Security News
Apple has released security updates for - pardon the pop-culture reference - everyhing everywhere all at once, and has fixed the WebKit vulnerability exploited in the wild for users of older iPhones and iPads. The presently most important fix among those delivered is the one for CVE-2023-23529, a type confusion issue in the WebKit browser engine, which can be triggered by maliciously crafted web content and ultimately allow code execution.
Apple has released security updates to backport patches released last month, addressing an actively exploited zero-day bug for older iPhones and iPads. "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited," Apple describes the zero-day.
The Russian report, citing several sources who attended an event in Moscow earlier this month, noted that the country's presidential administration employees have until April 1 to replace their iPhones with Android-based smartphones, or others with Chinese or Aurora operating systems. Aurora is a Linux-based smartphone OS developed by Open Mobile Platform, which is owned by Russian IT firm Rostelecom.
Microsoft announced today an early preview of Phone Link for iPhone users available to Windows Insiders running the latest Windows 11 builds. "The preview will begin rolling out to Insiders who have opted in their device into one of the 3 Insider Channels via Settings > Windows Update > Windows Insider Program," Microsoft Senior Program Manager Brandon LeBlanc said.
Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS. The first flaw is a race condition in the Crash Reporter component that could enable a malicious actor to read arbitrary files as root. "An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges," Apple said, adding it patched the issues with "Improved memory handling."
Apple has released emergency security updates to address a new zero-day vulnerability used in attacks to hack iPhones, iPads, and Macs. The zero-day patched today is tracked as CVE-2023-23529 [1, 2] and is a WebKit confusion issue that could be exploited to trigger OS crashes and gain code execution on compromised devices.
On Monday, Apple released iOS 12.5.7 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and sixth-generation iPod touch. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple warned in the security update.
Last year, on the last day of August 2022, we wrote with mild astonishment, and perhaps even a tiny touch of excitement, about an unexpected but rather important update for iPhones stuck back on iOS 12. As we remarked at the time, we'd already decided that iOS 12 had slipped off Apple's radar, and would never be updated again, give that the previous update had been a year before that, back in September 2021.
Apple "Unlawfully records and uses consumers' personal information and activity," claims a new lawsuit accusing the company of tracking iPhone users' device data even when they've asked for tracking to be switched off. The would-be class action lawsuit, filed in Pennsylvania, accuses [PDF] Apple of violating Pennsylvania's Wiretapping and Electronic Surveillance Act, as well as breaching its trade practices and consumer protection law by "Representing that its mobile devices enable users to choose settings that would stop defendant from collecting or tracking their private data - a feature they do not have."
The most recent iPhone update-to version 16.1.2-patches a zero-day vulnerability that "May have been actively exploited against versions of iOS released before iOS 15.1.". Apple said security researchers at Google's Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered and reported the WebKit bug.