Security News

Previously undocumented account-stealing malware distributed via fake software crack sites targets the users of major service providers, including Google, Facebook, Amazon, and Apple. The malware, dubbed CopperStealer by Proofpoint researchers, is an actively developed password and cookie stealer with a downloader feature that enables its operators to deliver additional malicious payloads to infected devices.

Apple may be changing the way it delivers security patches to its devices running iOS and iPadOS mobile operating systems. According to code spotted in iOS 14.5, the iPhone maker is reportedly working on a method for delivering security fixes independently of other OS updates.

Google's Apple-mandated privacy labels for its Chrome and Search apps on iOS have drawn criticism from tiny search rival DuckDuckGo, which tweeted "No wonder they wanted to hide it." Mysterious delays in Google's app updates soon ensued - though the company said in January that: "As Google's iOS apps are updated with new features or to fix bugs, you'll see updates to our app page listings that include the new App Privacy Details. These labels represent the maximum categories of data that could be collected - meaning if you use every available feature and service in the app."

As the new kid on the block, the M1 chip-based Mac is already on the radar of malware writers, says Kaspersky. Discovered for the first time last year, the XCSSET malware mainly targets Mac developers by injecting a malicious payload into Xcode IDE projects on the victim's Mac.

Abstract: Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world's largest crowd-sourced location tracking network called offline finding. OF leverages online finder devices to detect the presence of missing offline devices using Bluetooth and report an approximate location back to the owner via the Internet.

Mozilla today started rolling out Firefox 86.0.1 to address a known bug causing the web browser to crash frequently when launched on Linux systems. While this issue came with a low crash rate on previous Firefox versions, Linux users have started seeing more and more crashes after updating to Firefox 86 last month.

A team of researchers from universities in the United States, Australia and Israel has demonstrated that attackers could launch browser-based side-channel attacks that do not require JavaScript, and they've tested the method on a wide range of platforms, including devices that use Apple's recently introduced M1 chip. The researchers - representing the Ben-Gurion University of the Negev, the University of Michigan and the University of Adelaide - have published a paper on what they have described as the first browser side-channel attack that uses only CSS and HTML, and works even if JavaScript is completely disabled.

Two vulnerabilities in a crowdsourced location-tracking system that helps users find Apple devices even when they're offline could expose the identity of users, research claim. Offline Finding, a proprietary app introduced by Apple in 2019 for its iOS, macOS and watchOS platforms, enables the location of Apple devices even if they aren't connected to the internet.

Apple on Monday released patches for a vulnerability in WebKit that could allow attackers to execute code remotely on affected devices. To exploit the vulnerability, an attacker would simply need to craft a webpage containing malicious code, and then lure the victim into accessing that webpage, which would trigger the execution of code onto the victim's machine.

Apple is rolling out fixes for a high-severity vulnerability in its WebKit browser engine that, if exploited, could allow remote attackers to completely compromise affected systems. Apple on Monday urged affected device users to update as soon as possible: "Keeping your software up-to-date is one of the most important things you can do to maintain your Apple product's security," said the company on Monday.