Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.

@@ -468,7 +468,7 @@ a),DRAWIO\_GITLAB\_URL=a);a=urlParams\["gitlab-id"\];null!=a&&(DRAWIO\_GITLAB\_ID=a);w if("1"==urlParams.offline||"1"==urlParams.demo||"1"==urlParams.stealth||"1"==urlParams.local||"1"==urlParams.lockdown)urlParams.picker="0",urlParams.gapi="0",urlParams.db="0",urlParams.od="0",urlParams.gh="0",urlParams.gl="0",urlParams.tr="0"; "se.diagrams.net"==window.location.hostname&&(urlParams.db="0",urlParams.od="0",urlParams.gh="0",urlParams.gl="0",urlParams.tr="0",urlParams.plugins="0",urlParams.mode="google",urlParams.lockdown="1",window.DRAWIO\_GOOGLE\_APP\_ID=window.DRAWIO\_GOOGLE\_APP\_ID||"184079235871",window.DRAWIO\_GOOGLE\_CLIENT\_ID=window.DRAWIO\_GOOGLE\_CLIENT\_ID||"184079235871-pjf5nn0lff27lk8qf0770gmffiv9gt61.apps.googleusercontent.com");"trello"==urlParams.mode&&(urlParams.tr="1"); "embed.diagrams.net"==window.location.hostname&&(urlParams.embed="1");(null==window.location.hash||1>=window.location.hash.length)&&null!=urlParams.open&&(window.location.hash=urlParams.open);window.urlParams=window.urlParams||{};window.MAX\_REQUEST\_SIZE=window.MAX\_REQUEST\_SIZE||10485760;window.MAX\_AREA=window.MAX\_AREA||225E6;window.EXPORT\_URL=window.EXPORT\_URL||"/export";window.SAVE\_URL=window.SAVE\_URL||"/save";window.OPEN\_URL=window.OPEN\_URL||"/open";window.RESOURCES\_PATH=window.RESOURCES\_PATH||"resources";window.RESOURCE\_BASE=window.RESOURCE\_BASE||window.RESOURCES\_PATH+"/grapheditor";window.STENCIL\_PATH=window.STENCIL\_PATH||"stencils";window.IMAGE\_PATH=window.IMAGE\_PATH||"images"; window.STYLE\_PATH=window.STYLE\_PATH||"styles";window.CSS\_PATH=window.CSS\_PATH||"styles";window.OPEN\_FORM=window.OPEN\_FORM||"open.html";window.mxBasePath=window.mxBasePath||"mxgraph";window.mxImageBasePath=window.mxImageBasePath||"mxgraph/images";window.mxLanguage=window.mxLanguage||urlParams.lang;window.mxLanguages=window.mxLanguages||\["de","se"\];var mxClient={VERSION:"18.0.6",IS\_IE:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("MSIE"),IS\_IE11:null!=navigator.userAgent&&!!navigator.userAgent.match(/Trident\\/7\\./),IS\_EDGE:null!=navigator.userAgent&&!!navigator.userAgent.match(/Edge\\//),IS\_EM:"spellcheck"in document.createElement("textarea")&&8==document.documentMode,VML\_PREFIX:"v",OFFICE\_PREFIX:"o",IS\_NS:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Mozilla/")&&0>navigator.userAgent.indexOf("MSIE")&&0>navigator.userAgent.indexOf("Edge/"), window.STYLE\_PATH=window.STYLE\_PATH||"styles";window.CSS\_PATH=window.CSS\_PATH||"styles";window.OPEN\_FORM=window.OPEN\_FORM||"open.html";window.mxBasePath=window.mxBasePath||"mxgraph";window.mxImageBasePath=window.mxImageBasePath||"mxgraph/images";window.mxLanguage=window.mxLanguage||urlParams.lang;window.mxLanguages=window.mxLanguages||\["de","se"\];var mxClient={VERSION:"18.0.7",IS\_IE:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("MSIE"),IS\_IE11:null!=navigator.userAgent&&!!navigator.userAgent.match(/Trident\\/7\\./),IS\_EDGE:null!=navigator.userAgent&&!!navigator.userAgent.match(/Edge\\//),IS\_EM:"spellcheck"in document.createElement("textarea")&&8==document.documentMode,VML\_PREFIX:"v",OFFICE\_PREFIX:"o",IS\_NS:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Mozilla/")&&0>navigator.userAgent.indexOf("MSIE")&&0>navigator.userAgent.indexOf("Edge/"), IS\_OP:null!=navigator.userAgent&&(0<=navigator.userAgent.indexOf("Opera/")||0<=navigator.userAgent.indexOf("OPR/")),IS\_OT:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Presto/")&&0>navigator.userAgent.indexOf("Presto/2.4.")&&0>navigator.userAgent.indexOf("Presto/2.3.")&&0>navigator.userAgent.indexOf("Presto/2.2.")&&0>navigator.userAgent.indexOf("Presto/2.1.")&&0>navigator.userAgent.indexOf("Presto/2.0.")&&0>navigator.userAgent.indexOf("Presto/1."),IS\_SF:/Apple Computer, Inc/.test(navigator.vendor), IS\_ANDROID:0<=navigator.appVersion.indexOf("Android"),IS\_IOS:/iP(hone|od|ad)/.test(navigator.platform)||navigator.userAgent.match(/Mac/)&&navigator.maxTouchPoints&&2<navigator.maxTouchPoints,IS\_WEBVIEW:/((iPhone|iPod|iPad).\*AppleWebKit(?!.\*Version)|; wv)/i.test(navigator.userAgent),IS\_GC:/Google Inc/.test(navigator.vendor),IS\_CHROMEAPP:null!=window.chrome&&null!=chrome.app&&null!=chrome.app.runtime,IS\_FF:"undefined"!==typeof InstallTrigger,IS\_MT:0<=navigator.userAgent.indexOf("Firefox/")&&0>navigator.userAgent.indexOf("Firefox/1.")&& 0>navigator.userAgent.indexOf("Firefox/2.")||0<=navigator.userAgent.indexOf("Iceweasel/")&&0>navigator.userAgent.indexOf("Iceweasel/1.")&&0>navigator.userAgent.indexOf("Iceweasel/2.")||0<=navigator.userAgent.indexOf("SeaMonkey/")&&0>navigator.userAgent.indexOf("SeaMonkey/1.")