Apple vulnerability Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/apple-vulnerability/

Critical Vulnerability Uncovered in Apple iOS and macOS Exploited
https://gridinsoft.com/blogs/critical-vulnerability-ios-macos/
Fri, 02 Feb 2024 09:08:08 +0000

The Cybersecurity and Infrastructure Security Agency has identified a security flaw in Apple operating systems, particularly iOS and macOS. It has been added to the agency’s Known Exploited Vulnerabilities catalog. The vulnerability can allow attackers to bypass Pointer Authentication and gain unauthorized read and write access to the system.

Critical Apple Operating Systems Vulnerabilities Exploited

The U.S. CISA has added to the agency’s Known Exploited Vulnerabilities catalog a critical vulnerability in Apple’s iOS and macOS, discovered by Apple’s security team. The flaw has been designated CVE-2022-48618 and has a rather high severity rating of CVSS 7.8. Upon successful exploitation, attackers could potentially bypass security measures and gain unauthorized access to sensitive information. CISA is urging all users to take immediate action to secure their devices.

Apple has not revealed much information about CVE-2022-48618 and its active exploitation in the wild. However, the Cybersecurity and Infrastructure Security Agency has directed all U.S. federal agencies to fix this flaw by February 21, per the binding operational directive (BOD 22-01) issued in November 2021.

CVE-2022-48618 Vulnerability Impact

Discovered within the kernel component of Apple’s software, this vulnerability threatens the integrity of devices by enabling adversaries to manipulate memory functions and execute arbitrary code. Successful exploitation leads to compromising personal data and undermining critical infrastructure security that relies on these technologies.

This flaw is being actively exploited and affects a wide range of devices, including older and newer models such as iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. Additionally, it impacts Macs running macOS Ventura, Apple TV 4K, Apple TV 4K (2nd generation and later), Apple TV HD, and Apple Watch Series 4 and later. Thus, the systems affected by CVE-2022-48618 are:

macOS Ventura up to version 13.1
watchOS before version 9.2
iOS and iPadOS before version 16.2
tvOS before version 16.2

Apple’s Response

In response to the discovery, Apple promptly issued patches to rectify the vulnerability, embedding enhanced security checks within the latest software updates. These updates, which include iOS 16.2 and macOS Ventura 13.1, aim to fortify devices against potential exploits. However, the delayed disclosure of the vulnerability raises questions about the timing and transparency of security communications. That, though, is more of an “industry standard” than just Apple’s omission.

Apple fixed a similar flaw in the kernel (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6, which shipped on July 20, 2022. That flaw allowed an app with arbitrary kernel read and write capability to bypass Pointer Authentication. Apple attributed it to a logic issue and addressed it with improved state management.

Vulnerability in Apple iCloud puts billion users at risk
https://gridinsoft.com/blogs/vulnerability-in-apple-icloud-puts-billion-users-at-risk/
Tue, 07 Dec 2021 22:12:50 +0000

Security of over a billion iPhone owners and users of popular instant messengers is at risk due to a vulnerability in Apple iCloud.

As Forbes reports, private messages sent via iMessage and WhatsApp on an iPhone are not secure when the factory settings are used.

While encrypted apps like iMessage and WhatsApp keep messages on the device completely safe, a vulnerability in Apple’s iCloud backup system puts them at risk, and unauthorized people can access messages. This is possible as Apple stores message encryption keys in iCloud backups, which undermines the main security features that protect iMessage.

Apple states in its security policies: “End-to-end encryption protects iMessage conversations on all your devices, so Apple cannot read your messages as they are transferred between devices.”

This means that while messages are completely secured in transit between phones, they are not necessarily secured on the device or in the cloud.

“iMessage is secured by end-to-end encryption, the idea being that the keys to decrypt messages between you and those you message are only shared between you. That stops anyone intercepting your content. But in a bizarre twist, Apple stores a copy of those encryption keys in that iCloud backup, which it can access. That means the end-to-end encryption is actually fairly pointless,” writes information security specialist and Forbes columnist Zak Doffman.

Apple has come under a lot of pressure recently after an internal FBI document was released proving that the bureau regularly accesses messages on nine secure messengers, including iMessage and WhatsApp.

“If the target is using an iPhone and iCloud backup is enabled, the data returned by iCloud may contain WhatsApp data to include the content of the message,” the FBI document says.

To keep their messages safe, users can turn off iCloud backups.

Apple also urgently needs to change its approach to iCloud to stop storing encryption keys and avoid backing up encrypted data.

Users can be lured to a malicious site through a vulnerability in Apple AirTag
https://gridinsoft.com/blogs/vulnerability-in-apple-airtag/
Fri, 01 Oct 2021 13:14:06 +0000

Security researcher Bobby Rauch discovered a vulnerability in AirTag key fobs, which Apple advertises as a convenient solution for tracking personal belongings (for example, laptops, phones, car keys, backpacks, and so on).

The gadgets are susceptible to a stored XSS vulnerability. Rauch disclosed the issue even though a patch is not yet available, because he was disappointed with Apple’s bug bounty program.

The root of the vulnerability lies in the fact that when an AirTag user turns on “lost mode” (that is, he cannot find his item), he can add his phone number and a custom message that will be displayed to anyone who finds the AirTag and scans it with any NFC-capable device.

Apple AirTag vulnerability

Rauch noticed that the unique page created on found.apple.com for each AirTag is prone to stored XSS and the problem could be exploited by inserting malicious data into the phone number field.

The researcher describes the following attack scenario: an attacker turns on “lost mode” for his own AirTag and intercepts the request associated with this operation. He then enters malicious data into the phone number field.

After that, the attacker can only drop the AirTag device in the place where his target (or a bystander, if the attack is opportunistic) will find the key fob and scan it. After scanning such an AirTag, a malicious payload will be launched immediately.

Rauch demonstrated such an attack by injecting a payload that redirects the victim to a phishing page that mimics iCloud. Since we are talking about an Apple product, the iCloud login page may not raise suspicion from the victim, although, in fact, no credentials need to be provided when scanning the found AirTag.

In a similar way, a criminal can lure his victim to any other site, including one that distributes malware, or craft another payload which, for example, intercepts session tokens and clicks.

Rauch also notes that a malicious found.apple.com link can be used on its own by sending it directly to the target. In this case, the payload is launched when the link is opened, and there is no need to scan the AirTag at all.
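The defender's side of the flaw described above is a rendering problem: user-supplied contact fields end up in a page that other people's devices open. The snippet below is an added example, not code from the article or from Apple's found.apple.com service; it shows the two controls that would have stopped the stored XSS, a strict allow-list check on the phone number and HTML escaping of the free-text message at output time. The field names, the phone pattern and the sample inputs are all constructed for illustration.

```javascript
// Added example: validating and escaping "lost mode" contact fields before
// they are rendered to whoever scans the tag. Not Apple's code; the
// function names and the phone-number pattern are assumptions for this demo.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can open or close a tag or attribute, so
// whatever the user typed is shown as text rather than parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// A phone number has a tiny alphabet. Reject anything outside it instead of
// trying to clean it; a rejected value never reaches the page at all.
// (Constructed pattern: optional "+", then 5-20 digits, spaces, parentheses or dashes.)
function validatePhone(s) {
  return /^\+?[0-9 ()-]{5,20}$/.test(s);
}

// Build the HTML fragment a finder's device would render. Returns null when
// the phone field fails validation; the message is always escaped.
function renderLostModeFragment(phone, message) {
  if (!validatePhone(phone)) return null;
  return `<p>Call: ${escapeHtml(phone)}</p><p>${escapeHtml(message)}</p>`;
}

// Constructed inputs: a legitimate pair, then markup smuggled into each field.
const GOOD = renderLostModeFragment("+1 555 0100", "Found my keys? Thanks!");
const BAD_PHONE = renderLostModeFragment('<script src="//x"></script>', "hi");
const BAD_MESSAGE = renderLostModeFragment("+1 555 0100", '<img src=x onerror="alert(1)">');

console.log(GOOD);        // plain paragraphs
console.log(BAD_PHONE);   // null: the phone field was rejected outright
console.log(BAD_MESSAGE); // the <img ...> survives only as escaped text
```

The phone field gets validation rather than escaping because its legitimate values are so constrained that there is no reason to render anything else; the message field, which genuinely has to accept arbitrary text, gets escaped at the moment it is written into HTML, which is the only place where escaping is guaranteed to match the context.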

Rauch told the well-known cybersecurity journalist Brian Krebs that he notified Apple of the problem on June 20, 2021, but the company reacted very slowly, constantly sending replies that specialists were studying the bug. Apple also refused to answer the expert’s questions about the possible reward for the detected error. As a result, Rauch was completely disappointed in Apple’s bug bounty and decided to publish the details of the vulnerability in the public domain.

Let me remind you that another information security specialist recently disclosed the details of a lock screen bypass in iOS, writing that this was a kind of revenge on Apple for downplaying, earlier in 2021, the significance of similar lock screen bypass problems he had reported. Shortly thereafter, a researcher known by the nickname Illusion of Chaos published detailed descriptions and exploits for three 0-day vulnerabilities in iOS. He explained that he had reported these issues to Apple at the beginning of the year, but the company had not released any patches.

The Washington Post devoted a long article to this problem, in which many cybersecurity specialists described the same issues: the company left their bug reports unattended for months, released ineffective patches, understated the size of rewards, and generally barred researchers from further participation in the bug bounty if they started to complain.

Let me also remind you that I wrote about experts demonstrating fraudulent payments from a locked iPhone with Apple Pay and a Visa card.

Vulnerabilities allowed access to cameras on Mac, iPhone and iPad
https://gridinsoft.com/blogs/vulnerabilities-allowed-access-to-cameras-on-mac-iphone-and-ipad/
Mon, 06 Apr 2020 16:19:21 +0000

Apple paid $75,000 under its bug bounty program to information security researcher Ryan Pickren for vulnerabilities in Safari that made it possible to access someone else’s cameras on Mac, iPhone and iPad simply by directing the person to a specially crafted site.

In total, Pickren discovered seven vulnerabilities in the Apple browser and the WebKit browser engine (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, CVE-2020-9787), three of which can be chained together and used to spy on users through the camera and microphone of an iPhone, iPad or Mac.

Such an attack requires very little: the victim only has to visit a malicious site. No other interaction is required, and the malicious site can pretend to be a popular legitimate resource and abuse permissions that the victim would grant only to a trusted domain.

“If a malicious site needs to access the camera, all it needs to do is mask itself as a reliable site for video conferencing, such as Skype or Zoom,” the researcher notes.

Fixes for the bugs found by the researcher were released as part of Safari 13.0.5 (released January 28, 2020) and Safari 13.1 (released March 24, 2020).

Pickren explains that Safari stores access permissions for devices such as the camera, microphone and location on a per-site basis. This allows individual sites, such as the official Skype site, to access the camera without asking for the user’s permission at every start.

In iOS there is an exception to this rule: while third-party applications must ask for the user’s consent to access the camera, Safari can access the camera or photo gallery without any permission prompt.

Access to cameras on Mac and iPhone

Exploitation of the problems became possible because of the way the browser parses URL schemes and handles the security settings for each site. Note that the researcher’s method works only against sites already open in the browser.

“The most important fact is that the URL scheme is completely ignored,” the expert writes. “This is a problem, as some schemes do not contain a meaningful host name at all, for example file:, javascript: or data:. Simply put, the error makes Safari think that the malicious site is actually a trusted one. This is due to the exploitation of a number of shortcomings (how the browser parses the URI, manages the web origin and initializes the secure context).”

In effect, Safari did not verify that sites adhered to the same-origin policy, and so granted access to another site that should not have been given permission at all. As a result, the site https://example.com and its malicious counterpart fake://example.com could end up with the same permissions. An attacker could therefore use a file: URI (for example, file:///path/to/file/index.html) to trick the browser and change the apparent domain using JavaScript.

“Safari believes we are on skype.com and I can load some kind of malicious JavaScript. Camera, screen sharing and microphone will be compromised after opening my local HTML file,” Ryan Pickren writes.

A blob: URL (for example, blob://skype.com) works similarly: it can be used to run arbitrary JavaScript code that directly accesses the victim’s webcam without permission.

Even worse, the study showed that plaintext passwords can be stolen in the same way, since Safari uses the same approach to decide which sites qualify for automatic password filling.
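The lesson of the passage above is about the key under which per-site permissions are stored. The snippet below is an added example, written for this page and unrelated to Safari's actual implementation: a toy permission store keyed by hostname only (mirroring the flaw, where `https://example.com` and `fake://example.com` collapse into one entry) next to one keyed by the full origin that refuses opaque origins. It relies on the WHATWG `URL` parser available as a global in Node.js, which returns the string `"null"` as the origin of `file:` URLs and of schemes it does not recognise; the store API and the sample URLs are constructed.

```javascript
// Added example: a per-site permission store keyed the wrong way and the
// right way. Not Safari's code; makeStore, hostKey and originKey are
// names invented for this demo. Uses the global WHATWG URL class (Node.js).

// Weak variant: keys permissions by hostname only, ignoring the scheme.
// This reproduces the confusion described in the article in miniature.
function hostKey(u) {
  return new URL(u).hostname;
}

// Hardened variant: keys by the full origin (scheme + host + port) and
// refuses opaque origins, which the parser reports as the string "null".
// file:, data:, javascript: and unregistered schemes all land there.
function originKey(u) {
  const o = new URL(u).origin;
  return o === "null" ? null : o;
}

// Minimal grant/lookup store parameterised by the key function.
function makeStore(keyFn) {
  const grants = new Set();
  return {
    grant(u, perm) {
      const k = keyFn(u);
      if (k) grants.add(`${k}|${perm}`);
    },
    allowed(u, perm) {
      const k = keyFn(u);
      return k !== null && k !== "" && grants.has(`${k}|${perm}`);
    },
  };
}

// Constructed scenario: the user granted camera access to https://example.com,
// then a page with an unregistered scheme but the same host asks for it.
function demo(keyFn) {
  const store = makeStore(keyFn);
  store.grant("https://example.com/", "camera");
  return {
    legit: store.allowed("https://example.com/app", "camera"),
    fakeScheme: store.allowed("fake://example.com/", "camera"),
    fileUrl: store.allowed("file:///tmp/index.html", "camera"),
  };
}

const WEAK = demo(hostKey);      // { legit: true, fakeScheme: true,  fileUrl: false }
const HARDENED = demo(originKey); // { legit: true, fakeScheme: false, fileUrl: false }

console.log("hostname-keyed:", WEAK);
console.log("origin-keyed:  ", HARDENED);
```

The hardened store does two things at once: it keeps the scheme in the key, so a permission granted to `https://example.com` cannot be reused by any other scheme on that host, and it treats an opaque origin as "no identity", so nothing can be granted to or looked up for a `file:` or `data:` document in the first place.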

PoC exploits and a demonstration of the attacks described are available on the researcher’s blog.

I should also remind you that a researcher recently hacked an iPhone remotely using just one vulnerability.
