#Ransomware stat: Construction and Manufacturing are the top verticals targeted by hackers this year. https://bit.ly/2J4jl0l
#Ransomware stat: On average, downtime costs 23X MORE than the ransom. https://bit.ly/2J1Ex7f
A new feature in macOS Big Sur allows Apple’s own apps to bypass firewalls and VPNs, potentially letting malware exploit the same shortcoming to access sensitive data stored on users’ systems and transmit it to remote servers.
The latest version of macOS was released to the public on 12th November 2020 with the behaviour left unchanged, prompting concerns from security researchers, who say the change is ripe for abuse.
Of particular note is the possibility that the bypass can leave macOS systems open to attack, not to mention the inability to limit or block network traffic at users’ discretion.
Apple is yet to comment on the new changes.
While the company’s motivation for exempting its own apps from firewalls and VPNs is still unclear, it’s possible that the changes are part of Apple’s “anti-malware (and perhaps anti-piracy) efforts” to keep traffic from its apps out of VPN servers and prevent geo-restricted content from being accessed through VPNs.
Google released Chrome version 86.0.4240.111 today to patch several high-severity security issues, including a zero-day vulnerability that has been exploited in the wild by attackers to hijack targeted computers.
Tracked as CVE-2020-15999, the actively exploited vulnerability is a heap buffer overflow, a type of memory-corruption flaw, in FreeType, a popular open source software development library for rendering fonts that comes packaged with Chrome.
The vulnerability was discovered and reported by security researcher Sergei Glazunov of Google Project Zero on October 19 and is subject to a seven-day public disclosure deadline due to the flaw being under active exploitation.
Apple released multiple security updates to patch three zero-day vulnerabilities that were revealed as being actively exploited in the wild.
The fixes were rolled out as part of its iOS, iPadOS, macOS, and watchOS updates. The flaws reside in the FontParser component and the kernel, allowing adversaries to remotely execute arbitrary code and run malicious programs with kernel-level privileges.
The zero-days were discovered and reported to Apple by Google’s Project Zero security team.
“Apple is aware of reports that an exploit for this issue exists in the wild,” the iPhone maker said of the three zero-days without giving any additional details so as to allow a vast majority of users to install the updates.
The list of impacted devices includes iPhone 5s and later, iPod touch 6th and 7th generation, iPad Air, iPad mini 2 and later, and Apple Watch Series 1 and later.
According to Apple’s security bulletin, the flaws are:
- CVE-2020-27930: A memory corruption issue in the FontParser library that allows for remote code execution when processing a maliciously crafted font.
- CVE-2020-27932: A memory initialization issue that allows a malicious application to execute arbitrary code with kernel privileges.
- CVE-2020-27950: A type-confusion issue that makes it possible for a malicious application to disclose kernel memory.