Unpacking the FUD from security vulnerability disclosures

I recently read in the trade press about how Check Point researchers used techniques they call Query Hijacking and Query Oriented Programming to exploit memory corruptions issues in the popular SQLite engine to gain persistency with elevated privileges on iOS devices. So I was wondering, should all iOS users panic?

To dig deeper into this disclosure, I went over to our security research team to see if they might help me peel away some of the fear, uncertainty and doubt (FUD) that is typically packed into these sorts of disclosures. The answers I got were a little more nuanced and somewhat less ominous.

Check Point’s research is impressive and provides an important contribution for security researchers and architects, but there’s no need to panic. In order to exploit SQLite on iOS and achieve persistency with administrative privileges, an attacker needs to operate on an already jailbroken device. In addition, the attacker also needs physical access to the device or a remote code execution (RCE) vulnerability they can use to write files to the device. So in order to exploit the SQLite vulnerabilities disclosed, there is a lot of pre-requisite exploitation that is needed to set things up.

Taking a step back, I think this anecdote provides a good example for how the need to make an impact leads security companies and researchers to pack a lot of FUD into their disclosures. Not all high-severity vulnerabilities are easily exploitable. Some, like the one described in the Check Point publication, are actually hard to exploit because they depend on a lot of pre-requisite exploitation that is not easy to come by. It’s like saying ‘if you give me a completely compromised device, then I can show you another neat exploit’.

To understand the potential impact of a vulnerability, you need to look not only at its severity – you need to also evaluate its likelihood of being exploited.

One of the biggest investment areas for us at AppScan is to develop better ways to focus our customers’ attention on the application vulnerabilities that matter – those that are both severe and have a high likelihood of being exploited. Over the years we found out that overwhelming customers with exhaustive lists of vulnerabilities found in their code, without any sort of prioritization, is not helpful. When the to-do list is too long, nothing gets done. Instead, we’re filtering the issues found and curating a short list of those critical vulnerabilities that are highly exploitable. We then provide targeted fix recommendations to help developers pinpoint the root cause of the vulnerability, so a small number of targeted code changes can provide a huge boost to security.

To come up with our short list of high-impact vulnerabilities, we are combining our deep expertise in application security together with machine learning technology, and also some good-old-fashioned rules.

You can learn more about our vulnerability scanning and filtering technology at www.hcltechsw.com/appscan.