Tag Archive for: patch

Apple releases emergency security updates to patch iPhone, iPad and Mac zero-day flaws

/in


Apple has once again released emergency security updates to fix zero-day vulnerabilities that are being used to attack compromised iPhones, iPads and Macs in the wild.

In a security advisory (opens in new tab) released on Friday (April 7), the Cupertino-based company revealed that it “is aware of a report that this issue may have been actively exploited”. Unlike with other recently discovered zero-day flaws, the ones Apple has patched have already been exploited by hackers in their attacks.

Source…

Apple Ships Urgent iOS Patch for Newly Exploited Zero-Days

/in


Apple on Friday pushed out a major iOS security update to fix a pair of zero-day vulnerabilities already being exploited in the wild.

The newest iOS 16.4.1 and iPadOS 16.4.1 updates cover code execution software flaws in IOSurfaceAccelerator and WebKit, suggesting a complex exploit chain was detected in the wild hitting the latest iPhone devices.

“Apple is aware of a report that this issue may have been actively exploited,” Cupertino says in a barebones advisory that credits Google and Amnesty International with reporting the issue.

The advisory documents two separate issues — CVE-2023-28205 and CVE-2023-28206 — that expose iPhones and iPads to arbitrary code execution attacks.

Apple described the IOSurfaceAccelerator flaw as an out-of-bounds write issue that was addressed with improved input validation.

The WebKit bug, which has already been exploited via web content to execute arbitrary code with kernel privileges, has been fixed with improved memory management.

The company did not say if the newly discovered exploits are capable of bypassing the Lockdown Mode feature that Apple shipped to deter these types of attacks.

The iOS patch comes alongside news from Google that commercial spyware vendors are burning through zero-days to infect mobile devices with surveillance malware.

In one of the two campaigns described by Google this week, an attack started with a link being sent to the targeted user via SMS. When clicked, the link took the victim to malicious websites delivering Android or iOS exploits — depending on the target’s device. Once the exploits were delivered, victims were redirected to legitimate websites, likely in an effort to avoid raising suspicion. 

The iOS exploit chain also hit a WebKit vulnerability (CVE-2022-42856) that Apple patched in iPhones in December 2022. Attacks also involved a Pointer Authentication (PAC) bypass technique, and an exploit for CVE-2021-30900, a sandbox escape and privilege escalation vulnerability that Apple patched in iOS in 2021. 

So far this year, there have been at least 24 documented zero-day vulnerabilities exploited in the wild prior to discovery.

Related: Apple Adds ‘Lockdown Mode’ to Thwart .Gov Mercenary…

Source…

Spyware vendors use exploit chains to take advantage of patch delays in mobile ecosystem

/in


Several commercial spyware vendors developed and used zero-day exploits against iOS and Android users last year. However, their exploit chains also relied on known vulnerabilities to work, highlighting the importance of both users and device manufacturers to speed up the adoption of security patches.

“The zero-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices,” researchers with Google’s Threat Analysis Group (TAG) said in a report detailing the attack campaigns. “Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.”

The iOS spyware exploit chain

Apple has a much tighter grip on its mobile ecosystem being both the sole hardware manufacturer of iOS devices and the creator of the software running on them. As such, iPhones and iPads have historically had a much better patch adoption rate than Android, where Google creates the base OS and then tens of device manufacturers customize it for their own products and maintain their own separate firmware.

In November 2022, Google TAG detected an attack campaign via SMS that targeted both iOS and Android users in Italy, Malaysia, and Kazakhstan using exploit chains for both platforms. The campaign involved bit.ly shortened URLs that, when clicked, directed users to a web page delivering the exploits then redirected them to legitimate websites, such as the shipment tracking portal for Italian logistics company BRT or a popular news site from Malaysia.

The iOS exploit chain combined a remote code execution vulnerability in WebKit, Apple’s website rendering engine used in Safari and iOS, that was unknown and unpatched at the time. The flaw, now tracked as CVE-2022-42856, was patched in January after Google TAG reported it to Apple.

However, a remote code execution flaw in the web browser engine is not enough to compromise a device, because mobile operating systems like iOS and Android use sandboxing techniques to limit the privileges of the browser….

Source…

Microsoft’s Patch Tuesday update fixes 3 zero-day flaws

/in


Keeping your operating system updated is a great way to fend off cybercriminals. Many Widows updates contain patches that fix vulnerabilities that hackers can exploit. The latest Windows update is no different, as it fixes three dangerous zero-day flaws.

Read on for details on the most recent Microsoft update and how to get it.

Here’s the backstory

Microsoft just rolled out a Windows update for February’s Patch Tuesday, and it’s a big one.

The security update fixes three zero-day exploits and another 74 flaws. A zero-day exploit is a vulnerability that hackers know about and actively use. Nine of the flaws are rated as critical.

According to Nucleus Security, one significant issue is CVE-2023-23529, a WebKit Remote Code Execution flaw.

“An attacker would need to convince a user to visit a malicious application from a vulnerable device to exploit the vulnerability, which appears to have the potential to lead to local code execution,” Nucleus explains in a blog post.

In total, the critical Windows update fixes:

  • 12 Elevation of Privilege flaws.
  • Two Security Feature Bypass flaws.
  • 38 Remote Code Execution flaws.
  • Eight Information Disclosure flaws.
  • 10 Denial of Service flaws.
  • Eight Spoofing flaws.

How to update Windows 10 and Windows 11

You must frequently check your operating system to see if there are any updates available. The best way to ensure you remain protected is to set Windows to download updates automatically.

If you don’t use that setting, here’s how to manually update Windows 10:

  • Click the Start button > Settings > Update & Security > Windows Update
  • Then select Check for updates. If an update is available, select Download and install now.

Even though this update is specifically for Windows 10, you might have missed a few patches on your Windows 11 computer. 

Here’s how to update Windows 11:

  • Go to Start > Settings > Windows Update > Check for updates.
  • If an update is available, select Download and install now.

Remember that some updates require a restart, so save any work or open…

Source…