Apple Addresses Critical Security Vulnerability For Windows 10 And 11 Users

Yet again, Apple forgot to test their software - this time in iTunes.

One of the most basic holes happened again with Apple, where a critical
security vulnerability in the iTunes application for Windows 10 and Windows
11 enables arbitrary remote code execution.

There's a reason Apple has the worst support in the industry & the most
exploits, which is basically Apple doesn't bother to sufficiently test.
<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>

Apple has never caught any of their zero-day bugs, which are
twice in number than any other common consumer operating system.

CVE-2024-27793
Willy R. Vasquez, a Ph.D student and security researcher with The
University of Texas at Austin, whose sandboxing code contributions can be
found in the Firefox 117 web browser, was behind the discovery of
CVE-2024-27793. The vulnerability, rated critical using the Common
Vulnerability Scoring System v3, impacts the CoreMedia framework which
defines the media pipeline used ultimately to process media samples and
manage queues of media data, according to Apple.

CVE-2024-27793 is one of the many vulnerabilities I and my coauthors,
Stephen Checkoway and Hovav Shacham, found in our research on analyzing
H.264 video decoders," Vasquez told me. "We developed a tool called
H26Forge that generates malformed compressed videos, which can be used to
either fuzz a video decoder or exploit a vulnerability in a video decoder."

https://www.forbes.com/sites/daveywinder/2024/05/12/apple-addresses-critical-security-vulnerability-for-windows-10-11-users/

Bear in mind, another reason Apple support is the worst in the industry
is that Apple only fully supports a single release - which is unlike every
other common consumer operating system support of multiple major releases.
<https://screenrant.com/apple-product-security-update-lifespan/>
<https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/>
<https://hothardware.com/news/apple-admits-only-fully-patches-security-flaws-in-latest-os-releases>
<https://arstechnica.com/gadgets/2022/10/apple-clarifies-security-update-policy-only-the-latest-oses-are-fully-patched/>

On 2024-05-15, Andrew <andrew@spam.net> wrote:
> Apple Addresses Critical Security Vulnerability For Windows 10 And 11 Users
>
> Yet again, Apple forgot to test their software - this time in iTunes.

Google fixes fifth Chrome zero-day exploited in attacks this year

Yet again, Google forgot to test their software - this time in Chrome:

Google has released a security update for the Chrome browser to fix the
fifth zero-day vulnerability exploited in the wild since the start of
the year.

The high-severity issue tracked as CVE-2024-4671 is a “use after free”
vulnerability in the Visuals component that handles the rendering and
display of content on the browser.

Google revealed that the vulnerability, discovered and reported by an
anonymous researcher, was exploited in attacks.

“Google is aware that an exploit for CVE-2024-4671 exists in the wild,”
reads the advisory, without providing additional information.

Use after-free flaws are security flaws that occur when a program
continues to use a pointer after the memory it points to has been freed,
following the completion of its legitimate operations on that region.

Because the freed memory could now contain different data or be used by
other software or components, accessing it could result in data leakage,
code execution, or crash.

Google addressed the problem with the release of 124.0.6367.201/.202 for
Mac/Windows and 124.0.6367.201 for Linux, with the updates rolling out
over the coming days/weeks.

For users of the ‘Extended Stable’ channel, fixes will be made available
in version 124.0.6367.201 for Mac and Windows, also to roll out later.

Chrome updates automatically when a security update is available, but
users can confirm they’re running the latest version by going to
Settings > About Chrome, letting the update finish, and then clicking on
the ‘Relaunch’ button to apply it.

Update

This latest flaw addressed in Google Chrome is the fifth this year, with
three others discovered during the March 2024 Pwn2Own hacking contest in
Vancouver.

The complete list of Chrome zero-day vulnerabilities fixed since the
start of 2024 also includes the following:

CVE-2024-0519: A high-severity out-of-bounds memory access weakness
within the Chrome V8 JavaScript engine, allowing remote attackers to
exploit heap corruption via a specially crafted HTML page, leading to
unauthorized access to sensitive information.

CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly
(Wasm) standard. It could lead to remote code execution (RCE) exploits
leveraging a crafted HTML page.

CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used
by web applications to encode and decode audio and video. Remote
attackers exploited it to perform arbitrary reads and writes via crafted
HTML pages, leading to remote code execution.

CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds
read in the Chrome V8 JavaScript engine. Remote attackers exploited this
flaw using specially crafted HTML pages to access data beyond the
allocated memory buffer, resulting in heap corruption that could be
leveraged to extract sensitive information.

<https://www.bleepingcomputer.com/news/security/google-fixes-fifth-chrome-zero-day-vulnerability-exploited-in-attacks-in-2024/>

