Security News

If you've already listened to this week's Naked Security Podcast you'll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this Monday. So when iOS 14 got updated in the last couple of patch cycles, but iOS 12 didn't, we couldn't tell whether it was still safe and didn't need the patches, whether it needed the patches but they'd be a bit late, or whether it needed the patches but would never get them.

Apple has deprecated the insecure Transport Layer Security 1.0 and 1.1 protocols in recently launched iOS and macOS versions and plans to remove support in future releases altogether. The original TLS 1.0 specification and its TLS 1.1 successor have been used for almost 20 years.

Bypass attacks against Face ID have been announced before, notably by a Vietnamese researcher who claimed in 2017 to be able to get past Face ID using a mask, and by Chinese researchers from cybersecurity company Tencent in 2019, who were able to get around Face ID's "Are you awake?" detection and unlock the device of someone who was asleep. Along with updates for the otherwise brand-new iOS 15, iPadOS 15, tvOS 15 and watchOS 8, the latest security announcements also cover iTunes, macOS, Safari and Apple's Xcode developer tools, as well as iOS 14.8 and iPadOS 14.8.

Apple has released security updates to fix two zero-day vulnerabilities that have been seen exploited in the wild to attack iPhones and Macs. The CVE-2021-30860 CoreGraphics vulnerability is an integer overflow bug discovered by Citizen Lab that allows threat actors to create malicious PDF documents that execute commands when opened in iOS and macOS. CVE-2021-30858 is a WebKit use after free vulnerability allowing hackers to create maliciously crafted web page that execute commands when visiting them on iPhones and macOS. Apple states that this vulnerability was disclosed anonymously.

Apple patched a zero-day flaw on Monday, found in both its iOS and macOS platforms that's being actively exploited in the wild and can allow attackers to take over an affected system. Apple released three updates, iOS 14.7., iPadOS 14.7.1 and macOS Big Sur 11.5.1 to patch the vulnerability on each of the platforms Monday.

The bug, CVE-2021-30807, was found in the iGiant's IOMobileFrameBuffer code, a kernel extension for managing the screen frame buffer that could be abused to run malicious code on the affected device. Apple did not say who might be involved in the exploitation of this bug.

Apple on Monday released a major security update with fixes for a security defect the company says "May have been actively exploited" to plant malware on macOS and iOS devices. Instead, a line in Apple advisory simply reads: "Apple is aware of a report that this issue may have been actively exploited."

Apple has released security updates for macOS Big Sur, Catalina and Mojave, as well as iOS and iPadOS. There is no indication that Apple has fixed any vulnerabilities that may be exploited to deliver NSO Group's Pegasus spyware via "Zero-click" iMessage attacks. MacOS Big Sur comes with fixes for a multitude of security issues.

Tens of Vulnerabilities Patched by Apple in macOS and iOS. Apple this week started rolling out security updates for iOS, macOS, iPadOS, watchOS, tvOS, and Safari, to address tens of vulnerabilities, including some that could result in arbitrary code execution. A total of 37 security holes were resolved with the release of iOS 14.7 and iPadOS 14.7, including a recently detailed bug that attackers could exploit to crash the Wi-Fi functionality of vulnerable devices.

The Wi-Fi network name bug that was found to completely disable an iPhone's networking functionality had remote code execution capabilities and was silently fixed by Apple earlier this year, according to new research. The denial-of-service vulnerability, which came to light last month, stemmed from the way iOS handled string formats associated with the SSID input, triggering a crash on any up-to-date iPhone that connected to wireless access points with percent symbols in their names such as "%p%s%s%s%s%n.