CyberSecurityBoard
Sponsor Register Login

WebKit security hole found The Register

Apple has issued emergency fixes to plug security flaws in iPhones, iPads, and Macs that may already be under attack.
The software updates for iOS, iPadOS, macOS Sonoma, and Safari web browser address two bugs: an out-of-bounds read flaw tracked as CVE-2023-42916, and a memory corruption vulnerability tracked as CVE-2023-42917.
Both are in the WebKit web browser engine - the heart of Safari, as found on iThings and Macs - and can be abused to access sensitive information and execute arbitrary code on vulnerable devices.
It appears a malicious webpage or similar content can exploit these holes: we imagine an attack would involve tricking a mark into a opening a page that then hijacks their equipment and snoops on them.
iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
"Apple is aware of a report that this issue may have been exploited," the Silicon Valley corp said about both bugs in the November 30 security update.
While we don't have details about who may have been poking code in Apple devices, and what evil deeds they were likely doing, both were found by Clément Lecigne of Google's Threat Analysis Group.
TAG keeps a close eye on nation-state espionage crews, as well as commercial spyware vendors, and some of the earlier Apple bugs have been used to deploy Pegasus and TriangleDB snooping malware on compromised phones and computers.
In May, Cupertino fixed three other WebKit flaws under exploit that had also been spotted by Lecigne and Amnesty International.
These types of bugs tend to be exploited in targeted attacks against politicians, journalists, academics, activists and others.
Also this week: Google fixed a bug in its Chrome browser that Lecigne found.
This vulnerability, CVE-2023-6345, was also exploited by miscreants before Google issued the patch.
As with the Apple flaws, we don't have many details about the Chrome vulnerability, other than it's a high-severity integer overflow issue in Skia, a popular graphics library used by the browser.
If we had to bet, we'd put money on all of these being exploited by cyber snoops for espionage purposes.
So before you head into the weekend, it's probably a good idea to update everything.


This Cyber News was published on go.theregister.com. Publication date: Fri, 01 Dec 2023 23:06:56 +0000


