iOS 12.2 fixes bug that granted apps hidden access to the microphone

Apple released iOS 12.2 yesterday, and the update includes fixes for an unusually large number of security issues, some of them downright disturbing.

In total, the company fixed 51 security flaws. Probably the scariest bug, at first glance, is CVE-2019-8566, a vulnerability in Apple’s ReplayKit, a component used by various iOS apps for recording and streaming audio and video from a device.

Apple said a bug in this component would have allowed malicious applications to access the microphone without any indication to the user, and to surreptitiously record or stream nearby conversations.

“An API issue existed in the handling of microphone data. This issue was addressed with improved validation,” Apple said.

Code execution via SMS links

Another major issue fixed in this release is the one affecting iOS GeoServices, the component responsible for working with geo-location data.

Apple said that it patched a bug reported by an anonymous researcher who discovered a way to execute code on iOS devices by sending links in SMS messages. If the user clicked one of these malformed links, the attacker would have been able to run malicious code on the device.

The vulnerability (CVE-2019-8553) was attributed to a memory handling issue and patched in iOS 12.2. Memory handling bugs aren’t a problem for Apple alone: Microsoft said earlier this year that nearly 70 percent of all security bugs it patches each year are memory-handling-related issues.

WebKit bugs galore

But the GeoServices SMS link bug wasn’t the only memory-related bug fixed in iOS 12.2. Similar memory corruption issues that could also lead to code execution with elevated privileges were also fixed in the IOKit SCSI and Power Management components.

WebKit, which is the heart of the Safari browser, also suffered from similar memory corruption issues that could lead to malicious code execution.

Apple fixed not one, but 13 of these bugs: CVE-2019-8535, CVE-2019-6201, CVE-2019-8518, CVE-2019-8523, CVE-2019-8524, CVE-2019-8558, CVE-2019-8559, CVE-2019-8563, CVE-2019-8536, CVE-2019-8544, CVE-2019-7285, CVE-2019-8556, and CVE-2019-8506.

WebKit was, by far, the component that received the most security fixes overall. Besides code execution vulnerabilities, Apple also fixed a universal cross-site scripting (XSS) flaw that impacted the WebKit engine and worked on any website (CVE-2019-8551), along with a dangerous sandbox escape issue (CVE-2019-8562) that could have allowed malicious code to escape from the browser process and run on the underlying OS.

In addition, Denis Markov of Resonance Software found that malicious websites may also be able to access a user’s microphone without a visual indicator being shown (CVE-2019-6222).

KeySteal zero-day receives a fix

This is just a summary of the most dangerous security bugs fixed in iOS and its components. Some bugs, like the Safari and WebKit issues, also affect other Apple products in which those components are embedded.

Besides security fixes for iOS, Apple also released security updates for other products, such as macOS, tvOS, Safari, Xcode, iTunes and iCloud for Windows.

The release of iOS 12.2 at Apple’s glitzy event yesterday may have caught everybody’s eye because of the release of the Apple News Plus and Apple Card services, but users would be doing themselves a bigger favor if they update to get the iOS 12.2 security patches instead.

In addition, updating macOS to the latest 10.14.4 release will also patch the KeySteal zero-day that became public at the start of February 2019, and which can allow malicious threat actors to steal passwords from the macOS Keychain.



