Nov 2, 2021

Apple Patches Critical iOS Bugs; One Under Attack

Researchers found that one critical flaw in question is exploitable from the browser, allowing watering-hole attacks.
Apple lovers who haven’t yet updated to iOS 15, you may want to pop into Settings to freshen up your iPhone now: Apple has released several critical security updates that might light a fire under your britches.
On Monday and Tuesday, Apple released iOS 14.8.1, iPadOS 14.8.1, watchOS 8.1 and tvOS 15.1, patching 24 CVEs in total.
Apple’s security page has all the details about the CVEs, which include multiple issues in iOS components that, if exploited, could lead to arbitrary code execution, sometimes with kernel privileges that would let an attacker get to the heart of the operating system.
In one case – a memory-corruption issue in IOMobileFrameBuffer for Apple TV – Apple said that it’s “aware of a report that this issue may have been actively exploited” – a “maybe” that researchers confirmed.

This one is particularly worrisome, given that researchers already found that the flaw is exploitable from the browser, making it “perfect for one-click & waterholing mobile attacks,” mobile security firm ZecOps said earlier this month.
We can confirm that the recently patched iOS 15.0.2 vulnerability, CVE-2021-30883, is also accessible from the browser: perfect for 1-click & water-holing mobile attacks. This vulnerability is exploited in the wild. Update as soon as possible. https://t.co/dhogxTM6pT
— ZecOps (@ZecOps) October 12, 2021

In a watering-hole attack, a threat actor plants malware on websites that could attract a target, in hopes that somebody will eventually drop in and get infected.
Understandably, Apple keeps a lid on details that might help more attackers do damage. What we do know is that this bug could allow an application to execute arbitrary code with kernel privileges.
Malwarebytes Labs has a nice rundown on other security-related bugs that stand out in the two dozen CVEs Apple addressed this week.
Earlier this year, Apple announced that it was giving users a choice: They could update to iOS 15 as soon as it’s released, or they could stay on iOS 14 but still get important security updates until they’re ready to upgrade.
Why the choice? Some suggested it might have to do with an “urban legend” about Apple slowing down older phones on purpose in order to prod people into upgrading.
Maybe that’s just an oft-circulated conspiracy theory, but it’s rooted in legal comeuppance, at least with regards to battery life: Apple admitted to slowing down phones in 2017 as a way to prevent old batteries from randomly shutting devices off. In November of last year, the company was fined $113 million to settle an investigation into what was known as iPhone “batterygate.”