a tale of some failed hackers.
brundolf about 4 years ago
It hints but doesn't outright say that these attacks were highly targeted to specific people, and not the general public; is that known?
headmelted about 4 years ago
Probably a stupid question to ask, and I realise the bigger picture here is that there are sophisticated groups searching for complicated exploits all the time, but are *these* specific exploits addressed already in the latest software updates for the affected platforms?

Wasn’t clear to me from the article, although I may just have missed it being the idiot that I am.
ddtaylor about 4 years ago
What sites were targeted?
trepatudo about 4 years ago
Even if this worked on Linux, would a Chrome running in flatpak sandbox be able to escalate privileges?
sloshnmosh about 4 years ago
My guess is that the watering hole websites were probably browsed by minorities frowned upon by the Chinese state.

The Volexity blog covers some of the earlier watering hole attacks in more detail.