Security News

This week of never-ending security updates continues. Now Apple emits dozens of fixes for iOS, macOS, etc
2020-07-16 21:08

Apple has released a fresh batch of software security updates for its flagship devices. For iOS and iPadOS the 13.6 update includes fixes for 29 CVE-listed vulnerabilities, 10 involving arbitrary code execution.

Twitter Accounts of Apple, Musk, Gates, Others Hit in Major Hack
2020-07-15 22:04

The official Twitter accounts of Apple, Elon Musk, Jeff Bezos and others were hijacked on Wednesday by scammers trying to dupe people into sending the cryptocurrency bitcoin, in a massive hack. The list of accounts commandeered simultaneously grew rapidly to include Joe Biden, Barack Obama, Uber, Microsoft co-founder Bill Gates, bitcoin specialty firms and many others.

Mozilla Joins Apple, Google in Reducing TLS Certificate Lifespans
2020-07-14 03:48

Mozilla is the latest browser maker to have announced updated policies that would reduce the lifetime of TLS certificates. Currently, SSL/TLS certificates have a maximum lifespan of 825 days, but in an attempt to ensure better protection of HTTPS connections, browser makers such as Apple, Google and Mozilla are looking into reducing that period to 398 days.

macOS Privacy Protections Bypass Disclosed After Apple Fails to Release Fix
2020-07-01 15:30

Details on a macOS privacy protections bypass method were published this week, more than six months after Apple was informed of the issue but failed to deliver a fix. Dubbed TCC, the privacy protections system was introduced in macOS Mojave to ensure that certain files on the system are kept out of reach of unauthorized applications.

After six months of stonewalling by Apple, app dev goes public with macOS privacy protection bypass
2020-07-01 02:32

Six months after software developer Jeff Johnson told Apple about a privacy bypass vulnerability opening up protected files in macOS Mojave, macOS Catalina, and the upcoming macOS Big Sur, the bug remains unfixed - so he's going public. This latest bug can be exploited by a maliciously crafted app to bypass a privacy system known as Transparency, Consent, and Control that was introduced in OS X Mavericks and got strengthened in subsequent releases through technologies like System Integrity Protection in El Capitan.

A New Ransomware Targeting Apple macOS Users Through Pirated Apps
2020-07-01 02:08

Cybersecurity researchers this week discovered a new type of ransomware targeting macOS users that spreads via pirated apps. According to several independent reports from K7 Lab malware researcher Dinesh Devadoss, Patrick Wardle, and Malwarebytes, the ransomware variant - dubbed "EvilQuest" - is packaged along with legitimate apps and, upon installation, disguises itself as Apple's CrashReporter or Google Software Update.

Google joins Apple in limiting web certificates to one year
2020-06-30 16:53

Google, it seems, is joining Apple in limiting the maximum validity of web security certificates - those digitally signed blobs of data that put the S in TLS and the padlock in your address bar - to just one year. Others ask why a year is seen as "too long" given that certificate authorities such as Let's Encrypt are already issuing certificates that are only valid for three months at a time, thanks to a smoothly automated process for renewal.

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too
2020-06-30 03:57

From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats. "Connections to TLS servers violating these new requirements will fail," Apple warned in its official note.

Macs, iPhones, iPads to get encrypted DNS – how'd you like them Apples?
2020-06-27 00:55

Encrypted DNS, as its name suggests, encrypts those queries to shield them from snoops and meddlers. A year later, a research paper presented at a Usenix conference underscored the need for better security when it reported that about 8.5 per cent of DNS queries were intercepted by service providers.

TikTok To Stop Clipboard Snooping After Apple Privacy Feature Exposes Behavior
2020-06-26 12:22

A new privacy feature in Apple iOS 14 sheds light on TikTok's practice of reading iPhone users' cut-and-paste data, even though the company said in March it would stop. Apple added a new banner alert to iOS 14 that lets users know if a mobile app is pasting from the clipboard and thus able to read a user's cut-and-paste data.