Security News

Today, the U.S. Cybersecurity & Infrastructure Security Agency ordered federal agencies to address three recently patched zero-day flaws affecting iPhones, Macs, and iPads known to be exploited in attacks. iPhone 6s, iPhone 7, iPhone SE, iPad Air 2, iPad mini, iPod touch, and iPhone 8 and later.

Apple has addressed three new zero-day vulnerabilities exploited in attacks to hack into iPhones, Macs, and iPads. Apple addressed the three zero-days in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 with improved bounds checks, input validation, and memory management.

A Microsoft app that helps people use their Windows PC and iPhone or Android phone in tandem could also be abused by cyberstalkers to snoop on personal information. In a report released Thursday, software maker Certo explains how Microsoft's Phone Link app could be used against iPhone owners and how they can protect themselves against this type of threat.

Apple has launched the first Rapid Security Response patches for iOS 16.4.1 and macOS 13.3.1 devices, with some users having issues installing them on their iPhones. As the company describes in a recently published support document, RSR patches are small-sized updates that target the iPhone, iPad, and Mac platforms and patch security issues between major software updates.

Apple introduced the optional recovery key in 2020 to protect users from online hackers. iPhone thieves with your passcode can flip on the recovery key and lock you out.

Israeli spyware maker NSO Group deployed at least three novel "Zero-click" exploits against iPhones in 2022 to infiltrate defenses erected by Apple and deploy Pegasus, according to the latest findings from Citizen Lab. "NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world," the interdisciplinary laboratory based at the University of Toronto said.

It's also suspected that the company abused a zero-click exploit dubbed ENDOFDAYS in iOS 14 to deploy spyware as a zero-day in version 14.4 and 14.4.2. While QuaDream is not directly involved in targeting, it is known to sell its "Exploitation services and malware" to government customers, the tech giant assessed with high confidence.

Microsoft and Citizen Lab discovered commercial spyware made by an Israel-based company QuaDream used to compromise the iPhones of high-risk individuals using a zero-click exploit named ENDOFDAYS. The attackers targeted a zero-day vulnerability affecting iPhones running iOS 1.4 up to 14.4.2 between January 2021 and November 2021, using what Citizen Lab described as backdated and "Invisible iCloud calendar invitations." Compromised devices belonged to "At least five civil society victims of QuaDream's spyware and exploits in North America, Central Asia, Southeast Asia, Europe, and the Middle East," Citizen Lab researchers said.

Apple has pushed out security updates that fix two actively exploited zero-day vulnerabilities in macOS, iOS and iPadOS. Reported by researchers Clément Lecigne of Google's Threat Analysis Group and Donncha Cearbhaill, the head of Amnesty International's Security Lab, the vulnerabilities have been exploited in tandem to achieve full device compromise - with the likely goal to install spyware on target devices. CVE-2023-28206 is an out-of-bounds write issue in IOSurfaceAccelerator that can be exploited by a malicious app to execute arbitrary code with kernel privileges.

Simply put, there were zero days during which even the most proactive and cybersecurity conscious users amongst us could have been patched in advance of the crooks. Just to be clear: the Apple Safari browser uses WebKit for "Processing web content" on all Apple devices, although third-party browsers such as Firefox, Edge and Chromium don't use WebKit on Mac.