Tag Archive for: apple

Apple Security Update Fixes Zero-Day Webkit Exploits

/in


Apple recommends users update to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. Google’s Threat Analysis Group discovered these security bugs.

Apple has patched two zero-day vulnerabilities affecting iOS, iPadOS and macOS; users are advised to update to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. The vulnerabilities were discovered by Google’s Threat Analysis group, which has been working on fixes for active Chrome vulnerabilities this week as well.

Jump to:

What are these Apple OS vulnerabilities?

“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” according to Apple’s post about the security updates on Nov. 30. This implies that attackers may be actively using the vulnerabilities.

Apple’s update said the problem originated in WebKit, the engine used for Apple’s browsers, where “processing web content may lead to arbitrary code execution.” The updates fix an out-of-bounds read through improved input validation and repair a memory corruption vulnerability using improved locking.

SEE: Attackers have launched eavesdropping attacks on Apple devices over the last year. (TechRepublic) 

The first vulnerability, the out-of-bounds read, is tracked as CVE-2023-42916. The update addressing it is available for:

  • iPhone XS and later.
  • iPad Pro 12.9-inch 2nd generation and later.
  • iPad Pro 10.5-inch.
  • iPad Pro 11-inch 1st generation and later.
  • iPad Air 3rd generation and later.
  • iPad 6th generation and later.
  • iPad mini 5th generation and later.

The second vulnerability, the memory corruption, is tracked as CVE-2023-42917. The update addressing it is available for:

  • iPhone XS and later.
  • iPad Pro 12.9-inch 2nd generation and later.
  • iPad Pro 10.5-inch.
  • iPad Pro 11-inch 1st generation and later.
  • iPad Air 3rd generation and later.
  • iPad 6th generation and later.
  • iPad mini 5th generation and later.

Information is sparse about the vulnerabilities, which Apple said were investigated by Clément Lecigne at Google’s Threat Analysis Group; the group’s stated mission is to “counter government-backed attacks.”

Remediation and protection against the WebKit exploits

Apple users should be sure they are…

Source…

Apple secures WebKit as global ransomware attacks surge

/in


If nothing else, Apple’s most recent emergency security update should be considered proof of an increasingly tense security environment.

Enterprises must understand that while Apple maintains a pretty solid ecosystem — certainly at present the most secure, even according to Cisco — that doesn’t mean it’s entirely safe, and every Apple customer needs to get wise to the growing proliferation of threats.

With more and more business users turning to the company’s solutions, it’s important to get ahead of the threat.

What is the current threat environment?

The latest Orange Cyberdefense Security Navigator Report claims a global 46% surge in cyber-extortion attacks across the last year — and warns that just over a third (37.45%) of detected incidents originated from internal actors, not all of these by accident.

With employees and trusted insiders remaining the soft vulnerable point for a third of attacks, it’s essential every business and every user spend time learning about the best approach to online security.

The Orange report points out that attacks are taking place at strategic points in the supply chain. It warns that larger enterprises are the most targeted entities, and points to a surge in attacks against the manufacturing sector.

Ransomware, it seems, has become so prevalent that some of the more organized groups now host help desks targets can contact for assistance — and to arrange payment and data recovery.

Weaponizing WebKit

Keep these findings in mind as you consider Apple’s latest emergency security updates. Released at the end of November, these address two zero-day vulnerabilities (CVE-2023-42916 and CVE-2023-42917) that have been exploited by hackers to access sensitive information on Apple devices and/or to execute arbitrary code by using malicious webpages to take advantage of a memory corruption bug.

Michael Covington, vice president of portfolio strategy at Jamf, explained:

“These latest OS updates, which address bugs in Apple’s WebKit, show that attackers continue to focus on exploiting the framework that downloads and presents web-based content. The latest bugs could lead to both data leakage and arbitrary…

Source…

Apple to make a big change to iPhone messages next year

/in


(CNN) – The long-standing battle over the iOS’ blue and Android’s green text bubbles will soon take a more friendly turn.

Apple has announced plans to adopt a messaging standard that will finally bring iMessage features to Android users, eroding what some considered an element of Apple’s walled garden.

The change – first reported by tech site 9to5Mac – will add features, such as read receipt, typing indicators, better support for group chats, and higher quality media sharing of images and videos, across platforms.

Apple said in a statement it will add support for the standard, called RCS (Rich Communication Services), later next year. RCS is considered the replacement to alternatives such as SMS, or short messaging service, and can work over both Wi-Fi and mobile data.

“We believe RCS Universal Profile will offer a better interoperability experience when compared to SMS or MMS,” the company said in the statement. “This will work alongside iMessage, which will continue to be the best and most secure messaging experience for Apple users.”

A push from Europe
The change follows pressure from both regulators and competitors to more seamlessly work across operating systems. The European Union’s Digital Markets Act, for example, requires companies to make their key services interoperable between platforms. Earlier this year, it launched an investigation into whether it considers iMessage a core product.

Meanwhile, Google, which already has support for RCS within its messaging app, has been vocal about wanting Apple to adopt the standard. In early November, the company wrote a letter to the European Commission arguing iMessage was indeed a core Apple product and should be required to comply.

“Everyone deserves to communicate with each other in ways that are modern and secure, no matter what phone they have,” Google said in a statement. “That’s why we have…

Source…

Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day

/in






Hi, what are you looking for?
Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.
By
Flipboard
Reddit
Whatsapp
Whatsapp
Email
Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.
The Cupertino device maker on Wednesday rushed out a new patch to cover a pair of serious vulnerabilities and warned that one of the issues has already been exploited as zero-day in the wild.
In a barebones advisory, Apple said the exploited CVE-2023-42824 kernel vulnerability allows a local attacker to elevate privileges, suggesting it was used in an exploit chain in observed attacks.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the company said without providing additional details.
This is the 16th documented in-the-wild zero-day against Apple’s iOS, iPadOS and macOS-powered devices, according to data tracked by SecurityWeek. The majority of these attacks have been attributed to mercenary spyware vendors selling surveillance products.
The newest iOS 17.0.3 and iPadOS 17.0.3 updates also cover a buffer overflow vulnerability in WebRTC that exposes mobile devices to arbitrary code execution attacks. The issue was addressed by updating to libvpx 1.13.1, Apple said. 
Apple is encouraging oft-targeted users to enable Lockdown Mode to reduce exposure to mercenary spyware exploits.
Related: Atlassian Ships Urgent Patch for Exploited Confluence Zero-Day

Advertisement. Scroll to continue reading.

Related: Qualcomm Patches 3 Zero-Days Reported by Google
Related: Can ‘Lockdown Mode’ Solve Apple’s Mercenary Spyware Problem?
Related: Apple Patches Actively Exploited iOS, macOS Zero-Days
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs,…

Source…