Tag Archive for: ios

New iOS patch shuts down serious exploit

/in


Apple iPhone 14 Pro Max dynamic island angle

Robert Triggs / Android Authority

TL;DR

  • Apple has released security updates for iOS, iPadOS, macOS, and watchOS.
  • The latest patch fixes two zero-day vulnerabilities commonly known as BLASTPASS.
  • The security flaws allow malicious images or attachments to install malware on your Apple device.

If you have an iPhone, iPad, MacBook, or Apple Watch, you will want to update your device as soon as possible. Even if you typically avoid updates, this patch is one you shouldn’t miss, as it fixes two serious bugs.

Apple has released a new update that addresses the zero-day vulnerabilities CVE-2023-41064 and CVE-2023-41061, according to Ars Technica. Zero-day vulnerabilities are security flaws that have been discovered before security researchers or software developers become aware of them, making them a higher risk than other threats.

The updates include iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2. Unfortunately, it appears there have been no patches rolled out for older OS versions.

CVE-2023-41064 and CVE-2023-41061, better known as BLASTPASS, allow for images and attachments to install malware on your device. For example, loading a malicious image from WhatsApp, iMessage, or Safari could trigger the installation of malware. This cyberattack technique is known as steganography, or the hiding of a file within another file. It works by inserting malicious code in the hidden data that comes with an image.

The security gaps were first reported by the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto. Citizen Lab says that BLASTPASS was “being used to deliver NSO Group’s Pegasus mercenary spyware.”

Since Apple is holding its “Wonderlust” event on September 12, this will probably be the last update before the iPhone 15 launches. Apple will likely announce iOS 17 during this keynote.

Source…

iOS 16.6 fixes over a dozen security flaws — don’t wait to update your iPhone

/in


Tom's Guide Awards 2023 winner:

Tom’s Guide Awards 2023 winner:

Apple has released iOS 16.6 and while this update only comes with a few new features ahead of iOS 17, you’re not going to want to skip it. This is because it addresses more than a dozen security flaws, including two that have been actively exploited by hackers.

iOS 16.6 contains fixes for a total of 16 security flaws in Find My, WebKit, Apple Neural Engine and more. Although Apple doesn’t discuss security issues with the best iPhones until after users have had a chance to patch them, a support document does shine a bit more light on the types of flaws that have been fixed in iOS 16.6.

Of these flaws, two are considered quite serious as the company is aware of reports that they have been used by hackers in their attacks. The first is a WebKit flaw (tracked as CVE-2203-37540) while the other is a Kernel flaw (tracked as CVE-2023-38606).

If the first flaw sounds familiar, this is because Apple tried to address it in a Rapid Security Response update earlier this month. However, this update led to some websites not displaying properly and Apple had to re-release the emergency security update intended to fix the flaw a few days later.

In addition to fixing 16 different flaws, Apple is also rolling out iMessage Contact Key Verification with iOS 16.6. This new security feature can also help keep you safe online and in the real world as it lets you verify that the person you’re texting with in iMessage really is who they say they are.

Since these two zero-days have already been used by hackers in their attacks, you’re going to want to install iOS 16.6 as soon as possible.

How to keep your iPhone safe from hackers

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

Keeping your iPhone up to date by installing the latest security patches and updates from Apple is one of the easiest ways to stay safe from hackers. This is because hackers and other cybercriminals like to target individuals running outdated software since the exploits they’ve developed for zero-day flaws can still be used successfully.

As BleepingComputer points out, 11 different zero-day vulnerabilities which affect Apple devices have been…

Source…

Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

/in


Jun 22, 2023Ravie LakshmananVulnerability / Endpoint Security

iOS, macOS, and Safari

Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild.

This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the activity is not known.

  • CVE-2023-32434 – An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges.
  • CVE-2023-32435 – A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content.

The iPhone maker said it’s aware that the two issues “may have been actively exploited against versions of iOS released before iOS 15.7,” crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin for reporting them.

The advisory comes as the Russian cybersecurity vendor dissected the spyware implant used in the zero-click attack campaign targeting iOS devices via iMessages carrying an attachment embedded with an exploit for the kernel remote code execution (RCE) vulnerability.

The exploit code is also engineered to download additional components to obtain root privileges on the target device, after which the backdoor is deployed in memory and the initial iMessage is deleted to conceal the infection trail.

The sophisticated implant, called TriangleDB, operates solely in the memory, leaving no traces of the activity following a device reboot. It also comes with diverse data collection and tracking capabilities.

Cybersecurity

This includes “interacting with the device’s file system (including file creation, modification, exfiltration, and removal), managing processes (listing and termination), extracting keychain items to gather victim credentials, and monitoring the victim’s geolocation, among others.”

In an attempt to complete the attack puzzle and gather its different moving parts, Kaspersky has released a utility called “triangle_check” that organizations can use to scan iOS device backups and hunt for any signs of…

Source…

iOS 17 Is Coming. Here’s What iPhones, iPads and Apple Watches Are Missing.

/in


New devices are fun, but among Apple’s glitzy product launches, its software-focused June event is my favorite. We get a glimpse of the new features coming to existing iPhones, iPads and other Apple devices—at no additional charge!

Copyright ©2023 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

Source…