Security News

Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain to deploy NSO Group's Pegasus commercial spyware onto fully patched iPhones. The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect a fully-patched iPhone running iOS 16.6 and belonging to a Washington DC-based civil society organization via PassKit attachments containing malicious images.

Apple released emergency security updates to fix two new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 13 exploited zero-days patched since the start of the year. Since the start of the year, Apple has patched 13 zero-day bugs exploited in attacks against devices running iOS, macOS, iPadOS, and watchOS. While Apple has yet to disclose details regarding attacks exploiting the flaws patched today, it acknowledged that CVE-2023-41064 was found and reported by Citizen Labs, whose researchers have previously shared information on other Apple zero-days exploited to deploy commercial spyware on computers and iPhones in targeted attacks.

Analysis Chinese authorities have reportedly banned Apple's iPhones from some government offices. News of Beijing's ban was reported by the Wall Street Journal, which mentioned people familiar with the matter as having said employees at some central government regulators were told not to use iPhones for work or bring them into the office.

ALSO: Brazilian stalkerware database ripped by the short hairs, a fast fashion breach, and this week's critical vulns Infosec in brief The latest round of Apple's Security Research Device (SRD)...

Apple is inviting security researchers to apply for the Apple Security Research Device Program again, to discover vulnerabilities and earn bug bounties. In the intervening years, participating researchers have identified 130 security-critical vulnerabilities and have indirectly helped Apple implement security improvements in the XNU kernel, kernel extensions, and XPC services around the system.

Apple announced today that iOS security researchers can now apply for a Security Research Device by the end of October. The company added that iPhones provided through the Security Research Device Program should only be used by authorized people and never leave the premises of the security research facility.

Apple has released fixes for several security flaws that affect its iPhones, iPads, macOS computers, and Apple TV and watches, and warned that some of these bugs have already been exploited. Apple credits Kaspersky researchers Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin with finding this bug, which looks similar to the kernel vulnerability used to infect iPhones with TriangleDB spyware and also uncovered by the aforementioned team.

Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1," the tech giant noted in its advisory.

We and our store and/or access information on a device, such as cookies and process personal data, such as unique identifiers and standard information sent by a device for personalised ads and content, ad and content measurement, and audience insights, as well as to develop and improve products. With your permission we and our partners may use precise geolocation data and identification through device scanning.

There are ways to unlock your iPhone even without the right passcode, but you'll need a PC with iTunes or a Mac with Finder. Apple offers ways to access your iPhone without the passcode, but you'll have to put it into recovery mode.