Apple changed its chip, and the security hole changed with it.
Just now, Tencent security Xuanwu laboratory announced an Apple security vulnerability that it recently found.
Reportedly, this vulnerability affects not only the latest M1-based MacBook Air and MacBook Pro, but also the new iPhone 12 and iPhone 12 Pro series products launched this year.
It is also the first publicly disclosed security vulnerability that can affect devices with Apple silicon chips.
How was this vulnerability discovered?
As the video provided by Tencent shows, on a MacBook (device model: M1 MacBook Air 2020, macOS Big Sur 11.0.1), an attacker can obtain the highest privilege on the system (root) within one second while all system protections are turned on, so that private user data stored on the device, such as the address book, photos and files, can be read and written arbitrarily.
It should be noted that any malicious app developer can exploit this vulnerability.
However, this vulnerability has probably not actually been exploited so far.
Xuanwu laboratory also found that Apple's iPhone 12 series phones have the same security problem.
After the permissions are turned off in the system settings of the iPhone 12 Pro, the app can still read the photo album and address book and send them to the attacker.
What's more, users can hardly notice this attack.
In other words, once this vulnerability is maliciously exploited, app developers can bypass the system's permission settings, read the user's address book, photos, account passwords and other private information, and send it to the attacker.
To prevent malicious exploitation of the vulnerability, Tencent security Xuanwu laboratory has reported its technical details to Apple's security team.
For now, all ordinary users can do is wait for Apple to release a new security patch.
Tencent Xuanwu laboratory has made contributions to Apple
This is not the first time Tencent Xuanwu laboratory has found a security hole for Apple.
As early as 2017, shortly after Apple launched iOS 11, Tencent Xuanwu laboratory found a vulnerability named CVE-2017-7085 and another high-risk WebKit vulnerability in versions before iOS 11 and Safari 11, respectively.
This vulnerability is a URL spoofing vulnerability, also called address bar spoofing, which allows hackers to tamper with the URL shown in the user's current address bar.
For example, when a user visits a website whose address has been modified by hackers, the page that opens looks like the real website but may in fact be a copy. When you enter your user name and password, your account will be stolen; this is commonly known as a phishing website.
Apple specifically thanked Tencent Xuanwu laboratory afterwards.
It seems that Cook will want to thank Tencent Xuanwu laboratory again this time.
- THE END -Lei Feng net