A WebKit zero-day flaw besieges both iOS and Mac devices with malvertising redirects, rendering ad-sandbox protections totally useless…
Nefarious hackers have barraged the internet with over 1 billion malicious ads in less than two months. The attackers targeted iOS and Mac devices with zero-day vulnerabilities in Chrome and Safari browsers. Fortunately, the exploits were patched.
WebKit Zero-Day Exploit Bombards Mac and iOS with Malvertising Redirects
Over the course of the past six weeks, the ads carried harmful code containing redirects that sent unsuspecting users to malicious sites. The most recent campaign focused on phishing pages, which served up spoofed custom messages based on the target’s mobile carrier. It mostly targeted people in Europe.
According to a post published by security firm Confiant:
“The nature of the bug is that a cross-origin nested iframe is able to ‘autofocus’ which bypasses the ‘allow-top-navigation-by-user-activation’ sandbox directive on the parent frame. With the inner frame automatically focused, the keydown event becomes a user-activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”
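The directive named in Confiant's description is one of the sandbox tokens that decide whether a framed ad may navigate the top-level page. As an added example (not from Confiant or the original article), this JavaScript classifies an ad slot's `sandbox` attribute and lists the slots whose forced-redirect protection is absent or rests only on the user-activation gate; the slot ids and attribute values are constructed sample data.

```javascript
// Added example (not Confiant's code). Token names come from the HTML standard;
// the slot ids and attribute values below are constructed sample data.
const TOP_NAV = 'allow-top-navigation';
const TOP_NAV_GATED = 'allow-top-navigation-by-user-activation';

// Parse a sandbox attribute value into a token set.
// null/undefined = attribute absent (frame is not sandboxed at all);
// '' = attribute present with no tokens (every restriction applies).
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  // Tokens are separated by ASCII whitespace and compared case-insensitively.
  return new Set(value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Classify what the frame may do to the top-level browsing context.
function topNavigationPolicy(value) {
  const tokens = parseSandbox(value);
  if (tokens === null) return 'unsandboxed';
  // If both tokens are present, the unconditional one takes effect.
  if (tokens.has(TOP_NAV)) return 'unrestricted';
  if (tokens.has(TOP_NAV_GATED)) return 'user-activation';
  return 'blocked';
}

// Report slots whose redirect protection is absent or depends only on the
// browser's user-activation check, the control the quoted bug bypassed.
function auditSlots(slots) {
  return slots
    .map(({ id, sandbox }) => ({ id, policy: topNavigationPolicy(sandbox) }))
    .filter(({ policy }) => policy !== 'blocked')
    .map(({ id, policy }) => ({
      id,
      policy,
      note: policy === 'user-activation'
        ? 'redirect blocking depends on the browser enforcing user activation'
        : 'frame can navigate the top-level page without any user gesture',
    }));
}

// Constructed sample inventory of ad slots.
const sampleSlots = [
  { id: 'slot-a', sandbox: 'allow-scripts allow-top-navigation-by-user-activation' },
  { id: 'slot-b', sandbox: 'allow-scripts' },
  { id: 'slot-c', sandbox: null },
  { id: 'slot-d', sandbox: 'Allow-Scripts ALLOW-TOP-NAVIGATION allow-top-navigation-by-user-activation' },
  { id: 'slot-e', sandbox: '' },
];

console.log(auditSlots(sampleSlots));
```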