New Exploit Shows We Should Just Skip to iOS 13.1

A contacts exploit was discovered in iOS 13 that lets a person bypass Face ID / Touch ID to see an iPhone’s contacts.

Relatively little is at stake with this exploit. Beyond the inherent danger of an assailant having your iPhone, this method only allows someone to view the contacts within the target iPhone, provided that they have physical access to the target phone and can complete the VoiceOver exploit.

Little is at stake, but there have been so many iOS exploits in the news lately that we might as well go straight to iOS 13.1.

Google's Project Zero Finds 6 iOS 'Interactionless' Bugs

Google’s security team Project Zero recently found six “interactionless” iOS bugs. If sold on the black market they would be worth over US$5 million.

According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim’s phone, and the malicious code will execute once the user opens and views the received item.

The fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, can allow an attacker to leak data from a device’s memory and read files off a remote device – also with no user interaction.

A Fix For That Scary WhatsApp Exploit is Live

An Israeli firm called NSO Group used a WhatsApp exploit to inject spyware on target devices. A fix for the exploit is live.

Given the stealthy way the attack was attempted, it’s impressive that WhatsApp caught it as quickly as they did. Engineers at Facebook have been busy sorting this one out over the weekend… Named CVE-2019-3568… affected versions include… WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51.

Security Researcher Won't Share macOS Keychain Bug

Security researcher Linus Henze found a macOS Keychain bug but won’t share it with Apple out of protest.

Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility. However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.

It is odd that there isn’t a macOS bug bounty, but I think withholding security information isn’t the way to go.

Wikileaks Giving CIA's iPhone Spy Code to Apple

Apple may have patched most of the security flaws that Wikileaks revealed the CIA is exploiting, but not all of them. Apple has been scrambling to learn more about the remaining exploits, and it looks like the help it needs is coming directly from Wikileaks. The organization said it plans to share everything it knows about the hacks with Apple, and it’s going to do the same for other tech companies the CIA targeted, too.

Update your iOS 9.x Devices Now!

Dr. Mac says he doesn’t usually write about Apple’s minor operating system updates, but, if you’re using an iPhone, iPad, or iPod touch, you should update to iOS version 9.3.5 without delay. Read all about it in Dr. Mac’s Rants & Raves #190: Update your iOS 9.x Devices Now!