Apple security problem! Patch your systems urgently

[RickH]

"Apple devices get urgent patch for zero-day exploit – update now!"

Or, in layman's terms

"Crooks have found a way to trick your browser into giving them access to private data they aren’t supposed to see, and as far as we know they are already abusing this bug to do bad things."

More details here.

[Jdsk]

Thanks for the heads-up.

For everyday purposes and nonexperts... patch here means Software Update, and your devices should now be notifying you.

Jonathan

[Ride-sleep-repeat]

I always have mine set to auto update.

[Syd]

Auto update can sometimes take several days to pick up the update and install it.

An update such as this should really be installed as soon as possible.

[Mick F]

Just checked my MacBookAir this very minute.

No updates available.

[Mick F]

Just checked my iPhone 6s.
It's updating to IOS 14.4.2

[Syd]

Just checked my MacBookAir this very minute.

No updates available.

Screen Shot 2021-03-28 at 09.38.45.png

It’s an iOS exploit that is being patched so not relevant to your MacBook.

[Mick F]

Yes. I realise that, but I still checked.

What are the people trying to steal?
Private data?

Who has "private data" on a mobile phone?

[kwackers]

Yes. I realise that, but I still checked.

What are the people trying to steal?
Private data?

Who has "private data" on a mobile phone?

A phonebook/contacts data is "private data" surely?

Photos, voice messages etc etc

Take a browse through all the installed apps and see how much data they hang on to.
Then of course if you use it for interwebs there's probably tons of other stuff too.

The question probably need rephrasing as "who doesn't have private data on a mobile phone"...
(Yes, we all know who that person is. )

[[XAP]Bob]

Yes. I realise that, but I still checked.

What are the people trying to steal?
Private data?

Who has "private data" on a mobile phone?

You have names numbers, text messages, call records - browsing history...

It's personally identifying as much as private in the traditional sense of that word.


For those who (quite reasonably) don't want to click on obscured links:

https://nakedsecurity.sophos.com/2021/0 ... pdate-now/

[Psamathe]

Yes. I realise that, but I still checked.

What are the people trying to steal?
Private data?

Who has "private data" on a mobile phone? :shock:

You have names numbers, text messages, call records - browsing history...

It's personally identifying as much as private in the traditional sense of that word.


For those who (quite reasonably) don't want to click on obscured links:

https://nakedsecurity.sophos.com/2021/0 ... pdate-now/

And then people often sync their passwords (e.g. so they can log on to Amazon from their phone to track their package) which means website passwords ... Some people do online banking ...

For many mobile devices are replacements for desktops/laptops. When I travel/tour I only take iPad & iPhone (no laptop) and when away for quit a few months you do want to log on to web sites to update your blog, order a birthday present for somebody (and have it delivered to them), etc.

Ian

[[XAP]Bob]

The Apple version, which will no doubt get expanded upon later...

https://support.apple.com/en-us/HT212256


It's "only" an XSS vulnerability, so it's a case of being able to read cookies (which will include data about usage of certain sites, usernames, and in some cases auth tokens, but should not include passwords (at least not for any reputably written site)).
More info on XSS - https://medium.com/@laur.telliskivi/pen ... 672e4738b2

I used only in quotes, because it's not a remote code execution bug, and it doesn't allow further escalation of privilege. It's serious enough to need a "single bug" patch, which has been released for all iOS devices dating back to 2013!

That's not a level of support you get with any other phone vendor or mobile os...

[Psamathe]

The Apple version, which will no doubt get expanded upon later...

https://support.apple.com/en-us/HT212256


It's "only" an XSS vulnerability, so it's a case of being able to read cookies (which will include data about usage of certain sites, usernames, and in some cases auth tokens, but should not include passwords (at least not for any reputably written site)).
More info on XSS - https://medium.com/@laur.telliskivi/pen ... 672e4738b2
...

That is interesting as over the last few months I've seen a massive increase in XSS "attacks" on my own web site. Mainly coming through domestic ISPs in India, though recently Korea (South) been doing more and "the usual players" from the US (China and Russia are geo-blocked from my site as they are just a continual hack nuisance).

Ian

[Jdsk]

The question probably need rephrasing as "who doesn't have private data on a mobile phone"...

Yes.

Jonathan

[Mick F]

A phonebook/contacts data is "private data" surely?
Photos, voice messages etc etc

Take a browse through all the installed apps and see how much data they hang on to.
Then of course if you use it for interwebs there's probably tons of other stuff too.

The question probably need rephrasing as "who doesn't have private data on a mobile phone"...
(Yes, we all know who that person is. )

Contacts list?
Names and telephone numbers. How do you know that the other people on the list keep it "private"? If you want to look at my contacts list, help yourself.

Photos?
Just about every one I've taken with my phone - and my digital camera - are on here for public viewing. Others are saved on external drives and wiped off my phone.

Rarely use my phone for the internet. Too small a screen to be of any use.
Never use email on it as I don't have an email account on the phone.

I have an old iPhone5c which knocks spots off my iPhone6s but it's no longer supported. I sometimes swap my sim over to use the 5c as it fits in a pocket far easier.