Security News

Patch Now: Apple's iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw
2023-02-14 04:44

Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild. It's not immediately clear as to how the vulnerability is being exploited in real-world attacks, but it's the second actively abused type confusion flaw in WebKit to be patched by Apple after CVE-2022-42856 in as many months, which was closed in December 2022.

Apple fixes new WebKit zero-day exploited to hack iPhones, Macs
2023-02-13 19:18

Apple has released emergency security updates to address a new zero-day vulnerability used in attacks to hack iPhones, iPads, and Macs. The zero-day patched today is tracked as CVE-2023-23529 and is a WebKit confusion issue that could be exploited to trigger OS crashes and gain code execution on compromised devices.

Crypto scam apps infiltrate Apple App Store and Google Play
2023-02-01 12:30

Operators of high-yielding investment scams known as "pig butchering" have found a way to bypass the defenses in Google Play and Apple's App Store, the official repositories for Android and iOS apps. After gaining the victims' trust, the scammers say that they have an uncle working for a financial analysis firm and launch an invitation to trade cryptocurrency via an app on Play Store or App Store.

Apple emits emergency patch for older iPhones after snoops pounce on WebKit hole
2023-01-24 20:45

On Monday, Apple released iOS 12.5.7 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and sixth-generation iPod touch. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple warned in the security update.

Apple patches are out – old iPhones get an old zero-day fix at last!
2023-01-24 19:24

Last year, on the last day of August 2022, we wrote with mild astonishment, and perhaps even a tiny touch of excitement, about an unexpected but rather important update for iPhones stuck back on iOS 12. As we remarked at the time, we'd already decided that iOS 12 had slipped off Apple's radar, and would never be updated again, given that the previous update had been a year before that, back in September 2021.

Apple delivers belated zero-day patch for iOS v12 (CVE-2022-42856)
2023-01-24 11:05

Apple has released security updates for macOS, iOS, iPadOS and watchOS, patching - among other things - a type confusion flaw in the WebKit component that could be exploited for remote code execution on older iPhones and iPads running iOS v12. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1," the company said.

Apple Issues Updates for Older Devices to Fix Actively Exploited Vulnerability
2023-01-24 09:21

Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation. While it was originally addressed by the company on November 30, 2022, as part of the iOS 16.1.2 update, the patch was expanded to a broader set of Apple devices with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2.

Wiretap lawsuit accuses Apple of tracking iPhone users who opted out
2023-01-10 15:30

Apple "unlawfully records and uses consumers' personal information and activity," claims a new lawsuit accusing the company of tracking iPhone users' device data even when they've asked for tracking to be switched off. The would-be class action lawsuit, filed in Pennsylvania, accuses Apple of violating Pennsylvania's Wiretapping and Electronic Surveillance Act, as well as breaching its trade practices and consumer protection law by "representing that its mobile devices enable users to choose settings that would stop defendant from collecting or tracking their private data - a feature they do not have."

France fines Apple for targeted App Store ads without consent
2023-01-05 18:52

France's data protection authority has fined Apple €8,000,000 for collecting user data for targeted advertising on the App Store without requesting or securing the user's consent. "The CNIL services found that under the old version 14.6 of the operating system of the iPhone when a user visited the App Store, identifiers used for several purposes, including personalization of ads on the App Store, were by default automatically read on the terminal without obtaining consent." - CNIL. CNIL suggests that Apple could keep the option "buried" in the settings menu as long as it prompted the user to consent to App Store tracking upon the device's first setup, which wasn't the case in iOS 14.6.

Apple accused of censoring apps in Hong Kong and Russia to maintain market access
2022-12-22 07:01

The reports, "Apps at Risk: Apple's Censorship and Compromises in Hong Kong" and "United Apple: Apple's Censorship and Compromises in Russia," were released by the Apple Censorship Project, which is run by free speech advocacy group GreatFire. "Apple's temporary withdrawal from Russia following the start of the war in Ukraine, and Apple's decision to move part of its production out of China, have not provided tangible evidence of any improvement of the situation in the App Store so far. For all we know, Apple is still willing to collaborate with repressive regimes."