Security News

Trend Micro Releases PoC Exploit for Vulnerability Affecting macOS, iOS
2021-06-03 13:49

Trend Micro on Thursday disclosed the details of a recently patched privilege escalation vulnerability that has been found to impact macOS, iOS and iPadOS. The flaw, tracked as CVE-2021-30724, was discovered by Trend Micro researcher Mickey Jin, and it was patched by Apple on May 24 with the release of macOS 11.4, iOS 14.6 and iPadOS 14.6. The vulnerability, caused by an out-of-bounds memory access issue, can allow a local attacker to elevate privileges by sending specially crafted requests.

Beware fake online trading apps, on iOS as well as Android
2021-05-12 18:30

Well, SophosLabs researchers have just published a report entitled Fake Android and iOS apps disguise as trading and cryptocurrency apps, and it seems that some investment scammers are taking a similar sort of approach. If you've gone to all the trouble of building an imposter website that looks like a genuine online currency trading business, and a fake app that is believable enough to pass muster as belonging to someone else's brand.

App Tracking: Apps plead for users to press allow, but 85% of Apple iOS consumers are not opting in
2021-05-11 13:45

Mobile app analytics company Flurry is measuring how many users of iOS 14.5 are opting in to allow apps to request to track them - and so far only 15 per cent worldwide have done so. One of its new features is enforcement of what Apple calls AppTrackingTransparency, which means that apps must request permission from the user before tracking them or accessing the Apple device identifier.

XcodeGhost Malware Discovered in 2015 Impacted 128 Million iOS Users
2021-05-11 11:28

Documents submitted in a court case involving Apple revealed that the XcodeGhost malware discovered in 2015 impacted 128 million iOS users. The published emails show exchanges between Apple employees, including executives, discussing the XcodeGhost incident and the steps the company should take in response.

6 Unpatched Flaws Disclosed in Remote Mouse App for Android and iOS
2021-05-07 06:20

As many as six zero-days have been uncovered in an application called Remote Mouse, allowing a remote attacker to achieve full code execution without any user interaction. The unpatched flaws, collectively named 'Mouse Trap,' were disclosed on Wednesday by security researcher Axel Persinger, who said, "It's clear that this application is very vulnerable and puts users at risk with bad authentication mechanisms, lack of encryption, and poor default configuration."

Apple Warns of New Zero-Day Attacks on iOS, macOS
2021-05-04 02:32

Apple's problems with zero-day attacks continued this week with news of another mysterious in-the-wild compromise affecting iPhones, iPads and macOS devices. News of the latest compromise was included in a one-line mention in an advisory from Apple that documents fixes for a pair of WebKit security flaws that have been exploited on both iPhones and macOS computers.

Apple patches iOS, macOS, iPadOS, watchOS, kitchen-sinkOS bugs said to be exploited in the wild
2021-05-04 01:35

Apple on Monday patched security flaws in its software said to have been exploited in the wild by miscreants to hijack gear. WebKit, fixed in macOS Big Sur 11.3.1, can be tricked into executing arbitrary code by processing malicious web content - a bad webpage can take over the browser, in other words.

Apple fixes 2 iOS zero-day vulnerabilities actively used in attacks
2021-05-03 22:56

Today, Apple has released security updates that fix two actively exploited iOS zero-day vulnerabilities in the WebKit engine used by hackers to attack iPhones, iPads, iPods, macOS, and Apple Watch devices. "Apple is aware of a report that this issue may have been actively exploited," the company said in multiple security advisories published today.

Apple iOS 14.5 Patches 50 Security Vulnerabilities
2021-04-26 22:17

Apple on Monday shipped the long-awaited iOS and iPadOS 14.5 update with patches for at least 50 documented security vulnerabilities. The patch, which is currently being rolled out via the iOS and iPadOS automatic-updating mechanism, includes cover for a WebKit vulnerability that Apple believes may have been exploited in the wild by attackers.

iOS Kids Game Morphs into Underground Crypto Casino
2021-04-16 19:19

A kids' game called "Jungle Run" that, until recently, was available in the Apple App Store, was secretly a cryptocurrency-funded casino set up to scam people out of money. His latest discovery was that Jungle Run, which was marketed in the App Store as a game for ages 4+, transformed into a crypto-funded casino when he set his VPN to Turkey.