Apple Corp. on Tuesday fixed a bug in AirDrop, a file exchange feature that made hackers nearby unable to use iPhones and iPads. The vulnerability was found to open the door to a denial-of-service attack where an attacker could use AirDrop shared pop-up notifications to send spam emails to all nearby iPhones and iPads indefinitely.
"This shared pop-up window blocks the user interface, so device owners will not be able to continue doing anything on the device unless it accepts / rejects the pop-up window and the pop-up window will continue to appear. It will also persist, "independent researcher Kishan Bagaria wrote in a post outlining his findings.
Apple fixes were released on Tuesday and include all other fixes for Apple Watch, iOS and macOS Catalina.
Bagaria calls this flaw AirDoS, which is a gameplay of Apple's feature names AirDrop and DoS (denial of service). AirDrop is a feature in iOS and macOS that allows files to be transferred using Wi-Fi or Bluetooth. "When someone uses AirDrop to share content with you, you see an alert with a preview. You can click to accept or decline," Apple described on its support page.
"This error is still subject to AirDrop receiving settings, which means that if your AirDrop setting is set to" Everyone, "anyone can become an attacker, but if you set it to" Contacts only, "only Someone from your contacts can be an attacker, Bagaria wrote.
Bagaria said that in addition to updating to the latest version of iOS 13.3 to resolve the issue, users can also turn off the AirDrop feature in Settings. To stop active attacks, he suggests having Siri turn off Wi-Fi and Bluetooth radios on your iPad or iPhone.
The researcher said that he reported the bug to Apple in August, and the bug was fixed in the latest iOS update (13.3). The proof-of-concept of the attack has been posted to GitHub, and a video about the ongoing attack is available on YouTube.
After researchers found six serious bugs in the mobile operating system, Apple Watch 6.1.0 users were also urged to update their hardware to the latest 6.1.1 version of watchOS software.
If it is not patched in time, Apple warns attackers that it may cause memory corruption issues on the target Apple Watch and exploits vulnerabilities to gain system or kernel privileges.
According to each Common Vulnerability and Disclosure (CVE) description, the attack complexity of the six vulnerabilities is "low"-meaning that the attack will not be difficult to perform.
According to CVE's description of the bug tracked as CVE-2019-8828, "By using a specially crafted application, an attacker could exploit this vulnerability to gain kernel privileges." Like other watchOS errors, this memory corruption vulnerability has a CVSS 3.0 base score of 7.8.
In all watchOS cases, this fix is an upgrade to watchOS 6.1.1.
On Tuesday, Apple also fixed a series of issues with its new versions of iOS and macOS.
The fix includes an item bundled with FaceTime (CVE-2019-8830). According to Apple, the vulnerability could allow malicious videos to be processed through FaceTime, which could lead to arbitrary code execution. The vulnerability was discovered by Natalie Silvanovich of Google Project Zero and is classified as a "out-of-bounds read" vulnerability that can be addressed through improved input validation.
Another bug was fixed in Apple's Live Photos feature (CVE-2019-8857), which affects iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation IOS users. Apple wrote: "Even if live photos are disabled in the share table carousel, live photo audio and video data can be shared via iCloud links."
Are you are looking for iPhone repair service? Then, UkiPhonerepair could be the best choice where you can get quick phone repair service with 12 month warranty on the repair service we offer.
For more details on UK iPhone repair services, visit the website http://ukiphonerepair.co.uk
Comments
Post a Comment