Tag Archive for: apple

Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft


A dangerous vulnerability in Apple Shortcuts has surfaced, which could give attackers access to sensitive data across the device without the user being asked to grant permissions.

Apple’s Shortcuts application, designed for macOS and iOS, is aimed at automating tasks. For businesses, it allows users to create macros for executing specific tasks on their devices, and then combine them into workflows for everything from Web automation to smart-factory functions. These can then be shared online through iCloud and other platforms with co-workers and partners.

According to an analysis from Bitdefender out today, the vulnerability (CVE-2024-23204) makes it possible to craft a malicious Shortcuts file that would be able to bypass Apple’s Transparency, Consent, and Control (TCC) security framework, which is supposed to ensure that apps explicitly request permission from the user before accessing certain data or functionalities.

That means that when someone adds a malicious shortcut to their library, it can silently pilfer sensitive data and systems information, without having to get the user to give access permission. In their proof-of-concept (PoC) exploit, Bitdefender researchers were then able to exfiltrate the data in an encrypted image file.

“With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms,” the report noted.

The bug is a threat to macOS and iOS devices running versions preceding macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3, and it is rated 7.5 out of a possible 10 (high) on the Common Vulnerability Scoring System (CVSS) because it can be remotely exploited with no required privileges.

Apple has patched the bug, and “we are urging users to make sure they are running the latest version of the Apple Shortcuts software,” says Bogdan Botezatu, director of threat research and reporting at Bitdefender.

Apple Security Vulnerabilities: Ever More Common

In October, Accenture published a report revealing a tenfold rise in Dark Web threat actors targeting macOS since 2019 — with the trend poised to continue.

The findings coincide with the emergence…


Apple buffs up iMessage security with quantum computer-proof encryption


[Image: iMessage on an Android phone. Credit: Dhruv Bhutani / Android Authority]

TL;DR

  • Apple is creating a new form of encryption for iMessage.
  • This new layer of encryption aims to prevent harvest now, decrypt later attacks.

Today’s encryption is good enough to defend against most encryption cracking attempts. But will today’s encryption hold up when pitted against more powerful computers in the future? Apple is not waiting to find out and is updating the security protocol for its messaging app to handle attacks from quantum computers.

According to Bloomberg, Apple is introducing a new cryptographic protocol for iMessage called PQ3. This new encryption layer will work alongside the company’s existing encryption tools.

PQ3 was designed to prevent what’s known as harvest now, decrypt later attacks. This is an attack where the perpetrator — like a nation-state hacker — extracts as much encrypted data as they can get. They then sit on that data, waiting for a future when quantum computers are powerful and reliable enough to crack the encryption.

The day when quantum computers become capable enough to tear through most encryption is referred to by experts as “Q-day.” There’s no agreement on when Q-day will arrive, with some believing it could happen in the coming decades. That Apple is taking this precaution now suggests that the company believes this day will come sooner rather than later.



Apple Rushes To Fix A Vision Pro Zero Day Exploit, Announces 600 Apps For Today’s Launch


The inclusion of 600 apps for Vision Pro is no surprise, as Apple has been building a massive ecosystem of apps and content for several years across its devices. On the entertainment front, apps such as Apple TV will provide unique and immersive content to users that won’t be replicated on standard devices. Having a large virtual screen in front of users is certainly appealing if executed well, along with surround sound and curated content. 

With gaming, there is a plethora of opportunity here for Apple to expand on the popularity of Apple Arcade and gain some high-end market share on that front from other popular headsets.

Productivity is a major area where Apple plans to focus its efforts, with the idea that spatial computing can replace the traditional desktop for some users. Apps such as Zoom, popular with work-from-home users, can be a starting point for those dipping their feet into the immersive world that Apple is aiming for.

Whether users will ultimately buy into the idea of Vision Pro as a replacement or supplemental device for work and play remains to be seen. While there is no killer app available yet, the Apple ecosystem is robust and the technology is sufficiently capable to provide an experience not available elsewhere yet.


While new apps are always needed to prove a product’s seaworthiness upon its maiden voyage, security is just as important. Apple has quickly released a security update addressing “maliciously crafted web content which may lead to arbitrary code execution.” This update is part of visionOS 1.0.1 for developers, and visionOS 1.0.2 for those with visionOS 1.0.

While Vision Pro won’t have the same number of users as Apple’s iPhone, there will be a sufficient user base that makes security updates like this vital. Apple products have a reputation for being less likely to have issues such as malware, so keeping that reputation on a halo product such as Vision Pro is certainly in Apple’s best interest. 


Apple fixes zero-day bug in Apple Vision Pro that ‘may have been exploited’


A day after reporters published their first hands-on review of Apple’s Vision Pro, the technology giant released its first security patch for the mixed reality headset to fix a vulnerability that “may have been exploited” by hackers in the wild.

On Wednesday, Apple released visionOS 1.0.2, the software that runs on the Vision Pro, with a fix for a vulnerability in WebKit, the browser engine that runs Safari and other web apps. Apple said the bug, if exploited, allowed malicious code to run on an affected device.

It’s the same vulnerability that Apple patched last week when it rolled out iOS 17.3, which included fixes for iPhones, iPads, Macs and Apple TV — all of which rely on WebKit. No patches for this bug, officially tracked as CVE-2024-23222, were released for Apple Watch.

It’s not immediately clear if malicious hackers used the vulnerability to specifically exploit Apple’s Vision Pro, and Apple spokesperson Scott Radcliffe would not say when asked by TechCrunch.

It also isn’t yet known who was exploiting the vulnerability, or for what reason.

It is not uncommon for malicious actors, such as spyware makers, to target weaknesses in WebKit as a way to break into the device’s underlying operating system and the user’s personal data. WebKit bugs can sometimes be exploited when a victim visits a malicious domain in their browser, or the in-app browser.

Apple rolled out several patches for WebKit bugs last year.

Vision Pro is expected to be available starting Friday.
