Windows users will want to make sure that they are running the latest version of iTunes, iTunes 12.12.9, in order to gain protection from a recently uncovered security vulnerability. Apple released iTunes 12.12.9 on May 23, and it fixes an issue that could allow malicious apps to gain elevated privileges to install malware on a Windows machine. While the vulnerability was addressed last week, Synopsys, the security company that discovered the problem, today shared some details on how it worked. iTunes had a privileged folder with weak access control, allowing a malicious person to redirect the folder creation to the Windows system directory, which could then be used to obtain a higher-privileged system shell.The iTunes application creates a folder, SC…

Russia’s Federal Security Service (FSB) claimed on Thursday it had uncovered a U.S. National Security Agency (NSA) plot using previously unknown malware to access vulnerabilities in Apple iPhones. Lockdown Mode is the first major capability of its kind designed to offer an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security. Guy Faulconbridge for Reuters: The FSB, the main successor to the Soviet-era KGB, said several thousand Apple phones had been infected, including those of domestic Russian subscribers. The Russian spy agency also said telephones belonging to foreign diplomats based in Russia and the former Soviet Union, including those from Israel, Syria, China and NATO members, had been targeted. “The…

Russia says that the National Security Agency (NSA) has been spying on Russian officials and civilians using iPhone backdoor vulnerabilities created for the US by Apple.Moscow, RussiaThe NSA has previously tried to get public opinion on its side as it objects to Apple's refusal to give it access to user data. But now the Federal Security Office (FSB) of Russia claims that Apple has given the NSA backdoor access after all. Read more...

An Apple security fix in iOS 15.6.1 back in August of last year was said to close two major security vulnerabilities, one of which could have allowed a rogue app to execute arbitrary code with kernel privileges (aka do Very Bad Things). But it’s now been revealed that the more serious vulnerability wasn’t closed after all. Apple did succeed in blocking a specific way of exploiting the vulnerability, but didn’t address the root issue until last week’s iOS 16.5 update, some nine months later … more… The post Apple security fix didn’t address root cause – now corrected in iOS 16.5 appeared first on 9to5Mac.

Macworld Apple’s operating system updates always have important security patches, which is why we urge users to update as soon as possible. The recent iOS and iPadOS 16.5 update, however, has a unique security patch that is essentially a follow-up to a previous patch. A report by Jamf released on Monday details the ColdInvite vulnerability, which is filed as CVE-2023-27930 in the CVE Program database. ColdInvite “can be exploited to leverage the co-processor in order to obtain read/write privileges to the kernel,” according to Jamf. A bad actor can use ColdInvite to eventually gain control of the device. This hole was fixed in the 16.5 update. Interestingly, ColdInvite was discovered because of a previous vulnerability that Apple addressed last year…

Macworld Multiple iPhone and iPad owners have complained that Apple’s latest mobile software updates, iOS 16.5 and iPadOS 16.5, render their devices incompatible with Apple’s Lightning to USB 3 Camera Adapter. The accessory, which costs $39 from Apple’s store (or £45 from the U.K. store) was designed with older Lightning iPad Pro models in mind, enabling owners to transfer photos from a digital camera to their tablet for editing and sharing; more recent iPads are equipped with USB-C ports and consequently have less need for an adapter. But it’s compatible, in theory, with pretty much any Lightning iPhone or iPad, going back all the way to the iPhone 5 from 2012 and the original iPad mini. I say “in theory”…