||0<=navigator.userAgent.indexOf("Iceape/")&&0>navigator.userAgent.indexOf("Iceape/1."),IS\_SVG:"MICROSOFT INTERNET EXPLORER"!=navigator.appName.toUpperCase(),NO\_FO:!document.createElementNS||"\[object SVGForeignObjectElement\]"!== @@ -11694,7 +11694,7 @@ D.appendChild(R);Q.appendChild(D);this.container=Q};var W=ChangePageSetup.protot this.format);null!=this.mathEnabled&&(this.page.viewState.mathEnabled=this.mathEnabled);null!=this.shadowVisible&&(this.page.viewState.shadowVisible=this.shadowVisible)}}else W.apply(this,arguments),null!=this.mathEnabled&&this.mathEnabled!=this.ui.isMathEnabled()&&(this.ui.setMathEnabled(this.mathEnabled),this.mathEnabled=!this.mathEnabled),null!=this.shadowVisible&&this.shadowVisible!=this.ui.editor.graph.shadowVisible&&(this.ui.editor.graph.setShadowVisible(this.shadowVisible),this.shadowVisible= !this.shadowVisible)};Editor.prototype.useCanvasForExport=!1;try{var U=document.createElement("canvas"),X=new Image;X.onload=function(){try{U.getContext("2d").drawImage(X,0,0);var u=U.toDataURL("image/png");Editor.prototype.useCanvasForExport=null!=u&&6<u.length}catch(D){}};X.src="data:image/svg+xml;base64,"+btoa(unescape(encodeURIComponent('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1px" height="1px" version="1.1"><foreignObject pointer-events="all" width="1" height="1"><div xmlns="http://www.w3.org/1999/xhtml"></div></foreignObject></svg>')))}catch(u){}})(); (function(){var b=new mxObjectCodec(new ChangePageSetup,\["ui","previousColor","previousImage","previousFormat"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};b.afterDecode=function(e,f,c){c.previousColor=c.color;c.previousImage=c.image;c.previousFormat=c.format;null!=c.foldingEnabled&&(c.foldingEnabled=!c.foldingEnabled);null!=c.mathEnabled&&(c.mathEnabled=!c.mathEnabled);null!=c.shadowVisible&&(c.shadowVisible=!c.shadowVisible);return c};mxCodecRegistry.register(b)})(); (function(){var b=new mxObjectCodec(new ChangeGridColor,\["ui"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};mxCodecRegistry.register(b)})();(function(){EditorUi.VERSION="18.0.6";EditorUi.compactUi="atlas"!=uiTheme;Editor.isDarkMode()&&(mxGraphView.prototype.gridColor=mxGraphView.prototype.defaultDarkGridColor);EditorUi.enableLogging="1"!=urlParams.stealth&&"1"!=urlParams.lockdown&&(/.\*\\.draw\\.io$/.test(window.location.hostname)||/.\*\\.diagrams\\.net$/.test(window.location.hostname))&&"support.draw.io"!=window.location.hostname;EditorUi.drawHost=window.DRAWIO\_BASE\_URL;EditorUi.lightboxHost=window.DRAWIO\_LIGHTBOX\_URL;EditorUi.lastErrorMessage= (function(){var b=new mxObjectCodec(new ChangeGridColor,\["ui"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};mxCodecRegistry.register(b)})();(function(){EditorUi.VERSION="18.0.7";EditorUi.compactUi="atlas"!=uiTheme;Editor.isDarkMode()&&(mxGraphView.prototype.gridColor=mxGraphView.prototype.defaultDarkGridColor);EditorUi.enableLogging="1"!=urlParams.stealth&&"1"!=urlParams.lockdown&&(/.\*\\.draw\\.io$/.test(window.location.hostname)||/.\*\\.diagrams\\.net$/.test(window.location.hostname))&&"support.draw.io"!=window.location.hostname;EditorUi.drawHost=window.DRAWIO\_BASE\_URL;EditorUi.lightboxHost=window.DRAWIO\_LIGHTBOX\_URL;EditorUi.lastErrorMessage= null;EditorUi.ignoredAnonymizedChars="\\n\\t\`~!@#$%^&\*()\_+{}|:\\"<>?-=\[\];'./,\\n\\t";EditorUi.templateFile=TEMPLATE\_PATH+"/index.xml";EditorUi.cacheUrl=window.REALTIME\_URL;null==EditorUi.cacheUrl&&"undefined"!==typeof DrawioFile&&(DrawioFile.SYNC="none");Editor.cacheTimeout=1E4;EditorUi.enablePlantUml=EditorUi.enableLogging;EditorUi.isElectronApp=null!=window&&null!=window.process&&null!=window.process.versions&&null!=window.process.versions.electron;EditorUi.nativeFileSupport=!mxClient.IS\_OP&&!EditorUi.isElectronApp&& "1"!=urlParams.extAuth&&"showSaveFilePicker"in window&&"showOpenFilePicker"in window;EditorUi.enableDrafts=!mxClient.IS\_CHROMEAPP&&isLocalStorage&&"0"!=urlParams.drafts;EditorUi.scratchpadHelpLink="https://www.diagrams.net/doc/faq/scratchpad";EditorUi.enableHtmlEditOption=!0;EditorUi.defaultMermaidConfig={theme:"neutral",arrowMarkerAbsolute:!1,flowchart:{htmlLabels:!1},sequence:{diagramMarginX:50,diagramMarginY:10,actorMargin:50,width:150,height:65,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35, mirrorActors:!0,bottomMarginAdj:1,useMaxWidth:!0,rightAngles:!1,showSequenceNumbers:!1},gantt:{titleTopMargin:25,barHeight:20,barGap:4,topPadding:50,leftPadding:75,gridLineStartPadding:35,fontSize:11,fontFamily:'"Open-Sans", "sans-serif"',numberSectionStyles:4,axisFormat:"%Y-%m-%d"}};EditorUi.logError=function(d,g,k,l,p,q,x){q=null!=q?q:0<=d.indexOf("NetworkError")||0<=d.indexOf("SecurityError")||0<=d.indexOf("NS\_ERROR\_FAILURE")||0<=d.indexOf("out of memory")?"CONFIG":"SEVERE";if(EditorUi.enableLogging&&

