Security News

Apple today sued NSO Group, which sells spyware to governments and other organizations, for infecting and snooping on people's iPhones. In a strongly worded filing [PDF] Apple described NSO as "amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse." Cupertino wants damages and a ban on NSO interacting or interfering any further with Apple services and products.

CVE-2021-30663 - Processing maliciously crafted web content may lead to arbitrary code execution.
CVE-2021-30665 - Processing maliciously crafted web content may lead to arbitrary code execution.

We were going to say "Unexpected updates", but all Apple security patches are, of course, unexpected by design. Apple deliberately announces security fixes only after they've been published, so you couldn't plan for them even if you wanted.

If you're using an iPhone, install the iOS 15.0.2 update immediately: Apple has warned that the latest OS upgrade patches an "actively exploited" zero-day. Described as a "memory corruption issue" by Apple, the vuln is present within the IOMobileFrameBuffer kernel extension, used for managing display memory.

Cybersecurity researchers have disclosed an unpatched flaw in Apple Pay that attackers could abuse to make an unauthorized Visa payment with a locked iPhone by taking advantage of the Express Travel mode set up in the device's wallet. Express Travel is a feature that allows users of iPhone and Apple Watch to make quick contactless payments for public transit without having to wake or unlock the device, open an app, or even validate with Face ID, Touch ID or a passcode.

An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning. The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic team from the Universities of Birmingham and Surrey, backed by the U.K.'s National Cyber Security Centre.

Academic researchers have found a way to make fraudulent payments using Apple Pay from a locked iPhone with a Visa card in the digital wallet with express mode enabled. Apple Pay solved the problem with Express Transit, a feature that allows a transaction to go through without unlocking the device.

Apple has released security updates to fix a zero-day vulnerability exploited in the wild by attackers to hack into iPhones and Macs running older iOS and macOS versions. The zero-day patched today [1, 2] was found in the XNU operating system kernel and was reported by Erye Hernandez and Clément Lecigne of Google Threat Analysis Group, and Ian Beer of Google Project Zero.

Apple has released security updates to fix three zero-day vulnerabilities exploited in the wild by attackers to hack into iPhones and Macs running older iOS and macOS versions. Based on the info shared by Apple in today's security advisories [1, 2] at least one of the bugs was likely used to deploy NSO Pegasus spyware on hacked devices.