{"id":24503,"date":"2021-10-03T07:51:17","date_gmt":"2021-10-03T14:51:17","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=24503"},"modified":"2021-10-03T07:51:17","modified_gmt":"2021-10-03T14:51:17","slug":"sb-2021-10-01","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/10\/sb-2021-10-01\/","title":{"rendered":"Security Bits \u2014 1 October 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1eb;&#x1f1f7; <a href=\"https:\/\/www.intego.com\/mac-security-blog\/pegasus-spyware-found-on-5-french-cabinet-members-phones\/\">Pegasus spyware found on 5 French cabinet members&#8217; phones \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li>Social Media Developments:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/facebook-pauses-instagram-kids-following-widespread-concerns\">Facebook pauses Instagram Kids development following widespread concerns \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/daringfireball.net\/linked\/2021\/09\/29\/youtube-anti-vax-ban\">YouTube Is Banning Prominent Anti-Vaccine Activists and Blocking All Anti-Vaccine Content \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 A Mixed 2 Weeks for Apple Security<\/h2>\n<p>It&#8217;s been less than 2 weeks since the last Security Bits segment, but a lot has happened in the world of Apple security!<\/p>\n<h3>iOS &amp; iPadOS 15<\/h3>\n<p>Apple have released their major OS upgrades for 2021, and for the first time ever, the updates are optional, with Apple promising to keep supporting iOS 14, at least for now (<a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/ios-15-and-ipados-15-are-optional-updates\/\">www.macobserver.com\/\u2026<\/a>).<\/p>\n<p>As if to illustrate Apple&#8217;s improved attitude 
to older versions of iOS, they released updates to iOS 12 and macOS Catalina to patch bugs being actively exploited in the wild \u2014 <a href=\"https:\/\/tidbits.com\/2021\/09\/23\/apple-releases-ios-12-5-5-and-security-update-2021-006-for-catalina-to-block-exploited-vulnerabilities\/\">tidbits.com\/\u2026<\/a>.<\/p>\n<p>While the updates are optional, a heck of a lot of people have the option: the list of supported devices is impressive \u2014 <a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/ios-15-device-support-list-2\/\">www.macobserver.com\/\u2026<\/a>.<\/p>\n<p>If you do choose to upgrade, you get some nice new features, but you also get some potentially annoying bugs:<\/p>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/09\/21\/ios-15-includes-face-id-fix-for-security-bypass-using-3d-models\/\">iOS 15 launches with 22 documented security patches \u2013 including a Face ID bypass using a \u201c3D model\u201d \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>The improved security may have come at a cost for some: <a href=\"https:\/\/www.imore.com\/some-cpap-masks-are-confusing-face-id-iphone-13-they-still-work-older-iphones\">Some CPAP masks are confusing Face ID on iPhone 13, but they still work on older iPhones \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-confirms-icloud-upgrades-ios-15-rollout\">Apple confirms iCloud+ upgrades with iOS 15 rollout \u2014 www.imore.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/product-news\/what-you-should-know-about-icloud\/\">What You Should Know About iCloud+ \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-to-use-icloud-with-additional-security-and-privacy-features-and-more\/\">How to Use iCloud+, with Additional Security and Privacy Features, and More \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/www.cnbc.com\/2021\/09\/27\/ios-15-hide-my-mail-creates-temporary-email-addresses.html\">Apple&#8217;s software update lets users create burner email addresses \u2013 here&#8217;s how to do it \u2014 www.cnbc.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/news\/1password-adds-email-aliases\/\">1Password Adds Email Aliases Powered by Fastmail \u2014 www.macobserver.com\/\u2026<\/a> (Requires <strong>both<\/strong> a 1Password and Fastmail account)<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/icloud-data-recovery-contact\/\">iOS 15: Here\u2019s How to Set Up an iCloud Data Recovery Contact \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macrumors.com\/2021\/09\/20\/apple-card-ios-15-advanced-fraud-protection\/\">Apple Card Gains Advanced Fraud Protection in iOS 15 \u2014 www.macrumors.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/apple-card-fraud-protection\/\">New Apple Card Security Feature Lets You Change Your CVV \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<p>The biggest iOS 15 bug was a problem preventing Apple Watches from unlocking iPhone 13s when users were wearing masks, but that was patched with iOS 15.0.1 released on Friday (<a href=\"https:\/\/www.macobserver.com\/news\/product-news\/apple-release-ios-1501\/\">www.macobserver.com\/\u2026<\/a>).<\/p>\n<h3>But Lots of Un-patched Vulnerabilities Too<\/h3>\n<h4>Un-patched Arbitrary Code Execution in macOS<\/h4>\n<p>A disgruntled security researcher has publicly released details of a remote code execution bug in macOS before Apple patched it. 
