
Apple backports fix for actively exploited iOS zero-day to older iPhones
2022-08-31 19:16

Apple has released new security updates that backport patches issued earlier this month to older iPhones and iPads, addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices. In a security advisory published today, Apple once again said that they're aware of reports that this security issue "may have been actively exploited."

URGENT! Apple slips out zero-day update for older iPhones and iPads
2022-08-31 18:42

Our much-loved iPhone 6+, now nearly eight years old but in pristine, as-new condition until a recent UDI, hasn't received any security updates from Apple for almost a year. The last update we received was back on 2021-09-23, when we updated to iOS 12.5.5.

AdGuard’s new ad blocker struggles with Google’s Manifest v3 rules
2022-08-31 17:52

The first ad blocker extension for Chrome that is compatible with Google's Manifest V3 is now available. The new ad-blocking extension that complies with Manifest V3 requirements comes from AdGuard, a developer of ad-blocking software.

Chrome patches 24 security holes, enables “Sanitizer” safety system
2022-08-31 17:48

According to Google, this new version includes 24 security fixes, though none of them are reported as "in-the-wild", which means that there weren't any zero-days patched this time. Suddenly, bug-free code elsewhere in the program behaves as if it were buggy itself, thanks to the flaw in your code that just invalidated what was in memory.

Google Chrome bug lets sites write to clipboard without asking
2022-08-31 17:13

Chrome version 104 accidentally introduced a bug that removes the requirement for users to approve clipboard writing events from websites they visit. When the user tries to make a payment and copies the wallet address to the clipboard, the website can write the threat actor's address to the clipboard.

Ragnar Locker ransomware claims attack on Portugal's flag airline
2022-08-31 17:01

The Ragnar Locker ransomware gang has claimed an attack on the flag carrier of Portugal, TAP Air Portugal, disclosed by the airline after its systems were hit on Thursday night. Even though TAP is yet to confirm if this was a ransomware attack, the Ragnar Locker ransomware gang posted a new entry on their data leak website today, claiming to be behind last week's cyberattack that hit TAP's network.

Microsoft found TikTok Android flaw that let hackers hijack accounts
2022-08-31 16:00

Microsoft found and reported a high severity flaw in the TikTok Android app in February that allowed attackers to "quickly and quietly" take over accounts with one click by tricking targets into clicking a specially crafted malicious link. "Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Microsoft 365 Defender Research Team's Dimitrios Valsamaras said.

High-School Graduation Prank Hack
2022-08-31 14:33

This is a fun story, detailing the hack a group of high school students perpetrated against an Illinois school district, hacking 500 screens across a bunch of schools. During the process, the group broke into the school's IT systems; repurposed software used to monitor students' computers; discovered a new vulnerability; wrote their own scripts; secretly tested their system at night; and managed to avoid detection in the school's network.

Student Loan Breach Exposes 2.5M Records
2022-08-31 12:57

EdFinancial and the Oklahoma Student Loan Authority are notifying over 2.5 million loanees that their personal data was exposed in a data breach. The target of the breach was Nelnet Servicing, the Lincoln, Neb.-based servicing system and web portal provider for OSLA and EdFinancial, according to a breach disclosure letter.

Decisions on health data sharing should not be taken by politicians, citizen juries find
2022-08-31 11:16

As the NHS in England is set to launch a competition for a far-reaching patient data platform, a public consultation has said decisions about health data sharing should not be taken by politicians. A report by England's National Data Guardian, an independent watchdog for health data appointed by the Secretary of State for Health and Social Care, found that in citizen juries consulted on health data, "very few jurors wanted decisions about the future of these initiatives to be taken by the minister or organization accountable for them. Most believed that an independent body of experts and lay people should assess the data sharing initiatives."