Security News

Apple has released security updates for macOS Big Sur, Catalina and Mojave, as well as iOS and iPadOS. There is no indication that Apple has fixed any vulnerabilities that may be exploited to deliver NSO Group's Pegasus spyware via "Zero-click" iMessage attacks. MacOS Big Sur comes with fixes for a multitude of security issues.

News of a zero-click zero-day in Apple's iMessage feature being incorporated into the notorious Pegasus mobile spyware from NSO Group has drawn a variety of reactions from the security community, including concerns about the security of Apple's closed ecosystem, and varying views on NSO Group's culpability for how Pegasus is used. He added, "Apple aims their statements about security and privacy at consumers. However, the majority of the individuals targeted by the NSO group are not categorized as typical consumers and Apple needs to recognize that securing these individuals may require help from third parties."

It's already nearly two months since Apple's last security update to iOS 14, which was back on 2021-05-24 when iOS 14.6 appeared. So we weren't surprised to see that another patch is out, officially listed [2021-07-19] as covering iOS, tvOS and watchOS. Annoyingly, there's no mention of iPadOS, which has typically been listed on the same line as its related iOS update in recent Apple security reports.

Law firm Campbell Conroy & O'Neil has warned of a breach from late February which may have exposed data from the company's lengthy client list of big-name corporations including Apple and IBM. The breach, which was discovered on 27 February 2021 when a ransomware infection blocked access to selected files on the company's internal systems, has been blamed on an unnamed "Unauthorised actor." While it's not yet known precisely what data was accessed during the breach, the system affected held a treasure trove including "Certain individuals' names, dates of birth, driver's license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials," the company confirmed in a statement regarding the attack.

Apple in early 2021 quietly patched an iOS vulnerability that could lead to remote code execution when connecting to a Wi-Fi access point that had a specially crafted SSID. The issue was initially brought to light last month, when reverse engineer Carl Schou discovered that the Wi-Fi functionality on his iPhone would completely crash when connecting to a hotspot that had the SSID "%p%s%s%s%s%n. The issue, which impacts all iOS devices running iOS 14.0 to 14.6, was deemed to be a format string bug, where iOS is considering the characters that follow "%" as string-format specifiers, meaning that they are processed as commands, rather than text.

At this year's Apple Worldwide Developer Conference, Apple announced something called "iCloud Private Relay." That's basically its private version of onion routing, which is what Tor does. Privacy Relay is built into both the forthcoming iOS and MacOS versions, but it will only work if you're an iCloud Plus subscriber and you have it enabled from within your iCloud settings.

A security researcher claims he discovered a critical vulnerability in Apple's password reset feature that could have been used to take over any iCloud account, but Apple has downplayed the impact of the flaw. The issue, researcher Laxman Muthiyah says, was a bypass of the various security measures Apple has in place to prevent attempts to brute force the 'forgot password' functionality for Apple accounts.

The EU's proposed new rules to rein in tech giants risk undermining the security of the iPhone, Apple chief Tim Cook warned Wednesday. Cook, speaking at the VivaTech convention for startups in Paris, took aim at some of the rules that target online "Gatekeepers" such as Apple which controls which apps can be installed on its phones and tablets.

Apple has released a security update for older iDevices to fix three vulnerabilities, two of which are zero-days that are apparently actively exploited in attacks in the wild. The security update is iOS 12.5.4, which can still be run on older iDevices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch.

Apple issued two out-of-band security fixes for its Safari web browser, fixing zero-day vulnerabilities that "May have been actively exploited," according to a Monday security bulletin by the company. The bugs affect sixth-generation Apple iPhones, iPads and iPod touch model hardware, released between 2013 and 2018.