Security News

An Apple software installation daemon called system installd allowed its child processes to bypass SIP's normal restrictions on filesystem access. Unleashed on world+dog with 2015's El Capitan release, MacOS SIP is intended to ensure that system-level files on a Mac can only be modified by Apple-signed installers or the fruity firm's own update mechanism - locking out even root users.

Apple has delivered a barrage of security updates for most of its devices this week, and among the vulnerabilities fixed are CVE-2021-30892, a System Integrity Protection bypass in macOS, and CVE-2021-30883, an iOS flaw that's actively exploited by attackers. A security researcher who analyzed the patch created a POC that worked on iOS 15.0 and iOS 14.7.1, and said it would probably work on earlier versions of the OS. Two weeks later, the fix has finally been included in iOS and iPadOS 14.8.1, tvOS 15.1, and watchOS 8.1.

Big Sur gets a version-bump to 11.6.1, while Catalina gets an old-version-style patched labelled Security Update 2021-007, but not a version number change. Importantly, these updates retrofit the iOS 15.0.2 patch to the Watch and TV product lines.

Apple lovers who haven't yet updated to iOS 15, you may want to pop into Settings to freshen up your iPhone now: Apple has released several critical security updates that might light a fire under your britches. On Monday and Tuesday, Apple released iOS 14.8.1, iPadOS 14.8.1, watchOS 8.1 and tvOS 15.1, patching 24 CVEs in total.

Digitally signing an email might not be a singular means to a secure end, but it can at least help recipients of your email better trust the missives you send them. Some email clients make digitally signing easier than others.

CVE-2021-30663 - Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2021-30665 - Processing maliciously crafted web content may lead to arbitrary code execution.

Pyramid-scheme cryptocurrency scammers are exploiting Apple's Enterprise Developer Program to get bogus trading apps onto their marks' iPhones. They scammers are using a loophole that allows enterprise mobile device management programs to control corporate-owned iOS devices, according to Sophos' analysis, via Apple's Enterprise Developer program - specifically, the Apple Enterprise/Corporate Signature feature.

Apple has silently fixed a 'gamed' zero-day vulnerability with the release of iOS 15.0.2, on Monday, a security flaw that could let attackers gain access to sensitive user information. In July, Apple also silently patched an 'analyticsd' zero-day flaw with the release of 14.7 without crediting Tokarev in the security advisory, instead promising to acknowledge his report in security advisories for an upcoming update.

We were going to say "Unexpected updates", but all Apple security patches are, of course, unexpected by design. Apple deliberately announces security fixes only after they've been published, so you couldn't plan for them even if you wanted.

With the newest iOS and iPad updates, Apple has fixed another vulnerability that is being actively exploited by attackers. The vulnerability may be exploited by an application to execute arbitrary code with kernel privileges, Apple explained.