Security News

Google on Friday rolled out an emergency security patch to its Chrome web browser to address a security flaw that's known to have an exploit in the wild. Tracked as CVE-2021-37973, the vulnerability has been described as use after free in Portals API, a web page navigation system that enables a page to show another page as an inset and "Perform a seamless transition to a new state, where the formerly-inset page becomes the top-level document."

Upset with Apple's handling of its Security Bounty program, a bug researcher has released proof-of-concept exploit code for three zero-day vulnerabilities in Apple's newly released iOS 15 mobile operating system. "I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page," the researcher wrote.

Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux, an emergency update addressing a high-severity zero-day vulnerability exploited in the wild. The update was available immediately when BleepingComputer manually checked for new updates from Chrome menu > Help > About Google Chrome.

One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools. Powerful groups are all pouring heaps of cash into zero-days to use for themselves - and they're reaping the rewards.

Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges. Apple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of same vulnerabilities, CVE-2021-30869, that also affects macOS. The XNU kernel vulnerability - the discovery of which was attributed to Google researchers Erye Hernandez and Clemente Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero - is a type-confusion issue that Apple addressed with "Improved state handling," according to its advisory.

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher. The unknown researcher who found the four zero-days reported them to Apple between March 10 and May 4.

Another zero-day in Apple's software is being actively exploited by attackers, forcing the company to push out security updates for macOS Catalina and iOS 12. Flagged by researchers Erye Hernandez and Clément Lecigne of Google's Threat Analysis Group and Ian Beer of Google Project Zero, the vulnerability is a type confusion issue found in XNU, the kernel of Apple's macOS and iOS operating systems.

Apple has warned iPhone and Mac users that it's aware of a zero-day bug that's being actively exploited. It's a nasty flaw, as it's in the XNU kernel at the heart of Apple's operating systems including macOS and iOS. As Apple's advisory explains, that means "A malicious application may be able to execute arbitrary code with kernel privileges".

If you've already listened to this week's Naked Security Podcast you'll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this Monday. So when iOS 14 got updated in the last couple of patch cycles, but iOS 12 didn't, we couldn't tell whether it was still safe and didn't need the patches, whether it needed the patches but they'd be a bit late, or whether it needed the patches but would never get them.

A flaw in a widely used internet-of-things infrastructure code left more than 100 million devices across 10,000 enterprises vulnerable to attacks. Researchers at Guardara used their technology to find a zero-day vulnerability in NanoMQ, an open-source platform from EMQ that monitors IoT devices in real time, then acts as a "Message broker" to deliver alerts that atypical activity has been detected.