Latest news with #vulnerabilities
Forbes
6 days ago
- Business
- Forbes
Google's New Chrome Update—Do Not Ignore June 5 Deadline
Why you need to update Chrome now NurPhoto via Getty Images Google has just updated Chrome again, warning that two high-severity vulnerabilities put PCs at risk. The 'use after free' and 'out of bounds' memory issues are typical for the browser, and while there are no attack warnings this time, these are the types of flaws often chained to other exploits to enable attacks. Details are scarce, as Google says 'access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.' There are 11 fixes in total with the release of version 137.0.7151.55/56. The new high- and medium-severity fixes are as follows: Earlier this month, Google warned that Chrome had been actively exploited and issued an urgent fix for CVE-2025-4664. The company's confirmation 'that an exploit exists in the wild' followed a public disclosure on X from @slonser_ that a query parameter takeover could exploit sensitive data in a string which 'might lead to an Account Takeover' if the query parameter is stolen. Given attacks in the wild, America's cyber defense agency issued a mandatory warning for federal staff to update or stop using browsers by June 5. While that update instruction isn't mandatory for other users, you should follow suit and update by June 5. This vulnerability was openly disclosed from the get-go and is now in the public domain. That leaves browsers at risk until updates are applied. CISA's remit is 'to help [all organizations] As Cybersecurity News warns 'the vulnerability poses significant risks, including unauthorized data leakage across web origins… Given its classification as a zero-day flaw, it was exploited before Google released the patch, heightening the urgency for mitigation.' Remember, you need to restart your browser once the update has downloaded. As long as you have the current version, all past fixes will be applied and you will be protected.
Forbes
22-05-2025
- Forbes
Google Chrome Users Told To Wait 7 Days For Urgent Security Update
This new Google security update has only been rolled out to some users. Like most updates concerning high-severity security vulnerabilities, time is of the essence. It's why I have long urged Chrome users not to wait until any such update is eventually rolled out to them and to kickstart the process immediately instead. But now the odd decision has been taken to issue the latest Google Chrome security update on an early release basis. A what now? What this means is that the update will only roll out to 'a small percentage of users,' while the rest of us, the 3 billion of us, have to wait a week to get the same level of protection against attackers. Here's what you need to know and do. Reporting on Google Chrome security updates is usually pretty straightforward: here are the vulnerabilities and their impact, here is the security update, install it. This is no ordinary Google Chrome update, though; it's what Google refers to as an 'Early Stable Update' instead. The May 21 announcement appears fairly standard, in that it addresses several Chrome security vulnerabilities, five of which have Common Vulnerabilities and Exposures database entries, ranging from low to high severity. But that's where the normality ends. The Google Chrome 137.0.7151.40/.41 for Windows and Mac users is actually only available for 'a small percentage of users,' according to Prudhvi Kumar Bommana, part of the Chrome team at Google, 'as part of our early stable release' program. What. The. Flipping. Heck? Despite CVE-2025-5063, being a high-severity Google Chrome security restriction bypass vulnerability, which, if successfully exploited could lead to remote code execution, the majority of Chrome users are being told they need to wait another week before getting protected. According to a 2022 Google announcement, the early stable version release of updates was introduced to 'monitor the release before it rolls out to all of our users.' Monitor for what, exactly? What Google described as any 'showstopping issue,' by which I assume they mean bugs. The idea being that any discovered with a serious impact can then be addressed 'while the impact is relatively small.' Which is all well and good as nobody likes an update that barfs. Apart from the high-severity vulnerability that exists and all Chrome users are potentially vulnerable to exploitation until such a time, to be precise, when the rest of us can receive protection. I have reached out to Google for an explanation of why the early release was decided necessary in this case rather than an immediate global release. I also tried to kickstart the update using the Help|About Google Chrome menu option, but this wasn't playing ball, and the 137 update was not available to me.