CVE-2022-1767: 18.0.7 release · jgraph/drawio@c63f3a0

GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.

CVE-2022-30976: gpac/gpac.1 at 105d67985ff3c3f4b98a98f312e3d84ae77a4463 · gpac/gpac

If you're an Apple user, make sure you patch for CVE-2022-22675, a zero-day flaw actively exported in the wild.
The post Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV appeared first on Malwarebytes Labs.

Apple has released security updates for a zero-day vulnerability that affects multiple products, including Mac, Apple Watch, and Apple TV.

The flaw is an out-of-bounds write issue—tracked as CVE-2022-22675—in AppleAVD, a decoder that handles specific media files.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

Attackers could take control of affected devices if they exploit this flaw.

CVE-2022-22675 is the same vulnerability that affected macOS Monterey 12.3.1, iOS 15.4.1, and iPad 15.4.1. The flaw for these was patched in March.

This latest batch of updates has improved bounds checking for additional Apple products running specific operating systems, particularly macOS Big Sur 11.6.6, watchOS 8.6, and tvOS 15.5. These OSs are installed in Apple Macs running Big Sur, Apple Watch Series 3 and later, and Apple TV (4K, 4K 2nd generation, and 4K HD).

Apple says it’s aware this flaw is currently being abused in the wild. It didn’t go into detail, likely to give customers time to patch up their Apple devices.

BleepingComputer has noted that attacks against CVE-2022-22675 might only be targeted in nature. However,if you’re using any or all of the above Apple products we mentioned, it is still wise to apply updates as soon as you can.

Stay safe!

Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV

Researchers found a way to exploit the tech that enables Apple’s Find My feature, which could allow attackers to track location when a device is powered down.

When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down.

It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.

This video provides a high overview of some of the ways an attack can work.

The research is the first—or at least among the first—to study the risk posed by chips running in low-power mode. Not to be confused with iOS’s low-power mode for conserving battery life, the low-power mode (LPM) in this research allows chips responsible for near-field communication, ultra wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after a device is turned off.

“The current LPM implementation on Apple iPhones is opaque and adds new threats,” the researchers wrote in a paper published last week. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.”

They added: “Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”

The findings have limited real-world value, since infections required first jailbreaking an iPhone, which in itself is a difficult task, particularly in an adversarial setting. Still, targeting the always-on feature in iOS could prove handy in post-exploit scenarios by malware such as Pegasus, the sophisticated smartphone exploit tool from Israel-based NSO Group, which governments worldwide routinely employ to spy on adversaries.

It may also be possible to infect the chips in the event hackers discover security flaws that are susceptible to over-the-air exploits similar to this one that worked against Android devices.

Besides allowing malware to run while the iPhone is turned off, exploits targeting LPM could also allow malware to operate with much more stealth since LPM allows firmware to conserve battery power. And, of course, firmware infections are extremely difficult to detect since it requires significant expertise and expensive equipment.

The researchers said Apple engineers reviewed their paper before it was published, but company representatives never provided any feedback on its contents. Apple representatives didn’t respond to an email seeking comment for this story.

Ultimately, Find My and other features enabled by LPM help provide added security, because they allow users to locate lost or stolen devices and lock or unlock car doors even when batteries are depleted. But the research exposes a double-edged sword that, until now, has gone largely unnoticed.

“Hardware and software attacks similar to the ones described have been proven practical in a real-world setting, so the topics covered in this paper are timely and practical,” said John Loucaides, senior vice president of strategy at firmware security firm Eclypsium. “This is typical for every device. Manufacturers are adding features all the time, and with every new feature comes a new attack surface.”

_This story originally appeared on_ _Ars Technica__._

Your iPhone Is Vulnerable to a Malware Attack Even When It’s Off

Apple Security Advisory 2022-05-16-6 - tvOS 15.5 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-05-16-6 tvOS 15.5

tvOS 15.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213254.

