apple

Can You Really Trust That Permission Pop-Up On macOS? (CVE-2025-31250)

,

macOS vulnerability CVE-2025-31250 allows apps to spoof permission prompts, misleading users into granting access to the wrong application. Correctly patched in macOS Sequoia 15.5, earlier versions like Ventura and Sonoma remain unaddressed. The flaw arises from incorrect handling in the TCC framework's request logic, permitting consent responses for one app while displaying prompts for another. While exploiting this requires user interaction, it poses significant risks, particularly for high-access applications like Microphone and Camera. Apple has responded slowly to the issue, but recent updates appear to address the vulnerability, enhancing overall security.

https://wts.dev/posts/tcc-who/

Apple Fixes Two Zero-days Exploited in Targeted iPhone Attacks

,

Apple patched two zero-day vulnerabilities in iPhones, affecting several operating systems, after reports of exploitation in targeted attacks. The flaws, found in CoreAudio and RPAC, allow remote code execution and bypass security features. Users are urged to update their devices immediately. This marks the fifth zero-day fix from Apple this year.

https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-exploited-in-targeted-iphone-attacks/

Phishing Platform ‘Lucid’ Behind Wave of iOS, Android SMS Attacks

, ,

Phishing platform ‘Lucid,' operated by the XinXin group, targets 169 entities across 88 countries using iMessage and RCS for SMS attacks. Sold on a subscription model, it provides phishing domains and tools to attackers. Lucid sends 100,000 smishing messages daily, bypassing spam filters with encrypted messaging tech. The operation employs device farms and impersonates legitimate services to steal personal data, including financial information, often demonstrating ease of use through public videos.

https://www.bleepingcomputer.com/news/security/phishing-platform-lucid-behind-wave-of-ios-android-sms-attacks/

FBI Warning For All iPhone, Android Users—Hang Up Now, Use This Code

, ,

FBI warns iPhone and Android users about AI-powered deepfake scams. Users should hang up on suspicious calls and create a secret code for verification with close family to combat voice cloning threats. Social media poses risks as it provides voice samples for cybercriminals. Ongoing AI attacks are reshaping crime, making scams increasingly sophisticated and difficult to detect.

https://www.forbes.com/sites/daveywinder/2025/03/22/fbi-warns-iphone-and-android-users-hang-up-now-use-this-code/

Apple Fixes Zero-day Exploited in ‘extremely Sophisticated’ Attacks

,

Apple patched a zero-day vulnerability in iOS and iPadOS exploited in “extremely sophisticated” targeted attacks. The issue, affecting various iPhone and iPad models, potentially allowed misuse of USB Restricted Mode. Users are urged to update their devices to prevent ongoing attacks, as previous zero-days have been linked to spyware targeting high-risk individuals.

https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-exploited-in-extremely-sophisticated-attacks/

Apple Chips Can Be Hacked to Leak Secrets From Gmail, iCloud, and More

,

Vulnerabilities in Apple chips (A- and M-series) allow side-channel attacks, FLOP and SLAP, to leak sensitive data from browsers like Chrome and Safari. FLOP exploits the load value predictor to steal memory contents, affecting data from services like Gmail and iCloud, while SLAP targets the load address predictor, limited to Safari. Devices from 2021 onwards are affected. Researchers indicated potential mitigations, and Apple intends to address the issues, though they don't view them as immediate threats.

https://arstechnica.com/security/2025/01/newly-discovered-flaws-in-apple-chips-leak-secrets-in-safari-and-chrome/

Apple Users: Update Your Devices Now to Patch Zero-day Vulnerability

, ,

Apple users must update devices to fix a zero-day vulnerability actively exploited in iOS. Affected devices include iPhone XS and newer, certain iPads, macOS Sequoia, Apple Watch Series 6+, and Apple TV models. Users should check for updates in Settings and consider enabling Automatic Updates. The vulnerability, tracked as CVE-2025-24085, allows privilege escalation via a misuse of memory in Core Media.

https://www.malwarebytes.com/blog/news/2025/01/apple-users-update-your-devices-now-to-patch-zero-day-vulnerability

About the Security Content of iOS 18.3 and iPadOS 18.3

,

iOS 18.3 and iPadOS 18.3 security update released January 27, 2025, addresses multiple vulnerabilities affecting recent devices. Key fixes involve potential unauthorized access, denial-of-service risks, and privilege escalation. Each vulnerability is linked to specific CVE-ID, and Apple prioritizes user safety by withholding details until patches are available. For further details, consult the Apple security releases page.

https://support.apple.com/en-us/122066

Phishing Texts Trick Apple iMessage Users Into Disabling Protection

,

Phishing texts are tricking Apple iMessage users into disabling phishing protection by prompting them to reply to messages. Users who respond to these texts inadvertently enable links, making them vulnerable to attacks. Cybercriminals exploit this tactic, especially targeting individuals who may be less aware of such scams. It's advised not to respond to unknown messages with disabled links and to verify their legitimacy directly with the sender.

https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-imessage-users-into-disabling-protection/

Scroll to Top