The researcher gave Apple notice, but Apple have not been responsive, so he got cranky and went public.<\/p>\n<p>Apple actually tried to fix the bug without describing it in their release notes or crediting the researcher, but they did a bad job, and their fix can be bypassed by simply changing the case of some letters!<\/p>\n<p>The bug involves <code>.inetloc<\/code> (internet shortcut) files, so until it&#8217;s patched, beware of opening files of this type you didn&#8217;t create yourself.<\/p>\n<h5>Links<\/h5>\n<ul>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1797268\">Unpatched MacOS vulnerability lets remote attackers execute code \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/remotely-exploitable-inetloc-zero-day-vulnerability-hits-the-mac\/\">Remotely exploitable \u201cinetloc\u201d zero-day vulnerability hits the Mac \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li>The discoverer&#8217;s writeup of the bug: <a href=\"https:\/\/ssd-disclosure.com\/ssd-advisory-macos-finder-rce\/\">SSD Advisory \u2013 macOS Finder RCE \u2014 ssd-disclosure.com\/\u2026<\/a><\/li>\n<\/ul>\n<h4>4 Information Leaks in iOS<\/h4>\n<p>A security researcher has disclosed details of 4 information leakage bugs in iOS \u2014 one of the vulnerabilities is patched in iOS 14, but not iOS 15, and the other three are mostly un-patched (one is partially patched in iOS 15).<\/p>\n<p>Again, the developer went public when he got fed up with being ignored by Apple&#8217;s security department.<\/p>\n<p>Malicious apps installed on devices can use these bugs to read information from the phone they absolutely should not have access to, like users&#8217; address book and all their messages.<\/p>\n<p>The silver lining here is that apps have to get past Apple&#8217;s review process and be installed by users to be in a position to abuse these bugs, so the real-world risk is probably low. 
This is a good reminder of why I think it&#8217;s important to think carefully before installing an app: each app is a risk, a small one, but a risk nonetheless.<\/p>\n<h5>Link<\/h5>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/researcher-discloses-several-zero-day-ios-ipados-vulnerabilities\/\">www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<h4>Poor Data Validation Puts Finders of Lost Trackers at Risk<\/h4>\n<p>A lack of data validation in the phone number field for <em>Lost Mode<\/em> on Apple&#8217;s <em>Find My<\/em> network exposes finders of lost AirTag-compatible trackers to phishing. A malicious <em>loser<\/em> can enter JavaScript into the phone number field when enabling lost mode, and Apple&#8217;s website will execute that JavaScript, allowing the attacker to redirect the finder&#8217;s browser to a phishing site where it can ask them to log in or trick them into entering other information.<\/p>\n<p>If you find a tracker and the web page you end up on has a URL that is anything other than <code>https:\/\/found.apple.com\/<\/code>, close the browser window immediately. The legitimate finders page does not ask you to log in or enter any information at all; it just shows the information the loser chose to publish.<\/p>\n<h5>Link<\/h5>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/lost-apple-airtag-can-lead-finder-to-malicious-website\/\">www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<h4>ApplePay Express Transit Pass + Visa == Vulnerability<\/h4>\n<p>A flaw in the way ApplePay Express Transit Pass interoperates with Visa leaves users with Visa cards open to fraudulent charges. Apple say it&#8217;s Visa&#8217;s issue, and Visa say the attacks are impractical, and besides, their fraud protection covers users, so don&#8217;t worry about it. 
