On May 18th, Apple released updates to address three zero-day vulnerabilities: a sandbox escape, an out-of-bounds read issue, and a use-after-free issue. All three affect the WebKit browser engine. Updates are available to address the flaws in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5. Two of the vulnerabilities were addressed earlier this month with Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1.
Info: https://support.apple.com/en-us/HT213757
Update your Apple products ASAP.
———————————————————-
MSI UEFI keys have been leaked. What does this mean? It means that bad actors can create malicious BIOS updates and other firmware and digitally sign it as MSI.
MSI has no process for revoking these keys, so this is a concern.
If you use MSI motherboards, always be 100% sure that any firmware updates you download come from MSI and not a 3rd party website, then double-check it again.
A quote from SANS: ‘A ransomware attack last month against hardware maker Micro-Star International (MSI) resulted in leaked private Unified Extensible Firmware Interface (UEFI) keys. MSI refused to pay the ransom demand, and the attackers began leaking stolen data, including source code for MSI motherboard firmware. The trove of leaked information includes firmware image signing keys for 57 products and Intel Boot Guard private keys for 166 products.’
Regards,
Daniel Weatherly
Director of Security Services
Mainstream Technologies Inc
501-801-6706