Apple says a newly patched hole in its GarageBand music tool could allow for remote code execution on the Mac. Because GarageBand is installed by default on OS X systems, all Mac owners should install the patch, but those who regularly use the music composing software should pay particular attention.
The lone flaw addressed in the update allows an attack to remotely execute simply by running a malformed .band file. Apple uses the .band format for all GarageBand project files. In theory, a crook could exploit the bug by convincing the user to run the specially crafted .band file that would target the bug.Read more
If you think clearing your web browsing history on your iPhone or Mac is going to make your online habits permanently disappear, you'd be wrong. Very wrong. Apple is storing Safari histories in the iCloud going back more than a year, possibly much longer, even where the user has asked for them to be wiped from memory.
Elcomsoft chief Vladimir Katalov told the iPhone maker kept a separate iCloud record, titled "tombstone," in which deleted web visits were stored, ostensibly for syncing across devices. Katalov told me he came across the issue "by accident" when he was looking through the Safari history on his own iPhone.Read more
The hacker says this demonstrates that when organizations make hacking tools, those techniques will eventually find their way to the public. In January, experts reported that a hacker had stolen 900GB of data from mobile phone forensics company Cellebrite.
The data suggested that Cellebrite had sold its phone cracking technology to oppressive regimes such as Turkey, the United Arab Emirates, and Russia. Now the hacker responsible has publicly released a cache of files allegedly stolen from Cellebrite relating to Android and BlackBerry devices, and older iPhones, some of which may have been copied from publicly available phone cracking tools.Read more
Apple is introducing a new analytics section to its iOS privacy settings where it will ask for permission to analyze iCloud account data to improve Siri and other smart features.
Apple has been critical of Silicon Valley's addiction to harvesting and monetizing user data for ads, but it appears Apple sees some sense in accessing user data and will be seeking to use more of it in the near future. An iOS 10.3 beta released last week contained a note under the title 'iCloud Analytics & Privacy', explaining that Apple wants to analyze iCloud account data to improve intelligent features such as Siri.Read more
Security researchers have discovered a rare piece of Mac-based espionage malware that relies on outdated coding practices but has been used in some previous real-world attacks to spy on biomedical research center computers.
Dubbed Fruitfly, the malware has remained undetected for years on macOS systems despite using unsophisticated and "antiquated code." According to the researchers, the recently discovered what they're calling "the first Mac malware of 2017" contains code that dates before OS X, which has reportedly been conducting detailed surveillance operation on targeted networks, possibly for over two years.Read more
Chris Lattner, Apple's head of developer tools and the creator of its uber-popular programming language, Swift, this week announced plans to join Tesla. People leave their jobs for all kinds of reasons, especially when they are offered exciting new jobs at important, on-the-rise companies.
But someone in Lattner's circle of developer friends shared some insight at to why Lattner may have been calling it quits at Apple now, even as one of his major contributions, Swift, had really taken off. The person experts talked to said one big reason was that Apple's culture of secrecy was wearing on him, particularly because it was his job to create open-source developer tools.Read more
A pretty dumb WhatsApp scam is making rounds in chain mail form, promising "free internet" without Wi-Fi on an invite-only basis. First of all, the scam is quite dumb to begin with because the only way to use WhatsApp without Wi-Fi is to have a cellular data connection and WhatsApp cannot offer data - it's just an app, not a provider.
Secondly, the scam is spreading because it prompts victims to forward the message to 13 friends or five groups on WhatsApp to activate the "free internet." As usual, the message spreads via WhatsApp groups or comes from a friend who 'recommends' the service - often unaware of it. In this case, you receive a special invitation with a link.Read more
Deutsche Bank AG has banned text messages and communication apps such as WhatsApp on company-issued phones in an effort to improve compliance standards. The functionality will be switched off this quarter, chief regulatory officer Sylvie Matherat and chief operating officer Kim Hammonds told staff in a memo.
Unlike e-mails, text messages can’t be archived by the bank, said a person with knowledge of the matter who asked not to be identified discussing internal matters. “We fully understand that the deactivation will change your day-to-day work and we regret any inconvenience this may cause,” Matherat and Hammonds said.Read more
A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service. Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff.
But new research shows that the company could read messages due to the way WhatsApp has implemented its end-to-end encryption protocol. Privacy campaigners said the vulnerability is a “huge threat to freedom of speech” and warned it could be used by government agencies as a backdoor to snoop on users who believe their messages to be secure.Read more
Mac OS users running Safari are falling victim to a tech support scam that can freeze their computer, according to a Thursday post on the MalwareBytes Labs blog. Similar previous campaigns have used fake alerts notifying victims that something is wrong with their computer, prompting them to reach out for tech assistance.
By clicking onto a phony site, or by calling a phony assistance number, the victim can then authorize attackers to gain control of their machines. One version of this scam, which targeted the browser, was dubbed a browlock. Another one which actually loaded malware onto devices was termed a screen locker.Read more