Latest Technology News: Apple is shipping this recent “Rapid Response” spyware patch to ev

Two weeks ago, we urged Apple users with recent hardware to grab the company’s second Rapid Response patch.

As we pointed out at the time, this was an emergency patch to block a web browsing security flaw that had apparently been used in real-world spyware attacks:

Component: WebKit

Impact: Processing web content may lead 
        to arbitrary code execution. 
        Apple is aware of a report that 
        this issue may have been 
        actively exploited.

Description: The issue was addressed 
             with improved checks.

CVE-2023-37450: an anonymous researcher

The next best thing to no-click attacks

Technically, code execution bugs that can be triggered by causing you to view a webpage containing booby-trapped content do not count as so-called zero-click attacks.

A true no-click attack is one where cybercriminals can take control of your device just because it’s turned on and connected to a network.

Well-known examples include the infamous Code Red and Slammer worms of the early 2000s that spread globally within hours of finding new victim computers on their own, or the legendary Morris Worm of 1988 that distributed worldwide almost as soon as its creator triggered it.

Morris, author of the eponymous worm, apparently intended to limit the side effects of his experiment by infecting each potential victim only once. But it added code that randomly and occasionally re-infected existing victims as an insurance policy against blocked or fake versions of the worm that might otherwise trick the worm into avoiding computers that seemed infectious but weren’t. Morris decided to deliberately re-infect the computers 1/7 of the time, but it turned out to be far too aggressive. So the worm quickly overwhelmed the internet infecting victims again and again until they did nothing but attack everyone.

But one watch and get pwned attack, also known as installation in carwhere just looking at a web page can invisibly implant malware, even if you don’t click any additional buttons or approve any pop-ups, is the best thing for an attacker to do.

After all, your browser isn’t supposed to download and run unauthorized programs unless and until you explicitly give it permission.

As you can imagine, crooks love to combine a look-and-get-pwned exploit with a second kernel-level code execution bug to take full control of your computer or phone.

Browser-based exploits often give attackers limited results, such as malware that can only spy on your browsing (as bad as that is on their own), or that won’t continue to work after you close your browser or restart your device.

But if the malware attackers execute through an initial browser hole is specifically coded to exploit the second bug in the chain, they immediately evade any throttling or sandboxing implemented in the browser app by taking over your entire device at the operating system level.

Typically, this means they can spy on every app you run, and even the operating system itself, as well as install their malware as part of your devices’ official startup routine, invisibly and automatically surviving any precautionary reboots you might perform.

More iPhone malware holes in the wild

Apple has now rolled out full system upgrades, with new version numbers, for every operating system version the company supports.

After this latest update, you should see the following version numbers as listed in the Apple Security Bulletins listed below:

In addition to including a permanent fix for the CVE-2023-37450 exploit mentioned above (thereby fixing those who skipped the Quick Response or had older devices that were not eligible), these updates also address this listed bug:

Component: Kernel

Impact: An app may be able to modify sensitive 
        kernel state. Apple is aware of a 
        report that this issue may have been 
        actively exploited against versions of 
        iOS released before iOS 15.7.1. 

Description: This issue was addressed with 
             improved state management.

CVE-2023-38606: Valentin Pashkov, 
                Mikhail Vinogradov, 
                Georgy Kucherin (@kucher1n), 
                Leonid Bezvershenko (@bzvr_), 
                and Boris Larin (@oct0xor) 
                of Kaspersky

As in our article on Apple’s previous system-level updates in late June 2023, the two holes in the wild that made the list this time dealt with a WebKit bug and a kernel flaw, with the WebKit-level bug again attributed to an anonymous researcher and the kernel-level bug once again attributed to Russian antivirus Kaspersky.

So let’s assume that these patches related to the so-called Triangulation Trojan malware, first reported by Kasperky in early June 2023, after the company discovered that iPhones belonging to some of its own employees had been actively infected with spyware:

What to do?

Again, we urge you to make sure your Apple devices have downloaded (and then installed!) these updates as soon as possible.

Although we always urge you to Correct early/correct oftenthe fixes for these upgrades aren’t just there to fill in theoretical holes.

Here, you close cybersecurity loopholes that attackers already know how to exploit.

Even though crooks have only used them so far in a limited number of successful intrusions against older iPhones

why stay behind when you can jump ahead?

And if protection against the Triangulation Trojan malware isn’t enough to convince you, remember that these updates also fix many theoretical attacks that Apple and other Good Guys have proactively found, including code execution holes at the kernel level, privilege escalation bugs, and data leakage flaws.

As always, see you at Settings > General > Software update to check if you have correctly received and installed this emergency patch, or to jump to the front of the queue and get it immediately if you haven’t.

(Note. On older Macs, check for updates using About This Mac > Software update instead.)

Also read this Article:

An Overview of Global Events in 2023

In 2023, the world witnessed a myriad of events that left a lasting impact on global affairs. From political developments and economic shifts to environmental challenges and breakthroughs in science and technology, the year was marked by significant changes and a sense of urgency for collective action. Here’s an overview of some of the latest world news in 2023.

Political Unrest and Diplomatic Strides:
In the political arena, several regions experienced unrest and geopolitical tensions. The ongoing conflict in the Middle East continued to dominate headlines, with efforts towards peace and stability remaining elusive. However, there were also moments of diplomatic breakthroughs as nations engaged in dialogues to ease tensions and work towards lasting solutions.

Economic Transformations:
The global economy faced both challenges and opportunities. Trade disputes between major powers affected markets, while some countries grappled with debt crises. On the other hand, emerging economies showed resilience and promising growth, fueling optimism for a more balanced global economic landscape.

Technological Advancements:
Innovation surged forward in the tech industry, with breakthroughs in artificial intelligence, renewable energy, and space exploration. Quantum computing achieved milestones, promising radical transformations across industries. Renewable energy sources gained traction, with many countries setting ambitious goals to combat climate change.

Climate Crisis and Environmental Resilience:
As the climate crisis intensified, extreme weather events wreaked havoc in various parts of the world. Wildfires, hurricanes, and floods reminded humanity of the urgent need for climate action. In response, governments and communities across the globe doubled down on efforts to reduce carbon emissions, invest in sustainable infrastructure, and protect biodiversity.

Health and Pandemic Management:
Health remained a global priority as countries continued to combat the COVID-19 pandemic. With the emergence of new variants, vaccination efforts and public health measures remained crucial to curbing the spread of the virus. There were also significant advancements in medical research and technology, offering hope for better preparedness in handling future health crises.

Sports and Cultural Milestones:
Amidst the challenges, the world found moments of joy and unity through sports and culture. International sporting events brought together athletes from diverse backgrounds, promoting solidarity and camaraderie. Cultural exchanges and celebrations showcased the richness of human diversity and fostered mutual understanding.

In conclusion, the year 2023 was a dynamic period filled with significant events that shaped the course of history. From political unrest to technological advancements and environmental challenges, the world witnessed the complexities of the global landscape. While obstacles remained, there were also encouraging developments and collaborative efforts towards a more sustainable, peaceful, and prosperous future for all nations. As we move forward, the lessons learned from these events serve as a reminder of the importance of collective action and cooperation to address shared global challenges.