Tag Archive for: update

Android Users Should Download This Security Update NOW!


Google has started to roll out the security patch for December, and it evidently fixes multiple vulnerabilities affecting Android devices, but the highlight has to be CVE-2023-40088. This vulnerability allows Remote Code Execution or RCE, and an attacker could leverage this to install malicious code or software on a user’s phone without consent.

Google itself has stated that this vulnerability is dangerous. The company notes that it could lead to “remote (proximal/adjacent) code execution with no additional execution privileges needed” and that “user interaction is not needed for exploitation.” In simple terms, this could have made it easy for hackers and bad actors to gain access, snoop around your device, and get access to your valuable data.

Additionally, it’s important to keep in mind that this vulnerability affected a wide range of Android versions, including Android 11, 12, 12L, 13, and 14.

This security patch includes additional fixes that address vulnerabilities identified in components from various chip makers, such as ARM, Unisoc, Mediatek, and Qualcomm.

That said, the update should roll out to devices as and when manufacturers decide to optimize and release these security packages for their smartphones. Typically, Samsung and Google Pixel devices receive these security patches quickly after their reveal.

Now, if you happen to have an Android device that is eligible for the December security update, you should definitely update to the latest version as soon as possible. The vulnerability is of a ‘critical’ nature, and if an attacker does gain access to your device, the consequences can be severe, especially given the prevalence of financial fraud and scams.

Shaurya Sharma, Sub Editor at CNN-News18, specialises in reporting on consumer, …

First published: December 06, 2023, 08:07 IST

    Nothing’s iMessage app wasn’t its only security lapse (Update: Statement)


    TL;DR

    • Nothing’s CMF Watch app encrypted emails and passwords suboptimally, allegedly allowing for decryption using the same decryption keys.
    • The issue was partially fixed, as the encryption method of the passwords was updated, but not that of emails.
    • Nothing claims it is currently working to resolve the issues.

    Update, December 4, 2023 (12:45 PM ET): Nothing has now provided a comment to Android Authority about the issues. A spokesperson for the company states:

    CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be more easily submitted via https://intl.cmf.tech/pages/vulnerability-report

    Original article, December 4, 2023 (3:29 AM ET): Nothing has had some good success with the Nothing Phone 2, considering the novelty of the phone and the nascent brand image. To win over some of the iPhone audience, Nothing partnered with Sunbird to launch an iMessage-for-Android app called Nothing Chats. The app lasted about a day in the wild before being pulled down due to glaring security oversights. But there seem to be more skeletons in Nothing’s closet, as two more vulnerabilities have emerged.

    Android developer and reverse engineer Dylan Roussel posted on X that he found two vulnerabilities centered around Nothing. The first was found in September in the CMF Watch app, which was built in partnership with a company called Jingxun. The CMF Watch app encrypted email usernames and passwords, but the encryption method allegedly left the door open for decrypting them with the same decryption keys, defeating the purpose of encryption.

    Nothing/Jingxun fixed this vulnerability, but curiously, only for the password. You could still allegedly decrypt the email that is used as the username.

    The second vulnerability has not been publicly detailed, but it relates to Nothing’s internal data. Nothing was informed of the same in August, but it hasn’t been fixed…


    Apple Security Update Fixes Zero-Day Webkit Exploits


    Apple recommends users update to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. Google’s Threat Analysis Group discovered these security bugs.

    Apple has patched two zero-day vulnerabilities affecting iOS, iPadOS and macOS; users are advised to update to iOS 17.1.2, iPadOS 17.1.2 and macOS 14.1.2. The vulnerabilities were discovered by Google’s Threat Analysis Group, which has been working on fixes for active Chrome vulnerabilities this week as well.

    What are these Apple OS vulnerabilities?

    “Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” according to Apple’s post about the security updates on Nov. 30. This implies that attackers may be actively using the vulnerabilities.

    Apple’s update said the problem originated in WebKit, the engine used for Apple’s browsers, where “processing web content may lead to arbitrary code execution.” The updates fix an out-of-bounds read through improved input validation and repair a memory corruption vulnerability using improved locking.

    The first vulnerability, the out-of-bounds read, is tracked as CVE-2023-42916. The update addressing it is available for:

    • iPhone XS and later.
    • iPad Pro 12.9-inch 2nd generation and later.
    • iPad Pro 10.5-inch.
    • iPad Pro 11-inch 1st generation and later.
    • iPad Air 3rd generation and later.
    • iPad 6th generation and later.
    • iPad mini 5th generation and later.

    The second vulnerability, the memory corruption, is tracked as CVE-2023-42917. The update addressing it is available for:

    • iPhone XS and later.
    • iPad Pro 12.9-inch 2nd generation and later.
    • iPad Pro 10.5-inch.
    • iPad Pro 11-inch 1st generation and later.
    • iPad Air 3rd generation and later.
    • iPad 6th generation and later.
    • iPad mini 5th generation and later.

    Information is sparse about the vulnerabilities, which Apple said were investigated by Clément Lecigne at Google’s Threat Analysis Group; the group’s stated mission is to “counter government-backed attacks.”

    Remediation and protection against the WebKit exploits

    Apple users should be sure they are…


    OnePlus Open’s latest update lets you set a specific exposure value in Photo mode


    The OnePlus Open is receiving a new software update. It doesn’t upgrade the foldable from Android 13 to Android 14 but brings some system and communications improvements. More importantly, it now lets users set a specific exposure value for the camera, but only in the Photo mode.

    The update also bumps up the Android security patch level on the OnePlus Open to November 2023. It has firmware CPH2551_13.2.0.201(EX01) and requires a download of about 510MB. You can check the screenshots below for the update’s changelog.

    [Screenshots: OnePlus Open OxygenOS 13.2.0.201 update’s changelog]

    It’s worth mentioning that this update is currently only seeding in India, but the rollout should expand to other regions soon.
