Security News
A security researcher disclosed details of an Apple Safari web browser security hole that could leak files to other browsers and applications, opening the door to exploitation by attackers. The disclosure came only after Apple said it would delay patching the vulnerability for nearly a year.
For two years, IBM has been deploying confidential computing capabilities in the IBM Cloud and Rohit Badlaney, vice president of IBM Z Hybrid Cloud, said it is the only public cloud with "Production-ready confidential computing capabilities able to protect data, applications and processes." IBM's platform is now used in heavily regulated industries like healthcare and banking, with high profile customers like Bank of America and Daimler taking advantage of confidential cloud computing capabilities.
Apple earlier this year fixed a security vulnerability in iOS and macOS that could have potentially allowed an attacker to gain unauthorized access to a user's iCloud account. Uncovered in February by Thijs Alkemade, a security specialist at IT security firm Computest, the flaw resided in Apple's implementation of TouchID biometric feature that authenticated users to log in to websites on Safari, specifically those that use Apple ID logins.
Google and Amazon overtook Apple in the second quarter of 2020 as the brands most spoofed by attackers to lure people into falling for phishing attacks. While the number of so-called brand-phishing attacks remained stable from the first quarter of 2020 to the second, there was a major shift in position among the companies that threat actors think people are most likely to trust, or whose pages they are most likely to click on, according to Check Point Research's Brand Phishing Report for Q2. Brand phishing is a type of attack in which a threat actor imitates the official website of a known brand by using a similar domain or URL, and in some cases a copycat web page similar or identical to the company's original website in look and feel.
Threatpost editors talk about the biggest security news stories for the week ended Jul. 24.
Apple this week kicked off another initiative meant to improve the security of iPhones by offering hackable phones to security researchers. Specifically designed for security researchers, these devices feature unique code execution and containment policies and are offered as part of the company's Security Research Device program, which was initially announced in December last year.
Apple's long anticipated Security Research Device program has launched, giving select security researchers access to testable iPhones that will make it easier for them to find iOS vulnerabilities. To be eligible for the program, researchers must be a membership Account Holder in the Apple Developer Program and have a "Proven track record of success" in finding security issues on Apple platforms.
Apple was alone among corporate giants in foreseeing the pandemic risk in the run-up to the global COVID-19 outbreak, according to analysis by research firm Forrester. As part of a report that predicts the continuing rise of blockchain, robotic process automation and Kubernetes among the technology responses to the pandemic, Forrester also looked at how organisations are set to change their approach to operational and technological risk.
For the protection of our customers, Apple doesn't disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are generally available. Of course, we know now that Apple did know about the Vim issue mentioned above, and has patched it at last, so any users who were wondering about it can now scratch that one off their list of concerns.
Apple this week released patches to address numerous vulnerabilities across its products, including five arbitrary code execution issues affecting the audio components used by its operating systems. The five bugs were found to affect macOS Catalina, with four of them also impacting iOS and iPadOS, tvOS, and watchOS. The first two of the flaws are CVE-2020-9884 and CVE-2020-9889, two out-of-bounds write issues, while the remaining three, namely CVE-2020-9888, CVE-2020-9890 and CVE-2020-9891, are out-of-bounds read flaws.