We all know that the iPhone giant released iOS 16 a few weeks ago and wanted everyone to upgrade to the new operating system, as it’s more intuitive and easier to use. A couple of weeks back, the American technology giant issued a warning to all its users and urged them to upgrade at the earliest, because one of the two identified flaws was found to be already exploited by threat actors.

Technically speaking, the flaw is in WebKit, the Safari browser engine, and gives threat actors a backdoor to execute arbitrary code on an iPhone.

Thus, the macOS-developing giant wants all its users to move to iOS 16, as it offers a fix for the vulnerability. However, only those using iPhone 8 and later models can install the operating system update; older devices do not support the upgrade because their hardware is incompatible with the software.

Apple Inc. released a press update at the end of last week stating that iOS 16.3.1 offers bug fixes, acknowledges iCloud and Siri issues, and includes many Crash Detection optimizations.

NOTE 1 - The first developer version was released in June 2022, immediately after the Worldwide Developers Conference, with the first beta version being released in July 2022, after which it was made public on September 12th, 2022.

NOTE 2 - Google Photos is reportedly crashing with no error message on devices installing iOS 16.3.1.

NOTE 3 - iCloud is freezing after the iOS 16.3.1 update and there seems to be no workaround in sight. Siri is not operating as expected on the new platform, and the Crash Detection optimization is proving worthwhile only on iPhone 14 and 14 Pro models.

The post Apple urges iPhone users to upgrade to iOS16 amid device security hacking fears appeared first on Cybersecurity Insiders.

This month’s Patch Tuesday offers a little something for everyone, including security updates for a zero-day flaw in Microsoft Windows that is under active attack, and another Windows weakness experts say could be used to power a fast-spreading computer worm. Apple has also quashed a pair of zero-day bugs affecting certain macOS and iOS users, and released iOS 16, which offers a new privacy and security feature called “Lockdown Mode.” And Adobe axed 63 vulnerabilities in a range of products.

Microsoft today released software patches to plug at least 64 security holes in Windows and related products. Worst in terms of outright scariness is CVE-2022-37969, which is a “privilege escalation” weakness in the Windows Common Log File System Driver that allows attackers to gain SYSTEM-level privileges on a vulnerable host. Microsoft says this flaw is already being exploited in the wild.

Kevin Breen, director of cyber threat research at Immersive Labs, said any vulnerability that is actively targeted by attackers in the wild must be put to the top of any patching list.

“Not to be fooled by its relatively low CVSS score of 7.8, privilege escalation vulnerabilities are often highly sought after by cyber attackers,” Breen said. “Once an attacker has managed to gain a foothold on a victim’s system, one of their first actions will be to gain a higher level of permissions, allowing the attacker to disable security applications and any device monitoring. There is no known workaround to date, so patching is the only effective mitigation.”

Satnam Narang at Tenable said CVE-2022-24521 — a similar vulnerability in the same Windows log file component — was patched earlier this year as part of Microsoft’s April Patch Tuesday release and was also exploited in the wild.

“CVE-2022-37969 was disclosed by several groups, though it’s unclear if CVE-2022-37969 is a patch-bypass for CVE-2022-24521 at this point,” Narang said.

Another vulnerability Microsoft patched this month — CVE-2022-35803 — also seems to be related to the same Windows log file component. While there are no indications CVE-2022-35803 is being actively exploited, Microsoft suggests that exploitation of this flaw is more likely than not.

Trend Micro’s Dustin Childs called attention to CVE-2022-34718, a remote code execution flaw in the Windows TCP/IP service that could allow an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.

“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8,” Childs said. “However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”

Cisco Talos warns about four critical vulnerabilities fixed this month — CVE-2022-34721 and CVE-2022-34722 — which have severity scores of 9.8, though they are “less likely” to be exploited, according to Microsoft.

“These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet,” wrote Jon Munshaw and Asheer Malhotra. “Two other critical vulnerabilities, CVE-2022-35805 and CVE-2022-34700 exist in on-premises instances of Microsoft Dynamics 365. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner.”

Not to be outdone, Apple fixed at least two zero-day vulnerabilities when it released updates for iOS, iPadOS, macOS and Safari. CVE-2022-32984 is a problem in the deepest recesses of the operating system (the kernel). Apple pushed an emergency update for a related zero-day last month in CVE-2022-32983, which could be used to foist malware on iPhones, iPads and Macs that visited a booby-trapped website.

Also listed under active attack is CVE-2022-32817, which has been fixed on macOS 12.6 (Monterey), macOS 11.7 (Big Sur), iOS 15.7 and iPadOS 15.7, and iOS 16. The same vulnerability was fixed in Apple Watch in July 2022, and credits Xinru Chi of Japanese cybersecurity firm Pangu Lab.

“Interestingly, this CVE is also listed in the advisory for iOS 16, but it is not called out as being under active exploit for that flavor of the OS,” Trend Micro’s Childs noted. “Apple does state in its iOS 16 advisory that ‘Additional CVE entries to be added soon.’ It’s possible other bugs could also impact this version of the OS. Either way, it’s time to update your Apple devices.”

Apple’s iOS 16 includes two new security and privacy features — Lockdown Mode and Safety Check. Wired.com describes Safety Check as a feature for users who are at risk for, or currently experiencing, domestic abuse.

“The tool centralizes a number of controls in one place to make it easier for users to manage and revoke access to their location data and reset privacy-related permissions,” wrote Lily Hay Newman.

“Lockdown Mode, on the other hand, is meant for users who potentially face targeted spyware attacks and aggressive state-backed hacking. The feature comprehensively restricts any nonessential iOS features so there are as few potential points of entry to a device as possible. As more governments and repressive entities around the world have begun purchasing powerful commodity spyware to target individuals of particular importance or interest, iOS’s general security defenses haven’t been able to keep pace with these specialized threats.”

To turn on Lockdown Mode in iOS 16, go to Settings, then Privacy and Security, then Lockdown Mode. Safety Check is located in the same area.

Finally, Adobe released seven patches addressing 63 security holes in Adobe Experience Manager, Bridge, InDesign, Photoshop, InCopy, Animate, and Illustrator. More on those updates is here.

Don’t forget to back up your data and/or system before applying any security updates. If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

In September 2022, Apple Inc. will release iOS 16 to all smartphones in its ecosystem and is urging every user to upgrade their device software to the new version. The catch with this OS upgrade is that it only works on iPhone 8 and later models and cannot be downloaded by older phones such as the iPhone 7 and its predecessors.

Here is the big trouble: the iPhone producer will not be releasing security updates for device models older than the iPhone 8.

This can lead to further trouble, as hackers can exploit the recurring vulnerabilities.

Previously, Apple issued updates for iOS 14 for months after the release of iOS 15. But now the American tech giant seems to be engaging in business improvement tactics such as vendor lock-in and new OS releases, so that users do not switch to other brands of phones running Android and instead buy a new device to stay inside the Apple iOS ecosystem.

Apparently, the macOS-producing giant has neither admitted nor denied these developments, but it is planning to announce a confirmation at the end of next month.

iPhone users are being asked to be vigilant about SMS messages and email attachments sent by unknown senders, as these can lead them to malicious website links and download nefarious payloads.

NOTE - In the first week of July, the company announced the release of a new feature termed Lockdown Mode, designed to prevent targeted cyber attacks on its users. The aim behind the release of this feature is to combat attacks related to spyware.

The post iPhone iOS 16 update might trigger mobile security concerns appeared first on Cybersecurity Insiders.