Download apple security update
1/6/2024
It, in turn, consists largely of spyware that can document texts and emails sent to and from the device as well as switch on its camera and microphone for secret recording.
Citizen Lab was confident that FORCEDENTRY was associated with Pegasus and thus, NSO Group. The exploit, which Citizen Lab dubbed "FORCEDENTRY," had been used to infect the phone of the activist - and possibly others as far back as February 2021 - with the NSO Group's "Pegasus" surveillance suite. "While analyzing the phone of a Saudi activist infected with NSO Group's Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage," Citizen Lab researchers wrote.
It was an out-of-bounds read issue that could have led to the disclosure of kernel memory.
And back in January, Cupertino fixed CVE-2022-22586, a remote code execution (RCE) vulnerability which existed in the IOBuffer component of iOS and pre-Catalina versions of macOS.
Apple credited The Citizen Lab for reporting the flaw.
Also on Monday, Citizen Lab, a cybersecurity watchdog organization that operates from the Munk School of Global Affairs & Public Policy at the University of Toronto, released a report outlining what it found.
If Apple think it’s so serious that they need to go public, then if you haven’t already installed iOS 15.6.1, you need to go and do it right now.”
Apple has patched multiple other zero-days this year, including other issues related to kernel security – CVE-2022-22674, fixed in April, was an Intel Graphics Driver vulnerability patched in macOS Monterey.
Higgins added: “The big risk in publicising a major vulnerability is that now every cyber criminal on the planet knows it exists and Apple users are in a race to update their devices before they can be infected.
It’s very rare for them to go public like this, which means everyone should take this threat seriously and update as soon as they are able.”
“Apple usually rely on software updates to keep their platforms safe and hope that any bugs go largely unnoticed between releases.
“Sometimes platform providers release functions that are so dangerous they need to be fixed immediately to protect applications and devices, and that appears to be the case here,” he said.
Unlike Microsoft, Apple does not adhere to any specific schedule for disclosing vulnerabilities or publishing fixes for them, but Comparitech’s Brian Higgins said the fact that Apple had taken the step of issuing an advisory for the two zero-days made them highly impactful.
The relevant patches update macOS Monterey to version 12.5.1, iOS and iPadOS to version 15.6.1, and Safari to version 15.6.1 for macOS Big Sur and macOS Catalina.
Users can check their update status and download patches through Apple Menu – About this Mac – Software Update on a Mac, or Settings – General – Software Update on an iPhone or iPad.
Kernel vulnerabilities are among some of the most dangerous security issues that a device can face, and so these patches should be prioritised for deployment by organisations running Apple estates.
Consumer users will also be at risk of compromise, but should bear in mind that Apple devices can and do take such updates automatically so they may already have applied the patches.
In layman’s terms, this could give them total control of the device.
CVE-2022-32894 enables a threat actor to use a malicious application to execute arbitrary code with kernel privileges, with the end effect again being to gain control of the target device.
Successfully exploited, CVE-2022-32893 enables a threat actor to achieve arbitrary code execution if the targeted user visits a maliciously crafted website.
Apple said it was aware of reports that both vulnerabilities may already have been actively exploited in the wild – making the need to patch more urgent. Both are out-of-bounds write issues that affect the Safari WebKit web browser extension, and the OS kernel, respectively.