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26702: an anonymous researcher

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-22675: an anonymous researcher

AuthKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A local user may be able to enable iCloud Photos without  
authentication  
Description: An authentication issue was addressed with improved  
state management.  
CVE-2022-26724:  Jorge A. Caballero (@DataDrivenMD)

AVEVideoEncoder  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-26736: an anonymous researcher  
CVE-2022-26737: an anonymous researcher  
CVE-2022-26738: an anonymous researcher  
CVE-2022-26739: an anonymous researcher  
CVE-2022-26740: an anonymous researcher

DriverKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious application may be able to execute arbitrary code  
with system privileges  
Description: An out-of-bounds access issue was addressed with  
improved bounds checking.  
CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend  
Micro Zero Day Initiative

IOKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A race condition was addressed with improved locking.  
CVE-2022-26701: chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab

IOMobileFrameBuffer  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-26768: an anonymous researcher

IOSurfaceAccelerator  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious application may be able to execute arbitrary code  
with kernel privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-26771: an anonymous researcher

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs  
(@starlabs_sg)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26757: Ned Williamson of Google Project Zero

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: An attacker that has already achieved kernel code execution  
may be able to bypass kernel memory mitigations  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious attacker with arbitrary read and write capability  
may be able to bypass Pointer Authentication  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: An access issue was addressed with additional sandbox  
restrictions on third-party applications.  
CVE-2022-26706: Arsenii Kostromin (0x3c3e)

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-23308

Security  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious app may be able to bypass signature validation  
Description: A certificate parsing issue was addressed with improved  
checks.  
CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: Processing maliciously crafted web content may lead to code  
execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab  
WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

Wi-Fi  
Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple  
TV HD  
Impact: A malicious application may disclose restricted memory  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26745: an anonymous researcher

Additional recognition

AppleMobileFileIntegrity  
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing  
for their assistance.

WebKit  
We would like to acknowledge James Lee, an anonymous researcher for  
their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TcACgkQeC9qKD1p  
rhiw7BAAy82XZ2+vjnjFB1FrZ7ZnKtM4pz8MMpX4ZTD2ytgkwXi0qnyzBdMe/w4p  
zrpedL4p/RfdDOiM/4kWBtiH62qetiXDcE8tBqN8WTE9rf55cX4jlXrHASohFI2q  
ErkAjo51j2fg8S7a+luyaZWzBUZqlghtzWjtFgaHOQAP5dDf+He92kDerbrIDQw9  
dg0nL4os0VFgWdX0EtFC7umK8iiTFbvtoEbLDLFODWweaJN8LOP/LHe71YzAryKg  
Dh9ItWqVdzkCOKWR8F96NnoBs7c6B4naqQkS4k2F/m6C6ckPb8LI18ss7oiD3eMB  
k7oo7+u1zQFRKmk0XlfH7awxtEHjYjjw3LT8ko9QJ8mEuspxoiwW7n1mINWa7Khp  
YoCe88xR06kfti4h6MJDSN6JpxSnikEyJzR4j4xGL6rWjqCj+XV9ejrt9EgF8BL2  
JZ+Oceoh23m7IqVoMe1Hzjf1X3nsxXJQEg/xxRwHRknAjSNtVJUKhT4/ioOc9pu6  
TROAHYdSO5yRLNUNpj9RlkBeDbXtiWgA2IEg0wcUPzwf3Uzt2Qw9zBFbMb1hPSht  
7zTIOtF4Ub+MD6cFuHbC7hL58pRmA4FzEczLG81BoGGaFOCD2QDt0/ySTFr1M+YD  
g2L2PlZNgxd0zetkTkZbvAwroMUTRSi1GqxAhVeKwbvW4XAN+yc=  
=G3ho  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-05-16-6

Apple Security Advisory 2022-05-16-5 - watchOS 8.6 addresses bypass, code execution, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-05-16-5 watchOS 8.6

watchOS 8.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213253.

AppleAVD  
Available for: Apple Watch Series 3 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26702: an anonymous researcher

AppleAVD  
Available for: Apple Watch Series 3 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-22675: an anonymous researcher

DriverKit  
Available for: Apple Watch Series 3 and later  
Impact: A malicious application may be able to execute arbitrary code  
with system privileges  
Description: An out-of-bounds access issue was addressed with  
improved bounds checking.  
CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO  
Available for: Apple Watch Series 3 and later  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2022-26711: actae0n of Blacksun Hackers Club working with Trend  
Micro Zero Day Initiative

IOMobileFrameBuffer  
Available for: Apple Watch Series 3 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-26768: an anonymous researcher

IOSurfaceAccelerator  
Available for: Apple Watch Series 3 and later  
Impact: A malicious application may be able to execute arbitrary code  
with kernel privileges  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2022-26771: an anonymous researcher

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs  
(@starlabs_sg)

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An application may be able to execute arbitrary code with  
kernel privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-26757: Ned Williamson of Google Project Zero

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: An attacker that has already achieved kernel code execution  
may be able to bypass kernel memory mitigations  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel  
Available for: Apple Watch Series 3 and later  
Impact: A malicious attacker with arbitrary read and write capability  
may be able to bypass Pointer Authentication  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)

LaunchServices  
Available for: Apple Watch Series 3 and later  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: An access issue was addressed with additional sandbox  
restrictions on third-party applications.  
CVE-2022-26706: Arsenii Kostromin (0x3c3e)

libxml2  
Available for: Apple Watch Series 3 and later  
Impact: A remote attacker may be able to cause unexpected application  
termination or arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-23308

Security  
Available for: Apple Watch Series 3 and later  
Impact: A malicious app may be able to bypass signature validation  
Description: A certificate parsing issue was addressed with improved  
checks.  
CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)

TCC  
Available for: Apple Watch Series 3 and later  
Impact: An app may be able to capture a user's screen  
Description: This issue was addressed with improved checks.  
CVE-2022-26726: an anonymous researcher

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to code  
execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238178  
CVE-2022-26700: ryuzaki

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 236950  
CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 237475  
CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua  
wingtecher lab  
WebKit Bugzilla: 238171  
CVE-2022-26717: Jeonghoon Shin of Theori

WebKit  
Available for: Apple Watch Series 3 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 238183  
CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun Lab  
WebKit Bugzilla: 238699  
CVE-2022-26719: Dongzhuo Zhao working with ADLab of Venustech

Wi-Fi  
Available for: Apple Watch Series 3 and later  
Impact: A malicious application may disclose restricted memory  
Description: A memory corruption issue was addressed with improved  
validation.  
CVE-2022-26745: an anonymous researcher

Additional recognition

AppleMobileFileIntegrity  
We would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRing  
for their assistance.

