Security News
During the pre-taped keynote at Apple's Worldwide Developers Conference, the company promised to pump up data protection even more with gobs of new features in its upcoming iOS 14, macOS Big Sur, and Safari releases. The big ones include the option for users to decline apps' ad tracking.
During WWDC 2020 on Monday, the world's most valuable company announced the next versions of its operating systems - iOS 14 for iPhones, iPadOS 14 for iPads, watchOS 7 for Apple Watches, and macOS Big Sur for MacBooks - with new features and enhancements. What's important is that the company also highlighted a few new security and privacy features that have been added to the upcoming iOS 14 and macOS Big Sur systems, aiming to help users better control which apps installed on their devices can access their data.
A hacker team has released a new method to jailbreak iPhones that they claim uses a zero-day exploit that allows them to jailbreak iPhones running iOS 11 through Apple's most recent version of its mobile operating system - iOS 13.5. Calling it a "Big milestone for jailbreaking," one of its creators, a hacker called Pwn20wnd, heralded the new jailbreak release on Twitter, claiming it's the first zero-day jailbreak for the iPhone platform since iOS 8.
The unc0ver jailbreaking tool has been updated with support for the latest iOS releases, courtesy of a zero-day vulnerability, the team behind the utility announced. Unc0ver, which supports iOS 11 through iOS 13.5, is advertised as the most advanced jailbreak tool out there, letting users do more with their devices than the standard operating system allows.
The price of some iOS exploits has dropped recently and at least one exploit acquisition company is no longer buying certain types of vulnerabilities. It also announced that prices for iOS exploit chains that require some user interaction and don't provide persistence will likely drop in the near future.
Edison Mail, a popular third-party email app, has warned thousands of iOS users that their emails may have been compromised after a security flaw exposed emails to complete strangers. Several Edison Mail users took to Twitter to complain that they were seeing up to 100 unread email messages from strangers' accounts under their own Edison Mail inboxes.
An update rolled out recently by Edison Mail for its iOS application resulted in some users being given access to other people's email accounts. Edison Mail provides apps that allow users to manage their Gmail, Yahoo, Outlook, iCloud and other inboxes from one place.
Exploit acquisition firm Zerodium announced this week that it's no longer buying certain types of iOS exploits due to surplus, and the company expects prices to drop in the near future. Zerodium said on Twitter it would no longer acquire iOS local privilege escalation, Safari remote code execution, and sandbox escape exploits in the next 2-3 months "Due to a high number of submissions related to these vectors."
On Wednesday, the software exploit broker said it won't pay anything for some iOS bugs due to an oversupply. Apple's iOS 13 has been particularly buggy, enough that SVP of software engineering Craig Federighi reportedly overhauled the company's internal software testing process to avoid a repeat when iOS 14 arrives later this year.
iOS uses XML for Plists, and Plists are used everywhere in iOS. iOS's sandboxing system depends upon three different XML parsers, which interpret slightly invalid XML input in slightly different ways. So Siguza's exploit - which granted an app full access to the entire file system, and more - uses malformed XML comments constructed in a way that one of iOS's XML parsers sees its declaration of entitlements one way, and another XML parser sees it another way.