Critical Zero-Day Alarm on iOS and iPadOS
Apple has released updates to 20 security vulnerabilities affecting iOS and iPadOS operating systems, including a 0-day vulnerability known to be actively exploited by threat actors.
The 0-day vulnerability, tracked as CVE-2022-42827, exists due to a boundary error affecting the “Kernel“ component of the operating system. Threat actors can execute with root privileges on the vulnerable system by triggering an out-of-bounds write error through a specially crafted application.
Apart from the vulnerability mentioned above, Apple has also fixed two high-severity vulnerabilities with the released iOS 16.1 and iPadOS 16 updates. In order not to be the target of attacks that can be carried out using vulnerabilities, Apple users using vulnerable versions are recommended to apply the published updates immediately.
Preliminary Information Released for OpenSSL Vulnerability
The developers of the OpenSSL library, which has implemented HTTPS secure networking in numerous applications, have stated that a critical security vulnerability will be fixed in version 3.0.7, released on November 1, 2022 (Reference Link). However, the project developers made public announcements that did not include all details of the vulnerability, as more information was kept confidential until the update for the identified vulnerability was released.
It has been announced that the critical security vulnerability detected is affected by the versions between OpenSSL 3.0 and version 3.0.6, released on September 7, 2021. Therefore the affected versions were not widely known until OpenSSL 1.x, which has been available for 12 years.
OpenSSL security vulnerabilities have a widespread impact. The HeartBleed vulnerability, discovered in April 2014, has been observed on Apache and Nginx web servers, which have a usage rate of over 66% among all active websites on the internet. However, it is unknown whether the detected and declared critical vulnerability would lead to a mass exploit like HeartBleed.
In this context, to limit the risk of being affected by the relevant security vulnerability as much as possible; Until the release of the measures by OpenSSL developers, it is recommended to master the “Software Supply Chain” processes to determine which applications the old version OpenSSL libraries are running, and to make preliminary preparations.
Air New Zealand Suffered A Security Breach
In the security breach, threat actors performed credential-stuffing attacks to gain unauthorized access to customer accounts. A credential stuffing attack is performed by trying compromised credentials until the targeted system is logged in.
Following the detection of the security breach, Air New Zealand officials stated that the breach did not affect any of the company’s systems, but only individual customer accounts were affected. Upon the relevant explanation, customer accounts were blocked, and customers were contacted to change their login information before using the Airpoints system again.
Logging in to more than one platform with the same login information and not enabling MFA/2FA authentication mechanisms on the platforms cause such attacks to be seen frequently. In this context, it is recommended to consider the following security recommendations not to be the target of similar attacks.
- The same username and password should not be used in more than one online session,
- The login information should be created by applying unique and strong password policies.
- Air NZ customers should be aware of the data that could be leaked to the internet in this breach and used in various phishing/social engineering attacks.