WebKit  
We would like to acknowledge James Lee, an anonymous researcher for  
their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TYACgkQeC9qKD1p  
rhhgaBAAq/igmuSba0Occu1TcS6aXG50gjUZyJXPu7/UVVWI4icwz+c/ruKquy/w  
XuiT+C2Q6CJIWn2qM+hHrHtgsi3EYI6XxrbgcLgmvGvbwICs9RwHyHc1ztSyurTe  
ys8gJkc+/nZWPKR4dy7JUl8NdjoTWuUyGVE9xOJQeISND5xUoDz2i9d8FKgkZta6  
FoJlIWCDuNq01vgcAfKSZqPX2mEPMnWL47Q6g69PXIs34iBcOrHNesZ/mH/jz5Nz  
aAnisEj9gC0+KERoMSmGoBrYmP7kr/DmVBEwa9cDA0rGfNntgNliQ7wbLxnT8kJG  
rJARAyLPtPsygs7UmnkDaNDkI/a63dIRWwPIKUOQYtKKqwNL5GSoytdk/OhRGjmN  
Hi7k1GmvGiJA7bFI3PIQDSi3YSC1cs9CeyIL2rNUSVmRZ7jHlXxlDQYH1/ad4DU1  
TqVw9Rwg0mlc0tYKUNjChg/uAK1G5OGidxtLRt0FzUaXvPoVLe0/btYeaH6ijfU9  
i1W+xJ8jGgWddP7r1HvNeN6B+WGuIEcla+GNduEV3+AcnxL9h6FP8sAzQuTHQtKC  
AkqUO1G20ieIQHKJPNEIpgLlrCFYVajDfRtB9zGDme6aBZNHxefOWMMxdKfnspj2  
MtFpJ9qPmpnRITjCF5z1RDfqFjXUZvePcRA6rS1Lq4ClgQ575yI=  
=zdvf  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-05-16-5