Digital Trends
21-05-2025
- Digital Trends
How to keep your Apple devices safe from AirPlay attacks
Apple's approach to building new features has always been rooted in safety and seamless convenience. Take, for example, AirPlay, a wireless standard created by the company that allows users to stream audio and video from one device to another. AirPlay works not just across Apple devices, but also on TVs and speakers cleared by the company to offer the wireless streaming facility. That also makes it a ripe target for attacks, and it seems there are, in fact, vulnerabilities in the wireless lanes that could allow bad actors to seed malware and infect more connected devices. Recommended Videos Understanding the AirPlay risk Experts at the security research firm Oligo recently detailed Airborne, a set of flaws in Apple's AirPlay Protocol and the AirPlay Software Development Kit (SDK) that can allow hackers to remotely execute code. These vulnerabilities can let bad actors take control of devices and use the infected machines to broaden the damage. 'An attacker can take over certain AirPlay-enabled devices and do things like deploy malware that spreads to devices on any local network the infected device connects,' Oligo explained. The risk is huge because there are billions of Apple devices out there that support AirPlay, and millions that are sold by other brands. One of the vulnerabilities could allow hackers to compromise a device and then use it to gain access to a larger network, potentially targeting other devices, too. Depending on the target, the risks range from spying on conversations to tracking a car's location, accessing sensitive information, ransomware attacks, and denial of service. Apple has patched the vulnerabilities via macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, visionOS 2.4 updates. However, there are potentially thousands of older devices that will never get patched and remain vulnerable. What steps do experts suggest? Of course, the first line of defense to protect yourself across all vulnerable devices is to download the fix released by Apple. But that isn't the full picture. Trevor Horwitz, CISO and founder of TrustNet, says the patch will only work if people install it after the package downloads on their device. 'The simplest and most effective thing you can do is keep your devices updated. That sounds basic, but it's often overlooked,' he says. On an iPhone or iPad, follow this route to install the safety update: Settings > General > Software Update. For macOS, you must walk this path: Apple menu > System. Settings > General > Software Update. Since attack vectors like Airborne rely on Wi-Fi networks to expand their damage, you must also pay attention to them. Oleh Kulchytskyi, Senior Malware Reverse Engineer at MacPaw's Moonlock, told DigitalTrends that a Zero-Click Remote Code Execution (RCE) is the highest level of security breach. It should be immediately patched by the companies involved, but as a user, one must take further network-related precautions. 'To stay safe at home, ensure that your router has a strong password and there are no suspicious connections to your network,' Kulchytsky adds. A safe way to AirPlay Matthias Frielingsdorf, a veteran iOS researcher and cofounder of iVerify, tells me that everyone should follow basic digital security protocols. Those include installing updates as soon as they are available, maintaining strong network passwords, and most importantly, reducing the surface area for such attacks. Since AirPlay is the threat vector, users should take proactive steps while using it. 'Disabling this on iOS / macOS / tvOS devices that don't need to be an AirPlay receiver would limit some of the attacks. In public spaces, disabling WiFi on the Mac and iPhone would stop those attacks as well,' says Frielingsdorf. AirPlay streaming is active by default, and as such, you need to disable it. To do so, follow this path on your iPhone or iPad: Settings > General > AirPlay & Continuity > Ask. You can also set it to Never, if you don't actively utilize this feature. There's also an option to set a password, which I recommend that you enable, while at it. What about AirPlay itself? Can it be disabled? Yes, it can be turned off entirely. On your iPhone and iPad, go to the AirPlay & Continuity page and turn off the AirPlay Receiver toggle. Alternatively, you can choose to allow AirPlay only for the Current User, instead of keeping it open to everyone in the range. For Mac users, this is the path you need to follow: Apple Menu > System Settings > General > AirDrop & Handoff > AirPlay Receiver. You can't always patch older or discontinued devices, so it's best to ensure that the machines that are currently in your hands have enabled the right protocols to minimize the risks. The bottom line On multiple occasions in the past, security experts have highlighted flaws in wireless transmission systems, such as Bluetooth. But a vulnerability that allows zero-click remote code execution in AirPlay is a cautionary tale. The message is clear. Apple's security guardrails are solid, but not impenetrable. 'What makes this serious is the integration. AirPlay isn't just a standalone app. It's a system-level service built into iOS, macOS, and tvOS. So the moment that layer is compromised, the attacker could potentially affect multiple devices at once,' TrustNet's Horwitz told Digital Trends. So, where does that leave an average user who is not savvy about security measures? Well, it's time to set aside notions and market perceptions. Chris Hill, Chief Security Strategist at BeyondTrust, says users must understand the threat landscape instead of living with the idea that a certain ecosystem is safer than the rest. 'Threat actors are opportunistic, looking for the easiest path of least resistance, they will find it, and they did in this case with AirPlay and AirBorne,' he warns. The bottom line is that keep your devices updated, disable features you don't use, and be vigilant with network-related settings.
