iOS | Breaking Cybersecurity News | The Hacker News

Details have emerged about a now-patched security vulnerability in Apple's iOS and macOS that, if successfully exploited, could sidestep the Transparency, Consent, and Control ( TCC ) framework and result in unauthorized access to sensitive information. The flaw, tracked as CVE-2024-44131 (CVSS score: 5.3), resides in the FileProvider component, per Apple, and has been addressed with improved validation of symbolic links (symlinks) in iOS 18, iPadOS 18 , and macOS Sequoia 15 . Jamf Threat Labs, which discovered and reported the flaw, said the TCC bypass could be exploited by a rogue installed on the system to grab sensitive data without users' knowledge. TCC serves as a critical security protection in Apple devices, giving end users a way to allow or deny a request from apps to access sensitive data, such as GPS location, contacts, and photos, among others. "This TCC bypass allows unauthorized access to files and folders, Health data, the microphone or camera, and m...

Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild. The flaws are listed below - CVE-2024-44308 (CVSS score: 8.8)  - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content CVE-2024-44309 (CVSS score: 6.1)  - A cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack when processing malicious web content The iPhone maker said it addressed CVE-2024-44308 and CVE-2024-44309 with improved checks and improved state management, respectively.  Not much is known about the exact nature of the exploitation, but Apple has acknowledged that the pair of vulnerabilities "may have been actively exploited on Intel-based Mac systems." Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG) have been credited with discovering and report...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

Apple has released iOS and iPadOS updates to address two security issues, one of which could have allowed a user's passwords to be read out aloud by its VoiceOver assistive technology. The vulnerability, tracked as CVE-2024-44204, has been described as a logic problem in the new Passwords app impacting a slew of iPhones and iPads. Security researcher Bistrit Daha has been credited with discovering and reporting the flaw. "A user's saved passwords may be read aloud by VoiceOver," Apple said in an advisory released this week, adding it was resolved with improved validation.  The shortcoming impacts the following devices - iPhone XS and later iPad Pro 13-inch iPad Pro 12.9-inch 3rd generation and later iPad Pro 11-inch 1st generation and later iPad Air 3rd generation and later iPad 7th generation and later, and iPad mini 5th generation and later Also patched by Apple is a security vulnerability (CVE-2024-44207) specific to the newly launched iPhone 16 mo...

Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE). "This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information," Vladimir Tokarev of the Microsoft Threat Intelligence Community said . That said, the exploit, presented by Black Hat USA 2024, requires user authentication and an advanced understanding of OpenVPN's inner workings. The flaws affect all versions of OpenVPN prior to version 2.6.10 and 2.5.10. The list of vulnerabilities is as follows - CVE-2024-27459 - A stack overflow vulnerability leading to a Denial-of-service (DoS) and LPE in Windows CVE-2024-24974 - Unauthorized access to the "\\openvpn\\service" named pipe in Windows, allowing an attacker to remotely inte...

A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risks. The vulnerabilities allow "any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications," E.V.A Information Security researchers Reef Spektor and Eran Vaknin said in a report published today. The Israeli application security firm said the three issues have since been patched by CocoaPods as of October 2023. The project maintainers also reset all user sessions at the time in response to the disclosures. One of the vulnerabilities is CVE-2024-38368 (CVSS score: 9.3), which makes it possible for an attacker to abuse the " Claim Your Pods " process and take control of a package, effectively allowing them to tamper with the source code and int...

Apple and Google on Monday officially announced the rollout of a new feature that notifies users across both iOS and Android if a Bluetooth tracking device is being used to stealthily keep tabs on them without their knowledge or consent. "This will help mitigate the misuse of devices designed to help keep track of belongings," the companies said in a joint statement, adding it aims to address "potential risks to user privacy and safety." The proposal for a cross-platform solution was  originally unveiled  exactly a year ago by the two tech giants. The capability – dubbed " Detecting Unwanted Location Trackers " (DULT) – is available in Android devices running versions 6.0 and later, and iOS devices with iOS 17.5, which was officially shipped yesterday. As part of the industry specification, Android users will  receive  a "Tracker traveling with you" alert if an unidentified Bluetooth tracking device is detected as moving along with them over...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday  added  a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability, tracked as  CVE-2022-48618  (CVSS score: 7.8), concerns a bug in the kernel component. "An attacker with arbitrary read and write capability may be able to bypass  Pointer Authentication ," Apple said in an advisory, adding the issue "may have been exploited against versions of iOS released before iOS 15.7.1." The iPhone maker said the problem was addressed with improved checks. It's currently not known how the vulnerability is being weaponized in real-world attacks. Interestingly, patches for the flaw were released on December 13, 2022, with the release of  iOS 16.2, iPadOS 16.2 ,  macOS Ventura 13.1 ,  tvOS 16.2 , and  watchOS 9.2 , although it was only publicly discl...