Apple Security Advisory 2022-05-16-1 - iOS 15.5 and iPadOS 15.5 addresses bypass, code execution, denial of service, integer overflow, out of bounds access, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-05-16-1 iOS 15.5 and iPadOS 15.5iOS 15.5 and iPadOS 15.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213258.AppleAVDAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A use after free issue was addressed with improvedmemory management.CVE-2022-26702: an anonymous researcherAppleGraphicsControlAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a maliciously crafted image may lead to arbitrarycode executionDescription: A memory corruption issue was addressed with improvedinput validation.CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero DayInitiativeAVEVideoEncoderAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-26736: an anonymous researcherCVE-2022-26737: an anonymous researcherCVE-2022-26738: an anonymous researcherCVE-2022-26739: an anonymous researcherCVE-2022-26740: an anonymous researcherDriverKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious application may be able to execute arbitrary codewith system privilegesDescription: An out-of-bounds access issue was addressed withimproved bounds checking.CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de)GPU DriversAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26744: an anonymous researcherImageIOAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote attacker may be able to cause unexpected applicationtermination or arbitrary code executionDescription: An integer overflow issue was addressed with improvedinput validation.CVE-2022-26711: actae0n of Blacksun Hackers Club working with TrendMicro Zero Day InitiativeIOKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A race condition was addressed with improved locking.CVE-2022-26701: chenyuwang (@mzzzz__) of Tencent Security Xuanwu LabIOMobileFrameBufferAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26768: an anonymous researcherIOSurfaceAcceleratorAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious application may be able to execute arbitrary codewith kernel privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26771: an anonymous researcherKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs(@starlabs_sg)KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privilegesDescription: A use after free issue was addressed with improvedmemory management.CVE-2022-26757: Ned Williamson of Google Project ZeroKernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An attacker that has already achieved kernel code executionmay be able to bypass kernel memory mitigationsDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-26764: Linus Henze of Pinauten GmbH (pinauten.de)KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious attacker with arbitrary read and write capabilitymay be able to bypass Pointer AuthenticationDescription: A race condition was addressed with improved statehandling.CVE-2022-26765: Linus Henze of Pinauten GmbH (pinauten.de)LaunchServicesAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A sandboxed process may be able to circumvent sandboxrestrictionsDescription: An access issue was addressed with additional sandboxrestrictions on third-party applications.CVE-2022-26706: Arsenii Kostromin (0x3c3e)libxml2Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote attacker may be able to cause unexpected applicationtermination or arbitrary code executionDescription: A use after free issue was addressed with improvedmemory management.CVE-2022-23308NotesAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing a large input may lead to a denial of serviceDescription: This issue was addressed with improved checks.CVE-2022-22673: Abhay Kailasia (@abhay_kailasia) of Lakshmi NarainCollege Of Technology BhopalSafari Private BrowsingAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious website may be able to track users in Safariprivate browsing modeDescription: A logic issue was addressed with improved statemanagement.CVE-2022-26731: an anonymous researcherSecurityAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious app may be able to bypass signature validationDescription: A certificate parsing issue was addressed with improvedchecks.CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de)ShortcutsAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A person with physical access to an iOS device may be able toaccess photos from the lock screenDescription: An authorization issue was addressed with improved statemanagement.CVE-2022-26703: Salman Syed (@slmnsd551)WebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead to codeexecutionDescription: A memory corruption issue was addressed with improvedstate management.WebKit Bugzilla: 238178CVE-2022-26700: ryuzakiWebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 236950CVE-2022-26709: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghuawingtecher labWebKit Bugzilla: 237475CVE-2022-26710: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghuawingtecher labWebKit Bugzilla: 238171CVE-2022-26717: Jeonghoon Shin of TheoriWebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedstate management.WebKit Bugzilla: 238183CVE-2022-26716: SorryMybad (@S0rryMybad) of Kunlun LabWebKit Bugzilla: 238699CVE-2022-26719: Dongzhuo Zhao working with ADLab of VenustechWebRTCAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Video self-preview in a webRTC call may be interrupted if theuser answers a phone callDescription: A logic issue in the handling of concurrent media wasaddressed with improved state handling.WebKit Bugzilla: 237524CVE-2022-22677: an anonymous researcherWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious application may disclose restricted memoryDescription: A memory corruption issue was addressed with improvedvalidation.CVE-2022-26745: an anonymous researcherWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious application may be able to elevate privilegesDescription: A memory corruption issue was addressed with improvedstate management.CVE-2022-26760: 08Tc3wBB of ZecOps Mobile EDR TeamWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A remote attacker may be able to cause a denial of serviceDescription: This issue was addressed with improved checks.CVE-2015-4142: Kostya Kortchinsky of Google Security TeamWi-FiAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: A malicious application may be able to execute arbitrary codewith system privilegesDescription: A memory corruption issue was addressed with improvedmemory handling.CVE-2022-26762: Wang Yu of CyberservalAdditional recognitionAppleMobileFileIntegrityWe would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRingfor their assistance.FaceTimeWe would like to acknowledge Wojciech Reguła (@_r3ggi) of SecuRingfor their assistance.WebKitWe would like to acknowledge James Lee, an anonymous researcher fortheir assistance.Wi-FiWe would like to acknowledge 08Tc3wBB of ZecOps Mobile EDR Team fortheir assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.5 and iPadOS 15.5".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TQACgkQeC9qKD1prhh9PRAApeuHnWvZRxSW/QArItDF2fA1eXCu7n9BwPA6CoqrU7v7aR6H/NQ3wes6xOjoRccHRCWRJ12RubM06ggC+WA/MLb96t2Wc4IUoFDkI3G6fp/I3aHpSONv4YMtEoHSGMpJ3qAb6Z60mIMcshsCtyv9k4LxpjOTnHKRLp/M4JLWG4CanOGpN2u/wPPVTpRY4jkZlAdvQK3qrPmA8aO5sWnbh5l//kUS6IL649seZQFUeZdz7QUyodjjqr2/XWyqsQC4mqVphxwvWDWA5J6/Zf7C7hNdZ1BE+SPpLhjEZlU6IYBFY2PLrg9NDTv8YMZpftlm5HQo3qmy/HLoiF8bIqgtdz+TpgNiT+TYz9+/pvP/hyGbX6xF9esKBVjj+1OUnd2GaLjSdY7o9WOtZgSJQxi1/R1X1+DjY1vI+d/TQZ+Sz58Me90R99aWc+Gc1B8e6FhjwT48rHJiuIw75ZW1orpUX6OL5vqdge0H1aJXm7EEUhByZvm2E2DajKu2mp2jr01UZyb3ro0qE1zpNitNORWAdvrlriIJxFVxtxW4MygMn8ThJ/Jz2LjquHvTEwvCyB9jaqPKja3b/dwzf/nowjw+aocxOjelW2Q/HcyR13YF2ZHd1+hNtG/7IsrxWIpI9nNAQQ2LCQIgL7/xCn6Yni9t3le3+eU+cdafoqJKTpETNbk==OMfW-----END PGP SIGNATURE-----

Apple Security Advisory 2022-05-16-1

AirTag stalking is in the news as bills look to close loopholes used by stalkers. What are AirTags, and how can they be used to track people?
The post AirTag stalking: What is it, and how can I avoid it? appeared first on Malwarebytes Labs.

More voices are being raised against the use of everyday technology repurposed to attack and stalk people. Most recently, it’s reported that Ohio has proposed a new bill in relation to electronic tagging devices.

The bill, aimed at making short work of a loophole allowing people with no stalking or domestic violence record to use tracking devices, is currently in the proposal stages. As PC Mag mentions, 19 states currently ban the use of trackers to aid stalking.

**Dude, where’s my car?**

Using tech to find missing items is nothing new. Back in the 80s, my dad had one of the new wave of tools used to find your lost keys. You put a small device on your keychain, and when they inevitably went missing, you whistled. The device, assuming it was nearby, would beep or whistle back. That is, it would if the range wasn’t awful and it frequently didn’t respond to your best whistle attempts.

Skip forward enough years, and we had similar concept but with Bluetooth and Radio Frequency. But the range on them isn’t great and so the use is limited.

Step up to the plate, tracker devices.

**What is an AirTag?**

There are many types of tracking device, but AirTags are unfortunately for Apple the one most closely associated with this form of stalking.