I&#8217;m not sure Visa&#8217;s cavalier attitude will stand, but for now, consider disabling Express Transit Pass if you&#8217;re a Visa user, or, unlinking your Visa card from ApplePay.<\/p>\n<p>To be clear, this only affects Visa cards, and only if Express Transit Pass is enabled.<\/p>\n<h5>Links<\/h5>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/apple-and-visa-downplay-express-transit-security-flaw\">Apple and Visa downplay Express Transit security flaw in Apple Pay \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/09\/30\/how-to-steal-money-via-apple-pay-using-the-express-transit-feature\/\">How to steal money via Apple Pay using the \u201cExpress Transit\u201d feature \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>Reminder: <a href=\"https:\/\/tidbits.com\/2021\/09\/23\/apple-releases-ios-12-5-5-and-security-update-2021-006-for-catalina-to-block-exploited-vulnerabilities\/\">iOS 12.5.5 and Security Update 2021-006 Catalina Block Exploited Vulnerabilities \u2014 tidbits.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/09\/21\/netgear-releases-security-updates-rce-vulnerability\">NETGEAR Releases Security Updates for RCE Vulnerability \u2014 us-cert.cisa.gov\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/houseparty-privacy-not-included\/\">Mozilla Adds Facebook Messenger, Houseparty, and WeChat to \u2018Privacy Not Included\u2019 Guide \u2014 www.macobserver.com\/\u2026<\/a> (Apple&#8217;s FaceTime was also evaluated, and it got Mozilla&#8217;s 
approval)<\/li>\n<li>Brian Krebs warns that scammers are using voice and instant messaging services to try to trick people into giving up their one-time codes for things like Google Authenticator \u2014 never give them out over the phone, by SMS, or in a chat app: <a href=\"https:\/\/krebsonsecurity.com\/2021\/09\/the-rise-of-one-time-password-interception-bots\/\">The Rise of One-Time Password Interception Bots \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>&#x1f1e8;&#x1f1e6; <a href=\"https:\/\/www.cbc.ca\/news\/canada\/calgary\/portpass-privacy-breach-1.6191749\">Portpass app may have exposed hundreds of thousands of users&#8217; personal data \u2014 www.cbc.ca\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>An investigation by the Washington Post has found that many major iOS apps are finding ways to work around Apple&#8217;s App Tracking Transparency system to continue to track users against their explicit wishes. The list of naughty apps includes big names like Yelp, Telegram, Grubhub, Run Rich 3D, Starbucks, Streamer Life!, Cash App, DoorDash, and PeacockTV \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/apps-track-despite-att\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/arstechnica.com\/tech-policy\/2021\/09\/expanded-robocall-blocking-has-begun-but-there-are-still-too-many-loopholes\/\">Phone companies must now block carriers that didn\u2019t meet FCC robocall deadline \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2021\/10\/fcc-proposal-targets-sim-swapping-port-out-fraud\/\">FCC Proposal Targets SIM Swapping, Port-Out Fraud \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Some food for thought: <a 
href=\"https:\/\/mashable.com\/article\/privacy-please-what-data-do-modern-cars-collect\">Your car knows too much about you. That could be a privacy nightmare. \u2014 mashable.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/09\/28\/serious-security-lets-encrypt-gets-ready-to-go-it-alone-in-a-good-way\/\">Serious Security: Let\u2019s Encrypt gets ready to go it alone (in a good way!) \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>A very cool lunar selfie 50 years in the making: <a href=\"https:\/\/apod.nasa.gov\/apod\/ap210927.html\">Astronomy Picture of the Day \u2014 apod.nasa.gov\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td 
align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
&#x1f1eb;&#x1f1f7; Pegasus spyware found on 5 French cabinet members&#8217; phones \u2014 www.intego.com\/\u2026 Social Media Developments: Facebook pauses Instagram Kids development following widespread concerns \u2014 www.imore.com\/\u2026 YouTube Is Banning Prominent Anti-Vaccine Activists and Blocking All [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4807,4808,50,569,2003],"class_list":["post-24503","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-apple-security","tag-express-transit","tag-security","tag-security-bits","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=24503"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24503\/revisions"}],"predecessor-version":[{"id":24506,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24503\/revisions\/24506"}],"wp:featuredmedia":[{"embe
ddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=24503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=24503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=24503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}