These days, there seem to be two types of security vulnerabilities – those with alarming names and eye-catching logos, and those that make do with mere CVE numbers.
The latest example of the naming trend is ZipperDown, uncovered by Chinese jailbreakers Pangu Lab, affecting iOS apps and possibly some Android ones too.
The company offers only minimal detail on the flaw, describing it as:
A common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected apps.
This sounds like trouble, but this time the eye-catching bit is the number of apps the company believes might suffer from it – 15,978 (9.5%) of 168,951 iOS Apps in the App Store, a collection of computer programs that have been downloaded about 100 million times.
They admit this is a guesstimate due to the impossibility of checking such a large number of apps individually.
As for other platforms:
We have confirmed that many popular Android apps have similar issues. We will release more results for Android apps in future.
The company manually verified that a number of Chinese apps are affected, including Weibo, MOMO, NetEase Music, QQ Music and Kwai, while Instagram, Pandora, Dropbox, Amazon and a Google app or two are on the long list.
Working out which apps are affected will require developers to carry out manual checks, app-by-app.
On the face of it, while ZipperDown sounds like a big issue, as flaws-with-their-own-names go this one is probably a bit second division.
As Pangu Lab alludes to in its advisory, exploiting it appears to require control of a Wi-Fi network, for example using a compromised public hotspot. That’s not hard to imagine happening but still limits the chances of compromise for most users.
The company also admits:
The sandbox on both iOS and Android can effectively limit ZipperDown’s consequence.
An unsettling aspect of the alert is that while the company has kept the guts of the flaw to itself (to give app developers time to check for the problem and fix it), further details seem to be known elsewhere, with some claiming the problem is a path traversal issue in a utility called ZipArchive.
If that’s true, exploits might not be far off. App makers need to check their software for the issue and correct it as soon as possible.
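The check an app developer would add if the path traversal rumour is right: before extracting any archive entry, resolve where it would land and refuse anything that would leave the extraction directory. This is an added example in Python, not code from Pangu Lab or from the ZipArchive library; the archive contents and the `/tmp/appdata` destination are constructed for the demonstration.

```python
import io
import os
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry and two that try to
    write outside the extraction directory (a '..' path and an absolute path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/theme.json", '{"colour": "blue"}')
        zf.writestr("../../Library/Preferences/app.plist", "overwritten")
        zf.writestr("/Library/Caches/app.bin", "overwritten")
    return buf.getvalue()


def classify_entries(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Split archive entries into those that resolve inside `dest` and those
    that would escape it. Resolution uses realpath so '..' segments, absolute
    names and already-existing symlinks under `dest` are all accounted for."""
    dest_real = os.path.realpath(dest)
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # os.path.join discards dest_real when name is absolute, which is
            # exactly what makes an absolute entry fail the check below.
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) == dest_real:
                safe.append(name)
            else:
                rejected.append(name)
    return safe, rejected


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only the entries that stay inside `dest`; return what was written.
    Entries are checked one at a time so a symlink written by an earlier entry
    is visible to realpath when a later entry is resolved."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if classify_entries_one(name, dest):
                zf.extract(name, dest)
                written.append(name)
    return written


def classify_entries_one(name: str, dest: str) -> bool:
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) == dest_real
```

Python's own `zipfile.extract` already strips `..` and leading slashes, so the explicit check above is the policy a developer would port to an extraction routine that does not.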
Whatever else it is, ZipperDown is an unusual flaw. With so many apps apparently affected, and so many app developers needing to be informed, responsible disclosure becomes a huge communications issue. As much as we might dislike the trend for PR-first vulnerability naming, perhaps giving this flaw a fancy name and its own badge was the right attention-grabbing tactic in this case.
Great job by Apple. Keep the Apps and User data safe.
Without more detail, it’s impossible to say whether the situation is as bad as the bug-finders’ self-serving PR suggests. The company claims to have a way of detecting whether an app might be vulnerable, but freely admits that its detection method is unreliable. For all we know, the allegedly-buggy apps might have their own programmatic defences to detect rogue data, even if they appear to contain library code that could, in theory, enable this bug. Also, not every app with the bug might be attackable to the same extent. Some might allow remote code execution, which would be risky to the user, while others might only allow minor configuration tweaks such as extending an activation licence, which would be the vendor’s problem but not put the user in harm’s way.
(Rumours, plus the name of the bug, suggest it is down to tricking apps into unzipping unauthorised downloads and writing them unnoticed into the wrong place, thus overwriting critical files such as configuration data or executable code. There’s also the suggestion that you need to modify or substitute the contents of downloaded data in transit, for example via a rogue Wi-Fi access point, without getting detected via message checksums or other cryptographic protections.)
I am not leaping fanbuoyishly to Apple’s defence here. Just saying that bugs don’t get more severe just because they have a dramatic name and a website – EFAIL is an excellent recent example. Let’s wait for the facts before we point fingers.
The title is misleading as it states that 170,000 apps caught; however, as you state, it's about 9.5%, which is about 17,000…
I’ll change it – thanks for the comment.