Daily Mail
19-05-2025
- Daily Mail
Urgent warning to iPhone users over Airplay feature
Hackers can hijack your iPhone , Mac, or even car through Apple's AirPlay, thanks to a devastating set of flaws dubbed 'AirBorne.' The team at Oligo Security discovered 23 vulnerabilities in AirPlay, which allows users to stream audio, video and photos from Apple devices to other smart devices. After discovering all those flaws, tech researchers revealed 17 different ways they could be exploited by hackers to remotely attack billions of devices that use wireless streaming technology. The 17 issues represent different ways hackers can exploit AirPlay, each requiring specific software fixes to protect devices from threats like remote takeovers, data theft, or malware spreading across networks . The 'AirBorne' flaws allow zero-click attacks, where hackers can harm devices without any user action, such as a macOS exploit that secretly replaces the Apple Music app with malicious code. Apple patched its devices with security updates like iOS 18.4, macOS Sequoia 15.4, and tvOS 18.4 on March 31. However, tens of millions of third-party AirPlay devices may remain vulnerable without timely manufacturer updates. To stay safe, disable AirPlay receivers in device settings and restrict access to 'Current User.' Installing security software on Apple devices further reduces risks from AirPlay's constant background broadcasting. With 1.8 billion iPhones and another 500 million AirPlay-compatible devices active globally, the threat of AirBorne's is massive, amplified by its ability to chain attacks across networks. The team at Oligo Security found that two of the flaws allowed attackers to weaponize iPhones, allowing them to 'do things like deploy malware that spreads to devices on any local network the infected device connects to.' AirBorne also targets smart speakers and CarPlay-enabled car infotainment systems, allowing hackers to execute harmful actions without the user interacting with their device. The attacks can act like a network worm, automatically spreading to other devices on networks like public Wi-Fi, putting more systems at risk. Combining updates, cautious settings, and security software is critical to thwart AirBorne's threats. An Apple spokesperson told that attackers can only exploit these flaws if they are on the same Wi-Fi network as the device they are targeting. According to Oligo, however, some third-party devices that are compatible with AirPlay may still be vulnerable if their manufacturers do not provide timely updates. For third-party devices using AirPlay, cybersecurity experts have urged users to check with their manufacturers for software updates regularly. 'Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch — or they will never be patched,' Elbaz told Wired. 'And it's all because of vulnerabilities in one piece of software that affects everything.' So, even if your Apple devices are up-to-date, that doesn't mean they're totally protected from hackers who may exploit these AirPlay vulnerabilities. While not every Apple device worldwide is vulnerable AirBorne, Apple stated in January 2025 that there are 2.35 billion active Apple devices across the globe. In 2018, Apple indicated that there were over 100 million active MacOS users globally. Oligo reported it tipped Apple off about the vulnerabilities last fall, which Apple did not take lightly and worked with the security firm to patch the flaw. The other vulnerabilities discovered allowed hackers to execute malicious code on a remote system from a remote location, potentially gaining unauthorized control. The team also uncovered a security mechanism that was not configured properly, along with a flaw that allowed cybercriminals to access and read sensitive data. When AirPlay is turned on, your device is constantly broadcasting and listening for AirPlay signals in the background, even when you're not actively using the feature. Disabling the AirPlay feature stops the device from doing this, removing the 'attack surface' - the access points through which hackers can take control of your device. To disable AirPlay on your iPhone, open the Settings app and tap 'General,' then 'AirPlay & Continuity.' At the top of the menu, you will see a tab called 'Automatically AirPlay.' Tap that, then select the 'Never' option to turn the feature off. Want more stories like this from the Daily Mail? Visit our profile page and hit the follow button above for more of the news you need.
