Security News

Today, Apple has released security updates that fix two actively exploited iOS zero-day vulnerabilities in the Webkit engine used by hackers to attack iPhones, iPads, iPods, macOS, and Apple Watch devices. "Apple is aware of a report that this issue may have been actively exploited," the company said in multiple security advisories published today.

Apple's latest macOS updates patch three vulnerabilities that can be exploited to bypass security mechanisms, including one that has been exploited in the wild and one that impacts only Macs powered by the M1 chip. It was reported earlier this week that one of the security holes patched in macOS Big Sur and Catalina has been exploited by a piece of malware known as Shlayer to bypass security mechanisms designed by Apple to protect users against malicious files downloaded from the internet, specifically file quarantine, Gatekeeper and notarization.

The latest update to Apple's Big Sur includes critical security patches, which is why Cory Bohon advises upgrading your macOS devices now. Apple released macOS 11.3 on April 26, 2021 to the public.

Apple patched a zero-day vulnerability in its MacOS that can bypass critical anti-malware capabilities and which a variant of the notorious Mac threat Shlayer adware dropper already has been exploiting for several months. Security researcher Cedric Owens first discovered the vulnerability, tracked as CVE-2021-30657 and patched in macOS 11.3, an update dropped by Apple on Monday.

Apple has patched a serious security bypass vulnerability in macOS that has been exploited in the wild by at least one threat group. The Big Sur update fixes nearly 60 security holes, including a logic issue tracked as CVE-2021-30657 that, Apple says, can allow a malicious application to bypass Gatekeeper checks.

Apple has patched a critical macOS zero-day that has been exploited by Shlayer malware for months and has finally introduced/enabled the App Tracking Transparency feature and policy in iOS, iPadOS and tvOS. A zero-day exploited by malware peddlers. Discovered by security researcher Cedric Owens and privately reported to Apple in March 2021, CVE-2021-30657 is a logic issue that allowed attackers to craft a macOS payload that is not checked by Gatekeeper, the macOS's security feature that verifies downloaded applications before allowing them to run, and bypasses File Quarantine and Application Notarization protections as well.

The new privacy feature, dubbed "App Tracking Transparency," rolled out Monday as part of an update to the operating system powering the iPhone and iPad. The anti-tracking shield included in iOS 14.5 arrives after a seven-month delay during which Apple and Facebook attacked each other's business models and motives for decisions that affect billions of people around the world. Apple takes a 15% to 30% cut on most payments processed through an iPhone app.

Apple on Monday shipped the long-awaited iOS and iPadOS 14.5 update with patches for at least 50 documented security vulnerabilities. The patch, which is currently being rolled out via iOS and iPadOS automatic-updating mechanism, includes cover for a WebKit vulnerability that Apple believes may have been exploited in the wild by attackers.

The REvil ransomware gang has mysteriously removed Apple's schematics from their data leak site after privately warning Quanta that they would leak drawings for the new iPad and new Apple logos. Earlier this month, the ransomware gang conducted an attack on Quanta, a Taiwan-based original design manufacturer that helps manufacture the Apple Watch, Apple Macbook Air, and the Apple Macbook Pro.

Apple has fixed a zero-day vulnerability in macOS exploited in the wild by Shlayer malware to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads. The Jamf Protect detection team discovered that starting January 2021, the Shlayer threat actors created unsigned and unnotarized Shlayer samples have begun exploiting a zero-day vulnerability, discovered and reported to Apple by security engineer Cedric Owens.