Cyber News related to WebKit security hole found The Register

CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
6 years ago
CVE-2017-17713 - Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp ...
6 years ago
CVE-2017-17714 - Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, ...
6 years ago
CVE-2023-52780 - In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm ...
1 month ago Tenable.com
CVE-2024-27080 - In the Linux kernel, the following vulnerability has been resolved: ...
2 months ago
Embracing Security as Code - Everything is smooth until it isn't because we traditionally tend to handle the security stuff at the end of the development lifecycle, which adds cost and time to fix those discovered security issues and causes delays. Over the years, software ...
6 months ago Feeds.dzone.com
Microsoft Security Copilot improves speed and efficiency for security and IT teams - First announced in March 2023, Microsoft Security Copilot-Microsoft's first generative AI security product-has sparked major interest. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases ...
6 months ago Microsoft.com
6 Best Cloud Security Companies & Vendors in 2024 - Cloud security companies specialize in protecting cloud-based assets, data, and applications against cyberattacks. To help you choose, we've analyzed a range of cybersecurity companies offering cloud security products and threat protection services. ...
4 months ago Esecurityplanet.com
10 Best Security Service Edge Solutions - Security Service Edge is an idea in cybersecurity that shows how network security has changed over time. With a focus on customized solutions, Security Service Edge Solutions leverages its expertise in multiple programming languages, frameworks, and ...
4 months ago Cybersecuritynews.com
Five business use cases for evaluating Azure Virtual WAN security solutions - To help organizations who are evaluating security solutions to protect their Virtual WAN deployments, this article considers five business use cases and explains how Check Point enhances and complements Azure security with its best-of-breed, ...
1 month ago Blog.checkpoint.com
What Is Cloud Security Management? Types & Strategies - Cloud security management is the process of safeguarding cloud data and operations from attacks and vulnerabilities through a set of cloud strategies, tools, and practices. The cloud security manager and the IT team are generally responsible for ...
1 month ago Esecurityplanet.com
IaaS vs PaaS vs SaaS Security: Which Is Most Secure? - Security concerns include data protection, network security, identity and access management, and physical security. While IaaS gives complete control and accountability, PaaS strikes a compromise between control and simplicity, and SaaS provides a ...
6 months ago Esecurityplanet.com
Russians break into Microsoft as Chinese hit VMware users The Register - A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news. On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write ...
5 months ago Go.theregister.com
Benefits and challenges of managed cloud security services - Too many organizations lack the in-house cloud security expertise and resources needed to protect cloud assets effectively. One option to address these challenges is managed cloud security. Outsourcing cloud security to a third party not only helps ...
4 months ago Techtarget.com
Report: Organisations Have Endpoint Security Tools But Are Still Falling Short on the Basics - Most IT and security teams would agree that ensuring endpoint security and network access security applications are running in compliance with security policies on managed PCs should be a basic task. A new report from Absolute Security, based on ...
1 month ago Techrepublic.com
Week in review: 10 must-read cybersecurity books, AnyDesk hack, Patch Tuesday forecast - How CISOs navigate policies and access across enterprisesIn this Help Net Security interview, Marco Eggerling, Global CISO at Check Point, discusses the challenge of balancing data protection with diverse policies, devices, and access controls in a ...
4 months ago Helpnetsecurity.com
A Practitioner's Guide to Security-First Design - Instead, organizations must proactively fortify their defenses and enter the era of security-first design - an avant-garde approach that transcends traditional security measures. Security-first design is an approach that emphasizes integrating robust ...
6 months ago Feeds.dzone.com
New Stellar Cyber Alliance to Deliver Email Security for SecOps Teams - Stellar Cyber, a Double Platinum 'ASTORS' Award Champion in the 2023 Homeland Security Awards Program, and the innovator of Open XDR has entered inao a new partnership with Proofpoint, a leading cybersecurity and compliance company. Through this ...
4 months ago Americansecuritytoday.com
Understanding the 2024 Cloud Security Landscape - As we swiftly move towards the second quarter of 2024, predictions by cloud security reports highlight the challenges of cloud adoption in the cloud security landscape. This growing reliance on cloud infrastructure raises the critical issue of ...
3 months ago Feeds.dzone.com
Cyber Security News Weekly Round-Up - The weekly cybersecurity news wrap-up provides readers with the latest information on emerging risks, vulnerabilities, ways to reduce them, and harmful schemes to help make defensive measures proactive. According to recent findings from Morphisec ...
2 months ago Cybersecuritynews.com
IaaS Security: Top 8 Issues & Prevention Best Practices - Understanding the risks, advantages, and best practices connected with IaaS security is becoming increasingly important as enterprises shift their infrastructure to the cloud. By exploring the top eight issues and preventative measures, as well as ...
6 months ago Esecurityplanet.com
Konica Minolta Wins Two Platinum 'ASTORS' Homeland Security Awards - ' Now in its ninth year, it continues to recognize industry leaders in physical and border security, cybersecurity, emergency preparedness management and response, law enforcement, first responders, and federal, state, and municipal government ...
3 months ago Americansecuritytoday.com
Gaining Insights on the Top Security Conferences - A Guide for CSOs - Are you a CSO looking for the best security events around the world? Well, you have come to the right place! This article is a guide to the top security conferences that offer essential security insights to help make informed decisions. Security ...
1 year ago Csoonline.com
Intel knew AVX chips were insecure and did nothing - Intel has been sued by a handful of PC buyers who claim the x86 goliath failed to act when informed five years ago about faulty chip instructions that allowed the recent Downfall vulnerability, and during that period sold billions of insecure chips. ...
7 months ago Theregister.com
The Art of Securing Cloud-Native Mobile Applications - We will explore the dynamic intersection of cloud-native architecture and mobile application security, delving into the strategies and best practices essential for safeguarding sensitive data, ensuring user privacy, and fortifying against emerging ...
6 months ago Feeds.dzone.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)