
Security Bits — 1 October 2021

Feedback & Followups

Deep Dive — A Mixed 2 Weeks for Apple Security

It’s been less than 2 weeks since the last Security Bits segment, but a lot has happened in the world of Apple security!

iOS & iPadOS 15

Apple have released their major OS upgrades for 2021, and for the first time ever, the updates are optional, with Apple promising to keep supporting iOS 14, at least for now (…).

As if to illustrate Apple’s improved attitude to older versions of iOS, they released updates to iOS 12 and macOS Catalina to patch bugs being actively exploited in the wild —….

While the upgrade is optional, a heck of a lot of people have the option; the list of supported devices is impressive —….

If you do choose to upgrade, you get some nice new features, but you also get some potentially annoying bugs:

The biggest iOS 15 bug was a problem preventing Apple Watches from unlocking iPhone 13 models while their owners were wearing masks, but that was patched in iOS 15.0.1, released on Friday (….

But Lots of Un-patched Vulnerabilities Too

Un-patched Arbitrary Code Execution in macOS

A disgruntled security researcher has publicly released details of an arbitrary code execution bug in macOS before Apple patched it. The researcher reported the bug to Apple and waited, but Apple were not responsive, so he got cranky and went public.

Apple actually tried to fix the bug quietly, without describing it in their release notes or crediting the researcher, but they did a bad job: the fix is evidently a case-sensitive check on the malicious content, so it can be bypassed by simply changing the case of some letters!

The bug involves .inetloc (internet shortcut) files, so until it's properly patched, beware of opening files of this type that you didn't create yourself.
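To make the "change the case of some letters" failure concrete, here is an added example (not Apple's code, and not the researcher's) that parses a constructed .inetloc file and compares a case-sensitive denylist with a parse-and-normalise allowlist. The plist key name `URL`, the `file://` payload and the allowed-scheme list are assumptions for the example; the page does not say which string Apple's fix matches.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample of a .inetloc file: an XML property list whose "URL" key
# holds the target. The key name and the File:/// payload are assumptions for
# this example, not taken from the published bug.
SAMPLE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>File:///Applications/Calculator.app</string>
</dict>
</plist>
"""

# Allowlist of schemes an internet shortcut should be able to open (assumption).
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}


def inetloc_url(data: bytes) -> str:
    """Return the URL string stored in a .inetloc plist (key name assumed)."""
    return plistlib.loads(data)["URL"]


def naive_is_blocked(url: str) -> bool:
    """A case-sensitive denylist on one exact spelling of the scheme.

    This is the shape of fix the page describes: it catches "file://" but
    lets "File://" or "FILE://" straight through.
    """
    return url.startswith("file://")


def hardened_is_allowed(url: str) -> bool:
    """Parse the URL, normalise the scheme (RFC 3986: schemes are
    case-insensitive) and accept only allowlisted schemes."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def bypasses_naive_check(urls):
    """Return the URLs the denylist lets through but the allowlist rejects,
    i.e. the bypass candidates a tester would look for."""
    return [u for u in urls if not naive_is_blocked(u) and not hardened_is_allowed(u)]


if __name__ == "__main__":
    url = inetloc_url(SAMPLE_INETLOC)
    print(url, "blocked by naive check:", naive_is_blocked(url))
    print(url, "allowed by hardened check:", hardened_is_allowed(url))
```

The lesson is the general one: a denylist keyed on an exact spelling is only as good as the attacker's willingness to spell differently, while parsing the input into its components and allowlisting the normalised scheme is indifferent to case, and to leading whitespace, because the comparison happens after normalisation.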


4 Information Leaks in iOS

A security researcher has disclosed details of 4 information leakage bugs in iOS — one of the vulnerabilities is patched in iOS 14, but not iOS 15, and the other three are mostly un-patched (one is partially patched in iOS 15).

Again, the researcher went public when he got fed up with being ignored by Apple's security department.

Malicious apps installed on devices can use these bugs to read information from the phone they absolutely should not have access to, like users’ address book and all their messages.

The silver lining here is that an app has to get past Apple's review process and be installed by the user before it is in a position to abuse these bugs, so the real-world risk is probably low. This is a good reminder of why I think it's important to think carefully before installing an app: each app is a risk, a small one, but a risk nonetheless.


Poor Data Validation Puts Finders of Lost Trackers at Risk

A lack of data validation in the phone number field for Lost Mode on Apple's Find My network exposes finders of lost AirTag-compatible trackers to phishing. A malicious "loser" (the person who marks the tracker as lost) can enter JavaScript into the phone number field when enabling Lost Mode, and Apple's website will execute that JavaScript when a finder views the page, allowing the attacker to redirect the finder's browser to a phishing site that asks them to log in or tricks them into entering other information. In other words, it's a stored cross-site scripting (XSS) bug.
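As an added illustration (example code, not Apple's), the following shows the two controls that together close this class of bug: validating the phone number against a strict allowlist when it is stored, and HTML-encoding it when it is rendered into the finder's page. The validation rule, the rendering functions and the payload are constructed for the example; the redirect target is a placeholder, not a real phishing site.

```python
import html
import re

# Strict allowlist for the phone number: optional "+", then 3 to 15 digits.
# This rule is an assumption for the example, not Apple's validation.
PHONE_RE = re.compile(r"^\+?[0-9]{3,15}$")

# Constructed payload: what a malicious "loser" might type into the phone
# number field. The target host is a placeholder.
XSS_PAYLOAD = "<script>location='https://phish.example/'</script>"


def render_naive(phone: str) -> str:
    """Vulnerable: the stored value is pasted straight into the finder's page,
    so markup in it becomes part of the page."""
    return f"<p>Contact: {phone}</p>"


def validate_phone(phone: str) -> bool:
    """Input validation at write time: accept only something shaped like a
    phone number, reject everything else (including spaces and markup)."""
    return PHONE_RE.fullmatch(phone) is not None


def render_escaped_only(phone: str) -> str:
    """Output encoding alone: the payload may still be stored, but the
    browser now sees text, not script, because < > & ' " are encoded."""
    return f"<p>Contact: {html.escape(phone, quote=True)}</p>"


def render_hardened(phone: str) -> str:
    """Defence in depth: validate at write time AND encode at render time."""
    if not validate_phone(phone):
        raise ValueError("phone number must be digits with an optional leading +")
    return f"<p>Contact: {html.escape(phone, quote=True)}</p>"


if __name__ == "__main__":
    print("naive   :", render_naive(XSS_PAYLOAD))
    print("escaped :", render_escaped_only(XSS_PAYLOAD))
    print("valid?  :", validate_phone(XSS_PAYLOAD), validate_phone("+14155550100"))
    print("hardened:", render_hardened("+14155550100"))
```

The two controls are independent: output encoding stops the stored string from executing even if validation is bypassed or a new input path is added later, and input validation keeps junk out of the data store in the first place, which is why a field with a well-defined format like a phone number should have both.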

If you find a tracker and the web page you end up on has a URL other than ``, close the browser window immediately. The legitimate finder's page does not ask you to log in or enter any information at all; it just shows the information the loser chose to publish.


Apple Pay Express Transit Pass + Visa == Vulnerability

A flaw in the way Apple Pay's Express Transit Pass interoperates with Visa leaves users with Visa cards open to fraudulent charges. Apple say it's Visa's issue, and Visa say the attack is impractical and, besides, their fraud protection covers users, so don't worry about it. I'm not sure Visa's cavalier attitude will stand, but for now, consider disabling Express Transit Pass if you're a Visa user, or unlinking your Visa card from Apple Pay.

To be clear, this only affects Visa cards, and only when Express Transit Pass is enabled for them.


❗ Action Alerts

Worthy Warnings

Notable News

Interesting Insights

Just Because it’s Cool 😎

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
