Another Zero day for Apple

[Markverhyden]

Purportedly another zero day exploit against OS X and iOS

According to Vilaça, the zero-day vulnerability is easy to exploit, and a simple spear-phishing or browser-based attack would be more than enough to compromise the target machine.
"It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes," Vilaça says. "This kind of exploit could typically be used in highly targeted or state-sponsored attacks."

http://thehackernews.com/2016/03/sy...Security+Blog)&_m=3n.009a.1201.hx0aof6vy5.oul

 

[FremontPC]

Lovely. Is there any good counter to spear-phishing aside from User Ed? I would imagine that even if you had edge protection, if one of your regular senders gets infected it's still going to come from an accepted IP addy. Maybe if you agreed to use only certain attachment types and the edge device rejected all other types AND scanned accepted types to ensure the file header was legit (i.e. PDFs had a normal PDF header, Word docs, etc).

 

[Markverhyden]

This is pretty serious from what I gather after reading the stuff. Unlike a lot of other stuff mentioned in the past, which require explicit installation, this looks to be different. He mentions browser exploits but not in detail. So we don't know if it some kind of Java drive by or adding a browser plugin. The biggest thing is that it used the new OS security features to prevent mitigation. And it does not involve the traditional finger prints that anti-malware apps look for.

 

[fencepost]

I have someone who had a popup (possibly from this?) on his iPhone, then proceeded to follow the instructions to let them onto his PC and paid them $400 (plus, of course, whatever else they could get before cooler heads locked the card). Just glad he did this on his home PC not at his office. About to call his wife and probably run up there to see what the status on things is.

Edit: Ah, never mind after reading the article. I suspect this was just a Javascript scare on a phone that hit a non-savvy user who was taken in.