Security News

Apple's app transparency rules: Google's privacy labels for Chrome and Search on iOS highlighted by DuckDuckGo
2021-03-16 13:15

Google's Apple-mandated privacy labels for its Chrome and Search apps on iOS have drawn criticism from tiny search rival DuckDuckGo, which tweeted "No wonder they wanted to hide it." Mysterious delays in Google's app updates soon ensued - though the company said in January: "As Google's iOS apps are updated with new features or to fix bugs, you'll see updates to our app page listings that include the new App Privacy Details. These labels represent the maximum categories of data that could be collected - meaning if you use every available feature and service in the app."

How malware is targeting the new Apple Macs
2021-03-15 16:34

As the new kid on the block, the M1 chip-based Mac is already on the radar of malware writers, says Kaspersky. Discovered for the first time last year, the XCSSET malware mainly targets Mac developers by injecting a malicious payload into Xcode IDE projects on the victim's Mac.

Security Analysis of Apple’s “Find My…” Protocol
2021-03-15 11:16

Abstract: Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world's largest crowd-sourced location tracking network called offline finding. OF leverages online finder devices to detect the presence of missing offline devices using Bluetooth and report an approximate location back to the owner via the Internet.

New Firefox version fixes Linux crashes, Apple Silicon hangs
2021-03-11 19:40

Mozilla today started rolling out Firefox 86.0.1 to address a known bug causing the web browser to crash frequently when launched on Linux systems. While this issue came with a low crash rate on previous Firefox versions, Linux users have started seeing more and more crashes after updating to Firefox 86 last month.

Researchers Show First Side-Channel Attack Against Apple M1 Chips
2021-03-10 15:04

A team of researchers from universities in the United States, Australia and Israel has demonstrated that attackers could launch browser-based side-channel attacks that do not require JavaScript, and they've tested the method on a wide range of platforms, including devices that use Apple's recently introduced M1 chip. The researchers - representing the Ben-Gurion University of the Negev, the University of Michigan and the University of Adelaide - have published a paper on what they have described as the first browser side-channel attack that uses only CSS and HTML, and works even if JavaScript is completely disabled.

Apple’s Device Location-Tracking System Could Expose User Identities
2021-03-09 23:31

Two vulnerabilities in a crowdsourced location-tracking system that helps users find Apple devices even when they're offline could expose the identity of users, researchers claim. Offline Finding, a proprietary app introduced by Apple in 2019 for its iOS, macOS and watchOS platforms, enables the location of Apple devices even if they aren't connected to the internet.

Apple Patches Remote Code Execution Bug in WebKit
2021-03-09 17:35

Apple on Monday released patches for a vulnerability in WebKit that could allow attackers to execute code remotely on affected devices. To exploit the vulnerability, an attacker would simply need to craft a webpage containing malicious code, and then lure the victim into accessing that webpage, which would trigger the execution of code on the victim's machine.

Apple Plugs Severe WebKit Remote Code-Execution Hole
2021-03-09 15:58

Apple is rolling out fixes for a high-severity vulnerability in its WebKit browser engine that, if exploited, could allow remote attackers to completely compromise affected systems. Apple on Monday urged affected device users to update as soon as possible: "Keeping your software up-to-date is one of the most important things you can do to maintain your Apple product's security," said the company.

Flaws in Apple Location Tracking System Could Lead to User Identification
2021-03-09 09:40

Vulnerabilities identified in offline finding (OF) - Apple's proprietary crowd-sourced location tracking system - could be abused for user identification, researchers said in a report released this month. With "hundreds of millions" of devices part of Apple's OF network, this represents the largest crowd-sourced location tracking system in the world, one that is expected to grow even further, as support for non-Apple devices is added to it.

Apple emits patches for iOS, macOS, Safari, etc to stop dodgy websites hijacking people's gadgets
2021-03-09 01:07

Apple on Monday released security patches for macOS, iOS, iPadOS, watchOS, and Safari to fix up a vulnerability that can be exploited by malicious web pages to run malware on victims' computers and gadgets. Apple thanks Clément Lecigne of Google's Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research for reporting the arbitrary code execution security flaw, CVE-2021-1844, which is present in WebKit, the browser engine used by various bits of Cupertino code.