RoundupWelcome to another Register security roundup. Here are a few stories that caught our eye. Citrix vulnerability hit by working exploit Late last month Citrix disclosed a critical security hole (CVE-2019-19781) in its Application Delivery Controller and Unified Gateway offerings (VPN products formerly known as Netscaler ADC and …

For a company that prizes itself on its privacy credentials, Apple received a bit of a bloody nose earlier this week when long-time security journalist Brian Krebs revealed the iPhone 11 Pro intermittently seeks the user’s location — even when there are no applications with location permissions in use. In recent years, Apple …

A bug in the way Unix-flavored systems handle TCP connections could put VPN users at risk of having their encrypted traffic hijacked, it is claimed. The University of New Mexico team of William Tolley, Beau Kujath, and Jedidiah Crandall this week said they've discovered CVE-2019-14899, a security weakness they report to be …

Russian President Vladimir Putin has signed off on the law requiring most electronics sold in the country to be pre-bundled with domestically produced software. Monday's approval from Putin means that, from July, all handsets, tablets, PCs, and smart TVs sold within the country's borders will be required to include software …

GitHub used the first day of its Universe developer conference to roll out a slew of new projects, including a dedicated mobile app. On Wednesday the source code depot said the smartphone application would be designed to let developers perform some of the more common non-coding tasks, such as reviewing pull requests, managing …

The iOS App Store is 18 applications lighter today after the software was caught harboring malware that secretly clicked on ads, signed up punters for premium services, or deliberately overloaded websites. Apple on Thursday pulled the apps, all written by India-based AppAspect, after confirming they were being used for click- …

RoundupHere's your Register security roundup to kick off your week. Malware hides as iOS jailbreak tool The team over at Cisco Talos has spotted a clever bit of trickery being used by an iOS click fraud operation. Researchers say a piece of malware called "Checkrain" has been making the rounds spoofing a popular iOS jailbreaking tool …

Apple is under fire for kowtowing to Beijing and removing references to Taiwan in the localized versions of iOS 13 for Hong Kong and Macau in China. Yes, the same China that just pressured America's NBA into issuing a groveling apology for a team manager's tweet in support of Hong Kong. The same China that loves to censor any …

RoundupHere's the latest security news in handy digest form of stories you may have missed over the last week. NordVPN bug causes connection confusion Reg reader Tony H writes in to tell us of an interesting security bug that arises when running NordVPN in tandem with the Cloudflare 1.1.1.1 WARP service in iOS. The end result is a …

MacOS network admins are being advised to update their copies of the Jamf Pro management software following the disclosure of a critical security flaw. The Jamf Pro 10.15.1 update includes among its fixes a patch for a security flaw that, depending upon the version being used, could allow for file deletions or remote code …

A programmer claims to have found a way to execute arbitrary code on recent-ish iPhones and iPads, paving the way for full-blown tethered jailbreaks. And, we're told, it is impossible for Apple to block these shenanigans as it involves a vulnerability baked into the devices' immutable Boot ROM. Specifically, the coder, who …

Yesterday El Reg wrote about the frustrating syncing failures plaguing FitBit gadgets over the past four or so weeks. Unlucky punters say that, since a mid-August Android app and firmware update was released, they have been unable to get their wearable fitness trackers to link up consistently with their handsets over the air, …

VideoApple's very latest version of iOS appears to have the same sort of lock-screen bypass that plagued previous versions of the iThing firmware. Researcher Jose Rodriguez told The Register that back in July he discovered how the then-beta-now-gold version of iOS 13 could be fooled into showing an iPhone's address book without …

AnalysisFacebook has been caught bending the truth again – only this time it has been forced to out itself. For years the antisocial media giant has claimed it doesn’t track your location, insisting to suspicious reporters and privacy advocates that its addicts “have full control over their data,” and that it does not gather or sell …

Bug-broker Zerodium says it will cough up as much as $2.5m in exchange for techniques to silently and remotely hijack Android devices via critical vulnerabilities, signaling a major change in the pricing of security holes. A new payment structure revealed on Tuesday made clear that flaw-hunters who hook Zerodium up with proof- …

UpdatedGoogle's Project Zero says more than a dozen iOS flaws that Apple patched back in February had been under attack for years. Zero team bug hunter Ian Beer explained how the collection of fourteen vulnerabilities in various components of the OS, ranging from the browser to the kernel, were chained together to covertly launch …

Apple has issued an update to address a potentially serious security flaw it re-opened in the latest version of iOS. Monday's iOS 12.4.1 update contains a single fix: a patch to address CVE-2019-8605. The use-after-free vulnerability would let an application gain the ability to execute arbitrary code with system privileges. …

iPhone hackers have discovered Apple's most recent iOS update, 12.4, released in July, accidentally reopened a code-execution vulnerability that was previously patched – a vulnerability that can be abused to jail-break iThings. Pwn20wnd, the developer of the iPhone jail-breaking tool unc0ver, says the newest version of their …