Tag: Exploit

Multiple active exploits could affect iPhone use of Bluetooth.

Flipper Zero hacker tool could be used to trigger iPhone DDoS attack using Bluetooth signals by AirPods, HomeKit accessories, etc. These signals usually trigger popup on iPhone allowing to connect to headphones or perform other actions. Crafting these signals in a specific way could result in iOS restart.

Newly discovered BLUFFS attack could be used to impersonate devices and trigger disclosure of private information. It is not yet clear, if AirDrop is affected by this attack as it uses more than just Bluetooth to authenticate the device. However, it is still possible to hijack audio or other Bluetooth connection. Fix would require device manufacturers to modify security mechanisms of Bluetooth stack.

References:

• Flipper Zero can still crash iPhones running the latest version of iOS 17
• Bluetooth security flaws allow connections to be hijacked; AirDrop unlikely to be affected [U]

Safari now suffers from new exploit allowing malicious website to render arbitrary webpage and extract information out of it.

As of now, there is a workaround requiring access to developer menu on macOS.

Paste the following command in Terminal: defaults write com.apple.Safari IncludeInternalDebugMenu 1

Open Safari and select "Debug" from the menu bar, select "WebKit Internal Features" then Scroll down and click "Swap Processes on Cross-Site Window Open"

AppleInsider

It is expected that this vulnerability will be fixed by Apple in upcoming software updates.

Disclosure: iLeakage

References:

• iLeakage attack resurrects Spectre with password and website data extraction
• iLeakage flaw could force iPhones and Macs to divulge passwords and more

Apple issues iOS/iPadOS 15.7.9, macOS 11.7.10, macOS 12.6.9. These updates fix important security issues including remote code execution with specially crafted image.

References:

• macOS 12.6.9 and macOS 11.7.10
• Apple releases iOS 15.7.9 with ‘important security fixes’
• Apple Releases iOS 15.7.9, iPadOS 15.7.9, macOS 12.6.9 and macOS 11.7.10

Apple releases iOS and iPadOS 16.6.1, macOS Ventura 13.5.2 and watchOS 9.6.2. These releases contain security updates addressing zero day vulnerabilities.

Apple Support:

• About the security content of macOS Ventura 13.5.2
• About the security content of iOS 16.6.1 and iPadOS 16.6.1
• About the security content of watchOS 9.6.2

References:

• iOS 16.6.1 for iPhone now available with important security fixes
• PSA: Make Sure to Update, iOS 16.6.1 and macOS 13.5.2 Address Actively Exploited Vulnerability
• Apple fixed zero-day exploit used by Pegasus spyware with iOS 16.6.1
• Exploit patched in iOS 16.6.1 update delivered Pegasus spyware
• iOS 16.6.1 patches security vulnerabilities in Wallet and more

Exploit in macOS App Management subsystem allowing modification of signed applications was reported to Apple 10 months ago, but is still not resolved. Apple did fix other exploits though.

Johnson says the overwriting of the file completely bypasses App Management in macOS 13.5.1. "The straightforwardness and ease of the bypass is truly stunning."

AppleInsider

No comments from Apple are currently available.

Jeff Johnson: macOS 0day: App Management

Reference: macOS Ventura App Management exploit revealed 10 months after discovery

Apple now no longer allows downgrade from iOS 16.3. This comes together with the news that previous iOS releases were subject to exploit allowing to get user's location if that permission was not given to the application.

Apple did not disclose details of this exploit.

Maps

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-23503: an anonymous researcher

About the security content of iOS 16.3 and iPadOS 16.3

Apple Support: About the security content of iOS 16.3 and iPadOS 16.3

References:

• Apple Stops Signing iOS 16.2 Following iOS 16.3 Launch, Downgrading No Longer Possible
• Was a Popular Brazilian Food Delivery App Bypassing Apple’s Location Privacy Settings on iOS?
• Apple Maps privacy bug may have allowed apps to collect location data without permission
• Was this Brazilian major app bypassing Apple's location privacy on iOS?
• Bypassing iOS 16.2 Location Privacy

The exploit which was fixed in iOS 16.2 provided a way for a developer to change system font on iPhone.

Zhuowei Zhang shared a story behind his proof-of-concept app. App itself is available as source code on GitHub.

Apple Support: About the security content of iOS 16.2 and iPadOS 16.2

GitHub: WDBFontOverwrite

Reference: Developer uses iOS 16 exploit to change system font without jailbreak

Apple releases bug fix releases – iOS and iPadOS 15.4.1, macOS 12.3.1 and watchOS 8.5.1. HomePod software is also updated to 15.4.1 version.

iOS fixes include battery drain fix, macOS Monterey now should have Bluetooth game controllers working properly.

Reference:

• Apple releases iOS 15.4.1 with battery issues fix for iPhone and iPad
• Apple Releases watchOS 8.5.1 With Security Updates and Bug Fixes
• Apple Releases HomePod 15.4.1 Software With Siri Fix
• Apple Releases iOS 15.4.1 With Fix for Battery Drain Issue
• Apple Releases macOS Monterey 12.3.1 With Bluetooth and Display Fixes
• macOS 12.3.1 fixes bug affecting game controllers and other Bluetooth devices
• Apple fixes multiple zero-day exploits with iOS 15.4.1 and macOS 12.3.1

New "SysJoker" cross-platform exploit now can infect machines with different OSes.

Interestingly, this exploit uses Universal Binary allowing it to run on Intel and Apple Silicon Macs. Code is signed with ad-hoc certificate. New certificates could be used in the future.

The files and directories created by SysJoker include:
/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist
The persistence code is under the path LibraryLaunchAgents/com.apple.update.plist. If the files are found on a Mac, it is advised to kill off all related processes and delete the files.

AppleInsider

Reference: macOS, Windows, Linux all targeted by new cross-platform exploit

Log4j is a popular Java logging package used by many backends.

Details of the vulnerability are available here, and according to reports, also libraries or solutions using Apache log4j (we are talking about Steam, iCloud or Minecraft servers) are also vulnerable. Solutions using the Struts library are also probably vulnerable.

Affected log4j versions: 2.0 <= Apache log4j <= 2.14.1