Find My, an app for Apple mobiles, is an incredibly slick way to keep track of almost any Apple product you can think of. Making your lost phone make a noise, offline finding, and sending the last location when battery is low are some of the fine-tune options available.

An AirTag is a small round device which plugs right into the Find My options. The idea is a supercharged version of ye olde key whistler. Misplace an item attached to an AirTag, and when you get close enough you’ll even have Precision Finding kicking in to guide to the lost item.

This is all incredibly helpful, especially if you’re good at misplacing things. Even better if something is stolen. Where it goes wrong is when people with bad intentions immediately figure out ways they can harass people with it.

**A stalker’s life for me**

Back in January, model Brooks Nader claimed someone placed an AirTag in her coat. Whoever was responsible used it to follow her around for several hours. She only became aware of what was happening because her phone alerted her to the tag’s presence.

However, this is an Apple-specific product, which means not all devices will be able to flag it. Android users are resorting to downloading standalone apps which can flush out unwanted AirTag stalkers. Meanwhile, the case numbers themselves are steadily increasing across multiple regions. Smart stalkers will place tags on items or in places victims won’t suspect. A tag under the car means victims may never even find out they’ve been stalked in the first place.

**Apple pushes back on AirTag stalking**

This isn’t great news for any company faced with a sudden wave of people abusing their devices. Apple is trying to lead the charge against these practices by making it harder for stalkers.

*   Improving the accuracy of “unknown accessory detected” notices
*   Adding support documents for people who believe they may be being stalked.
*   Implementing notices which say “tracking without consent is a crime”

**Advice for people worried about AirTag stalking**

Apple’s support document lists two ways to discover unwanted tracking.

1.  If you have an iPhone, iPad, or iPod touch, Find My will send a notification to your Apple device. This feature is available on iOS or iPadOS 14.5 or later. To receive alerts, make sure that you:  
    Go to Settings > Privacy > Location Services, and turn Location Services on.  
    Go to Settings > Privacy > Location Services > System Services. Turn Find My iPhone on.  
    Go to Settings > Privacy > Location Services > System Services. Turn Significant Locations on to be notified when you arrive at a significant location, such as your home.  
    Go to Settings > Bluetooth, and turn Bluetooth on.  
    Go to the Find My app, tap the Me tab, and turn Tracking Notifications on.
2.  If you don’t have an iOS device or a smartphone, an AirTag that isn’t with its owner for a period of time will emit a sound when it’s moved. This type of notification isn’t supported with AirPods.

Any alert on your mobile device that a tracker is nearby allows you to make the tracker produce a noise via your phone. You can make this noise repeat as often as you want until the device is found.

**Disabling the AirTag**

If you can’t find the physical object, don’t worry. You can disable it, again using your phone. Apple’s advice:

> _To disable the AirTag, AirPods, or Find My network accessory and stop it from sharing its location, tap Instructions to Disable and follow the onscreen steps. After the AirTag, AirPods, or Find My network accessory is disabled, the owner can no longer get updates on its current location. You will also no longer receive any unwanted tracking alerts for this item._

Apple has been quite visible in both drawing attention to the problem and providing accessible and straightforward solutions to shutting unwanted tracking down. We can only hope that other companies whose trackers are being misused in this way are doing their part too.

AirTag stalking: What is it, and how can I avoid it?

New offering provides credit and financial monitoring along with identity protection and restoration.

BUCHAREST, Romania and SANTA CLARA, Calif., May 17, 2022 /PRNewswire/ -- Bitdefender, a global cybersecurity leader, today unveiled Bitdefender Identity Theft Protection, a new U.S. consumer service delivering identity threat detection and alerts, 24/7 credit and financial account monitoring, and dedicated recovery services in the event of successful identity takeover. The service helps prevent criminals from stealing or using personal information to drain financial accounts, open new lines of credit, commit medical or tax fraud among other identity-based offenses.

Identity theft remains a significant risk for consumers. The Federal Trade Commission (FTC) reported consumers losing nearly $6 billion due to fraud in 2021, an increase of more than 70% over the previous year. Additionally, a recent Bitdefender survey of more than 10,000 consumers found many to practice what is considered high-risk behavior when it comes to data protection and digital identities, including 50% stating use of a single password for all online accounts and regular sharing of personal identification details including name (43%), email address and birthdate (40%) and home address (29%).

"As consumers conduct more personal business and finances online, they need complete cybersecurity protection that not only blocks threats like malware and phishing attempts, but also protects digital privacy and actively secures personal data against theft and misuse," said Ciprian Istrate, vice president, Bitdefender Consumer Solutions Group. "Bitdefender Identity Theft Protection service enables consumers to enjoy online shopping, banking, social media and other activities with peace of mind knowing their financial identity, privacy and personal data is safeguarded around the clock and credit quickly repaired if ever needed."

Bitdefender Identity Theft Protection, developed in collaboration with IdentityForce (a TransUnion brand), is available as a standalone subscription service or through Bitdefender Ultimate Security, a comprehensive cybersecurity suite that incorporates Bitdefender Total Security antivirus, Bitdefender Premium VPN and Bitdefender Password Manager to protect computers and mobile devices across multiple operating systems including Windows, macOS, Android and iOS.

