Security News

Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild. It's not immediately clear as to how the vulnerability is being exploited in real-world attacks, but it's the second actively abused type confusion flaw in WebKit to be patched by Apple after CVE-2022-42856 in as many months, which was closed in December 2022.

The US National Institute of Standards and Technology wants to protect all devices great and small, and is getting closer to settling on next-gen cryptographic algorithms suitable for systems at both ends of that spectrum - the very great and the very small. The lightweight cryptography algorithms for IoT need to be powerful enough to offer high security and efficient enough to do so with limited electronic resources.

Money Lover is a finance app allowing users to manage their expenses and budgets that has been downloaded five million times on the Play Store, with the app also available for iOS and Windows. Money Lover allows users to create "Shared wallets" with specific users, like family members or coworkers, to log transactions to collaborate in expense logging and monitoring.

Dashlane announced it had made the source code for its Android and iOS apps available on GitHub under the Creative Commons Attribution-NonCommercial 4.0 license. The popular subscription-based password manager and digital wallet have decided to release the code of its mobile apps to increase transparency in how they operate while also promoting a more collaborative and open development approach going forward.

Apple has released security updates for macOS, iOS, iPadOS and watchOS, patching - among other things - a type confusion flaw in the WebKit component that could be exploited for remote code execution on older iPhones and iPads running iOS v12. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1," the company said.

A massive ad fraud operation dubbed 'Vastflux' that spoofed more than 1,700 applications from 120 publishers, mostly for iOS, has been disrupted by security researchers at cybersecurity company HUMAN. The operation's name was derived from the VAST ad-serving template and the "Fast flux" evasion technique used to conceal malicious code by rapidly changing a large number of IP addresses and DNS records associated with a single domain. The research team at HUMAN discovered Vastflux while investigating a separate ad fraud scheme.

Apple has just published a wide range of security fixes for all its supported platforms, from the smallest watch to the biggest laptop. In other words, if you've got an Apple product, and it's still officially supported, we urge you to do an update check now.

In security updates released today, Apple has fixed the tenth zero-day vulnerability since the start of the year, with this latest one actively used in attacks against iPhones. In October, Apple fixed a zero-day in the iOS Kernel.

It's just under a month since iOS 16.1.1 came out for Apple iPhone users, fixing a pair of bugs that were listed with the worrying words "a remote user may be able to cause unexpected app termination or arbitrary code execution". Now, there's another security update, apparently moving iPhone users only up to version iOS 16.1.2.

Over 280 Android and iOS apps on the Google Play and the Apple App stores trapped users in loan schemes with misleading terms and employed various methods to extort and harass borrowers. [...]