Security News
Apple has pushed out security updates that fix two actively exploited zero-day vulnerabilities in macOS, iOS and iPadOS. Reported by researchers Clément Lecigne of Google's Threat Analysis Group and Donncha Cearbhaill, the head of Amnesty International's Security Lab, the vulnerabilities have been exploited in tandem to achieve full device compromise - with the likely goal to install spyware on target devices. CVE-2023-28206 is an out-of-bounds write issue in IOSurfaceAccelerator that can be exploited by a malicious app to execute arbitrary code with kernel privileges.
Simply put, there were zero days during which even the most proactive and cybersecurity conscious users amongst us could have been patched in advance of the crooks. Just to be clear: the Apple Safari browser uses WebKit for "Processing web content" on all Apple devices, although third-party browsers such as Firefox, Edge and Chromium don't use WebKit on Mac.
Apple has released emergency updates to backport security patches released on Friday, addressing two actively exploited zero-day flaws also affecting older iPhones, iPads, and Macs. The second zero-day is a WebKit use after free that can let threat actors execute malicious code on compromised iPhones, Macs, or iPads after tricking their targets into loading malicious web pages.
The Cybersecurity and Infrastructure Security Agency ordered federal agencies to patch two security vulnerabilities actively exploited in the wild to hack iPhones, Macs, and iPads. According to a binding operational directive issued in November 2022, Federal Civilian Executive Branch Agencies agencies are required to patch their systems against all security bugs added to CISA's Known Exploited Vulnerabilities catalog.
Apple has released emergency security updates to address two new zero-day vulnerabilities exploited in attacks to compromise iPhones, Macs, and iPads. Last week, Google TAG and Amnesty International exposed two recent series of attacks using exploit chains of Android, iOS, and Chrome zero-day and n-day flaws to deploy mercenary spyware.
Apple has released security updates for - pardon the pop-culture reference - everyhing everywhere all at once, and has fixed the WebKit vulnerability exploited in the wild for users of older iPhones and iPads. The presently most important fix among those delivered is the one for CVE-2023-23529, a type confusion issue in the WebKit browser engine, which can be triggered by maliciously crafted web content and ultimately allow code execution.
Apple has released security updates to backport patches released last month, addressing an actively exploited zero-day bug for older iPhones and iPads. "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited," Apple describes the zero-day.
The Russian report, citing several sources who attended an event in Moscow earlier this month, noted that the country's presidential administration employees have until April 1 to replace their iPhones with Android-based smartphones, or others with Chinese or Aurora operating systems. Aurora is a Linux-based smartphone OS developed by Open Mobile Platform, which is owned by Russian IT firm Rostelecom.
Microsoft announced today an early preview of Phone Link for iPhone users available to Windows Insiders running the latest Windows 11 builds. "The preview will begin rolling out to Insiders who have opted in their device into one of the 3 Insider Channels via Settings > Windows Update > Windows Insider Program," Microsoft Senior Program Manager Brandon LeBlanc said.
Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS. The first flaw is a race condition in the Crash Reporter component that could enable a malicious actor to read arbitrary files as root. "An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges," Apple said, adding it patched the issues with "Improved memory handling."