Security News

Urgent Apple iOS and macOS Updates Released to Fix Actively Exploited Zero-Days
2021-09-26 21:38

Apple on Thursday released security updates to fix multiple security vulnerabilities in older versions of iOS and macOS that it says have been detected in exploits in the wild, in addition to expanding patches for a previously plugged security weakness abused by NSO Group's Pegasus surveillance tool to target iPhone users. Chief among them is CVE-2021-30869, a type confusion flaw that resides in the kernel component XNU developed by Apple that could cause a malicious application to execute arbitrary code with the highest privileges.

Frustrated dev drops three zero-day vulns affecting Apple iOS 15 after six-month wait
2021-09-24 19:43

Upset with Apple's handling of its Security Bounty program, a bug researcher has released proof-of-concept exploit code for three zero-day vulnerabilities in Apple's newly released iOS 15 mobile operating system. "I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page," the researcher wrote.

iOS 15: How to enable Mail Privacy Protection
2021-09-24 14:48

If you have access to Apple's iOS 15 Developer Beta, learn how to use an important security feature called Mail Privacy Protection. If you're lucky enough to have access to the iOS 15 Developer Beta, you're probably already tinkering with all the new features, including Mail Privacy Protection.

Researcher drops three iOS zero-days that Apple refused to fix
2021-09-24 11:13

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher. The unknown researcher who found the four zero-days reported them to Apple between March 10 and May 4.

Exploit code released for three iOS 0-days that Apple failed to patch
2021-09-24 11:13

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher.The researcher who found the four zero-days reported them to Apple between March 10 and May 4.

Cisco fixes highly critical vulnerabilities in IOS XE Software
2021-09-24 07:23

Cisco has patched three critical vulnerabilities affecting components in its IOS XE internetworking operating system powering routers and wireless controllers, or products running with a specific configuration.The worst of the flaws received the highest severity rating, 10 out of 10; it affects the Cisco Catalyst 9000 Family Wireless Controllers that includes the enterprise-class Catalyst 9800-CL Wireless Controllers for Cloud.

Cisco Releases Patches 3 New Critical Flaws Affecting IOS XE Software
2021-09-24 00:27

Networking equipment maker Cisco Systems has rolled out patches to address three critical security vulnerabilities in its IOS XE network operating system that remote attackers could potentially abuse to execute arbitrary code with administrative privileges and trigger a denial-of-service condition on vulnerable devices. The most severe of the issues is CVE-2021-34770, which Cisco calls a "Logic error" that occurs during the processing of CAPWAP packets that enable a central wireless Controller to manage a group of wireless access points.

STILL ALIVE! iOS 12 gets 3 zero-day security patches – update now
2021-09-23 22:28

If you've already listened to this week's Naked Security Podcast you'll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this Monday. So when iOS 14 got updated in the last couple of patch cycles, but iOS 12 didn't, we couldn't tell whether it was still safe and didn't need the patches, whether it needed the patches but they'd be a bit late, or whether it needed the patches but would never get them.

Apple will disable insecure TLS in future iOS, macOS releases
2021-09-22 16:59

Apple has deprecated the insecure Transport Layer Security 1.0 and 1.1 protocols in recently launched iOS and macOS versions and plans to remove support in future releases altogether. The original TLS 1.0 specification and its TLS 1.1 successor have been used for almost 20 years.

iOS 15 launches with 22 documented security patches – including a Face ID bypass using a “3D model”
2021-09-21 18:19

Bypass attacks against Face ID have been announced before, notably by a Vietnamese researcher who claimed in 2017 to be able to get past Face ID using a mask, and by Chinese researchers from cybersecurity company Tencent in 2019, who were able to get around Face ID's "Are you awake?" detection and unlock the device of someone who was asleep. Along with updates for the otherwise brand-new iOS 15, iPadOS 15, tvOS 15 and watchOS 8, the latest security announcements also cover iTunes, macOS, Safari and Apple's Xcode developer tools, as well as iOS 14.8 and iPadOS 14.8.