Apple T2 chip vulnerability allows password brute-force attacks

Vulnerability in T2 chip used in recent Intel-based Macs allow brute-force attacks on system password, making FileVault storage crackable in reasonable time when password is short enough.

Apple Silicon Macs are unaffected by this vulnerability. On the other hand, Macs without T2 chip are easier to be brute-forced.

Use strong passwords

Time to decrypt the password depends on its length and usage of special characters. Also, avoid usage of "dictionary words" as passwords.

Reference: T2 Mac security vulnerability means passwords can now be cracked

Safari bug leaks user information, allowing user tracking

Safari 15 is exposing IndexedDB data to opened sites and in tabs and recently opened.

Sites cannot read contents of IndexedDB, however, names of databases are accessible to all sites. Google keeps user ID as a part of database name allowing cross-site tracking.

Use alternate browsers, until fix is released

Even Private Mode is vulnerable, no workarounds are available at the time.
iOS alternate browsers are also vulnerable, and Private Mode does not fully protect from tracking.

Users should use alternate browsers on macOS and wait for Apple's fix.

Live demo: Safari Leaks


Microsoft discovered flaw in macOS, it was fixed in 12.1

Microsoft found a vulnerability called "Powerdir" in macOS. This vulnerability was addressed in macOS 12.1 Monterey.

According to Microsoft, the "Powerdir" security flaw could allow a fake TCC database to be planted. TCC is a long running macOS function that lets users configure the privacy settings of their apps, and with the fake database, a malicious person could hijack an app installed on a Mac or install their own malicious app, accessing the microphone and camera to obtain sensitive info. 


Apple Support: About the security content of macOS Monterey 12.1

Reference: Microsoft Discovered New 'Powerdir' macOS Vulnerability, Fixed in 12.1 Update

HomeKit vulnerability could affect iPhone responsiveness

Security researcher found an issue with HomeKit which could make iPhone unusable. Issue is triggered by very long HomeKit device name (more than 500,000 characters).

This issue will affect first the Home app and if this device appears on Control Center, the whole iOS will become unresponsive or sluggish.

Issue is still present in current iOS and iPadOS releases.

Public disclosure: doorLock

Reference: This HomeKit bug could make your iPhone completely unusable; here are the details

[UPDATED] RCE 0-day exploit found in log4j

Log4j is a popular Java logging package used by many backends.

Details of the vulnerability are available here, and according to reports, also libraries or solutions using Apache log4j (we are talking about Steam, iCloud or Minecraft servers) are also vulnerable. Solutions using the Struts library are also probably vulnerable.

Affected log4j versions: 2.0 <= Apache log4j <= 2.14.1

Apple issues an apology to security researcher

As reported earlier, Apple seemed to ignore reports on zero-day vulnerabilities in iOS. Now story continues with report from Denis Tokarev. Apple contacted him and apologized for the delays in response.

"We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," an Apple employee wrote. "We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions."