Hackers Breach iOS 15, Windows 10, Google Chrome During Massive Cyber Security Onslaught

Gandalf_The_Grey

During the weekend of 16-17 October, Chinese hackers went on something of a rampage that saw all but three of the 15 target products breached during the exploit onslaught that was the Tianfu Cup. This annual competition, held in the Sichuan province of Chengdu, has been the go-to for China's elite hackers since they were banned from participating in similar competitive hacking events outside of the country. The biggest and best known of these, Pwn2Own, is due to take place in Austin, Texas, 2-5 November, and I will be reporting on that next weekend when the results are known.

In the meantime, what of the massive Tianfu Cup cybersecurity onslaught? Well, I've already reported how the iPhone 13 Pro, running a fully patched (at the time) version of iOS 15.0.2, was breached not once but twice. The zero-day vulnerabilities, exploited by the Kunlun Lab and Team Pangu in a matter of seconds on the day, saw a remote code execution attack and the first iOS 15 jailbreak.

As well as the attacks on Apple iOS and Safari, there were a whole host of other victims. These included Microsoft, which saw five successful exploits involving the Windows 10 operating system, one impacting Microsoft Exchange, and Google, which saw Chrome fall on the security sword twice. But the list is far from over: Adobe PDF, the Asus AX56U router, Docker CE, Parallels VM, QEMU VM, Ubuntu 20, VMware ESXi and Workstation were also successfully hacked.

Full details of the vulnerabilities exploited and the exploits themselves will filter into the public domain in the coming months. Meanwhile, full disclosure of the security flaws would have been immediately made to all the affected vendors.
Which vendors have already released Tianfu Cup security fixes?
I reached out to all the vendors whose products fell to exploits during the Tianfu Cup weekend, requesting a statement regarding patching timelines for the vulnerabilities concerned. Unfortunately, the response has, if I'm honest, been very disappointing indeed.

A Microsoft spokesperson told me that "all vulnerabilities reported as part of the contest are disclosed responsibly and confidentially. Solutions to verified security issues that meet our criteria for immediate servicing are normally released via our monthly Update Tuesday cadence." So, without confirming as much specifically, there is some hope that patches for the Windows 10 and Microsoft Exchange vulnerabilities will arrive on Tuesday, 9 November.

Google didn't provide a statement but did confirm for background purposes that it will roll out any patches required once issues are investigated thoroughly. However, according to Google's security blog it would appear that the two vulnerabilities exploited during the Tianfu Cup have been fixed in Chrome 95.0.4638.69, which started rolling out on Thursday, 28 October.

The only other vendor that responded to my request for more information at the time of publication was Red Hat regarding a vulnerability in the QEMU VM. Unfortunately, the Red Hat security team had nothing that could be shared with me.

I will, of course, update this article if and when I hear anything from the remaining vendors, which are Adobe, Apple, Asus, Canonical, Docker, Parallels and VMware. In the meantime, my advice is to keep an eye out for security updates and apply them as soon as you can if you are a user of Adobe PDF, Apple iOS and Safari, Asus AX56U router, Docker CE, Microsoft Exchange and Windows 10, Parallels VM, QEMU VM, Ubuntu 20 or VMware ESXi and Workstation.
 

The_King


Vitali Ortzi


Chuck57

Pentagon hierarchy doesn't understand what cybersecurity is. I wonder if they're even familiar with computers. They understand military weapons and how to move men on a battlefield. Cyber is the new war. We're in WW3 all over the globe, and they can't see it and because they can't see it, it isn't happening.