I recently read in the trade press about how Check Point researchers used techniques they call Query Hijacking and Query Oriented Programming to exploit memory corruption issues in the popular SQLite engine to gain persistence with elevated privileges on iOS devices. So I was wondering: should all iOS users panic?

To dig deeper into this disclosure, I went over to our security research team to see if they might help me peel away some of the fear, uncertainty and doubt (FUD) that is typically packed into these sorts of disclosures. The answers I got were a little more nuanced and somewhat less ominous.

Check Point’s research is impressive and an important contribution for security researchers and architects, but there’s no need to panic. To exploit SQLite on iOS and achieve persistence with administrative privileges, an attacker needs to operate on an already jailbroken device. In addition, the attacker needs either physical access to the device or a remote code execution (RCE) vulnerability they can use to write files to it. So exploiting the disclosed SQLite vulnerabilities requires a lot of prerequisite exploitation just to set things up.

Taking a step back, I think this anecdote is a good example of how the need to make an impact leads security companies and researchers to pack a lot of FUD into their disclosures. Not all high-severity vulnerabilities are easily exploitable. Some, like the one described in the Check Point publication, are actually hard to exploit because they depend on a lot of prerequisite exploitation that is not easy to come by. It’s like saying ‘if you give me a completely compromised device, I can show you another neat exploit’.

To understand the potential impact of a vulnerability, you need to look not only at its severity but also at the likelihood of its being exploited.

One of the biggest investment areas for us at AppScan is developing better ways to focus our customers’ attention on the application vulnerabilities that matter: those that are both severe and highly likely to be exploited. Over the years we have found that overwhelming customers with exhaustive, unprioritized lists of vulnerabilities found in their code is not helpful. When the to-do list is too long, nothing gets done. Instead, we filter the issues found and curate a short list of the critical vulnerabilities that are highly exploitable. We then provide targeted fix recommendations to help developers pinpoint the root cause of each vulnerability, so a small number of targeted code changes can provide a huge boost to security.

To come up with our short list of high-impact vulnerabilities, we combine our deep expertise in application security with machine learning technology and some good old-fashioned rules.

You can learn more about our vulnerability scanning and filtering technology at www.hcltechsw.com/appscan.