**Key Features of Bitdefender Identity Theft Protection Include:**

*   **Continuous Identity and Credit Monitoring** \-- Bitdefender combines advanced threat detection capabilities and dark web threat intelligence with 24/7 identity, privacy and credit monitoring to protect users against the theft, sale or illegal trade of their personal, financial and credit information. Monitoring is correlated with data dumps and known breaches to notify users with specifics on what information was compromised such as passwords, addresses or credit card numbers**.**
*   **Real-Time Fraud Alerts** -- Bitdefender Identity Theft instantly alerts users when personal and financial data is compromised or identity details are used to apply for new lines of credit, mortgages, car loans, wireless devices, check reorders and more. Fraud attempts are stopped in the moment, not after the financial damage has occurred.
*   **Complete Identity Theft Restoration Services** \-- Bitdefender Identity Theft delivers 24/7 support services, personalized mitigation strategies and identity theft restoration if an incident occurs. Certified U.S. protection experts do the heavy lifting of freezing compromised accounts, contacting third parties and completing necessary paperwork to restore identity removing the burden from consumers.
*   **Identity Theft Insurance** \-- Bitdefender Identify Theft guarantees insurance covering certain out-of-pocket expenses, lost wages and funds stolen from financial accounts, up to $2 million (USD) if a user falls victim to successful identity theft.
*   **Credit Score Simulator** \-- A unique credit score simulator helps users foresee how certain financial decisions may impact their credit score. Users can experiment with different credit balances, credit card payments, balance transfers and more, to understand how and why their score changes to make the best financial decision for their situation.

**Availability**

Bitdefender Identity Theft Protection is available now as an annual subscription or through the Bitdefender Ultimate Security suite. For more information or to purchase, visit https://www.bitdefender.com/solutions/identity-theft-protection.html.

**About Bitdefender**

Bitdefender provides cybersecurity solutions with leading security efficacy, performance and ease of use to small and medium businesses, mid-market enterprises and consumers. Guided by a vision to be the world's most trusted cybersecurity solutions provider, Bitdefender is committed to defending organizations and individuals around the globe against cyberattacks to transform and improve their digital experience. For more information, visit https://www.bitdefender.com.

Bitdefender Launches Identity Theft Protection Service for U.S. Consumers

Wireless features Bluetooth, NFC and UWB stay on even when the device is powered down, which could allow attackers to execute pre-loaded malware.

Wireless features Bluetooth, NFC and UWB stay on even when the device is powered down, which could allow attackers to execute pre-loaded malware.

Attackers can target iPhones even when they are turned off due to how Apple implements standalone wireless features Bluetooth, Near Field Communication (NFC ) and Ultra-wideband ( UWB) technologies in the device, researchers have found.

These features—which have access to the iPhone’s Secure Element (SE), which stores sensitive info–stay on even when modern iPhones are powered down, a team of researchers from Germany’s Technical University of Darmstadt discovered.

This makes it possible, for example, “to load malware onto a Bluetooth chip that is executed while the iPhone is off,” they wrote in a research paper titled “Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhone.”

By compromising these wireless features, attackers can then go on to access secure info such as a user’s credit card data, banking details or even digital car keys on the device, researchers Jiska Classen, Alexander Heinrich, Robert Reith and Matthias Hollick of the university’s Secure Mobile Networking Lab disclosed in the paper.

Though the risk is real, exploiting the scenario is not so straightforward for would-be attackers, researchers acknowledged. Threat actors would still need to load the malware when the iPhone is on for later execution when it’s off, they said. This would require system-level access or remote code execution (RCE), the latter of which they could gain by using known flaws, such as BrakTooth, researchers said.

****Root of the Issue****

The root cause of the issue is the current implementation of low power mode (LPM) for wireless chips on iPhones, researchers detailed in the paper. The team differentiated between the LPM that these chips run on versus the power-saving app that iPhone users can enable on their phones to save battery life.

The LPM at issue is “either activated when the user switches off their phone or when iOS shuts down automatically due to low battery,” they wrote.

While the current LPM implementation on iPhones increases “the user’s security, safety, and convenience in most situations,” it also “adds new threats,” researchers said.

LPM support is based on the iPhone’s hardware, so it can’t be removed with system updates and thus has “a long-lasting effect on the overall iOS security model,” they said.

“The Bluetooth and UWB chips are hardwired to the \[SE\] in the NFC chip, storing secrets that should be available in LPM,” researchers explained. “Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”

****Sample Threat Scenario****

Researchers analyzed the security of LPM features in a layered approach, observing the impact of the feature on application-, firmware- and hardware-level security.

For example, a potential threat scenario that they outlined on the iPhone’s firmware assumes that an attacker either has system-level access or can gain remote code execution (RCE) using a known Bluetooth vulnerability, such as the aforementioned Braktooth flaw.

In this attack, a threat actor with system-level access could modify firmware of any component that supports LPM, researchers said. This way, they maintain control, albeit limited, of the iPhone even when the user powers it off, researchers said.

“This might be interesting for persistent exploits used against high-value targets, such as journalists,” they wrote.

In the case of leveraging an RCE flaw, actors have a smaller attack surface but could still access data via NFC Express Mode, Bluetooth and UWB DCK 3.0, researchers note. However, “Apple already minimizes the attack surface by only enabling these features on demand,” they wrote.

Even if all firmware would be protected against manipulation, an attacker with system-level access could still send custom commands to chips that “allow a very fine-grained configuration, including advertisement rotation intervals and contents,” researchers noted.

This could allow an attacker to create settings that would allow them to locate a user’s device even more accurately than the legitimate user in the Find My application, for example.

****Apple’s Response and Potential Mitigation****

Before publishing the paper, researchers reported their research to Apple, which didn’t provide feedback on the issues raised by their findings, they said.

A potential solution to the scenario would be for Apple to add “a hardware-based switch to disconnect the battery” so these wireless elements wouldn’t have power while an iPhone is powered down, researchers said.

“This would improve the situation for privacy-concerned users and surveillance targets like journalists,” they noted.

Tag

#ios