Security News

Apple and Google will ban location-tracking by apps using their new coronavirus contract-tracing API, newly renamed ExposureNotification. In a set of guidelines [PDF] for the API released today, the companies said that developers will not be able to access or even seek permission to access location data using the app.

Google Project Zero security researchers have discovered multiple vulnerabilities in ImageIO, the image parsing API used by Apple's iOS and macOS operating systems. The bugs in image parsing code, some of which impact open source image libraries and not the ImageIO framework itself, can be triggered through popular messenger applications by sending specially crafted image files to the targeted user.

Privacy advocates are urging developers to proceed with caution as they use technology released by Apple and Google to build COVID-19 contact-tracing apps - and are warning against the potential for cybercriminal use. "The apps built on top of Apple and Google's new system will not be a 'magic bullet' techno-solution to the current state of shelter-in-place," EFF staff technologist Bennet Cyphers and director of research Gennie Gebhart said, in a post on Tuesday on the organization's blog.

Germany on Sunday pulled an about-face regarding the best way to use smart phones to trace people's contacts with those infected by COVID-19, embracing a decentralized Bluetooth-based approach instead of the more invasive location tracking proposed in other approaches. Apple and Google first announced their contact tracing collaboration two weeks ago, on 10 April.

The UK has decided to break with growing international consensus and insist its upcoming coronavirus contact-tracing app is run through centralised British servers - rather than follow the decentralized Apple-Google approach. Within the details over how it would work, the memo revealed the NHS and UK government reckon the contact-tracing protocols built by Apple and Google protect user privacy under advisement only.

Further worse news is that an attack against Apple's latest version of iOS 13.x can occur while the app is open in the background and does not require interaction by the user to execute the code and compromise your device. Users who rely on Mail.app to handle emails should stop using the app until Apple releases the official 13.4.5 update to patch the vulnerability.

Apple and Google have revealed a little more about their plans to support COVID-19 contact-tracing apps and changed up some of their security plans. Apple and Google won't see the information ever.

Sophos XG Firewall hacked in the wild - hotfix available. Sophos has rushed out a hotfix for its XG Firewall products to close an SQL injection vulnerability - after hackers were spotted exploiting the hole in the wild.

Apple devices are vulnerable to a "Text bomb" attack where simply looking at messages or posts containing characters in the Sindhi language can crash devices. The problem occurs in a number of different scenarios, including if the character string shows up in a text message - in fact, just looking at a message notification containing a message preview will crash the system.

It started a couple days ago when a number of researchers and I'm probably gonna mispronounce the name of the security firm, ZecOps or something along those lines -I can never pronounce these names - But anyways, they found two zero days, or what they claimed are two zero days that are very, very troubling when described. Tom: Yeah, well, you know, Apple has gotten some support from the research community.