Apple released a security update for iOS and iPadOS to patch multiple vulnerabilities, including one that could leak sensitive information when visiting a malicious website and one that allows an attacker to display false information in the address bar.
In total, 29 vulnerabilities were patched, most of them in WebKit, Apple’s web rendering engine that powers Safari and renders webpages in other apps. The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Read more…
Source: Malwarebytes Labs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Command Injection and Local File Inclusion in Grafana: CVE-2024-9264
October 24, 2024
The SonicWall Capture Labs threat research team became aware of a critical vulnerability in Grafana, assessed its impact and developed mitigation measures. Grafana is a multi-platform open-source analytics and visualization solution that can produce charts, graphs and alerts according to the data. Identified as CVE-2024-9264, Grafana versions 11.0.x, 11.1.x and 11.2.x allows an attacker with ‘viewer’ ...
- The Crypto Game of Lazarus APT: Investors vs. Zero-days
October 23, 2024
On May 13, 2024, Kaspersky consumer-grade product Kaspersky Total Security detected a new Manuscrypt infection on the personal computer of a person living in Russia. Since Lazarus rarely attacks individuals, this piqued Kaspersky researchers interest and they decided to take a closer look. The researchers discovered that prior to the detection of Manuscrypt, Kaspersky technologies also ...
- VMWare vCenter Server CVE-2024-38812 DCERPC Vulnerability
October 23, 2024
CVE-2024-38812 is a critical heap-overflow vulnerability identified in VMware vCenter Server’s implementation of the DCERPC (Distributed Computing Environment/Remote Procedure Call) protocol. This flaw allows a malicious actor with network access to the vCenter Server to send specially crafted packets, potentially leading to remote code execution (RCE). The vulnerability, classified under CWE-122 (Heap-based Buffer Overflow), arises when ...
- Code Injection in Spring Cloud: CVE-2024-37084
October 18, 2024
The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-37084, assessed its impact, and developed mitigation measures for this vulnerability. CVE-2024-37084 is a critical vulnerability affecting Spring Cloud Data Flow versions 2.11.0 through 2.11.3. A malicious user with access to the Skipper server API can exploit a flaw in the upload request process, ...
- New macOS vulnerability, “HM Surf”, could lead to unauthorized data access
October 17, 2024
Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration ...
- Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism
October 17, 2024
Unit 42 researchers have found that certain third-party utilities and applications pertaining to archiving, virtualization and Apple’s native command-line tools do not enforce the quarantine attribute. This can pose a threat to the integrity of a security feature on macOS known as Gatekeeper, which is responsible for ensuring that only trusted software runs on the system. ...