Security News
![Apple iOS 13.4 offers fixes for 30 vulnerabilities](/static/build/img/news/apple-ios-13-4-offers-fixes-for-30-vulnerabilities.jpg)
Apple has just announced its latest something-for-everyone security and feature updates for iOS, iPadOS, macOS, watchOS, and tvOS. In terms of security, the attention grabber is iOS/iPad 13.4, which fixes 30 CVEs. As usual, the WebKit browser engine and Safari gave Apple plenty to fix, all but one of which were found by sources outside the company, including an arbitrary code execution flaw, CVE-2020-3899, credited to Google's open source fuzzing tool, OSS-Fuzz.
![Apple Update Fixes WebKit Flaws in iOS, Safari](/static/build/img/news/apple-update-fixes-webkit-flaws-in-ios-safari.jpg)
Apple has released a slew of patches across its iOS and macOS operating systems, Safari browser, watchOS, tvOS and iTunes. Of the CVEs disclosed, 30 affected Apple's iOS, 11 impacted Safari and 27 affected macOS. Users for their part are urged to update to iOS 13.4, Safari 13.1 and macOS Catalina 10.15.3.
![Apple Patches Code Execution Vulnerabilities Across Product Portfolio](/static/build/img/news/alt/mac-stats-small.jpg)
Security patches released this week by Apple for many of its products address a variety of vulnerabilities, including multiple issues that could lead to arbitrary code execution on the affected devices. The patched flaws could result in the execution of arbitrary code with system or kernel privileges, leak of kernel memory, privilege escalation, leak of sensitive information, disclosure of restricted memory, or code signing bypass.
![Apple Safari Blocks Ad-Targeting Cookie Support](/static/build/img/news/apple-safari-blocks-ad-targeting-cookie-support.jpg)
Apple has released an update to its Safari browser that blocks third-party cookies, following an announcement by Google that it would do the same for its Chrome browser. Through the release of Safari 13.1 on Tuesday, alongside some changes to Apple's Intelligent Tracking Prevention in iOS and iPadOS 13.4, the company now blocks all third-party cookies by default in its browser, according to a blog post by the engineer behind Apple's WebKit, John Wilander.
![Stuck inside with nothing to do? Apple fires out security fixes for iOS, macOS, wrist-puters... and something weird called iTunes for Windows](/static/build/img/news/alt/breach-statistics-small.jpg)
Apple has emitted a bundle of security fixes ranging across its product lines. For the flagship iOS, the 13.4 update includes fixes for 30 security holes.
![Patrick Wardle: Apple Devices Hit With Recycled macOS Malware](/static/build/img/news/alt/mac-stats-small.jpg)
SAN FRANCISCO - Advanced persistent threat groups are hitting Apple devices with malware that has been reverse engineered and redeployed for malicious acts. Despite these threats, Wardle said that when it comes to security, Apple's moving in a "positive" direction, adding more malware mitigation or security features into their operating system.
![Apple’s iOS pasteboard leaks location data to spy apps](/static/build/img/news/alt/mac-stats-small.jpg)
Now an app developer called Mysk has discovered pasteboard's dark side - malicious apps could exploit it to work out a user's location even when that user has locked down app location sharing. In the simplest scenario, an iPhone user would take a photo, copy it between apps using the pasteboard, from which a malicious app could extract location metadata while comparing it with timestamps to determine whether it was current or taken in the past.
![Apple tries to have VirnetX VPN patent ruling overturned again, US Supremes say no... again](/static/build/img/news/alt/Geopolitical-Cybersecurity-Predictions-2-small.jpg)
The United States Supreme Court has kicked out Apple's attempt to overturn a judgement in one of the cases in its 10-year patent fight with VirnetX. The Supremes rejected Apple's petition for a judicial review in a bid to overrule the 2016 decision of a lower court, which awarded VirnetX $302m, which later rose to $439.8m in damages, fees and interest for Apple's use of its patents. Apple had argued earlier this month that the "Federal Circuit has created a gaping loophole that facilitates massive damages in patent cases where the damages claims are based on prior licenses" - in essence saying that VirnetX had overvalued the inventions to the court.
![Apple Takes Heat Over ‘Vulnerable’ iOS Cut-and-Paste Data](/static/build/img/news/alt/mac-stats-small.jpg)
Any cut-and-paste data temporarily stored to an iPhone or iPad's memory can be accessed by all apps installed on the specific device - even malicious ones. To illustrate his concerns, Mysk created a rogue proof-of-concept app called KlipboardSpy and an iOS widget named KlipSpyWidget.
![Apple chops Safari’s TLS certificate validity down to one year](/static/build/img/news/alt/mac-stats-small.jpg)
That browser makers were voted down might explain why Apple has decided to enforce the change unilaterally, apparently against the wishes of the Certificate Authorities which issue certificates as a business. The browser makers are adamant that reducing validity is good for security because it reduces the time period in which compromised or bogus certificates can be exploited.