1Password is designed to substantially reduce the attack surface of vulnerabilities affecting Google Chrome for 1Password. We haven’t seen any reports that this issue has been exploited in 1Password apps.
The issue does not affect 1Password for iOS or Android, nor earlier versions of 1Password. This is part of a wide-ranging industry issue that impacts many apps, including users of 1Password 8 for Mac, Windows, and Linux versions before 8.10.15, which were released on September 13, 2023. An attacker can exploit this issue by sharing accounts with potential victims to achieve remote code execution or steal secrets. This means older iPhones, such as the iPhone 6 and 7, are now protected despite iOS 15 being out of support.Ġ9/18 update: 1Password’s chief technology officer, Pedro Canahuat, told Forbes that “An issue inherited from Google Chrome was discovered that affects the way 1Password displays images in WebP format. Patches are now available for iOS 15.7.9, iPadOS 15.7.9, macOS Monterey 12.6.9 and macOS Big Sur 11.7.9. Apple has, however, now released further security updates for earlier versions of iOS as well as iPadOS and macOS.
There is still no confirmation that the WebP vulnerability is connected to the BLASTPASS exploit chain comprising two zero-days that could lead to iPhones getting infected by Pegasus spyware.
#COST 1PASSWORD IPHONE PATCH#
Other web browsers that have been updated to patch the zero-day WebP vulnerability include:Įdge, which has been updated to 1.81 (116.1938.79 for iOS)įirefox, which has been updated to 117.0.1 Ivanovs explains that the problem sits with the BuildHuffman Table function, introduced in 2014.
#COST 1PASSWORD IPHONE UPDATE#
I have approached Apple, Citizen Lab, and Google for a statement and will update this article if any is forthcoming.Ġ9/14 update: Developer and blogger Alex Ivanovs has confirmed that, as well as web browsers, “any software that uses the libwebp library” is affected by this vulnerability, including Electron-based applications such as 1Password and Signal.ġPassword applications for Mac, Windows and Linux have been updated to patch against CVE-2023-4863, and Signal Desktop has been updated to include the patched Electron v25.
0 kommentar(er)