Apple on Monday released  security patches  for iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser to address multiple security flaws, in addition to backporting fixes for two recently disclosed zero-days to older devices. This includes updates for  12 security vulnerabilities  in iOS and iPadOS spanning AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit.  macOS Sonoma 14.2 , for its part, resolves 39 shortcomings, counting six bugs impacting the  ncurses library . Notable among the flaws is  CVE-2023-45866 , a critical security issue in Bluetooth that could allow an attacker in a privileged network position to inject keystrokes by spoofing a keyboard. The vulnerability was disclosed by SkySafe security researcher Marc Newlin last week. It has been remediated in iOS 17.2, iPadOS 17.2, and macOS Sonoma 14.2 with improved checks, the iPhone maker said. Also released by Apple is  Safari 17.2 , co...

A collection of security flaws in the firmware implementation of 5G mobile network modems from major chipset vendors such as MediaTek and Qualcomm impact USB and IoT modems as well as hundreds of smartphone models running Android and iOS. Of the 14 flaws – collectively called  5Ghoul  (a combination of "5G" and "Ghoul") – 10 affect 5G modems from the two companies, out of which three have been classified as high-severity vulnerabilities. "5Ghoul vulnerabilities may be exploited to continuously launch attacks to drop the connections, freeze the connection that involve manual reboot or downgrade the 5G connectivity to 4G," the researchers  said  in a study published today. As many as 714 smartphones from 24 brands are impacted, including those from Vivo, Xiaomi, OPPO, Samsung, Honor, Motorola, realme, OnePlus, Huawei, ZTE, Asus, Sony, Meizu, Nokia, Apple, and Google. The vulnerabilities were disclosed by a team of researchers from the ASSET (Automated ...

A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices. Tracked as  CVE-2023-45866 , the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim. "Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes," said security researcher  Marc Newlin , who  disclosed  the flaws to the software vendors in August 2023. Specifically, the attack deceives the target device into thinking that it's connected to a Bluetooth keyboard by taking advantage of an "unauthenticated pairing mechanism" that's defined in the Bluetooth specification. Successful exploitation of the flaw could permit an adversary in close physical proximity to connect to a vulnerable device and trans...

New findings have identified connections between an Android spyware called DragonEgg and another sophisticated modular iOS surveillanceware tool named LightSpy . DragonEgg , alongside WyrmSpy (aka AndroidControl), was  first disclosed  by Lookout in July 2023 as a strain of malware capable of gathering sensitive data from Android devices. It was attributed to the Chinese nation-state group APT41. On the other hand, details about LightSpy came to light in March 2020 as part of a campaign dubbed  Operation Poisoned News  in which Apple iPhone users in Hong Kong were targeted with watering hole attacks to install the spyware. Now, according to Dutch mobile security firm ThreatFabric, DragonEgg attack chains involve the use of a trojanized Telegram app that's designed to download a second-stage payload (smallmload.jar), which, in turn, is configured to download a third component codenamed Core. Further analysis of the artifacts has revealed that the Android varian...

Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16. The list of security vulnerabilities is as follows - CVE-2023-41991  - A certificate validation issue in the Security framework that could allow a malicious app to bypass signature validation. CVE-2023-41992  - A security flaw in Kernel that could allow a local attacker to elevate their privileges. CVE-2023-41993  - A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content. Apple did not provide additional specifics barring an acknowledgement that the "issue may have been actively exploited against versions of iOS before iOS 16.7." The updates are available for the following devices and operating systems - iOS 16.7 and iPadOS 16.7  - iPhone 8 and later, iPad Pro (all mo...

Apple has  rolled out security updates  to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as  CVE-2023-38606 , the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1," the tech giant noted in its advisory. It's worth noting that CVE-2023-38606 is the fourth security vulnerability discovered in connection with  Operation Triangulation , a sophisticated mobile cyber espionage campaign targeting iOS devices since 2019 using a zero-click exploit chain. The other two zero-days,  CVE-2023-32434 and CVE-2023-32435 , were patched by Apple last month. A third shortcoming, CVE-2022-46690 , was addressed as part...