Daily Mail
19-05-2025
- Daily Mail
Urgent warning to all 1.8 BILLION iPhone users: Turn off the auto feature NOW
Hackers can hijack your iPhone, Mac, or even car through Apple's AirPlay, thanks to a devastating set of flaws dubbed 'AirBorne.' The team at Oligo Security discovered 23 vulnerabilities in AirPlay, which allows users to stream audio, video and photos from Apple devices to other smart devices. After discovering all those flaws, tech researchers revealed 17 different ways they could be exploited by hackers to remotely attack billions of devices that use wireless streaming technology. The 17 issues represent different ways hackers can exploit AirPlay, each requiring specific software fixes to protect devices from threats like remote takeovers, data theft, or malware spreading across networks. The 'AirBorne' flaws allow zero-click attacks, where hackers can harm devices without any user action, such as a macOS exploit that secretly replaces the Apple Music app with malicious code. Apple patched its devices with security updates like iOS 18.4, macOS Sequoia 15.4, and tvOS 18.4 on March 31. However, tens of millions of third-party AirPlay devices may remain vulnerable without timely manufacturer updates. To stay safe, disable AirPlay receivers in device settings and restrict access to 'Current User.' Installing security software on Apple devices further reduces risks from AirPlay's constant background broadcasting. With 1.8 billion iPhones and another 500 million AirPlay-compatible devices active globally, the threat of AirBorne's is massive, amplified by its ability to chain attacks across networks. The team at Oligo Security found that two of the flaws allowed attackers to weaponize iPhones, allowing them to 'do things like deploy malware that spreads to devices on any local network the infected device connects to.' AirBorne also targets smart speakers and CarPlay-enabled car infotainment systems, allowing hackers to execute harmful actions without the user interacting with their device. The attacks can act like a network worm, automatically spreading to other devices on networks like public Wi-Fi, putting more systems at risk. Combining updates, cautious settings, and security software is critical to thwart AirBorne's threats. An Apple spokesperson told that attackers can only exploit these flaws if they are on the same Wi-Fi network as the device they are targeting. According to Oligo, however, some third-party devices that are compatible with AirPlay may still be vulnerable if their manufacturers do not provide timely updates. For third-party devices using AirPlay, cybersecurity experts have urged users to check with their manufacturers for software updates regularly. 'Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch — or they will never be patched,' Elbaz told Wired. 'And it's all because of vulnerabilities in one piece of software that affects everything.' So, even if your Apple devices are up-to-date, that doesn't mean they're totally protected from hackers who may exploit these AirPlay vulnerabilities. While not every Apple device worldwide is vulnerable AirBorne, Apple stated in January 2025 that there are 2.35 billion active Apple devices across the globe. In 2018, Apple indicated that there were over 100 million active MacOS users globally. Oligo reported it tipped Apple off about the vulnerabilities last fall, which Apple did not take lightly and worked with the security firm to patch the flaw. To prevent yourself from being hacked, you should make sure that the latest software is installed on all your Apple devices. You can also disable the AirPlay feature The other vulnerabilities discovered allowed hackers to execute malicious code on a remote system from a remote location, potentially gaining unauthorized control. The team also uncovered a security mechanism that was not configured properly, along with a flaw that allowed cybercriminals to access and read sensitive data. When AirPlay is turned on, your device is constantly broadcasting and listening for AirPlay signals in the background, even when you're not actively using the feature. Disabling the AirPlay feature stops the device from doing this, removing the 'attack surface' - the access points through which hackers can take control of your device. To disable AirPlay on your iPhone, open the Settings app and tap 'General,' then 'AirPlay & Continuity.' At the top of the menu, you will see a tab called 'Automatically AirPlay.' Tap that, then select the 'Never' option to turn the feature off.
