Apple has fixed a security vulnerability in iOS and iPadOS that could be exploited via HomeKit to launch persistent denial of service (DoS) attacks.

The technology giant released iOS 15.2.1 and iPadOS 15.2.1 on Wednesday to patch the so-called “doorLock” flaw, which was disclosed earlier this month by security researcher Trevor Spiniolas.

The bug affects iPhones and iPads running iOS 14.7 through iOS 15.2 and is triggered via HomeKit, Apple’s smart home platform that lets Apple users configure, communicate with and control their smart home devices.

To exploit the bug, an attacker would need to change the name of a HomeKit device to a string longer than 500,000 characters. When that string loads on a user’s iPhone or iPad, the device’s software is thrown into a denial of service (DoS) state, requiring a forced reset to unfreeze. Even if a user doesn’t have any devices added on HomeKit, an attacker could create a spoof Home network and trick the user into joining via a phishing email. And once the device reboots and the user signs back into the iCloud account linked to HomeKit, the bug is triggered again.

Worse, Spiniolas warned that attackers could leverage the doorLock vulnerability to launch ransomware attacks against iOS users, locking devices into an unusable state and demanding a ransom payment to set the HomeKit device name back to a safe length.

Spiniolas said that Apple pledged to fix the issue in a security update last year, but this was pushed back until “early 2022,” prompting Spiniolas to disclose the bug, fearing the delay posed a “serious risk” to users.

“Despite them confirming the security issue and me urging them many times over the past four months to take the matter seriously, little was done,” he wrote. “Status updates on the matter were rare and featured exceptionally few details, even though I asked for them frequently.”

“Apple’s lack of transparency is not only frustrating to security researchers who often work for free, it poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters.”

In a separate, later round of Apple updates, the security content addresses a type confusion issue that could allow arbitrary code execution when processing maliciously crafted web content using WebKit. Apple is aware of a report that this issue may have been actively exploited. Additionally, the update includes a fix for a “use after free” issue that could allow an app to execute arbitrary code with kernel privileges.

The update is available for the iPhone 8 and later, iPad Air (3rd gen) and later, iPad (5th gen) and later, iPad mini (5th gen) and later, MacBook Pro (2017 and later), MacBook Air (2018 and later), MacBook (2017 and later), iMac (2017 and later), Mac mini (2018 and later), and Mac Studio.

A separate update for macOS Big Sur fixes a Safari issue where websites in the Favorites section of the Start page lost their custom favicons and instead displayed generic gray icons.

Apple also released HomePod 16.3.2 and tvOS 16.3.2 updates for all models, following 16.3.1 updates earlier this month. watchOS 9.3.1 was also released for Apple Watch Series 4 and later with bug fixes and important security updates.

Pokdepinion: Time to get them all updated, and I sure hope none of these will cause anything to break. Otherwise that would be rather unfortunate, as we avoid one problem only to face another one.
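The doorLock bug described above has two parts that matter to a defender: the accessory name comes from a cloud-synced store that the attacker can write to directly through the HomeKit API (so a length limit enforced only in the naming UI does nothing), and a crash on load is not a one-off, because the same record is pulled again after every reboot and iCloud sign-in. The following is an added example, written for this page and not code from the article, from Spiniolas or from Apple, that models the missing check: validate the length at the sync boundary before the name reaches any rendering path, keep the device usable by showing a placeholder instead of the oversized string, and repair the shared store rather than the local copy. The record format, the 64-character limit and the accessory names are assumptions for the illustration.

```python
"""
Added example (not code from the article, from Spiniolas, or from Apple):
a model of the validation and recovery logic whose absence the doorLock
report describes. The record format, MAX_NAME_LEN and the sample names are
assumptions for illustration only.
"""
from typing import Optional

MAX_NAME_LEN = 64  # assumed limit; measure in the same unit the renderer uses


def validate_accessory_name(name: object) -> Optional[str]:
    """Return None if the name may be rendered, otherwise a short reason."""
    if not isinstance(name, str):
        return "name is not a string"
    if len(name) > MAX_NAME_LEN:
        # Report the length only; never echo the oversized value into logs or UI.
        return f"name length {len(name)} exceeds limit {MAX_NAME_LEN}"
    return None


def load_home(store):
    """Validate every synced record before anything is rendered.

    Returns (renderable, quarantined). A rejected accessory still appears,
    under a short placeholder, so the user can rename it; the oversized
    string itself never reaches the UI, so the device stays usable.
    """
    renderable, quarantined = [], []
    for rec in store:
        reason = validate_accessory_name(rec.get("name"))
        if reason is None:
            renderable.append({"id": rec["id"], "name": rec["name"]})
        else:
            renderable.append({"id": rec["id"],
                               "name": f"Accessory {rec['id']} (name rejected)"})
            quarantined.append((rec["id"], reason))
    return renderable, quarantined


def repair_sync_store(store, quarantined):
    """Write safe names back to the shared store and return the new store.

    A fix applied only to the local copy is undone on the next pull, which is
    how the doorLock fault returned after every reboot and iCloud sign-in.
    """
    bad = {acc_id for acc_id, _ in quarantined}
    repaired = []
    for rec in store:
        rec = dict(rec)  # copy; the caller's store is left untouched
        if rec["id"] in bad:
            rec["name"] = f"Accessory {rec['id']}"
        repaired.append(rec)
    return repaired


def boot_cycles(store, cycles):
    """Simulate repeated reboot + sign-in against the same store.

    Returns how many cycles found a quarantined record. With the hardened
    loader every cycle completes; without a store-side repair the count
    stays at `cycles`, which is the persistence the article describes.
    """
    hits = 0
    for _ in range(cycles):
        _, quarantined = load_home(store)
        if quarantined:
            hits += 1
    return hits


# Constructed sample store: one attacker-controlled name of 500,001 characters,
# the size the article reports for the doorLock trigger.
SYNC_STORE = [
    {"id": "lamp-1", "name": "Living room lamp"},
    {"id": "lock-1", "name": "A" * 500_001},
    {"id": "plug-1", "name": "Kitchen plug"},
]

if __name__ == "__main__":
    renderable, quarantined = load_home(SYNC_STORE)
    print("rendered:", [a["name"] for a in renderable])
    print("quarantined:", quarantined)
    print("cycles with a bad record before repair:", boot_cycles(SYNC_STORE, 3))
    fixed = repair_sync_store(SYNC_STORE, quarantined)
    print("cycles with a bad record after repair:", boot_cycles(fixed, 3))
```

The design point is where the check sits: at the point where synced data enters the client, not where the user types a name. Rejected records are surfaced, not silently dropped, so the owner can see which accessory was tampered with, and the repair is pushed back to the shared store because that is the only place a fix survives the next sign-in.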