Apple has released  Rapid Security Response  updates for iOS, iPadOS, macOS, and Safari web browser to  address  a zero-day flaw that it said has been actively exploited in the wild. The WebKit bug, cataloged as  CVE-2023-37450 , could allow threat actors to achieve arbitrary code execution when processing specially crafted web content. The iPhone maker said it addressed the issue with improved checks. Credited with discovering and reporting the flaw is an anonymous researcher. As with most cases like this, there are scant details about the nature and the scale of the attacks and the identity of the threat actor behind them. But Apple noted in a terse advisory that it's "aware of a report that this issue may have been actively exploited." The updates, iOS 16.5.1 (a), iPadOS 16.5.1 (a), macOS Ventura 13.4.1 (a), and Safari 16.5.2, are available for devices running the following operating system versions: iOS 16.5.1 and iPadOS 16.5.1 macOS Ventura 13.4.1 ...

Apple on Friday released security updates for  iOS, iPadOS ,  macOS , and  Safari web browser  to address a pair of zero-day flaws that are being exploited in the wild. The two vulnerabilities are as follows - CVE-2023-28205  - A  use after free issue  in WebKit that could lead to arbitrary code execution when processing specially crafted web content. CVE-2023-28206  - An  out-of-bounds write issue  in IOSurfaceAccelerator that could enable an app to execute arbitrary code with kernel privileges. Apple said it addressed CVE-2023-28205 with improved memory management and the second with better input validation, adding it's aware the bugs "may have been actively exploited." Credited with discovering and reporting the flaws are Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab. Details about the two vulnerabilities have been withheld in light of active exploi...

3CX said it's  working on a software update  for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers. "The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL," SentinelOne researchers  said . The cybersecurity firm is tracking the activity under the name SmoothOperator , stating the threat actor registered a massive attack infrastructure as far back as February 2022. There are indications that the attack may have commenced around March 22, 2023. 3CX, the company behind 3CXDesktopApp,  claims  to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American ...

Apple on Monday rolled out security updates for  iOS, iPadOS ,  macOS , and  Safari  to address a zero-day flaw that it said has been actively exploited in the wild. Tracked as  CVE-2023-23529 , the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution. The iPhone maker said the bug was addressed with improved checks, adding it's "aware of a report that this issue may have been actively exploited." An anonymous researcher has been credited with reporting the flaw. It's not immediately clear as to how the vulnerability is being exploited in real-world attacks, but it's the second actively abused type confusion flaw in WebKit to be patched by Apple after  CVE-2022-42856  in as many months, which was closed in December 2022.  WebKit flaws are also notable for the fact that they impact every third-party web browser that's...

Popular instant messaging service WhatsApp has launched support for proxy servers in the latest version of its Android and iOS apps, letting users circumvent government-imposed censorship and internet shutdowns. "Choosing a proxy enables you to connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely," the Meta-owned company  said . Proxies act as an intermediary between end users and the service provider by routing requests originating from a client to the server and forwarding the response back to the device. Users can  access the option  by navigating to Settings > Storage and Data > Proxy > Use Proxy and entering a trusted proxy server address. WhatsApp, which is used by more than two billion users across the world, has also made available a  reference implementation  that can be used to set up a proxy server to help others connect to the service. The company em...

Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code. Tracked as  CVE-2022-42856 , the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to arbitrary code execution. The company said it's "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1." While details surrounding the exact nature of the attacks are unknown as yet, it's likely that it involved a case of social engineering or a watering hole to infect the devices when visiting a rogue or legitimate-but-compromised domain via the browser. It's worth noting that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edg...

A now-patched security flaw in Apple's iOS and macOS operating systems could have potentially enabled apps with Bluetooth access to eavesdrop on conversations with Siri. Apple said "an app may be able to record audio using a pair of connected AirPods," adding it addressed the Core Bluetooth issue in iOS 16.1 with improved entitlements. Credited with discovering and reporting the bug in August 2022 is app developer Guilherme Rambo. The bug, dubbed  SiriSpy , has been assigned the identifier CVE-2022-32946. "Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets," Rambo  said  in a write-up. "This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone." The vulnerability, according to Rambo, relates to a service called DoAP that's included in AirPo...