Security News
Apple users should immediately update all their devices - iPhones, iPads, Macs and Apple Watches - to install an emergency patch for a zero-click zero-day exploited by NSO Group to install spyware. The security updates, pushed out by Apple on Monday, include iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS. The patches will fix at least one vulnerability that the tech behemoth said "may have been actively exploited."
Apple has released security updates to fix two zero-day vulnerabilities that have been seen exploited in the wild to attack iPhones and Macs. The CVE-2021-30860 CoreGraphics vulnerability is an integer overflow bug discovered by Citizen Lab that allows threat actors to create malicious PDF documents that execute commands when opened in iOS and macOS. CVE-2021-30858 is a WebKit use-after-free vulnerability that allows hackers to create maliciously crafted web pages that execute commands when they are visited on iPhones and macOS. Apple states that this vulnerability was disclosed anonymously.
Apple is temporarily hitting the pause button on its controversial plans to screen users' devices for child sexual abuse material after receiving sustained blowback over worries that the tool could be weaponized for mass surveillance and erode the privacy of users. In August, Apple detailed several new features intended to help limit the spread of CSAM on its platform, including scanning users' iCloud Photos libraries for illicit content, Communication Safety in Messages app to warn children and their parents when receiving or sending sexually explicit photos, and expanded guidance in Siri and Search when users try to perform searches for CSAM-related topics.
Apple on Friday said it intends to delay the introduction of its plan to commandeer customers' own devices to scan their iCloud-bound photos for illegal child exploitation imagery, a concession to the broad backlash that followed from the initiative. Last month, Apple announced its child safety initiative, which involves adding a nudity detection algorithm to its Messages chat client, to provide a way to control the sharing of explicit images, and running code on customers' iDevices to detect known child sexual abuse material among on-device photos destined for iCloud storage.
Apple has announced a new free-of-charge service program for iPhone 12 and iPhone 12 Pro devices experiencing sound issues caused by a receiver module component. "Apple has determined that a very small percentage of iPhone 12 and iPhone 12 Pro devices may experience sound issues due to a component that might fail on the receiver module," the company said in a new support document.
A California man this month admitted he stole hundreds of thousands of photos and videos from strangers' Apple iCloud accounts to find and share images of nude young women. Chi, using the online name "Icloudripper4you," worked with other unidentified miscreants to obtain files from Apple customers' iCloud accounts by impersonating Apple customer support representatives in email messages.
In this post, I'll collect links on Apple's iPhone backdoor for scanning CSAM images. Apple says that hash collisions in its CSAM detection system were expected, and not a concern.
More than ninety human rights groups from around the world have signed a letter condemning Apple's plans to scan devices for child sexual abuse material - and warned Cupertino could usher in "censorship, surveillance and persecution on a global basis." The US-based Center for Democracy and Technology organised the open letter [PDF], which called on Apple to abandon its approach to mass-scanning.
Apple's NeuralHash algorithm - the one it's using for client-side scanning on the iPhone - has been reverse-engineered. Early tests show that it can tolerate image resizing and compression, but not cropping or rotations.
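As an added illustration of the property reported above, and of why hash collisions are expected in a system like this (the collision note two items earlier), the following Python is example code written for this page, not Apple's NeuralHash and not code from any of the articles summarised here. NeuralHash is a neural-network-based perceptual hash; the stand-in used here is the far simpler difference hash (dHash) run on a constructed synthetic greyscale image. It shows the same general behaviour: uniform resizing and coarse pixel quantization (a crude stand-in for lossy compression) leave the hash untouched, while cropping flips a large fraction of the bits. It also makes the collision point concrete: a perceptual hash is designed so that visually similar but byte-different images hash to the same value, which is the opposite of what a cryptographic hash promises. All function names and image values below are assumptions for this example.

```python
# Added example: difference hash (dHash), a simple perceptual hash, used as a
# stand-in for NeuralHash to show resize/compression tolerance vs. crop sensitivity.
# The input image is constructed synthetic data, not a real photo.


def make_image(width=18, height=16):
    """Constructed 18x16 greyscale image: vertical stripes two pixels wide,
    each with a distinct intensity, plus a slight top-to-bottom gradient."""
    stripes = [20, 200, 60, 180, 100, 240, 10, 140, 90]  # constructed values
    return [[stripes[x // 2] + y // 2 for x in range(width)] for y in range(height)]


def resize(img, tw, th):
    """Box-average resize to tw x th pixels (block boundaries are floored)."""
    h, w = len(img), len(img[0])
    out = []
    for j in range(th):
        y0, y1 = j * h // th, (j + 1) * h // th
        row = []
        for i in range(tw):
            x0, x1 = i * w // tw, (i + 1) * w // tw
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img):
    """64-bit dHash: shrink to 9x8 and emit a 1 wherever a pixel is darker than
    its right-hand neighbour. Only relative brightness survives, which is what
    makes the hash insensitive to uniform scaling and mild value noise."""
    small = resize(img, 9, 8)
    bits = 0
    for row in small:
        for i in range(8):
            bits = (bits << 1) | (1 if row[i] < row[i + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes (the usual match metric)."""
    return bin(a ^ b).count("1")


def upscale_nearest(img, factor):
    """Nearest-neighbour upscale: every pixel becomes a factor x factor block."""
    return [[v for v in row for _ in range(factor)] for row in img for _ in range(factor)]


def quantize(img, step=16):
    """Round every pixel to the nearest multiple of `step`; a crude stand-in for
    the value loss introduced by lossy compression."""
    return [[min(255, int(round(v / step)) * step) for v in row] for row in img]


def crop(img, x0, x1):
    """Keep only pixel columns x0..x1-1 (a horizontal crop)."""
    return [row[x0:x1] for row in img]


def compare_variants():
    """Hamming distance between the original's hash and three transformed copies."""
    base = make_image()
    h = dhash(base)
    return {
        "resized": hamming(h, dhash(upscale_nearest(base, 2))),   # 0: survives scaling
        "quantized": hamming(h, dhash(quantize(base))),           # 0: survives quantization
        "cropped": hamming(h, dhash(crop(base, 4, 18))),          # 32 of 64 bits flip
    }


if __name__ == "__main__":
    for name, distance in compare_variants().items():
        print(f"{name:>9}: {distance} differing bits out of 64")
```

The resized and quantized copies are byte-for-byte different files with an identical hash, which is exactly the kind of "collision" a perceptual hash is built to produce; the cropped copy, whose stripes no longer line up with the 9x8 grid, lands half its bits away. In a real deployment the match decision is a distance threshold, and the two observations above are the two sides of the trade-off: a loose threshold tolerates more re-encoding but also admits more unrelated images.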
Last week, Apple essentially invited security researchers to probe its forthcoming technology that's supposed to help thwart the spread of known child sexual abuse material. Crucially, Apple repeatedly stated that its claims about its CSAM-scanning software are "subject to code inspection by security researchers like all other iOS device-side security claims." And its senior veep of software engineering Craig Federighi went on the record to say "Security researchers are constantly able to introspect what's happening in Apple's [phone] software."