Security News

Apple has deprecated the insecure Transport Layer Security 1.0 and 1.1 protocols in recently launched iOS and macOS versions and plans to remove support in future releases altogether. The original TLS 1.0 specification and its TLS 1.1 successor have been used for almost 20 years.

Cybersecurity researchers on Tuesday disclosed details of an unpatched vulnerability in macOS Finder that could be abused by remote adversaries to trick users into running arbitrary commands on the machines. "A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands, these files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user," SSD Secure Disclosure said in a write-up published today.

Intriguingly, Apple also fixed another in-the-wild bug at the same time, dubbed CVE-2021-30858. Even browsers such as Edge and Firefox, which usually use the Chromium and Gecko web rendering software respectively, have to use via WebKit instead, so WebKit security bugs can have widespread consequences on iPhones and iPads.

Openc8... is applicable to a range of iPhone models all the way up to the iPhone X - though the research paper focuses on its use in the iTimed toolkit to audit and attack the Apple A10 Fusion chip inside an iPhone 7. The trio's - Seetal Potluri was the third researcher - checkm8 reimplementation, which brings with it a range of claimed improvements, is dubbed openc8, and is applicable to a range of iPhone models all the way up to the iPhone X - though the research paper focuses on its use in the iTimed toolkit to audit and attack the Apple A10 Fusion chip inside an iPhone 7.

Designed to combat zero-day flaws exploited in Apple's operating systems, the patch applies to the iPhone, iPad, Apple Watch and Mac. Apple has pushed out an update for most of its major products to protect them from a strain of spyware that has already targeted a number of people.

Apple has released security updates for macOS, iOS, iPadOS, watchOS and Safari that patch two vulnerabilities that are being exploited in attacks in the wild. Active exploitation of CVE-2021-30860, a integer overflow bug that could be exploited via a maliciously crafted PDF to achieve execution of malicious code on vulnerable devices, was flagged by researchers with The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada.

Apple on Monday issued security patches for its mobile and desktop operating systems, and for its WebKit browser engine, to address two security flaws, at least one of which was, it is said, used by autocratic governments to spy on human rights advocates. On August 24, 2021, researchers with the organization reported that the iPhones of nine Bahraini activists had been hacked between June 2020 and February 2021 using NSO Group's Pegasus spyware and two zero-click iMessage exploits.

Apple has released iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, and Safari 14.1.2 to fix two actively exploited vulnerabilities, one of which defeated extra security protections built into the operating system. The updates arrive weeks after researchers from the University of Toronto's Citizen Lab revealed details of a zero-day exploit called "FORCEDENTRY" that was weaponized by Israeli surveillance vendor NSO Group and allegedly put to use by the government of Bahrain to install Pegasus spyware on the phones of nine activists in the country since February this year.

Apple users should immediately update all their devices - iPhones, iPads, Macs and Apple Watches - to install an emergency patch for a zero-click zero-day exploited by NSO Group to install spyware. The security updates, pushed out by Apple on Monday, include iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS. The patches will fix at least one vulnerability that the tech behemoth said "May have been actively exploited."

Apple has released security updates to fix two zero-day vulnerabilities that have been seen exploited in the wild to attack iPhones and Macs. The CVE-2021-30860 CoreGraphics vulnerability is an integer overflow bug discovered by Citizen Lab that allows threat actors to create malicious PDF documents that execute commands when opened in iOS and macOS. CVE-2021-30858 is a WebKit use after free vulnerability allowing hackers to create maliciously crafted web page that execute commands when visiting them on iPhones and macOS. Apple states that this vulnerability was disclosed anonymously.