Cryptography flaw is reported in Apple Silicon chips

Security researchers found a flaw in Apple Silicon chips that allows encryption key extraction. The flaw might require additional time for Apple to come up with a fix, and the fix itself might also have a performance impact.

M1 and M2 chips are affected. The M3 chip has an option to disable the performance optimization that leads to the security flaw.

Security researchers were able to demonstrate the flaw against several encryption algorithms.

Ars Technica: Unpatchable vulnerability in Apple chip leaks secret encryption keys

Security flaw discovered in previous-generation Apple Silicon chip GPUs

Apple Silicon chips used in iPhones, iPads and Macs are affected by a security flaw in the GPU that allows unauthorized access to memory used by an app. This might affect LLM inference models and expose personal information to attacker apps.

While the vulnerability requires access to the user's device, there could be vectors allowing it to be triggered remotely (by combining it with other exploits).

It is confirmed that the A12 and M2 chips are affected by the vulnerability, while the A17 Pro and M3 are not.

Details emerge on complicated multi-stage iMessage exploit attack on iOS

Security researchers uncover the 'most sophisticated' iPhone attack they have 'ever seen'. The attack used multiple zero-day exploits with zero-click activation, gaining root access to the device via a specially crafted iMessage payload.

This attack is considered more sophisticated than the previously known Pegasus software.

The vulnerabilities were closed in iOS/iPadOS 16.2.

Bluetooth communications are still not safe in 2023

Multiple active exploits could affect iPhone Bluetooth use.

The Flipper Zero hacker tool could be used to trigger an iPhone DDoS attack using Bluetooth signals of the kind sent by AirPods, HomeKit accessories, etc. These signals usually trigger a popup on the iPhone offering to connect to headphones or perform other actions. Crafting these signals in a specific way could result in an iOS restart.

The newly discovered BLUFFS attack could be used to impersonate devices and trigger disclosure of private information. It is not yet clear whether AirDrop is affected by this attack, as it uses more than just Bluetooth to authenticate the device. However, it is still possible to hijack audio or other Bluetooth connections. A fix would require device manufacturers to modify the security mechanisms of the Bluetooth stack.

Safari could be exploited with new iLeakage attack

Safari now suffers from a new exploit allowing a malicious website to render an arbitrary webpage and extract information from it.

As of now, there is a workaround that requires access to the developer menu on macOS.

Paste the following command in Terminal: defaults write com.apple.Safari IncludeInternalDebugMenu 1

Open Safari and select "Debug" from the menu bar, select "WebKit Internal Features", then scroll down and click "Swap Processes on Cross-Site Window Open".

AppleInsider

It is expected that Apple will fix this vulnerability in upcoming software updates.

Disclosure: iLeakage

macOS 13 Ventura exploit is revealed 10 months after discovery

An exploit in the macOS App Management subsystem, allowing modification of signed applications, was reported to Apple 10 months ago but is still not resolved. Apple did fix other exploits, though.

Johnson says the overwriting of the file completely bypasses App Management in macOS 13.5.1. "The straightforwardness and ease of the bypass is truly stunning."

AppleInsider

No comments from Apple are currently available.

Jeff Johnson: macOS 0day: App Management

Reference: macOS Ventura App Management exploit revealed 10 months after discovery

Apple stops signing iOS 16.2

Apple no longer allows downgrading from iOS 16.3. This comes together with the news that previous iOS releases were subject to an exploit that allowed an app to obtain the user's location even if that permission was not granted to the application.

Apple did not disclose details of this exploit.

Maps

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-23503: an anonymous researcher

Apple Support: About the security content of iOS 16.3 and iPadOS 16.3

Developer used iOS 16 exploit to change system font without jailbreak

The exploit, which was fixed in iOS 16.2, provided a way for a developer to change the system font on an iPhone.

Zhuowei Zhang shared the story behind his proof-of-concept app. The app itself is available as source code on GitHub.

Apple Support: About the security content of iOS 16.2 and iPadOS 16.2

GitHub: WDBFontOverwrite

Reference: Developer uses iOS 16 exploit to change system font without jailbreak