close
    • chevron_right

      Apple patches “clickless” 0-day image processing vulnerability in iOS, macOS

      news.movim.eu / ArsTechnica · Thursday, 7 September, 2023 - 22:47

    Apple patches “clickless” 0-day image processing vulnerability in iOS, macOS

    Enlarge (credit: Apple)

    Apple has released security updates for iOS, iPadOS, macOS, and watchOS today to fix actively exploited zero-day security flaws that can be used to install malware via a "maliciously crafted image" or attachment. The iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2 updates patch the flaws across all of Apple's platforms. As of this writing, no updates have been released for older versions like iOS 15 or macOS 12.

    The CVE-2023-41064 and CVE-2023-41061 flaws were reported by the Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto. Also dubbed "BLASTPASS," Citizen Lab says that the bugs are serious because they can be exploited just by loading an image or attachment, which happens regularly in Safari, Messages, WhatsApp, and other first- and third-party apps. These bugs are also called "zero-click" or "clickless" vulnerabilities.

    Citizen Lab also said that the BLASTPASS bug was "being used to deliver NSO Group’s Pegasus mercenary spyware ," the latest in a long line of similar exploits that have been used to infect fully patched iOS and Android devices.

    Read 3 remaining paragraphs | Comments

    • chevron_right

      Biden’s executive order limits government’s use of commercial spyware

      news.movim.eu / ArsTechnica · Monday, 27 March, 2023 - 21:31

    Biden’s executive order limits government’s use of commercial spyware

    Enlarge (credit: Getty Images)

    President Joe Biden on Monday signed an executive order barring many uses by the federal government of commercial spyware, which has been increasingly used by other countries in recent years to surveil dissidents, journalists, and politicians.

    The signing of the executive order came as administration officials told journalists that roughly 50 US government personnel in at least 10 countries had been infected or targeted by such spyware, a larger number than previously known. The officials didn’t elaborate.

    Commercial spyware is sold by a host of companies, with the best known being NSO Group of Israel. The company sells a hacking tool known as Pegasus that can surreptitiously compromise both iPhones and Android devices using “clickless” exploits, meaning they require no user interaction. By sending a text or ringing the device, Pegasus can install spying software that steals contacts, messages, geo locations, and more, even when the text or call isn’t answered. Other companies selling commercial spyware include Cytrox, Candiru, and Paragon.

    Read 5 remaining paragraphs | Comments

    • chevron_right

      Zero-click iMessage zeroday used to hack the iPhones of 36 journalists

      Dan Goodin · news.movim.eu / ArsTechnica · Monday, 21 December, 2020 - 21:39

    Promotional image of iPhone.

    Enlarge (credit: Apple )

    Three dozen journalists had their iPhones hacked in July and August using what at the time was an iMessage zeroday exploit that didn’t require the victims to take any action to be infected, researchers said.

    The exploit and the payload it installed were developed and sold by NSO Group, according to a report published Sunday by Citizen Lab, a group at the University of Toronto that researches and exposes hacks on dissidents and journalists. NSO is a maker of offensive hacking tools that has come under fire over the past few years for selling its products to groups and governments with poor human rights records. NSO has disputed some of the conclusions in the Citizen Lab report.

    The attacks infected the targets’ phones with Pegasus, an NSO-made implant for both iOS and Android that has a full range of capabilities, including recording both ambient audio and phone conversations, taking pictures, and accessing passwords and stored credentials. The hacks exploited a critical vulnerability in the iMessage app that Apple researchers weren’t aware of at the time. Apple has since fixed the bug with the rollout of iOS 14.

    Read 11 remaining paragraphs | Comments

    index?i=X7VZ3UWIKAQ:0LGrqbQfKTs:V_sGLiPBpWUindex?i=X7VZ3UWIKAQ:0LGrqbQfKTs:F7zBnMyn0Loindex?d=qj6IDK7rITsindex?d=yIl2AUoC8zA