Bluetooth communications are still not safe in 2023

Multiple active exploits could affect Bluetooth use on the iPhone.

The Flipper Zero hacker tool can be used to trigger an iPhone DDoS attack using the Bluetooth signals normally sent by AirPods, HomeKit accessories and similar devices. These signals usually trigger a popup on the iPhone offering to connect to headphones or perform other actions. Crafting them in a specific way can cause iOS to restart.

The newly discovered BLUFFS attack can be used to impersonate devices and trigger disclosure of private information. It is not yet clear whether AirDrop is affected, as it uses more than just Bluetooth to authenticate the peer device. However, it is still possible to hijack audio or other Bluetooth connections. A fix would require device manufacturers to modify the security mechanisms of their Bluetooth stacks.


Safari could be exploited with new iLeakage attack

Safari now suffers from a new exploit that allows a malicious website to render an arbitrary webpage and extract information from it.

As of now, there is a workaround that requires access to Safari's hidden Debug menu on macOS.

Paste the following command in Terminal: defaults write com.apple.Safari IncludeInternalDebugMenu 1

Open Safari and select "Debug" from the menu bar, select "WebKit Internal Features", then scroll down and click "Swap Processes on Cross-Site Window Open"

AppleInsider

It is expected that this vulnerability will be fixed by Apple in upcoming software updates.

Disclosure: iLeakage


macOS 13 Ventura exploit is revealed 10 months after discovery

An exploit in the macOS App Management subsystem that allows modification of signed applications was reported to Apple 10 months ago but is still not resolved, although Apple did fix other exploits in the meantime.

Johnson says the overwriting of the file completely bypasses App Management in macOS 13.5.1. "The straightforwardness and ease of the bypass is truly stunning."

AppleInsider

No comments from Apple are currently available.

Jeff Johnson: macOS 0day: App Management

Reference: macOS Ventura App Management exploit revealed 10 months after discovery

Apple stops signing iOS 16.2

Apple no longer allows a downgrade from iOS 16.3. This comes together with the news that previous iOS releases were subject to an exploit that allowed an app to obtain the user's location even when that permission had not been granted to the application.

Apple did not disclose details of this exploit.

Maps

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: A logic issue was addressed with improved state management.

CVE-2023-23503: an anonymous researcher

About the security content of iOS 16.3 and iPadOS 16.3

Apple Support: About the security content of iOS 16.3 and iPadOS 16.3


Developer used iOS 16 exploit to change system font without jailbreak

The exploit, which was fixed in iOS 16.2, provided a way for a developer to change the system font on an iPhone.

Zhuowei Zhang shared the story behind his proof-of-concept app. The app itself is available as source code on GitHub.

Apple Support: About the security content of iOS 16.2 and iPadOS 16.2

GitHub: WDBFontOverwrite

Reference: Developer uses iOS 16 exploit to change system font without jailbreak

Cross-platform exploit targets Linux, Windows and macOS

The new "SysJoker" cross-platform exploit can infect machines running different OSes.

Interestingly, this exploit is built as a Universal Binary, allowing it to run on both Intel and Apple Silicon Macs. The code is signed with an ad-hoc certificate; new certificates could be used in the future.

The files and directories created by SysJoker include:
/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist

The persistence code is under the path /Library/LaunchAgents/com.apple.update.plist. If the files are found on a Mac, it is advised to kill off all related processes and delete the files.

AppleInsider
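As an added example (not from the article or from AppleInsider), a POSIX shell check that reports whether the SysJoker paths listed above are present on a Mac; the optional root-prefix argument and the launchctl label check are my additions, the former so the function can be exercised against a scratch directory, the latter to catch a job that is still loaded after the plist was removed.

```shell
#!/bin/sh
# Added example: scan for the SysJoker file paths quoted in the report above.
# Reports only; it deletes nothing. Usage: sysjoker_scan [root-prefix]

# Paths taken verbatim from the report above.
SYSJOKER_PATHS="/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist"

# Print each indicator found under $1 (default: the live system root "/").
# Returns 0 when no indicator is present, 1 when at least one is.
sysjoker_scan() {
  root="${1:-}"          # empty prefix means scan the real filesystem
  found=0
  for p in $SYSJOKER_PATHS; do
    if [ -e "${root}${p}" ]; then
      echo "FOUND: ${root}${p}"
      found=$((found + 1))
    fi
  done
  # Only on a live scan: the LaunchAgent label from the plist path above may
  # still be loaded in launchd even if the file itself has been deleted.
  if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
    if launchctl list 2>/dev/null | grep -q 'com\.apple\.update$'; then
      echo "FOUND: launchd job com.apple.update is loaded"
      found=$((found + 1))
    fi
  fi
  echo "indicators found: $found"
  if [ "$found" -eq 0 ]; then
    return 0
  else
    return 1
  fi
}

# Run against the live system when executed directly (not when sourced).
if [ "${0##*/}" = "sysjoker_scan.sh" ]; then
  sysjoker_scan
fi
```

A non-zero exit status from the function means at least one indicator was found, so it can be dropped straight into a fleet check that alerts on failure.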

Reference: macOS, Windows, Linux all targeted by new cross-platform exploit

[UPDATED] RCE 0-day exploit found in log4j

Log4j is a popular Java logging package used by many backends.

Details of the vulnerability are available here. According to reports, libraries and services built on Apache log4j (Steam, iCloud and Minecraft servers among them) are also vulnerable, and solutions using the Struts library are probably vulnerable as well.

Affected log4j versions: 2.0 <= Apache log4j <= 2.14.1