Security News

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its mobile and desktop operating systems that it said may have been exploited in the wild. Both the vulnerabilities have been reported to Apple anonymously.

Apple has released security updates on Thursday to address two zero-day vulnerabilities exploited by attackers to hack iPhones, iPads, and Macs. In security advisories published today, Apple said that they're aware of reports the issues "May have been actively exploited."

Researchers have blown the lid off a sophisticated malicious scheme primarily targeting Chinese users via copycat apps on Android and iOS that mimic legitimate digital wallet services to siphon cryptocurrency funds. The wallet services are said to have been distributed through a network of over 40 counterfeit wallet websites that are promoted with the help of misleading articles posted on legitimate Chinese websites, as well as by means of recruiting intermediaries through Telegram and Facebook groups, in an attempt to trick unsuspecting visitors into downloading the malicious apps.

Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been luring unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips. "This style of cyber-fraud, known as sha zhu pan - literally 'pig butchering plate' - is a well-organized, syndicated scam operation that uses a combination of often romance-centered social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their confidence," Sophos analyst Jagadeesh Chandraiah said in a report published last week.

The latest raft of non-emergency Apple security updates are out, patching a total of 87 different CVE-rated software bugs across all Apple products and plaforms. With 87 noteworthy bugs in the mix, there are plenty of security issues to choose from, including several that are listed with a warning that the bug might "Lead to arbitrary code execution", or even that it might be exploitable "To execute arbitrary code with kernel privileges".

Here on Naked Security, we've been lamenting the mysterious nature of Apple's security updates for ages. In the sudo bug case, Apple did eventually come to the party, and updated its own products in September.

The US Cybersecurity and Infrastructure Security Agency has added a new flaw to its catalog of vulnerabilities exploited in the wild, an Apple WebKit remote code execution bug used to target iPhones, iPads, and Macs. According to the binding operational directive issued by CISA in November, federal agencies are now required to patch their systems against this actively exploited vulnerability impacting iOS, iPadOS, and macOS devices.

The US Cybersecurity and Infrastructure Security Agency has added a new flaw to its catalog of vulnerabilities exploited in the wild, an Apple WebKit bug used to target iPhones, iPads, and Macs. According to the binding operational directive issued by CISA in November, federal agencies are now required to patch their systems against this actively exploited vulnerability impacting iOS, iPadOS, and macOS devices.

Apple has released security updates to fix a new zero-day vulnerability exploited in the wild by attackers to hack iPhones, iPads, and Macs. Successful exploitation of this bug allows attackers to execute arbitrary code on iPhones and iPads running vulnerable versions of iOS and iPadOS after processing maliciously crafted web content.

ForcedEntry - the exploit of a zero-click iMessage zero day that circumvented Apple's then-brand-new BlastDoor security feature starting a year ago - was picked apart not just by NSO Group with its Pegasus spyware but also by a newly uncovered, smaller smartphone-hacking toolmaker named QuaDream. Two sources also said that QuaDream and NSO Group came up with the iPhone exploit techniques on their own, separately - as opposed to collaborating.