
Tag

#ios

10 things to do to improve your online privacy

It's Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.

Malwarebytes
Apple Security Advisory 01-22-2024-3

Apple Security Advisory 01-22-2024-3 - iOS 16.7.5 and iPadOS 16.7.5 addresses code execution vulnerabilities.

Apple Security Advisory 01-22-2024-2

Apple Security Advisory 01-22-2024-2 - iOS 17.3 and iPadOS 17.3 addresses bypass and code execution vulnerabilities.

Apple Security Advisory 01-22-2024-1

Apple Security Advisory 01-22-2024-1 - Safari 17.3 addresses code execution vulnerabilities.

Why is the cost of cyber insurance rising?

Cyber insurance premiums are expected to rise this year after leveling out in 2023.

CVE-2024-0804: Chromium: CVE-2024-0804 Insufficient policy enforcement in iOS Security UI

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

**How can I see the version of the browser?**

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on **Help and Feedback**
3. Click on **About Microsoft Edge**

GHSA-9f9p-cp3c-72jf: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in trillium-http and trillium-client

### Summary

Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over outbound headers.

### Details

Outbound `trillium_http::HeaderValue` and `trillium_http::HeaderName` can be constructed infallibly and were not checked for illegal bytes when sending requests from the client or responses from the server. Thus, if an attacker has sufficient control over header values (or names) in a request or response that they could inject `\r\n` sequences, they could get the client and server out of sync, and then pivot to gain control over other parts of requests or responses. (i.e. exfiltrating data from other requests, SSRF, etc.)

### Patches

#### trillium-http >= 0.3.12:

* If a header name is invalid in server response headers, the specific header and any associated values are omitted from network transmission.
* If a header value is invalid in server response headers, the individual ...

Notorious Spyware Maker NSO Group Is Quietly Plotting a Comeback

NSO Group, creator of the infamous Pegasus spyware, is spending millions on lobbying in Washington while taking advantage of the crisis in Gaza to paint itself as essential for global security.

Update now! Apple releases patch for zero-day vulnerability

Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

Apple Issues Patch for Critical Zero-Day in iPhones, Macs - Update Now

Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild. The issue, tracked as CVE-2024-23222, is a type confusion bug that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem