Security News

Apple has filed a lawsuit against Pegasus spyware-maker NSO Group and its parent company for the targeting and spying of Apple users with surveillance tech. NSO's FORCEDENTRY exploit was used by state-backed attackers to break into Apple devices to install the latest version of Pegasus spyware, as revealed by the Citizen Lab in August.

Heads-up: The mail privacy protection introduced in iOS 15 doesn't apply to the Mail app on the Apple Watch. The idea is quite neat and simple: to shield you from annoying marketing tricks such as tracking pixels, you can ask Apple to fetch your remote email content first, and then relay it to to you indirectly, thus using Apple as a proxy for images and links in your messages.

The balance between hands-free payments and the security standards required to protect those transactions has tipped too far in the wrong direction, according to a security expert. At a session at Black Hat Europe 2021 this week, Timur Yunusov, a senior security expert at Positive Technologies, explained flaws in contactless payment apps that could lead to fraud using lost or stolen mobile phones.

Since at least late August, attackers have been using flaws in macOS and iOS - including in-the-wild use of what was then a zero-day flaw - to install a backdoor on the Apple devices of users who visited Hong Kong-based media and pro-democracy sites. In other words, the threat actors threaded malware into the legitimate websites of "a media outlet and a prominent pro-democracy labor and political group" in Hong Kong, according to TAG. The victims' devices were inflicted with what was then a zero day, plus another exploit that used a previously patched vulnerability for macOS that was used to install a backdoor on their computers, according to TAG's report.

A team of researchers at the Imperial College in London have presented a simple method to evade detection by image content scanning mechanisms, such as Apple's CSAM. CSAM was a controversial proposal submitted by Apple earlier this year. The research presented at the recent USENIX Security Symposium by British researchers shows that neither Apple's CSAM nor any system of this type would effectively detect illegal material.

The problem-dubbed "Shrootless"-is associated with a security technology called System Integrity Protection found in macOS. Jonathan Bar Or from the Microsoft 365 Defender Research Team explained in a blog post that SIP restricts a user at the root level of the OS from performing operations that may compromise system integrity. "A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP's restrictions, the attacker could then install a malicious kernel driver, overwrite system files, or install persistent, undetectable malware, among others."

Impact: A malicious application may be able to modify protected parts of the file system Description: An inherited permissions issue was addressed with additional restrictions CVE-2021-30892: Jonathan Bar Or of Microsoft. As we now know, following an article published by Microsoft researchers after Apple's patches came out, there was a bit more to it that just "Modifying protected parts" of the file system.

An Apple software installation daemon called system installd allowed its child processes to bypass SIP's normal restrictions on filesystem access. Unleashed on world+dog with 2015's El Capitan release, MacOS SIP is intended to ensure that system-level files on a Mac can only be modified by Apple-signed installers or the fruity firm's own update mechanism - locking out even root users.

Apple has delivered a barrage of security updates for most of its devices this week, and among the vulnerabilities fixed are CVE-2021-30892, a System Integrity Protection bypass in macOS, and CVE-2021-30883, an iOS flaw that's actively exploited by attackers. A security researcher who analyzed the patch created a POC that worked on iOS 15.0 and iOS 14.7.1, and said it would probably work on earlier versions of the OS. Two weeks later, the fix has finally been included in iOS and iPadOS 14.8.1, tvOS 15.1, and watchOS 8.1.

Big Sur gets a version-bump to 11.6.1, while Catalina gets an old-version-style patched labelled Security Update 2021-007, but not a version number change. Importantly, these updates retrofit the iOS 15.0.2 patch to the Watch and TV product lines.