> One of the most basic holes happened again with Apple, where a critical
> security vulnerability in the iTunes application for Windows 10 and Windows
> 11 enables arbitrary remote code execution.
>
> There's a reason Apple has the worst support in the industry & the most
> exploits, which is basically Apple doesn't bother to sufficiently test.
> <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
>
> Apple has never caught any of their zero-day bugs, which are
> twice in number than any other common consumer operating system.
>
> CVE-2024-27793
> Willy R. Vasquez, a Ph.D student and security researcher with The
> University of Texas at Austin, whose sandboxing code contributions can be
> found in the Firefox 117 web browser, was behind the discovery of
> CVE-2024-27793. The vulnerability, rated critical using the Common
> Vulnerability Scoring System v3, impacts the CoreMedia framework which
> defines the media pipeline used ultimately to process media samples and
> manage queues of media data, according to Apple.
>
> CVE-2024-27793 is one of the many vulnerabilities I and my coauthors,
> Stephen Checkoway and Hovav Shacham, found in our research on analyzing
> H.264 video decoders," Vasquez told me. "We developed a tool called
> H26Forge that generates malformed compressed videos, which can be used to
> either fuzz a video decoder or exploit a vulnerability in a video decoder."
>
> https://www.forbes.com/sites/daveywinder/2024/05/12/apple-addresses-critical-security-vulnerability-for-windows-10-11-users/
>
> Bear in mind, another reason Apple support is the worst in the industry
> is that Apple only fully supports a single release - which is unlike every
> other common consumer operating system support of multiple major releases.
> <https://screenrant.com/apple-product-security-update-lifespan/>
> <https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/>
> <https://hothardware.com/news/apple-admits-only-fully-patches-security-flaws-in-latest-os-releases>
> <https://arstechnica.com/gadgets/2022/10/apple-clarifies-security-update-policy-only-the-latest-oses-are-fully-patched/>

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

On May 14, 2024 at 6:17:55 PM PDT, "Andrew" <andrew@spam.net> wrote:

> There's a reason Apple has the worst support in the industry & the most
> exploits, which is basically Apple doesn't bother to sufficiently test.

That is really hilarious! The most exploits? Why not just insist they cause
leprosy?

On 15.05.24 04:50, Jolly Roger wrote:
> On 2024-05-15, Andrew <andrew@spam.net> wrote:
>> Apple Addresses Critical Security Vulnerability For Windows 10 And 11 Users
>>
>> Yet again, Apple forgot to test their software - this time in iTunes.
>
> Google fixes fifth Chrome zero-day exploited in attacks this year
>
> Yet again, Google forgot to test their software - this time in Chrome:

Do you think you will ever learn to keep your fingers still to avoid
feeding this Troll?

--
"Alea iacta est." (Julius Caesar)

Jörg Lorenz <hugybear@gmx.net> wrote:
> On 15.05.24 04:50, Jolly Roger wrote:
>> On 2024-05-15, Andrew <andrew@spam.net> wrote:
>>> Apple Addresses Critical Security Vulnerability For Windows 10 And 11 Users
>>>
>>> Yet again, Apple forgot to test their software - this time in iTunes.
>>
>> Google fixes fifth Chrome zero-day exploited in attacks this year
>>
>> Yet again, Google forgot to test their software - this time in Chrome:
>
> Do you think you will ever learn to keep your fingers still to avoid
> feeding this Troll?
>

Why not filter both of them, Jughead?
Instead of adding to the noise.

gtr wrote on Wed, 15 May 2024 05:26:46 -0000 (UTC) :

>> There's a reason Apple has the worst support in the industry & the most
>> exploits, which is basically Apple doesn't bother to sufficiently test.
>
> That is really hilarious! The most exploits? Why not just insist they cause
> leprosy?

What did you learn when you clicked on this link and noticed the exploits?
<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>

Hint: iPhone exploits are always more than ten times those of Android.

DoubleHint: If you get all your news only from Apple advertisements,
guess what?

Apple never tells you they sell the most exploited devices in history.

There are good reasons for these exploits - as Apple only fully supports
a single release - not multiple releases which all other OS vendors support.

REFERENCES:
<https://screenrant.com/apple-product-security-update-lifespan/>
<https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/>
<https://hothardware.com/news/apple-admits-only-fully-patches-security-flaws-in-latest-os-releases>
<https://arstechnica.com/gadgets/2022/10/apple-clarifies-security-update-policy-only-the-latest-oses-are-fully-patched/>
<https://www.cnet.com/tech/mobile/samsung-extends-android-and-security-updates-to-7-years/>
<https://www.tomsguide.com/opinion/google-pixel-8-software-updates>
<https://www.androidheadlines.com/2022/01/google-monthly-changelog-play-system-updates.html>

Hank Rogers wrote on 15 May 2024 05:55:49 GMT :

>>>> Apple Addresses Critical Security Vulnerability For Windows 10 And 11 Users
>>>>
>>>> Yet again, Apple forgot to test their software - this time in iTunes.
>>>
>>> Google fixes fifth Chrome zero-day exploited in attacks this year
>>>
>>> Yet again, Google forgot to test their software - this time in Chrome:
>>
>> Do you think you will ever learn to keep your fingers still to avoid
>> feeding this Troll?
>>
>
> Why not filter both of them, Jughead?
> Instead of adding to the noise.

Bear in mind I stated a fact that was relevant to the subject line,
and which was temporal and which affected those in the newsgroup line.

You're welcome to filter me out but if you do, you lose those facts.

Jolly Roger and Joerg Lorenz only provided negative value in noise.
a. Joerg I don't see but he's nothing but a jughead of no value.
b. Jolly Roger is using classic whataboutism to deflect from the subject
<https://en.wikipedia.org/wiki/Whataboutism>
"Whataboutism or whataboutery (as in "what about...?") is a
pejorative for the strategy of responding to an accusation
with a counter-accusation instead of a defense of the
original accusation. From a logical and argumentative point
of view, whataboutism is considered a variant of the tu-quoque
pattern (Latin 'you too', term for a counter-accusation),
which is a subtype of the ad-hominem argument.
The communication intent is often to distract from the content
of a topic (red herring). "

What Jolly Roger is trying to do is distract the topic away from
the fact that this iTunes bug exists using this ad hominem attack.

It's classic because Jolly Roger has no defense to the facts.
And Joerg... well... everyone has him filtered out already, don't they?