Security News

Apple has released security updates to fix two zero-day vulnerabilities that have been seen exploited in the wild to attack iPhones and Macs. The CVE-2021-30860 CoreGraphics vulnerability is an integer overflow bug discovered by Citizen Lab that allows threat actors to create malicious PDF documents that execute commands when opened in iOS and macOS. CVE-2021-30858 is a WebKit use-after-free vulnerability allowing hackers to create maliciously crafted web pages that execute commands when visited on iPhones and macOS. Apple states that this vulnerability was disclosed anonymously.

On Monday, Apple patched a zero-day flaw found in both its iOS and macOS platforms that is being actively exploited in the wild and can allow attackers to take over an affected system. Apple released three updates, iOS 14.7., iPadOS 14.7.1 and macOS Big Sur 11.5.1, to patch the vulnerability on each of the platforms Monday.

The bug, CVE-2021-30807, was found in the iGiant's IOMobileFrameBuffer code, a kernel extension for managing the screen frame buffer that could be abused to run malicious code on the affected device. Apple did not say who might be involved in the exploitation of this bug.

Apple on Monday released a major security update with fixes for a security defect the company says "may have been actively exploited" to plant malware on macOS and iOS devices. Instead, a line in Apple's advisory simply reads: "Apple is aware of a report that this issue may have been actively exploited."

Apple has released security updates for macOS Big Sur, Catalina and Mojave, as well as iOS and iPadOS. There is no indication that Apple has fixed any vulnerabilities that may be exploited to deliver NSO Group's Pegasus spyware via "zero-click" iMessage attacks. macOS Big Sur comes with fixes for a multitude of security issues.

Tens of Vulnerabilities Patched by Apple in macOS and iOS. Apple this week started rolling out security updates for iOS, macOS, iPadOS, watchOS, tvOS, and Safari, to address tens of vulnerabilities, including some that could result in arbitrary code execution. A total of 37 security holes were resolved with the release of iOS 14.7 and iPadOS 14.7, including a recently detailed bug that attackers could exploit to crash the Wi-Fi functionality of vulnerable devices.

The Wi-Fi network name bug that was found to completely disable an iPhone's networking functionality had remote code execution capabilities and was silently fixed by Apple earlier this year, according to new research. The denial-of-service vulnerability, which came to light last month, stemmed from the way iOS handled string formats associated with the SSID input, triggering a crash on any up-to-date iPhone that connected to wireless access points with percent symbols in their names such as "%p%s%s%s%s%n".

Apple in early 2021 quietly patched an iOS vulnerability that could lead to remote code execution when connecting to a Wi-Fi access point that had a specially crafted SSID. The issue was initially brought to light last month, when reverse engineer Carl Schou discovered that the Wi-Fi functionality on his iPhone would completely crash when connecting to a hotspot that had the SSID "%p%s%s%s%s%n". The issue, which impacts all iOS devices running iOS 14.0 to 14.6, was deemed to be a format string bug, in which iOS treats the characters that follow "%" as string-format specifiers, meaning that they are processed as commands rather than text.
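The format string bug class described above, as an added C example that is not Apple's code or taken from the reports: it contrasts the unsafe logging pattern (left as a comment) with the hardened one and adds a check that flags conversion directives in an untrusted name. The function names `count_format_directives` and `format_ssid_log` are hypothetical, and the example uses generic C `printf` semantics because the page does not show the iOS code.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in an untrusted string.
 * "%%" is a literal percent sign and is not counted. '@' is included
 * because Objective-C format strings also accept "%@". */
int count_format_directives(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {      /* escaped percent: skip both */
            i++;
            continue;
        }
        size_t j = i + 1;           /* skip flags, width, precision, length */
        while (s[j] != '\0' && strchr("-+ #0123456789.*hlqjztL", s[j]))
            j++;
        if (s[j] != '\0' && strchr("diouxXeEfFgGaAcspn@", s[j])) {
            count++;
            i = j;
        }
    }
    return count;
}

/* Hardened pattern: the format string is a constant and the SSID is an
 * argument, so any "%" sequences in it are copied as plain text.
 * The unsafe pattern would pass the untrusted name as the format itself:
 *     snprintf(out, outlen, ssid);
 * which makes the formatter interpret its "%" sequences. */
int format_ssid_log(char *out, size_t outlen, const char *ssid)
{
    return snprintf(out, outlen, "Joining network: %s", ssid);
}

int main(void)
{
    const char *ssid = "%p%s%s%s%s%n";   /* SSID quoted in the article */
    char line[128];
    format_ssid_log(line, sizeof line, ssid);
    printf("%s (directives found: %d)\n", line, count_format_directives(ssid));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes GCC and Clang warn when a non-literal string is passed as the format argument.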

Human rights non-governmental organization Amnesty International and non-profit project Forbidden Stories revealed in a recent report that they found spyware made by Israeli surveillance firm NSO Group deployed on iPhones running Apple's latest iOS release, hacked using zero-day zero-click iMessage exploits. Citizen Lab was able to independently observe NSO Pegasus spyware deployed on an iPhone 12 Pro Max running iOS 14.6, hacked via a zero-day zero-click iMessage exploit, which does not require interaction from the target.

Threat intelligence researchers from Google on Wednesday shed more light on four in-the-wild zero-days in Chrome, Safari, and Internet Explorer browsers that were exploited by malicious actors in different campaigns since the start of the year. What's more, three of the four zero-days were engineered by commercial providers and sold to and used by government-backed actors, contributing to an uptick in real-world attacks.