Security News

Apple on Thursday released security updates to fix multiple security vulnerabilities in older versions of iOS and macOS that it says have been detected in exploits in the wild, in addition to expanding patches for a previously plugged security weakness abused by NSO Group's Pegasus surveillance tool to target iPhone users. Chief among them is CVE-2021-30869, a type confusion flaw that resides in the kernel component XNU developed by Apple that could cause a malicious application to execute arbitrary code with the highest privileges.

Upset with Apple's handling of its Security Bounty program, a bug researcher has released proof-of-concept exploit code for three zero-day vulnerabilities in Apple's newly released iOS 15 mobile operating system. "I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page," the researcher wrote.

If you have access to Apple's iOS 15 Developer Beta, learn how to use an important security feature called Mail Privacy Protection. If you're lucky enough to have access to the iOS 15 Developer Beta, you're probably already tinkering with all the new features, including Mail Privacy Protection.

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher. The unknown researcher who found the four zero-days reported them to Apple between March 10 and May 4.

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher.The researcher who found the four zero-days reported them to Apple between March 10 and May 4.

Cisco has patched three critical vulnerabilities affecting components in its IOS XE internetworking operating system powering routers and wireless controllers, or products running with a specific configuration.The worst of the flaws received the highest severity rating, 10 out of 10; it affects the Cisco Catalyst 9000 Family Wireless Controllers that includes the enterprise-class Catalyst 9800-CL Wireless Controllers for Cloud.

Networking equipment maker Cisco Systems has rolled out patches to address three critical security vulnerabilities in its IOS XE network operating system that remote attackers could potentially abuse to execute arbitrary code with administrative privileges and trigger a denial-of-service condition on vulnerable devices. The most severe of the issues is CVE-2021-34770, which Cisco calls a "Logic error" that occurs during the processing of CAPWAP packets that enable a central wireless Controller to manage a group of wireless access points.

If you've already listened to this week's Naked Security Podcast you'll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this Monday. So when iOS 14 got updated in the last couple of patch cycles, but iOS 12 didn't, we couldn't tell whether it was still safe and didn't need the patches, whether it needed the patches but they'd be a bit late, or whether it needed the patches but would never get them.

Apple has deprecated the insecure Transport Layer Security 1.0 and 1.1 protocols in recently launched iOS and macOS versions and plans to remove support in future releases altogether. The original TLS 1.0 specification and its TLS 1.1 successor have been used for almost 20 years.

Bypass attacks against Face ID have been announced before, notably by a Vietnamese researcher who claimed in 2017 to be able to get past Face ID using a mask, and by Chinese researchers from cybersecurity company Tencent in 2019, who were able to get around Face ID's "Are you awake?" detection and unlock the device of someone who was asleep. Along with updates for the otherwise brand-new iOS 15, iPadOS 15, tvOS 15 and watchOS 8, the latest security announcements also cover iTunes, macOS, Safari and Apple's Xcode developer tools, as well as iOS 14.8 and iPadOS 14.8.