Security News

News Wrap: Twitter Hack, Apple Under Fire and Global Privacy Finger Wags
2020-07-24 16:28

Threatpost editors talk about the biggest security news stories for the week ended Jul. 24.

Apple Offers Hackable iPhones to Security Researchers
2020-07-23 15:42

Apple this week kicked off another initiative meant to improve the security of iPhones, by offering hackable phones to security researchers. Specifically designed for security researchers, these devices feature unique code execution and containment policies and are offered as part of the company's Security Research Device program, which was initially announced in December last year.

Apple Security Research Device Program Draws Mixed Reactions
2020-07-22 21:08

Apple's long anticipated Security Research Device program has launched, giving select security researchers access to testable iPhones that will make it easier for them to find iOS vulnerabilities. To be eligible for the program, researchers must be a membership Account Holder in the Apple Developer Program and have a "Proven track record of success" in finding security issues on Apple platforms.

Apple was the only Fortune 50 company to foresee COVID-19 pandemic risk and properly insure against it – Forrester
2020-07-21 11:39

Apple was alone among corporate giants in foreseeing the pandemic risk in the run-up to the global COVID-19 outbreak, according to analysis by research firm Forrester. As part of a report that predicts the continuing rise of blockchain, robotic process automation and Kubernetes among the technology responses to the pandemic, Forrester also looked at how organisations are set to change their approach to operational and technological risk.

Apple’s latest updates are out for iPhones and Macs – get them now!
2020-07-17 15:08

For the protection of our customers, Apple doesn't disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are generally available. Of course, we know now that Apple did know about the Vim issue mentioned above, and has patched it at last, so any users who were wondering about it can now scratch that one off their list of concerns.

Apple Patches Multiple Code Execution Flaws in Audio Components
2020-07-17 14:02

Apple this week released patches to address numerous vulnerabilities across its products, including five arbitrary code execution issues affecting the audio components used by its operating systems. The five bugs were found to affect macOS Catalina, with four of them also impacting iOS and iPadOS, tvOS, and watchOS. The first two of the flaws are CVE-2020-9884 and CVE-2020-9889, two out-of-bounds write issues, while the remaining three, namely CVE-2020-9888, CVE-2020-9890 and CVE-2020-9891, are out-of-bounds read flaws.

This week of never-ending security updates continues. Now Apple emits dozens of fixes for iOS, macOS, etc
2020-07-16 21:08

Apple has released a fresh batch of software security updates for its flagship devices. For iOS and iPadOS the 13.6 update includes fixes for 29 CVE-listed vulnerabilities, 10 involving arbitrary code execution.

Twitter Accounts of Apple, Musk, Gates, Others Hit in Major Hack
2020-07-15 22:04

The official Twitter accounts of Apple, Elon Musk, Jeff Bezos and others were hijacked on Wednesday by scammers trying to dupe people into sending cryptocurrency bitcoin, in a massive hack. The list of accounts commandeered simultaneously grew rapidly to include Joe Biden, Barack Obama, Uber, Microsoft co-founder Bill Gates, bitcoin specialty firms and many others.

Mozilla Joins Apple, Google in Reducing TLS Certificate Lifespans
2020-07-14 03:48

Mozilla is the latest browser maker to have announced updated policies that would reduce the lifetime of TLS certificates. Currently, SSL/TLS certificates have a maximum lifespan of 825 days, but in an attempt to ensure better protection of HTTPS connections, browser makers such as Apple, Google and Mozilla are looking into reducing that period to 398 days.

macOS Privacy Protections Bypass Disclosed After Apple Fails to Release Fix
2020-07-01 15:30

Details on a macOS privacy protections bypass method were published this week, more than six months after Apple was informed of the issue but failed to deliver a fix. Dubbed TCC, the privacy protections system was introduced in macOS Mojave to ensure that certain files on the system are kept out of reach of unauthorized applications.