Latest news with #macOSSequoia15.5
Mid East Info
5 days ago
- Mid East Info
Apple thanks Positive Technologies for discovering a vulnerability in its Shortcuts app - Middle East Business News and Information
PT SWARM expert Egor Filatov found a critical vulnerability in Shortcuts, a built-in macOS app that streamlines device management by automating repetitive user actions. If successfully exploited, the security flaw could allow an attacker to gain full control over the device, including the ability to read, edit, and delete any data. If the compromised device happens to be a laptop connected to a corporate network, the attacker could also infiltrate the internal company infrastructure. The vulnerability, tracked as BDU:2025-02497 and rated 8.6 out of 10 on the CVSS 3.0 scale, affects Shortcuts 7.0 (2607.1.3). The vendor was notified of the threat in line with the responsible disclosure policy and has already released a software patch . Users are advised to upgrade to macOS Sequoia 15.5 or later. If updating the OS is currently not possible, Positive Technologies recommends users to pay close attention to the downloaded shortcuts before running them or avoid using them altogether. The Shortcuts app was introduced with macOS Monterey back in 2021 and has been supported in macOS Ventura, Sonoma, and Sequoia versions over the past four years. With the app, users can create shortcuts to automate various tasks, such as starting a timer, playing music, or converting text to audio. Users also have access to macros that provide ready-made shortcuts. A threat actor could leverage this functionality by uploading infected templates to the library. For the security flaw to be exploited, it would be enough for the victim to inadvertently run a malicious macro on their device. 'An attacker could exploit this vulnerability to target any Shortcuts user,' said Egor Filatov, Junior Mobile Application Security Researcher at Positive Technologies. 'Before remediation, the vulnerability allowed an attacker to bypass macOS security mechanisms and execute arbitrary code on the victim's system.' According to the expert, the potential consequences of successful attacks include the following: Theft of confidential data or deletion of valuable information Malware execution Installation of backdoors aimed at maintaining access to the system even after vulnerability patching Ransomware infection Disruption to the organization's business processes (if a corporate device is compromised) Positive Technologies experts have been studying Apple products for over a decade. In 2018, Maxim Goryachy and Mark Ermolov, while looking for security flaws in Intel Management Engine, found a firmware vulnerability ( CVE-2018-4251 ) affecting personal computers made by Apple and other manufacturers. In 2017, Timur Yunusov warned the community about multiple security gaps he discovered in Apple Pay: by exploiting the vulnerabilities, attackers could compromise users' bank cards and make unauthorized payments on external resources. Before that, another Positive Technologies researcher found and helped eliminate a critical vulnerability in the website, which could allow an adversary to conduct a directory traversal attack and gain access to private data. In addition to the macOS version of Shortcuts, there is also an iOS version of the app for mobile devices. To prevent threat actors from infiltrating the corporate network via vulnerable mobile apps, companies should protect their apps against reverse engineering. This can be done with solutions such as PT MAZE , which turns the application into an impenetrable maze, making attacks too resource-intensive for adversaries. Positive Technologies is an industry leader in result-driven cybersecurity and a major global provider of information security solutions. Our mission is to safeguard businesses and entire industries against cyberattacks and non-tolerable damage. Positive Technologies is the first and only cybersecurity company in Russia on the Moscow Exchange (MOEX: POSI), with 220,000 shareholders and counting. Follow us on X , LinkedIn , and in the News section at
TECHx
7 days ago
- TECHx
Critical macOS Shortcuts Flaw Reported by PT SWARM Expert
Home » Emerging technologies » Cyber Security » Critical macOS Shortcuts Flaw Reported by PT SWARM Expert PT SWARM expert Egor Filatov has discovered a critical vulnerability in Shortcuts, a built-in Critical macOS app used to automate user actions. The flaw, if exploited, could give an attacker full control over a device. Positive Technologies revealed that the vulnerability is tracked as BDU:2025-02497 and carries a severity score of 8.6 out of 10 on the CVSS 3.0 scale. It affects Shortcuts version 7.0 (2607.1.3). The app has been part of macOS since Monterey, and is also supported in Ventura, Sonoma, and Sequoia. If a compromised device is connected to a corporate network, attackers could infiltrate the internal infrastructure. Filatov warned that it would be enough for a victim to run a malicious macro unknowingly. Positive Technologies reported that the vendor was notified in line with responsible disclosure policies. A patch has already been issued. Users are advised to upgrade to macOS Sequoia 15.5 or later. If an OS update is not possible, users should avoid downloading unknown shortcuts or using the app altogether. According to the report, possible consequences of exploitation include: Theft or deletion of sensitive data Remote malware installation and ransomware attacks Business disruption in corporate environments The company emphasized that threat actors could upload infected shortcut templates to the app's library. Before the patch, the flaw could be used to bypass macOS security and execute arbitrary code. Positive Technologies has a long track record of studying Apple products. In 2018, its researchers discovered a firmware flaw in Intel Management Engine that affected Apple computers. In 2017, vulnerabilities in Apple Pay were reported, allowing unauthorized transactions. The Shortcuts app is also available on iOS. To prevent threats on mobile, companies are advised to use solutions like PT MAZE. It protects apps by making reverse engineering difficult and costly for attackers.
