Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared these findings with Apple, and fix for this vulnerability, now identified as CVE-2022-26706, was included in the security updates on May 16, 2022.

Whenever there’s a new in-the-wild 0-day disclosed, I’m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations. This blog is the story of a “zombie” Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022. If you’re interested in the full root cause analysis for CVE-2022-22620, we’ve published it here.

MRT’s days appear numbered. On 14 March this year, Apple released its successor – a new version of XProtect, which now does the lot.

MIT CSAIL boffins devise PACMAN attack to let existing exploits avoid pointer authentication

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission. The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which […]

Researcher shares how he unearthed newer bugs in Apple's operating system by closer scrutiny of previous research, including vulnerabilities that came out of the Pwn2Own competition.

Faster, easier, and more secure sign-ins will be available to consumers across leading devices and platforms.

Faster, easier and more secure sign-ins will be available to consumers across leading devices and platforms  Mountain View, California, MAY 5, 2022  – In a joint effort to make the web […]

The identified vulnerability allows bypassing of Gatekeeper security and app notorization, has been patched by Apple.

As use of Apple devices has grown in the enterprise, the company has increasingly become a target for malware threats and other attacks. ISMG spoke with experts and

Motherboard obtained reports of stalking, harassment, and abuse using AirTags, targeting victims of intimate partner violence.

Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter. Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don’t require a court order.

Apple's AirTags, its cheap and cheerful trackers, have proven increasingly dangerous. Unfortunately, there's no easy way of making them safer

La société Passware, qui s'est fait une spécialité des solutions de déverrouillage des Mac et des PC par force brute, est parvenue à « craquer » la puce T2. Mais attention, le processus nécessite de 10 heures à… plusieurs milliers d'années, en fonction du mot de passe et de sa longueur. Mais cela reste possible grâce à une vulnérabilité exploitée par l'entreprise, dont les clients sont principalement les forces de l'ordre mais aussi des entreprises.

A researcher has sent one of Apple's AirTags to a mysterious "federal authority" in Germany to locate its true offices — and to help prove that it's really part of an intelligence agency.

Apple awarded a $100,500 bug bounty to the researcher who discovered the latest major vulnerability in its browser.

$100,500 Apple Bug Bounty for hacking the webcam via a Safari Universal Cross-Site Scripting (UXSS) bug. CVE-2021-30861, CVE-2021-30975

A flaw in Apple's software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.

A vast location-tracking network is being built around us so we don’t lose our keys: One couple’s adventures in the consumer tech surveillance state.

We’re happy to announce the public release of esmat, a new free & open-source tool. esmat is a command-line app for macOS that allows you to explore the behavior of Apple’s Endpoint Security framework.

Apple a publié iOS 15.3.1 pour corriger la vulnérabilité CVE-2022-22620 de WebKit, qui serait activement exploitée par les cybercriminels. [version EN](https://www.kaspersky.com/blog/webkit-vulnerability-cve-2022-22620/43650/)

"This document describes the security content of macOS Monterey 12.2.1."