Don't take any 'shortcuts' – Positive Technologies find critical vulnerability in macOS application

Tahawul Tech, 24-06-2025
PT SWARM expert Egor Filatov found a critical vulnerability in Shortcuts, a built-in macOS app that streamlines device management by automating repetitive user actions. If successfully exploited, the security flaw could allow an attacker to gain full control over the device, including the ability to read, edit, and delete any data.
If the compromised device happens to be a laptop connected to a corporate network, the attacker could also infiltrate the internal company infrastructure.
The vulnerability, tracked as BDU:2025-02497 and rated 8.6 out of 10 on the CVSS 3.0 scale, affects Shortcuts 7.0 (2607.1.3). The vendor was notified of the threat in line with the responsible disclosure policy and has already released a software patch.
Users are advised to upgrade to macOS Sequoia 15.5 or later. If updating the OS is currently not possible, Positive Technologies recommends that users pay close attention to downloaded shortcuts before running them, or avoid using them altogether.
The Shortcuts app was introduced with macOS Monterey back in 2021 and has been supported in macOS Ventura, Sonoma, and Sequoia versions over the past four years.
With the app, users can create shortcuts to automate various tasks, such as starting a timer, playing music, or converting text to audio. Users also have access to macros[1] that provide ready-made shortcuts. A threat actor could leverage this functionality by uploading infected templates to the library. For the security flaw to be exploited, it would be enough for the victim to inadvertently run a malicious macro on their device.
'An attacker could exploit this vulnerability to target any Shortcuts user,' said Egor Filatov, Junior Mobile Application Security Researcher at Positive Technologies. 'Before remediation, the vulnerability allowed an attacker to bypass macOS security mechanisms and execute arbitrary code on the victim's system.'
According to the expert, the potential consequences of successful attacks include the following:
Theft of confidential data or deletion of valuable information
Malware execution
Installation of backdoors[2] aimed at maintaining access to the system even after vulnerability patching
Ransomware[3] infection
Disruption to the organization's business processes (if a corporate device is compromised)
Positive Technologies experts have been studying Apple products for over a decade. In 2018, Maxim Goryachy and Mark Ermolov, while looking for security flaws in Intel Management Engine, found a firmware vulnerability (CVE-2018-4251) affecting personal computers made by Apple and other manufacturers.
In 2017, Timur Yunusov warned the community about multiple security gaps he discovered in Apple Pay: by exploiting the vulnerabilities, attackers could compromise users' bank cards and make unauthorized payments on external resources.
Before that, another Positive Technologies researcher found and helped eliminate a critical vulnerability in the apple.com website, which could allow an adversary to conduct a directory traversal attack and gain access to private data.
In addition to the macOS version of Shortcuts, there is also an iOS version of the app for mobile devices. To prevent threat actors from infiltrating the corporate network via vulnerable mobile apps, companies should protect their apps against reverse engineering. This can be done with solutions such as PT MAZE, which turns the application into an impenetrable maze, making attacks too resource-intensive for adversaries.
[1] A macro is a pre-programmed sequence of actions defined by the user.
[2] A backdoor is a type of malware that allows unauthorized access to data or enables remote control of the compromised system. Typically, an attacker installs a backdoor on a target system for future access.
[3] Ransomware is a type of malware that encrypts a victim's files or locks them out of their computer system, giving the attacker control over any personal information stored on the compromised device. The attacker can then demand a ransom, threatening to leave the files or system inaccessible to the victim or to disclose confidential data if the ransom is not paid.